UPDATED 20:28 EDT / OCTOBER 18 2023

SECURITY

Human resources emails remain top phishing targets

A new report released today by security awareness training company KnowBe4 Inc. finds that human resources-related email subjects remain a principal strategy among cyberattackers, accounting for more than half of the top-clicked phishing email subjects.

The KnowBe4 third-quarter phishing report found that phishing emails continue to be one of the most common methods to perpetrate malicious attacks on organizations around the globe. A previous report from KnowBe4 found that one in three users is likely to click on a suspicious link or comply with a fraudulent request.

Phishing emails are malicious attempts by hackers to trick users into divulging sensitive information, typically by mimicking trusted entities. The effectiveness of these emails relies significantly on their believability.

KnowBe4’s research found that HR-related subjects, such as notifications about dress code modifications, training schedules and vacation updates, are particularly effective bait. The rationale is logical: HR emails touch on topics that directly affect an employee’s day-to-day work and personal life, prompting swift and often impulsive actions.

This report notes that the pattern of employees clicking on HR-related emails without thinking twice isn’t particularly new. Over the last two quarters, there has been a consistent trend wherein cybercriminals have increasingly adopted HR-themed phishing attempts. The strategy of these cybercriminals is to capitalize on the inherent trust employees place in internal communications, increasing the likelihood of the recipient interacting with the malicious content.

Also of interest in the report is the use of seasonal email subjects. KnowBe4 found a rise in phishing emails centered around Halloween and fall themes. Although such emails may seem benign, their familiarity can create a sense of security, leading users to drop their guard.

Information technology notifications, online service alerts and tax-related subjects also remained popular in phishing emails, emphasizing a preference among cybercriminals for mimicking authoritative or urgent communications. Such messages are more likely to evoke immediate responses, given the potential implications of ignoring them.

“The continued trend of disguising emails as coming from an internal department such as HR is especially dangerous to organizations because they appear to be coming from a trusted, reliable source,” said KnowBe4 Chief Executive Stu Sjouwerman.

Image: DALL-E 3
