Disturbing Trend in Q2 2023 Phishing Report: HR-Themed Emails Used to Target Employees

Stay informed to safeguard against evolving cyber threats.

KnowBe4, a leading provider of security awareness training and simulated phishing platforms, has published its Q2 2023 top-clicked phishing report, shedding light on the alarming rise of phishing attacks that exploit HR-related email subjects. The report exposes cybercriminals’ evolving tactics and highlights the urgent need for organizations to strengthen their defenses against phishing attempts.

Phishing attacks continue to be a prominent threat to businesses worldwide, with cybercriminals adapting their strategies to deceive end users effectively. By creating email subjects that evoke strong emotions, such as distress, panic, or excitement, hackers aim to trick employees into clicking on malicious links or attachments. KnowBe4’s 2023 Phishing by Industry Benchmarking Report further revealed that nearly one in three users are susceptible to clicking on suspicious links or complying with fraudulent requests.

The Q2 2023 report highlights a concerning trend where cybercriminals are increasingly utilizing HR-themed email subjects to target employees. Messages related to dress code changes, training notifications, vacation updates, and other HR matters are designed to prompt quick reactions from recipients, bypassing logical scrutiny of the email’s legitimacy. These deceptive tactics have the potential to disrupt both an employee’s personal life and their professional workday.

The holiday season proved to be a popular theme for phishing attacks, with four out of the top five holiday-themed email subjects appearing to originate from HR departments. Cybercriminals employed incentives related to national holidays like Juneteenth and the Fourth of July, holiday celebrations, and schedule changes as bait to lure unsuspecting end users. The report also indicates a consistent use of IT and online service notifications, along with tax-related email subjects.

Stu Sjouwerman, the CEO of KnowBe4, expressed his concern about the ongoing threat posed by phishing emails. He noted that cybercriminals continuously enhance the sophistication of their messages to appear genuine, making it increasingly challenging for users to identify potential threats. With 50% of these phishing emails masquerading as communications from HR, a department often trusted and relied upon, organizations face the risk of significant breaches that could have disastrous consequences.

Sjouwerman stressed the importance of new-school security awareness training for employees, emphasizing the need to educate them about common cyber attacks and threats. He stated that an informed and vigilant workforce is the best defense against phishing and other malicious emails, fostering and maintaining a strong security culture within the organization.

As the cyber threat landscape continues to evolve, businesses must prioritize cybersecurity awareness and invest in robust training programs to empower their employees against phishing attacks. By staying vigilant and informed, organizations can fortify their defenses and safeguard their sensitive data from the ever-evolving tactics of cybercriminals.