HR and IT-related emails the most vulnerable to phishing attacks

Tax alerts, Apple Pay, and healthcare notifications are just some ways bad actors manipulate users into falling into the email phishing trap, which is affecting HR and IT-related emails at an alarming rate.

KnowBe4’s Phishing by Industry Benchmarking Report reveals that nearly one-third of users are susceptible to clicking on malicious links or complying with fraudulent requests. As a result, cyber criminals have taken advantage of this vulnerability and are leveraging innovative tools from new technologies to take advantage of users more than ever.

AI has been a cornerstone for bad actors to take advantage of users by crafting sophisticated messages that are much harder to dissuade than dodgy emails. These cyber criminals tailor phishing email strategies to appear more legitimate in their requests and trick employees by inciting an emotional response and urgency to click on a malicious link or download an infected attachment.

In terms of who is being targeted the most, HR-related attacks took the top spot at 42 per cent, followed by IT-related phishing emails at 30 per cent. Phishing emails from HR or IT departments including themes such as dress code changes, tax inquiries, healthcare updates or similar actions are effective in tricking employees as they create that urgent response.

Personal phishing attacks can also derive that urgent response. Tax, healthcare, and Apple Pay are just some of the subjects that garner an immediate response from users as it is very sensitive information. Due to the alarming nature of the email, users are less likely to go through the proper safety checks as they are in a race to protect that private information.

Stu Sjouwerman, chief executive of KnowBe4, believes these attacks are getting more difficult to expose as the sophistication of their nature increases.

“The report shows that cybercriminals are becoming increasingly tactical in exploiting employee trust by using HR-related phishing emails due to their seemingly legitimate source.”

The examples of standard email phishing attempts that have recently been deployed by bad actors are as follows:

• Urgent: Tax Notification (HTML Attachment)
• Welcome to the Future of Healthcare! (Link)
• Unlocking New Possibilities (Link)
• Urgent Business Review (Link)
• HR: New Rewards Program (Link) (Spoofs Domain)
• AWS: AWS Account on Hold: Response Required (Link)
• Additional entries have been made on your report (Link)
• Apple: Apple Pay was suspended on your Device!! (Link)
• Annual Survey (Link) (Spoofs Domain)
• Microsoft: SECURITY ALERT!
• Cleansing Needed! (Link) Install VPN (Link)

“Emails coming from an internal department such as HR or IT are especially harmful to organisations since they appear to be coming from a trusted source and can convince employees to engage quickly before confirming their legitimacy, exposing the company to security vulnerabilities.”

“A well-trained workforce is therefore crucial in building a strong security culture and serves as the best defence in safeguarding organisations against preventable cyberattacks,” Sjouwerman said.