HR-related phishing emails more likely to be clicked

Employers told to prioritize security awareness amid increased cyber threats


Employees are more likely to become victims of HR-related phishing emails, a new report has found, underscoring how business-related frauds are gaining momentum.

Sourced from its phishing tests, KnowBe4's latest report found that employees are most likely to click on phishing emails with the following subjects:

  • Google: You were mentioned in a document: "Strategic Plan Draft" (17%)
  • HR: Important: Dress Code Changes (15%)
  • HR: Vacation Policy Update (14%)
  • Adobe Sign: Your Performance Review (11%)
  • Password Check Required Immediately (11%)
  • Acknowledge Your Appraisal (7%)
  • IT: Internet Report (7%)
  • Main points from today's meeting (6%)
  • USAA: Account Suspension (6%)

"These attacks are effective because they could potentially affect users' daily work and cause a person to react before thinking logically about the legitimacy of the email," says the report.

While CEOs say cybersecurity is amongst their top concerns in the workplace, Canadian organizations say they're underprepared for a cyberattack, according to a new KPMG report.

The KnowBe4 report further shows the shift of phishing emails from personal to business matters, as personal-related subjects from social media fell off the list. The report also found that the top five attack vector types are:

  1. Link - Phishing hyperlink in the email
  2. Spoofs Domain - Appears to come from the user's domain
  3. PDF Attachment - Email contains a PDF attachment
  4. Branded - Phishing test link has user's organisational logo and name
  5. Credentials Landing Page - Phishing link directs user to data entry or login landing page

While cyber crime is rampant these days, nearly four in 10 Canadians say they don't receive any cybersecurity training at work, according to a survey of 937 workers by ISA Cybersecurity.

The report comes amid the heightened threat of cyberattacks as more businesses go “virtual”. Previously, employers were warned against online payroll-related frauds and COVID-related scams. Stu Sjouwerman, CEO of KnowBe4, said it’s essential that employers train their employees on cybersecurity as threats become more sophisticated.

"As phishing emails evolve and become more sophisticated, it is imperative that organisations prioritise security awareness training for all employees, now more than ever," said Sjouwerman.

"New-school security awareness training for employees helps combat phishing and malicious emails by educating users on what to look out for - it is the key to creating a healthy level of scepticism to better protect an organisation and build a stronger security culture."
