Phishing attacks using HR-related messaging continue to be a goldmine for cybercriminals, according to a new report.
About 60 percent of failed phishing tests in the workplace purported to come from HR, with subject lines related to employee dress codes, vacation policies, performance reviews and employee tax forms.
The report was conducted by KnowBe4, a security awareness training provider in Tampa, Fla.
According to the report, nearly 1 in 3 users were likely to click on a suspicious link or comply with a fraudulent request.
“Phishing emails continue to be one of the most common methods to effectively perpetuate malicious attacks on organizations around the globe,” said Stu Sjouwerman, CEO of KnowBe4.
“I have seen in practice that this is a particularly effective way to get people to click on things that they would normally not click on,” said Linn Freedman, a partner in the Providence, R.I., office of law firm Robinson and Cole and chair of the firm’s Data Privacy and Cybersecurity Team. “Threat actors know that we are all focused on our job performance, evaluations and compensation and are anxious about changes or disruptions to our job. They prey on that vulnerability and are able to fashion phishing campaigns about HR concerns that catch people off guard, distract them and cause them to click on something malicious. We are seeing a surge in these types of campaigns because they are very effective.”
There’s been an increasing level of diversification among HR-related subjects in phishing attacks in recent months, Sjouwerman said. “Holiday phishing email subjects were utilized this summer with four out of the five top holiday email subjects appearing to have come from HR. Incentives referring to national holidays such as Juneteenth and the Fourth of July, holiday celebrations, and schedule changes were used as bait for unsuspecting end users.”
The KnowBe4 report revealed that hyperlinks in the email body—that compromise data security when clicked—are still the top type of phishing lure.
The prevalence of remote work may also be a factor. “Although workers have become more accustomed to working in a remote setting, they can still be distracted by things going on around them,” Freedman said. “It is the distraction of remote working that is the risk. Workers who are distracted are the ones that are clicking on phishing emails, disclosing their credentials and not paying attention to security measures taken by companies to protect them from these campaigns, including ignoring banners that alert workers that emails are coming from outside the organization. It is important for companies to ask their workers to slow down, focus on the task at hand, identify risks and red flags, and to keep their workers up to speed on the latest schemes.”
Updated security awareness training for employees is crucial to help combat phishing and malicious emails, Sjouwerman said.
Best Practices for Staying Safe
Freedman provided the following list of tips that companies can employ to reduce the risk of becoming a victim to an HR-related phishing attack:
- Implement a strong spam filter.
- Require multi-factor authentication.
- Educate workers on the latest phishing schemes, including email phishing, text “smishing” and voice “vishing.”
- Implement a banner that alerts workers to emails that they are receiving from outside the company.
- Implement phishing tests and require education for those who fail.
- Make sure that all employees know who to report a phishing email to, and that they feel comfortable reporting it.
- Encourage workers to report phishing emails and not just delete them.
- Encourage employees to focus on their work, slow down and listen to their gut instincts.
- Implement information technology tools that will assist in identifying suspicious emails that may get through the firewall and spam filter.
- Incentivize your workers to be more vigilant.