Common Business-Related Phishing Scams Include Fake HR and IT Subject Lines (2024)

Think you’ve received an important document from HR? Be careful.

KnowBe4’s quarterly phishing test report found that in Q2 threat actors often found success with emails spoofing HR departments. Once an ill-fated click occurred, links in the body of emails and in PDF documents were common vectors for attacks.

TechRepublic spoke with KnowBe4 Security Awareness Advocate Erich Kron about the results of the phishing tests and how to keep businesses safe from ever-evolving, generative AI-powered phishing attacks.

Fake emails from HR top the list of social engineering scams

Some attackers use fake messages from HR to make employees believe that clicking a link or viewing a document is urgent. According to the report:

  • 42% of the business-related email subject lines studied were related to HR.
  • Another 30% were related to IT.
  • Many of these subject lines played on employees’ emotions at work, such as “Comment was left on your Time Off Request” or “Possible Typo.”

“If you have a strong emotional response to a text message, or a phone call, or an email, we need to take a deep breath and step back and look at it very critically,” said Kron. “Because these are social engineering attacks and these really work off of getting you in an emotional state where you make mistakes.”

Other recent attacks have come from emails faking messages from Microsoft or Amazon.


Phishing emails with QR codes have also tricked employees. Like malicious links, these QR codes are usually found in emails purporting to be from well-known companies, HR, or IT.

“The continuous rise in HR related phishing emails is especially troubling, as they target the very foundation of organizational trust,” said Stu Sjouwerman, CEO at KnowBe4, in a press release on Aug. 7. “Moreover, the increase of QR codes in phishing attempts adds another layer of complexity to these threats.”

The health care and pharmaceuticals industries were most susceptible to phishing attacks, KnowBe4 found, followed by hospitality, education, and insurance — with some variance for different sizes of organizations.

How does KnowBe4’s phishing report work?

KnowBe4 gathers the information for its quarterly Industry Benchmarking Report from its customers and from its phishing report portal, which any business can use.

KnowBe4, which sells a simulated phishing platform, launches fake phishing attacks against businesses to test their resilience. Specifically, KnowBe4 assessed the types of attacks people are falling for and how training like theirs keeps businesses safer from cyberattacks.

The data came from 54 million simulated phishing tests, which impacted more than 11.9 million users from 55,675 organizations around the world.

“A lot of times we actually take the real ones [phishing attacks] that are out there and turn them into simulated ones,” said Kron. “So we do what we call defanging them, because we know that’s really what’s going on out there.”

The report measured “Phish-prone Percentage,” a proprietary assessment of the percentage of “employees likely to fall for social engineering or phishing scams.” The average PPP fell from 34.3% to just 4.6% after a year of ongoing training and phishing tests.


How businesses can reduce vulnerability to phishing attacks

Organizations should make it clear to employees that phishing emails may not be as filled with typos or blatant pleas for money as they used to be.

“Generative AI has really helped with the translations and cleaning up things,” said Kron, “and allowed them [attackers] to scale a whole lot more without all of those errors that we would normally see.”

Employees should remember to look closely at URLs and email addresses. They should consider whether an email with a subject line including the word “urgent” really is what it seems.

For example, “Did it actually come from my boss, or does it just say their name?” Kron said.

Anti-spam or anti-virus filters can catch some social engineering and phishing attacks, while multifactor authentication can limit attackers’ reach even if the victim clicks a link or scans a QR code. Along with KnowBe4, companies such as Sophos, Proofpoint, Ninjio, Hoxhunt, Cofense, and others offer security training through simulated attacks.
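The two checks above (does the sender address match the display name, and does the subject lean on HR/IT urgency lures) can be expressed as a simple triage rule. The following is an added example, not KnowBe4's or TechRepublic's code; the internal directory, the domain `example.com` and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical internal directory: display name -> address on file (constructed).
DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",   # e.g. an employee's manager
    "HR Department": "hr@example.com",
}
INTERNAL_DOMAIN = "example.com"           # assumed organisation domain

# Subject-line lures of the kind the report describes: HR/IT themes and urgency.
LURE_PATTERNS = [
    r"\burgent\b",
    r"\btime off request\b",
    r"\bpossible typo\b",
    r"\bpassword\b.*\b(expir|reset)",
]

def check_message(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks suspicious (empty if none)."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display-name spoofing: a known name, but not the address we have on file.
    if name in DIRECTORY and addr.lower() != DIRECTORY[name]:
        reasons.append(f"display name '{name}' but address {addr}")
    # An external Reply-To silently redirects any reply away from the organisation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and not reply_to.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append(f"external Reply-To {reply_to}")
    subject = msg.get("Subject", "")
    for pat in LURE_PATTERNS:
        if re.search(pat, subject, re.IGNORECASE):
            reasons.append(f"lure subject matches /{pat}/")
            break
    return reasons

# Constructed sample messages: one spoofed HR lure, one ordinary internal mail.
SPOOFED = """From: Jane Doe <jane.doe@example-hr-portal.net>
Reply-To: payroll@example-hr-portal.net
Subject: URGENT: Comment was left on your Time Off Request

Please review the attached document.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Lunch on Thursday?

Are you free?
"""
```

A rule like this is a triage aid for a mail gateway or SOC playbook, not a replacement for the filters and MFA mentioned above.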

Overall, make sure employees are vigilant, whether or not that vigilance is tested with a regular phishing test.

“Be a little bit on edge about it,” Kron said.

