Phishing Emails Reel in with HR Subjects

Photo by:   Mohamed Hassan, Pixabay
By Anmol Motwani | Journalist & Industry Analyst - Tue, 08/08/2023 - 17:05

The success rate of HR-related messaging in phishing campaigns, 1 in 3 users, exposes a security liability for companies, according to a report by KnowBe4. Mexican users are especially vulnerable to these types of attacks because of their limited exposure to and understanding of these social engineering campaigns.

The report analyzed phishing tests conducted in Q2 2023 and found that the most popular emails with HR-related subject lines focused on dress code changes, training notifications, W4 updates, performance reviews and vacation policy updates.

"The threat of phishing emails remains as high as ever as cybercriminals continuously tweak their messages to be more sophisticated and seemingly credible," said Stu Sjouwerman, CEO, KnowBe4. "The trend of phishing emails revealed in the Q2 phishing report is especially concerning, as 50% of these emails appear to come from HR — a trusted and crucial department of so many if not all organizations."

Phishing attacks capitalize on the effectiveness of HR-related subjects to exploit employees' impulse-driven responses, leading them to overlook verifying the email's legitimacy. The latest report underscores the popularity of holiday-themed email subjects, especially during the last quarter, with a staggering 4 out of the top 5 holiday emails seemingly originating from HR. These emails cleverly entice recipients with offers related to holiday celebrations, schedule changes and attractive incentives associated with national holidays.

Mexico has become a prominent target for phishing attacks, with a particular surge in Business Email Compromise (BEC) attacks following the onset of the pandemic. These BEC attacks, which are a specific type of phishing tactic, now pose a significant threat to finance department employees in the country.

In BEC attacks, cybercriminals create counterfeit email addresses that resemble familiar sources in order to deceive recipients. These emails frequently involve urgent or time-sensitive requests, luring employees into taking swift action without questioning their legitimacy. When such attacks are successful, the hackers often exploit the compromised system to commit financial fraud or launch subsequent attacks, posing a significant threat to the targeted company. As a result, the report suggests educating employees to identify and avoid phishing emails.
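A mail-triage check for the two BEC traits described above, sender addresses that resemble a familiar source and urgent wording, is sketched here as an added example; it is not code from the KnowBe4 report or from this article. The trusted domains, urgency terms and sample messages are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample values (assumptions): replace with the organization's own.
TRUSTED_DOMAINS = ("example.com", "hr.example.com")
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "action required")
# Character swaps commonly used to make a domain look familiar.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return None  # exact match is the real thing, not an imitation
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        # A distance threshold of 2 can misfire on very short domains.
        if folded == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(from_header: str, subject: str) -> list:
    """Return the reasons a message deserves a second look (empty if none)."""
    reasons = []
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles {imitated}")
    if any(term in subject.lower() for term in URGENCY_TERMS):
        reasons.append("urgent or time-sensitive wording")
    return reasons


if __name__ == "__main__":
    # Constructed sample messages.
    print(triage("HR Department <hr@examp1e.com>", "Urgent: vacation policy update"))
    print(triage("Payroll <payroll@example.com>", "Q3 training schedule"))
```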

"Security leaders can elevate training efforts and foster a resilient security culture by embracing gamification, competitions and customized training for different business units," said Juan Carlos Carrillo, Cybersecurity Director, PwC Mexico. "Integrating phishing simulations with measurable metrics enables a consistent assessment of individuals who may need specialized training. To optimize effectiveness, these simulations should be tailored to match a target's cyber-savviness while considering the unique context of the organization's specific needs," he added.

