
Hackers using HR messages to deceive businesses

Cybercriminals are increasingly using HR-related email subjects in phishing attacks, a new report reveals. 

31 October 2023

KnowBe4's Q3 2023 global phishing report says HR-related email subjects now make up more than 50% of top email subjects.

Other top subjects clicked on in phishing tests included popular seasonal messages that pique employees' interest and may affect their work day.

Phishing emails remain one of the most common and effective methods of perpetrating malicious attacks on organizations around the globe. KnowBe4’s 2023 Phishing by Industry Benchmarking Report revealed that nearly one in three users are likely to click on a suspicious link or comply with a fraudulent request. Because of this, cybercriminals refine their strategies to keep up with trends and use tactics designed to grab end users' attention and ultimately outsmart them. As a result, they change phishing email subjects to be more believable while preying on emotions, creating urgency, confusion, and distress to get employees to click on a malicious phishing link or download an attachment.

In the past two quarters, there has been a steady rise in cybercriminals using HR-related subjects like dress code modifications, training alerts, and holiday news. These subjects are effective because they may cause a person to react before thinking logically about the legitimacy of the email, and because they have the potential to impact an employee's personal life and professional workday.

Additionally, the report reflects the consistent trend of utilising IT and online service notifications as well as tax-related email subjects.

“The continued trend of disguising emails as coming from an internal department such as HR is especially dangerous to organisations because they appear to be coming from a trusted, reliable source,” said Stu Sjouwerman, CEO, KnowBe4.

“These malicious emails take advantage of employee trust and create vulnerabilities within an organization that could potentially result in its downfall. KnowBe4’s phishing test reports emphasise the importance of new-school security awareness training that educates end users on the latest and most common cyber attacks and threats. An educated workforce is essential to fostering a strong security culture and is an organisation’s best defence to stay safe online.”
