
Research shows most email scams are HR-related

By Jack Campbell | 4 minute read

Half of all malicious emails affecting workplaces are HR-related, according to a recent study.

KnowBe4’s Phishing by Industry Benchmarking Report found that HR-related subject lines are used as a phishing lure and account for 50 per cent of the top email subjects.

The Australian Signals Directorate describes phishing emails as “a way cyber criminals trick you into giving them personal information. They send you fraudulent emails or text messages often pretending to be from large organisations you know or trust. They may try to steal your online banking logins, credit card details or passwords. Phishing can result in the loss of information, money or identity theft.”
Posing as HR departments, these latest scams play on the trust of employees, opening up organisations to a cyber attack.

“The threat of phishing emails remains as high as ever as cyber criminals continuously tweak their messages to be more sophisticated and seemingly credible,” said Stu Sjouwerman, chief executive, KnowBe4.

“The trend of phishing emails revealed in the Q2 phishing report is especially concerning, as 50 per cent of these emails appear to come from HR – a trusted and crucial department of so many, if not all, organisations.”

According to KnowBe4, these phishing emails can contain information such as:

  • Holiday information
  • Dress code changes
  • IT and online service notifications
  • Tax-related information
  • Company surveys

Mr Sjouwerman continued: “These disguised emails take advantage of employee trust and typically incite action that can result in disastrous outcomes for the entire organisation.”

To better help employees identify and report these scam attempts, employers should ensure that staff are kept up to date with relevant training in cyber security.

“New-school security awareness training for employees is crucial to help combat phishing and malicious emails by educating users on the most common cyber attacks and threats,” Mr Sjouwerman explained.

“An educated workforce is an organisation’s best defence and is essential to fostering and maintaining a strong security culture.”

The top five methods for attacking companies, as listed by KnowBe4, are:

  • Link: Phishing hyperlink in the email
  • Spoofs domain: Appears to come from the user’s domain
  • PDF attachment: Email contains a PDF attachment
  • HTML attachment: Email contains an HTML attachment
  • Branded: Phishing test link has user’s organisational logo and name

To learn more about phishing and how to protect your organisation, read “3 things you need to know about phishing”.

To read about why security training is so important, visit “Greater focus on security training needed”.

Jack Campbell

Jack is the editor at HR Leader.