Hackers targeting businesses through HR-related emails

By Nick Wilson | 6 minute read

New data suggests you should think twice before clicking on that “change of dress code” email.

KnowBe4, a security awareness training and simulated phishing platform, has released its Phishing by Industry Benchmarking Report. The report found that HR-related business messages continued to be one of the most effective and popular approaches used by cyber criminals to get unsuspecting users to expose themselves to cyber threats.

Phishing is a form of cyber attack in which cyber criminals will pose as a trusted entity in an effort to trick individuals into revealing sensitive information, like passwords or financial information.

“This steady trend from the last two quarters of cyber criminals using email subjects coming from HR includes messages related to dress code changes, training notifications, vacation updates and more,” said KnowBe4.

“These are effective because they may cause a person to react before thinking logically about the legitimacy of the email and have the potential to impact an employee’s personal life and professional workday.”

A growing threat

In Q3 2023, phishing attacks surged by 173 per cent, according to Vade Secure, while malware threats were up 110 per cent.

“While hackers were busy throughout Q3, they were most active in August, sending more than 207.3 million phishing emails, nearly double the amount from July,” said Vade Secure.

HR-related emails can be a particularly effective method used by cyber criminals to procure sensitive information from employees.

“The continued trend of disguising emails as coming from an internal department such as HR is especially dangerous to organisations because they appear to be coming from a trusted, reliable source,” said Stu Sjouwerman, chief executive at KnowBe4.

“These malicious emails take advantage of employee trust and create vulnerabilities within an organisation that could potentially result in its downfall,” added Mr Sjouwerman.

A fireable offence?

Since Frank Lombardo, chief technology officer at Insignia Financial, told the gathering at a recent cyber summit that clicking on suspicious links should constitute grounds for dismissal, commentators have given much air to the rising business cost of poor cyber security training and awareness.

Mr Lombardo’s comments came off the back of the recent cyber security breaches at Optus and Medibank.

“You need to recognise that if you’ve done everything that you can and if there’s a weakness, and if at that human level and the human just isn’t getting it, then you do need to take appropriate action because the consequences are severe if you get it wrong,” said Mr Lombardo.

While others have condemned the idea that employees should be fired for falling prey to phishing campaigns, there is no debate that the costs for businesses can be substantial.

In 2019, the Australian Competition and Consumer Commission (ACCC) estimated that business email compromise scams cost Australian businesses $132 million every year. The techniques used can be highly sophisticated, ranging from intercepting invoices and altering the details to include fraudulent payment information, to impersonating staff in order to request payments.

“Companies can suffer huge financial and reputational damage if breached, and aggrieved customers are increasingly launching class action suits to punish businesses caught operating with weak security protections and protocols,” wrote Nine News.

Training and awareness

Users are getting wiser to the tactics used by cyber criminals, according to Verizon, as click rates on phishing emails dropped from 25 per cent in 2012 to 3 per cent in 2018. While the degree to which training contributed to the decrease is unclear, research suggests that security awareness training can reduce the cost of phishing attacks by over 50 per cent.

Similarly, CyberPilot found that continuous phishing testing and awareness training led to a 60 per cent reduction in mistakes during simulated phishing attacks. In the first test, an average of 15 per cent of recipients submitted the personal information requested by the cyber criminal, while only 6 per cent did so by the third test.

“An educated workforce is essential to fostering a strong security culture and is an organisation’s best defence to stay safe online,” said Mr Sjouwerman.

Nick Wilson

Nick Wilson is a journalist with HR Leader. With a background in environmental law and communications consultancy, Nick has a passion for language and fact-driven storytelling.