23 May 2024

Your next phishing email could be about taxes, healthcare or ApplePay: KnowBe4

Source: KnowBe4 Top-Clicked Phishing Tests infographic. List of Q124 'in the wild' attacks.

KnowBe4, the provider of the security awareness training and simulated phishing platform, has found that HR or IT-related business email messages are the most common email subjects clicked on in phishing tests.

Phishing emails continue to be one of the most common methods for executing cyberattacks on organisations worldwide, the company said. KnowBe4’s 2023 Phishing by Industry Benchmarking Report, published in Q124, reveals that nearly one third of users are susceptible to clicking on malicious links or complying with fraudulent requests.

Cybercriminals are further leveraging tools now available to them, such as AI, to come up with increasingly sophisticated messages to outsmart users, KnowBe4 said. Phishing emails can now be tailored to appear even more legitimate, or trick employees by inciting an emotional response and urgency to click on a malicious link or download an infected attachment.

HR-related phishing attacks take the top spot at 42%, a trend that has persisted for the last three quarters, followed by IT-related phishing emails at 30%. Phishing emails from HR or IT departments that prompt dress code changes, tax and healthcare updates, training notifications and other similar actions are effective in deceiving employees as they can affect a user’s work, evoke an immediate response and can cause a person to react before thinking about the validity of the email.

The KnowBe4 phishing report this quarter also noted more personal phishing email attacks, using pretexts such as tax, healthcare and ApplePay, that could affect users' sensitive information. These types of attacks are effective because they cause a person to react to a potentially alarming topic and engage to protect their private information before thinking logically about the credibility of the email.

“KnowBe4’s report shows that cybercriminals are becoming increasingly tactical in exploiting employee trust by using HR-related phishing emails due to their seemingly legitimate source,” said Stu Sjouwerman, CEO of KnowBe4.

“Emails coming from an internal department such as HR or IT are especially harmful to organisations since they appear to be coming from a trusted source and can convince employees to engage quickly before confirming their legitimacy, exposing the company to security vulnerabilities.

“A well-trained workforce is therefore crucial in building a strong security culture and serves as the best defence in safeguarding organisations against preventable cyberattacks.”

Explore

Download the Q124 KnowBe4 Phishing Report Top-Clicked Phishing Tests infographic at https://www.knowbe4.com/hubfs/Quarterly-Phishing/Q12024.pdf (PDF), and

get the 2023 Phishing by Industry Benchmarking Report at https://info.knowbe4.com/en-us/phishing-by-industry-benchmarking-report.