According to a cyber awareness training firm, HR-linked phishing emails evoke a strong sense of cyber-naïveté

Business phishing emails are particularly effective because, if left unanswered, they could potentially affect users’ work or even lead to serious consequences.

However, such phishing emails are usually masked by a spoofed domain, and even replicate the real company name and logo (sometimes even the employee’s name) in the email body. Most include a phishing hyperlink in the email or some PDF attachment.

By now most people know that if they receive a text message confirming an $1,800 order they never placed, or telling them they have just won a new car, they should not fall for the con. But what if it is from their Human Resources Department about an upcoming performance review or some career-threatening issue?

Or, what if the attachment is a draft of a Strategic Plan that mentions their name? Will the following HR email headings make you rush to open the email and click on whatever links it contains?

According to KnowBe4’s own data, half of the most frequently opened phishing emails had subject headings related to Human Resources, including vacation policy updates, dress code changes and upcoming performance reviews. The other top category was IT requests, including password verifications needed immediately.

The firm’s CEO Stu Sjouwerman said: “We already know that more than 80% of company data breaches globally come from human error. Security awareness training is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognize a suspicious email, even if it appears to come from an internal source—causing them to pause before clicking. That moment where they stop and question the email is a critical and it is an often-overlooked element of security culture that could significantly reduce the corporate risk surface.”