Phishing assaults impersonating HR are on the rise. Between January 1 – March 31, 2025, our Menace Lab workforce noticed an 120% surge in these assaults reported by way of our PhishER product versus the earlier three months. These assaults have remained at elevated ranges since peaking in February.
(FYI in our earlier put up, we explored the psychology that makes these assaults so efficient. Now, we’ll have a look at the traits and particular campaigns behind the numbers.)
Our evaluation of those assaults in 2025 reveals 4 total traits for HR impersonation assaults in 2025:
- Seasonal Alignment: Assaults are strategically timed to coincide with administrative and monetary cycles, typically creating a way of urgency by time-sensitive deadlines to socially engineer their targets.
- Improve in Quantity and Sophistication: HR-themed assaults are quickly rising in each quantity and complexity, with attackers investing in specialised social engineering.
- Superior, Sector-Particular Focusing on: Cybercriminals present proof of intensive reconnaissance, tailoring lures to particular industries like manufacturing (security messages), healthcare (HIPAA) and finance (regulatory updates).
- Obfuscation techniques to evade safe e-mail gateways (SEGs): Campaigns use a number of techniques to evade SEGs, together with disguised payloads and hijacked infrastructure from reliable providers.
See 4 Phishing Campaigns Impersonating HR
Vector and kind: E mail phishing
Main methods: Social engineering, impersonation, quishing, payload obfuscation
Targets: World
Platform: Microsoft 365 and GSuite
Bypassed native and SEG detection: Sure
1. Adjustments to Payroll and Advantages
Key tactic: This assault combines the highly effective lure of economic info with a multi-channel QR code assault to bypass technical e-mail filters and deceive targets.
This marketing campaign was initiated in Could 2025 and, since then, has systematically focused organizations globally and throughout totally different sectors, utilizing varied methods to optimize their efficacy.
Within the instance under, a quishing payload is obfuscated in an attachment to bypass native and SEG detection. (Take a look at this weblog for more information on how phishing assaults get by SEG detection.) Though the e-mail physique is clean – one of many indicators that seemingly led to the recipient to report it by way of the KnowBe4 Phish Alert Button – it’s extremely customized with the recipient’s identify and firm brand, and focuses on the deeply private subject of remuneration.
By utilizing a QR code designed to be scanned on a cell gadget, this multi-channel assault makes an attempt to maneuver the risk from a safe company desktop to a much less safe private gadget to evade detection.
Quishing (QR code phishing) payload impersonating HR displayed inside the PhishER portal.
2. HR Coverage Replace
Key tactic: By leveraging a reliable, trusted service (Intuit QuickBooks) and fabricating a decent deadline, this marketing campaign pressures the goal to behave out of worry and urgency.
All through 2025, our Menace Lab workforce has noticed an exponential development in attackers utilizing reliable providers to bypass legacy e-mail safety. In March, we reported a 36.5% spike in assaults utilizing Intuit QuickBook’s infrastructure – and under is an instance of cybercriminals persevering with to hijack this service.
HR impersonation assault leveraging Intuit QuickBook’s service, as seen within the PhishER dashboard.
This assault makes use of a fraudulent deadline – the identical date as the e-mail is distributed – and a consequence for inaction to create a way of urgency within the hopes that the goal will rush to conform with out occupied with the legitimacy of the assault.
3. 401(okay) Replace Marketing campaign
Key tactic: This assault leverages workers’ pure considerations about their retirement funds. It builds a false sense of authenticity through the use of official-looking templates and faux monitoring numbers, whereas deploying malicious SVG attachments to bypass conventional safety filters
In June and July 2025, a marketing campaign focused mid-sized organizations with fraudulent 401(okay) documentation requests. To seem reliable, the assault used HTML templates to imitate system-generated alerts, customized with the recipient’s identify and firm.
Phishing e-mail inside the PhishER portal referencing adjustments to the recipient’s 401(okay) retirement plan.
One other model prompted targets to open a malicious SVG attachment, including a pretend monitoring quantity within the topic line to boost its credibility. Earlier this yr, we reported a 245% enhance in SVG recordsdata to obfuscate payload in order that they bypass SEG detection.
Inspection of a malicious attachment inside PhishER.
4. Digital Contract and Monetary Documentation
Key tactic: This marketing campaign impersonates routine enterprise processes and automatic system notifications to lull targets right into a false sense of safety, exploiting their common job features to steal credentials.
In Could 2025, we recognized a marketing campaign impersonating HR that claimed to flow into pretend contracts. Topic traces have been customized with the recipient’s firm identify and the precise date the e-mail was despatched. The assault used stylized HTML templates mimicking automated enterprise emails – full with help information and disclaimers – to seem credible and direct targets to a credential-harvesting website.
Credential harvesting phishing assault displayed by way of PhishER.
These examples present simply how convincing HR impersonation phishing e-mail might be – however the true sophistication lies within the supply. How does a QR code embedded in an attachment execute a credential harvesting assault? What does the malicious code inside an SVG file truly appear like?
Learn the subsequent put up on this sequence, the place our researchers will present a full technical evaluation of those superior evasion methods.
Missed the primary put up on this sequence? Learn now.
Lead analysis: Jewaan Singh Jalal, Anand Bodke and Prabhakaran Ravichandhiran
