We all trust HR – or at least we do when we think they’re emailing us! Data from KnowBe4’s HRM+ platform shows that phishing simulations with internal subject lines dominate the list of most-clicked templates in 2025.
Of the top 10 templates people interacted with between May 1 – June 30, 2025, an incredible 98.4% had subject lines relating to internal topics, with HR mentioned in 45.2% of them. (It was a similar story between January 1 – April 30 this year too.) Our data shows that people are most likely to interact with simulations whose subject lines concern pay (such as updating tax forms), changes to the dress code, time off and performance reviews.
There is nothing hugely out of the ordinary in these templates: they are all fairly standard communications you might reasonably expect to receive from an HR department. They are also topics that people are naturally interested in – which, unfortunately, is again fairly standard for emails from HR – and that combination is what makes HR such a popular department for cybercriminals to impersonate.
Why Do People Fall Victim to Phishing Emails Impersonating HR?
When someone receives an email from HR – whether it is legitimate, a simulation or a phishing attack – they rely on ‘mental shortcuts’ (or heuristics) that help them make snap judgments about the email.
One is authority bias. People can place unreasonably high confidence in information they believe has come from a person or group with formal authority. This is very often a deeply internalized heuristic that begins at a young age with authority figures such as parents, guardians and relatives, or schoolteachers. Furthermore, authority bias can be more or less prevalent depending on macro factors such as culture.
Once we reach the workplace, we enter a hierarchy with CEOs and boards of directors at the top – and, crucially, with HR acting as the official internal voice that confirms changes, announces new policies and so on. Over time, we learn to trust what they say and become accustomed to receiving updates from HR over email, which can lower people’s suspicion of an impersonation attack.
This brings us to representativeness, a heuristic that leads people to judge how likely something is to belong to a general category based on how similar it is to other members of that category. It might be fairly easy for people to identify a phishing email when it does not fit in with normal HR communications. However, with the increased use of GenAI, it is becoming easier than ever for cybercriminals to create well-written attacks with appropriate branding and formatting that, at first – and even second – glance, are enough to deceive someone.
They might also play on social proof: people’s fear of missing out, or their preference to “follow the herd” in an ambiguous situation. For example, cybercriminals can suggest that someone has forgotten to do something the rest of their department or company has already completed.
As well as tapping into these heuristics, cybercriminals also use a variety of other tactics in the pretext of their attacks. We have already noted that people are naturally interested in HR-related topics, making these subjects an obvious choice for impersonation.
Cybercriminals then take this one step further. They exploit employee concerns about job performance, salary adjustments and retirement benefits to create a sense of urgency. The fear of missing a critical deadline for benefits enrollment, or of facing penalties for not complying with a new policy, can compel quick action, often causing people to unknowingly disengage from the logical decision-making processes that would otherwise urge caution.
These are not simple, opportunistic attacks. Cybercriminals are now using advanced, sector-specific targeting based on extensive reconnaissance. For example, employees in manufacturing might receive fraudulent safety messages, while those in healthcare are targeted with fake HIPAA-related correspondence. To evade security tools, attackers use complex multi-redirect infrastructures, sending users through a series of compromised websites and URL shorteners before they ever reach the final credential-stealing page.
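The multi-redirect chains described above are a practical problem for anyone triaging a reported phish: the URL in the email is a shortener, the shortener points at a compromised blog, and the credential page is several hops away. The snippet below is an added example (it is not KnowBe4’s code and is not tied to any real campaign) showing how an analyst might unwind such a chain hop by hop with a hop cap and loop detection, then score it. The fetch function is injected so the demo runs offline against a constructed chain; the shortener list and the scoring thresholds are illustrative assumptions.

```python
"""Unwind a redirect chain hop by hop and score it (added example, not the original post's code)."""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumption: a short illustrative list of public URL shorteners often used as the first hop.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "rb.gy", "cutt.ly"}

# A fetcher takes a URL and returns the Location header of the redirect, or None
# when the URL is the landing page. In production this would be an HTTP request
# made with redirects disabled, from an isolated analysis host.
Fetcher = Callable[[str], Optional[str]]


@dataclass
class ChainResult:
    chain: list[str] = field(default_factory=list)   # every URL visited, first to last
    final_url: Optional[str] = None                  # set only when the chain lands
    shortener_hops: int = 0                          # how many hops were public shorteners
    distinct_domains: int = 0                        # how many different hosts the chain crossed
    stopped_reason: str = "landed"                   # "landed", "loop" or "hop_limit"

    @property
    def hops(self) -> int:
        return max(len(self.chain) - 1, 0)

    @property
    def suspicious(self) -> bool:
        # Heuristic (assumption): a shortener followed by two or more further hops,
        # a chain spanning three or more domains, or a chain that never lands, is
        # worth detonating in a sandbox rather than trusting the first-hop URL.
        return (
            self.stopped_reason != "landed"
            or (self.shortener_hops >= 1 and self.hops >= 2)
            or self.distinct_domains >= 3
        )


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def unwind_redirects(start: str, fetch: Fetcher, max_hops: int = 10) -> ChainResult:
    """Follow redirects from `start`, stopping at the landing page, a loop, or `max_hops`."""
    result = ChainResult(chain=[start])
    seen = {start}
    current = start
    for _ in range(max_hops):
        nxt = fetch(current)
        if nxt is None:                 # no Location header: this is the landing page
            result.final_url = current
            break
        if nxt in seen:                 # redirect loop, a common sandbox-evasion trick
            result.stopped_reason = "loop"
            break
        seen.add(nxt)
        result.chain.append(nxt)
        current = nxt
    else:                               # ran out of hops without landing
        result.stopped_reason = "hop_limit"
    result.shortener_hops = sum(1 for u in result.chain if host_of(u) in SHORTENER_DOMAINS)
    result.distinct_domains = len({host_of(u) for u in result.chain})
    return result


# Constructed sample chain for the offline demo (no real infrastructure involved):
# shortener -> compromised blog -> second shortener -> fake HR benefits enrollment page.
SAMPLE_CHAIN = {
    "https://bit.ly/hr-benefits-2025": "https://blog.compromised-site.example/wp-includes/go.php?x=1",
    "https://blog.compromised-site.example/wp-includes/go.php?x=1": "https://t.co/k9s2",
    "https://t.co/k9s2": "https://hr-benefits-enrollment.example/login",
    "https://hr-benefits-enrollment.example/login": None,
}


def demo_fetch(url: str) -> Optional[str]:
    """Offline stand-in for an HTTP HEAD/GET with redirects disabled."""
    return SAMPLE_CHAIN.get(url)


if __name__ == "__main__":
    r = unwind_redirects("https://bit.ly/hr-benefits-2025", demo_fetch)
    print(f"{r.hops} hops, {r.shortener_hops} shorteners, {r.distinct_domains} domains, "
          f"stopped: {r.stopped_reason}, suspicious: {r.suspicious}")
    print(" -> ".join(r.chain))
```

To run this against a live URL from an isolated analysis box, the fetcher would issue a request with automatic redirects disabled (for example `requests.get(url, allow_redirects=False, timeout=5)` and return `resp.headers.get("Location")`), so that every hop, including the compromised intermediaries, is recorded rather than silently skipped by the HTTP library.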
The Rising Risk of HR Impersonation Attacks
Our Threat Lab team has uncovered a 120% increase in the volume of phishing attacks impersonating HR between January 1 – March 31, 2025, compared with the previous three months. The threat has remained elevated since then, with campaigns spiking around administrative and financial calendar events: cybercriminals hope their attacks will appear more convincing among noisy inboxes full of legitimate emails on similar topics, or that people will interact quickly with something they are already expecting to receive.
In our next post, we dive into four examples of HR impersonation attacks we have seen so far in 2025, exploring how cybercriminals put the theory discussed in this article into practice to manipulate their targets. Read it now.
Lead researchers: Jeewan Singh Jalal, Anand Bodke and Prabhakaran Ravichandhiran