HR, IT emails top phishing scams, KnowBe4 report finds

Emails pretending to be from Human Resources (HR) or Information Technology (IT) departments are the most common phishing scams, a new report by KnowBe4, a company specialising in cybersecurity awareness training, has revealed.

Phishing emails are fraudulent messages designed to trick the recipient into clicking a malicious link, opening a malicious attachment or handing over credentials. They are crafted to look as if they come from a legitimate source, such as a bank or the company’s own IT department. A single click can land the victim on a credential-harvesting page or run an attachment that infects their computer with malware.

The KnowBe4 report analysed data from phishing simulations conducted in the first quarter of 2024. The report found that emails with HR-related subjects were clicked on most often, accounting for more than 42% of all clicks. Emails with IT-related subjects were the second most common type of clicked phishing email, making up 30% of clicks.

Image Credit: KnowBe4

“Nearly one third of users are susceptible to clicking on malicious links or complying with fraudulent requests,” according to the authors of the KnowBe4 report.

“As a result, cybercriminals take advantage of this vulnerability and leverage the innovative tools available to them, such as AI, to come up with increasingly sophisticated messages to outsmart users. These bad actors tailor phishing email strategies to appear more legitimate in their requests and trick employees by inciting an emotional response and urgency to click on a malicious link or download an infected attachment,” according to the report findings.

This isn’t the first time KnowBe4 has identified HR phishing scams as a major threat. In KnowBe4’s Q2 2023 report, 50% of phishing emails impersonated HR departments. According to that report, cybercriminals impersonate HR departments and trick employees into clicking on malicious links or attachments containing seemingly legitimate HR-related information such as: holiday information, dress code changes, IT and online service notifications, tax-related information and company surveys.

“KnowBe4’s report shows that cybercriminals are becoming increasingly tactical in exploiting employee trust by using HR-related phishing emails due to their seemingly legitimate source,” said Stu Sjouwerman, CEO of KnowBe4. “Emails coming from an internal department such as HR or IT are especially harmful to organisations since they appear to be coming from a trusted source and can convince employees to engage quickly before confirming their legitimacy, exposing the company to security vulnerabilities. A well-trained workforce is therefore crucial in building a strong security culture and serves as the best defence in safeguarding organisations against preventable cyberattacks.”
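The point made above, that mail posing as an internal HR or IT department is trusted precisely because it looks internal, is something a mail-security team can check for mechanically. The following is an added example and is not code from KnowBe4 or the report: it parses an inbound message, looks for the HR/IT lure themes the report lists, and flags the cues that distinguish an impersonation (external sending domain, mismatched Reply-To, failed SPF/DKIM/DMARC on a message claiming the organisation’s own domain). The organisation domain `example.com`, the keyword list and the three sample messages are constructed for illustration.

```python
"""Heuristic triage of inbound mail that poses as an internal HR or IT notice.

Added example, not code from KnowBe4's report. The organisation domain,
the keyword list and the sample messages below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject / display-name cues matching the lure themes the report describes
# (HR notices, IT and service alerts, tax and survey pretexts). Assumed list.
HR_IT_KEYWORDS = (
    "hr", "human resources", "payroll", "benefits", "holiday", "dress code",
    "survey", "tax", "w-2", "it department", "it support", "helpdesk",
    "password", "mfa", "account", "vpn",
)

# Domains the organisation legitimately sends from (assumption for the example).
ORG_DOMAINS = {"example.com"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address, or '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _themed(text: str) -> bool:
    """True if any lure keyword appears as a whole word in the text."""
    text = text.lower()
    return any(re.search(rf"\b{re.escape(k)}\b", text) for k in HR_IT_KEYWORDS)


def _auth_failed(results: str) -> bool:
    """True if Authentication-Results reports an SPF, DKIM or DMARC failure."""
    r = results.lower()
    return any(f"{m}=fail" in r for m in ("spf", "dkim", "dmarc"))


def triage(raw: str, org_domains: set[str]) -> list[str]:
    """Return the reasons an HR/IT-themed message looks like impersonation.

    An empty list means either the message is not HR/IT-themed or no cue fired.
    """
    msg = message_from_string(raw, policy=policy.default)
    subject = msg["Subject"] or ""
    display, _ = parseaddr(msg["From"] or "")
    if not (_themed(subject) or _themed(display)):
        return []  # not an HR/IT lure; outside the scope of this check

    reasons = []
    from_dom = _domain(msg["From"] or "")
    reply_dom = _domain(msg["Reply-To"] or "")
    auth = msg["Authentication-Results"] or ""

    if from_dom not in org_domains:
        reasons.append(f"HR/IT-themed mail from external domain {from_dom!r}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    if from_dom in org_domains and _auth_failed(auth):
        reasons.append("claims internal sender but SPF/DKIM/DMARC failed")
    if from_dom in org_domains and not auth:
        reasons.append("claims internal sender but carries no Authentication-Results header")
    return reasons


# Constructed sample messages (not real traffic).
LEGIT = """From: People Team <hr@example.com>
To: alice@example.com
Subject: Updated holiday schedule for 2024
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

See the attached calendar.
"""

SPOOFED_INTERNAL = """From: IT Support <it-support@example.com>
Reply-To: helpdesk@example-support.net
To: alice@example.com
Subject: Action required: password expires today
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

Reset your password using the link below.
"""

LOOKALIKE_EXTERNAL = """From: HR Department <hr@examp1e.com>
To: alice@example.com
Subject: Mandatory company survey

Please complete the survey by Friday.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED_INTERNAL),
                      ("lookalike", LOOKALIKE_EXTERNAL)):
        print(name, "->", triage(raw, ORG_DOMAINS) or "no cue fired")
```

The check deliberately fires only on HR/IT-themed mail, so it can be tuned aggressively without touching ordinary traffic; in production the keyword list and the organisation’s sending domains would come from the mail gateway’s configuration rather than constants.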

The KnowBe4 report also found that emails related to taxes, healthcare and Apple Pay are becoming more common. “These types of attacks are effective because they cause a person to react to a potentially alarming topic and engage to protect their private information before thinking logically about the credibility of the email,” according to the cybersecurity training company.
