The most-clicked phishing emails pretend to come from HR—and their subject matter might surprise you

Joey AbramsBy Joey AbramsAssociate Production Editor
Joey AbramsAssociate Production Editor

    Joey Abrams is the associate production editor at Fortune.

    Shot of a hacker dressed in a black mask hacking a computer.
    Employees are falling for HR-related phishing scams.
    PeopleImages—Getty Images

    Good morning!

    Your organization’s next cybersecurity nightmare may come from scammers masquerading as HR. According to security software company KnowBe4’s second-quarter 2023 global phishing report, half of the top phishing tests employees clicked featured HR-related subject lines.

    Per the study, fake HR email subjects included information related to vacation (19% of all successful phishing email tests), dress code policies (11%), requests for W-4 updates (11%), and training deadlines (9%). Non-HR-related email scams that received high clicks cited potential typos, Adobe “requests” to sign off on performance reviews, and fake Google notifications about mentions in a shared document.

    “We saw a huge uptick in the HR emails getting used,” says James McQuiggan, a security awareness advocate at KnowBe4. “Anything that’s authoritative, anything that drives that emotion with users, [employees will] be real gung ho trying to find out what’s going on.”

    Phishing scams create a sense of urgency for the victim, prompting them to click the bait without caution. Although many employees have learned to catch more obvious scams, like fake invoices or requests from an attacker impersonating the CEO, it’s easier to let one’s guard down when the email subject concerns payroll or vacation policy changes.

    “Creating that sense of urgency is really part of the toolkit that an attacker would use, and if you’re like me or other employees, you’d be concerned if you had an email from HR in general,” says Deron Grzetich, national cyber leader at West Monroe, a digital services firm headquartered in Chicago.

    Employers and HR teams can practice three actions to prevent phishing scams.

    1. Invest in security tools like two-factor authentication or email filtering software to help prevent phishing scams from landing in inboxes.

    2. Make employees aware of cyber risks and how to report them. Establish communication best practices with employees.

    3. Announce policy changes or updates in another forum besides email, such as a Slack channel or internal portal to update staff or tasking managers with sharing new HR guidelines.

    CHROs should also provide employees with step-by-step instructions for accessing such information internally without clicking on a URL in an email. “Communication is key when you’re making changes like that. If there are other out-of-band communication methods that you can do with your users, then that goes a long way as well, rather than just relying on [saying], ‘Hey, there’s this email coming,’” says McQuiggan.

    Think of it as operating like a bank would with client communications, Grzetich says. “​​My bank wouldn’t give me an emailed link to click on. They would tell me to go to the bank website and log in. HR could do that as well.”

    Paige McGlauflin
    paige.mcglauflin@fortune.com
    @paidion

    Reporter's Notebook

    The most compelling data, quotes, and insights from the field.

    By 2040, employers could help Americans expand their life span by 12 years and their years spent in good health by 19, according to a new report from Deloitte.

    Company-provided health insurance covered more than half of U.S. residents in 2021. Offering benefits that support workers’ physical and emotional well-being could boost productivity and retention and reduce health care costs through illness prevention, the report finds.

    Around the Table

    A round-up of the most important HR headlines.

    - Around 84% of LGBTQ workers are out to at least one coworker, but less than half are out to their human resources department. Bloomberg

    - Workers are taking fewer overtime shifts, reducing the average workday by 37 minutes. Productivity, however, remains the same. Financial Advisor

    - Even at companies where A.I. is banned, employees are boosting their productivity by secretly using the technology. Business Insider

    - New data shows that the labor market is slowly cooling and rebalancing itself without the threat of additional layoffs or a recession. Axios

    Watercooler

    Everything you need to know from Fortune.

    Global 500. The 2023 Fortune Global 500 ranking is out today. Fifty-seven companies employ at least 300,000 people worldwide, led by Walmart, with 2.1 million employees.

    Discrimination weighs heavily. C-suite execs are showing a newfound interest in fitness and getting ripped. The trend might shed light on new workplace beauty standards that often leave women vulnerable. —Paige Hagy

    RTO backfires. A handful of new reports shed light on companies' internal struggles after mandating a return to office. In one survey, employees likened the displeasure of an office return to taking a 2% to 3% pay cut. —Gleb Tsipursky

    Language linkWorkers in English-speaking countries spend more time working from home, and it has little to do with national income. —Jane Thier

    This is the web version of CHRO Daily, a newsletter focusing on helping HR executives navigate the needs of the workplace. Sign up to get it delivered free to your inbox.