Do you think you have received an important document from Human Resources? Be careful.
KnowBe4’s quarterly phishing testing report revealed that in Q2, threat actors were successful with emails impersonating human resources departments. After an unfortunate click, links in the body of emails and PDF documents were common attack vectors.
TechRepublic spoke to Erich Kron, security awareness advocate at KnowBe4, about the results of phishing tests and how to keep businesses safe from ever-evolving, generative AI-powered phishing attacks.
Fake HR emails top the list of social engineering scams
Some attackers are using fake HR messages to trick employees into believing that clicking a link or viewing a document is urgent. According to the report:
- 42% of business-related email subject lines studied were HR-related.
- Another 30% was IT related.
- Many of these subject lines appealed to employees' emotions at work, such as “A comment was left on your time off request” or “Possible typo.”
“If you have a strong emotional reaction to a text message, a phone call or an email, we need to take a deep breath, step back and look at it very critically,” Kron said. “Because these are social engineering attacks and they really work to put you in an emotional state where you make mistakes.”
Other recent attacks have come from emails that spoof messages from Microsoft or Amazon.
Phishing emails with QR codes have also been tricking employees. Like malicious links, these QR codes are often found in emails purporting to come from well-known companies, HR, or IT.
“The continued rise in HR-related phishing emails is especially concerning as they target the very foundation of organizational trust,” said Stu Sjouwerman, CEO of KnowBe4, in an Aug. 7 press release. “Additionally, the rise of QR codes in phishing attempts adds another layer of complexity to these threats.”
KnowBe4 found that the healthcare and pharmaceutical industries were the most susceptible to phishing attacks, followed by hospitality, education and insurance, with some variation for different sizes of organizations.
How does KnowBe4's phishing report work?
KnowBe4 collects the information for its Quarterly Industry Benchmarking Report from its clients and its Phishing Reporting Portal, which any business can use.
KnowBe4, which sells a simulated phishing platform, launches fake phishing attacks against companies to test their resilience. Specifically, KnowBe4 assessed the types of attacks people fall for and how training like its own keeps companies safer from cyberattacks.
The data comes from 54 million simulated phishing tests, affecting more than 11.9 million users from 55,675 organizations around the world.
“Many times we actually take the real ones [phishing attacks] “We can identify hazards that exist and turn them into simulated hazards,” Kron said. “That’s why we do what we call ‘de-silting,’ because we know that’s what’s really happening.”
The report measured “phishing rate,” a proprietary assessment of the percentage of “employees likely to fall for social engineering or phishing scams.” The average PPP dropped from 34.3% to just 4.6% after a year of ongoing phishing training and testing.
SEE: The difference between phishing and spear phishing is whether the attack is generalized or designed for a specific person.
How can companies reduce vulnerability to phishing attacks?
Organizations should make it clear to their employees that phishing emails may not be as full of typos or blatant requests for money as they used to be.
“Generative AI has really helped with translations and cleaning things up,” Kron said, “and allowed them to [attackers] scale much higher without all those bugs we would normally see.”
Employees should remember to carefully review URLs and email addresses. They should consider whether an email with a subject line that includes the word “urgent” is really what it seems.
For example, “Did that actually come from my boss or did it just say his name?” Kron said.
Anti-spam or antivirus filters can detect some social engineering and phishing attacks, while multi-factor authentication can limit attackers’ reach even if the victim clicks on a link or scans a QR code. Along with KnowBe4, companies such as Sophos, Proofpoint, Ninjio Hoxhunt, Cofense and others offer security training using simulated attacks.
In general, make sure employees are vigilant, regardless of whether or not that vigilance is tested with a regular phishing scan.
“You have to be a little nervous about it,” Kron said.