Human resources (HR) and IT-related phishing emails share the lion’s share (48,6%) of the top-clicked phishing types globally.
Despite evolving techniques by bad actors, phishing emails remain among the most prevalent tools for executing cyberattacks, and KnowBe4’s 2024 Phishing by Industry Benchmarking Report reveals that about one in three users is susceptible to interacting with malicious links or fraudulent requests.
Exploiting this vulnerability, cybercriminals craft deceptively authentic phishing emails that align with current trends, exploiting human emotions to invoke urgency and trick recipients into clicking malicious links or opening harmful attachments.
The report spotlights the ongoing threat posed by email-embedded phishing links, which continue to be the top attack vector of choice. These malicious links, PDF attachments and spoofed domains, when interacted with, often result in disastrous cyberattacks, including ransomware attacks and business email compromise.
The report also reveals a surge in phishing campaigns leveraging QR codes. Popular QR code phishing subjects include HR reminders for policy reviews, DocuSign emails to sign an urgent document, and Zoom meeting invitations. These messages, often masquerading as communication from HR, colleagues or external vendors, pose substantial risks as they can easily be replicated by malicious actors.
“Our latest phishing report underscores the evolving sophistication of phishing tactics, with cybercriminals increasingly exploiting the trust employees place in internal communications,” says Stu Sjouwerman, CEO of KnowBe4. “The prevalence of HR and IT-themed phishing attempts, coupled with emerging techniques like QR code integration, presents a complex threat landscape.
“These tactics are particularly deceptive as they leverage the perceived legitimacy of trusted sources, often prompting hasty actions before verification. In this rapidly changing environment, a well-trained workforce and a robust security culture are not just beneficial—they are essential. By prioritizing human risk management, organisations can effectively build a formidable defense against avoidable cyberthreats.”