Bad actors continue to rely on phishing emails, with some of the most effective attacks against businesses masquerading as internal communications.
A KnowBe4 study analyzing user behavior during a phishing simulation found that roughly 60% of the failures involved emails referencing an internal team, with nearly half specifically mentioning HR. Some of the most convincing phishing emails included fake Zoom Clips (shortform asynchronous videos purporting to be from a manager), HR training reports, and mail server warnings.
Another tactic that increased the effectiveness of these attacks was the use of QR codes. The top three QR codes scanned by users were linked to a new HR drug and alcohol policy, a DocuSign document for review, and a birthday message sent through Workday.
Phishing for Emotional Responses
The data from KnowBe4 aligns with a recent report from the Association for Financial Professionals, which found that 79% of organizations surveyed had experienced attempted or actual payments fraud over the past year.
The most common tactic identified was business email compromise, often stemming from spoofed internal communications.
A combination of convincing emails and social engineering has been particularly effective for cybercriminals. Bad actors know that employees are less likely to question messages from HR or management and often feel pressured to respond quickly.
Unfortunately, once a user clicks a malicious link or scans a QR code, they can expose their organization to everything from payments fraud to ransomware attacks. For example, a recent breach at the U.S. Office of the Comptroller of the Currency gave criminals access to thousands of highly sensitive emails for over a year—all because they compromised a single administrator’s account.
Incumbent on Organizations
In addition to crafting fake internal communications, criminals are also impersonating the vendors that companies rely on. The KnowBe4 report found that organizations are highly susceptible to communications that appear to be from Microsoft, LinkedIn, and Google.
The focus on phishing means employee education is a critical component of an organization’s fraud defenses, and workers must be conditioned to question every communication. However, it is increasingly incumbent upon organizations to think outside the box to stay ahead of a fraud problem that is spiraling out of control.
