We all trust HR - or at least we do when we think they’re emailing us! Data from KnowBe4’s HRM+ platform reveals that phishing simulations with internal subject lines dominate the list of most-clicked templates in 2025.
Out of the top 10 templates people interacted with between May 1 and June 30, 2025, an incredible 98.4% had subject lines relating to internal topics - with HR mentioned in 45.2%. (It was a similar story between January 1 and April 30 this year too.) Our data shows that people are most likely to interact with simulations that have subject lines about pay (such as updating tax forms), changes to the dress code, time off and performance reviews.
There’s nothing hugely out of the ordinary in these templates: they’re all fairly standard communications you could reasonably expect to receive from an HR department. They’re also topics that people will be naturally curious about - which, unfortunately, is again fairly standard for emails from HR - and that is why HR is such a popular department for cybercriminals to impersonate.
Why Do People Fall Victim to Phishing Emails Impersonating HR?
When someone receives an email from HR - whether it’s legitimate, a simulation or a phishing attack - they will rely on ‘mental shortcuts’ (or heuristics) that help them to make snap judgments about the email.
One is authority bias. People can place unreasonably high confidence in information they believe has come from a person or team with formal authority. This is quite often a deeply internalized heuristic that starts from a young age with authority figures such as parents, guardians and relatives, or schoolteachers. Additionally, authority bias can be more or less prevalent based on macro factors such as culture.
Once we reach the workplace, we enter a hierarchy with CEOs and boards of directors at the top - and, crucially, with HR acting as the official internal voice that confirms changes, new policies and so on. Over time, we learn to trust what they say and become familiar with receiving updates from HR over email, which can lower people’s suspicion of an impersonation attack.
This brings us to representativeness, a heuristic that leads people to judge how likely it is that something belongs to a general category based on how similar it is to other members of that category. It might be quite easy for people to identify a phishing email when it doesn’t fit in with normal HR communications. However, with the increased use of GenAI, it’s becoming easier than ever for cybercriminals to create well-written attacks with appropriate branding that at first - or even second - glance would be enough to deceive someone.
They might also play on social proof: people’s fear of missing out, or their decision to “follow the herd” in an ambiguous situation. For example, cybercriminals can imply that someone has forgotten to do something the rest of their department or company has already completed.
As well as tapping into these heuristics, cybercriminals also use a variety of other tactics in the pretext of their attacks. We’ve already noted that people are naturally curious about HR-related topics, making these subjects an obvious choice for impersonation.
Cybercriminals then take this one step further. They exploit employee concerns about job performance, salary adjustments and retirement benefits to create a sense of urgency. The fear of missing a critical deadline for benefits enrollment, or of facing consequences for not complying with a new policy, can compel immediate action, often causing people to unknowingly disengage from the logical decision-making processes that might otherwise urge caution.
These are not simple, opportunistic attacks. Cybercriminals are now using advanced, sector-specific targeting based on extensive reconnaissance. For example, employees in manufacturing might receive fraudulent safety messages, while those in healthcare are targeted with fake HIPAA-related correspondence. To evade security tools, attackers use complex multi-redirect infrastructures, sending users through a series of compromised websites and URL shorteners before they ever reach the final credential-stealing page.
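The signals described above (HR-themed subject lines, urgency cues, a sender who claims to be HR from outside the organisation, and links that pass through shorteners and several hops before the final page) can be turned into a simple mail-triage heuristic. The following is an added example written for this article, not code from KnowBe4 or its Threat Lab; the organisation domain, the sample messages and the redirect maps are all constructed stand-ins, and the redirect map replaces real HTTP Location headers so the script runs offline.

```python
"""Heuristic triage of inbound mail for HR-impersonation indicators.

Added example, not from the original post. Scores messages on the signals the
article describes: an HR-themed subject, urgency wording, a display name that
claims HR while the address is outside the organisation, and a link whose
redirect chain is long or passes through a URL shortener. All data is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.test"  # assumed organisation domain (constructed)

# Subject themes the article reports as most clicked, plus urgency cues.
HR_THEMES = [r"\btax form", r"\bw-?[24]\b", r"\bpayroll\b", r"\bdress code\b",
             r"\btime off\b", r"\bpto\b", r"\bperformance review\b",
             r"\bbenefits? enrol+ment\b", r"\bnew policy\b", r"\bsalary\b"]
URGENCY = [r"\bimmediately\b", r"\bdeadline\b", r"\bfinal notice\b",
           r"\btoday\b", r"\bwithin 24 hours\b"]
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}  # illustrative set


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    links: list
    redirects: dict  # constructed: url -> next url (stand-in for Location headers)


def resolve_chain(url, redirects, max_hops=10):
    """Follow the constructed redirect map and return the hosts visited in order."""
    hosts, seen = [], set()
    while url and url not in seen and len(hosts) < max_hops:
        seen.add(url)
        hosts.append(urlparse(url).hostname or "")
        url = redirects.get(url)
    return hosts


def score(msg):
    """Return the list of indicator names that fire for this message."""
    reasons = []
    subj = msg.subject.lower()
    if any(re.search(p, subj) for p in HR_THEMES):
        reasons.append("hr_theme")
    if any(re.search(p, subj) for p in URGENCY):
        reasons.append("urgency")
    sender_domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    claims_hr = re.search(r"\b(hr|human resources|people team)\b", msg.from_name.lower())
    if claims_hr and sender_domain != INTERNAL_DOMAIN:
        reasons.append("external_sender_claims_hr")
    for link in msg.links:
        hosts = resolve_chain(link, msg.redirects)
        if len(hosts) >= 3 or any(h in SHORTENERS for h in hosts):
            reasons.append(f"redirect_chain:{len(hosts)}_hops")
            break  # one suspicious link is enough to flag the message
    return reasons


def triage(msg):
    """Map the indicator count to a verdict for the analyst queue."""
    reasons = score(msg)
    level = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
    return level, reasons


# Constructed sample messages: a genuine HR reminder, a lookalike-domain lure,
# and a lure that chains through a shortener and a compromised site.
SAMPLES = [
    Message("HR Team", "hr@example-corp.test",
            "Reminder: benefits enrollment closes Friday",
            ["https://hr.example-corp.test/benefits"], {}),
    Message("People Team", "updates@example-corp-hr.test",
            "Updated dress code policy",
            ["https://example-corp-hr.test/policy"], {}),
    Message("HR Department", "hr-notices@mail-notify.example",
            "Action required: update your tax form by today",
            ["https://bit.ly/constructed-link"],
            {"https://bit.ly/constructed-link": "https://compromised-blog.example/r",
             "https://compromised-blog.example/r": "https://login-portal.example/signin"}),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.subject!r}: {triage(m)}")
```

The verdict thresholds are deliberately crude; in practice each indicator would feed a weighted score alongside authentication results (SPF, DKIM, DMARC) and the organisation's own list of approved HR sender addresses, and the redirect chain would be resolved by a sandboxed URL-analysis service rather than a static map.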
The Rising Risk of HR Impersonation Attacks
Our Threat Lab team has uncovered a 120% increase in the volume of phishing attacks impersonating HR between January 1 and March 31, 2025, versus the previous three months. The threat has remained elevated since then, with campaigns spiking around administrative and financial calendar events, as cybercriminals hope their attacks will appear more convincing amongst noisy inboxes filled with legitimate emails on similar topics, or that people will interact quickly with something they’re expecting to receive.
In our next post, we dive into four examples of HR impersonation attacks we’ve seen so far in 2025, exploring how cybercriminals put the theory mentioned in this article into practice to manipulate their targets. Take a read now.
Lead researchers: Jeewan Singh Jalal, Anand Bodke and Prabhakaran Ravichandhiran