
We all trust HR - or at least we do when we think they’re emailing us! Data from KnowBe4’s HRM+ platform reveals that phishing simulations with internal subject lines dominate the list of most-clicked templates in 2025.
HR teams manage some of the most sensitive data in any organization, including employee personal information, payroll details, tax records, and benefits data. This makes HR a high-value target for cybercriminals and a critical area of cybersecurity risk that organizations often underestimate.
Out of the top 10 templates people interacted with between May 1 - June 30, 2025, an incredible 98.4% had subject lines relating to internal topics - with HR mentioned in 45.2%. (It was a similar story between January 1 - April 30 this year too.) Our data shows that people are most likely to interact with simulations that have subject lines about pay (such as updating tax forms), changes to the dress code, time off and performance reviews.
There’s nothing hugely out of the ordinary in these templates: they’re all fairly standard communications you could reasonably expect to receive from an HR department. They’re also topics that people will be naturally curious about - which, unfortunately, is again fairly standard for emails from HR - and that is why HR is such a popular department for cybercriminals to impersonate.
This is a clear example of human risk in action where normal, trusted behaviors create opportunities for attackers. Managing cybersecurity human resources risk requires understanding not just threats, but how people naturally interact with them.
Key Takeaways
- HR is a high-risk area for cybersecurity because HR teams manage sensitive employee data and are trusted sources of internal communication, making them attractive targets for impersonation attacks
- Cybersecurity human resources risk is driven by human behavior, not just technical gaps, as attackers exploit authority, trust, and urgency in HR-themed phishing emails
- HR impersonation attacks are increasing, with phishing campaigns frequently timed around payroll, benefits enrollment, and policy updates to appear legitimate
- Employees are targeted, not at fault, as cybercriminals use social engineering and AI-generated content to closely mimic real HR communications
- Reducing HR-related cybersecurity risk requires a behavior-based approach, combining visibility into how people interact with HR communications and adaptive measures to reduce human-driven risk over time
Why HR Is a High-Risk Cybersecurity Function
HR teams sit at the intersection of people, data, and internal systems, making them a uniquely high-risk area from a cybersecurity perspective. HR departments routinely handle large volumes of sensitive information, including personally identifiable information (PII), payroll data, tax documents, benefits details, and employment records. This concentration of sensitive data makes HR an attractive target for cybercriminals seeking financial gain, identity theft opportunities, or access to broader organizational systems.
In addition to the data they manage, HR teams communicate frequently with employees across the organization. Emails related to compensation, performance reviews, policy updates, and benefits enrollment are expected and trusted, creating ideal conditions for impersonation and social engineering attacks. When attackers successfully mimic HR communications, they can bypass technical defenses by exploiting employee trust rather than system vulnerabilities.
HR functions also rely heavily on third-party platforms for recruiting, payroll, benefits administration, and performance management. Each additional system and vendor introduces new access points and potential weaknesses, increasing overall cybersecurity risk if controls are not properly managed.
Together, these factors make HR not just a support function, but a critical component of an organization’s cybersecurity risk surface. Reducing cybersecurity human resources risk requires visibility into how employees interact with HR-related communications and systems, along with ongoing efforts to address the human behaviors attackers are most likely to exploit.
Why HR Communications Are So Effective for Social Engineering Attacks
When someone receives an email from HR - whether it’s legitimate, a simulation or a phishing attack - they will rely on ‘mental shortcuts’ (or heuristics) that help them to make snap judgments about the email.
One is authority bias. People can place unreasonably high confidence in information they believe has come from a person or team with formal authority. This is quite often a deeply internalized heuristic that starts from a young age with authority figures such as parents, guardians and relatives, or schoolteachers. Additionally, authority bias can be more or less prevalent based on macro factors such as culture.
Once we reach the workplace, we enter a hierarchy with CEOs and boards of directors at the top - and, crucially, with HR acting as the official internal voice that confirms changes, new policies and so on. Over time, we learn to trust what they say and become familiar with receiving updates from HR over email, which can lower people’s suspicion of an impersonation attack.
This brings us to representativeness, a heuristic that leads people to judge how likely it is that something belongs to a general category based on how similar it is to other members of that category. It might be quite easy for people to identify a phishing email when it doesn’t fit in with normal HR communications. However, with the increased use of GenAI, it’s becoming easier than ever for cybercriminals to create well-written attacks with appropriate branding that at first - or even second - glance would be enough to deceive someone.
They might also play on social proof; people’s fear of missing out or decision to “follow the herd” in an ambiguous situation. For example, cybercriminals can imply someone has forgotten to do something the rest of their department or company has already completed, or even that there is an urgent payroll issue they need to resolve.
As well as tapping into these heuristics, cybercriminals also use a variety of other tactics in the pretext of their attacks. We’ve already noted that people are naturally curious about HR-related topics, making these subjects an obvious choice for impersonation.
Cybercriminals then take this one step further. They exploit employee concerns about job performance, salary adjustments and retirement benefits to create a sense of urgency. The fear of missing a critical deadline for benefits enrollment, or of facing consequences for not complying with a new policy, can compel immediate action. That urgency pushes people to act quickly and leaves little time for careful verification, which is exactly the condition cybercriminals design their attacks to exploit.
These are not simple, opportunistic attacks. Cybercriminals are now using advanced, sector-specific targeting based on extensive reconnaissance. For example, employees in manufacturing might receive fraudulent safety messages, while those in healthcare are targeted with fake HIPAA-related correspondence. To evade security tools, attackers use complex multi-redirect infrastructures, sending users through a series of compromised websites and URL shorteners before they ever reach the final credential-stealing page.
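The pressure cues described above (a claimed HR identity on an external sender, a lookalike domain, HR-themed subjects, urgency and social-proof wording, shortened links that hide the real destination) can be turned into a simple triage rule on the defender's side. The following is an added example, not KnowBe4 code or data: the domain, the keyword lists, the point weights and the three sample mails are all constructed for illustration, and the weights are not a calibrated model.

```python
"""Triage rule: score inbound mail for HR-impersonation indicators.

Added example (not KnowBe4 code). INTERNAL_DOMAIN, the keyword lists,
the weights and the sample mails are constructed assumptions.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example-corp.com"   # assumption: your own mail domain

# Lexical cues that mirror the HR lures and pressure tactics discussed above
HR_TOPICS = ("payroll", "tax form", "w-2", "benefits", "enrollment", "dress code",
             "time off", "performance review", "salary", "retirement")
URGENCY = ("urgent", "immediately", "deadline", "today", "final notice", "action required")
SOCIAL_PROOF = ("everyone else", "rest of the team", "already completed")
SHORTENERS = ("bit.ly", "tinyurl.com", "is.gd")      # constructed sample list
FLAG_THRESHOLD = 50


@dataclass
class Email:
    display_name: str
    sender: str
    subject: str
    body: str
    urls: list = field(default_factory=list)


@dataclass
class Verdict:
    score: int
    reasons: list

    @property
    def suspicious(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def claims_to_be_hr(display_name: str) -> bool:
    name = display_name.lower()
    return "hr" in name.split() or "human resources" in name


def score_email(mail: Email) -> Verdict:
    score, reasons = 0, []
    domain = sender_domain(mail.sender)
    text = f"{mail.subject} {mail.body}".lower()
    internal_label = INTERNAL_DOMAIN.split(".")[0]

    # Authority cue abused: the name says HR, but the mail did not come from our domain
    if claims_to_be_hr(mail.display_name) and domain != INTERNAL_DOMAIN:
        score += 40
        reasons.append(f"claims HR but sent from external domain {domain}")
    # Representativeness: a lookalike domain built around our own name
    if domain != INTERNAL_DOMAIN and internal_label in domain:
        score += 20
        reasons.append(f"lookalike domain {domain}")
    if any(t in text for t in HR_TOPICS):
        score += 15
        reasons.append("HR-themed subject/body")
    if any(u in text for u in URGENCY):
        score += 15
        reasons.append("urgency language")
    if any(s in text for s in SOCIAL_PROOF):
        score += 10
        reasons.append("social-proof pressure")
    # Multi-hop evasion: shortened links hide the real destination from the reader
    if any(any(s in url.lower() for s in SHORTENERS) for url in mail.urls):
        score += 20
        reasons.append("URL shortener link")
    return Verdict(score, reasons)


# Constructed sample mails (not real messages)
SAMPLE_EMAILS = {
    "legit_hr": Email("HR Department", "hr@example-corp.com",
                      "Reminder: benefits enrollment closes Friday",
                      "Open enrollment for 2026 benefits closes on Friday. "
                      "Make your elections in the benefits portal.",
                      ["https://benefits.example-corp.com/enroll"]),
    "impersonation": Email("Human Resources", "payroll-update@example-corp-hr.com",
                           "Action required: update your tax form today",
                           "Everyone else has already completed the new tax form. "
                           "Deadline is today.",
                           ["https://bit.ly/3xyz-update"]),
    "external_benign": Email("Jane Doe", "jane@recruiter-example.net",
                             "Quick question about the open role",
                             "Are you still hiring for the analyst position?"),
}


def triage(emails: dict) -> dict:
    """Return {label: Verdict} for a batch of mails."""
    return {label: score_email(m) for label, m in emails.items()}


if __name__ == "__main__":
    for label, v in triage(SAMPLE_EMAILS).items():
        status = "FLAG" if v.suspicious else "ok"
        print(f"{label:16s} {v.score:3d} {status:4s} {', '.join(v.reasons)}")
```

The rule deliberately scores the legitimate internal HR reminder low (topic only) and the external recruiter at zero, while the lookalike-domain mail that combines the claimed HR identity, urgency, social proof and a shortened link crosses the review threshold; in practice such a score would route the message to a reviewer or a banner, not block it outright.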
The Rising Risk of HR Impersonation Attacks
Our Threat Lab team has uncovered a 120% increase in the volume of phishing attacks impersonating HR between January 1 - March 31, 2025, versus the previous three months. The threat has remained elevated since then, with campaigns spiking around administrative and financial calendar events, as cybercriminals hope their attacks will appear more convincing amongst noisy inboxes filled with legitimate emails on similar topics, or that people will interact quickly with something they’re expecting to receive.
Why HR Data Is a Prime Target for Cybercriminals
HR data is targeted more frequently than data from many other departments because it combines high sensitivity, broad access, and inherent trust. HR teams manage personally identifiable information (PII) such as names, addresses, Social Security numbers, tax forms, direct deposit details, and benefits information: data that can be directly monetized through fraud or identity theft. In many cases, HR systems also serve as gateways to payroll platforms, benefits providers, and other internal systems, increasing their value to attackers.
Beyond the data itself, HR communications carry an assumption of legitimacy. Employees expect HR to request information, announce policy changes, and prompt action around time-sensitive matters. Cybercriminals exploit this trust by impersonating HR to bypass skepticism and encourage fast responses, making HR-related attacks particularly effective compared to phishing attempts that originate from unknown or external senders.
How Organizations Can Reduce Cybersecurity Human Resources Risk
Reducing cybersecurity human resources risk requires more than technical controls; it requires understanding and addressing human behavior. Since HR impersonation attacks are designed to look routine and credible, traditional security tools alone may not be enough to stop them. Organizations benefit from continuously monitoring how employees interact with HR-related communications and identifying patterns of risky behavior before they lead to incidents.
A behavior-based approach allows organizations to reinforce secure decision-making, prioritize users or actions that introduce the most risk, and adapt defenses as attack techniques evolve. By focusing on how people respond to HR-related messages, not just whether an email is malicious, organizations can reduce the likelihood that trusted HR communications become an entry point for cyberattacks.
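What "prioritize users or actions that introduce the most risk" can look like in practice, as an added example rather than KnowBe4 or HRM+ code: a small scorer over phishing-simulation event logs that weights clicks and credential submissions against reports, discounts older campaigns, and ranks users for follow-up, alongside a per-theme click rate that shows which lures (here, the HR-themed ones) are landing. The event log, the weights, the decay factor and the repeat-clicker multiplier are constructed assumptions for illustration.

```python
"""Behavior-based risk scoring from phishing-simulation event logs.

Added example (not KnowBe4 or HRM+ code). The event records, weights,
decay factor and repeat-clicker multiplier are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights: reporting earns credit, clicking and submitting cost points
WEIGHTS = {"delivered": 0, "opened": 1, "clicked": 10, "submitted": 25, "reported": -8}
DECAY = 0.5                     # each campaign of age halves an event's weight
REPEAT_CLICK_MULTIPLIER = 2.0   # users who clicked in 2+ campaigns are doubled


@dataclass(frozen=True)
class Event:
    campaign: int   # 1 = oldest campaign
    user: str
    theme: str      # template theme, e.g. "hr-payroll"
    action: str     # one of the WEIGHTS keys


# Constructed sample log: three campaigns, three users
EVENTS = [
    Event(1, "alice", "hr-payroll", "delivered"), Event(1, "alice", "hr-payroll", "clicked"),
    Event(1, "bob", "hr-payroll", "delivered"), Event(1, "bob", "hr-payroll", "reported"),
    Event(1, "carol", "hr-payroll", "delivered"), Event(1, "carol", "hr-payroll", "opened"),
    Event(1, "carol", "hr-payroll", "clicked"),
    Event(2, "alice", "it-password", "delivered"), Event(2, "alice", "it-password", "opened"),
    Event(2, "bob", "it-password", "delivered"), Event(2, "bob", "it-password", "reported"),
    Event(2, "carol", "it-password", "delivered"), Event(2, "carol", "it-password", "opened"),
    Event(3, "alice", "hr-benefits", "delivered"), Event(3, "alice", "hr-benefits", "clicked"),
    Event(3, "alice", "hr-benefits", "submitted"),
    Event(3, "bob", "hr-benefits", "delivered"), Event(3, "bob", "hr-benefits", "reported"),
    Event(3, "carol", "hr-benefits", "delivered"), Event(3, "carol", "hr-benefits", "clicked"),
]


def user_risk(events):
    """Per-user score: recency-weighted action points, floored at zero."""
    latest = max(e.campaign for e in events)
    raw = defaultdict(float)
    click_campaigns = defaultdict(set)
    for e in events:
        raw[e.user] += WEIGHTS[e.action] * DECAY ** (latest - e.campaign)
        if e.action == "clicked":
            click_campaigns[e.user].add(e.campaign)
    scores = {}
    for user, s in raw.items():
        if len(click_campaigns[user]) >= 2:      # repeat clicker: a pattern, not a slip
            s *= REPEAT_CLICK_MULTIPLIER
        scores[user] = max(0.0, s)               # consistent reporters bottom out at 0
    return scores


def rank_users(events):
    """Highest-risk users first, so they can be prioritised for follow-up."""
    return sorted(user_risk(events).items(), key=lambda kv: (-kv[1], kv[0]))


def theme_click_rate(events):
    """Clicks per delivery for each template theme."""
    delivered = defaultdict(int)
    clicked = defaultdict(int)
    for e in events:
        if e.action == "delivered":
            delivered[e.theme] += 1
        elif e.action == "clicked":
            clicked[e.theme] += 1
    return {t: clicked[t] / delivered[t] for t in delivered}


if __name__ == "__main__":
    for user, score in rank_users(EVENTS):
        print(f"{user:8s} {score:6.2f}")
    for theme, rate in sorted(theme_click_rate(EVENTS).items()):
        print(f"{theme:14s} click rate {rate:.0%}")
```

Two design points carry the behavioral argument: the score is about the person's pattern over time (a repeat clicker is weighted more than a single lapse, and recent behavior counts more than old), and reporting is rewarded, so the output separates who needs targeted follow-up from who is already acting as a sensor. The theme breakdown is what tells you which pretexts to rehearse next.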
Reduce Cybersecurity Risk in Human Resources with KnowBe4
HR communications remain one of the most effective tools cybercriminals use to gain access. Reducing cybersecurity human resources risk requires more than awareness; it demands continuous insight into behavior and adaptive risk reduction. Discover how KnowBe4 helps organizations protect employees, HR data, and internal trust from impersonation attacks.
Lead researchers: Jeewan Singh Jalal, Anand Bodke and Prabhakaran Ravichandhiran
Here's how it works:
