Phishing attacks impersonating HR are on the rise. Between January 1 – March 31, 2025, our Threat Lab team observed a 120% surge in these attacks reported via our PhishER product versus the previous three months. These attacks have remained at elevated levels since peaking in February.
(In our previous post, we explored what makes these attacks so effective. Here we look at the trends and the specific campaigns behind the numbers.)
Our analysis of the 2025 reporting data reveals four overall trends in HR impersonation attacks:
- Seasonal Alignment: Attacks are timed to coincide with administrative and financial cycles, such as payroll and benefits deadlines, and use time-sensitive deadlines to manufacture urgency in their targets.
- Increase in Volume and Sophistication: HR-themed attacks are growing in both volume and complexity, with attackers investing in specialized social engineering.
- Advanced, Sector-Specific Targeting: Attackers show evidence of extensive reconnaissance, tailoring lures to specific industries, such as safety messages for manufacturing, HIPAA notices for healthcare and regulatory updates for finance.
- Obfuscation Tactics to Evade Secure Email Gateways (SEGs): Campaigns combine several evasion techniques, including disguised payloads and the abuse of legitimate services' sending infrastructure.
Four Phishing Campaigns Impersonating HR
Vector and type: Email phishing
Primary techniques: Social engineering, impersonation, quishing, payload obfuscation
Targets: Global
Platform: Microsoft 365 and GSuite
Bypassed native and SEG detection: Yes
Key tactic: This attack combines the powerful lure of financial information with a multi-channel QR code attack to bypass technical email filters and deceive targets.
This campaign began in May 2025 and has since systematically targeted organizations worldwide and across sectors, varying its lures and delivery to improve its success rate.
In the example below, the quishing payload is hidden inside an attachment, so neither native nor SEG detection has a URL to inspect. (See our earlier post on how phishing attacks get through SEG detection.) The email body is blank, one of the indicators that likely led the recipient to report it via the KnowBe4 Phish Alert Button, yet the attachment itself is highly personalized, carrying the recipient's name and company logo, and focuses on the deeply personal topic of remuneration.
Because the QR code is meant to be scanned with a phone, this multi-channel attack moves the click from a managed corporate desktop to a personal mobile device that typically sits outside the corporate proxy, URL rewriting and endpoint controls. The destination URL never appears as text in the email, so link reputation checks and rewriting at the gateway have nothing to act on. Defenders should decode QR codes found in attachments at the gateway and treat a blank body paired with an image-only attachment as a reportable indicator.
Quishing (QR code phishing) payload impersonating HR displayed within the PhishER portal.
2. HR Policy Update
Key tactic: By sending through a legitimate, trusted service (Intuit QuickBooks) and fabricating a tight deadline, this campaign pressures the target to act out of fear and urgency.
Throughout 2025, our Threat Lab team has observed rapid growth in attackers using legitimate services to bypass legacy email security. In March, we reported a 36.5% spike in attacks using Intuit QuickBooks infrastructure, and below is an example of cybercriminals continuing to abuse this service. Mail sent this way originates from the service's own servers, so SPF, DKIM and DMARC pass and the sending domain carries a clean reputation; sender authentication alone will not catch it, and detection has to rely on the content and on the mismatch between an HR lure and an invoicing service.
HR impersonation attack abusing Intuit QuickBooks' service, as viewed in the PhishER dashboard.
The message uses a fabricated deadline, the same date the email was sent, together with a stated consequence for inaction, to create urgency so that the target complies without questioning whether the message is legitimate.
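As an added example (not KnowBe4's code and not PhishER's detection logic), here is a small triage script that turns the indicators from the first two campaigns into checks over a raw message: an HR-style display name from a domain that is not the organization's, a blank body whose only content is an image or PDF attachment (the quishing pattern), delivery through a legitimate SaaS notification domain, and a deadline that equals the send date. The HR word list, the relay-domain list and the three sample messages are constructed for this example; decoding the QR image itself needs an image library and is left out.

```python
"""Triage checks for HR-impersonation lures (added example, not KnowBe4 or PhishER code).
Standard library only. The word list, the relay-domain list and the three sample
messages are constructed assumptions; decoding the QR image itself is out of scope."""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

HR_NAME_RE = re.compile(r"\b(hr|human resources|payroll|benefits|people ops)\b", re.I)
IMAGE_OR_PDF = ("image/png", "image/jpeg", "image/gif", "image/svg+xml", "application/pdf")
# Legitimate notification domains seen carrying lures (assumed list): intuit.com because the
# post reports QuickBooks abuse; the second entry is a placeholder for sample 2 below.
SAAS_RELAYS = ("intuit.com", "saas-invoice.example")

# Sample 1 (constructed): the quishing pattern. HR display name, empty text part, and a
# PNG attachment (a 1x1 placeholder image here, not a real QR code).
QUISHING_EML = """\
From: "Human Resources" <hr-notices@example-mailer.net>
To: jane.doe@corp.example
Subject: Your 2025 compensation review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

--b1
Content-Type: image/png; name="Compensation_Review.png"
Content-Disposition: attachment; filename="Compensation_Review.png"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--b1--
"""

# Sample 2 (constructed): HR policy lure relayed through a SaaS notification domain,
# with a deadline equal to the Date header.
RELAY_EML = """\
From: "HR Department via SaaS Notify" <no-reply@notify.saas-invoice.example>
To: jane.doe@corp.example
Subject: ACTION REQUIRED: Updated HR policy acknowledgement
Date: Thu, 12 Jun 2025 09:14:00 +0000
Content-Type: text/html; charset="utf-8"

<html><body><p>All staff must acknowledge the revised HR policy by <b>June 12, 2025</b>.
Failure to do so will suspend payroll processing.</p>
<p><a href="https://notify.saas-invoice.example/view/INV-0001">Review policy</a></p></body></html>
"""

# Sample 3 (constructed): genuine internal HR mail, used as a negative control.
BENIGN_EML = """\
From: "Human Resources" <hr@corp.example>
To: jane.doe@corp.example
Subject: Open enrollment reminder
Date: Mon, 02 Jun 2025 08:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Open enrollment closes on June 30, 2025. Use the benefits portal on the intranet.
"""


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def _visible_text(msg) -> str:
    """Body text as the reader sees it, with HTML tags stripped."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return ""
    text = body.get_content()
    return re.sub(r"<[^>]+>", " ", text) if body.get_content_subtype() == "html" else text


def _same_day_strings(dt) -> list[str]:
    """Common spellings of the send date that a fabricated deadline might use."""
    month = dt.strftime("%B")
    return [f"{month} {dt.day}, {dt.year}", f"{dt.day} {month} {dt.year}",
            f"{dt.month:02d}/{dt.day:02d}/{dt.year}", f"{dt.year}-{dt.month:02d}-{dt.day:02d}"]


def triage(raw: str, internal_domain: str) -> list[str]:
    """Return the names of the indicators that fire for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    hr_themed = bool(HR_NAME_RE.search(name) or HR_NAME_RE.search(msg.get("Subject", "")))
    text = _visible_text(msg)
    findings = []
    # "HR" in the display name, but the mail is not sent from our own domain.
    if HR_NAME_RE.search(name) and not _under(sender, internal_domain):
        findings.append("hr_display_name_from_external_domain")
    # HR theme delivered via a legitimate service: SPF/DKIM/DMARC pass and reputation is clean.
    if hr_themed and any(_under(sender, d) for d in SAAS_RELAYS):
        findings.append("hr_lure_via_saas_relay")
    # Nothing to read in the body; the lure lives in an image or PDF (the quishing pattern).
    if not text.strip() and any(a.get_content_type() in IMAGE_OR_PDF for a in msg.iter_attachments()):
        findings.append("blank_body_with_image_or_pdf_attachment")
    # The deadline written in the body is the day the mail was sent.
    if msg.get("Date"):
        sent = parsedate_to_datetime(str(msg["Date"]))
        if any(s.lower() in text.lower() for s in _same_day_strings(sent)):
            findings.append("deadline_equals_send_date")
    return findings


if __name__ == "__main__":
    for label, raw in (("quishing", QUISHING_EML), ("saas relay", RELAY_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw, "corp.example"))
```

Running the script prints the indicators that fire for each sample; the benign internal reminder fires none. These checks are deliberately cheap and are best used to route a message to quarantine and QR decoding (for example with zbar) rather than to block outright, since internal HR mail with an attached image is not malicious on its own.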
3. 401(k) Update Campaign
Key tactic: This attack leverages employees' natural concern for their retirement finances. It builds a false sense of authenticity with official-looking templates and fake tracking numbers, while using malicious SVG attachments to bypass traditional security filters.
In June and July 2025, a campaign targeted mid-sized organizations with fraudulent 401(k) documentation requests. To appear legitimate, the attack used HTML templates to mimic system-generated alerts, personalized with the recipient’s name and company.
Phishing email within the PhishER portal referencing changes to the recipient’s 401(k) retirement plan.
Another version prompted targets to open a malicious SVG attachment, with a fake tracking number in the subject line to add credibility. Earlier this year, we reported a 245% increase in the use of SVG files to obfuscate payloads so that they bypass SEG detection. SVG is an XML document rather than a bitmap: it can carry script, event handlers and links while many filters treat it as an inert image.
Inspection of a malicious attachment within PhishER.
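As an added example (not KnowBe4's code, and not the campaign's actual SVG, which this post does not reproduce), the following script shows what a static check of an SVG attachment can look for before the file is ever rendered: script elements, on* event handlers, javascript: or data: links, foreignObject elements, and base64 blobs inside script that decode to URLs. The sample SVG, its tracking number and the URL it hides are constructed for this example.

```python
"""Static inspection of an SVG attachment (added example, not KnowBe4 code).
SVG is XML, so a filter that treats it as an image misses the active content it can
carry. This walks the document with the standard library and reports the constructs a
credential-harvesting SVG relies on. The sample SVG and its URL are constructed."""
import base64
import re
import xml.etree.ElementTree as ET

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed lure: a "401(k) update" SVG with a scripted link and a script that
# decodes an obfuscated redirect target (a made-up example.net URL).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200">
  <text x="10" y="40">401(k) Plan Update - Tracking #C6A4F0</text>
  <a xlink:href="javascript:void(0)"><rect width="100" height="30"/></a>
  <script type="text/javascript"><![CDATA[
    var p = "aHR0cHM6Ly9sb2dpbi5leGFtcGxlLm5ldC9zZWN1cmU=";
    window.location = atob(p);
  ]]></script>
</svg>
"""


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _decoded_urls(text: str) -> list[str]:
    """Base64 literals in script text that decode to an http(s) URL."""
    urls = []
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def inspect_svg(data: str) -> dict:
    """Return {'findings': [...], 'urls': [...]} for one SVG document, in document order."""
    findings, urls = [], []
    for el in ET.fromstring(data).iter():
        tag = _local(el.tag).lower()
        if tag == "script":
            findings.append("script_element")
            urls += _decoded_urls(el.text or "")
        elif tag == "foreignobject":
            findings.append("foreignObject_element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()          # xlink:href and href both become "href"
            v = value.strip()
            if name.startswith("on"):            # onload, onclick, ... run when the SVG renders
                findings.append(f"event_handler:{name}")
            elif name == "href" and v.lower().startswith(("javascript:", "data:")):
                findings.append(f"scripted_href:{v.split(':', 1)[0].lower()}")
            elif name == "href" and v.lower().startswith(("http://", "https://")):
                urls.append(v)
    return {"findings": findings, "urls": urls}


def is_suspicious(data: str) -> bool:
    """An 'image' attachment should never need any of the constructs above."""
    return bool(inspect_svg(data)["findings"])


if __name__ == "__main__":
    print(inspect_svg(SAMPLE_SVG))
```

Running it reports the scripted link, the script element and the decoded redirect target. In a gateway pipeline, parse untrusted SVG with defusedxml or another parser hardened against entity-expansion attacks rather than the bare standard library, and treat any script or scripted link inside an image attachment as grounds for quarantine.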
4. Electronic Contract and Financial Documentation
Key tactic: This campaign impersonates routine business processes and automated system notifications to lull targets into a false sense of security, exploiting their regular job functions to steal credentials.
In May 2025, we identified a campaign impersonating HR that purported to circulate contracts for review. Subject lines were personalized with the recipient's company name and the exact date the email was sent. The attack used stylized HTML templates mimicking automated business emails, complete with support information and disclaimers, to appear credible and direct targets to a credential-harvesting site.
Credential harvesting phishing attack displayed via PhishER.
These examples show how convincing an HR impersonation phishing email can be, but the real sophistication lies in the delivery. How does a QR code embedded in an attachment lead to a credential harvesting attack? What does the malicious code inside an SVG file actually look like?
Read the next post in this series, where our researchers will provide a full technical analysis of these advanced evasion techniques.
Missed the first post in this series? Read now.
Lead research: Jewaan Singh Jalal, Anand Bodke and Prabhakaran Ravichandhiran