Employees interacting more with emails that impersonated colleagues, report finds
Phishing emails disguised as HR communication ranked among the most frequently clicked in simulations run by cybersecurity platform KnowBe4 during the second quarter of the year.
KnowBe4's Q2 2025 Phishing Simulation Roundup report revealed that internally themed topics made up 98.4% of the top 10 most-clicked phishing email templates.
Among these topics, HR was cited in 42.5% of phishing failures, while IT accounted for 21.5%.
The most-clicked subject line in the phishing simulations was: "Microsoft Teams: You have been added as a guest to [[company_name]] Strategic Planning."
Emails purportedly from HR about reimbursement, performance reviews, dress codes, and even time-off requests were also among the most-clicked phishing emails, according to the report.

"People interacted most with emails that impersonated colleagues or referenced internal systems or topics," the report read.
Among the top 20 hyperlinks clicked, 80.6% were part of internally themed simulations.
Three of the top five QR codes that were scanned by employees referenced HR.

Scammers taking advantage of 'human instinct'
Erich Kron, cybersecurity advocate, KnowBe4, said phishing emails that appear to originate from reputable sources will always have a higher chance of lowering a recipient's suspicions.
"We see this time and time again in real-world scenarios, where attackers use sophisticated social engineering tactics to take advantage of this fundamental human instinct, making it harder for employees to distinguish legitimate and malicious emails," Kron said in a statement.
A well-known cyberattack in Hong Kong involved a clerk who was duped into transferring HK$200 million after participating in a video conference where all other participants turned out to be AI-generated deepfake personas posing as colleagues.
In Singapore, a multinational firm earlier this year also nearly lost half a million dollars after a deepfake video conference scam preyed on the company's finance director.
Kron said their findings at KnowBe4 underscore the need for organisations to strengthen their human defences.
"This includes employee empowerment through a combination of relevant, timely and adaptive security training and intelligent detection technology that can identify and mitigate threats in real time," he said.