Cyber Security News

HR & IT-Related Phishing Emails Are Top-Clicked Among Phishing Email Types

Phishing emails masquerading as HR and IT-related communications are the most likely to be clicked on by employees as unveiled in a recent study, posing a significant cybersecurity risk to organizations across various industries.

The 2024 Phishing by Industry Benchmarking Report, conducted by KnowBe4, analyzed data from over 54 million simulated phishing tests.

While these tests are performed across more than 11.9 million users from 55,675 organizations in 19 different industries.

Through this report researchers at KnowBe4 highlighted the ongoing vulnerability of employees to social engineering attacks, particularly those that mimic internal communications.

Top three riskiest industries by organization size (Source – Knowbe4)

High Initial Vulnerability: The study found that without proper training, organizations across all industries and sizes faced an average Phish-prone Percentage (PPP) of 34.3%. This means that roughly one in three employees were likely to interact with malicious emails.

Industry-Specific Risks: Healthcare & Pharmaceuticals emerged as one of the most vulnerable sectors, with a PPP of 51.4% for large organizations. Other high-risk industries included Insurance (48.8%) and Energy & Utilities (47.8%).

Size Matters: Larger organizations (1000+ employees) generally showed higher vulnerability, with several industries exceeding a 40% PPP.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Technical Analysis

The report emphasizes the crucial role of comprehensive security awareness training:

  • After just 90 days of training, the average PPP dropped to 18.9%, representing a nearly 50% reduction in vulnerability.
  • Organizations that maintained ongoing training for a year or more saw their PPP plummet to an impressive 4.6%.
Methodology and data set (Source – Knowbe4)

Cybersecurity experts stress the importance of continuous education and testing. “Merely paying lip service to security awareness programs does little to shield an organization from attacks that target human vulnerabilities,” the report states.

2024 International Phishing Benchmarks (Source – Knowbe4)

To mitigate risks, organizations are advised to:-

  1. Implement regular, comprehensive security awareness training.
  2. Conduct frequent simulated phishing tests.
  3. Foster a security-conscious culture within the organization.
  4. Invest in both employee training and advanced technological defenses.

However, it’s important to note that the transforming employee behavior requires persistence, but the benefits of a security-aware workforce are invaluable in the face of increasingly sophisticated phishing attempts.

By prioritizing human risk management and encouraging a strong cybersecurity culture, organizations can significantly reduce their vulnerability to phishing attacks and other social engineering threats.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

New Device Code Phishing Attack Exploit Device Code Authentication To Capture Authentication Tokens

A sophisticated phishing campaign, identified by Microsoft Threat Intelligence, has been exploiting a technique known…

1 hour ago

RedMike Hackers Exploited 1000+ Cisco Devices to Gain Admin Access

Researchers observed a sophisticated cyber-espionage campaign led by the Chinese state-sponsored group known as "Salt…

2 hours ago

AMD Ryzen DLL Hijacking Vulnerability Let Attackers Execute Arbitrary Code

A high-severity security vulnerability, identified as CVE-2024-21966, has been discovered in the AMD Ryzen™ Master…

3 hours ago

PostgreSQL Terminal Tool Injection Vulnerability Allows Remote Code Execution

Researchers have uncovered a high-severity SQL injection vulnerability, CVE-2025-1094, affecting PostgreSQL’s interactive terminal tool, psql. …

3 hours ago

WinZip Vulnerability Let Remote Attackers Execute Arbitrary Code

A newly disclosed high-severity vulnerability in WinZip, tracked as CVE-2025-1240, enables remote attackers to execute…

8 hours ago

Hackers Actively Exploiting New PAN-OS Authentication Bypass Vulnerability

Palo Alto Networks has released a patch for a high-severity authentication bypass vulnerability, identified as…

9 hours ago