
Internal-themed phishing emails drive sharp rise in staff clicks
The report shows that 98.4% of the top 10 most-clicked phishing email templates imitated internal messages, with attackers frequently posing as HR or IT departments.
These findings indicate a persistent susceptibility among employees to social engineering techniques that leverage trust in familiar internal sources.
According to the data gathered from the KnowBe4 HRM+ platform between April and June 2025, phishing simulation patterns remain largely unchanged from the previous quarter.
The report specifies that internal-themed topics overwhelmingly led to clicks, demonstrating that workplaces continue to struggle with identifying fraudulent emails disguised as routine company communications.
Among the internal communications strategies employed in phishing simulations, HR-themed emails accounted for 42.5% of incidents where employees clicked on malicious links, while IT-themed messages were responsible for 21.5%.
This highlights the particular vulnerability of employees to phishing attempts that exploit organisational trust and daily business processes.
Phishing campaigns using branded content were also prevalent, with 71.9% of malicious landing page interactions featuring recognisable brands.
Microsoft was the most frequently impersonated brand, cited in 26.7% of such incidents. LinkedIn, X, Okta, and Amazon followed, showing that attackers use brand familiarity to further their fraudulent aims.
Analysis of clicked links within these campaigns revealed similar trends.
Internally themed email simulations accounted for 80.6% of the top 20 most-clicked links, and of these, 68.2% used domain spoofing methods to deceive recipients. This trend underscores the complexity of modern phishing attempts, which go beyond simple deception and rely on technical measures that closely imitate legitimate domain names.
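As an added illustration of the combination the report highlights (HR/IT-themed mail sent from domains that imitate the organisation's own), the following Python check is not from the report or from KnowBe4. It assumes a placeholder organisation domain `example.com`, a small HR/IT keyword list, and From headers already decoded to Unicode, and it flags inbound mail whose claimed internal origin does not come from a genuine internal domain.

```python
import re
import unicodedata

ORG_DOMAIN = "example.com"  # assumed organisation domain (placeholder)
INTERNAL_HINT = re.compile(r"\b(hr|human resources|it support|it department|helpdesk|payroll)\b")  # HR/IT themes
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))  # lookalike substitutions

def normalise(domain):  # fold accents and confusable characters so lookalikes compare equal
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for a, b in CONFUSABLES:
        d = d.replace(a, b)
    return d

def edit_distance(a, b):  # Levenshtein distance between two strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the From address (assumes IDNs were already decoded from punycode)."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def assess(from_header, subject):
    """Return (verdict, reason): ok, no-internal-claim, lookalike or external-internal-theme."""
    dom = sender_domain(from_header)
    if dom == ORG_DOMAIN or dom.endswith("." + ORG_DOMAIN):
        return ("ok", "sender domain is our own")
    if not INTERNAL_HINT.search(f"{from_header} {subject}".lower()):
        return ("no-internal-claim", "not an HR/IT-themed message")
    norm = normalise(dom)
    # Exact match after folding, a near-miss spelling, or our name embedded in a longer domain.
    if norm == ORG_DOMAIN or edit_distance(norm, ORG_DOMAIN) <= 2 or ORG_DOMAIN.split(".")[0] in norm:
        return ("lookalike", f"{dom} imitates {ORG_DOMAIN}")
    return ("external-internal-theme", f"internal theme from unrelated domain {dom}")

# Constructed sample headers (not taken from the report); run the file to see each verdict.
SAMPLES = [("HR Team <hr@example.com>", "Updated leave policy"),
           ("IT Support <helpdesk@exarnple.com>", "Your password expires today"),
           ("IT Department <it@exämple.com>", "Mandatory MFA re-enrolment"),
           ("HR <notices@randomcorp.net>", "HR: new remote work policy")]

if __name__ == "__main__":
    for frm, subj in SAMPLES:
        print(assess(frm, subj), "<-", frm)
```

The folding step only covers a handful of substitutions; a production filter would use a full confusables table and compare against every domain the organisation legitimately sends from.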
Attachment-based phishing methods also posed a challenge for employees. Clicks on PDF attachments saw an 8.1% increase compared with the first quarter of 2025, and PDFs constituted 61.1% of the top 20 clicked attachments. HTML files and Word documents made up the remainder, with 20.9% and 18.0% respectively.
Erich Kron, Cybersecurity Advocate at KnowBe4, commented on the findings: "One of the key takeaways from the Q2 Simulated Phishing Roundup is the critical role trust plays in cybersecurity. Whether that is trust in internal communications, familiar brands, or even known individuals, phishing emails that appear to originate from reputable sources will always have a higher chance of lowering a recipient's suspicions." "We see this time and time again in real-world scenarios, where attackers use sophisticated social engineering tactics to take advantage of this fundamental human instinct, making it harder for employees to distinguish legitimate and malicious emails."
Elaborating further, Kron said: "The Q2 findings reinforce the need for organisations to strengthen their human defences through a layered approach centred on human risk management. This includes employee empowerment through a combination of relevant, timely and adaptive security training and intelligent detection technology that can identify and mitigate threats in real time."
The Q2 2025 findings suggest that combating phishing threats requires ongoing prioritisation from organisational leadership, particularly in the areas of training and technological support.
The data indicates a need for adaptive educational programmes and advanced detection mechanisms to ensure that staff can recognise and neutralise phishing attempts disguised as routine communications.