KnowBe4 releases Q1 2025 Phishing Report with internal communications dominating

KnowBe4

KnowBe4 has released its Q1 2025 Phishing Report, which reveals the most deceptive email subjects users click in phishing simulations. Emails themed around internal teams such as HR and IT account for over 60% of the top-clicked phishing emails.

All data for this report was taken from the KnowBe4 HRM+ platform between January 1, 2025, and March 31, 2025.

KnowBe4’s Q1 2025 Phishing Report reveals that simulations impersonating internal communications, such as messages from HR or IT, produced the most failures (clicks).

An overwhelming 60.7% of the clicked simulations mentioned an internal team, and 49.7% mentioned HR specifically. Despite attackers’ evolving techniques, phishing email remains among the most prevalent tools for executing cyberattacks.

Exploiting this trust in internal senders, cybercriminals craft deceptively authentic phishing emails that align with current trends and play on human emotions to create urgency, tricking recipients into clicking malicious links or opening harmful attachments.

Top-clicked subjects included “Zoom Clips” from managers, HR training reports, and mail server warnings.

The report highlights the ongoing threat posed by phishing links embedded in email, which continue to be a primary attack tactic. Analysis shows people were more likely to click links that related to internal topics or impersonated known brands (61.6% of clicked link simulations), and 68.6% of those involved domain spoofing, where the sender’s domain imitates a legitimate one.

Organisations are highly susceptible to branded landing pages from Microsoft, LinkedIn and Google, which ranked as the top three most effective phishing destinations for harvesting credentials.
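The two preceding paragraphs describe domain spoofing and brand impersonation without showing what a lookalike sender actually looks like. The following is an added example, not code from the KnowBe4 report, of a small classifier that inspects a From: header and reports whether the sender domain imitates one of the three brands the report names. The brand list, the confusable-character table, the edit-distance threshold and the sample headers are all assumptions made for illustration; the registrable-domain logic deliberately uses no public-suffix list.

```python
"""Flag sender addresses that impersonate a known brand via a lookalike domain.

Added example, not taken from the KnowBe4 report. BRAND_DOMAINS, the
confusable table, the edit-distance threshold and SAMPLE_HEADERS are
assumptions made for illustration.
"""
import re
from email.utils import parseaddr

# Brands the report names as the top credential-harvesting landing pages.
BRAND_DOMAINS = ("microsoft.com", "linkedin.com", "google.com")

# Digit-for-letter swaps and two-character look-alikes seen in lookalike domains.
_DIGIT_SWAPS = str.maketrans("0135", "oles")
_PAIR_SWAPS = (("rn", "m"), ("vv", "w"))


def normalize(label: str) -> str:
    """Fold common confusable substitutions back to the letters they imitate."""
    label = label.lower()
    for fake, real in _PAIR_SWAPS:
        label = label.replace(fake, real)
    return label.translate(_DIGIT_SWAPS)


def registrable(domain: str) -> str:
    """Last two labels, e.g. 'login.microsoft.com.evil.net' -> 'evil.net'.
    Assumption: no public-suffix list, so suffixes such as co.uk are not handled."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    """Return a verdict for one From: header.

    verdict is one of: 'malformed', 'brand-domain', 'homoglyph-lookalike',
    'typosquat', 'brand-in-domain-label', 'brand-in-display-name', 'unrelated'.
    """
    display, addr = parseaddr(from_header)
    result = {"address": addr, "domain": "", "brand": None, "verdict": "unrelated"}
    if "@" not in addr:
        result["verdict"] = "malformed"
        return result
    domain = addr.rpartition("@")[2].lower()
    reg = registrable(domain)
    result["domain"] = domain
    if reg in BRAND_DOMAINS:
        # Real domain; whether the header was forged is for SPF/DKIM/DMARC to decide.
        result.update(brand=reg, verdict="brand-domain")
        return result
    labels = re.split(r"[.-]", domain)  # split on dots and hyphens
    for brand in BRAND_DOMAINS:
        name = brand.split(".")[0]
        result["brand"] = brand
        if normalize(reg) == brand:
            result["verdict"] = "homoglyph-lookalike"      # rnicrosoft.com, g00gle.com
        elif edit_distance(reg.split(".")[0], name) == 1:
            result["verdict"] = "typosquat"                # linkedln.com, microsft.com
        elif name in labels:
            result["verdict"] = "brand-in-domain-label"    # google-drive.com, x.microsoft.com.evil.net
        elif name in display.lower():
            result["verdict"] = "brand-in-display-name"    # "Microsoft 365" <x@mail-notify.xyz>
        else:
            result["brand"] = None
            continue
        return result
    return result


# Constructed sample headers, not real mail.
SAMPLE_HEADERS = [
    "Microsoft 365 <noreply@accounts.microsoft.com>",
    "Microsoft 365 <security@rnicrosoft.com>",
    "bob@g00gle.com",
    "LinkedIn <messages@linkedln.com>",
    "Google Drive <share@google-drive.com>",
    "IT Helpdesk <it@login.microsoft.com.evil.net>",
    "Microsoft 365 <noreply@mail-notify.xyz>",
    "Alice <alice@example.org>",
]


def scan(headers):
    """Map each header to its verdict; anything other than brand-domain or
    unrelated is a candidate for quarantine or user-facing warning banners."""
    return {h: classify_sender(h)["verdict"] for h in headers}


if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_HEADERS).items():
        print(f"{verdict:24} {header}")
```

A brand-domain verdict only means the visible domain is genuine; an attacker can still forge that header outright, which is what SPF, DKIM and DMARC alignment checks are for. This example covers the other case the report counts as domain spoofing: a registered lookalike that passes those checks because the attacker controls it.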

The report also reveals people’s continued susceptibility to phishing emails that carry QR codes. The three QR codes scanned most often in simulations related to a new drug and alcohol policy from HR (14.7%), a DocuSign document for review and signing (13.7%) and a Workday happy birthday message (12.7%).

In attachment-based campaigns, people were most likely to open PDFs (53%), HTML files (28.5%) and Word documents (18.5%).

“It is evident that attackers understand that employees are conditioned to respond quickly to messages that appear to come from HR or IT, and trust branded content from platforms they use daily like Microsoft, LinkedIn and Google,” said Stu Sjouwerman, CEO of KnowBe4. “The psychological sophistication behind these attacks demonstrates why human risk management must be central to cybersecurity strategy.

“Organisations must respond by cultivating a security culture that encourages healthy skepticism and verification habits, where employees feel empowered to verify suspicious communications, even when they appear to come from leadership or critical internal departments.”

The Q1 2025 KnowBe4 Phishing Report is available as an infographic from KnowBe4, and further Eskenzi news is available from Eskenzi.
