top of page

Is my HR team at risk of a phishing attack?

Statistics show that 32% of businesses were a victim of a cyber-attack in 2022. Additionally, 79% of cyber-attacks reported in 2023 so far were identified as phishing. The threat that these attacks present cannot be overstated. With Human Resources playing an integral role to the functionality of your company; it is important that your HR department, alongside the rest of the workforce, is educated and vigilant against phishing attempts, how to spot them, and what to do with them.

HR systems are a gold mine of personally identifiable information (PII), pertaining not just to current employees but contractors, potential job applicants and financial applications. This information is hugely valuable to fraudsters, who can use this data for various criminal purposes; either to target employees personally, or to launch further attacks against the business and its partners in the future. It is therefore unsurprising they are a target for cyber criminals. These data compromises generate not only a large financial cost to businesses, but a massive reputational hit as well.

phising, business email compromise, HR phishing

What does a phishing attack look like?

Phishing is when attackers attempt to trick you into doing the ‘wrong thing’, such as clicking a bad link that installs malware, or tricking you into revealing sensitive information.

Whilst phishing is conducted through a variety of channels, the word generally describes attacks which arrive by email. It is estimated that 3.4 billion phishing emails are sent globally every single day. 83% of UK businesses that suffered a cyber-attack in 2022 reported being the victim of phishing.

Email phishing takes various forms, some of which are highly sophisticated and not easily identifiable. For example, ‘spear phishing’ is targeted, so personal information is included to make the message sound genuine. Another type is ‘whaling’, where criminals impersonate senior executives of the company, to make the emails urgent and believable. The personal information in these emails use may come from company websites or social media.

One way HR firms and departments are targeted is through business email compromise (BEC) attacks. For example, scammers may impersonate an employee, requesting a change be made to their payroll account. These attacks are targeted and difficult to detect, relying purely on social engineering. Another example could be cybercriminals impersonating a senior member of staff, looking for personal employee information or making financial requests. Cybercriminals can be very thorough with their research and can time their attacks to come at a time when this staff member is out of office or on a holiday.

phishing, personal data, data breach, phishing emails, spear phishing,

Would your HR Team be able to identify a phishing attack?

Some indicators of phishing can be obvious, such as spelling mistakes and misleading links. However, phishing is becoming increasingly more sophisticated. It is imperative that you and your employees are aware of what to look for, such as:

  • Who is emailing you: Be suspicious if they are from a person or organisation that you do not normally deal with.

  • Check the senders address: The ‘From’ field may have a different address. You cannot always see this if you are viewing emails on a phone. Criminals will often use webmail services like Gmail, Outlook and Yahoo to send the email.

  • Authority: Look out for emails claiming to be from high-ranking personnel.

  • Urgency: Phishing emails often convey a sense of urgency.

  • Attachments: Do not open any attachments unless you are fully confident that they are legitimate. Importantly, there has also been a recent rise in ‘quishing’, which is phishing through QR codes. Do not scan any QR codes that appear in emails.

If you believe you have received a phishing email, you should notify your line manager and/or IT company immediately. Additionally, phishing emails can be reported to

How can we help you?

Signing up as a free member of the Eastern Region Cyber Resilience Centre ensures that your business and its employees are supported in implementing simple changes that will protect your organization. You will be enrolled on our ‘Little Steps’ programme which drip feeds you bite-sized practical information to build cyber resilience.

If you feel you need more thorough support, take a look at the affordable student services we can offer your business.

If you are unsure or simply want to know more about cyber resilience and the ECRC, why don’t you book a chat with us today? Alternatively, you can send us any enquiries here.

cyber resilience, ecrc, eastern region cyber resilience centre

Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which isn’t ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page