Personalised internal emails drive sharp rise in phishing risk
Research by KnowBe4 has found that employees are most likely to engage with phishing emails that impersonate colleagues or refer to internal company systems and topics.
The Q3 2025 Phishing Simulation Roundup, compiled by KnowBe4, draws from data gathered between July and September 2025 using the company's HRM+ platform. Findings indicate that phishing emails personalised to appear as if sent from HR or IT departments cause the highest interaction rates among recipients.
According to the report, personalisation techniques, especially those incorporating the recipient's company name, greatly increased click rates. The two subject lines with the most clicks in the simulation included the company's name, reflecting a sustained pattern of employees responding to messages that appear relevant to their organisation.
Internal topics
The research highlights that 90% of the most-clicked subject lines referenced internal topics, with emails purporting to be from HR accounting for 45% of the top ten. This suggests that phishing simulations mimicking routine workplace communications continue to be effective in eliciting user interaction.
"When a message seems routine, such as something from HR or IT, users are less likely to question it," said Erich Kron, CISO advisor at KnowBe4. "The fact that this trend continues quarter after quarter tells us that this is not just about tricking users, it is about understanding human behaviour. That is exactly why KnowBe4's human and agentic AI risk management platform addresses both training and behaviour change to build lasting security resilience."
This tendency for employees to trust familiar internal communications underlines the challenge organisations face in countering phishing attacks, especially when emails are personalised to the recipient's workplace context.
Branded content
Further analysis in the KnowBe4 report shows that 70% of simulated landing page interactions involved branded content. Microsoft was the most frequently imitated brand, representing a quarter of such interactions, with other notable brands including LinkedIn, X, Okta, and Amazon featuring as well.
These findings indicate that attackers continue to leverage widely recognised brands, often used in enterprise environments, to increase the credibility of phishing attempts and encourage user engagement.
Hyperlinks and spoofed domains
Among the simulation's most-clicked hyperlinks, 82% came from emails styled to appear as internal communications. Additionally, 66% of these successful phishing attempts used domain spoofing techniques, indicating that a significant portion of phishing relies on replicating legitimate company domains or email formats.
Domain spoofing remains a common tactic for cybercriminals, allowing them to disguise phishing emails as genuine internal messages and bypass users' suspicion.
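The domain-spoofing figures above are easier to act on with a concrete check on the mail gateway or in a triage script. The following is an added example written for this article, not KnowBe4's code or part of the report: it classifies the sender of a message against a hypothetical internal domain (example-corp.com) by comparing the From domain for exact match, lookalike spellings (homoglyph substitutions and small edit distances), an internal name used as a subdomain of a foreign domain, an external address whose display name claims to be the organisation, and a From header that says internal while the Return-Path envelope sender points elsewhere. The homoglyph table, thresholds, domains and sample messages are all constructed for the example.

```python
"""Classify an email sender against an organisation's own domain.

Added example for the domain-spoofing discussion; not KnowBe4's code.
Every domain, name and message below is constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"   # hypothetical internal domain
ORG_NAME = "example-corp"              # short org name as it appears in display names

# Substitutions that make a lookalike domain read like the real one.
# Chosen for this example; a production list would be longer and maintained.
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Lower-case a domain and collapse common homoglyph substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPH_PAIRS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character swaps and omissions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is not the internal one but is built to resemble it."""
    d = domain.lower()
    if d == INTERNAL_DOMAIN:
        return False
    if normalise(d) == INTERNAL_DOMAIN:           # examp1e-corp.com
        return True
    if edit_distance(d, INTERNAL_DOMAIN) <= 2:   # example-corp.co, exampel-corp.com
        return True
    return d.startswith(INTERNAL_DOMAIN + ".")    # example-corp.com.attacker.example


def classify(raw: str) -> dict:
    """Return a verdict for one RFC 822 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    env_domain = envelope.rpartition("@")[2].lower()

    if from_domain == INTERNAL_DOMAIN:
        # Header claims internal origin. An envelope sender elsewhere means the
        # message did not leave through our own mail system; legitimate third-party
        # bulk senders also trigger this, so it is a review signal, not a block.
        # With no Return-Path header we cannot check alignment and accept the claim.
        verdict = "internal" if env_domain in ("", INTERNAL_DOMAIN) else "envelope-misaligned"
    elif is_lookalike(from_domain):
        verdict = "lookalike-domain"
    elif ORG_NAME in display.lower() or ORG_NAME in addr.partition("@")[0].lower():
        verdict = "external-claims-internal"     # display name or mailbox borrows our name
    else:
        verdict = "external"
    return {"display": display, "address": addr, "from_domain": from_domain,
            "envelope_domain": env_domain, "verdict": verdict}


# Constructed sample messages, one per verdict.
SAMPLES = {
    "legit": "From: HR Team <hr@example-corp.com>\nReturn-Path: <hr@example-corp.com>\n"
             "Subject: Updated holiday policy\n\nBody\n",
    "lookalike": "From: IT Helpdesk <it-support@examp1e-corp.com>\n"
                 "Return-Path: <it-support@examp1e-corp.com>\nSubject: Password expiry\n\nBody\n",
    "display_spoof": 'From: "example-corp HR" <hr@mail-notify.example.net>\n'
                     "Return-Path: <bounce@mail-notify.example.net>\nSubject: Payroll update\n\nBody\n",
    "misaligned": "From: Payroll <payroll@example-corp.com>\n"
                  "Return-Path: <x@bulk-sender.example.net>\nSubject: Payslip\n\nBody\n",
}


def classify_samples() -> dict:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: classify(raw)["verdict"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14} -> {verdict}")
```

The Return-Path comparison stands in for the alignment check a gateway would normally take from the Authentication-Results header (SPF, DKIM and DMARC results); the homoglyph and edit-distance tests are what catch the replicated-domain cases the report describes, and both lists are the parts to tune for a real internal domain.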
Attachments and file types
The report also examined user interactions with attachments in simulated phishing emails. It found that PDF files constituted 56% of the top 20 attachments opened, followed by Word documents at 25% and HTML files at 19%. This distribution suggests that attackers favour commonly shared file types to maximise the chance of their phishing emails being opened and engaged with by recipients.
The regular use of trusted file formats further demonstrates the importance of user vigilance and security training to prevent successful phishing attempts.
Behavioural patterns
Erich Kron's assessment aligns with the data: email messages that imitate mundane, work-related communications tend to receive less scrutiny. The findings underscore the ongoing challenge for organisations in addressing human factors within cybersecurity protocols.
The KnowBe4 platform includes tools designed to reduce such risks, focusing on both training and behaviour modification. As part of this approach, the company incorporates awareness and compliance modules, email security measures, real-time coaching, crowdsourced anti-phishing tools, and AI defence agents within its HRM+ platform.