HR professionals are privy to large amounts of sensitive company data, which can make them vulnerable to cyber attacks. Cybercriminals will often use phishing scams to target HR personnel – they’ll use virtual communication, such as email or other messaging programmes, to masquerade as a legitimate sender and gain access to private data.

The more an HR professional knows about phishing scams, the better they can protect themselves from attacks. In this guide, we run through a few important things to keep in mind, to help protect yourself, your company and your colleagues from savvy cyber scams.

The scams you might encounter

You won’t always be the direct target of a phishing scam. In fact, it could be other company employees that are being targeted, with the cybercriminal impersonating you or someone else on the HR team. They may create fake messages that imitate HR notifications, such as emails encouraging employees to check their payslip, asking for updated personal details, or even encouraging them to fill in company satisfaction surveys. Cybercriminals can also target non-employees, by posting fraudulent job advertisements for roles at your company on job hunting websites.

Of course, HR professionals aren’t immune from falling victim to phishing attacks themselves. For example, you might receive false communications from a company you’re working with – notices that appear to be from a trusted sender can make it hard to recognise that a message is a phishing scam. HR departments work closely with payroll departments, so they should also be wary of false invoices or other requests for funds.

You may even receive false applications for a job role that you’re advertising, whereby a scammer tries to extract information about the business under the guise of being interested in the role. Ultimately, there are endless ways that a cybercriminal could try to attack, and their methods are always evolving – so you should be wary of any electronic communication that doesn’t seem quite right.

How to recognise phishing scams

It’s not always easy to recognise a phishing attempt, particularly if you find yourself distracted while you’re busy at work. It’s best to vet each and every communication you receive thoroughly, even if it doesn’t seem particularly out of the ordinary at first glance.

Checking the source of a message is a good first step, but it won’t always prove whether or not something is a scam – cybercriminals are capable of breaking into your contacts’ email accounts, so phishing attempts won’t always come from a suspicious unknown email address. Look at a range of indicators, such as how unusual the content is (is it a message you were expecting, and what is it asking you to do?) and be mindful of any links included in the message – you’ll want to ensure that the displayed link matches the underlying hyperlink.

Try also to pay attention to the language used in the message. Words like ‘urgent’ and ‘request’ are commonly used in phishing scams in order to grab the recipient’s attention.

What you should do if you encounter a phishing scam

If you’re suspicious about a message you’ve received, it’s best to first try to contact the sender via more trustworthy means, such as in person or over the phone – this way, you can confirm that it truly is them sending the message. If it turns out to be a phishing scam, you’ll want to report it immediately – usually, this will mean forwarding it to your company’s IT department to look into.

It’s important never to engage with a message that you believe to be a phishing scam. Avoid responding or even clicking on any links in the message. Cybercriminals can obtain sensitive information from even the smallest of actions, so it’s important to stay vigilant.

Lastly, speak to your employer about introducing a training plan if you find that you or others are regularly having to deal with phishing scams. This can add an extra layer of security and protect the company as a whole against problematic cyber attacks.


Written for HRTech247 by Emma Haswell.

Emma is an HR manager, and is familiar with the kinds of phishing scams her team are often targeted with. She regularly provides training sessions for her colleagues to learn to better protect themselves from cyber attacks.