Staying One Step Ahead: How to Protect Yourself from the Latest Phishing Trends
Cybercriminals are constantly evolving, and phishing scams have become increasingly sophisticated and targeted. In this edition of our newsletter, we’ll highlight the latest phishing trends, including QR code, payroll and HR-related phishing attacks. Understanding these new tactics is essential for keeping your personal and company data safe.
Quishing (QR Code Phishing)
QR codes have become a convenient tool for quickly accessing websites or making payments, but criminals are exploiting this technology to steal your personal information.
Quishing, or QR code phishing, works by embedding fraudulent QR codes in emails that appear legitimate. When scanned, these codes redirect users to fraudulent websites designed to steal personal data, such as login credentials or payment information. In some cases, scanning the QR code can also trigger the download of malicious apps or files, putting your device and sensitive information at risk.
How to Protect Yourself:
- Verify before scanning: If you receive a QR code via email, double-check with the sender first.
- Manually check URLs for authenticity before submitting any personal information.
- Use reputable QR code scanners that offer a preview of the URL before you visit the site.
Payroll & HR Phishing
Another common attack focuses on impersonating HR or Payroll personnel as well as online HR platforms like BambooHR.
These scams typically unfold in a few ways. First, you might receive a fake email that appears to be from Payroll, HR, or a senior executive, asking you to update your banking details or salary information. In another scenario, you may be directed to log in to an HR system like BambooHR, only to find that the link leads to a fraudulent page designed to steal your login credentials. Additionally, cybercriminals may send emails claiming that your salary has been adjusted or that your annual review report is ready, directing you to a phishing site or prompting you to download a malicious file.
How to Protect Yourself:
- Verify all HR and payroll-related requests: If you receive an email asking for account updates, contact HR directly.
- Use bookmarks for HR platforms: Access HR systems by typing the URL directly or using saved bookmarks, instead of clicking on links in emails.
- Enable Multi-Factor Authentication (MFA): Even if threat actors get your password, MFA helps block unauthorized access.
- Never open attachments or click on links in unsolicited emails.
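The URL checks recommended above, for QR codes and for HR login links, can also be run automatically on any link before it is opened. The following Python is an added example, not part of the original newsletter; the trusted-domain list, the 0.85 similarity threshold and every sample URL are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: domains the organisation really uses; tenants are subdomains of these.
TRUSTED_DOMAINS = {"bamboohr.com"}
NEAR_MISS = 0.85  # assumed similarity threshold for lookalike spellings

def check_link(url: str) -> tuple[str, str]:
    """Classify a URL from an email link or a decoded QR code before it is opened."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "block", "malformed URL"
    if parts.scheme != "https" or not host:
        return "block", "not an https URL with a host"
    if parts.username is not None:
        return "block", "text before '@' hides the real host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "block", "punycode label, possible look-alike characters"
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "allow", f"host belongs to {trusted}"
    # Naive registrable domain: the last two labels (no public-suffix list here).
    base = ".".join(host.split(".")[-2:])
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:
            return "block", f"'{brand}' appears inside unrelated host {base}"
        if SequenceMatcher(None, base, trusted).ratio() >= NEAR_MISS:
            return "block", f"{base} is a near-miss spelling of {trusted}"
    return "review", f"unknown host {base}"

# Constructed sample links, as they might be decoded from a QR code or an email.
SAMPLES = [
    "https://acme.bamboohr.com/login",               # genuine tenant subdomain
    "https://bamboohr.com.hr-portal.example/login",  # brand used as a subdomain
    "https://acme.bamboohr.com@hr-portal.example/",  # real host is after the '@'
    "https://acme.bambo0hr.com/login",               # zero in place of the letter o
    "https://intranet.example/payroll",              # unknown, needs a human look
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", *check_link(link))
```

A "review" verdict means the host is neither trusted nor an obvious lookalike, so the request should still be confirmed with HR or IT through a known contact.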
The Human Element
Phishing attacks are not just an IT issue; they are a significant financial risk. While security tools like firewalls and endpoint detection software help protect systems, cybercriminals still rely on human error to succeed.
Now, with the rise of AI-powered cyberattacks, threats are becoming more convincing and harder to detect than ever before. Anyone, anywhere, can appear to be anyone else, anywhere else. All it takes is one click on a malicious link or one mistaken response to expose personal and company data.
Why We Are the Weakest Link:
- Threat actors don’t discriminate—they actively target anyone with access to critical systems and sensitive data.
- Cybercriminals manipulate emotions such as urgency, fear, or overconfidence to prompt quick, uncritical responses.
- Phishing emails exploit the natural tendency to comply with authority figures, creating a sense of urgency that pressures employees into acting without verification.
- Cybercriminals use AI to craft professional, error-free phishing emails while analyzing public data to create highly personalized attacks that are more convincing and harder to detect.
How You Can Help Strengthen Security and Prevent Phishing Attacks
- Think Before You Click: Avoid opening attachments, clicking links, or scanning QR codes in unexpected emails.
- Verify Requests: If you receive urgent HR, payroll, or financial requests, call to confirm before acting.
- Use Strong Passwords: Weak passwords make it easier for cybercriminals to access accounts—ensure yours are strong and unique.
- Check URLs Before Entering Credentials: Fake websites often look like the real thing but have slight differences in their addresses.
- Stay Informed: Cybercriminals constantly evolve their tactics—stay updated on the latest scams.
- Report Suspicious Emails and Activity: If something feels off or you suspect phishing, don’t click—report it immediately to IT.
As phishing threats become more sophisticated in 2025, businesses face greater risks than ever. Cybersecurity is a shared responsibility—if you suspect a phishing attempt, don’t click, report it!