09 January 2026 / Press release

HR phishing scams fooled more than just the Belgian federal parliament in 2025

Fake termination letters, revoked vacation approvals, and spoofed salary updates — in 2025, phishing emails posing as HR communications were among the most successful tactics used by cybercriminals.


At the end of 2025, we analyzed 7 million simulated phishing emails sent to 500,000 Belgian employees. The results? One in three clicked on HR-related phishing content. The findings were picked up by major Belgian outlets like Het Nieuwsblad, Het Belang van Limburg, Gazet van Antwerpen, QMusic, Joe FM, Solutions Magazine, and TinyNews. Earlier in the year, a payroll fraud incident involving member of parliament Mathieu Michel had already highlighted just how convincing these types of phishing emails can be.

The stronger the emotion, the higher the click rate

HR messages work so well because they hit close to home. A subject line like "Vacation Request Denied" or "Remote Work Policy Update" immediately triggers an emotional reaction. Fear, stress, or confusion can override a person’s usual security instincts — leading them to click without thinking twice. Messages about traffic violations or taxes have a similar effect.

Thanks to generative AI, attackers can now produce these emails quickly and at scale: personalized, free of the spelling and grammar errors that once gave phishing away, and dispatched by fully automated campaigns. Since the release of ChatGPT, the volume of phishing emails worldwide has doubled.

The top 5 phishing topics* employees are most likely to fall for — and their click-through rates**:

  1. Vacation or salary-related updates (31.5%)
  2. Company policy changes (24.7%)
  3. HR information or documents (18.1%)
  4. Traffic fines and taxes (16.7%)
  5. Signing internal documents (9.2%)

The wrong kind of training, at the wrong time

Most companies rely on phishing simulations to “train” their teams. Click the wrong link, and you get an instant notification that you’ve made a mistake — and should be more careful next time. This “click & blame” model is still widely seen by IT managers as the go-to solution for security awareness training.

But the numbers tell a different story. Recent academic research from the University of California, San Diego*** confirms what we’ve seen firsthand: phishing simulations on their own don’t work. Why? Because only the people who make a mistake get trained. The vast majority of employees never receive any real guidance.

To make things worse, you’re catching people at the worst possible moment — when they’re busy, mid-task, and just trying to get through their inbox. That’s not a learning moment — it’s a disruption.

Continuous cybersecurity training is the only approach that works

If you want employees to learn, you need to give them regular opportunities to do so — not just when they mess up. Two short training moments per month should be the bare minimum. And that training should be interactive, engaging, and focused on building awareness: how to spot red flags, what to do if something feels off, and how to stay calm when dealing with emotionally charged emails.

An employee who has been trained this way won’t blindly trust a request to update a bank account number. They'll know how to check the sender, verify the request through a separate channel (for example, by calling HR on a number they already know rather than one given in the email), and protect themselves and the organization from fraud.
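The sender checks described above can also be applied mechanically before a message reaches the inbox. The script below is an added example, not part of this press release or of any Phished product: it runs a handful of sender checks (SPF/DKIM/DMARC results, an HR-looking display name on an external domain, a Reply-To domain that differs from the From domain, and an HR lure combined with a link to an external host) over two constructed messages. The domain example.com, the lure terms, and both sample emails are assumptions made for this example.

```python
"""Added example: sender checks for HR-themed email, run over constructed samples."""
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Assumption for this example: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example.com"}
# Display-name fragments an external sender has no business using.
HR_NAME_PATTERN = re.compile(r"\b(hr|human resources|payroll|people team)\b")
# Lure terms drawn from the top phishing topics listed on this page.
HR_LURE_TERMS = ("vacation", "salary", "policy", "bank account", "sign")

# Constructed sample of a spoofed HR message (not a real phishing email).
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-hr.com; dkim=none; dmarc=fail header.from=example-hr.com
From: "HR Department" <hr@example-hr.com>
Reply-To: payroll-update@mail-example-hr.net
To: jane.doe@example.com
Subject: Vacation Request Denied - action required
Content-Type: text/plain; charset="utf-8"

Your vacation request has been denied. To appeal, confirm your salary and
bank account details at https://example-hr.com/appeal within 24 hours.
"""

# Constructed sample of a legitimate internal HR message.
LEGIT_EMAIL = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "HR Department" <hr@example.com>
To: jane.doe@example.com
Subject: Vacation request approved
Content-Type: text/plain; charset="utf-8"

Your vacation request for 3-7 March has been approved. Regards, HR
"""


def domain_of(addr):
    """Lowercase domain part of an address such as 'HR <hr@x.com>' ('' if none)."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def parse_auth_results(header):
    """Map spf/dkim/dmarc to their outcome from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)}


def check_sender(raw):
    """Return a list of human-readable findings; an empty list means no anomaly."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain

    # 1. Authentication results: a genuine HR mail should pass all three.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} result is {auth.get(mech, 'missing')}, not pass")

    # 2. Display-name impersonation: looks like HR, but the domain is external.
    if from_domain not in INTERNAL_DOMAINS and HR_NAME_PATTERN.search(display_name.lower()):
        findings.append(f"display name {display_name!r} claims HR but domain {from_domain} is external")

    # 3. Reply-To routed to a different domain than the visible sender.
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Emotionally charged HR lure combined with a link to an external host.
    subject = (msg.get("Subject", "") or "").lower()
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    lures = [t for t in HR_LURE_TERMS if t in body or t in subject]
    link_hosts = set(re.findall(r"https?://([^/\s]+)", body))
    if lures and any(h not in INTERNAL_DOMAINS for h in link_hosts):
        findings.append(f"HR lure ({', '.join(lures)}) with link to external host {sorted(link_hosts)}")
    return findings


def needs_out_of_band_verification(raw):
    """True when any finding exists: the request must be confirmed via a known channel."""
    return bool(check_sender(raw))


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, "->", check_sender(sample) or "no sender anomalies")
```

The checks are deliberately simple and only flag a message for out-of-band verification; they do not replace a mail gateway's DMARC enforcement, and the display-name rule will need tuning to an organisation's own naming conventions.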

Our data shows that companies that invest in ongoing cybersecurity training significantly reduce their risk of breaches caused by human error.

And the stakes are higher than ever. By industry estimates, cybercrime cost the world economy $15 trillion in 2025, and that figure is expected to reach $20 trillion by the end of 2026, approaching the GDP of China, the world’s second-largest economy. Against that backdrop, relying on a handful of phishing simulations is dangerously naïve.

*Source: Phished simulation analysis, 2025
**Percentage of people who click a link, open an attachment, or share company or personal data in a phishing message
***Source: “Understanding the Efficacy of Phishing Training in Practice” — results from an 8-month randomized controlled study by the University of California, San Diego and UC San Diego Health.