By: Jacob Malimban, Intelligence Team
Q3 and Q4 of each year tend to see the most Human Resources (HR) task-related phishing threats, but the specific theme used by threat actors changes based on current events. This has led to the explosion of termination as a phishing lure, particularly during Q3 2025. By exploiting fear, threat actors can lower an employee’s guard and increase their likelihood of falling victim to an attack. Such malicious emails can appear legitimate as they spoof trusted and generally known entities, like the HR department.
Impersonating HR provides many benefits to threat actors. Tasks from HR are typically mandatory, so HR emails carry authority. Legitimate HR tasks can also have strict deadlines, which a threat actor can use to impose urgency. Finally, regular HR tasks are expected by employees. Sent at the right time, employees may not recognize an email as phishing and automatically click on any link to resolve the HR issue. This analysis focuses on the statistics of HR-themed phishing from January 2024 to September 2025.
Key Points
- Threat actors typically send more HR-themed phishing in Q3 and Q4 of each year.
- World events can cause an anomalous increase in specific categories, like termination.
- Compensation adjustments-themed emails constitute the largest category of HR-themed phishing at 35%.
- Benefits-themed emails fell 33% across 2025 as compared to 2024, but they are still in the top three of HR task-themed phishing categories.
- HR task-themed phishing may bypass email security controls like secure email gateways (SEGs) due to the mimicry of legitimate HR emails.
Definitions and Background Information
Cofense Intelligence has determined that there are seven major sub-types of HR-based phishing:
- Open Enrollment
- 401k Updates and Statements
- Employee Assessments and Surveys
- Compensation Adjustments
- Benefits
- Handbook and Policy Update
- Termination
Previously, in 2024, Cofense covered four major HR themes used in phishing emails: open enrollment, 401k updates and statements, employee assessment and surveys, and compensation adjustments, which at the time included benefits. Open enrollment is when people usually add or change their health insurance. 401k updates and statements relate to the employer-sponsored retirement account. Employee assessment and surveys include both annual performance reviews and sentiment surveys regarding the organization. Compensation adjustments encompass pay stubs, wage raises, and bonuses.
While gathering statistics, three new categories were identified: benefits, handbook and policy update, and termination. In the 2024 analysis, the benefits category was a part of compensation adjustments—it is separated for this report. Benefits include vacation time, holiday leave or events, and related timesheet information. The handbook and policy update category relates to policy updates or HR documents that require signing. Termination is about an employee termination notice sent via email. These three themes, combined with the previous four, make up the major lures used by threat actors when impersonating HR departments to deliver phishing.

Figure 1: A personalized, benefits-themed, HR-spoofing email that delivers a credential phishing page.
Overall Proportions
- The largest HR task phishing category from 2024 to 2025 is compensation adjustments.
- In each year, 2024 and 2025, HR task phishing was most prevalent in Q3 and Q4.

Figure 2: The overall proportions of HR task-themed phishing from Q1 2024 to Q3 2025.
Phishing attempts about a change in the benefits plan made a large enough category to be separated from compensation adjustments. From Q1 2024 to Q3 2025, the benefits theme ranked #2 by overall volume (Figure 2). After separating benefits, compensation adjustments still rank #1 by overall volume. It is typically the biggest category in every quarter except Q2 (Figure 3). Third place is taken by the handbook and policy update category.
In Q2 2024, instead of compensation adjustments, benefits took the lead in phishing volume. Benefits appears to have trended downward since, as analyzed further in the Decreasing Threats due to Threat Actor Pivots section. In Q2 2025, handbook and policy update made up most of the phishing volume.

Figure 3: The relative proportion of the top four of the HR task-themed phishing categories per quarter.
Growing Threats
- Termination grew 2% as a proportion of the overall total in Q3 2025 compared to the previous year’s Q3.
- This 2% overall growth represents a doubling (104% increase) in termination-themed phishing emails.
- Handbook and policy update grew 18% as a proportion of the overall total in Q2 2025 compared to the previous year’s Q2.
- Compensation adjustments, which are usually 35% of all HR task phishing volume, exploded to 55% of total volume in Q3 2025.
Threat actors prioritize certain categories over others based on the time of year. The most concerning is the surge in termination-themed phishing in Q3 2025. Due to economic uncertainties from rising tariffs, an increasing unemployment rate, and the government shutdown, legitimate termination notices are more likely. Correspondingly, threat actors send more termination-themed phishing emails and emotionally manipulate the recipient into clicking. When faced with a termination notice, employees might not recognize the usual signs in a phishing email.
As one of the top three HR task phishing categories, an increase in handbook and policy update phishing is concerning. This category saw an unusual rise in Q2 2025. Instead of the baseline 17%, it doubled to 35% of all HR task phishing. This phishing category started rising during Q1 2025. The rise may be explained by organizations adapting policies due to the change from the previous US administration to the new one. The handbook and policy update category appears to have normalized for Q3 2025, due to an increase in termination and compensation adjustments-themed phishing.
Compensation adjustments-themed phishing involving annual raises and bonuses is typically around 35% of any quarter’s HR task phishing volume. An increase to 55% of all volume in Q3 2025 is alarming. The compensation adjustments theme is already the most abused HR task, so the 20% increase represents an anomalous explosion in phishing volume. The increase may be due to similar reasons as termination-themed phishing, namely, the economic uncertainties. This likely explains the surge in malicious payout plan updates and fake salary adjustment notices.
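The share-versus-volume distinction in the termination bullets above can be reproduced on an organization's own user-reported mail. The following is an added example, not Cofense's code or data: it tags subject lines with the report's seven categories using assumed keywords, then returns the percentage-point change in share alongside the relative change in volume for a constructed sample.

```python
import re
from collections import Counter

# The seven categories are the report's; the keywords are assumptions made for
# this example. Order matters: the first matching category wins.
PATTERNS = {
    "Termination": r"\b(terminat\w*|dismissal|separation notice)\b",
    "Open Enrollment": r"\bopen enrollment\b",
    "401k Updates and Statements": r"\b401\s?\(?k\)?",
    "Employee Assessments and Surveys": r"\b(performance review|assessment|survey)\b",
    "Benefits": r"\b(benefits?|pto|vacation|holiday|timesheet)\b",
    "Handbook and Policy Update": r"\b(handbook|policy|acknowledg\w*)\b",
    "Compensation Adjustments": r"\b(salary|payroll|pay stub|raise|bonus|payout)\b",
}

def classify(subject):
    """Return the first matching HR lure category, or None."""
    for category, pattern in PATTERNS.items():
        if re.search(pattern, subject.lower()):
            return category
    return None

def quarterly_counts(reports):
    """Tally (quarter, subject) pairs into {quarter: Counter of categories}."""
    out = {}
    for quarter, subject in reports:
        category = classify(subject)
        if category:
            out.setdefault(quarter, Counter())[category] += 1
    return out

def growth(counts, category, before, after):
    """Return (percentage-point change in share, relative % change in volume)."""
    old, new = counts[before][category], counts[after][category]
    old_share = 100 * old / sum(counts[before].values())
    new_share = 100 * new / sum(counts[after].values())
    relative = round(100 * (new - old) / old, 1) if old else None  # no baseline
    return round(new_share - old_share, 1), relative

# Constructed sample of user-reported subject lines (not real campaign data).
SAMPLE = (
    [("2024-Q3", "Notice of termination - action required")] * 1
    + [("2024-Q3", "Your salary adjustment letter")] * 29
    + [("2024-Q3", "Updated vacation schedule")] * 20
    + [("2025-Q3", "Employment termination notice")] * 2
    + [("2025-Q3", "Q3 bonus payout plan update")] * 28
    + [("2025-Q3", "Employee handbook acknowledgement")] * 20
)
print(growth(quarterly_counts(SAMPLE), "Termination", "2024-Q3", "2025-Q3"))
```

In this constructed sample a category that moves from 2% to 4% of HR-themed reports gains only two percentage points of share while its volume doubles, which is why both figures are worth tracking per quarter.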
Decreasing Threats due to Threat Actor Pivots
- Benefits-themed campaigns decreased 33% across Q1 to Q3 2025 compared to Q1 to Q3 2024.
- Benefits-themed phishing is still in the top three.
- 401k updates and statements decreased 73% across Q1 to Q3 2025 compared to Q1 to Q3 2024.
- Open enrollment decreased 64% across Q1 to Q3 2025 compared to Q1 to Q3 2024.
Because threat actors pivoted to the other four categories in 2025, these three categories decreased. Benefits, which was the second largest category, decreased by 33% in 2025 compared to 2024. Still, this category continues to appear consistently every quarter, as denied PTO or updates to the benefits policy can happen at any time.
The decrease in 401k updates and statements phishing (Figure 4) is surprising, as one may expect threats to future financial stability to be an especially effective phishing lure. It’s possible that threat actors found this lure to be ineffective and focused their efforts elsewhere. Compared to Q3 2024, it plummeted in Q3 2025. It may be that threat actors focused more on termination-themed phishing, that Q3 2024 was uncharacteristically high, or that 401k updates and statements phishing will increase come the end of Q4 2025. The same reasons likely apply to the decrease in open enrollment phishing as well. Cofense will continue to monitor these potential trends.

Figure 4: The volume declined in Q1-Q3 2025 compared to the same period in 2024 for these three HR task-themed phishing categories.
In Figure 4, the volumes for these three categories are shown. Notice how the peak 2024 volume dwarfs the 2025 volume. The 2025 volume is a fraction of the previous year’s highs.
Conclusions
This report shows seven different phishing lures related to HR tasks. Some key insights include the eruption in termination-themed phishing in late 2025 and the quarterly peaks in HR task phishing volume from 2024 to 2025. Threat actors like to use emotional manipulation to carry out their attacks. HR-related phishing can be especially effective at causing breaches, as HR content is expected and typically requires urgent action from the employee.