When we talk about cybersecurity, most people picture IT teams, servers, and technical jargon. But the truth is, some of the biggest risks live outside the tech department.

Across the UK, HR, legal, and finance teams are being targeted in cyberattacks every day. Why? Because attackers know these departments handle sensitive data, access payment systems, and often lack specialist cybersecurity training.

And it’s working.

The New Front Line: HR and Legal

In 2025, cybercriminals are no longer relying on random, untargeted phishing emails. They research companies, build fake LinkedIn profiles, mimic suppliers, and craft convincing messages designed to land in front of people like your HR officer or in-house counsel.

Take recruitment scams, for example. In June, a widespread scam used WhatsApp to impersonate hiring managers. Victims were tricked into providing personal details or clicking malicious links, believing they were applying for real jobs. Some companies never even realised their names were being misused until the damage was done.

These kinds of attacks don’t just hurt candidates. They damage brand trust and can lead to legal consequences. Yet most HR teams still receive less security training than any other department.

Real Threats in Familiar Inboxes

Here are just a few examples of what HR, legal, and finance teams are facing:

  • Fake invoices that look identical to real supplier templates
  • Impersonation of directors or CEOs asking for urgent payments
  • Phishing attempts disguised as job applications, loaded with malware
  • Contracts and agreements containing malicious links or macros
  • Email account compromise used to silently redirect salary or pension payments

These aren’t theoretical risks. We’ve heard from members with experience in recruitment, retail, and education who have caught threats early thanks to simple awareness and the confidence to question what doesn’t feel right.

Why Training Needs to Go Beyond IT

Cybersecurity training is often built around technical tools and policies. But HR and legal professionals don’t need to become IT experts. They need practical support to help them spot red flags and make confident decisions.

This includes:

  • Knowing how spoofed emails and domains work
  • Recognising emotional manipulation in urgent requests
  • Understanding when to verify a request before acting
  • Feeling encouraged to report something unusual, without fear of overreacting

A Quick Checklist for Your HR or Legal Team

Ask your team if they would recognise any of these situations:

  • An email from a known supplier asking to update bank details
  • A CV that includes a suspicious attachment
  • A message from a director asking for a quick favour involving payment
  • A contract that arrives unexpectedly, requiring urgent signature
  • A job application sent via WhatsApp or text message
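To show what "recognising these situations" can look like when written down as rules, here is a small triage helper that checks a message against the checklist above. It is an added example and not OxCyber's code; the trusted supplier domains, the executive name, the keyword lists and the four sample messages are all constructed for illustration, and the rules are deliberately simple so the logic can be read and argued with.

```python
"""Triage helper for the HR/legal/finance red flags in the checklist.

Added illustration, not OxCyber's code. TRUSTED_DOMAINS, EXECUTIVES, the
keyword patterns and SAMPLES are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed: domains the organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"acme-supplies.co.uk", "example-law.co.uk", "ourcompany.co.uk"}
# Constructed: people whose name attackers like to borrow in "quick favour" mails.
EXECUTIVES = {"jane doe"}

# Wording the checklist situations tend to share (English only, by design).
BANK_CHANGE = re.compile(r"\b(update|change|new)\b.{0,40}\b(bank|account|sort code|iban)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|today|immediately|quick favou?r|right away)\b", re.I)
PAYMENT = re.compile(r"\b(payment|transfer|invoice|gift ?cards?)\b", re.I)
RISKY_EXT = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk", ".html"}


@dataclass
class Message:
    sender: str                     # address, e.g. "accounts@acme-supplies.co.uk"
    display_name: str               # the name the mail client shows
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)
    channel: str = "email"          # "email", "whatsapp", "sms"


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one edit covers the usual l/1, o/0 swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None.

    Catches the common spoofing tricks: a single swapped or dropped character,
    a hyphen removed, or the trusted name used as a subdomain of another domain
    (acme-supplies.co.uk.evil.example). Assumption: real subdomains of a trusted
    domain (mail.acme-supplies.co.uk) are treated as trusted.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if domain.endswith("." + t):
            return None
        if domain.startswith(t + ".") or ("." + t + ".") in ("." + domain):
            return t
        if edit_distance(domain, t) == 1 or domain.replace("-", "") == t.replace("-", ""):
            return t
    return None


def triage(msg: Message) -> List[str]:
    """Return a list of human-readable reasons to pause and verify; empty means no flag."""
    flags = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(domain, TRUSTED_DOMAINS)
    if imitated:
        flags.append(f"sender domain {domain} looks like trusted {imitated}")
    if domain not in TRUSTED_DOMAINS and any(e in msg.display_name.lower() for e in EXECUTIVES):
        flags.append(f"display name '{msg.display_name}' names an executive but comes from {domain}")
    text = msg.subject + "\n" + msg.body
    if BANK_CHANGE.search(text):
        flags.append("asks to change bank or payment details: verify by phone on a number you already hold")
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent payment request: the director-impersonation pattern")
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXT:
            flags.append(f"attachment {name} is an executable or macro-enabled type")
    if msg.channel != "email":
        flags.append(f"business request arrived via {msg.channel} rather than the usual channel")
    return flags


# Constructed sample messages, one per checklist situation plus a benign invoice.
SAMPLES = [
    Message("accounts@acme-supp1ies.co.uk", "Acme Supplies", "Updated bank details",
            "Please update our bank account on your system before the next payment run."),
    Message("jane.doe@gmail.example", "Jane Doe (CEO)", "Quick favour",
            "Are you at your desk? I need an urgent payment made today, will explain later."),
    Message("applicant@mail.example", "Sam Applicant", "CV for Finance Assistant role",
            "My CV is attached.", attachments=["Sam_Applicant_CV.docm"]),
    Message("accounts@acme-supplies.co.uk", "Acme Supplies", "Invoice 1042",
            "Please find attached our invoice for June.", attachments=["invoice-1042.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.sender}: {triage(m) or 'no flags'}")
```

The point of the helper is not to replace judgement but to make the checklist concrete: every flag it raises maps to one of the situations above and ends in the same advice, stop and verify through a channel you already trust. Word lists like these are easy to evade, so a team that relies on them alone will still miss the well-crafted message; the training value is in seeing which cues the rules look for.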

If your team would be unsure how to handle any of these, they may need better tools and support.

Cybersecurity is a Team Sport

Protecting your organisation is not just about firewalls and endpoint detection. It’s about people. HR and legal professionals handle sensitive processes and interact with external contacts every day. That makes them prime targets and critical defenders.

From recruitment to education to healthcare, OxCyber members come from a wide range of industries. Many have seen these threats up close, and what works best is a culture of curiosity, communication, and shared responsibility.

No one should feel like cybersecurity is someone else’s job.

Sometimes, the biggest threat is not knowing what to look for. And the strongest defence is someone who pauses, asks the right question, and speaks up.