[EPIC FAIL] Phishing Failures: How Not to Phish Your Users
We asked our security awareness advocates Javvad Malik and Erich Kron to dive into the cautionary world of phishing simulations gone wrong. You know, those attempts to train users not to fall for phishing that somehow end up setting off more alarms than a Hawaiian missile alert system.
Let's explore why we need to phish our users, but more importantly, how not to phish them.
JM - First off, let's acknowledge the elephant in the room — or should I say, the 6.4 billion fake emails floating around every day trying to scam Aunt Edna out of her retirement savings. Yes, you read that right. With phishing being as popular as pineapple on pizza (controversial, I know), it's crucial we prepare our users to dodge these deceitful darts.
EK - Phishing and social engineering in general are becoming way more popular than ever for bad actors. Now we've got deepfakes and AI generated materials without the obligatory grammar and spelling errors we used to have, and much better translations. Given the popularity of the attack vector and the number of successful breaches caused by phishing, helping to educate people and giving them simulated phishing messages to practice on is a no brainer.
[CONTINUED] at the KnowBe4 blog. This is the Most Popular Blog post this week!: https://blog.knowbe4.com/phishing-failures-how-not-phish-your-users
[New Features] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, May 8, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
Find out how 65,000+ organizations have mobilized their end users as their human firewall.
Date/Time: TOMORROW, Wednesday, May 8, @ 2:00 PM (ET)
Save My Spot! https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN3
Navigating the Masquerade; Recognizing and Combating Impersonation Attacks
With all great power, there comes an equal potential for misuse. Among the sophisticated arsenal of threat actors, impersonation attacks have surged to the forefront, calling our very sense of trust into question.
Visual technologies, like the new audio-to-visual example of portrait video generation, showcase the stunning potential for creating lifelike animated portraits from a single photo.
However, if creating a speaking, emotive virtual persona is this accessible, how do we distinguish reality from deception? This question is at the crux of today's cyber defense strategies.
Recognizing and Reporting Impersonation
Impersonation attacks come cloaked in numerous guises, each more convincing than the last. From emails and social media messages to voice and video interactions, the impersonator's game is one of psychological manipulation, seeking to exploit trust to gain unauthorized access, disseminate misinformation or commit fraud.
Awareness and education are essential in building a robust defense. Just as you would study a magician's sleight of hand to grasp his tricks, learning the telltale signs of impersonation bolsters your ability to spot them:
Reporting is equally crucial; if you detect signs of impersonation, your organization must act immediately. Encourage a culture where your users can report any suspicious activity.
The Menagerie of Impersonation Attacks
Let's explore the common masks worn by cyber tricksters:
[CONTINUED] Blog post with links, and learn more in the webinar below: https://blog.knowbe4.com/navigating-masquerade-recognizing-combating-impersonation-attacks
Reality Hijacked: Deepfakes, GenAI and the Emergent Threat of Synthetic Media
"Reality Hijacked" isn't just a title — it's a wake-up call. The advent and acceleration of GenAI is redefining our relationship with "reality" and challenging our grip on the truth. Our world is under attack by synthetic media.
We've entered a new era of ease for digital deceptions: from scams to virtual kidnappings to mind-bending mass disinformation. Experience the unnerving power of AI that blurs the lines between truth and fiction.
Join us for this webinar where Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, cuts through the noise, spotlighting how these digital illusions are easily weaponized.
Get ready for a demo-driven journey — a no-holds-barred look at AI's dark artistry. See the unseen. Hear the unheard. Question everything.
This is your reality check. Can you trust what you see and hear? Join us and find out, and earn CPE credit for attending!
Date/Time: Wednesday, May 15 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
[BUDGET AMMO] Russians Team Up With Young, English-Speaking Hackers For Cyberattacks
There is a new ultimate-budget-ammo 60 Minutes segment that is a great primer on what the cybersecurity community knows all too well—that good old-fashioned social engineering (a hustle or a con, like some of the stunts Sinatra and the gang pulled in the original Ocean's 11) remains the main point of entry for most large-scale ransomware hacks.
Can someone say the Podesta emails (a fake password change email from the IT department)? Or Stuxnet (which, in the end, came down to someone unwittingly walking into the Iranian nuclear facility with a USB drive carrying malware)?
We have been on the social engineering beat (aka Human Risk Management) for 13 years now and help you to mitigate its threat vectors and vulnerabilities.
View the 13-minute segment on YouTube and forward to your budget decision makers: https://youtu.be/lEwC1tN2jb8
Identify Weak User Passwords in Your Organization With the Newly Enhanced Weak Password Test
Cybercriminals never stop looking for ways to hack into your network, but if your users' passwords can be guessed, they've made the bad actors' jobs that much easier.
The new 2024 Verizon Data Breach Investigations Report showed that Basic Web Application Attacks are caused by the use of stolen credentials (77%) or by brute force, usually against easily guessable passwords (21%).
The Weak Password Test (WPT) is a free tool to help IT administrators know which users have passwords that are easily guessed or susceptible to brute force attacks, allowing them to take action toward protecting their organization.
Weak Password Test checks the Active Directory for several types of weak password-related threats and generates a report of users with weak passwords.
Here's how Weak Password Test works:
Don't let weak passwords be the downfall of your network security. Take advantage of KnowBe4's Weak Password Test and gain invaluable insights into the strength of your password protocols.
Download Now: https://info.knowbe4.com/weak-password-test-chn
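To make concrete what an audit of this kind looks for, here is an added example of an offline weak-password check over a constructed directory dump. It is not the Weak Password Test's code and says nothing about how that tool is implemented; it assumes stored password hashes (SHA-256 stands in here for the NT hash an Active Directory audit would actually compare) and a short constructed list of commonly used passwords. Only hashes are compared, so the audit never needs a user's plaintext.

```python
"""Offline weak-password audit over a constructed set of account hashes.

Added example, not KnowBe4's Weak Password Test. SHA-256 stands in for the
NT hash an Active Directory audit would normally compare (assumption).
"""
import hashlib
from collections import defaultdict

# Constructed sample: a tiny "commonly used passwords" list. A real audit
# would use a large corpus of known-breached passwords.
COMMON_PASSWORDS = ["Password1", "Welcome123", "Summer2024!", "letmein", "qwerty"]


def digest(password: str) -> str:
    """Stand-in for the directory's stored hash (assumption: SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample "directory dump": username -> stored hash. In a real
# audit these come from the directory; the plaintexts are never needed.
SAMPLE_ACCOUNTS = {
    "alice": digest("Summer2024!"),
    "bob": digest("Password1"),
    "carol": digest("Password1"),
    "dave": digest("dave"),
    "erin": digest(""),
    "frank": digest("Xq7!vR2$mLp9#wZe"),
}


def audit(accounts, common_passwords):
    """Return {username: [finding, ...]} for every account with a finding.

    Checks performed: empty password, password on the common list, password
    derived from the username, and the same password shared between accounts.
    """
    # Hash the common list once so each account check is a dictionary lookup.
    common_hashes = {digest(p) for p in common_passwords}
    empty_hash = digest("")

    # Group accounts by hash so reuse across accounts is visible.
    by_hash = defaultdict(list)
    for user, h in accounts.items():
        by_hash[h].append(user)

    findings = defaultdict(list)
    for user, h in accounts.items():
        if h == empty_hash:
            findings[user].append("empty password")
        if h in common_hashes:
            findings[user].append("common password")
        # Username used as the password, in a few trivial variants
        # (assumption: these variants are representative, not exhaustive).
        for variant in (user, user.lower(), user.capitalize(), user + "1", user + "123"):
            if h == digest(variant):
                findings[user].append("password derived from username")
                break
        if len(by_hash[h]) > 1:
            others = sorted(u for u in by_hash[h] if u != user)
            findings[user].append("password shared with " + ", ".join(others))
    return dict(findings)


def report(findings):
    """Render findings one user per line for an administrator's review."""
    return "\n".join(f"{user}: " + "; ".join(findings[user]) for user in sorted(findings))


if __name__ == "__main__":
    print(report(audit(SAMPLE_ACCOUNTS, COMMON_PASSWORDS)))
```

Run as-is, the report flags alice (common password), bob and carol (common password, shared with each other), dave (username as password) and erin (empty password); frank, whose hash matches none of the checks, is not listed. Because the comparison is hash-to-hash, the audit output is the only place a finding is tied to a name, so the report itself should be handled as sensitive.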
KnowBe4 to Acquire Egress
We're excited to announce the addition of Egress' cloud email security solution to KnowBe4's product suite. It will create the largest, advanced AI-driven cybersecurity platform for managing human risk.
Egress' Intelligent Email Security suite provides a set of scaled, AI-enabled security tools with adaptive learning capabilities to help prevent, protect and defend organizations against sophisticated email cybersecurity threats.
By acquiring Egress, KnowBe4 plans to deliver a single platform that aggregates threat intelligence dynamically, offering AI-based email security and training that is automatically tailored relative to risk.
The future of security is personalized AI-driven controls and real-time coaching. By providing a single platform from KnowBe4 and Egress, our customers will benefit from differentiated aggregate threat detection to stay ahead of evolving cyber threats and foster a strong security culture.
As integration partners for over a year with strong philosophical and cultural alignment, this acquisition is a natural progression for both companies to take human risk management and cloud email security to the next level.
"KnowBe4 and Egress have a shared vision of delivering tailored and relevant security to each employee," said Tony Pepper, CEO, Egress. "One of the biggest challenges organizations face is accurately identifying who the next source of compromise is — and why. By combining intelligence and analytics from integrated applications, companies can gain valuable insights across their entire cyber ecosystem, allowing them to focus on the risks that matter most."
KnowBe4 press release: https://www.knowbe4.com/press/knowbe4-to-acquire-egress
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [BUDGET AMMO] Cybersecurity Lessons Businesses Can Learn From The Russia-Ukraine War: https://www.forbes.com/sites/forbestechcouncil/2024/05/03/cybersecurity-lessons-businesses-can-learn-from-the-russia-ukraine-war/
PPS: KnowBe4's very own Perry Carpenter and Jessica Barker MBE PhD are delighted to launch Awareness to Action - A Mastermind for Human-Centric Cybersecurity Leaders: https://www.dhirubhai.net/posts/perrycarpenter_securityawareness-humanrisk-humanriskmanagement-activity-7191847411139383297-hT-Q/?
"The spirit is the true self. The spirit, the will to win, and the will to excel are the things that endure." - Marcus Tullius Cicero - Roman Statesman (106 BC- 43 BC)
"Success is not final, failure is not fatal: It is the courage to continue that counts." - Sir Winston Churchill - British Prime Minister (1874-1965)
Thanks for reading CyberheistNews
You can read CyberheistNews online at our Blog https://blog.knowbe4.com/cyberheistnews-vol-14-19-epic-fail-phishing-failures-how-not-to-phish-your-users
New Verizon DBIR: The Percentage of Users Clicking Phishing Emails is Still Rising
The long-awaited annual Verizon Data Breach Investigations Report is out, and it's made very clear that users continue to be a problem in phishing attacks. I've said it before, if you only read one report each year, the Verizon Data Breach Investigations Report is one you shouldn't miss.
And this year's report starts off with a topic close to our hearts here at KnowBe4: users engaging with phishing emails and clicking links.
First the good news: according to Verizon, the rate at which users are reporting phishing emails is increasing, regardless of whether a potentially malicious link was clicked or not:
Additionally, the chart shows that the reporting rate among users who did not click a malicious link (20%) is nearly double the rate among those who did click the link (11%).
Now the bad news: of those that did not click the link, 80% of them did not report it. Those that did click the link, 89% of them did not report it!
The median time a user takes to click a phishing link is only 21 seconds — that's 21 seconds to comprehend the content of the email, scrutinize it to determine its validity, and then to click the link. Add to that Verizon's findings that the median amount of time a user enters data in a credential, credit card, or account harvesting scam is another 28 seconds.
This means it takes less than a minute for users to fall for a phishing scam.
Blog post with links and graphs: https://blog.knowbe4.com/verizon-the-percentage-of-users-clicking-phishing-emails-is-still-rising
The U.S. Federal Bureau of Investigation (FBI) has issued an advisory warning of a scam campaign targeting users of online dating platforms. The scammers are attempting to trick users into signing up for fraudulent monthly subscriptions in order to be verified as a real person. "Fraudsters meet victims on a dating website or app," the FBI explains.
"Fraudsters express an interest in establishing a relationship and quickly move the conversation off the dating app or website to an encrypted platform. Under the guise of safety, the fraudster provides a link that directs the victim to a website advertising a 'free' verification process to protect against establishing a relationship with predators, such as sex offenders or serial killers. The website displays fake articles alluding to the legitimacy of the website."
The Bureau continues, "The verification website prompts the victim to provide information such as their name, phone number, email address, and credit card number to complete the process. Once the victim submits the information, they are unwittingly redirected to a private, low-quality dating site charging costly monthly subscription fees. Eventually, the victim's monthly credit card statement displays a charge to an unknown business."
The FBI offers the following advice to help users avoid falling for these scams:
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links: https://blog.knowbe4.com/fbi-warns-verification-scams-targeting-dating-users
"Hi Stu, I wanted to reach out with feedback and express my appreciation for the brilliant work of Ali L., who is the Customer Success Manager for our org. Their dedication and expertise have been brilliant in understanding what we can achieve with our SETA strategy [Security Education, Training, and Awareness] using the KB4 platform.
Their efforts have not only streamlined a newly designed SETA strategy but also recommended further exercises to supplement the basic training such as tailored training, phishing simulations complemented by remedial training – not to mention how self-sustaining he has made it by way of automation which has made security training much easier to manage and track.
This message is also a positive reflection on the rest of the team over at KnowBe4."
- L.T., Information Security Analyst
"Hi Stu, this is an appreciation note for Zoya S. who used to be our Account Manager from KnowBe4. I have just learned that Zoya moved on to a new role and I wanted to wish her all the best.
I also wanted to express my sincere gratitude for Zoya's guidance over the past few years. Zoya has always made herself available, even on very short notice, and was always happy to assist with any issue, no matter how big or small. Her dedication was truly inspiring. Zoya, thank you for being an exceptional support."
- C.K. Compliance Project Manager
And to end off, here is a TrustRadius Compliance Plus Mid-Sized Utilities Customer Story. "Compliance Plus will help keep you and your employees out of hot water" [PDF] https://www.knowbe4.com/hubfs/KnowBe4_Compliance_Plus_Customer_Story_Utilities_EN-US.pdf
This Week's Links We Like, Tips, Hints and Fun Stuff