CyberheistNews Vol 10 #19 [Heads Up] 'Florentine Banker Group' Use Microsoft 365 Functionality to Scam Private Equity Firm out of 1.2 Million

A new investigation by Check Point’s Incident Response Team (CPIRT) demonstrates how brazen cybercriminals are and the lengths they will go to in order to see their scam succeed.

Cybercriminals diverted well over 1 million dollars from a PE firm back in December, according to a newly released CPIRT report. This business email compromise (BEC) attack involved targeting specific firms, extensive intelligence gathering, malicious mailbox rules, lookalike domains, impersonation, and either intercepting existing wire transfers or initiating new ones.

Here’s how the scam works:
  • Target the CEO or CFO of a PE firm with a phishing email (here, one impersonating Microsoft 365) that captures their mailbox credentials and hands the attackers control of the mailbox
  • Watch the email conversations, looking for opportunities to misdirect wire transfers
  • Create mailbox rules that divert inbound emails about pending wire transfers into a folder the attackers monitor and the owner does not
  • Set up a lookalike domain impersonating the PE firm
  • Send emails from the lookalike domain impersonating the people involved in the wire transfer, and take over the email thread without the PE firm realizing it (the attackers copy the existing thread, keep the other firm's people as apparent participants, and use the lookalike domain as the From address, so every reply now goes to the attackers and the other firm drops out of the conversation)
  • Continue to reroute inbound emails from the other firm, cutting the PE firm off from any legitimate communication with it
  • Commit wire fraud by supplying new banking details for an existing but still pending wire transfer
The scammers also combed through countless emails between the compromised mailbox and the firm's bank, identifying contacts at the bank to whom they then sent new wire requests.
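
The mailbox rules that diverted the wire-transfer emails are the part of this scam that leaves a durable trace: in Microsoft 365 every New-InboxRule and Set-InboxRule is written to the unified audit log (in Exchange Online PowerShell, Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule returns them, with the details in the AuditData JSON field). The script below is an added example, not code from Check Point, KnowBe4 or Microsoft. It runs over constructed records shaped like that AuditData; the firm's mail domain, the finance keyword list and the list of "hiding" folders are assumptions you would tune to your own environment. It flags rules that file or delete finance-related mail, park it in folders nobody reads, or forward it outside the organization, which is exactly the pattern used here.

```python
"""Flag BEC-style inbox rules in Microsoft 365 unified audit log records.

Added example; not code from Check Point, KnowBe4 or Microsoft. The records
below are constructed to mirror the shape of the AuditData JSON returned by
Search-UnifiedAuditLog for New-InboxRule / Set-InboxRule (Operation, UserId,
ClientIP, Parameters as Name/Value pairs). All values are invented, and the
ForwardTo/RedirectTo values are simplified to plain addresses joined by ';'.
"""
import json

OWN_DOMAINS = {"example-pe.com"}   # assumption: the firm's own mail domains
FINANCE_TERMS = ("wire", "invoice", "payment", "bank", "transfer", "swift", "iban")
# Folders the mailbox owner rarely opens; parking mail there hides a thread without deleting it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                  "junk email", "conversation history"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

SAMPLE_AUDIT_DATA = [  # constructed AuditData strings, one per audit record
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example-pe.com", "ClientIP": "203.0.113.9",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "wire;transfer;invoice"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "cfo@example-pe.com", "ClientIP": "203.0.113.9",
                "Parameters": [{"Name": "Identity", "Value": "Bank"},
                               {"Name": "From", "Value": "treasury@bank-example.com"},
                               {"Name": "ForwardTo", "Value": "cfo@example-pe.com;mail@example-pe.co"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "analyst@example-pe.com", "ClientIP": "198.51.100.20",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@vendor-example.org"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Add-MailboxPermission", "UserId": "admin@example-pe.com", "ClientIP": "198.51.100.5",
                "Parameters": [{"Name": "Identity", "Value": "cfo"}, {"Name": "User", "Value": "helpdesk"}]}),
]


def parameters(record):
    """Collapse the Parameters list into a dict; a repeated name keeps its last value."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True if the address is outside the firm's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS


def analyze_rule(record):
    """Return the reasons an inbox-rule record looks like BEC tradecraft (empty list if none)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = parameters(record)
    reasons = []
    conditions = " ".join(p.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords",
                                                  "SubjectOrBodyContainsWords", "From")).lower()
    finance = any(term in conditions for term in FINANCE_TERMS)
    # MoveToFolder may arrive as "mailbox\\Folder"; judge the leaf folder name only.
    hide = (p.get("MoveToFolder") or "").split("\\")[-1].lower() in HIDING_FOLDERS
    delete = p.get("DeleteMessage", "").lower() == "true"
    external = [a.strip() for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
                for a in (p.get(k) or "").split(";") if a.strip() and is_external(a.strip())]
    if hide:
        reasons.append(f"moves matching mail to rarely viewed folder '{p['MoveToFolder']}'")
    if delete:
        reasons.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true" and (hide or delete):
        reasons.append("marks it read first, so no unread count gives it away")
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if finance and reasons:
        reasons.insert(0, "condition matches finance keywords: " + conditions.strip())
    return reasons


def suspicious_rules(audit_data_lines):
    """Parse raw AuditData JSON strings and return the flagged rules with who made them and from where."""
    hits = []
    for line in audit_data_lines:
        rec = json.loads(line)
        reasons = analyze_rule(rec)
        if reasons:
            hits.append({"user": rec.get("UserId"), "client_ip": rec.get("ClientIP"),
                         "operation": rec["Operation"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_AUDIT_DATA):
        print(hit["user"], hit["operation"], "from", hit["client_ip"])
        for r in hit["reasons"]:
            print("   -", r)
```

In a real hunt, feed it the AuditData strings from the cmdlet output (or from the Office 365 Management Activity API) instead of the embedded samples, and treat the ClientIP on a flagged rule as a second signal: when the rule was created through a hijacked session, that address belongs to the attacker, not the user.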

In all, the PE firm was scammed out of $1.2 million, of which only about half was recovered.

So, what can organizations learn from this kind of scam?

There are a few best practices to put into place that could have prevented this scam:
  • Use security awareness training to teach users how to spot malicious emails, impersonated logon pages, and suspicious content. This attack started with a simple email impersonating Microsoft 365 that led a PE firm employee to enter their credentials on a spoofed login page. Training also teaches users to recognize when they are being socially engineered by an attacker impersonating a company with which they do business.
  • Use two-factor authentication with Microsoft 365 (formerly Office 365) so that a phished password alone does not unlock the mailbox. We have seen Microsoft's two-factor authentication defeated by sophisticated attackers who phish the one-time code or session token along with the password, but a one-time bypass is not the ongoing, repeated access a scam like this one depends on. After any suspected compromise, revoke the user's active sessions and check the mailbox for rules, forwarding, and delegated access the attacker may have left behind.
  • Put a policy in place that requires verification of email-based wire requests via another medium. Phone is a good choice, provided the call is made immediately and to a number established well before the request (scammers have begun to use deepfake audio, and a number supplied in the email itself proves nothing). This goes for both changes to inbound wires and any outbound wire requests.
Blog post with links:
https://blog.knowbe4.com/florentine-baker-group-use-microsoft-365-functionality-to-scam-private-equity-firm-out-of-1.2-million
Prepare Your Organization to Work From Home More Securely With Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense especially when working from home.

Join us TOMORROW, Wednesday, May 6 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to Security Awareness Training and Simulated Phishing.

See how easy it is to train and phish your users:
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content including 300 training resources on work from home scenarios.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Assessments allows you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 32,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, May 6 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2311125/C5B5E9642E95E8DD0E20DBFFCC269664?partnerref=CHN2
[Eye Opener] The Best and First Defenses You Should Implement

Every good defense has three pillars of controls: policy, technical, and education. People are always asking what they should do for each to minimize cybersecurity events the most and what they should do first and best.

The Scope of the Problem

There are a lot of things to worry about. There were 12,174 new vulnerabilities announced last year alone, and hundreds of defenses you are told you need to deploy ASAP. The MITRE Common Weakness Enumeration (CWE) list catalogs 839 potential software weaknesses. The original, fairly small MITRE ATT&CK framework now has 12 columns and 70 rows, and growing, showing all the different ways you can be compromised.

The defense-in-depth guidelines grow every year. The NIST Cybersecurity Framework, one of the most popular guides, is 55 pages long. The SANS Top 20 Critical Security Controls have become the Center for Internet Security's CIS Controls, still 20 of them.

And let’s not forget programmers. The OWASP Top 10 list is still a great guide. This is on top of all the millions of new malware programs and hackers of every stripe (e.g., nation-state, script kiddie, financial thief, etc.) trying to break into your organization. I don’t know of any field that has so many simultaneous threats. It’s a lot to worry about.

What You Should Do First and Best

You cannot do everything you need to do first and best. You just can’t. Although you need to do it all…or at least most of it…you have to pick what to start with. The data is in.

Since social engineering and phishing account for 70% to 90% of all malicious data breaches and unpatched software accounts for 20% to 40% of them, whatever best fights those two root causes is what you should be doing first and best. These are the controls you should start with under each of the control pillars.

Best Technical Controls

Any technical control that decreases successful phishing (e.g., content filters, anti-spam, anti-malware, anti-phishing) or increases your patching percentage should be implemented. This is where your defense-in-depth strategy needs to concentrate.

I have a webinar where I discuss all the things I could think of (policies, technical controls, and education) to fight phishing. It contains a lot of useful hints and nearly 100 slides of information.

If you are interested in learning more about SPF, DKIM, and DMARC, try this webinar. If you want to learn more about social engineering and how best to fight it, check out any of these KnowBe4 webinars. There is truly some great knowledge in those webinars, taught by a variety of presenters, including KnowBe4's Chief Hacking Officer Kevin Mitnick.

Best Education

No matter how great your technical controls are, bad things will get past your defenses and to your co-workers. It’s just a matter of life. So, until the perfect technical controls come into existence, employee training is required. On the educational front, we now know what works for the best security awareness training.

You want to create a culture of healthy skepticism against social engineering schemes that might motivate someone to click on a link, run a program, or provide their credentials to someone against their own best interests. That takes good, consistent training and testing.

You should do short monthly trainings (e.g., videos, posters, tests, games, etc.) along with at least monthly simulated phishing tests. Training and testing should cover how to spot the basic, most common signs of potentially malicious content and what employees should do with it (report it to you, then delete it).

At least once a year, all employees should take a longer educational session, perhaps 15 to 45 minutes long. Then at least once a month, short, more targeted training that focuses on the most likely social engineering events.

This month’s coronavirus scam education is a great example:
https://www.knowbe4.com/coronavirus-security-awareness-resources.

Do monthly training and testing and you will significantly reduce the risk that someone will click on something risky.

Best Policy

So, what should you do policy wise? What’s the best single policy you can add to your security policies?

Well, I actually think it’s two things. First, everyone should be trained to hover over URLs and be able to determine rogue versus legit locations before clicking. Hovering should be a policy, backed by education on how to determine good versus bad.

Second, there should be a policy that any unexpected request that could result in financial harm, such as changing a bank account number or sending a new invoice, must be confirmed by voice at a pre-determined phone number before the transaction is approved. Nothing sent only via email should happen automatically.

We love email. We use it as a daily part of our lives to conduct business. But it is used far too successfully by spammers and phishers to be automatically trusted for all business transactions. It should be a policy to call the requestor to confirm the transaction request.
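
Both the lookalike domain in the Florentine Banker story above and the hover-before-you-click policy here come down to one question: does the place a link really goes match the place it claims to go? The script below is an added example, not KnowBe4's or Check Point's code. It applies the checks a trained user makes by eye (registrable domain against a trusted list, a trusted name used only as a subdomain or in the path, a username before '@', a raw IP address, punycode, and character-level lookalikes such as rn for m or Cyrillic letters) to a set of constructed links; the trusted-domain list and the tiny public-suffix table are assumptions. It goes slightly beyond the text by also comparing the visible link text with the real target, since that mismatch is exactly what hovering reveals.

```python
"""Triage a hyperlink the way a trained user is told to when hovering over it.

Added example; not code from KnowBe4 or the Check Point report. The trusted
domain list, the confusable table and the sample links are invented, and the
public-suffix handling is a stub (a real tool should use the Public Suffix
List, for example via the tldextract package).
"""
import re
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"example-pe.com", "microsoft.com", "office.com"}   # assumption: the firm and its providers
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.in"}
# Cyrillic letters that render like Latin ones, plus digit/letter swaps (0 for o, 1 for l).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
                             "\u0445": "x", "\u0443": "y", "\u0456": "i", "0": "o", "1": "l"})
HOST_RE = re.compile(r"^[\w.-]+\.[a-z]{2,}$", re.IGNORECASE)

SAMPLE_LINKS = [  # (visible text, actual href) pairs, all constructed
    ("Review the wire instructions", "https://login.microsoft.com/common/oauth2"),
    ("https://portal.office.com", "https://portal.office.com.secure-docs-login.net/signin"),
    ("Invoice", "https://rnicrosoft.com/invoice.pdf"),
    ("Wire confirmation", "https://microsoft.com@198.51.100.7/auth"),
    ("Vendor newsletter", "https://news.vendor-example.org/april"),
    ("Example-PE secure portal", "http://example-pe.co/login"),
    ("Microsoft 365", "https://micr\u043esoft.com/login"),   # Cyrillic 'o' in place of Latin 'o'
]


def registrable_domain(host):
    """'portal.office.com' -> 'office.com'; 'mail.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    take = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def skeleton(host):
    """Fold confusables so 'rnicrosoft.com' and a Cyrillic-o 'microsoft.com' compare equal to the real one."""
    s = unicodedata.normalize("NFKD", host.lower()).translate(CONFUSABLES)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return s.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, to catch one-character typosquats such as 'example-pe.co'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_in_text(text):
    """Registrable domain the visible link text names, or None if the text is not a URL or host."""
    text = text.strip()
    host = (urlsplit(text).hostname or "") if "://" in text else (text if HOST_RE.match(text) else "")
    return registrable_domain(host) if host else None


def classify_link(display_text, href):
    """Return (verdict, reasons); verdict is 'trusted', 'unknown', 'suspicious' or 'lookalike'."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "suspicious", ["not an http(s) link"]
    reasons, lookalike = [], False
    if parts.username is not None:                       # https://trusted.com@evil.net/...
        reasons.append(f"text before '@' is not the destination; real host is {host}")
        lookalike |= any(t in parts.username.lower() for t in TRUSTED)
    if re.fullmatch(r"[\d.]+", host):
        reasons.append("raw IP address instead of a hostname")
        dom = host
    else:
        dom = registrable_domain(host)
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode hostname, may hide non-Latin lookalike letters")
    for t in TRUSTED:
        if dom == t:
            continue
        if host.startswith(t + ".") or f".{t}." in host:  # trusted.com.evil.net
            reasons.append(f"'{t}' is only a subdomain label; registrable domain is {dom}")
            lookalike = True
        if f"/{t}" in parts.path.lower():                  # evil.net/trusted.com/...
            reasons.append(f"'{t}' appears in the path, not the host")
            lookalike = True
        if skeleton(dom) == skeleton(t) or edit_distance(dom, t) <= 1:
            reasons.append(f"{dom} is a typosquat or homoglyph of {t}")
            lookalike = True
    shown = _domain_in_text(display_text)
    if shown and shown != dom:
        reasons.append(f"link text shows {shown} but the target is {dom}")
    if lookalike:
        return "lookalike", reasons
    if reasons:
        return "suspicious", reasons
    return ("trusted" if dom in TRUSTED else "unknown"), reasons


def triage(links=SAMPLE_LINKS):
    """Classify every (text, href) pair; returns a list of (href, verdict, reasons)."""
    return [(href, *classify_link(text, href)) for text, href in links]


if __name__ == "__main__":
    for href, verdict, reasons in triage():
        print(f"{verdict:10} {href}")
        for r in reasons:
            print("           -", r)
```

An "unknown" verdict is not an all-clear; it only means the domain is neither trusted nor an obvious impersonation, which is where the voice-confirmation policy above takes over for anything involving money.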

Summary

You can’t implement every possible computer security control at once. You have to start with a handful of the best ones, those most likely to reduce risk the most and the fastest. Anything you can do to reduce the risk from social engineering and unpatched software should be first and best.

And once you have those taken care of, move on to the other hundred things the world is telling you that you need to do.

Send this full blog post with lots of links to your friends:
https://blog.knowbe4.com/the-best-and-first-defenses-you-should-implement

Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, is a 30-year computer security consultant, instructor, holder of dozens of computer certifications and an award-winning author of 12 books and over 1,000 magazine articles on computer security. He has worked at some of the world’s largest computer security companies, including Foundstone, McAfee and Microsoft. He was the weekly security columnist for InfoWorld and CSO magazines from 2005-2019.
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk management modules, transforming KCM into a full SaaS GRC platform!

Join us TOMORROW, Wednesday, May 6 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements within your organization and across third-party vendors and ease your burden when it's time for risk assessments and audits:
  • NEW! Demonstrate overall progress and health of your compliance and risk management initiatives with custom reports.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and a simple workflow based on the well-recognized NIST SP 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TOMORROW, Wednesday, May 6 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2311124/7C7652FF075E3F0F560287F15FF560F5?partnerref=CHN2
[Click Alert] So, What Is the Phish-Prone Percentage on Recent Coronavirus Phishing Tests?

I had some numbers run on the usage of our new, dedicated COVID-19 phishing templates to find out what the Phish-prone percentage was, since this is an unprecedented worldwide event.

Here are the numbers since these templates were released (we first warned about coronavirus-themed phishing on Jan 31, 2020). You will not see figures as reliable as these anywhere else, because we are by far the largest provider of new-school security awareness training in the world:

COVID-19:
  • Delivered: 2,183,318
  • Failed: 192,042
  • PPP: 8.80%
For comparison, here are two other template categories that traditionally have high click rates because they use social engineering related to money or password security. Banking phishing scored as follows:

Banking Templates:
  • Delivered: 1,582,493
  • Failed: 59,096
  • PPP: 3.73%
The IT templates are spoofed to look like they come from the recipient's own IT department and claim that an urgent password reset is required.

IT Templates:
  • Delivered: 1,925,059
  • Failed: 137,936
  • PPP: 7.17%
So, since early February 2020, our customers sent more COVID-related templates in the same period than either Banking or IT (the stalwart template categories), and those templates had a higher Phish-prone percentage: more than double that of banking.

You could draw the quick and dirty conclusion that people value their health twice as much as they value money, or that they are willing to take double the risk, but that is all speculation at this time.

Fact is, people are clicking on simulated COVID-19 phishing attacks at high rates. In the wild, the bad guys are having a field day. If you have not done this yet, run a COVID-themed campaign in your own organization, and see how your employees stack up against the average. We have a free Phishing Security Test that allows you to do that for 100 users, so you get your own phish-prone percentage you can use to demand budget for security awareness training!

Yes, in the free test we have just added a Coronavirus template you can choose to phish your users with. Try it now.

Please send this to your friends:
https://blog.knowbe4.com/click-alert-so-what-is-the-phish-prone-percentage-on-recent-coronavirus-phishing-tests
[NEW WEBINAR] Your Ransomware Task Force: Response, Recovery, and Remediation Tips From the Pros

When you realize your organization has been hit with a ransomware attack there are a few things that need to happen. One… take a deep breath. Two… contain the damage. And three… initiate your recovery plan IMMEDIATELY.

To help you prepare for a rapid response Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, is moderating a two-part series where he’ll interview two seasoned, hands-on ransomware and data loss professionals.

Earn CPE Credit for attending.

Session 1 – Critical Steps for Responding to a Ransomware Attack

Join us on Wednesday, May 13 @ 2:00 PM ET when Roger interviews John Mullen, of Mullen Coughlin LLC. John has served as a “Breach Coach” to thousands of affected organizations to help them contain and investigate ransomware attacks.

In this session you’ll learn:
  • The number one mistake most ransomware victims are making today
  • When you need to call a “Breach Coach” and what they can do to help
  • Rapid response steps you need to take when your organization gets hit
  • Why new-school security awareness training is more critical than ever before
Date/Time: Wednesday, May 13 @ 2:00 PM ET

Save Your Spot for Session 1:
https://event.on24.com/wcc/r/2332115/4C4C6B23A971AB46034FAA7FE4D351D2?partnerref=CHN1

Session 2 – Ransomware Expert Guide: Extortion, Crisis Management, and Recovery

Join us on Wednesday, May 20 @ 2:00 pm ET when Roger interviews Bill Hardin of Charles River Associates. Bill specializes in forensics. He’s the guy who comes in to figure out what happened, secure the environment, perform containment and eradication, restore operations to normal, and more.

In this session you’ll learn:
  • Of the thousands of cyber events Bill's investigated what is different in 2020
  • Tactics and techniques your security team can use to hunt within your environment
  • Bill’s top 3 takeaways regarding ransomware recovery
  • How to enable your users to spot suspicious attacks before they affect you
Date/Time: Wednesday, May 20 @ 2:00 pm ET

Save Your Spot for Session 2:
https://event.on24.com/wcc/r/2332143/4E4F8103CCAB1D9390CB24C1861DB32C?partnerref=CHN1
New KnowBe4 Study Finds Leaders Value Strong Security Culture but Struggle to Define and Implement It

KnowBe4 asked Forrester Consulting to conduct “The Rise of Security Culture” study. 1,161 respondents in security or risk management took part. All knew the value of a strong security culture but struggled to define and implement one with the speed of the market. 94% say security culture is important for business success and 92% say they have embedded security within their companies.

Yet they still experience security incidents. Security strategies are not yet woven into their overall business strategies. Perhaps the long-familiar trick of bolting security on at the end of the process design will finally die someday, but not yet.

Read more key findings at DarkReading:
https://www.darkreading.com/prnewswire2.asp?rkey=20200428FL90259&filter=3849&

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc


PS: Here's something special on Kevin Mitnick. These 5 super short videos are absolute classics:
https://cybersecurityventures.com/cybersecuritys-greatest-show-on-earth-kevin-mitnick/

PPS: Here is a Public Service Announcement video you can send to your users so they report phishy emails:
https://vimeo.com/413269928
Quotes of the Week
"Find a place inside where there's joy, and the joy will burn out the pain."
- Joseph Campbell, Writer (1904 – 1987)

"Success is not final, failure is not fatal: it is the courage to continue that counts."
- Winston Churchill, Statesman (1874 - 1965)



Thanks for reading CyberheistNews

Security News
Scammers Can Use Your Recent Transactions to Trick You

KrebsOnSecurity reports that scammers are using caller ID spoofing to impersonate their victims, and then socially engineering victims’ banks into divulging information about recent transactions. The scammers then use this information to more convincingly impersonate the bank when they call the victim.

In some cases, the scammers don’t even need to interact with a bank employee in order to obtain this information. Krebs heard from a reader whose wife was targeted by scammers who were able to trick Citibank’s automated phone system by spoofing her phone number.

“When they originally called my wife, there were no fraudulent transactions on her account, but they were able to specify the last three transactions she had made, which combined with the caller-ID had mistakenly earned her trust,” the reader explained. “After we figured out what was going on, we were left asking ourselves how the crooks had obtained her last three transactions without breaking into her account online.

As it turned out, calling the phone number on the back of the credit card from the phone number linked with the card provided the most recent transactions without providing any form of authentication.”

Fortunately, in the reader’s case, the bank happened to send a physical check to the victims rather than wiring it to the scammers. Krebs confirmed that he could indeed use a caller ID spoofing service to access recent transactions in his Citibank account, although he was required to provide his PIN or Social Security number. The reader also noted that an employee in Citibank’s fraud department didn’t seem to know what caller ID spoofing was.

Continued:
https://blog.knowbe4.com/scammers-can-use-recent-transactions-to-trick-you
Most Remote Employees Lack Security Training

66 percent of employees working remotely in the UK haven’t received any kind of cybersecurity training in the past twelve months, a survey by application security company Promon has found. Security Magazine reports that Promon’s survey also found that 77 percent of remote employees aren’t worried about their cybersecurity.

Furthermore, Promon determined that 61 percent of these employees are using their personal devices to conduct their work. Security Magazine notes that personal devices are often less secure than company-provided devices.

This presents an ideal situation for cybercriminals. If most employees are complacent, untrained, and using insecure devices to access corporate resources, attackers can potentially gain access to far more valuable data than they would under normal circumstances. They’ve hit a trifecta of vulnerabilities.

Ransomware operators, for example, may find it much easier to breach a company’s network by going through an employee’s personal device.

Compounding this situation is the fact that the COVID-19 pandemic offers excellent phishbait for all types of social engineering attacks. The pandemic and its effects are topics that almost everyone in the world is familiar with, and it’s something that most people are concerned about. As a result, many cybercriminals are incorporating the subject into their phishing campaigns.

Continued at the KnowBe4 blog:
https://blog.knowbe4.com/two-thirds-of-remote-workers-received-no-security-awareness-training-in-the-last-year
[NEW FEATURE] Brandable Content Is Now LIVE in the KnowBe4 platform!

You asked, we listened! We’re excited to introduce the new Brandable Content feature within your KnowBe4 platform! You now have the option to add branded custom content to the beginning and end of select KnowBe4 training modules. The Brandable Content feature is available to customers across all subscription levels.

This self-service feature enables you to add your organization’s branding elements to your introductory and concluding content slides. Use branding elements including your logo, custom graphics, and corporate brand colors to customize any messaging you want to deliver to your users such as instructions on Incident Response or Social Media information.

Here is a quick video that shows how it works and how easy it is:
https://support.knowbe4.com/hc/en-us/articles/360047007514

Support Documentation here:
https://support.knowbe4.com/hc/en-us/articles/360047284433
What KnowBe4 Customers Say

"I asked Liza for your email addresses in order to express my deepest appreciation to you for her tireless efforts in assisting and supporting me in acquiring the KnowBe4 solution for our Firm. I have been engaging with Liza and her team since October, when my internal process began, just as I engaged with several other vendors.

Liza and her team promptly responded to my every inquiry, provided supporting materials for my internal presentations and budget proposals, made available a POC so I could demo the platform to key stakeholders internally, and then made one gigantic push at the very end just this past Friday to close this deal.

Our budget process ran from November until yesterday, when the deal received final approval due to Liza’s above-and-beyond efforts on Friday. I have just issued the PO. I am confident that the Firm has made the right decision in choosing KnowBe4, and I look forward to the significant benefits we will reap.

This is only possible thanks to Liza: I am most grateful to her and commend her service to you most highly. Thank you."
- O.R., Data Protection Officer



"Hi Stu, I appreciate the follow up. The onboarding experience was great. We got up and running in quick fashion. We sent out a phish sim last week and got some users. Next week we go live with training. The platform is great, keep the innovation coming! Thanks."
- H.D., VP Development Security & Cloud



From an MSP Channel Partner (of which we have many hundreds)
"Thank you for pushing us through so quickly. If you offer surveys, please feel free to pass one my way -- otherwise, please feel free to forward to your manager that you've made this an exceptional experience by communicating clearly, promptly, and exceeding both our and our clients' expectations in terms of the overall experience as well as the turnaround time. Thank you. This has us looking very forward to doing business with you."
- J.K., Service Desk Manager

The 10 Interesting News Items This Week
    1. Microsoft Office 365: This new feature will keep you safe from malware-filled documents:
      https://www.techrepublic.com/article/microsoft-office-365-this-new-feature-will-keep-you-safe-from-malware-filled-documents/

    2. Microsoft Office 365: US issues security alert over rushed remote deployments:
      https://www.zdnet.com/article/microsoft-office-365-us-issues-security-alert-over-rushed-remote-deployments/

    3. Coronavirus-themed Threat Reports Haven’t Flattened The Curve:
      https://labs.bitdefender.com/2020/04/coronavirus-themed-threat-reports-havent-flattened-the-curve/

    4. Pirated Movies Are Used to Distribute Malware – HOTforSecurity:
      https://hotforsecurity.bitdefender.com/blog/pirated-movies-are-used-to-distribute-malware-23165.html

    5. US sends 32x more COVID-19 related spam emails than Russia:
      https://atlasvpn.com/blog/us-sends-32x-more-covid-19-related-spam-emails-than-russia/

    6. Coronavirus Worries Allow New Scams To Take Hold:
      https://www.forbes.com/sites/waynerash/2020/04/21/coronavirus-worries-allow-new-scams-to-take-hold/#24b101e7515c

    7. Microsoft: Ransomware gangs that don't threaten to leak your data steal it anyway:
      https://www.zdnet.com/article/microsoft-ransomware-gangs-that-dont-threaten-to-leak-your-data-steal-it-anyway/

    8. Cyberscammers: Pay Up or We’ll Infect Your Family With Coronavirus:
      https://www.thedailybeast.com/new-coronavirus-scam-threatenspay-up-or-well-infect-your-family-with-covid-19

    9. New Video: Why Make KnowBe4 your trusted Security Awareness Training provider:
      https://vimeo.com/410731358

    10. Experts Detect 30,000% Increase in #COVID19 Threats:
      https://www.infosecurity-magazine.com/news/experts-detect-30000-increase/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.