CyberheistNews Vol 10 #31
I Testified Before U.S. Congress About COVID-19 Phishing Scams

On July 21, 2020, I testified before the U.S. Congress about COVID-19 phishing scams. I was invited by the Senate Commerce Committee's Subcommittee on Manufacturing, Trade, and Consumer Protection, which held a hearing Tuesday about protecting Americans from COVID-19 scams.

Twenty years after KnowBe4's Chief Hacking Officer Kevin Mitnick first testified before Congress, stating that "extensive user education and training" was needed to inoculate employees against social engineering, I had the chance to reinforce that message.

MediaPost reported on the testimony: "Scams related to COVID-19 are proliferating online, with fraudsters becoming both “more aggressive and more targeted,” Stu Sjouwerman, founder and CEO of security company KnowBe4, told the Senate Tuesday.

“COVID-19 phishers prey on both consumers and employees and have sought private information through targeting passport details, the healthcare industry, [and] social media channels, and we can expect to see them use current and future COVID-19 lawsuits as bait in spear phishing attacks,” he said.

In written testimony submitted to the Senate Commerce Committee's subcommittee on manufacturing, trade, and consumer protection, which held a hearing Tuesday about protecting Americans from COVID-19 scams, Sjouwerman specifically said more than 192,000 phishing attacks related to COVID-19 occurred each week in the last month.

He added that fraudsters often are revising phishing emails they ran before last December, when COVID-19 first appeared, but with new “social engineering schemes” relating to the virus. “Everyone should remain very skeptical of any email related to COVID-19 coming into their inbox,” he stated."

Here is a 6-minute clip of my testimony, introduced by Senator Moran with links to the written testimony and the full video:
How to Prevent 81% of Phishing Attacks From Sailing Right Into Your Inbox With DMARC

Did you know that only ~20% of companies use DMARC, SPF, and DKIM, global anti-domain-spoofing standards which could significantly cut down on phishing attacks? But even when they are enabled and your domain is more secure, 81% of phishing attacks still continue to sail right through to your end-user.

In this webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will teach you how to enable DMARC, SPF and DKIM the right way! Then, you’ll learn the six reasons why phishing still might get through to your inbox and what you can do to maximize your defenses.

What you’ll learn:
  • How to enable DMARC, SPF, and DKIM
  • Common configuration mistakes
  • How to best configure DMARC and other defenses to fight phishing
  • Techniques to empower your users to identify and avoid the phishing attempts that make it through your surface-level defense
Watch Now!
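The configuration mistakes the webinar covers can be caught before a record goes live. The checker below is an added example, not code from KnowBe4 or the webinar: it parses SPF and DMARC TXT records and flags the weak settings a practitioner looks for (a permissive or missing `all` qualifier, too many DNS-lookup mechanisms, `p=none`, a missing `rua` address, a partial `pct`, or `sp=none` under an enforcing parent policy). The records are constructed for the placeholder domain example.com; in practice you would fetch them with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. DKIM is not checked here because its record lives under a selector name that varies per sender.

```python
import re

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term):
    """Strip the qualifier (+ - ~ ?) and any argument, leaving the mechanism name."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(record):
    """Return a list of findings for one SPF TXT record (empty list = nothing flagged)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with 'v=spf1'"]
    terms = terms[1:]
    all_terms = [t for t in terms if _mechanism(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: senders that match nothing get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the Internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail neither passes nor fails")
        elif qualifier == "~":
            findings.append("'~all' softfail: receivers usually accept and only mark; '-all' is stricter")
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    if any(_mechanism(t) == "ptr" for t in terms):
        findings.append("'ptr' mechanism is deprecated and unreliable")
    return findings


def check_dmarc(record):
    """Return a list of findings for one DMARC TXT record (empty list = nothing flagged)."""
    findings = []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return ["not a DMARC record: first tag must be 'v=DMARC1'"]
    tags = {}
    for part in parts[1:]:
        if "=" not in part:
            findings.append(f"malformed tag '{part}'")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports look clean")
    if "rua" not in tags:
        findings.append("no 'rua' address: you receive no aggregate reports")
    pct = tags.get("pct", "100")  # RFC 7489 default is 100
    if pct != "100":
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected while the parent domain is enforced")
    return findings


if __name__ == "__main__":
    # Constructed records for the placeholder domain example.com.
    samples = {
        "weak SPF": "v=spf1 a mx include:_spf.example.net ptr +all",
        "good SPF": "v=spf1 include:_spf.example.net -all",
        "weak DMARC": "v=DMARC1; p=none; pct=50",
        "good DMARC": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    }
    for label, rec in samples.items():
        checker = check_dmarc if "DMARC" in label else check_spf
        print(f"{label}: {checker(rec) or ['OK']}")
```

Run it against your own records by pasting the TXT values into `samples`; an empty result means none of the listed mistakes was found, not that the record is complete (it does not resolve `include:` targets, so the lookup count only covers the top-level record).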
[Now Confirmed] Testing 1… 2… 3… Stop It and You Lose Ground

By Perry Carpenter, KnowBe4 Chief Evangelist & Strategy Officer

"Let’s face it, very few organizations thought they’d still be in workforce limbo as we near the six-month mark of the pandemic. This situation has stretched many organizations to adopt new modes of work. Most of your employees are also stretched beyond anything they’ve ever prepared for.

And the levels of distraction and stress are likely to get worse before they get better. Early into the pandemic, many organizations put their phishing simulations on hold. They didn’t want to heap further stress or confusion on employees who were already stressed and confused.

And, while those intentions were noble, I provided warning that cyber criminals would seize the opportunity and up their game. They did. And that trend continues, with multiple outlets reporting an over 6,000% increase in COVID-19 related phishing.

Now more than ever it is clear that phish testing your users is crucial. I recently read an article in CIO Dive that made that even more clear. Here’s the excerpt that stood out:

“[T]he Mars team ‘debated the living daylights out of this topic,’ said Stanley, ultimately landing on a slight delay in routine exercises.

Typically, Mars launches anti-phishing exercises every six weeks; instead, the company waited 10 weeks before deploying an exercise to employees.

The result? ‘We did see an increase in vulnerability. We did see issues and we expected it,’ said Stanley.”

Mars put off phish testing their users. And even though their delay was only four weeks past their normal pattern, they saw that their people were more susceptible to attack. At a time when phishing trends are exponentially increasing, you can’t afford to let your employees lose ground. Training your users is like any other type of training in life: at all times you are either building strength or allowing atrophy.

So how do you do it? You can phish test your users without making them feel confused or alienated. It all comes down to your tone and your process. Getting the right tone is a key factor in helping people not feel tricked, targeted, or embarrassed.

Your tone, combined with your process, form the totality of how you engage your users in your messaging, training, and follow-up.

Want some practical advice and tools to achieve the right tone and process? Have a look back at my blog from March 31. And, if you have any questions or want specific advice on how to best engage your users or gain executive buy-in for phishing testing, please contact me. I’m always happy to help."

Now let’s get ready to test in 3… 2… 1… Blog post with links here:
Does Your Domain Have an Evil Twin? Find Out for a Chance to Win Two Pairs of Beats Headphones!

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization.

Plus, if you're in the US or Canada, you’ll be entered for a chance to win two pairs of Beats Studio3 Wireless Headphones*!

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world “domain safety” quiz based on the results for your end users
Domain Doppelgänger helps you find the threat before it is used against you.

Find Your Look-Alike Domains!

*Terms & Conditions Apply
[Heads Up] CISA and NSA Urge “Immediate Action” to Secure National Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that foreign hackers are targeting systems that support US critical infrastructure.

The advisory urges critical infrastructure operators to secure their operational technology (OT) and control systems as soon as possible. The advisory lists several “recently observed tactics, techniques, and procedures,” including spear phishing, ransomware, connecting to Internet-accessible PLCs that do not require authorization for initial access, and modifying control logic and parameters on PLCs.

The alert adds, "Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the internet...are creating a 'perfect storm' of 1) easy access to unsecured assets, 2) use of common, open-source information about devices, and 3) an extensive list of exploits deployable via common exploit frameworks."

Here is a link to the full warning text (PDF):
KnowBe4 Achieves Highest and Furthest Overall Position in the Gartner Security Awareness CBT Leaders' Quadrant

KnowBe4 has achieved the highest and furthest overall position as a Leader for its ability to execute and completeness of vision in the 2019 Magic Quadrant for Security Awareness Computer-Based Training. This was the third consecutive year that we were recognized as a Leader in this report.

We believe, as the world's largest security awareness training platform, this placement in the Leaders’ quadrant validates the success of our ability to carry out our mission. We enable organizations and their users to make smarter security decisions — every day. Using world-class training and simulated phishing, we help customers to improve their security posture, mitigate risk, and manage the ongoing problem of social engineering.

Read the Security Awareness CBT report to find out what we believe sets KnowBe4 apart.

Download Your Complimentary Copy of the Report Now!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Need to train your employees for COVID-19 safety? We just released a module that will help:

Quotes of the Week
"Natural talent only determines the limits of your athletic potential. It's dedication and a willingness to discipline your life that makes you great."
- Billie Jean King, American former World Number 1 professional tennis player

"Working because you want to is the best sort of play."
- Robert Heinlein, Science Fiction Author

"You don't have a soul, you are a soul."
- Elon Musk, Engineer & Entrepreneur (born 1971)

Thanks for reading CyberheistNews

Security News
Phishing in the Time of the Pandemic: Security Is an Ongoing Process

Organizations should treat security as a continuous undertaking, according to Richard Torres, Director of Security Operations at Syntax. On the CyberWire’s Hacking Humans podcast, Torres explained that the threat landscape is constantly changing, and organizations need to adapt their defenses accordingly.

“When you look at the way cyberattacks happen, they tend to happen in waves,” Torres said. “And it's very much like the market is changing. People are getting interested in different types of vulnerabilities. And when I say people, I mean your professional hackers, the folks that look at the internet and look at the worldwide web and the cyber universe as a playground.

And they try to determine, what's the newest, most exciting way for me to wreak havoc with some of these companies and, additionally, a way to make some pretty decent revenue if I'm a pretty good hacker or a pretty good pirate?” Torres said organizations need to focus on making sure their employees can identify and thwart social engineering tactics.

“Now that there's a lot more focus on working from home and trying to get people to improve some of those behaviors that could lead to falling for some of these phishing attempts, we're trying to create a lot more awareness of what phishing attempts look like,” Torres said.

“Not just what they can do, because to the layperson, understanding exactly what it can do isn't as important as understanding how to respond when I see it or how to identify it when it hits my inbox.”

Torres added there are two sides to defending against phishing attempts. One side involves teaching the humans that they will be targeted by these attacks, and the other side involves technical defenses.

“There's the education part, which is making sure that your folks are aware that it's happening, aware that they are being targeted,” he said. “You don't want them to ever feel like they are behind a protected firewall where this couldn't happen to them. So being sure that they're aware that they are being targeted and giving them enough information so they can identify what phishing looks like.

It could be very, very innocent. It doesn't have all kinds of bells and whistles on it. And you go back to, if you are not expecting this type of email or to hear from this particular person or this particular group, you should question it. So reinforcing that from the top down and making sure that it's part of routine conversations, not just one memo a month, is extremely important so that it stays in the forefront of their mind.”

Torres concluded that awareness training should be complemented by email security technology that can help filter out phishing emails and flag malicious links.

“So that is kind of putting technology on the forefront. And in the background, now I'm educating the users,” he said. “So where the technology may fail, I have defense in depth. Now I have someone who's smart enough to recognize what could be phishing attempts and the forms that they could possibly take.”

Attackers are aware that security technologies are getting better at blocking their emails, so they’re constantly finding new ways to bypass these defenses. New-school security awareness training can enable your employees to avoid falling for both well-known and novel phishing techniques.

The CyberWire has the story:
Don't Overlook Policy When Designing Security

There’s no single defense against phishing and other social engineering attacks, according to Kevin O’Brien, CEO and co-founder of email security company GreatHorn. On the CyberWire’s Daily Podcast, O’Brien explained that the social engineering tactics used in phishing attacks are well-documented, but the attackers still use them because they’re effective.

“What you're looking for whenever you're talking about social engineering in high-risk events is something that creates a sense of urgency on the victim's behalf,” O’Brien said. “So global events that everybody is nervous about – and the pandemic that we're currently experiencing certainly qualifies – would be a good example case of that.”

O’Brien said COVID-19-themed phishing attacks are a manifestation of a wider strategy in which criminals exploit emotional response to trick people. In many cases, these attacks are predictable if you know what to expect.

“You can also see it where an organization might have people who are nervous about their taxes,” he said. “So every year you get a spate of phishing attacks that are focused around tax season – your W-2 is attached. Why? Because money is involved, and that's something that creates a sense of urgency.

Oh, my taxes are due, or I owe on my taxes, or I'm going to get paid money from the government because I overpaid. People are inherently like, I want to go look at that right now. So, money, health, family, job status – those are all the sorts of things that create high-risk moments.”

O’Brien added that attackers are increasingly putting in more effort to execute more convincing social engineering attacks, so users need to be constantly vigilant for new tactics.

“And social engineers and attackers who get this understand how to condition people to certain responses,” he explained. “And it’s trivial to send you an email that says, oh, I’ve got your COVID-19 update from the boss. But you know, more advanced and sophisticated attackers will do this over the course of days or weeks or months, and you don't even realize you're being played.

It’s just another con. And it can be a short con or a long con. Email is just a convenient delivery mechanism because every professional has an email address.”

O’Brien concluded that organizations need to implement defense-in-depth to maximize their security posture. “The problem is, there's no one thing that you do,” he said. “There is almost this assumption that this is a problem that can't be solved because it's difficult to solve....[T]hat is really the thing that we need to challenge – the assumption that this is an intractable problem – because it is not.

And I think that overcoming that fatigue is the story behind the story. Why are things like COVID-19 emails out there? Because they work. But we can still address that. We can do better, but we do better by thinking about this strategically and laying out a defense-in-depth strategy around security posture rather than, here's a thing you can buy.”

New-school security awareness training can provide your organization with an essential layer of defense by enabling your employees to recognize and thwart social engineering tactics in the real world.

The CyberWire has the story:
What KnowBe4 Customers Say

"Stu, just wanted to take a minute to acknowledge Haley Knight. I seldom like or participate in surveys but if you had one she would get the highest score possible. She is courteous, patient, knowledgeable and pleasant to talk to. I just finished a long call with her on some training I needed and the time invested was well worth it. She could train the trainers."
- K.L., Purchasing & Inventory Manager
The 10 Interesting News Items This Week
    1. Accused Cypriot scammer threatened to publish stolen data if victims didn't pay huge extortion fees:
    2. New 'Shadow Attack' can replace content in digitally signed PDF files:
    3. Epic Opsec Fail by Iranian Advanced Persistent Threat operatives:
    4. Sharp Spike in Ransomware in U.S. as Pandemic Inspires Attackers:
    5. North Korea's Lazarus Group Developing Cross-Platform Malware Framework:
    6. Phishing attacks and ransomware are the most challenging threats for many organizations:
    7. New Voicemail-Themed Phishing Attacks Use Evasion Techniques and Steal Credentials:
    8. Nearly Half of Employees Make Mistakes with Cybersecurity Repercussions:
    9. Phishing campaign uses Google Cloud Services to steal Office 365 logins:
    10. BadPower attack corrupts fast chargers to melt or set your device on fire:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
