CyberheistNews Vol 12 #21 [EYE OPENER] Your Cyber Insurance Went up a Whopping 92% Last Year



CyberheistNews Vol 12 #21  |   May 24th, 2022
[EYE OPENER] Your Cyber Insurance Went up a Whopping 92% Last Year
Stu Sjouwerman SACP

Whoa Nellie, that's getting to be real money here. This is the kind of thing that starts cutting into your whole IT budget.

The WSJ said: "Many U.S. cyber insurers dramatically increased their rates during 2021, alarmed by a rash of cyberattacks that struck companies around the world and drew the attention of national governments. Data from regulatory filings and collated by ratings agencies shows that among the largest insurers, direct written premiums rose a whopping 92%, while direct loss ratios fell slightly.

"Insurers significantly increased premiums for cyber coverage over the course of 2021, as a string of high-profile attacks and government action helped boost demand for products, data collected by industry bodies shows. Analysts say that the increase primarily reflects higher rates, rather than insurers significantly expanding the amount of money they are willing to cover.

"Cyber insurers are also taking a tougher line on would-be clients, demanding security measures such as multi-factor authentication and more sophisticated endpoint protection, brokers say." At KnowBe4 we have also observed that insurers are often mandating effective security awareness training as a prerequisite to get insured. Some insurers even send their customers to us as part of a standing offer.

Getting your employees trained is a must today, and the cost is a total no-brainer. Join the 50,000 organizations that use KnowBe4 and create a strong human firewall as your last line of defense.

Blog post with link to WSJ article. Great budget ammo:
https://blog.knowbe4.com/wsj-cyber-insurance-went-up-a-whopping-92-in-2021

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, June 8 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Support for QR-Code Phishing Tests
  • NEW! Security Culture Benchmarking feature lets you compare your organization’s security culture with your peers
  • NEW! AI-Driven training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, June 8 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3713729/BD8F8A0FE3D2CE20F847A5BDA6B2BFDA?partnerref=CHN

Why People Fall for Scams

Scammers use a variety of tried-and-true tactics to trick people, according to André Lameiras at ESET. For example, they can easily find open-source information about people on the internet and use this to craft targeted attacks.

“Some scammers will use all available and seemingly harmless data about you to their advantage, watching your every move online, typically on social media, in order to eventually exploit your digital footprint,” Lameiras says.

“Unless you’re careful, the more you interact online, the higher the odds that they’ll know a lot about you – ultimately, they may have an easier time duping you.”

Scammers also know that people are more likely to fall for scams that appear to come from people in positions of authority, such as law enforcement. In targeted attacks, the scammers often pose as the user’s boss or an executive at their organization.

“People tend to trust those in positions of authority,” Lameiras says. “Fraudsters often impersonate people who hold some kind of expertise: a government worker, a lawyer, a company executive or an expert in a specific field. These are all people we were taught to trust. Scammers will try to look official and use the names of companies or organizations you might recognize.”

Additionally, scammers often use phony sob stories or pleas for help to take advantage of their victims’ sympathy. “Ploys that involve requests for help create empathy with the scammer or with the people who the fraudster claims to represent,” ESET says.

“For example, narratives of personal tragedies or public emergencies remain effective. Even if in the back of your mind you know it might not be true, you are still inclined to help ‘just in case.’ Scammers realize that people want to feel useful.”

Blog post with links:
https://blog.knowbe4.com/why-people-fall-for-scams

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, June 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!

  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulation
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met and are past due

Date/Time: Wednesday, June 8 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3714144/AD2312CF5D51664B6E34DCB6118D9449?partnerref=CHN

Phishing Campaign Impersonates Shipping Giant Maersk

Researchers at Vade Secure warn of a large phishing campaign that's impersonating shipping giant Maersk to target thousands of users in New Zealand. Note that cybercriminals often beta-test their campaigns in "good-candidate" small countries before they roll them out globally, so treat this as a heads up.

“Several waves of phishing emails impersonating Maersk have targeted more than 18,000 recipients, 13,000 recipients, and 5,000 recipients respectively between January 2022 and May 2022, exploiting the global supply chain crisis affecting millions of businesses around the world,” the researchers write.

“Users in New Zealand have been targeted with Maersk phishing emails with the subject line ‘Maersk Original Shipping Document’ followed by the email of the recipient and the from address displayed as service@maersk[DOT]com, which mimics a legitimate Maersk email address.”

The emails contain a link to a spoofed login page that asks the user to enter their email address and password in order to access their shipping information. The attackers are using compromised websites to host these phishing pages.

“Maersk phishing campaigns have been active since 2018, but this most recent campaign spiked in March and April 2022,” the researchers write. “Previous research suggests a link between the 2018 Maersk campaign and the ‘MartyMcFly’ investigation into attacks targeting the Italian naval industry. Like the previous campaign, the current campaign is using compromised websites to host phishing kits and potentially malware.”

The researchers add that New Zealand is a prime target for shipping-themed phishing attacks due to its location, particularly during the pandemic.

“New Zealand has been hit hard by the supply chain crisis, with products sitting in warehouses and no ships to transport them,” Vade says. “New Zealand’s size and geographical location makes it particularly vulnerable, with shipping companies prioritizing business with larger and more accessible countries. This makes anxious New Zealand businesses optimal targets for phishing attacks.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to thwart social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/phishing-campaign-impersonates-maersk

Do Users Put Your Organization at Risk With Browser-saved Passwords?

Cybercriminals are always looking for easy ways to hack into your network and steal your users’ credentials.

Verizon's Data Breach Investigations Report shows that attackers are increasingly successful using a combo of phishing and malware to steal user credentials. In fact, password dumpers take the top malware spot, making it easy for cybercriminals to find and “dump” any passwords your users save in web browsers.

Find out now if browser-saved passwords are putting your organization at risk.

KnowBe4’s Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization’s risk associated with weak, reused, and old passwords your users save in Chrome, Firefox, and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.

With Browser Password Inspector you can:

  • Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
  • Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization’s key business systems
  • Better manage and strengthen your organization's password hygiene policies and security awareness training efforts

Get your results in a few minutes! They might make you feel like the first drop on a roller coaster!

Find Out Now:
https://info.knowbe4.com/browser-password-inspector-chn


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Yours Truly at Forbes: "Beware The Tactics Used For CEO Fraud By BEC Scammers":
https://www.forbes.com/sites/forbestechcouncil/2022/05/18/beware-the-tactics-used-for-ceo-fraud-by-bec-scammers/

PPS: Don't Just Have a Compliance Season, Have a Culture of Compliance:
https://blog.knowbe4.com/culture-of-compliance

Quotes of the Week  
"Just remember, once you're over the hill you begin to pick up speed."
- Arthur Schopenhauer - Philosopher (1788 - 1860)

"Trust your own instinct. Your mistakes might as well be your own, instead of someone else’s."
- Billy Wilder - Filmmaker (1906 - 2002)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-21-eye-opener-your-cyber-insurance-went-up-a-whopping-92-percent-last-year

Security News
No, Your CEO Does NOT Want Gift Cards

Users should be wary of business email compromise attacks in which criminals impersonate a company’s CEO and ask employees to send them gift cards, according to Mimecast.

“In one nasty example, an attacker pretended to be the CEO of a company telling an employee that the company was looking to donate gift cards to a local hospice care group,” Mimecast says. “However, once the gift cards were acquired, they would be sent directly to the criminals and not the care group.

“Gift cards are a popular form of currency for cyberattackers because they are a fast and easy way to launder money by selling the cards. Plus, they are difficult to trace.”

Mimecast recommends that users set up strong, unique passwords combined with multifactor authentication to protect their accounts. “The easiest way to ensure that you don’t become a victim of business email compromise is to create a strong password that is unique and is not used on multiple accounts,” Mimecast says.

Organizations should adopt a layered security posture that includes technical defenses as well as employee training. “Educating your employees and ensuring that they know what a business email compromise scam looks like is just as important as trying to avoid them altogether,” Mimecast says.

“Your team should also be knowledgeable about the next steps. By understanding how these attacks work and taking the necessary steps to protect your company against them, you can help reduce risk.” The gift card, really, should be a dead giveaway, but that won’t necessarily be obvious to your people.

AP News has the story:
https://apnews.com/press-release/newswire/technology-email-phishing-70b0ee9bf64b48a76aa7cc02448b1e62

Case Study: Spear Phishing a Diplomat

Researchers at Fortinet observed a spearphishing attack that targeted a Jordanian diplomat late last month. The researchers attribute this attack to the Iranian state-sponsored threat actor APT34 (also known as OilRig or Helix Kitten).

The body of the phishing email isn’t particularly detailed, but the attackers put a significant amount of effort into impersonating an employee at the targeted individual’s organization.

“Looking at the headers of the email, we can determine that the email originated from outside the organization,” the researchers write. “But while it came from an external email address, it used the first and last name of an employee in the IT department. The alert diplomat decided to forward this to the real employee.

“This may have been done to verify the authenticity of the original email or, more likely, for further analysis within the IT department. As suggested in the email body, the attached Excel file contained a confirmation form for the targeted diplomat to fill out.”

The threat actor also crafted a sophisticated piece of malware to deliver to the target. “The amount of effort put into developing this attack is much higher than the average run-of-the-mill phishing/spam campaign, putting it on the level of an APT attack,” the researchers write. “From the start, the attackers posed as a valid user and kept the email short without any grammatical errors.

“They then proceeded to use an Excel macro with advanced techniques, including possible anti-analysis techniques with the mouse check and the sheet visibility switch. Furthermore, while state programming is rarely used in malware, in this attack, both the Excel macro and the malware make use of it.

“After checking in, the malware sleeps for 6-8 hours. One likely reason might be that the threat actors expected the diplomat to open the spear phishing email in the morning and then leave at the end of the day. At that point, the attackers would be free to operate.” New-school security awareness training can enable your employees to thwart targeted social engineering attacks.

Fortinet has the story:
https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt
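The two stories above describe the same sender-level tell: the Maersk lures showed a trusted-looking address in the display field while the mail actually came from elsewhere, and the diplomat lure used a real IT employee's name on an external address. The following is an added example (not code from the newsletter, Vade or Fortinet) of a mail-gateway style check for those patterns; the internal directory, trusted domains and sample messages are constructed for illustration.

```python
"""Display-name impersonation checks for inbound mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory and trust list (assumptions for the example).
INTERNAL_DOMAIN = "example.org"
EMPLOYEES = {"jane doe", "bob smith"}          # display names seen in AD
TRUSTED_DOMAINS = {"maersk.com"}               # partners users expect mail from

EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased; empty if malformed."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_sender(raw_message: str) -> list[str]:
    """Return the reasons the From header looks like impersonation (empty = clean)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = sender_domain(address)
    reasons = []

    # 1. Diplomat case: a real employee's name on an address outside the org.
    if display.strip().lower() in EMPLOYEES and domain != INTERNAL_DOMAIN:
        reasons.append("employee name on external address")

    # 2. Maersk case: an address of a trusted domain shown as the display name,
    #    while the envelope/header address belongs to a different domain.
    shown = EMAIL_IN_TEXT.search(display)
    shown_domain = shown.group(1).lower() if shown else ""
    if shown_domain in TRUSTED_DOMAINS and domain != shown_domain:
        reasons.append("trusted domain in display name, different sender domain")

    # 3. Crude lookalike check: trusted brand label inside an untrusted domain.
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if domain != trusted and label in domain:
            reasons.append(f"lookalike of {trusted}")
    return reasons


# Constructed sample messages modelled on the two campaigns described above.
SAMPLES = {
    "diplomat": "From: Jane Doe <jane.doe@freemail.example>\n"
                "Subject: Please confirm\n\nSee attached form.",
    "maersk": 'From: "service@maersk.com" <noreply@compromised-site.example>\n'
              "Subject: Maersk Original Shipping Document\n\nLogin to view.",
    "lookalike": "From: Maersk Shipping <service@maersk-docs.example>\n"
                 "Subject: Shipping update\n\nSee link.",
    "legit": "From: Jane Doe <jane.doe@example.org>\nSubject: Hi\n\nHello.",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_sender(raw) or ["clean"])
```

In production the same checks belong in the gateway or SIEM rule set, with the employee list fed from the directory rather than a hard-coded set.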

What KnowBe4 Customers Say

"Hello Stu, I am the HR Generalist & Trainer here. We are customers of KnowBe4. My colleague Brian and I have worked with Shannon for the past three years, and we both wanted to write to you and brag on Shannon…

"Brian left us a little over a month ago, and my last day is this Friday, May 20. Before I leave, I wanted to let you know that we both agree that Shannon is an exceptional Customer Success Manager.

"Not only is she available to help us any time we’ve ever called on her, but she is also so knowledgeable about KnowBe4 software and service, that many times she suggested better and more effective ways to set up our campaigns and smart groups. And she does so with such a great attitude and patience, that Brian and I fought any attempts (or even thoughts!) by upper management to look for a different infosec training system.

"In short, she is amazing and I will miss working with her. I told my successor that she is in good hands with Shannon, and that she can call on her anytime to walk her through any feature."

-S.D., PHR, GPHR

"I was sent to you guys after I talked to Roger Grimes. That guy is an encyclopedia when it comes to IT security. So, he got you a customer! Thanks for reaching out."

- P.D., V.P. of Product Development

The 10 Interesting News Items This Week
  1. Microsoft President: Cyber Space Has Become the New Domain of Warfare:
    https://www.infosecurity-magazine.com/news/microsoft-cyberspace-domain-warfare/

  2. The Thanos ransomware creator indicted...is also a real cardiologist doctor in Venezuela:
    https://www.justice.gov/usao-edny/pr/hacker-and-ransomware-designer-charged-use-and-sale-ransomware-and-profit-sharing

  3. US House OKs bills on federal cyber policies, tees up more:
    https://therecord.media/house-okays-cybersecurity-bills-tees-up-more/

  4. EU lawmakers reach agreement on stronger cyber rules for critical sectors:
    https://therecord.media/eu-lawmakers-reach-agreement-on-stronger-cyber-rules-for-critical-sectors/

  5. Tesla cars, Bluetooth locks, vulnerable to hackers, researchers say:
    https://www.reuters.com/technology/tesla-cars-bluetooth-locks-vulnerable-hackers-researchers-2022-05-17/

  6. US warning: North Korea's tech workers posing as freelance developers:
    https://www.zdnet.com/article/us-warning-north-koreas-tech-workers-posing-as-freelance-developers/#ftag=RSSbaffb68

  7. Training to Beat a Bad Cybersecurity Culture:
    https://www.darkreading.com/omdia/training-to-beat-a-bad-cybersecurity-culture

  8. Chinese ‘Space Pirates’ are hacking Russian aerospace firms:
    https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/

  9. Wizard Spider hackers hire cold callers to scare ransomware victims into paying up:
    https://www.zdnet.com/article/wizard-spider-hacking-group-hires-cold-callers-to-scare-ransomware-victims-into-paying-up/

  10. Sweden, Finland Weigh Cyber Risks Stemming From NATO Applications:
    https://www.wsj.com/articles/sweden-finland-weigh-cyber-risks-stemming-from-nato-applications-11652980082

  11. BONUS: NSA, FBI, CISA and Allied Nations Joint Press Release on Cybersecurity Weaknesses:
    https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3033563/nsa-allies-issue-cybersecurity-advisory-on-weaknesses-that-allow-initial-access/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
