CyberheistNews Vol 12 #39 [HEADS UP] Bank of America Warns About Recent Scams That Request Zelle Payment Due to 'Suspicious Activity'

Cyberheist News

CyberheistNews Vol 12 #39  |   September 27th, 2022

[HEADS UP] Bank of America Warns About Recent Scams That Request Zelle Payment Due to 'Suspicious Activity'

Stu Sjouwerman SACP

Bank of America recently sent a customer service email warning users to watch out for this new phishing attack.

Threat actors are sending realistic texts requesting that you send money using Zelle® as payment due to a "fraud alert." These texts make the warning look legitimate, and if you respond to the text then you'll receive a call from a fake representative.

This person will use social engineering techniques to trick your users into "sending money to themselves" through the Zelle® payment method. In reality the money goes straight into the scammers' own account.

Check out this 1:22 animated video from Zelle on how to spot this type of scam and share it with your users:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, October 5 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Support for QR-code phishing tests
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, October 5 @ 2:00 PM (ET)

Save My Spot!

[FBI ALERT] Social Engineering Targets Healthcare Payment Processors

The U.S. Federal Bureau of Investigation (FBI) has issued an alert warning of an increase in phishing and other social engineering attacks against healthcare payment processors.

"In each of these reports, unknown cyber criminals used employees' publicly available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites," the Bureau says.

"In one case, the attacker changed victims' direct deposit information to a bank account controlled by the attacker, redirecting $3.1 million from victims' payments." The FBI describes three successful social engineering attacks against these entities:


[New Feature] See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, October 5 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at brand new Jira integration features we've added to make managing your compliance projects even easier!

  • NEW! Jira integration enables you to sync risk and compliance data between Jira and KCM - no more copying and pasting tasks!
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due

Date/Time: Wednesday, October 5 @ 1:00 PM (ET)

Save My Spot!

Do Not Use Easily Phishable MFA and That Is Most MFA!

Everyone should use multifactor authentication (MFA), where they can, to protect valuable information. Everyone!

The problem is that the MFA used by most people and companies is barely better than passwords and just as easy to compromise. If possible, you and your company should strive to use phishing-resistant MFA.

Unfortunately, you usually do not have a choice. The vendor or service you are using forces you to use the MFA solution they have picked and almost always that solution is easily phishable. But where you do have control, try to pick and use phishing-resistant MFA. And when you can, pressure your vendors and service providers to select and use phishing-resistant MFA.

How Is MFA Easily Phishable?

In a nutshell, most MFA solutions can be bypassed by tricking the end user into clicking on a rogue URL that redirects them to a man-in-the-middle (MitM) proxy service, which then captures everything the user types into what they think is their legitimate website (including MFA login codes).

The best video demo of this is one by KnowBe4's Chief Hacking Officer and infamous hacker, Kevin Mitnick. In summary, the steps are:

  • The phishing email contained a URL to a fake look-alike/sound-alike website that was really a malicious MitM proxy
  • The email tricked the user into visiting the malicious MitM proxy website
  • The user typed in credentials, which the proxy, now pretending to be the legitimate customer, presented to the legitimate website
  • The legitimate website sent back a legitimate session token, which Kevin then stole and replayed to take over the user's session
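As an added illustration (not code from the newsletter or from KnowBe4), this Python sketch models the relying-party check that separates phishing-resistant MFA from a typed code: the authenticator signs the origin the browser actually connected to, so an assertion relayed through a look-alike proxy fails the origin check, while a captured OTP code is accepted unchanged. The HMAC-based "authenticator", the hostnames and the device secret are constructed assumptions standing in for a real public-key credential.

```python
# Added illustration (not KnowBe4's code): why an origin-bound credential resists the
# MitM-proxy attack described above, while a typed OTP code does not.
# The authenticator is simulated with an HMAC over a shared secret instead of a real
# public-key signature (a simplification); all hostnames and secrets are constructed.
import hashlib
import hmac
import json

RP_ORIGIN = "https://login.example.com"             # the real site (constructed)
PROXY_ORIGIN = "https://login.example-secure.test"  # look-alike MitM proxy (constructed)


def authenticator_sign(secret: bytes, challenge: str, origin: str) -> dict:
    """Simulated phishing-resistant authenticator: it signs the challenge together with
    the origin the *browser* reports. The user cannot type around this binding."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(secret, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def rp_verify_origin_bound(secret: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party check: signature valid AND signed origin equals the RP's own origin.
    A proxy at another hostname cannot satisfy the second condition."""
    data = json.loads(assertion["client_data"])
    expected_sig = hmac.new(secret, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected_sig, assertion["sig"])
            and data["challenge"] == expected_challenge
            and data["origin"] == RP_ORIGIN)


def rp_verify_otp(expected_code: str, submitted_code: str) -> bool:
    """Typical OTP check: nothing ties the code to where the user typed it, so a code
    captured by a proxy and forwarded to the real site is accepted."""
    return hmac.compare_digest(expected_code, submitted_code)


def demo() -> dict:
    secret = b"device-secret-constructed"
    challenge = "c0ffee"  # issued by the RP for this login attempt (constructed)
    # OTP: the victim types the code at the proxy, which forwards it unchanged.
    otp_relayed = rp_verify_otp("123456", "123456")
    # Origin-bound MFA: the browser reports PROXY_ORIGIN to the authenticator, and the
    # proxy forwards the resulting assertion to the real RP unchanged.
    relayed = rp_verify_origin_bound(secret, challenge, authenticator_sign(secret, challenge, PROXY_ORIGIN))
    genuine = rp_verify_origin_bound(secret, challenge, authenticator_sign(secret, challenge, RP_ORIGIN))
    return {"otp_accepted_via_proxy": otp_relayed,
            "origin_bound_accepted_via_proxy": relayed,
            "origin_bound_accepted_directly": genuine}


if __name__ == "__main__":
    print(demo())
```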


[NEW TOOL] Is Your Organization Ready for the HIPAA Security Rule Section of a HIPAA Compliance Audit? Find Out Now!

When it's time to complete a compliance audit of your cybersecurity readiness plan, are you thinking, "Ugh, is it that time again?"

And, if you have access to confidential protected health information (PHI), passing a compliance audit based on the Health Insurance Portability and Accountability Act (HIPAA) Security Rule is a business requirement.

The HIPAA Security Rule contains the standards to safeguard and protect electronically created, accessed, processed or stored PHI. The rule applies to any organization or system that has access to confidential patient data.

If you're trying to wrap your head around the HIPAA Security Rule, you likely have a lot of questions. You want answers and need guidance on how to best meet the requirements of the HIPAA Security Rule to get your organization HIPAA compliant - fast.

Find out if your organization is ready for the HIPAA Security Rule section of a HIPAA compliance audit now!

KnowBe4's new Compliance Audit Readiness Assessment (CARA) is a free tool that helps you gauge your organization's readiness in meeting control requirements for the HIPAA Security Rule. The assessment guides you through a selection of common requirements from the framework to help you assess your organization's current cybersecurity plan.

CARA asks you to rate your readiness for each requirement and then provides an analysis of your results. It also provides guidance to help you create and implement controls to help get your organization ready for a compliance audit.

Here's how CARA works:

  • You will receive a custom link to take your assessment
  • Rate your organization's readiness for each requirement as Met, Partially Met or Not Met
  • Get an instant analysis and summary of potential gaps in your cybersecurity preparedness
  • Receive a personalized report with control guidance suggestions to help you meet compliance
  • Results in just a few minutes!

Take your first step toward finding out if your organization is ready for the HIPAA Security Rule section of a HIPAA compliance audit now!

Phishing Attacks Reach an All-Time High, Quadrupling That of Early 2020

New quarterly data from the Anti-Phishing Working Group (APWG) shows unprecedented phishing activity with increases in BEC, use of social media, vishing and smishing.

It's never good when phishing attacks are moving, proverbially, "up and to the right." But that’s exactly what we're seeing in APWG's Phishing Activity Trends Report for Q2 of this year. According to the report, phishing of all kinds is on the rise, with some metrics hitting a high:

  • Q2 saw 1,097,811 total phishing attacks – a quadrupling of attacks per quarter compared with early 2020, when APWG reported an average of 81,000 attacks in a single month
  • June saw over 381,000 attacks – an all-time high since the report's inception
  • The average BEC transfer amount was just above $109K – a nearly 20% increase from Q1
  • Social media-based threats increased 47% over Q1
  • Mobile phone-based fraud (smishing and vishing) collectively saw a nearly 70 percent increase over Q1

It's bad. Really bad.

Organizations serious about stopping this threat need a layered security strategy that includes DNS protection, web protection, email protection, endpoint protection, and security awareness training, to ensure that nothing malicious comes in and, if it does, that users are trained to recognize it, not engage, and are empowered to immediately report it.

Blog post with links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Great article - CISO Success Strategy: People, Process And Technology:

PPS: NY Times on new massive Chinese espionage capability:

Quotes of the Week
"To travel is to discover that everyone is wrong about other countries."
- Aldous Huxley - Writer (1894-1963)

"Do the difficult things while they are easy and do the great things while they are small. A journey of a thousand miles must begin with a single step."
- Lao Tzu - Philosopher (604 - 531 BC)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Security Practices Are Improving, but Cybercriminals Are Keeping Up

A survey by the Spanish GetApp software rating site has found that the number of organizations using phishing simulations has risen from 30% in 2019 to 70% in 2022.

Despite this positive trend, however, attackers continue to increase both the sophistication and volume of their phishing emails, which has led to a significant rise in employees clicking on phishing links.

"Phishing schemes and their effectiveness have reached a critical point in 2022," the researchers write. "For the first three years of our survey, the rate of companies reporting phishing emails had remained fairly steady.

"But in the last year, the percentage of companies reporting phishing has jumped from 77% to 89%. More concerning, the number of companies that report someone actually clicking a link in a phishing email leapt from 64% to 81% in only the last year. In the last three years, the percentage of employees clicking on phishing links has absolutely skyrocketed, from 43% to 81%.

"Combined, these numbers are even more alarming because they show a clear upward trend in both phishing volume and effectiveness over the last three years."

Likewise, the number of organizations requiring multi-factor authentication has steadily increased over the past three years, but attackers are increasingly finding ways to bypass these measures.

"In 2019, our survey found that 64% of U.S. companies used 2FA for all (21%) or some (43%) business applications," the researchers write. "In 2022, that number has increased to 91%. Perhaps more importantly, the percentage of companies that use 2FA for all business applications has more than doubled, from only 21% in 2019 to nearly half (45%) in 2022."

GetApp says organizations need to continue implementing security best practices to keep up with the evolving threat landscape.

"The gap between companies reporting phishing emails and those reporting employees clicking on phishing emails has narrowed year over year, from a 30-point gap in 2019 to only eight points in 2022," the researchers write. "In response, companies must prioritize email security and educate staff on the increasingly sophisticated social engineering strategies that threat actors use in phishing emails to manipulate employees into turning over network credentials or downloading malware."

New-school security awareness training can give your employees an essential layer of defense by teaching your employees how to avoid falling for phishing emails.

Blog post with links:

To counter this problem you can now use AIDA, KnowBe4's Artificial Intelligence Driven Agent.

Diamond level and Phishing Premium customers have the option to use AIDA Selected phishing templates. This feature uses AIDA to select the most relevant and challenging template for each user. AIDA Selected templates are chosen based on a user's training history, phishing events, and performance metrics, such as their Phish-prone Percentage and Security Awareness Proficiency Assessment (SAPA) results. The more data AIDA has, the better it works, so we recommend using these templates for users who have some prior training or phishing history.

To avoid repetition in recurring campaigns, the AIDA Selected feature remembers the last five emails sent to each user and selects a different template for subsequent tests.

More at our knowledge base:

Salesforce Co-CEO Benioff Says There's 'No Finish Line When It Comes to Security and Social Engineering' After Uber Hack

CNBC reported: "Salesforce co-CEO Marc Benioff said the cloud software company has much more to do in the area of cybersecurity following an attack at Uber involving Salesforce's Slack chat app.

"Uber said on Monday that it believed a hacking group dubbed Lapsus$ was behind a cyberattack last week and noted that other victims of the group's attacks this year included Cisco, Nvidia, Okta and Samsung. Microsoft also said that Lapsus$ had accessed one of its accounts.

"According to Uber, the attacker probably bought a company contractor's password on the dark web after a malware attack, and the contractor accepted a two-factor authentication request. The attacker downloaded some Slack messages and posted a note to a Slack channel that "many of you saw," the ride-sharing company said.

"Hackers often use so-called social engineering, which involves exploiting trusted individuals rather than just going after hardware and software."

"There's no finish line when it comes to security and social engineering," Benioff said during a press conference at Salesforce's Dreamforce conference in San Francisco on Tuesday. "There's things that we're going to need to do to help our customers prevent these kinds of issues. We've been through almost every possible situation," Benioff said. "There's a lot for us to do in perpetuity, and we're going to just keep working on it."

Full article at:

What KnowBe4 Customers Say

"We are quite happy with KnowBe4! Currently we are on the tail end of our first Security Awareness Training and it has been quite successful.

"Our team looks forward to continuing to leverage KnowBe4 for both training and compliance requirements. I truly appreciate the personal reach out and must say I have been impressed with our end-to-end experience so far.

"From sales, to onboarding, and even the support we received during a technical issue we experienced. Your team has been quite amazing. Keep up the great work!"

- E.J., VP, Technology & Innovation

The 10 Interesting News Items This Week
  1. Google Sees Russia Coordinating with Hackers in Cyberattacks Tied to Ukraine War:

  2. Basic cyber requirements are likely to become standard for public companies, a senior U.S. cyber official said:

  3. CISA Plans to Measure the Effect of Coming Standards on Industry’s Cybersecurity:

  4. Mobile phone hackers wield "Violence-as-a-service" for money, revenge:

  5. Business Application Compromise & the Evolving Art of Social Engineering:

  6. U.S. government indicts Iranian nationals for ransomware and other cybercrimes:

  7. SIM Swapper Abducted, Beaten, Held for $200k Ransom:

  8. Feds Sound Alarm on Rising OT/ICS Threats From APT Groups:

  9. HHS alerts health sector to monkeypox-themed phishing campaign:

  10. Zelle Emerges as Lawmakers' Surprise Villain for Fraud and Scams at Bank Hearings:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
