CyberheistNews Vol 12 #44 [INFOGRAPHIC] KnowBe4 Top-Clicked Phishing Email Subjects for Q3 2022

CyberheistNews Vol 12 #44 | November 1st, 2022

[INFOGRAPHIC] KnowBe4 Top-Clicked Phishing Email Subjects for Q3 2022 Stu Sjouwerman SACP

KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. We analyze "in the wild" attacks reported via our Phish Alert Button, top subjects globally clicked on in phishing tests, and top attack vector types.

Business-Related Phishing Attempts Still Trending

Business phishing emails have always been effective and continue to be successful because of their potential to affect a user’s workday and routine. This quarter's results reveal that 40% of email subjects are HR related, creating a sense of urgency in users to act quickly, sometimes before thinking logically and taking the time to question the email's legitimacy.

We also see that the top attack vector for this quarter is phishing links in the body of an email. These combined tactics can have destructive outcomes for organizations and lead to a multitude of cyberattacks such as ransomware and business email compromise.

My Take...

As phishing emails evolve and become more sophisticated, it is imperative that organizations prioritize security awareness training for all employees, now more than ever. Phishing emails that disguise themselves as internal communications are especially concerning since they are sure to grab the attention of users and typically incite action.

New-school security awareness training for employees helps combat phishing and malicious emails by educating users on what to look out for. It is the key to creating a healthy level of skepticism to better protect an organization and build a stronger security culture.

Q3 2022 Top-Clicked Phishing Emails

In Q3 2022, we examined "in-the-wild" email subject lines that show actual emails users received and reported to their IT departments as suspicious. We also reviewed tens of thousands of email subject lines and categories from simulated phishing tests, and top attack vector types in both categories.

[CONTINUED] The list with results and an infographic you can download are on our blog:
https://blog.knowbe4.com/knowbe4-top-clicked-phishing-email-subjects-for-q3-2022-infographic

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, November 2 @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

NEW! KnowBe4 Mobile Learner App - Your Users Can Now Train Anytime, Anywhere!
NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
NEW! AI-Driven phishing and training recommendations for your end users
Did You Know? You can upload your own SCORM training modules into your account for home workers
Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, November 2 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3947021/2F2FD9B91E67A4D9191D17466E31D0F3?partnerref=CHN2

[Eye Opener] Work in IT? You Get Attacked Much More Than Other Employees

We received an interesting email from Elevate Security you need to be aware of. Their recent research showed: "Social engineering attacks are growing more sophisticated every day, victimizing your workforce users and triggering security breaches. The worst part? Social engineering attacks are on the rise. And your IT engineers and developers are being attacked more often than other organizational departments."

July 2022, IT engineers were targeted 8x more often than non-engineers

They continued: "Since April 2022, social engineering attacks on IT engineers, on average, have increased 142% from 5.79 times per month to 8.25 times per month. In fact, in July 2022, IT engineers were targeted 8x more often than non-engineers. They published an infographic that illustrates this increased risk."

Elevate Security notes that although engineers are not inherently riskier than other workforce users, this increased frequency of attacks raises their likelihood of unintentionally triggering a security breach, regardless of their behavior.

They invited us to check out their infographic, The Rise of Social Engineering Attacks: An Overview of the State of Cybercrime to explore the state of cyber crime and social engineering attacks as they stand today, and they even mentioned Kevin Mitnick, our Chief Hacking Officer. Recommended.

Blog post with links:
https://blog.knowbe4.com/eye-opener-work-in-it-you-get-attacked-much-more-than-other-employees

[New Feature] See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, November 2 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at brand new Jira integration features we've added to make managing your compliance projects even easier!

NEW! Jira integration enables you to sync risk and compliance data between Jira and KCM - no more copying and pasting tasks!
Vet, manage and monitor your third-party vendors' security risk requirements
Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
Dashboards with automated reminders to quickly see what tasks have been completed, not met and are past due

Date/Time: TOMORROW, Wednesday, November 2@ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3946861/3A90FBA37F51FD30E69A881264C94458?partnerref=CHN2

[APPLY TODAY] Security Awareness Training Eligible for 185 Million DHS Cybersecurity Grant Opportunity

The Department of Homeland Security (DHS) is providing $185 million of grant money this year to U.S. states and territories to bolster their cybersecurity defenses, which includes security awareness training. The program will provide one billion dollars over the next four years to help states and territories become more resilient to cyber threats.

The State and Local Cybersecurity Grant Program seeks to make targeted cybersecurity investments in state, local and tribal government agencies to improve the security of critical infrastructure and boost the resilience of the services these governments provide their communities.

The program ranks security awareness training as a priority for the cyber security posture of state and local governments. Such training is listed as one of four top objectives of the program.

The deadline for states to apply for grant funding this year is Nov. 15, 2022, at 5 p.m. ET

Local governments (counties, cities, etc.) cannot apply directly for funds and must work with their respective states' when/if their states receive funding. That said, the program requires states to pass along 80% of funds received to local governments, so this is definitely something for local governments to keep an eye on.

The DHS will make funding selections no later than Nov. 30, 2022, and states will be notified no later than Dec. 31.

More about the grant application requirements at the KnowBe4 blog:
https://blog.knowbe4.com/apply-today-security-awareness-training-eligible-for-185-million-dhs-cybersecurity-grant-opportunity

[Hacking Biometrics] If You Thought Your Fingerprints Were Safe, Think Again!

When you think of using biometric technology as part of your multi-factor authentication process, you assume these attributes are safe. Cybercriminals can't hack your fingerprints, can they? The answer may surprise you!

Biometric attributes aren't as safe as they once were. Cybercriminals are always coming up with new ways to get around safeguards, and biometric based hacks are on the rise.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, as he dives into how biometrics can work, how they can be used against you, and how you can best protect your organization.

In this session you'll learn:

How biometric attributes are stored and used
Why your digital fingerprint is not nearly unique as you think
How cybercriminals steal biometric data and use it against you
Attributes of strong biometric solutions
Why training your users is your best, last line of defense

Get the information you need now to protect your network and earn CPE credit for attending!

Date/Time: Wednesday, November 9 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://info.knowbe4.com/hacking-biometrics?partnerref=CHN

Stolen Devices and Phishing

Researchers at Cyren describe a phishing attack that resulted from the theft of a stolen iPad. The iPad was stolen on a train in Switzerland, and briefly appeared on Apple's location services in Paris a few days later. The owner assumed the iPad was lost for good, but sent a message to the iPad with her phone number just in case.

More than six months later, the owner received a text message claiming to be from Apple Support, claiming that her iPad had been found. The message included a link to a spoofed iCloud website that asked for her Apple login details. Fortunately, she didn't fall victim to this attack.

Cyren's researchers then tied this attack to a sophisticated phishing kit designed to spoof multiple Apple services. The attacker receives the stolen data via a custom-made Telegram bot.

"A Telegram bot is useful for this purpose since it allows for easy broadcast via the cloud – in technical terms, a http API," the researchers write. "It's surprisingly easy to set up a Telegram bot for this purpose, the process can be done in about one minute. After creating a bot, you receive an authentication token.

"The authentication token allows you to control the bot and send messages. The reason that the attackers are using it is because Telegram has an HTTP-based interface which allows bot owners to send messages just using a HTTP request that includes the token of the bot, a chat id, and the message. This is all completely free of charge and the bot owner doesn't need their own separate server to handle the communication. It is also user friendly for the attacker as he conveniently receives the victim info in a telegram chat."

After stealing the credentials and logging into the victim's account, the phishing kit will automatically remove the linked iCloud account from the device. This allows the attacker to "reset the stolen devices and set them up as new devices so they can be sold."

Blog post with links:
https://blog.knowbe4.com/stolen-devices-and-phishing

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from October 2022:
https://blog.knowbe4.com/knowbe4-fresh-content-updates-october-2022

PPS: [HACKING GOOGLE VIDEO] Five elite security teams. Six never-before-told stories. Go behind the scenes with the hacking teams at Google keeping more people safe online than anyone else in the world:
https://www.youtube.com/playlist?list=PL590L5WQmH8dsxxz7ooJAgmijwOz0lh2H

Quotes of the Week

"What you think you become. What you feel you attract. What you imagine you create."
- Buddha

"The mind is the limit. As long as the mind can envision the fact that you can do something, you can do it, as long as you really believe 100 percent."
- David Hockney - Artist (*1937)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-44-infographic-knowbe4-top-clicked-phishing-email-subjects-for-q3-2022

Security News

Phishing for Student Email Accounts

University student accounts are being exploited for business email compromise. Researchers at Avanan have observed a rise in attacks that compromise legitimate college student accounts in order to carry out business email compromise (BEC) attacks.

"In this attack," the researchers say, "hackers are compromising student accounts to launch broader BEC and credential harvesting attacks. We've seen a generous uptick in threat actors compromising student accounts, and then using them to send out BEC and credential harvesting messages. In this case, this same compromised account sent out numerous messages to a variety of organizations. The university, based in Arizona, is not an Avanan customer, and it's not clear how the compromise began.

"Regardless, this represents an effective tactic by hackers. Compromising a student account can be done quite efficiently. From there, leveraging the legitimacy of that email account, it's easy to send out multiple of the same messages to a variety of targets. That makes this an effective way for hackers to send out a wide spectrum of messages with just one compromise."

The phishing emails sent from the accounts appear to be support messages informing the user that several emails are being held for review. The user is directed to click a link in order to view the blocked emails. Avanan notes that there are several red flags in the emails, "such as where the URL goes to and also the fact that a university account wouldn't be used to send support messages."

The goal of acquiring credentials to university email accounts, then, is to enable further phishing operations. Avanan suggests that the ultimate goal of the phishing would be business email compromise, a form of cybercrime based on social engineering that’s growing increasingly dangerous.

New school security awareness training, however, can afford any organization a measure of protection, both from the initial phishing and the subsequent BEC attempts.

Blog post with links:
https://blog.knowbe4.com/phishing-for-student-email-accounts

New From CISA: Cross-Sector Cybersecurity Performance Goals

In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors.

These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.

Cybersecurity training within 10 days of onboarding

OF NOTE: Item 4.3 "At least annual trainings for all organizational employees and contractors that covers basic security concepts, such as phishing, business email compromise, basic operational security (OPSEC), password security, etc., as well as fostering an internal culture of security and cyber awareness. New employees receive initial cybersecurity training within 10 days of onboarding, and recurring training on at least an annual basis."

The simplest way to get new employees their mandatory security training in 10 days or less is to fully automate the process. KnowBe4 allows you to do that with Active Directory / SCIM integration and smart groups. Voilà!

Summary writeup from CISA:
https://www.cisa.gov/cpg?mod=djemCybersecruityPro&tpl=cy

And this is the full CISA report:
https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf

What KnowBe4 Customers Say

"Hello Stu, thank you for reaching out and assessing our experience with KnowBe4! We are efficiently utilizing KnowBe4's phishing and training services and have experienced tremendous feedback from our end-users!

"We have received such remarks as:

"I actually really enjoyed the game! I kept the hacker right in his place and he didn't even get a chance to move because I never got a question wrong!"
"I want to share that the training was very well received. I really enjoyed it and learned several new things that I would have never even thought of before! Thank you!"

"The physical ModStore resources (newsletters, posters, etc.) have also been a phenomenal addition to our curriculum as we have continued to provide modern, eye catching and informative content to our Cyber Security Awareness and Education bulletin board and the Cyber Security portion our regular newsletter.

"We continue to provide and expand KnowBe4's phishing and training programs, across all of our hospital with great results, thus far. Thank you and best regards."

- L.N., IT Network Administrator

The 10 Interesting News Items This Week