CyberheistNews Vol 13 #05 | January 31st, 2023
[Eye Opener] Is Cybercrime the World's Third Largest Economy After the U.S. and China?
Cybersecurity Ventures released a new report that claims cybercrime is going to cost the world $8 trillion in 2023. If it were measured as a country, then cybercrime would be the world's third largest economy after the U.S. and China.
The number sounds outlandish, but they stated: "We expect global cybercrime damage costs to grow by 15 percent per year over the next three years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
"Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm."
The 2022 Official Cybercrime Report, published by Cybersecurity Ventures and sponsored by eSentire, provides cyber economic facts, figures, predictions and statistics that convey the magnitude of the cyber threat we are up against, and market data to help understand what can be done about it.
Link to the article where you can download the report and see the VIDEO:
https://cybersecurityventures.com/cybercrime-to-cost-the-world-8-trillion-annually-in-2023/
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, February 1, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! KnowBe4 Mobile Learner App - Users Can Now Train Anytime, Anywhere!
- NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
- NEW! AI-Driven phishing and training recommendations for your end users
- Did You Know? You can upload your own SCORM training modules into your account for home workers
- Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 50,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: TOMORROW, Wednesday, February 1, @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/4070983/65E8D5CFC418A57E30B99FB87D520251?partnerref=CHN2
[INFOGRAPHIC] Q4 2022 Report Confirms Business-Related Phishing Emails Trend
KnowBe4's latest reports on top-clicked phishing email subjects have been released for 2022 and Q4 2022. We analyze "in the wild" attacks reported via our Phish Alert Button, top subjects globally clicked on in phishing tests, top attack vector types and holiday email phishing subjects.
Business-Related Phishing Emails Continue
Business phishing emails have always been effective and continue to be successful because of their potential to affect a user's workday and routine. The 2022 results reveal that 49% of email subjects are HR related, creating a sense of urgency in users to act quickly, sometimes before thinking logically and taking the time to question the email's legitimacy.
Cybercriminals constantly refine their strategies to outsmart end users and organizations by changing phishing email subjects to be more believable and attention-grabbing. This shift in phishing tactics over time is evident in the increasing trend of cybercriminals using business-related email subjects.
Cybercriminals are smart and pay attention to what works and what does not when it comes to effective phishing emails. This is why we see email subjects evolve and upgrade over time to keep up with end users and what they may be susceptible to. Phishing emails are a year-round threat. An educated workforce is an organization's best defense to remain vigilant and stay safe online from cybercriminals and their attempted threats.
Download Infographic and Top Phishing Subjects here:
https://blog.knowbe4.com/2022-report-confirms-business-related-phishing-emails-trend-infographic
Artificial Intelligence, ChatGPT and Cybersecurity: A Match Made in Heaven or a Hack Waiting to Happen?
AI is no longer science fiction.
Software vendors have been integrating AI into products for years, which has led to innovations such as improved threat detection and training opportunities. But the emergence of newer technologies like DALL-E and ChatGPT has raised new questions about the real threats AI poses.
In this presentation, James McQuiggan, Security Awareness Advocate at KnowBe4, will discuss the benefits of AI, the potential threats, and strategies you can use to protect your network today and in the future.
You'll learn:
- The key benefits and uses of AI for cybersecurity
- How AI could put your organization at risk
- Strategies for integrating AI into your cybersecurity defenses
- Why security awareness training is your best, last line of defense
Get the information you need now to protect your network and earn CPE credit for attending!
Date/Time: Wednesday, February 8 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot!
https://info.knowbe4.com/ai-chatgpt-and-cybersecurity?partnerref=CHN
What Is a Good Completion Percentage for Security and Compliance Training?
By John Just, KnowBe4 Chief Learning Officer.
Completion percentages on compliance and security training campaigns have become a popular topic of discussion.
In a draft of its recent report on measuring the effectiveness of these training programs, the National Institute of Standards and Technology (NIST) cited completion percentages as the highest indicator of the health of your program.
Not too long ago we released a popular whitepaper, webinar, and infographic addressing the topic of getting more users to complete training. As part of that we talked to a number of organizations that were at 100% completion on required training, or darn close.
But what is a good completion percentage? As the largest provider of security awareness training and a growing provider of compliance training, we thought it might be interesting to look at this data within our customer base and share it with you.
The results were interesting because I thought they would have been lower, but maybe that is my bias from talking to so many people who are struggling to get people to complete. Also, as you can see, it depends on the training type and format, but the variations are pretty small. Hopefully these results can help you set goals for your program and get buy-in from leadership, which is identified as a critical factor for success.
The following table was taken from the required training campaigns running from September 1, 2022, and ending on or before October 31, 2022:
CONTINUED at the KnowBe4 blog:
https://blog.knowbe4.com/good-completion-percentage-for-security-compliance-training
Does Your Domain Have an Evil Twin?
Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it's a top priority that you monitor for potentially harmful domains that can spoof your domain.
Our Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines the search, discovery, reporting and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as "safe" domains for your organization.
With Domain Doppelgänger, you can:
- Search for existing and potential look-alike domains
- Get a summary report that identifies the highest to lowest risk attack potentials
- Generate a real-world "domain safety" quiz based on the results for your end users
Domain Doppelgänger helps you find the threat before it is used against you.
Find out now!
https://info.knowbe4.com/domain-doppelganger-chn
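To make the look-alike domain idea above concrete, here is an added example (not KnowBe4's Domain Doppelgänger code) that generates the typosquat, homoglyph, affix and alternate-TLD candidates for your own domain and matches them against a feed of newly observed domains. The feed below is constructed for illustration; in practice it would come from certificate transparency logs or a new-registration list.

```python
# Added example: candidate generation + matching for look-alike domains.
# Not KnowBe4 code; the OBSERVED_FEED sample is constructed for illustration.

# Visually confusable pairs, applied in both directions (m <-> rn, l <-> 1, ...).
CONFUSABLES = [("o", "0"), ("l", "1"), ("i", "l"), ("e", "3"), ("a", "4"),
               ("s", "5"), ("m", "rn"), ("w", "vv")]
AFFIXES = ("secure", "login", "mail", "support", "hr")
ALT_TLDS = ("com", "net", "org", "co", "info")


def lookalike_candidates(domain: str) -> dict:
    """Return {candidate_domain: technique} for one registrable domain."""
    name, tld = domain.lower().rsplit(".", 1)
    cands = {}

    def add(label: str, technique: str) -> None:
        # Skip empty labels and the original name; keep the first technique seen.
        if label and label != name:
            cands.setdefault(f"{label}.{tld}", technique)

    for i in range(len(name)):
        add(name[:i] + name[i + 1:], "omission")                  # exmple
        add(name[:i + 1] + name[i] + name[i + 1:], "repetition")  # exaample
    for i in range(len(name) - 1):
        add(name[:i] + name[i + 1] + name[i] + name[i + 2:], "transposition")  # exmaple
    for a, b in CONFUSABLES:
        for src, dst in ((a, b), (b, a)):
            if src in name:
                add(name.replace(src, dst, 1), "homoglyph")        # exarnple
    for affix in AFFIXES:
        add(f"{name}-{affix}", "affix")                           # example-login
        add(f"{affix}-{name}", "affix")
        add(f"{affix}{name}", "affix")
    for alt in ALT_TLDS:
        if alt != tld:
            cands.setdefault(f"{name}.{alt}", "tld")              # example.net
    return cands


def flag_lookalikes(domain: str, observed) -> list:
    """Match an observed-domain feed against the candidates; sorted (domain, technique)."""
    cands = lookalike_candidates(domain)
    hits = {}
    for raw in observed:
        d = raw.lower().rstrip(".")   # normalise case and trailing dot from DNS feeds
        if d in cands:
            hits[d] = cands[d]
    return sorted(hits.items())


# Constructed sample of newly seen domains (stand-in for a CT-log or registration feed).
OBSERVED_FEED = ["exarnple.com", "examp1e.com", "example-login.com", "exmaple.com",
                 "EXAMPLE.NET", "unrelated.org", "example.com"]

if __name__ == "__main__":
    for dom, why in flag_lookalikes("example.com", OBSERVED_FEED):
        print(f"{dom:<22} {why}")
```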
Hacker's Movie Guide: The Complete List of Hacker and Cybersecurity Movies
Is alert fatigue getting to you? I found a guide that allows you some well-deserved personal downtime, and still has something to do with work so that you can justify taking some PTO and vegging out. But sometimes there are 1,000 channels and it still looks like there is nothing to watch. This might help...
"Hackers Movie Guide" is the most complete list of hacker and cybersecurity movies from 1956 to present. Most of the movies have a central theme around hacking. Others have a certain character or enough footage on the subject matter to be included.
Steve Wozniak, co-founder of Apple, wrote in his foreword: "My whole life has been wanting to be more like movie protagonists, who are younger, poorer or weaker, having to overcome Goliath, but having brains that think outside of the rules. I have always been for the young and powerless, the consumers vs. the producers. This is almost always the theme ascribed to hackers in movies. The young hackers use their brains for good and fairness. We all take their sides in these movies."
Blog post with links:
https://blog.knowbe4.com/hackers-movie-guide-the-complete-list-of-hacker-and-cybersecurity-movies
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: 6 cybersecurity buzzwords to know in 2023:
https://www.techtarget.com/searchsecurity/opinion/6-cybersecurity-buzzwords-to-know-in-2023
PPS: CISA released their recommendations for K-12 cyberdefense and we are happy to see it includes security awareness training:
https://www.cisa.gov/sites/default/files/publications/Implement_Most_Impactful_Security_Measures_K-12_508c.pdf
- Max More (* 1964) - Philosopher and Futurist
Link to https://blog.knowbe4.com/stus-law-you-get-the-future-you-ignore
- Yours Truly
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-05-eye-opener-is-cybercrime-the-worlds-third-largest-economy-after-the-us-and-china
Phishing Campaign Against U.S. Government Agencies
A large-scale phishing campaign compromised a significant number of networks belonging to federal civilian executive branch (FCEB) agencies in the U.S., according to a joint advisory issued by CISA, the National Security Agency (NSA), and MS-ISAC.
Beginning in June 2022, the threat actors sent phishing emails posing as the Geek Squad to convince victims to install legitimate remote monitoring and management (RMM) tools in order to carry out a scam.
"In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient's system and enticed the recipient to log into their bank account while remaining connected to the system.
"The actors then used their access through the RMM software to modify the recipient's bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to 'refund' this excess amount to the scam operator."
Remote access tools can avoid detection by antivirus software, since they're usually used for legitimate purposes. The agencies add that the access gained during these attacks could be sold to other, more nefarious threat actors.
"Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity," the advisory says. "For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors.
"This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2)."
New-school security awareness training teaches your employees to recognize phishing and other social engineering attacks.
CISA has the story:
https://www.cisa.gov/uscert/ncas/alerts/aa23-025a
QR Code Phishing
Researchers at Fortinet warn that a phishing campaign is impersonating the Chinese Ministry of Finance. The phishing emails contain a document with a QR code that leads to a credential-harvesting site.
"A QR code requires an application to read and translate it into something actionable," the researchers write. "Most mobile phones have this functionality through their camera, and software packages are available on all major platforms to do this from a computer. In each of the examples FortiGuard Labs found, the QR code contained in the Microsoft Word attachments provided a URL for the user to follow.
"When the user does this using their desktop platform or mobile device, they arrive at a website controlled by the threat actor." The QR code leads to a phony version of the Chinese business communication app DingTalk.
"It is a spoofed facsimile of a DingTalk instance (it should be noted that as of the publication date, this site is now offline)," Fortinet says. "DingTalk is a broadly used enterprise communication platform developed by Alibaba Group.
"Given the reach of the platform and its large number of users, credentials for it would be valuable. The user is directed to a pop-up message box that suggests their DingTalk account has committed some unspecified business violation(s) and that it will be frozen without verification in 24 hours."
Blog Post with links:
https://blog.knowbe4.com/new-qr-code-phishing-campaign-is-impersonating-the-chinese-ministry-of-finance
What KnowBe4 Customers Say
"Stu, Thank you for taking the time to ask! We are enjoying both the testing and the training, at least I am; some users may feel differently.
"That said, the results speak for themselves. We have run two campaigns since late November with excellent results. In my opinion since we added KnowBe4, we went from the bank's leadership pulling users along to avoid being vulnerable to phishing to a very proactive organization where those same users are now pushing us to address suspicious emails.
"Miko A., our Customer Success Manager, is great to work with and has made navigating and learning the software and portal seamless and fast. I enjoy working with him and he is representing your company well. Thank you for what you and your company do, and again, I appreciate the note!"
- H.B., Chief Information Officer
"Stu, I wanted to let you know that Tyler N., my CSM at KnowBe4, is an outstanding success manager. As he was assisting me in 2022 with the implementation of the 'Automation with Smart Groups: Dynamic Phishing and Remedial Training Plan', Tyler's assistance with my needs/questions was always timely and his answers were very detailed.
"Thanks to Tyler, we created a mock integration of the automation with Smart Groups so that I could not only build, document and implement the final solution, but he also assisted me in educating management on their roles with the dashboards and gamification, as well as managing the training modules used.
"Tyler's efforts were exemplary as he coached me through the 3 months of testing in our mock-up campaigns and trainings right up to implementation of the new program in November 2022.
"Tyler's strengths in my eyes are his ability to speak through domain knowledge, data requirements, and strategic and problem-solving issues. He was also a great team player and leader, was always mindful of our time management, and when I asked ridiculous questions he would approach them with empathy and straighten me out technically. Thank You."
- C.J., Cyber Security Senior
- ChatGPT: "The risk of mass manipulation will intensify the PR battle between Big Tech companies":
https://www.lemonde.fr/en/opinion/article/2023/01/22/chatgpt-the-risk-of-mass-manipulation-will-intensify-the-pr-battle-between-big-tech-companies_6012591_23.html
- Hive ransomware disrupted after FBI hacks the gang's systems:
https://www.wsj.com/articles/u-s-disrupts-hive-ransomware-group-seizes-its-servers-11674749213?mod=hp_lead_pos7
- This 'Cryptoqueen' scammed investors out of $4 billion, the FBI says. Then she boarded a plane and disappeared:
https://edition.cnn.com/2023/01/22/business/ruja-ignatova-cryptoqueen-fbi-most-wanted-cec/
- Email is our greatest productivity tool. That's why phishing is so dangerous to everyone:
https://www.zdnet.com/article/email-is-our-greatest-productivity-tool-thats-why-phishing-is-so-dangerous-to-everyone/
- Microsoft plans to kill malware delivery via Excel XLL add-ins:
https://www.bleepingcomputer.com/news/microsoft/microsoft-plans-to-kill-malware-delivery-via-excel-xll-add-ins/
- FBI: North Korean hackers stole $100 million in Harmony crypto hack:
https://www.bleepingcomputer.com/news/security/fbi-north-korean-hackers-stole-100-million-in-harmony-crypto-hack/
- What's in a Word? FCC's Proposed Data Breach Rule Redefines Key Terms:
https://www.nextgov.com/cybersecurity/2023/01/whats-word-fccs-proposed-data-breach-rule-redefines-key-terms/382088/
- Bots Are Now Robocalling to Phish For Your Two-Factor Authentication (2FA) Codes:
https://blog.radware.com/security/phishing/2023/01/bots-are-now-robocalling-to-phish-for-your-two-factor-authorization-2fa-codes/
- Hackers Demand $10M From Riot Games to Stop Leak of League of Legends' Source Code:
https://www.vice.com/en/article/qjky8d/hackers-demand-dollar10m-from-riot-games-to-stop-leak-of-league-of-legends-source-code
- U.K. warns of increased attacks from Russian, Iranian hackers:
https://www.bleepingcomputer.com/news/security/uk-warns-of-increased-attacks-from-russian-iranian-hackers/
- Your Virtual Winter Vaca #1, The Swiss Alps in gorgeous 4K:
https://www.youtube.com/watch?v=ZtT3jaTcCsY
- Your Virtual Winter Vaca #2 to Incredible ICELAND:
https://www.youtube.com/watch?v=W0PrnBQs_W4
- Little Big World, Last Year Today. The Best of 2022:
https://www.youtube.com/watch?v=tw52Xu3K4c0
- "Respectfully Abused" Ferrari Testarossa. Fun in the snow in 4K:
https://www.youtube.com/watch?v=yUNu9Wc5GPI
- Why New Zealand is Finally Getting its First Subway:
https://www.youtube.com/watch?v=ZeMN22PaYSM
- The fascinating Stickiest Non-Sticky "Gecko-Substance":
https://www.youtube.com/watch?v=vS0TuIPoeBs
- Italy + Switzerland 2019 Wingsuit Base Jumping!:
https://www.youtube.com/watch?v=gk8JihLw0dE
- [From The Archives] Best Of People are Awesome 2018:
https://www.youtube.com/watch?v=Cn2bMLNMiFk
- Soaring through the skies defying gravity, a tribute to daredevil wingsuit flyers:
https://www.flixxy.com/human-flight-all-i-need-is-the-air-that-i-breathe.htm?utm_source=4
- [WHUT?] Richard Nixon Got Close To Predicting Putin and Russia in 1994:
https://www.youtube.com/watch?v=og0X3-lDQts
- For Da Kids #1 - Wobbly Baby Goat Finally Runs With Her Best Friend:
https://www.youtube.com/watch?v=rRiKt90TyEg
- For Da Kids #2 - Senior Pittie Begs His Dad To Ride Shotgun On His Motorcycle:
https://www.youtube.com/watch?v=ZvVkFL8SdbQ
- For Da Kids #3 - Wild Blue Jays Surprise Woman In The Best Way:
https://www.youtube.com/watch?v=FqAoZpeY9PM
- For Da Kids #4 - Guy Wins Cat's Love By Treating Her Like A Dog:
https://www.youtube.com/watch?v=C9Tl5RfScYU
- For Da Kids #5 - How Hagfish Unleash a Torrent of Slime | Deep Look:
https://www.youtube.com/watch?v=id1XEi7Jk7Y