CyberheistNews Vol 13 #22 [Eye on Fraud] A Closer Look at the Massive 72% Spike in Financial Phishing Attacks

Cyberheist News

CyberheistNews Vol 13 #22  |   May 31st, 2023

[Eye on Fraud] A Closer Look at the Massive 72% Spike in Financial Phishing AttacksStu Sjouwerman SACP

With attackers knowing financial fraud-based phishing attacks are best suited for the one industry where the money is, this massive spike in attacks should both surprise you and not surprise you at all.

When you want tires, where do you go? Right – to the tire store. Shoes? Yup – shoe store. The most money you can scam from a single attack? That's right – the financial services industry, at least according to cybersecurity vendor Armorblox's 2023 Email Security Threat Report.

According to the report, the financial services industry as a target has increased by 72% over 2022 and was the single largest target of financial fraud attacks, representing 49% of all such attacks. When breaking down the specific types of financial fraud, it doesn't get any better for the financial industry:

  • 51% of invoice fraud attacks targeted the financial services industry
  • 42% were payroll fraud attacks
  • 63% were payment fraud

To make matters worse, nearly one-quarter (22%) of financial fraud attacks successfully bypassed native email security controls, according to Armorblox. That means one in five email-based attacks made it all the way to the Inbox.

The next layer in your defense should be a user that's properly educated using security awareness training to easily identify financial fraud and other phishing-based threats, stopping them before they do actual damage.

Blog post with links:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, June 7, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Executive Reports - Can create, tailor and deliver advanced executive-level reports
  • NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • Did you know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 60,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, June 7, @ 2:00 PM (ET)

Save My Spot!

Cyber Insurance: Is Paying a Ransom Counter-Productive?

By Jacqueline Jayne.

Food for thought as discussed on May 18, 2023, an article posted in The Australian Insurance Council: Banning paying a ransom to cyber hackers is counter-productive where Andrew Hall, the Chief Executive of the Insurance Council of Australia (ICA), stated that "attempts to ban businesses from paying ransoms for cyber attacks risks eroding trust and relationships with government."

The premise of this comment comes from the recent Australian Federal Budget announcement of AUD $23.4 million in funding for a program designed to uplift cybersecurity for 50,000 small businesses with a cyber warden program.

The details of this program are yet to be finalized. Mr. Hall encourages more consultation between the government and the small business community.

In relation to the proposed ban on paying ransoms for cyber attacks, Mr. Hall brings up a valid point that the "decision for a business to pay or not pay a ransom is a decision for the business." If a ban on paying ransoms was to come into effect, there is a high chance that businesses would decide to pay to keep their business running despite the potential fallout.

The steady nature of ransomware attacks is a reminder that no company is immune. As the threat landscape continues to evolve, it is more important than ever for Australian businesses to cultivate a security culture. This means having a comprehensive security strategy and focusing on preventative measures to reduce the risk of human error and investing in security technologies.

We can't (yet) stop ransomware. What we can do is limit the effectiveness and frequency of ransomware by increasing basic cyber awareness.

There are several things that Australian businesses can do to increase their basic cyber hygiene and cultivate a security culture. These include:

  • Implement ongoing, relevant, and engaging employee education on security best practices
  • Provide an opportunity for employees to test their knowledge with simulated social engineering activities, e.g., simulated phishing programs
  • Create relevant cyber security policies that specify the desired guidelines, expectations, actions, attitudes, and behaviors aligned with security

Blog post with links:

Got (Bad) Email? IT Pros Are Loving This Tool: Mailserver Security Assessment

With email still a top attack vector, do you know if hackers can get through your mail filters? Spoofed domains, malicious attachments and executables to name a few...

Email filters have an average 7-10% failure rate where enterprise email security systems missed spam, phishing and malware attachments.

KnowBe4's Mailserver Security Assessment (MSA) is a complementary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.

Here's how it works:

  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test, and result status
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!

Find out now if your mailserver is configured correctly, many are not!

More Than Half of All Email-Based Cyber Attacks Bypass Legacy Security Filters

New data shows that changes in cybercriminals' phishing techniques are improving their game, making it easier to make their way into a potential victim user's inbox.

I wrote about how ~12% of all email threats were getting all the way to the inbox. But new data from cybersecurity vendor Armorblox's 2023 Email Security Threat Report shows that the number is much higher, depending on the security solutions in place.

Of all phishing attacks that targeted organizations in 2022, 78% used more sophisticated techniques to successfully bypass native email security tools – and were able to reach the inbox 56% of the time!

According to the report, the following is the breakdown of the kinds of specific attacks and threats found within the phishing attacks:

  • 51% of email attacks focused on credential phishing
  • 41% focused on social engineering-based threats
  • 3% were VIP impersonation attacks
  • 3% were extortion attacks
  • 2% were payroll fraud scams

By looking at the breakdown of the two largest techniques used, you can begin to see reasons why these attacks are getting through. Credential phishing attacks are successful because they are using new sophisticated ways to avoid detection. Social engineering attacks most often have no malicious content within them, making it difficult to detect.

The risk of such attacks succeeding is high, making it necessary for you to enroll users into continual security awareness training to educate them on what to look for, the techniques used, and how to spot a malicious email a mile away.

Blog post with links:

[NEW Whitepaper] The Power of the PhishER Blocklist

The unsung heroes of your security operations center (SOC) can use all the help they can get when it comes to email management.

If your users are already reporting suspicious emails, your SOC team should be using this effort to strengthen their email filtering and blocklisting decisions.

In this whitepaper, learn how the blocklist feature built into PhishER, KnowBe4's lightweight security orchestration, automation and response (SOAR) tool, helps make the most of its machine-learning capabilities through user input. See how you can improve your Microsoft 365 email filters using reported messages to keep similar phishing emails from reaching the rest of your user base.

Read this whitepaper to learn how the PhishER blocklist feature can:

  • Relieve an overworked SOC
  • Incorporate user input to augment existing infosec tools
  • Support a strong security culture

Download this whitepaper today!

[SEG Headache] More Than Half of Cybersecurity Leaders Say That Too Many Phishing Attacks Get Through

Egress, a cybersecurity company that provides intelligent email security, recently released their Email Security Risk Report 2023.

It's solid research that shows 99% of cybersecurity leaders are stressed about their email security with good reason. The numbers are scary. We mentioned their report a few weeks ago, but there are many important findings there.

Frustration with Traditional SEG technologies

The survey found dissatisfaction with many of the traditional SEG technologies in place to stop email security threats, with 98% of cybersecurity leaders frustrated with their SEG:

  • 58% - It isn't effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment
  • 53% - Too many phishing emails end up in employees' inboxes
  • 50% - It takes a lot of administrative time to manage

DarkReading has a good summary of the report, and a link to their website for the whole report which is recommended.

Blog post with links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from May 2023:

PPS: [BUDGET AMMO] WSJ: "Security chiefs say that proper employee training is key to managing leak risks from ChatGPT and similar platforms":

[BONUS BUDGET AMMO] By yours Truly in Forbes: "How AI Is Changing Social Engineering Forever":

Quotes of the Week  
"There is a driving force more powerful than steam, electricity and nuclear power: the will."
- Albert Einstein - Physicist (1879 - 1955)

"The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge."
- Stephen Hawking - Physicist (1942 - 2018)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Microsoft: 'Volt Typhoon Targets U.S. Critical Infrastructure With Living-off-the-land Techniques'

The NSA, together with its U.S. and Five Eyes partner agencies, issued a press release on May 24, 2023, revealing the activities of a state-sponsored cyber actor from the People's Republic of China (PRC). This actor has been detected using "living off the land" techniques to target U.S. critical infrastructure sectors.

This strategy involves using built-in network tools to evade defenses and leave no trace of their activities.

The NSA, along with U.S. Cybersecurity and Infrastructure Security Agency (CISA), U.S. Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and United Kingdom National Cyber Security Centre (NCSC-UK), have collectively released a Cybersecurity Advisory (CSA) to assist network defenders in identifying and mitigating the malicious activities of this PRC bad actor.

CISA Director, Jen Easterly, highlighted that China has been conducting operations globally to steal intellectual property and sensitive data from critical infrastructure organizations. The advisory aims to give network defenders more insights into how to detect and mitigate such malicious activity.

The FBI echoed this sentiment, warning against China's intent to target critical infrastructure organizations and mask their detection. UK's NCSC Director of Operations, Paul Chichester, emphasized the importance of operators of critical national infrastructure taking action to prevent attackers from hiding on their systems.

The CSA provides hunting guidance, best practices, examples of the actor's commands, and detection signatures. It also includes a summary of indicators of compromise (IOCs), such as unique command-line strings, hashes, file paths, exploitation of certain vulnerabilities, and file names commonly used by this actor.

The PRC cyber actor is known to use tools already installed or built into a target's system as one of their primary tactics. This allows them to blend in with normal Windows systems and network activities, evade endpoint detection and response (EDR) products, and limit the amount of activity captured in default logging configurations. The NSA recommends network defenders apply the detection and hunting guidance in the CSA and monitor logs for certain events, among other measures.

More data at:

[NEW RELATED READING] Mastering Minds: China's Cognitive Warfare Ambitions Are Social Engineering At Scale:

New Top-Level .ZIP and .MOV Domains as Potential Phishing Risk

Google has recently introduced a set of new top-level domains: .dad, .esq, .prof, .phd, .nexus, .foo, .zip and .mov. They're now available for purchase, and it's the last two that are attracting attention due to the risk of abuse in phishing attacks.

WIRED describes why .zip and .mov have raised concerns. "The two stand out because they are also common file extension names. The former, .zip, is ubiquitous for data compression, while .mov is a video format developed by Apple. The concern, which is already starting to play out, is that URLs that look like file names will open up even more possibilities for digital scams like phishing that trick web users into clicking on malicious links that are masquerading as something legitimate."

There's another potential problem, the obverse of the first. "And the two domains could also expand the problem of programs mistakenly recognizing file names as URLs and automatically adding links to the file names. With this in mind, scammers could strategically buy .zip and .mov URLs that are also common file names—think,—so online references to a file with that name could automatically link to a malicious website."

Experts are divided as to whether the new domains represent a real increase in the risk of phishing. On the one hand, criminals have been observed purchasing and experimenting with domains that use the new extensions, so the risk isn't a purely theoretical one. On the other hand, as experienced (and jaded) observers note, users tend to be so careless with respect to URLs, and so easily gulled by malicious domains, that any increase in phishing activity associated with the news domains is likely to be lost in the noise.

Whatever proves to be the case, this is the sort of risk that new school security awareness training can help your people learn to recognize and avoid.

Blog post with links:

[CASE STUDY PDF] Listrak Uses PhishER To Save a Month of Work per Year

This PDF is a case study about how Listrak, a provider of a cross-channel marketing platform, uses the KnowBe4 PhishER platform to reduce phishing risk and save IT nearly a month of work annually. Here are the key points:

  • Listrak has a highly standardized security training and testing program using KnowBe4's training and phishing platform. They run annual user training for all employees and separate monthly training to keep employees aware of phishing threats. They also run monthly phishing tests for all employees.
  • They have seen their Phish-prone Percentage (PPP), or the likelihood that employees will click on a phishing email, remain low over the years due to effective training. Employees are particularly engaged with the content, especially with the episodic series "The Inside Man."
  • Listrak implemented PhishER, KnowBe4's lightweight security orchestration, automation, and response (SOAR) platform. This platform has saved the IT department significant time by automating the evaluation of suspicious emails.
  • Before PhishER, Listrak had to manually investigate around 70 suspicious emails per month. With PhishER, this number dropped to around 20, saving at least 12.5 hours of the IT department's time per month.
  • The case study concludes with strong recommendations for KnowBe4 from Listrak's Information Security Manager and IT Manager, who praise the platform for its efficiency, risk reduction and engaging training content.

Link to the PDF - no registration required:

What KnowBe4 Customers Say

"Hi Stuart, I am the Training Manager here. I work very closely with Ali, one of your Customer Success Managers. I have asked for your details as I wanted to provide some feedback on the support that Ali has provided to our company.

From day one he has gone above and beyond in offering advice and support when we have been using KnowBe4 and always makes time for conference calls when we need him.

Recently he has supported us in presenting in one of our Lunch & Learn training sessions where we took everyone through the dangers that phishing poses to an organization, which we have recently received great feedback from. Thank you."

- L.M., Training Manager

The 10 Interesting News Items This Week
  1. [PDF] Mapping The Ransomware Payment Ecosystem: A Comprehensive Visualization of the Process and Participants:

  2. Salon: "Why we need a "Manhattan Project" for A.I. safety":

  3. UBS Analysts See Fake AI Content Feeding Market Disruptions:

  4. Senators Introduce Bill to Create Digital and AI Oversight Agency:

  5. A real "Inside Man". IT employee impersonates ransomware gang to extort employer:

  6. Fresh Phish: ChatGPT Impersonation Fuels a Clever Phishing Scam:

  7. AI Indirect Prompt Attacks Are Very Similar To Jailbreaking:

  8. The Most Prolific Ransomware Families: 2023 Edition:

  9. Now this infographic is interesting, it's about Load Phishing:

  10. Did you know that loading a pretrained AI model can give bad actors a new attack vector?:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews