CyberheistNews Vol 14 #19 [EPIC FAIL] Phishing Failures: How Not to Phish Your Users

Cyberheist News

CyberheistNews Vol 14 #19  |   May 7th, 2024

[EPIC FAIL] Phishing Failures: How Not to Phish Your UsersStu Sjouwerman SACP

We asked our security awareness advocates Javvad Malik and Erich Kron to dive into the cautionary world of phishing simulations gone wrong. You know, those attempts to train users not to fall for phishing that somehow end up setting off more alarms than a Hawaiian missile alert system.

Let's explore why we need to phish our users, but more importantly, how not to phish them.

JM - First off, let's acknowledge the elephant in the room — or should I say, the 6.4 billion fake emails floating around every day trying to scam Aunt Edna out of her retirement savings. Yes, you read that right. With phishing being as popular as pineapple on pizza (controversial, I know), it's crucial we prepare our users to dodge these deceitful darts.

EK - Phishing and social engineering in general are becoming way more popular than ever for bad actors. Now we've got deepfakes and AI generated materials without the obligatory grammar and spelling errors we used to have, and much better translations. Given the popularity of the attack vector and the number of successful breaches caused by phishing, helping to educate people and giving them simulated phishing messages to practice on is a no brainer.

[CONTINUED] at the KnowBe4 blog. This is the Most Popular Blog post this week!:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, May 8, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how 65,000+ organizations have mobilized their end users as their human firewall.

Date/Time: TOMORROW, Wednesday, May 8, @ 2:00 PM (ET)

Save My Spot!

Navigating the Masquerade; Recognizing and Combating Impersonation Attacks

With all great power, there comes an equal potential for misuse. Among the sophisticated arsenal of threat actors, impersonation attacks have surged to the forefront, which questions our sense of trust.

Visual technologies, like the new audio-to-visual example of portrait video generation, showcase the stunning potential for creating lifelike animated portraits from a single photo.

However, if creating a speaking, emotive virtual persona is this accessible, how do we distinguish reality from deception? This question is at the crux of today's cyber defense strategies.

Recognizing and Reporting Impersonation

Impersonation attacks come cloaked in numerous guises, each more convincing than the last. From emails and social media messages to voice and video interactions, the impersonator's game is one of psychological manipulation, seeking to exploit trust to gain unauthorized access, disseminate misinformation or commit fraud.

Awareness and education are essential in building a robust defense. Just as you would study a magician's sleight of hand to grasp his tricks, learning the telltale signs of impersonation bolsters your ability to spot them:

  • Inconsistencies in Communication: Watch for atypical language, unusual requests, or deviations from established communication patterns.
  • Urgent or Unverified Requests: Be skeptical of urgent demands, especially those involving money or sensitive information.
  • Mismatched or Manipulated Audio/Visual Elements: If using audio-visual media, look for synchronization issues between audio and visuals, unnatural facial movements or vague backgrounds that might indicate manipulation.

Reporting is equally crucial; if you detect signs of impersonation, your organization must act immediately. Encourage a culture where your users can report any suspicious activity.

The Menagerie of Impersonation Attacks

Let's explore the common masks worn by cyber tricksters:

  • Email Impersonation: Often called "phishing," these attacks mimic legitimate correspondence, with attackers posing as reputable entities to extract personal data or credentials.
  • Social Media Deception: Attackers adopt fake profiles or hijack existing ones to manipulate, extort information or spread malware.
  • Voice and Video Impersonation: Advanced algorithms now enable convincingly fake audio and video calls that can dupe individuals into taking detrimental actions.

[CONTINUED] Blog post with links, and learn more in the webinar below:

Reality Hijacked: Deepfakes, GenAI and the Emergent Threat of Synthetic Media

"Reality Hijacked" isn't just a title — it's a wake-up call. The advent and acceleration of GenAI is redefining our relationship with "reality" and challenging our grip on the truth. Our world is under attack by synthetic media.

We've entered a new era of ease for digital deceptions: from scams to virtual kidnappings to mind-bending mass disinformation. Experience the unnerving power of AI that blurs the lines between truth and fiction.

Join us for this webinar where Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, cuts through the noise, spotlighting how these digital illusions are easily weaponized.

Get ready for a demo-driven journey — a no-holds-barred look at AI's dark artistry. See the unseen. Hear the unheard. Question everything.

  • Crack the code: Learn how GenAI and deepfakes tick
  • Engage with the possible: See how easy it is to use consumer-grade tools to create weapons-grade deceptions
  • See the future: Grasp the real risk to you, society and trust itself
  • Fight back with knowledge: Arm yourself with the latest detection and understand why security awareness training can help build your organization's defenses

This is your reality check. Can you trust what you see and hear? Join us and find out, and earn CPE credit for attending!

Date/Time: Wednesday, May 15 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:

[BUDGET AMMO] Russians Team Up With Young, English-Speaking Hackers For Cyberattacks

There is a new ultimate-budget-ammo 60 Minutes segment that is a great primer on what the cybersecurity community knows all too well—that good old-fashioned social engineering (a hustle or a con, like some of the stunts Sinatra and the gang pulled in the original Ocean's 11) remains the main point of entry for most large-scale ransomware hacks.

Can someone say the Podesta emails (a fake password change email from the IT department)? Or Stuxnet (which came down to, in the end, someone unwittingly walked into the Iranian nuclear facility with a USB drive with malware on it).

We have been on the social engineering beat (aka Human Risk Management) for 13 years now and help you to mitigate its threat vectors and vulnerabilities.

View the 13-minute segment on YouTube and forward to your budget decision makers:

Identify Weak User Passwords in Your Organization With the Newly Enhanced Weak Password Test

Cybercriminals never stop looking for ways to hack into your network, but if your users' passwords can be guessed, they've made the bad actors' jobs that much easier.

The new 2024 Verizon's Data Breach Investigations Report showed that Basic Web Application Attacks are caused by using stolen credentials (77%), or brute force (usually easily guessable passwords) (21%).

The Weak Password Test (WPT) is a free tool to help IT administrators know which users have passwords that are easily guessed or susceptible to brute force attacks, allowing them to take action toward protecting their organization.

Weak Password Test checks the Active Directory for several types of weak password-related threats and generates a report of users with weak passwords.

Here's how Weak Password Test works:

  • Connects to Active Directory to retrieve password table
  • Tests against 10 types of weak password related threats
  • Displays which users failed and why
  • Does not display or store the actual passwords
  • Just download, install and run. Results in a few minutes!

Don't let weak passwords be the downfall of your network security. Take advantage of KnowBe4's Weak Password Test and gain invaluable insights into the strength of your password protocols.

Download Now:

KnowBe4 to Acquire Egress

We're excited to announce the addition of Egress' cloud email security solution to KnowBe4's product suite. It will create the largest, advanced AI-driven cybersecurity platform for managing human risk.

Egress' Intelligent Email Security suite provides a set of scaled, AI-enabled security tools with adaptive learning capabilities to help prevent, protect and defend organizations against sophisticated email cybersecurity threats.

By acquiring Egress, KnowBe4 plans to deliver a single platform that aggregates threat intelligence dynamically, offering AI-based email security and training that is automatically tailored relative to risk.

The future of security is personalized AI-driven controls and real-time coaching. By providing a single platform from KnowBe4 and Egress, our customers will benefit from differentiated aggregate threat detection to stay ahead of evolving cyber threats and foster a strong security culture.

As integration partners for over a year with strong philosophical and cultural alignment, this acquisition is a natural progression for both companies to take human risk management and cloud email security to the next level.

"KnowBe4 and Egress have a shared vision of delivering tailored and relevant security to each employee," said Tony Pepper, CEO, Egress. "One of the biggest challenges organizations face is accurately identifying who the next source of compromise is — and why. By combining intelligence and analytics from integrated applications, companies can gain valuable insights across their entire cyber ecosystem, allowing them to focus on the risks that matter most."

KnowBe4 press release:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] Cybersecurity Lessons Businesses Can Learn From The Russia-Ukraine War:

PPS: KnowBe4's very own Perry Carpenter and Jessica Barker MBE PhD are delighted to launch Awareness to Action - A Mastermind for Human-Centric Cybersecurity Leaders:

Quotes of the Week  
"The spirit is the true self. The spirit, the will to win, and the will to excel are the things that endure."
- Marcus Tullius Cicero - Roman Statesman (106 BC- 43 BC)

"Success is not final, failure is not fatal: It is the courage to continue that counts."
- Sir Winston Churchill - British Prime Minister (1874-1965)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

New Verizon DBIR: The Percentage of Users Clicking Phishing Emails is Still Rising

The long-awaited annual Verizon Data Breach Investigations Report is out, and it's made very clear that users continue to be a problem in phishing attacks. I've said it before, if you only read one report each year, the Verizon Data Breach Investigations Report is one you shouldn't miss.

And this year's report starts off with a topic close to our hearts here at KnowBe4: users engaging with phishing emails and clicking links.

First the good news: according to Verizon, the rate at which users are reporting phishing emails is increasing, regardless of whether a potentially malicious link was clicked or not:

Additionally, the chart shows that nearly double the percentage of users report emails that did not click a malicious link (20%) versus those that did click the link (11%).

Now the bad news: of those that did not click the link, 80% of them did not report it. Those that did click the link, 89% of them did not report it!

The median time a user takes to click a phishing link is only 21 seconds — that's 21 seconds to comprehend the content of the email, scrutinize it to determine its validity, and then to click the link. Add to that Verizon's findings that the median amount of time a user enters data in a credential, credit card, or account harvesting scam is another 28 seconds.

This means it takes less than a minute for users to fall for a phishing scam.

Blog post with links and graphs:

FBI Warns of Verification Scams Targeting Dating Site Users

The U.S. Federal Bureau of Investigation (FBI) has issued an advisory warning of a scam campaign targeting users of online dating platforms. The scammers are attempting to trick users into signing up for fraudulent monthly subscriptions in order to be verified as a real person. "Fraudsters meet victims on a dating website or app," the FBI explains.

"Fraudsters express an interest in establishing a relationship and quickly move the conversation off the dating app or website to an encrypted platform. Under the guise of safety, the fraudster provides a link that directs the victim to a website advertising a 'free' verification process to protect against establishing a relationship with predators, such as sex offenders or serial killers. The website displays fake articles alluding to the legitimacy of the website."

The Bureau continues, "The verification website prompts the victim to provide information such as their name, phone number, email address, and credit card number to complete the process. Once the victim submits the information, they are unwittingly redirected to a private, low-quality dating site charging costly monthly subscription fees. Eventually, the victim's monthly credit card statement displays a charge to an unknown business."

The FBI offers the following advice to help users avoid falling for these scams:

  • "Avoid clicking on links, downloading files, or opening attachments from someone you only met online. Only open attachments from known senders and scan all attachments for viruses, if possible
  • Avoid moving the conversation from a reputable dating site's messaging service, since many of these offer some safety features
  • Report suspicious user profiles to the dating site administrator and cease all contact with suspicious users
  • Be cautious of someone you only met online professing their love quickly, expressing a need for help, and/or enticing you with provocative pictures and text topics. Fraudsters use social behavior to deceive you and separate you from your hard-earned money"

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

What KnowBe4 Customers Say

"Hi Stu, I wanted to reach out to feedback and express my appreciation for the brilliant work of Ali L., who is the Customer Success Manager for our org. Their dedication and expertise have been brilliant in understanding how we can achieve with our SETA strategy [Security Education, Training, and Awareness] using the KB4 platform.

Their efforts have not only streamlined a newly designed SETA strategy but also recommended further exercises to supplement the basic training such as tailored training, phishing simulations complemented by remedial training – not to mention how self-sustaining he has made it by way of automation which has made security training much easier to manage and track.

This message is also a positive reflection on the rest of the team over at KnowBe4.

- L.T., Information Security Analyst

"Hi Stu, this is an appreciation note for Zoya S. who used to be our Account Manager from KnowBe4. I have just learned that Zoya moved on to a new role and I wanted to wish her all the best.

I also wanted to express my sincere gratitude for Zoya's guidance over the past few years. Zoya has always made herself available, even on very short notice, and was always happy to assist with any issue, no matter how big or small. Her dedication was truly inspiring. Zoya, thank you for being an exceptional support."

- C.K. Compliance Project Manager

And to end off, here is a TrustRadius Compliance Plus Mid-Sized Utilities Customer Story. "Compliance Plus will help keep you and your employees out of hot water" [PDF]

The 10 Interesting News Items This Week
  1. For the first time ever, ransomware payments surpassed $1 billion in 2023:

  2. Change Healthcare hackers gained access via stolen credentials and a lack of MFA:

  3. Most people still rely on memory or pen and paper for password management:

  4. Standard Chartered CEO on why cybersecurity has become a 'disproportionately huge topic' at board meetings:

  5. Millions of Docker repos found pushing malware, phishing sites:

  6. Unearthing APT44: Russia's Notorious Cyber Sabotage Unit Sandworm:

  7. Federal agencies need to rethink culture in the fight against ransomware:

  8. CISA unveils guidelines for AI and critical infrastructure:

  9. Muddling Meerkat uses China's Great Firewall to manipulate DNS queries:

  10. REvil hacker behind Kaseya ransomware attack gets 13 years in prison:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews