CyberheistNews Vol 14 #22 [HEADS UP] A Whopping 90% of Attacks Involve Social Engineering

CyberheistNews Vol 14 #22  |   May 29th, 2024

[HEADS UP] A Whopping 90% of Attacks Involve Social Engineering
Stu Sjouwerman SACP

Analysis of over 3.5 billion cyber attacks provides insight into where threat actors are placing their efforts and where you should focus your cyber defenses.

It's said you can predict the outcome of the presidential election with a small number of votes. That's the power of statistics and a valid sample size.

So, when you have 3.5 billion cyber attacks as your sample data, it's a very accurate reflection of the state of attacks. This is the case in Avast's recently released Q1/2024 Threat Report. Here is an overview of what organizations should be most concerned about:

  • Scams and phishing dominate all attacks involving malware
  • Social engineering attacks dominated as 90% of mobile attacks and 87% of desktop attacks leveraged some form of social engineering (likely why we see the preponderance of scams and phishing in the chart on the blog)

The data here alone speaks volumes. To summarize, most of the attacks your organization will face:

  • Reside either on the web or from within email
  • Contain social engineering elements to fool your users
  • Have the intent of either scamming your users or phishing them for credentials, remote access, the installation of malware or to commit digital fraud

The proper response here is to first shore up security controls around email and the web — finding solutions that proactively protect the organization from malicious content. Second, it's time to leverage the individuals interacting with these social engineering attacks, arming them with security awareness training designed to reduce the risk of user engagement and increase the level of your organization's security culture.

Blog post with links and [INFOGRAPHIC]:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, June 5, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how 65,000+ organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, June 5, @ 2:00 PM (ET)

Save My Spot!

I Am Excited to Announce the KnowBe4 Student Edition

I am excited to announce that KnowBe4 Student Edition officially launched last week. It's security awareness training curated to help students 16 years and up recognize and navigate cybersecurity threats in and out of the classroom.

This training provides crucial knowledge to students and academic institutions, forming a strong human firewall as the last line of defense against cyber attacks.

KnowBe4's Student Edition aims to:

  • Ingrain cybersecurity vigilance into students' daily internet usage and practices
  • Mitigate human risk in schools by empowering students with cybersecurity knowledge
  • Prepare students for the workforce by enabling a strong security culture

Here's how KnowBe4's Student Edition helps:

  • Cyber Vigilance as Second Nature: the content will help students adopt a cybersecurity-first mindset, making safe online behavior a habitual part of their digital interactions
  • Empowered Student Body: Interactive, relatable courses are uniquely formulated to resonate with students
  • Career Preparation: By building a solid foundation of cybersecurity know-how, students are not merely securing their academic lives but also gaining invaluable readiness for the professional world

Special Student Pricing: This special offering adds exceptional value to your existing KnowBe4 subscription, helping you invest in your students' cybersecurity proficiency.

Blog post with links:

Re-check Your Email Attack Surface Now

Cybercriminals are actively exploiting exposed user data to initiate sophisticated attacks against organizations, including yours. If your employees' email addresses have potentially fallen into the hands of adversaries, the threat of a targeted breach becomes immediate, and every second counts.

It's time to re-check your email attack surface.

Discover your current email attack surface now with KnowBe4's Email Exposure Check Pro (EEC Pro). EEC Pro identifies your at-risk users by crawling business social media information and thousands of breach databases.

EEC Pro helps you find your users' compromised accounts that have been exposed in the most recent data breaches — fast.

Get your EEC Pro Report in less than five minutes. It's often an eye-opening discovery. You are probably not going to like the results...

Get Your Free Report:

The Shadow War: Cognitive Warfare and the Politics of Disinformation

For better or for worse, we live in a world that is an anarchy of nations.

Over the last few decades, warfare has transcended traditional battlefields. We may already be experiencing a cold World War III, not with bombs and tanks, but through the covert methods of cognitive warfare and disinformation campaigns. IT professionals find themselves literally in the trenches of this war.

The Silent Battlefield

Global conflicts are now often fought in the digital realm. Bad actors supported by nation states use advanced strategies to manipulate public perception and political outcomes. This "shadow war" involves cyber operations, disinformation, and cognitive warfare to undermine adversaries without direct confrontation.

China's Cognitive Warfare Tactics

Modern cognitive warfare leverages advancements in artificial intelligence (AI) allowing deepfake attacks. Taking a page out of Russia's playbook, China's People's Liberation Army (PLA) has integrated information and psychological operations into its military doctrine, focusing on dominating the cognitive domain. By exploiting social media and other digital platforms, China seeks to control narratives and influence public opinion, often through disinformation campaigns.

Implications for IT Security

IT professionals must be aware of these tactics, as they represent significant cybersecurity threats. For example, a country like the Philippines, which combines extensive social media use with lower digital literacy, is particularly vulnerable.

Effective countermeasures on a country-wide scale would include strategic communication, enhanced cybersecurity, data privacy and promoting digital literacy.

The Politics of Disinformation

It is a thin, sharp line to walk, because the battle against disinformation — which is nothing but social engineering on a grand scale — can sometimes blur into political censorship. Efforts to combat fake news might risk infringing on free speech. This raises the issue of balancing national security and civil liberties. We do not claim to have answers here, but we do need to enlighten our stakeholders.

A Call to Action for IT Professionals

As this shadow war escalates, IT security experts together with their C-level execs and HR must develop robust strategies to address both technological and psychological threats. Building resilience against cognitive warfare and disinformation requires collaboration on a company, industry and national level. It starts with a concerted effort to build an organization with a strong security culture.

The future battlefields are both on earth and in space, digital and ideological, and shaped by invisible forces. IT professionals play a crucial security role in defending against these threats, often fighting a war they did not sign up for.

Blog post with links:

Here is how KnowBe4 prevents phishing through advanced training and AI. Here's the complete video interview, part of SiliconANGLE's and theCUBE Research's coverage of the RSA Conference:

[New Product] Secure the Digital Future by Preparing Your Students to Act Against Cyber Threats

We're thrilled to announce security training content designed specifically for students to help keep them secure in an evolving digital world.

Introducing the KnowBe4 Student Edition, security awareness training specifically curated to help students recognize and navigate cybersecurity threats in and out of the classroom. This training provides crucial knowledge to students and academic institutions, forming a strong human firewall as the last line of defense against cyber attacks.

Read full article:

Stark Industries Solutions: An Iron Russian Hammer in the Cloud

Krebs on Security wrote: "Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe.

"An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia."

Scary reading. Another in-depth, excellent report by intrepid reporter Brian Krebs:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] Yours Truly in Inc Mag. "Vishing Meets AI: The Changing Nature of Phishing Threats - Are your employees prepared for deepfake phone attacks?":

PPS: HR and IT related phishing scams still most popular according to KnowBe4's latest Phishing Report:

Quotes of the Week  
"There are two ways to be fooled. One is to believe what isn't true; the other is to refuse to believe what is true."
- Soren Kierkegaard, Danish philosopher. (1813 - 1855)

"It's easier to fool people than to convince them that they have been fooled."
- Mark Twain, Author. (1835-1910)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

UK Cybersecurity Org Offers Advice for Thwarting BEC Attacks

The UK's National Cyber Security Centre (NCSC) has issued guidance to help medium-sized organizations defend themselves against business email compromise (BEC) attacks, especially those targeting senior staff members.

The NCSC says employees should be cautious about the type of personal info they post on the internet, since criminals can use this knowledge to make their attacks more convincing.

"If there is information about senior staff on work and private websites, including social media accounts and networking sites, criminals can use this to make their phishing emails appear more convincing," the advisory says.

"This information, freely available on the internet, is known as a 'digital footprint'. Without this information, the phishing emails used to conduct BEC should be easier to spot as fraudulent. All staff, but especially senior executives who have access to valuable assets or information, should review their privacy settings on their social media accounts, and think about what they post in order to reduce their digital footprint."

The NCSC stresses that BEC attacks are more targeted than most phishing emails and are more likely to bypass technical security measures.

"Since BEC emails are normally sent in low volume, standard email filters (designed to identify 'scam emails') may struggle to detect them, especially if they come from a legitimate email account that has already been hacked," the advisory says.

"Alternatively, a BEC email may have been sent from a 'spoofed' domain, designed to trick users into believing that they are dealing with a legitimate organisation. Some BEC emails may contain viruses disguised as invoices, which are activated when opened."

The NCSC says users should be on the lookout for the following red flags associated with BEC attacks:

  • "Think about your usual working practices around financial transactions. If you get an email from an organisation you don't do business with, treat it with suspicion
  • Look out for emails that appear to come from a senior person within your organisation, requesting a payment to a particular account. Look at the sender's name and email address. Does it sound legitimate, or is it trying to mimic someone you know
  • Does the email contain a veiled threat that asks you to act urgently? Be suspicious of phrases like 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately.'"

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

Vishing Attacks Are on the Rise

The Anti-Phishing Working Group (APWG) has released its latest Phishing Activity Trends Report, finding that phone-based phishing (vishing) surged in the first quarter of 2024.

"APWG founding member OpSec Security found that the number of phone numbers used to perpetrate fraudulent activities has exploded over the last three years," the report states. "Phone numbers used for fraud represented more than 20 percent of all fraud-related assets that OpSec identified in Q1 2024.

"OpSec tallies fraud assets including fraudulent URLs (such as phishing URLs), phone numbers used in frauds, and email accounts used to perpetrate frauds (including those used for BEC attacks, job advertisement frauds, etc.)."

The report says many of these scams begin with an email containing a receipt for a phony purchase. The emails contain a phone number for the victim to call in order to dispute the charge.

"The most common form of phone-based phishing OpSec has observed is known as hybrid phishing," the report states. "The typical scam involves sending the victim a fake purchase receipt via email, commonly for a few hundred U.S. dollars, which requests that the recipient call a support phone number within a limited amount of time to dispute the charge.

"This 'urgent call to action' is a common social engineering tactic. Once on the phone with the victim, the scammer collects the victim's personal and financial information, or persuades the victim to send money or gift cards to the scammer."

Matthew Harris, Senior Product Manager, Fraud at OpSec, explains that as email filtering technology improves, criminals are increasingly turning to phone calls to conduct social engineering attacks.

Harris stated, "Contrast this with phone calls, which go directly to a user with very little filtering. And with phone scams, the victim only sees an easily spoofable telephone number or caller name. Finally, phone calls are more engaging.

A live person is calling the victim, interacting with them, and has a chance to gain the victim's trust—or has a chance to alarm and confuse the victim and trick them."
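The hybrid-phishing lure described above has a recognisable shape in the email stage, which is the part that still passes through a filter: a receipt for a few hundred dollars, a callback number, and a deadline to dispute the charge. As an added example that is not from the APWG report or from KnowBe4, the scorer below flags a message only when several of those features co-occur, so a genuine receipt that merely lists a support number is not flagged; the sample emails are constructed, and the regexes and threshold are assumptions.

```python
import re

# Constructed sample messages (not taken from the APWG report): two hybrid
# phishing lures and two legitimate receipts, so the scorer can be exercised
# offline and its false-positive behaviour checked.
SAMPLE_EMAILS = {
    "lure_1": (
        "Thank you for your purchase. Your order #88213 for $389.99 "
        "has been processed. If you did not authorize this charge, call "
        "our support line at 1-888-555-0142 within 24 hours to dispute it."
    ),
    "lure_2": (
        "Invoice attached: USD 499.00 billed to your account. To cancel, "
        "contact billing immediately at (800) 555-0199 before end of day."
    ),
    "legit_receipt": (
        "Your subscription renewal of $12.00 was successful. Questions? "
        "Reply to this email or visit the help center."
    ),
    # A real receipt may carry an amount and a support number; with no
    # dispute wording and no deadline it must stay below the threshold.
    "legit_with_phone": (
        "Your order of $249.00 shipped. For delivery questions call "
        "1-800-555-0123 during business hours."
    ),
}

# One regex per feature of the lure as the report describes it. Each feature
# alone is weak evidence; the score counts how many co-occur in one message.
FEATURES = {
    "phone_number": re.compile(
        r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}"),
    # "a few hundred U.S. dollars": $ or USD followed by a 3-digit amount
    "amount_100_to_999": re.compile(r"(?:\$|USD\s?)([1-9]\d{2})(?:\.\d{2})?\b"),
    "dispute_or_cancel": re.compile(
        r"\b(dispute|cancel|unauthori[sz]ed|did not authori[sz]e)\b", re.I),
    # "within a limited amount of time": the urgent call to action
    "deadline": re.compile(
        r"\b(within \d+ hours?|immediately|before end of day|today only)\b", re.I),
}


def hybrid_phish_features(body: str) -> set[str]:
    """Return the names of the lure features present in an email body."""
    return {name for name, rx in FEATURES.items() if rx.search(body)}


def hybrid_phish_score(body: str) -> int:
    """Number of independent lure features found (0 to 4)."""
    return len(hybrid_phish_features(body))


def is_likely_hybrid_phish(body: str, threshold: int = 3) -> bool:
    """Flag only when at least `threshold` features co-occur (assumed value)."""
    return hybrid_phish_score(body) >= threshold


if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        print(f"{name}: score={hybrid_phish_score(body)} "
              f"features={sorted(hybrid_phish_features(body))}")
```

The threshold is the tuning knob: a single feature such as a phone number appears in plenty of legitimate mail, so a rule like this belongs in a mail filter as a scored indicator alongside sender-reputation checks, not as a hard block.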

You can train your employees with KnowBe4's Callback Phishing tests.

Callback Phishing templates in KnowBe4 are available in over 34 languages. You can customize these templates to fit the language preferences of your users.

For detailed info on creating and editing Callback Phishing templates, here are some resources:
Video Tutorial:

KB Article on Creating and Editing Callback Phishing Templates:

The APWG has the story:

What KnowBe4 Customers Say

"Greetings, Stu! Thank you for reaching out to us. I am really enjoying working with KB4. I am very glad that we chose to partner with you on educating our users. Personally, I have to say, I also really enjoy the articles & posts you share via email and social media. I'm a huge advocate of information sharing, especially on LinkedIn.

I firmly believe in the age-old method of applying the "Rule of 7." Social media is the perfect playground for it. Apologies for the lengthy email but I wanted to take this opportunity. A few things that I am loving about KB4:

  • PhishER (with PhishRip) is beautiful, and we are loving it!
  • Love being able to really drill down into the weeds of simulations & trainings. Many of KB4's competitors don't offer the same granularity, or if they do, it's not very affordable or user friendly.
  • Some of the videos are really entertaining and our users seem to be responding well.

We look forward to growing with KB4. Stay vigilant!"

- P.M., Information Security | Risk & Awareness Advisor

The 10 Interesting News Items This Week
  1. Russia-Linked CopyCop Uses LLMs to Weaponize Influence Content at Scale:

  2. RSAC 2024 reveals the impact AI is having on strengthening cybersecurity infrastructure:

  3. CISA to tap cyber policy veteran Jeff Greene for top role:

  4. Family offices become prime targets for cyber hacks and ransomware:

  5. Chinese hackers hide on military and govt networks for 6 years:

  6. Majority of Humans Fooled by GPT-4 in Turing Test, Scientists Find:

  7. Here's what's really going on inside an LLM's neural network:

  8. Microsoft spots gift card thieves using cyber-espionage tactics:

  9. The UK will propose mandatory reporting and licensing for ransomware attacks and payments:

  10. Georgia resident gets ten years in prison for role in BEC attacks:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
