CyberheistNews Vol 14 #24 [NEW 2024 RESEARCH] Reveals that 34% of Green Users Will Fail a Phishing Test

Cyberheist News

CyberheistNews Vol 14 #24  |   June 11th, 2024

[NEW 2024 RESEARCH] Reveals that 34% of Green Users Will Fail a Phishing TestStu Sjouwerman SACP

KnowBe4 has released the seventh annual Phishing by Industry Benchmark Report. The report analyzes Phish-prone™ Percentage (PPP) across millions of individual users pulled from anonymized KnowBe4 customer data. The report underscores the vital importance of organizations investing in their workforce to reinforce overall defensive capabilities, support a robust security culture and move the needle favorably on human risk management.

This year's inclusion dataset spanned 19 industries and comprised over 11.9 million users across 57,000 organizations with over 54.1 million simulated phishing security tests. It also provides a thorough analysis across seven geographical regions: Africa, Asia, Australia/New Zealand, Europe, North America, South America and the United Kingdom/Ireland.

Here's what we found:

  • For 2024, the overall PPP baseline average across all industries and size organizations was 34.3%, meaning just more than a third of an organization's employee base could be at risk of clicking on a phishing email prior to receiving training.
  • However, only 18.9% of those same users will fail within 90 days of completing their first KnowBe4 training.
  • After at least a year on the KnowBe4 platform, only 4.6% of those users will fail a phishing test.
  • Organizations improved their susceptibility to phishing attacks by an average of 86% (+4 points over prior) in one year by following our recommended approach.

Here is the extensive new report. Find out how you are doing compared to your peers of similar size.

[INFOGRAPHIC] Blog post with links and charts:

Everything You Can Do to Fight Social Engineering and Phishing

Social engineering and phishing are not just IT buzzwords; they are potent threats capable of devastating damage to your organization.

How can you safeguard your assets and data and shore up your defenses against these risks?

Join us for this new webinar hosted by Roger A. Grimes, author of the new book, "Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing." He will speak to these growing threats and share a blueprint for fending them off.

By attending this webinar, you will:

  • Learn methods to help your users avert social engineering scams
  • Discover the latest tools and strategies to protect your data and avoid future breaches
  • Understand how to implement technology and security policies to safeguard your organization
  • Foster an enduring and integrated strong security culture
  • Enter for a chance to win a signed copy of Roger's book "Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing"*

Join us in this insightful webinar and learn how to defeat hackers and malware by deploying a great defense-in-depth strategy. Plus, you'll earn CPE for attending!

Date/Time: TOMORROW, Wednesday, June 12 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterward.

Save My Spot:

*Terms and conditions apply.

Best Buy/Geek Squad Impersonation Scams Surged in 2023

The U.S. Federal Trade Commission (FTC) has found that Best Buy, and its tech support subsidiary Geek Squad, were the most commonly impersonated brands by scammers in 2023.

The FTC received 52,000 reports about scammers impersonating these brands last year. Amazon and PayPal were the third and fourth most impersonated brands, respectively.

The FTC also found that consumers lost the most money to scams impersonating Microsoft and Publishers Clearing House, with $60 million lost to Microsoft impersonation scams and $49 million to Publishers Clearing House impersonation scams.

"The scammers impersonating these businesses work in very different ways," the FTC said in a report. "For example, phony Geek Squad emails tell you that a computer service you never signed up for is about to renew – to the tune of several hundred dollars."

"Microsoft impersonation scams start with a fake security pop-up warning on your computer with a number to call for 'help.' And calls from the fake Publishers Clearing House say you'll have to pay fees to collect your (fake) sweepstakes winnings."

The FTC offers the following advice to help people avoid falling for these scams:

  • Stop and check it out. Before you do anything else, talk with someone you trust. Anyone who's rushing you into sending money, buying gift cards, or investing in cryptocurrency is almost certainly a scammer
  • Never click on links or respond to unexpected messages, and never trust caller ID. If you think a story might be legit, contact the company or agency using a phone number or website you know is real
  • Don't pay anyone who demands that you pay by gift card, cryptocurrency, money transfer, or payment app. Only scammers say there's only one way to pay

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

Rip Malicious Emails With KnowBe4's PhishER Plus

Rip malicious emails out of your users' mailbox with KnowBe4's PhishER Plus! It's time to supercharge your phishing defenses using these two powerful features:

1) Automatically blocking malicious emails that your filters miss
2) Being able to RIP malicious emails before your users click on them

With PhishER Plus you can:

  • NEW! Detect and respond to threats faster with real-time web reputation intelligence with PhishER Plus Threat Intel, powered by Webroot!
  • Use crowdsourced intelligence from more than 13 million users to block known threats before you're even aware of them
  • Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
  • Automate message prioritization by rules you set and cut through your Incident Response inbox noise to respond to the most dangerous threats quickly

Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.

Date/Time: Wednesday, June 19, @ 2:00 PM (ET)

Save My Spot:

Social Engineering Scams Can Come in the Mail, Too

Social engineering scams can come through any communications channel (e.g., email, web, social media, SMS, phone call, etc.). They can even come in the mail as the Nextdoor site warns. They can even come in person and on the television.

In this case, someone is receiving a fake "refund" check supposedly from American Express. Although unstated, I am sure the "Chase Bank" letter strongly states the person should deposit the refund check into their bank account and then send some portion of it to someone else for some made-up reason (e.g., taxes, etc.). For example, the refund check totals $10,000, and they are instructed to send $1,500 for taxes.

Most people do not know that their bank will readily accept realistic-looking fake checks (that anyone can easily create) and give them the money or transfer it to some other account. But within a few days, the bank will finally verify that the check is fake and the depositor will be on the hook for the full amount of the check. It is sad that in today's electronic world, a check cannot be verified in seconds before it is deposited into someone's account and their account balance is updated.

Fake check scams have been going on for as long as we have had checks. The famous "Catch Me If You Can" Frank Abagnale was forging checks in 1965, and he did not invent the crime. Early "Nigerian scams" were first spotted in the late 1800s. The Internet just made all scams a lot easier to perform and scale.

Blog post with links:

[New Report] Here Are Your Updated 2024 Phishing By Industry Benchmark Results

With phishing on the rise, your employee's mindset and actions are critical to maintaining a strong security culture in your organization.

You need to know what happens when your employees receive phishing emails: are they likely to click the link? Get tricked into giving away their credentials or download malware? Or will they report the suspected phish and play an active role in your human defense layer?

Perhaps more importantly, do you know how effective new-school security awareness training is as a mission-critical layer in your security stack?

Find out with the 2024 Phishing By Industry Benchmarking Report, which analyzed a data set of 11.9 million users across 55,675 organizations with over 54.1 million simulated phishing security tests.

In this unique report, research from KnowBe4 highlights employee Phish-prone™ Percentages by industry, revealing the likelihood that users are susceptible to phishing or social engineering attacks. Taking it a step further, the research also reveals radical drops in careless clicking after 90 days and 12 months of new-school security awareness training.

Do you know how your organization compares to your peers of similar size?

Download this new whitepaper to find out!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Compliance Plus Fresh Content Updates from May 2024:

PPS: PhishER now has integrated Threat Intel. The deets at the KB!

Quotes of the Week  
"It takes something more than intelligence to act intelligently."
- Fyodor Dostoyevsky. Author of Crime and Punishment. (1821 - 1881)

"You must be the change you want to see in the world."
- Mahatma Gandhi - Leader (1869 - 1948)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Russia's Military Intelligence Service Launches Spear Phishing Attacks in Europe

Researchers at Recorded Future warn that BlueDelta, a threat actor tied to Russia's GRU, is launching spear phishing attacks against European defense and transportation entities. The threat actor is abusing legitimate services to avoid detection, and some of its phishing pages can bypass multifactor authentication.

"BlueDelta's tactics, which primarily involve credential capture for initial access, are engineered to mimic regular network traffic, making detection difficult," the researchers write. "Some of BlueDelta's credential harvesting pages can bypass two-factor authentication by relaying requests between legitimate services and compromised Ubiquiti routers, increasing their effectiveness.

"The abuse of LIS, such as GitHub, to host redirection scripts also complicates the identification of malicious activity. Throughout these campaigns, BlueDelta has continuously refined its operations, demonstrating notable sophistication and adaptability."

The threat actor has targeted the defense sector in Ukraine and railway infrastructure across Europe, as well as a think tank based in Azerbaijan.

"Successfully infiltrating networks associated with Ukraine's Ministry of Defence and European railway systems could allow BlueDelta to gather intelligence that potentially shapes battlefield tactics and broader military strategies," the researchers explain.

"Moreover, BlueDelta's interest in the Azerbaijan Center for Economic and Social Development suggests an agenda to understand and possibly influence regional policies." Recorded Future says organizations should implement a defense-in-depth strategy that includes security training in order to thwart these attacks.

"For orgs within government, military, defense, and related sectors, the rise of BlueDelta's activities is a call to bolster cybersecurity measures: prioritizing the detection of sophisticated phishing attempts, restricting access to non-essential internet services, and enhancing surveillance of critical network infrastructure," the researchers write.

"Continuous cybersecurity training to recognize and respond to advanced threats is essential to defend against such state-level adversaries."

Recorded Future has the story:

Email Compromise Continues to Dominate as Top Threat Incident Type as Tactics Evolve

As email compromise attacks increase, analysis of tactics provides context on how organizations need to evolve their defenses. Kroll's Q1 2024 Cyber Threat Landscape Report covers the analysis of a wide range of threats and data covering the last three quarters shows how email compromise has been consistently growing:

What's more interesting is the commentary by Kroll, where they mention that "while phishing was typically synonymous with an email message, actors continued to evolve tactics and introduce others, such as SMS lures and voice phishing, which seem to be rising in popularity."

We've seen corroborating data around the rise of vishing and smishing, giving credence to the Kroll data's view of the current state of threats.

This shift in email compromise tactics signals that threat actors are evaluating what is and isn't working, and making changes to their methods to increase the likelihood of a successful compromise.

But the one thing attackers require to compromise email is a user who is not paying attention and willingly gives up their credentials. It's why security awareness training shines as the mitigating control that will teach users to be watchful for any kind of attack intent on stealing credentials.

Tactics will continue to evolve, so it's imperative that organizations put the right controls in place that will continually thwart threat actor efforts.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links and graphics:

What KnowBe4 Customers Say

"Hi Stu, I just re-read this and saw that it wasn't an automated mail. Thank you for checking. Yes, we are very pleased with KnowBe4. We have thoroughly integrated training and phishing detection into our company culture. This is due to the depth and variety of your training options, but I want to point out the primary factor in our success: our customer success manager, Regan C.

Without her help, KnowBe4 could be another service that we add but never fully utilize. Regan is knowledgeable, consistent, and proactive and has made all the difference for us. KnowBe4 is an indispensable component of our security strategy."

"Hi Stu, Thanks for the check-in. Yes, I'm a happy camper. This is the third company in which I've introduced and rolled out KnowBe4, but first time using PhishER. I continue to appreciate the core KnowBe4 product, but PhishER has been extremely valuable. Thank you to you and the KnowBe4 team. Keep up the great work."

- T.D., Chief Information Security Officer

The 10 Interesting News Items This Week
  1. The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever:

  2. Urgent O-type blood donors needed after London ransomware attack:

  3. WSJ: 'She Hooked Me': How an Online Scam Cost a Senior Citizen His Life's Savings:

  4. London hospitals disrupted by ransomware attack:

  5. This Hacker Tool Extracts All the Data Collected by Windows' New Recall AI:

  6. FBI recovers 7,000 LockBit decryption keys:

  7. Suspected state-sponsored hackers hit 22 Canadian provincial government inboxes:

  8. Chinese State-Sponsored cyber-espionage Operation "Crimson Palace" Revealed:

  9. FBI Warns of Rise in Work-From-Home Scams:

  10. AI jailbreaks: What they are and how they can be mitigated:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews