CyberheistNews Vol 15 #12 | March 25th, 2025
Key Takeaways from the KnowBe4 2025 Phishing Threat Trends Report
Our latest Phishing Threat Trends Report explores the evolving phishing landscape in 2025, from renewed tactics to emerging attack techniques.
Ransomware may be an "old" threat, but new tactics are making people more susceptible than ever. In this edition, we break down a highly advanced attack detected by KnowBe4 Defend that bypassed native security and a secure email gateway (SEG)—and would have been nearly impossible to stop if launched.
We also examine how cybercriminals are using AI for polymorphic phishing, infiltrating the hiring process and evading traditional security defenses.
Unless otherwise cited, all statistics in the report have been generated using data from KnowBe4 Defend, our integrated cloud email security (ICES) solution that detects the full spectrum of advanced phishing attacks.
Read the full report which covers the following topics:
- A Spike in Phishing
- AI-Polymorphic Phishing Campaigns
- Ransomware is Once Again on the Rise
- Cybercriminals are Hijacking the Hiring Process
- Bypassing Secure Email Gateways (SEGs)
To find out more about the latest Phishing Threat Trends, read the full report here:
Blog post with links and INFOGRAPHIC:
https://blog.knowbe4.com/key-takeaways-from-the-2025-phishing-threat-trends-report
Ridiculously Easy AI-Powered Security Awareness Training and Phishing
Phishing and social engineering are the #1 cyber threat to your organization. 68% of all data breaches are caused by human error.
Join us for a live demonstration of KnowBe4 in action. See how we safeguard your organization from sophisticated social engineering threats using the most comprehensive human risk management platform.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Artificial Intelligence Defense Agents allow you to personalize security training, reduce admin burden and elevate your human risk management strategy
- NEW! SmartRisk Agent provides actionable data and metrics to help you lower your organization's human risk score
- NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
- Smart Groups allow you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
- Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test
Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.
Date/Time: Wednesday, April 2, @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/kmsat-demo-1?partnerref=CHN
Be Vigilant: BEC Attacks Are on the Rise
Business email compromise (BEC) attacks rose 13% last month, with the average requested wire transfer increasing to $39,315, according to a new report from Fortra.
"The average amount requested from BEC wire transfer attackers was $39,315 in February compared to $24,586 in January 2025, an increase of 60%," the report says.
"During the month of February, 25% of wire transfer BEC attacks requested less than $10,000, while 62% of wire transfer BEC attacks requested between $10,000 and $50,000. For the other 12% of wire transfer BEC attacks, 0% requested between $50,000 and $100,000, and 12% requested more than $100,000."
Most of these attacks abused legitimate email services, making them more likely to evade detection by security filters.
"73% of BEC attacks were sent from email addresses hosted on free webmail providers compared to 27% of attacks sent from maliciously registered domains," the researchers write. "The percentage of free webmail providers used decreased in February compared to 72% in January 2025.
"For February 2025, Google was the primary webmail provider used by actors to send BEC campaigns, comprising 76% of the 1,036 free webmail accounts used by scammers. Other popular webmail providers included Microsoft and Verizon Media."
The researchers warn that threat actors are putting more effort into preparation in order to increase the likelihood of a major payoff. Fortra states, "Threat actors have intensified reconnaissance and profiling efforts, prioritizing larger financial targets and leveraging delayed fraud detection to increase operational success."
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/be-vigilant-bec-attacks-are-on-the-rise
Meet AIDA: The KnowBe4 Approach to Human Risk Management
AI-powered scams are now dangerously sophisticated, outpacing traditional security awareness training at every turn.
It's time to fight AI with AI. Meet KnowBe4 AIDA — Artificial Intelligence Defense Agents. AIDA transforms your human risk management approach, delivering adaptive, personalized training that actually changes behavior.
Download this whitepaper to explore how AIDA's capabilities empower you to:
- Automate tailored training assignments based on roles and risk scores
- Generate realistic, multi-lingual phishing simulations at scale
- Reinforce learning with AI-powered knowledge refreshers
- Ensure comprehension of key policies through AI-generated quizzes
Get an in-depth look at AIDA's first four agents and preview future agents that will help you build your employees into an unshakable last line of defense.
Download Now:
https://info.knowbe4.com/resources/whitepapers-and-ebooks/meet-aida-knowbe4-human-risk-management-chn
Agentic AI: Why Cyber Defenders Finally Have the Upper Hand
By Roger Grimes.
My two previous recent postings on AI covered "Agentic AI" and how that impacts cybersecurity and the eventual emergence of malicious agentic AI malware.
Both of those articles started to touch on the idea of automated agentic AI defenses. This posting goes into a little more detail on what agentic AI defenses might mean.
It starts with agentic AI, which is a collection of automated programs (i.e., bots or agents) working toward a common goal. Agentic AI grew in part out of a machine-learning concept known as a Mixture of Experts, which has been around for over four decades.
Instead of creating a single program that does a bunch of things, you create a team of separate cooperating experts who are more specialized and better at what they do.
For a real-world analogy, think about how we build most houses and buildings. One person usually does not do it all. You have people who do the architecting, surveying, landscaping, creating the foundation, pouring concrete, building up the wooden or steel framing, and people who put up the walls, windows and roofing. You have separate people who do electrical, plumbing, drywall, flooring and painting.
You usually have a general contractor or construction manager overseeing the whole thing. Each of these individual experts is likely better at what they do than if one person knew and tried to do it all. There are exceptions, of course, but in the grand scheme of things, most societies build their homes and buildings with teams of cooperating laborers who are each an expert in their field.
It is the same overall concept with agentic AI, but it is done using individual software components. Today's software and services are usually made up of one central program/service that tries to do it all. There could be dozens to hundreds of files supporting that program, but they are all part of that program and could not function standalone. They are called with one executable launching point. And they all start and end execution based on the overall program starting and stopping.
The future of software and services is agentic AI — teams of cooperating AI programs. The various components, like building subcontractors, are experts at what they do and can function standalone. They take input from the construction manager (called the orchestrator agent in AI vernacular) and return expert output to achieve a common, larger goal.
CONTINUED at the KnowBe4 blog:
https://blog.knowbe4.com/emergent-agentic-ai-defense
How Vulnerable is Your Network Against Ransomware and Cryptomining Attacks?
Bad actors are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?
KnowBe4's Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable.
Here's how RanSim works:
- 100% harmless simulation of real ransomware and cryptomining infections
- Does not use any of your own files
- Tests 25 types of infection scenarios
- Just download the installer and run it
- Results in a few minutes!
This is complimentary and will take you five minutes max. RanSim may give you some insights about your endpoint security you never expected!
Download RanSim Now!
https://info.knowbe4.com/ransomware-simulator-tool-1chn
Phishing Attacks Abuse Microsoft 365 to Bypass Security Filters
Threat actors are abusing Microsoft's infrastructure to launch phishing attacks that can bypass security measures, according to researchers at Guardz.
The attackers compromise multiple Microsoft 365 tenants in order to generate legitimate transaction notifications that contain phishing messages.
"This attack exploits legitimate Microsoft services to create a trusted delivery mechanism for phishing content, making it difficult for both technical controls and human recipients to detect," the researchers write.
"Unlike traditional phishing, which relies on lookalike domains or email spoofing, this method operates entirely within Microsoft's ecosystem, bypassing security measures and user skepticism by leveraging native M365 infrastructure to deliver phishing lures that appear authentic and blend in seamlessly."
The attackers use Microsoft 365's built-in tenant display name feature to display the phishing message rather than placing it in the email body. In one case, for example, the attackers set the display name to the following: "(Microsoft Corporation) Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorize this transaction, please call 1(888) 651-4716 to request a refund."
The researchers explain, "The attacker weaponizes the tenant's organization name field to inject a phishing lure directly into the email. Instead of embedding malicious links, the message instructs victims to call a fraudulent support number, leading to a social engineering attack designed to lure the victim to install a stealer (malware) / steal financial information or creds."
The attackers are using this technique to carry out business email compromise (BEC) attacks. Guardz notes that since the messages tell the victim to call a phone number, the scam is less likely to be stopped by technical security measures.
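A defender-side triage check for the technique described above, added here as an example; it is not code from Guardz or KnowBe4. It assumes the tenant organization name described in the article is rendered as the From: display name of the Microsoft 365 notification (an assumption; the article only says the lure sits in the tenant display-name field) and scores that name for traits an organization name should never have: excessive length, a phone number, a currency amount, callback wording and multiple sentences. Both sample messages are constructed; the lure text is the one quoted in the article, and the thresholds are illustrative.

```python
"""Score sender display names for phishing lures smuggled in via a tenant name.

Added example (not Guardz's or KnowBe4's code). Assumption: the tenant
organization name described in the article is rendered as the From: display
name of the Microsoft 365 notification. Both sample messages are constructed.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# A US-style phone number such as 1(888) 651-4716 or 888-651-4716
PHONE_RE = re.compile(r"\b1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# A money amount such as 689.89 USD or $689.89
AMOUNT_RE = re.compile(
    r"(?:\$\s?\d[\d,]*(?:\.\d{2})?|\b\d[\d,]*(?:\.\d{2})?\s?(?:USD|EUR|GBP)\b)", re.I
)
# Wording typical of callback-scam lures
ACTION_RE = re.compile(
    r"\b(?:call|refund|authori[sz]ed?|subscription|purchased|invoice|transaction)\b", re.I
)
# A sentence boundary inside the name: real organization names are not prose
SENTENCE_RE = re.compile(r"[.!?]\s+[A-Z]")

MAX_NAME_LEN = 60  # illustrative threshold; tune to the names your tenants use


def lure_indicators(display_name: str) -> list[str]:
    """Return the list of lure traits found in a sender display name."""
    hits = []
    if len(display_name) > MAX_NAME_LEN:
        hits.append("long_display_name")
    if PHONE_RE.search(display_name):
        hits.append("phone_number")
    if AMOUNT_RE.search(display_name):
        hits.append("currency_amount")
    if ACTION_RE.search(display_name):
        hits.append("call_to_action")
    if SENTENCE_RE.search(display_name):
        hits.append("multiple_sentences")
    return hits


def analyze_message(raw: str) -> dict:
    """Parse an RFC 5322 message and score its From: display name."""
    msg = message_from_string(raw)
    # Decode RFC 2047 encoded words so an encoded lure is not missed
    from_header = str(make_header(decode_header(msg.get("From", ""))))
    name, addr = parseaddr(from_header)
    indicators = lure_indicators(name)
    return {
        "address": addr,
        "display_name": name,
        "indicators": indicators,
        # Two or more independent traits: hold the message for review
        "suspicious": len(indicators) >= 2,
    }


# Constructed sample: the display name is the lure quoted in the article
LURE_NAME = (
    "(Microsoft Corporation) Your subscription has been successfully purchased "
    "for 689.89 USD using your checking account. If you did not authorize this "
    "transaction, please call 1(888) 651-4716 to request a refund."
)
SUSPICIOUS_MSG = (
    f'From: "{LURE_NAME}" <noreply@notifications.example.com>\n'
    "To: finance@example.com\n"
    "Subject: Your invoice is ready\n"
    "\n"
    "Thank you for your purchase.\n"
)
# Constructed benign notification with an ordinary organization name
BENIGN_MSG = (
    'From: "Example Corp Billing" <noreply@notifications.example.com>\n'
    "To: finance@example.com\n"
    "Subject: Your invoice is ready\n"
    "\n"
    "Thank you for your purchase.\n"
)

if __name__ == "__main__":
    for sample in (SUSPICIOUS_MSG, BENIGN_MSG):
        print(analyze_message(sample))
```

Because the sending infrastructure and the address are genuinely Microsoft's, sender-reputation and link-scanning controls have nothing to act on; the display name itself is the only anomalous field, which is why the check scores it rather than the body. The same scoring can be pointed at any header or body field that carries the tenant organization name.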
Blog post with links:
https://blog.knowbe4.com/phishing-attacks-abuse-microsoft-365-to-bypass-security-filters
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
[BUDGET AMMO #1] How agentic AI will drive the future of malware:
https://www.scworld.com/perspective/how-agentic-ai-will-drive-the-future-of-malware
[BUDGET AMMO #2] From convenience to compromise: The rising threat of quishing scams:
https://www.fastcompany.com/91302057/from-convenience-to-compromise-the-rising-threat-of-quishing-scams
[BUDGET AMMO #3] How a Toxic Work Culture Can Amplify Security Threats:
https://www.inc.com/stu-sjouwerman/how-a-toxic-work-culture-can-amplify-security-threats/91164281
- Confucius - Philosopher (551 - 479 BC)
- Martin Luther King Jr. (1929–1968)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-12-key-takeaways-from-the-knowbe4-2025-phishing-threat-trends-report
The Cybersecurity Confidence Gap: Are Your Employees as Secure as They Think?
By Anna Collard
Our recent research reveals a concerning discrepancy between employees' confidence in their ability to identify social engineering attempts and their actual vulnerability to these attacks.
While 86% of respondents believe they can confidently identify phishing emails, nearly half have fallen for scams in the past. This disconnect between perceived competence and demonstrated vulnerability, the "confidence gap," poses a substantial risk to organizations.
The Danger of Overconfidence
The survey research, titled "Security Approaches Around the Globe: The Confidence Gap," surveyed 12,037 professionals across the UK, USA, Germany, France, Netherlands and South Africa. It found that South Africa leads in both high confidence and high scam victimization rates.
This is in line with our recent Africa Cybersecurity Awareness 2025 survey which revealed that while 83% of African respondents are confident in their ability to recognize cyber threats, more than half (53%) do not understand what ransomware is and 35% have lost money to scams.
These figures suggest that the Dunning-Kruger effect, which is a cognitive bias where people overestimate their ability, is alive and well in cybersecurity. Overconfidence can create a false sense of security, making employees more susceptible to advanced cyber threats.
Key Findings
- 86% of employees believe they can confidently identify phishing emails
- 24% have fallen for phishing attacks
- 12% have been tricked by deepfake scams
- 68% of South African respondents reported falling for scams—the highest victimization rate
Beyond Training: Fostering a Security Culture
The report highlights the importance of fostering a transparent security culture. While 56% of employees feel "very comfortable" reporting security concerns, 1 in 10 still hesitate due to fear or uncertainty. Interestingly, South Africans felt most comfortable: 97% of South African respondents expressed some level of comfort in reporting their concerns, showing a level of trust in their security organizations.
Overconfidence fosters a dangerous blind spot—employees assume they are scam-savvy when, in reality, cybercriminals can exploit more than 30 susceptibility factors, including psychological and cognitive biases, situational awareness gaps, behavioral tendencies and even demographic traits.
Leverage the "Prevalence Effect"
To combat the overconfidence trap in cybersecurity awareness, organizations should leverage the "prevalence effect" by maintaining a steady and meaningful exposure to phishing simulations. The prevalence effect is based on research which indicates that when phishing attempts are rare, users become less adept at recognizing them, leading to decreased detection ability.
By regularly exposing users to simulated phishing attacks, organizations can enhance detection skills, reinforce vigilance and mitigate the risks associated with overconfidence in their ability to spot threats.
To combat this, organizations need:
- Hands-on, scenario-based training: To counteract misplaced confidence
- Continuous education: To keep up with evolving cyber threats
- Prevalence effect: Expose users to phishing simulation tests as frequently as possible
- Foster an adaptive security mindset: To respond effectively to new threats
The Bottom Line
The survey findings emphasize the critical need for effective human risk management. Personalized, relevant and adaptive training that caters to employees' individual needs should be implemented while also considering regional influences and evolving cyber tactics. In the battle against digital deception, the most dangerous mistake employees can make is assuming they are immune.
"Security Approaches Around the Globe: The Confidence Gap," is available for download at the KnowBe4 blog:
https://blog.knowbe4.com/the-cybersecurity-confidence-gap-are-your-employees-as-secure-as-they-think
Hundreds of Malicious Android Apps Received 60 Million Downloads
Bitdefender warns that a major ad fraud campaign in the Google Play Store resulted in more than 60 million downloads of malicious apps.
The attackers managed to place at least 331 malicious apps in the Play Store. In addition to displaying full-screen ads, some of the apps also directed users to phishing sites designed to harvest their credentials.
"Most applications first became active on Google Play in Q3 2024," Bitdefender says. "After further analysis, we saw that older ones that had been published earlier were initially benign and did not contain malware components. The malicious behavior was added afterward, starting with versions from the beginning of Q3.
"To be clear, this is an active campaign. The latest malware published in the Google Play Store went live in the first week of March, 2025. When we finished the investigation, a week later, 15 applications were still available for download on Google Play."
The apps posed as popular utility services, such as QR scanners, budget planners, health apps and many others. "One way to keep a malicious app hidden from the user is to hide the icon – a behavior that is no longer allowed in the Android OS," the researchers write.
"We notice that attackers used multiple approaches to solve this problem. The most popular and interesting one is also likely the most efficient. The app comes with the Launcher Activity (e.g., that the user sees and clicks on) disabled by default.
"Afterwards, by abusing the startup mechanism provided by the content provider, the samples use native code to enable the launcher, which is likely carried out as an additional technique to evade detection."
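A static triage heuristic for the launcher-hiding trick Bitdefender describes, added here as an example; it is not Bitdefender's or KnowBe4's tooling. It assumes the disabled state of the launcher activity is declared in the manifest (android:enabled="false") rather than set purely at runtime, and runs over a decoded AndroidManifest.xml. It flags a launcher activity shipped disabled together with a declared content provider, the startup hook the write-up says is abused to re-enable it. Both sample manifests are constructed.

```python
"""Flag manifests that ship a disabled launcher activity plus a content provider.

Added example (not Bitdefender's or KnowBe4's tooling). Assumption: the
launcher activity is disabled in the manifest via android:enabled="false".
Input is a decoded AndroidManifest.xml; the samples below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _attr(element: ET.Element, name: str):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(activity: ET.Element) -> bool:
    """True if any intent-filter marks this activity as the app's launcher entry."""
    for flt in activity.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        categories = {_attr(c, "name") for c in flt.findall("category")}
        if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
            return True
    return False


def analyze_manifest(xml_text: str) -> dict:
    """Return the disabled launcher components, declared providers and a risk flag."""
    root = ET.fromstring(xml_text)
    findings = {
        "package": root.get("package"),
        "disabled_launchers": [],
        "providers": [],
        "hidden_launcher_risk": False,
    }
    app = root.find("application")
    if app is None:
        return findings
    # activity-alias can carry the LAUNCHER filter too, so check both kinds
    for comp in app.findall("activity") + app.findall("activity-alias"):
        if is_launcher(comp) and _attr(comp, "enabled") == "false":
            findings["disabled_launchers"].append(_attr(comp, "name"))
    # Content providers initialize before Application.onCreate(), which is
    # the early execution point the write-up says is abused to re-enable the icon
    for provider in app.findall("provider"):
        findings["providers"].append(_attr(provider, "name"))
    findings["hidden_launcher_risk"] = bool(findings["disabled_launchers"]) and bool(
        findings["providers"]
    )
    return findings


# Constructed sample: a "QR scanner" whose launcher entry ships disabled
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".InitProvider"
        android:authorities="com.example.qrscanner.init"
        android:exported="false"/>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app with an enabled launcher and no provider
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.budget">
  <application android:label="Budget Planner">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(manifest))
```

The disabled launcher is the strong signal; many legitimate apps declare providers (file sharing, library initialization), so the provider check only raises priority for review and is not a verdict on its own. Because the write-up says the re-enabling is done from native code, a manifest-only check cannot see that step; it narrows the queue for dynamic analysis rather than replacing it.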
Blog post with links:
https://blog.knowbe4.com/hundreds-of-malicious-android-apps-received-60-million-downloads
What KnowBe4 Customers Say
"Hello Stu, I am a very happy camper — things are going quite well with our KnowBe4 implementation. Our Customer Success representative Aariel F. has been a tremendous help with getting us up to speed quickly. We are seeing very positive results from our training and phishing campaigns."
- S.K., Support Team Lead
- Many workers are overconfident at spotting phishing attacks:
https://www.techradar.com/pro/security/many-workers-are-overconfident-at-spotting-phishing-attacks
- $20B loss estimated from potential March Madness hacks:
https://www.securitymagazine.com/articles/101476-20b-loss-estimated-from-potential-march-madness-hacks5
- AI is turbocharging organized crime, EU police agency warns:
https://www.ajc.com/news/nation-world/ai-is-turbocharging-organized-crime-eu-police-agency-warns/EXCCZUAIEBG5ZACPZ7LXM7FEKE/
- Poisoned Windows shortcuts found to be a favorite of Chinese, Russian, N. Korean state hackers:
https://therecord.media/windows-lnk-files-nation-state-hacking-campaigns
- Gartner Predicts AI Agents Will Reduce The Time It Takes To Exploit Account Exposures by 50% by 2027:
https://www.gartner.com/en/newsroom/press-releases/2025-03-18-gartner-predicts-ai-agents-will-reduce-the-time-it-takes-to-exploit-account-exposures-by-50-percent-by-2027
- Browser-based phishing attacks up 140 percent:
https://betanews.com/2025/03/19/browser-based-phishing-attacks-up-140-percent/
- Scareware phishing attacks target Mac users:
https://www.securityweek.com/scareware-combined-with-phishing-in-attacks-targeting-macos-users/
- Chinese espionage group launches spear phishing attacks against European entities:
https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
- Phishing-as-a-service platforms launched more than a million attacks in January and February:
https://blog.barracuda.com/2025/03/19/threat-spotlight-phishing-as-a-service-fast-evolving-threat
- Our very own Perry Carpenter said: "I tested 5 deepfake detectors. All of them had *major* issues.":
https://youtu.be/8wnOwEP3ZgA
- Virtual Vaca #1 - Explore The Most Breathtaking Views At Crater Lake National Park:
https://youtu.be/FFS0n86LqxQ
- Virtual Vaca #2 - Hello Heidelberg, Germany from Little Big World:
https://youtu.be/Mo__gSbDB38
- Virtual Vaca #3 - Top 10 Places To Visit in Argentina - Travel Guide:
https://youtu.be/OnrJkX4LDBs
- LockPickingLawyer: "You're Doing it Wrong... The REAL Double Wrench Method":
https://youtu.be/dBSSA5ot0tA?si=tMdcYwNtaQFpOlzK
- Sunset Run - Table Mountain / Wingsuit BASE Jump / South Africa / 2025:
https://youtu.be/CbzNOTjUroA
- AI Brings Ancient Rome to Life:
https://www.flixxy.com/ai-brings-ancient-rome-to-life.htm?utm_source=4
- Laser Kiwi: PENN & TELLER FOOLED by an Olive! (Full FOOL US Performance):
https://youtu.be/gX0kmv0vll0
- [Terminator here we come #1] Cartwheels? Walk, Run, Crawl, RL Fun @ Boston Dynamics:
https://youtu.be/I44_zbEwz_w
- [Terminator here we come #2] Riding a bike or a self-balancing scooter? Dang...:
https://youtu.be/CYK_50GbP0A?si=L_243cpbFNWh2uY6
- Google Gemini 2.0 Just Changed Ai Image Generation Forever!:
https://youtu.be/TmpYMPZvj3Q
- Splashdown! Starliner astronauts finally back on Earth with NASA's SpaceX Crew-9:
https://www.youtube.com/watch?v=_-uR41UCVWw
- World's Most Dangerous Bus Route In Peru - BBC Earth Explore:
https://youtu.be/uU_VOhP8z2w
- For Da Kids #1 - Abandoned Guinea Pigs Rescued After Being Dumped in a Park:
https://youtu.be/wpkU17CYJOk
- For Da Kids #2 - Exhausted Dog Stranded on Rocks Rescued in Intense Rescue Mission:
https://youtu.be/sEi1Yw5WLAQ
- For Da Kids #3 - Parrot Brothers Annoyed Each Other Until One Day:
https://youtu.be/dSpS-0wlu2s
- For Da Kids #4 - Cat Loves Being Pushed In Sled By His Mom:
https://youtu.be/Y_-1Gn4W1Bo
- For Da Kids #5 - Tiny Turtle Follows This Man Wherever He Goes Every Day:
https://youtu.be/k9_AlefZXRk