CyberheistNews Vol 15 #17 [Warning] The Cyber "Broken Windows Theory" You Can't Afford to Ignore



Cyberheist News

CyberheistNews Vol 15 #17  |   April 29th, 2025

[Warning] The Cyber "Broken Windows Theory" You Can't Afford to Ignore

By Javvad Malik

Have you ever walked down a street with broken windows, burnt-out cars and graffiti and felt a bit uneasy? There's a reason for that, and it's not just about aesthetics.

The Broken Windows Theory, introduced by social scientists James Q. Wilson and George L. Kelling in 1982, suggests that visible signs of crime and antisocial behavior encourage further crime and disorder. But what does this have to do with cybersecurity? More than you might think.

The Cybersecurity Parallel: Neglected Digital Environments

In many organizations, cybersecurity awareness feels like a losing battle. Employees ignore security policies, download unapproved software and use weak passwords. It's as if our digital environments are full of "broken windows," signaling that it's a culture where no one really cares about security.

Traditional approaches often focus on punitive measures or dry, technical training that fails to engage employees. It's like trying to reduce crime by simply increasing fines, without addressing the underlying issues that make an area feel unsafe or neglected.

Applying the Broken Windows Theory to Cybersecurity

Just as fixing broken windows and cleaning up graffiti can reduce crime by fostering a sense of order and care, we can apply similar principles to our digital environments:

  • Create a Culture of Vigilance: Encourage employees to report potential security issues, no matter how small. This is like neighborhood watch programs for your network.
  • Address Small Issues Quickly: Respond promptly to minor security infractions. This shows that security is taken seriously at all levels.
  • Improve the "Look and Feel" of Security: Make security tools and processes user-friendly and aesthetically pleasing. A clean, well-designed security interface is like a well-maintained storefront.
  • Celebrate Security Wins: Publicly recognise employees who spot phishing attempts or follow good security practices. This is akin to community awards for neighborhood improvement.

Practical Steps for Implementation

Conduct a Digital Environment Audit

Walk through your organization's digital spaces as an average user would. Where are the "broken windows"? Look for outdated software, clunky security processes or confusing policies.

Implement a "See Something, Say Something" Program

Create an easy way for employees to report potential security issues. Make it as simple as sending a quick message or clicking a button.

Redesign Security Communications

Transform your security awareness materials. Replace dense text with infographics, short videos or even memes. Make security information as engaging as a well-designed public space.

Create Security Champions

Identify and empower individuals across departments to be security advocates. These champions can help maintain a secure "neighborhood" in their area of the organization.

Regular "Digital Community" Events

Host regular cybersecurity events that feel more like community gatherings than lectures. Think cybersecurity fairs, hacking demos or even escape rooms with a security twist.

The Path to a Strong Security Culture

By applying the principles of the Broken Windows Theory to cybersecurity, we can create digital environments where security feels natural and everyone plays a part. It's not just about preventing breaches; it's about fostering a community where secure behavior is the norm.

As we move forward, let's reimagine our approach to cybersecurity awareness. Instead of building walls and enforcing rules, let's create digital neighborhoods where everyone takes pride in keeping things secure.

Every fixed "window" in your digital environment is a step towards a more secure future. So, let's roll up our sleeves and start cleaning up our digital streets. The neighborhood—and your data—will thank you.

Blog post with links:
https://blog.knowbe4.com/broken-cyber-windows-theory

Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering are the #1 cyber threat to your organization. 68% of all data breaches are caused by human error.

Join us for a live demonstration of KnowBe4 in action. See how we safeguard your organization from sophisticated social engineering threats using the most comprehensive human risk management platform.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Artificial Intelligence Defense Agents allow you to personalize security training, reduce admin burden, and elevate your human risk management strategy
  • NEW! SmartRisk Agent provides actionable data and metrics to help you lower your organization's human risk score
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • Smart Groups allow you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, May 7, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN

China Cybercriminals Behind Toll-Themed Smishing Attacks Surge in the US and UK

Resecurity warns that a China-based cybercriminal gang dubbed the "Smishing Triad" is launching a wave of road toll-themed SMS phishing (smishing) attacks against users across the U.S. and the UK.

The researchers predict that these campaigns will spread to other countries as well.

Resecurity states, "These campaigns involve fraudulent text messages claiming unpaid toll bills or payment requests related to toll services like FasTrak, E-ZPass, and I-Pass, which is expected to expand to similar services worldwide as their earlier campaigns did." This particular campaign has used tens of thousands of domains to target millions of users since the beginning of the year.

"The campaign has utilized over 60,000 domain names, making it difficult for platforms like Apple and Android to block fraudulent activity effectively," the researchers write. "A significant spike in these activities was observed at the beginning of Q1 2025, with millions of consumers targeted. Some malicious texts have been sent from UK numbers leveraging underground bulk IM/SMS services."

Resecurity notes that abusing SMS and other messaging services to send phishing texts can be more likely to reach users than other methods. "These techniques are challenging for consumers to mitigate because actors are impersonating legitimate organizations by spoofing Senders ID (SID)," the researchers explain.

"They also leverage SMS, iMessage, and similar instant messaging (IM) apps that have reduced spam protection compared to email service providers. End users place more trust in these types of messages than in email, and these messages also create a sense of urgency for users to resolve the issue. This results in a significantly higher expected conversion rate than email, SEO, and other techniques the actors could use."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/toll-themed-smishing-attacks-surge-in-us-and-uk

KB4-CON 2025 is Now On Demand!

Great news! KB4-CON on-demand sessions are now ready for your viewing.

This year's program not only showcased ways to avoid sophisticated threats but also provided practical strategies to manage human risk within your organization. You'll learn from top security professionals, see product demos and learn industry-specific tactics to apply immediately.

Watch On Demand:
https://www.knowbe4.com/kb4-con

Threat Actors Are Increasingly Abusing AI Tools to Help With Scams

Cybercriminals are increasingly using AI tools to assist in malicious activities, according to Microsoft's latest Cyber Signals report.

"AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate," the report says.

"AI software used in fraud attempts runs the gamut, from legitimate apps misused for malicious purposes to more fraud-oriented tools used by bad actors in the cybercrime underground."

Notably, these tools can streamline the reconnaissance phase to help threat actors easily craft personalized spear phishing attacks.

"AI tools can scan and scrape the web for company information, helping cyberattackers build detailed profiles of employees or other targets to create highly convincing social engineering lures," the researchers write.

"In some cases, bad actors are luring victims into increasingly complex fraud schemes using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with fake business histories and customer testimonials. By using deepfakes, voice cloning, phishing emails and authentic-looking fake websites, threat actors seek to appear legitimate at wider scale."

Crooks are also using generative AI to quickly spin up phony job postings on employment sites.

"The rapid advancement of generative AI has made it easier for scammers to create fake listings on various job platforms," Microsoft says. "They generate fake profiles with stolen credentials, fake job postings with auto-generated descriptions and AI-powered email campaigns to phish job seekers.

"AI-powered interviews and automated emails enhance the credibility of job scams, making it harder for job seekers to identify fraudulent offers."

Blog post with links:
https://blog.knowbe4.com/threat-actors-are-increasingly-abusing-ai-tools-to-help-with-scams

Most Frequently Asked Questions About Human Risk Management

Human Risk Management (HRM) has emerged as both a "buzz phrase" and an essential enterprise cybersecurity competency. Yet many IT and security administrators are still unclear on what it means for their teams.

To help, KnowBe4 has put together concise answers to five of the most frequently asked questions about HRM:

Download this whitepaper to understand

  • What is HRM
  • Why now is the time for HRM
  • How you can operationalize HRM
  • Does HRM replace security awareness training
  • How you should evaluate HRM vendors

Download Now:
https://info.knowbe4.com/5-faqs-human-risk-management-chn

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: AI-Powered Polymorphic Phishing Is Changing the Threat Landscape:
https://www.securityweek.com/ai-powered-polymorphic-phishing-is-changing-the-threat-landscape/

Introducing the KnowBe4 Academy: Your Path to Mastering Human Risk Management
https://blog.knowbe4.com/introducing-the-knowbe4-academy-your-path-to-mastering-human-risk-management/

Quotes of the Week  
"Very little is needed to make a happy life; it is all within yourself, in your way of thinking."
- Marcus Aurelius - Roman Emperor (121–180 AD)

"The mind is everything. What you think, you become."
- Buddha - Spiritual Teacher (c. 563–483 BC)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-17-warning-the-cyber-broken-windows-theory-you-cant-afford-to-ignore

Security News

Offensive Cyber Deception Masterclass

This course equips students with the skills to deploy Generative AI in Red and Blue team operations, exploring how adversaries use AI-generated text, voice and video to manipulate perception, erode trust and exploit cognitive biases.

Attendees will learn how to:

  • Construct AI-powered scam bots leveraging large language models (LLMs) for high-impact phishing and persuasion campaigns
  • Develop countermeasures like "honeybots", AI-powered deception detectors designed to neutralize these threats
  • Understand and build synthetic and manipulated media attacks, including AI-generated audio and video deception and AI-enhanced information warfare tactics
  • Understand how these tools can be weaponized to fabricate identities, impersonate trusted figures, and orchestrate social engineering attacks at scale
  • Master deception and counterdeception frameworks that have been used in military and political contexts

Sign up here:
https://www.cyberdeception.ai/

Perry Carpenter just started an AI/Deepfake newsletter on LinkedIn. Please subscribe and help get the word out when you have a sec:
https://www.linkedin.com/newsletters/7319922626200510464/

Half of Organizations Lack Protection Against Email Spoofing

A new report from Valimail has found that 50% of organizations lack effective protection against email spoofing.

Specifically, many organizations have lenient DMARC policies that don't actually prevent spoofing. DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that lets a domain owner tell receiving mail servers what to do with messages that fail SPF and DKIM alignment checks for that domain. Only an enforcing policy (p=quarantine or p=reject) causes spoofed mail to be diverted or refused; a p=none policy asks for reports and nothing else.

"In many industries, a significant number of companies have implemented a policy of p=none, likely in response to the Microsoft, Yahoo, and Google email sender requirements (Yahoo/Google announced in 2023, Microsoft in 2025), not realizing that while this 'checks the box' for delivering mail to mailbox providers, it does nothing to actually protect email domains against malicious, false use," the report states.

"So, while DMARC adoption rates might appear high, a significant percentage of tracked domains in each segment are unprotected."

Valimail's CEO Alexander García-Tobar explains, "What's particularly concerning is that while many organizations have taken initial steps toward securing their email domains, a significant percentage have implemented overly permissive or non-protective policies.

"This creates a false sense of security while leaving these organizations vulnerable to impersonation attacks that can damage reputation, erode customer trust, and compromise sensitive information."

The report notes that many organizations fail to implement DMARC effectively because they don't understand how the protocol can thwart convincing email spoofing. "A big part of the problem is that many organizations don't know what DMARC is or why it matters," the researchers write.

"There's a common belief that other security measures like firewalls or antivirus software are enough to stop phishing. Unfortunately, that's just not true. Email is one of the weakest links in most organizations' security."
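A concrete check for the "p=none checks the box but protects nothing" problem the report describes. This is an added example, not code from Valimail or KnowBe4: it parses a DMARC TXT record and reports whether the published policy is actually enforcing, flagging the three common ways a record ends up non-protective (p=none, a partial pct=, and sp=none reopening subdomains). The four records are constructed for the example; fetch a real one with `dig +short TXT _dmarc.example.com` and pass it to `classify_dmarc`.

```python
"""Classify a DMARC record: does the published policy actually stop spoofing?

Added example; not from the Valimail report. The records below are
constructed. Retrieve a live record with: dig +short TXT _dmarc.example.com
"""
from dataclasses import dataclass, field

ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcVerdict:
    policy: str            # p= for the organizational domain
    subdomain_policy: str  # sp=, defaults to p= when absent
    pct: int               # share of failing mail the policy is applied to
    protective: bool       # True only if spoofed mail is rejected/quarantined everywhere
    reasons: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs (RFC 7489 'tag=value;' syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if "p" not in tags:
        raise ValueError("invalid DMARC record: required p= tag missing")
    return tags


def classify_dmarc(record: str) -> DmarcVerdict:
    """Return the effective policy plus human-readable reasons it falls short."""
    tags = parse_dmarc(record)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # subdomains inherit p= unless sp= is set
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    reasons = []
    if p == "none":
        reasons.append("p=none only requests reports; receivers still deliver spoofed mail")
    elif p == "quarantine":
        reasons.append("p=quarantine only diverts failures to spam; move to p=reject once "
                       "all legitimate senders pass SPF/DKIM alignment")
    elif p not in ENFORCING:
        raise ValueError(f"unknown policy: {p}")
    if sp == "none" and p != "none":
        reasons.append("sp=none leaves every subdomain spoofable even though the apex is enforced")
    if pct < 100:
        reasons.append(f"pct={pct}: only {pct}% of failing messages get the policy applied")
    protective = p in ENFORCING and sp in ENFORCING and pct == 100
    return DmarcVerdict(p, sp, pct, protective, reasons)


# Constructed records, as they would appear at _dmarc.<domain> (example.com is a placeholder):
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SUBDOMAIN_GAP = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"
PARTIAL_ROLLOUT = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, rec in [("monitor-only", MONITOR_ONLY), ("subdomain-gap", SUBDOMAIN_GAP),
                      ("partial-rollout", PARTIAL_ROLLOUT), ("enforced", ENFORCED)]:
        v = classify_dmarc(rec)
        print(f"{name:16} protective={v.protective!s:5} {'; '.join(v.reasons) or 'ok'}")
```

The weak records and the corrected one sit side by side: p=none and a low pct= are monitoring, not protection, and sp=none reopens every subdomain even when the apex domain is at p=reject. The wording of the reasons and the decision to count p=quarantine as enforcing are this example's choices, not the report's.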

It's worth noting that while DMARC can make an attacker's job more difficult, threat actors can still find ways to launch impersonation attacks, for example from look-alike domains that they control and authenticate correctly. New-school security awareness training gives your organization an essential layer of defense against social engineering.

Blog post with links:
https://blog.knowbe4.com/half-of-organizations-lack-protection-against-email-spoofing

Warning: Ransomware Remains a Top Threat for SMBs

A new report from Sophos found that ransomware attacks accounted for over 90% of incident response cases involving medium-sized businesses in 2024, as well as 70% of cases involving small businesses.

"While the overall number of incidents in 2024 was slightly down—in part because of better defenses and the disruption of some major ransomware-as-a-service operators—ransomware-related crime is not fading away," Sophos says.

"If anything, the tactics of ransomware actors are evolving to be faster on the attack and more willing to extort the victim over stolen data when they fail to encrypt the victim's files. Sometimes the attackers don't even bother trying to encrypt the files."

The researchers note a 50% increase in the use of ransomware designed to execute from devices that aren't monitored by technical defenses.

"When attackers do run ransomware, it's often done from outside of the detection range of endpoint protection software—that is, from an unmanaged device either remotely or directly connected to the targeted network," the researchers write.

"These 'remote' ransomware attacks use network file-sharing connections to access and encrypt files on other machines, so the ransomware never executes on them directly. This can conceal the encryption process from malware scans, behavioral detection, and other defenses."
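The remote-encryption pattern Sophos describes is invisible to the endpoint agent on the victim machine, because nothing malicious runs there, but it is visible on the file server, which sees one client reading, rewriting and deleting files in bulk over the share. The following is an added example, not code from Sophos or KnowBe4: a small detector over file-share audit events that flags a client which, within a short window, rewrites many files under a new suffix after reading or deleting the originals. The log format, access names, client addresses and thresholds are assumptions made for this example, and the sample log is constructed.

```python
"""Flag remote ransomware: one client encrypting files over a network share.

Added example; not code from the Sophos report. It runs over a constructed,
simplified file-share audit log (one line per operation, roughly what a SIEM
would normalize from Windows Event ID 5145, network share object access).
The field layout, access names and thresholds are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WRITE_ACCESSES = {"WriteData", "AppendData", "WriteAttributes"}
ORIGINAL_ACCESSES = {"ReadData", "DELETE"}   # how the pre-encryption copy shows up


@dataclass
class Event:
    ts: datetime
    client_ip: str
    share: str
    access: str
    path: str


def parse_line(line: str) -> Event:
    """Parse '<ISO time> <client_ip> <share> <access> <path>' (assumed format)."""
    ts, ip, share, access, path = line.split(maxsplit=4)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, share, access, path)


def original_name(path: str):
    """'budget.xlsx.locked' -> 'budget.xlsx'; None if the name has no extra suffix."""
    stem, dot, _ = path.rpartition(".")
    if dot and "." in stem.rsplit("/", 1)[-1]:
        return stem
    return None


def detect_remote_encryption(lines, window=timedelta(seconds=60),
                             min_rewrites=5, min_distinct_writes=15):
    """Return {client_ip: stats} for clients whose activity in any `window`
    looks like bulk encryption: originals read/deleted and rewritten under a
    new suffix (`rewrites`), or simply very many distinct files written."""
    by_client = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_client[ev.client_ip].append(ev)

    alerts = {}
    for ip, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        worst, start = None, 0
        for end in range(len(evs)):              # sliding window over this client's ops
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            originals = {e.path for e in win if e.access in ORIGINAL_ACCESSES}
            written = {e.path for e in win if e.access in WRITE_ACCESSES}
            rewrites = sum(1 for p in written if original_name(p) in originals)
            if rewrites >= min_rewrites or len(written) >= min_distinct_writes:
                stats = {"share": evs[end].share, "from": win[0].ts, "to": win[-1].ts,
                         "rewrites": rewrites, "distinct_writes": len(written)}
                if worst is None or rewrites > worst["rewrites"]:
                    worst = stats
        if worst:
            alerts[ip] = worst
    return alerts


# Constructed sample log. 10.0.5.21 is a normal user; 10.0.9.77 plays the unmanaged
# host that reads each file, writes an encrypted copy with a new suffix, deletes the
# original, then drops a ransom note. Hosts, share and file names are made up.
SHARE = "//FS01/Finance"
FILES = ["budget.xlsx", "q1-report.docx", "payroll.csv",
         "contracts.pdf", "invoices.xlsx", "forecast.pptx"]


def _burst(ip, share, start, files, suffix=".locked", step_s=2):
    t, out = start, []
    for f in files:
        for access, path in (("ReadData", f), ("WriteData", f + suffix), ("DELETE", f)):
            out.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {ip} {share} {access} {path}")
            t += timedelta(seconds=step_s)
    out.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {ip} {share} WriteData READ_ME_TO_RECOVER.txt")
    return out


SAMPLE_LOG = [
    f"2025-04-28T09:15:01Z 10.0.5.21 {SHARE} ReadData budget.xlsx",
    f"2025-04-28T09:15:07Z 10.0.5.21 {SHARE} WriteData budget.xlsx",
    f"2025-04-28T09:16:30Z 10.0.5.21 {SHARE} ReadData q1-report.docx",
] + _burst("10.0.9.77", SHARE, datetime(2025, 4, 28, 9, 20, 0), FILES)

if __name__ == "__main__":
    for ip, s in detect_remote_encryption(SAMPLE_LOG).items():
        print(f"ALERT {ip} on {s['share']}: {s['rewrites']} files rewritten with a new suffix, "
              f"{s['distinct_writes']} distinct writes, {s['from']:%H:%M:%S}-{s['to']:%H:%M:%S}")
```

The point of the vantage point: the attacking host has no endpoint agent, so the only reliable telemetry is the server-side share audit log (or the equivalent from a NAS), where the whole burst arrives from one client address. Tune the window and thresholds to the share's normal churn, and treat a hit as a reason to cut that client's SMB session and isolate the source address, not just to raise a ticket.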

The report also observed an increase in business email compromise (BEC) attacks, driven by credential phishing attacks that can bypass multi-factor authentication.

"Business email compromise activity is a growing proportion of the overall initial compromises in cybersecurity incidents—leveraged for malware delivery, credential theft, and social engineering for a variety of criminal purposes," Sophos says.

"One of the drivers of business email compromise is the phishing of credentials with adversary-in-the-middle multifactor authentication (MFA) token capture, a constantly evolving threat."

Blog post with links:
https://blog.knowbe4.com/warning-ransomware-remains-a-top-threat-for-smbs

What KnowBe4 Customers Say

"Hi Stu - if that's really who you are. It's a pleasure to meet you, sir.

"I am indeed a happy camper. First and foremost, my account team, Shelby B., Matty M., and Tom C., have all been fantastic to work with. Concerning the product itself, it has exceeded my expectations in terms of ease of use, quality of content, and tracking capabilities.

"You're running a tight ship. I only wish all my other service providers were as diligent. At this point, I don't even have any constructive criticisms to share with you.

"I do appreciate your reaching out, though. Again, if you're the real Stu Sjouwerman and not the marketing director."

- B.S., Chief Technology Officer
[NOTE] - It's indeed me. :-D

The 10 Interesting News Items This Week
  1. Southeast Asian cyber fraud industry at 'inflection point' as it expands globally:
    https://therecord.media/southeast-asia-cyber-fraud-at-inflection-point

  2. All Gmail users at risk from clever replay attack:
    https://www.malwarebytes.com/blog/news/2025/04/all-gmail-users-at-risk-by-clever-replay-attack

  3. FBI: Scammers pose as FBI IC3 employees to 'help' recover lost funds:
    https://www.bleepingcomputer.com/news/security/fbi-scammers-pose-as-fbi-ic3-employees-to-help-recover-lost-funds/

  4. Russia attempting cyber sabotage attacks against Dutch critical infrastructure:
    https://therecord.media/dutch-mivd-report-russian-cyber-sabotage

  5. ChatGPT crosses a new AI threshold by beating the Turing test:
    https://www.techradar.com/computing/artificial-intelligence/chatgpt-crosses-a-new-ai-threshold-by-beating-the-turing-test

  6. Texas men convicted in phishing scam that cost city of Memphis $773K:
    https://wreg.com/news/local/texas-men-convicted-in-phishing-scam-that-cost-city-of-memphis-773k/

  7. New KnowBe4 Report Exposes Critical Cyber Threats in European Energy Sector:
    https://www.knowbe4.com/hubfs/Europe-Energy-Report-UK-EN.pdf

  8. How Gen Z Became the Most Gullible Generation:
    https://www.politico.com/news/magazine/2025/04/23/gen-z-media-tiktok-misinformation-00287561?

  9. Anthropic finds alarming 'emerging trends' in Claude misuse report - "influence-as-a-service" operation:
    https://www.zdnet.com/article/anthropic-finds-alarming-emerging-trends-in-claude-misuse-report/

  10. Ransomware now plays a role in nearly half of all breaches, new research finds:
    https://therecord.media/ransomware-in-half-of-all-data-breaches-verizon

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
