CyberheistNews Vol 15 #23 [Heads Up] Your Kid's School Cybersecurity Gets Worse at an Alarming Rate




CyberheistNews Vol 15 #23 |   June 10th, 2025

[Heads Up] Your Kid's School Cybersecurity Gets Worse at an Alarming Rate

By Javvad Malik

Last year, KnowBe4's report "Exponential Growth in Cyber Attacks Against Higher Education Institutions" illustrated the growing cyber threats facing universities and colleges.

The report highlighted the perfect storm of factors making educational institutions prime targets: vast data repositories, open networks, limited security resources and decentralized governance structures.

Unfortunately, as we approach the midpoint of 2025, the latest data from the UK Government's Cyber Security Breaches Survey reveals this trend isn't merely continuing—it's accelerating at an alarming pace. [The rest of the world isn't any better.]

The Numbers Don't Lie: A Widening Attack Surface

The percentage of educational institutions identifying breaches has increased dramatically across all sectors. Higher education institutions have reached near-universal victimization, with 97% reporting breaches in 2024, up from 85% the year before. Even primary schools, once considered lower-risk targets, saw a concerning 11% increase in breach identification.

What's particularly concerning is how this compares to the broader business landscape. While all UK businesses experienced an 18% increase in breach identification between 2023 and 2024, higher education institutions are now nearly twice as likely to face attacks as the average business.

Phishing: The Universal Gateway

Phishing attacks remain the dominant entry point for attackers, with 100% of higher education institutions reporting such attempts. The troubling new development is the increased sophistication of these attacks, with impersonation techniques showing substantial growth across all education sectors:

  • Higher education impersonation attacks: 86% → 90%
  • Further education impersonation attacks: 64% → 78%
  • Secondary schools impersonation attacks: 42% → 58%

These aren't simple spam emails anymore—they're targeted, contextual attacks leveraging social engineering and institutional knowledge.

The Rise of DoS Attacks

Denial of service (DoS) attacks have become significantly more prevalent, now affecting 40% of higher education institutions, up from 30% the previous year. Secondary schools saw this threat nearly double, from 8% to 14%. These attacks don't merely steal data—they disrupt operations, causing substantial financial and reputational damage.

The Malware Escalation

Perhaps most concerning is the dramatic increase in malware across all educational sectors, with higher education institutions experiencing a 13% increase (64% to 77%). This suggests attackers are investing in more sophisticated techniques specifically targeting educational environments.

The Human Element: Internal Threats Growing

Unauthorized access by staff increased across all educational sectors, with further education colleges seeing a concerning jump from 11% to 19% and higher education reporting 27% of breaches originating from staff. This underscores a crucial point from KnowBe4's initial report: technological defenses alone cannot protect educational institutions when the human element remains vulnerable.

Human Risk Management: The New Security Frontier

The 2024 data confirm KnowBe4's assessment that education needs more robust cybersecurity strategies. The increase in account takeovers (16% to 20% in higher education) and in unauthorized access indicates that attackers are finding ways around standard defenses.

The most sophisticated firewall can't prevent an authorized user from making a security mistake, which is why educational institutions need a comprehensive human risk management program that includes:

[CONTINUED] at the KnowBe4 blog:
https://blog.knowbe4.com/the-worsening-landscape-of-educational-cybersecurity

[WEBINAR] Outsmart the Evolving Threat: Your Guide to Beating 2025's Phishing Epidemic

Your organization is facing a social engineering assault. Phishing emails evading secure email gateways surged 47% in 2024, while 33% of employees routinely interact with these threats. KnowBe4's analysis of 14.5 million users across 62,400 organizations reveals this perfect storm of sophisticated attacks targeting your most vulnerable assets—your people.

Join us for this webinar where KnowBe4's Erich Kron, Security Awareness Advocate, and Jack Chapman, SVP of Threat Intelligence, will reveal powerful findings from our 2025 phishing research, including which industries face the highest risks and how cybercriminals are reviving old threats with dangerous new techniques.

They'll share insights, including:

  • The sneaky tricks cybercriminals use to evade detection by SEGs and native security
  • Latest insights on how AI is transforming the phishing landscape (and how you can fight fire with fire!)
  • Detailed industry risk profiles—and whether yours is vulnerable
  • The shocking reasons your employees are more vulnerable than ever in 2025
  • Battle-tested strategies to fortify your human firewall against these evolving threats

Don't become another phishing statistic! Join us to learn how to transform your organization from easy prey into an impenetrable fortress, and earn CPE for attending!

Date/Time: TOMORROW, Wednesday, June 11, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/pib-webinar-2025?partnerref=CHN2

New Unrestricted AI Tool Can Assist in Cybercrime

Researchers at Certo warn that a new AI chatbot called "Venice[.]ai" can allow cybercriminals to easily generate phishing messages or malware code. The tool, which only costs $18 per month, is growing in popularity on criminal forums.

"One of the starkest contrasts between Venice[.]ai and more mainstream AI systems like ChatGPT is how each responds to harmful or malicious requests," Certo says.

"Where ChatGPT typically refuses to assist — citing OpenAI's usage policies and ethical safeguards — Venice.ai takes a very different approach. In fact, Certo's testing revealed not only that Venice will provide malicious output, but that it appears designed to do so without hesitation."

Certo found that Venice will generate compelling phishing emails with no mistakes that could tip off a victim.

"In one test, we asked Venice[.]ai to write a convincing phishing email – essentially, an email that could trick someone into clicking a malicious link or paying a fake invoice," the researchers write. "Within seconds, the chatbot produced a polished draft that could fool even cautious users.

"This automatically generated email was remarkably persuasive, mimicking the tone and formatting of a legitimate bank alert. It had no tell-tale grammar mistakes or odd phrasing to give it away. A human attacker would simply need to insert a phishing link and send it out."

Additionally, the researchers asked Venice to write a ransomware program in Python, and the tool quickly generated ransomware code.

"It produced a script that recursively encrypted files in a directory using a generated key, and even output a ransom note with instructions for the victim to pay in cryptocurrency," Certo says. "In effect, Venice[.]ai provided a blueprint for ransomware, complete with working encryption code. A few tweaks by a criminal and the code could be deployed against real targets."

Certo concludes that user awareness is an important layer of defense against these evolving threats.

"A crucial line of defense is educating users about AI-enhanced scams," the researchers write. "As the FBI and others have urged, people must be vigilant about unusually well-crafted messages and verify requests through secondary channels. Organizations are updating their fraud training to include AI-related warning signs."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/new-unrestricted-ai-tool-can-assist-in-cybercrime

[Live Demo] Intelligent Email Defense: Automate, Remediate and Train from One Platform

As cyber attackers continue to outpace traditional defenses, it's not a question of if, but when sophisticated attacks will bypass your email security controls.

Phishing attacks are surging at an unprecedented 1,265% rate since 2022, largely driven by AI advancements. Most concerning, 31% of IT teams take more than five hours to respond to reported security issues, leaving your organization vulnerable during those critical hours when threats remain active in your users' inboxes.

During this demo, you'll discover how PhishER Plus can help take control back from rising AI phishing risks by:

  • Transforming your users into active threat sensors with one-click reporting via the Phish Alert Button
  • Accelerating response times with AI-powered automation that reduces manual email review by 85-99%
  • Providing comprehensive threat intelligence from a network of 13+ million global users and third-party integrations
  • Removing threats automatically from all mailboxes with PhishRIP before users can interact with them
  • Converting real attacks into targeted training opportunities with PhishFlip

Discover how PhishER Plus combines AI and human intelligence to transform your users from security risks into your most valuable defenders.

Date/Time: Wednesday, June 18th @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/phisher-demo-3?partnerref=CHN

Fake MFA Reset Warning Message

By Roger Grimes.

A KnowBe4 co-worker of mine recently got this SMS phishing message (i.e., smish). They quickly identified it as a social engineering attack and shared it on our internal communication channel for sharing such things.

I have had more and more of these types of similar smishes occurring over the last few months. It is an attempt to trick someone into worrying that their Gemini, Gmail, Microsoft, Instagram…or whatever account…is in the middle of being compromised and you need to react NOW! NOW! NOW! to prevent it from being taken over.

For me, most of them involve Gmail account warnings.

The premise is that your account is under attack, a hacker is trying to reset your authentication and take it over by generating a code to reset a password or set a new multi-factor authentication instance. The scammers want you to panic and follow the instructions.

The warning messages are not that different from real notification messages sent by real vendors, with a few caveats, including:

  • You did not initiate the account reset (this is the number one clue!)
  • Comes from a strange or unrecognized phone number (not all that strange by itself)
  • The number it is originating from does not match the number/area code you are being asked to call (real requests often originate from "short numbers" instead of phone numbers)
  • Sense of urgency involved (you will suffer damage if you do not call now)

Besides your initiation of the reset request, most legitimate reset messages include URLs to the vendor's legitimate website and domain, not a phone number. I've never seen a real notice message that included a "reference code." I guess that's "official sounding."

However, I have gotten real reset messages with just a phone number to call and not a URL. Not all SMS messages containing only phone numbers to call are fake. But I am usually expecting them and if I research the phone number, the vendor's legitimate website comes up right away listing the phone number.

When I research a phone number involved in a spoof, it never comes up under a vendor's legitimate website (although it can have a vendor's name attached to it in a search result…but pointing to a fake of the vendor's website or as reported on spam sites).

When in doubt about a reset message, contact the vendor using their valid, legitimate URL. If there is a problem with your account, the problem will still be there when you log into the vendor's website. They do not just send you an SMS message and call it a day.

Most importantly, never call the phone number in the message. With spoofed messages, that phone number will usually be answered by a very friendly voice claiming to work for the company. Sometimes they have fake "hold music" that repeats the company name. You cannot trust a phone number sent to you in a message without researching it first.

Be careful when researching because some fake numbers have been researched by potential scam victims so much that they will appear as belonging to the claimed company…but will not, most importantly, be listed on the legitimate company's website. When in doubt, call the company on a known good phone number.

[CONTINUED] At the KnowBe4 website with screenshots and links:
https://blog.knowbe4.com/fake-mfa-reset-warning-message
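The clues listed above can be turned into a simple triage check a help desk or a security-awareness team can run over a forwarded message. The Python below is an added example written for this page, not code from the original post or from KnowBe4: it scores an SMS against those clues (the recipient did not request the reset, the sender is a full phone number rather than a carrier short code, a callback number whose area code differs from the sender's, urgency wording, an official-sounding "reference code", and any link that leaves the vendor's own domain). The vendor domain example-bank.com, both sample messages and the weights are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Heuristics distilled from the clues in the article; weights are illustrative, not calibrated.
URGENCY_RE = re.compile(
    r"\b(immediately|now|urgent|urgently|suspended|locked|within\s+\d+\s+(?:minutes|hours))\b", re.I)
REF_CODE_RE = re.compile(r"\b(?:ref(?:erence)?|case|ticket)\s*(?:code|#|no\.?|number)\b", re.I)
# North American numbers in the usual spellings; the single capturing group is the area code.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_HOST_RE = re.compile(r"https?://([^\s/?#]+)", re.I)


@dataclass
class SmsMessage:
    sender: str                 # number exactly as the handset displays it
    body: str
    user_initiated_reset: bool  # did the recipient actually ask for a reset?


def digits_only(number: str) -> str:
    return re.sub(r"\D", "", number)


def is_short_code(sender: str) -> bool:
    # Carrier short codes are 5 or 6 digits; ordinary phone numbers are 10 or 11.
    return 5 <= len(digits_only(sender)) <= 6


def area_code(number: str):
    d = digits_only(number)
    if len(d) == 11 and d.startswith("1"):
        d = d[1:]
    return d[:3] if len(d) == 10 else None


def host_in_domains(host: str, domains) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def score_reset_sms(msg: SmsMessage, vendor_domains):
    """Return (score, reasons). Higher means more smish-like."""
    score, reasons = 0, []
    if not msg.user_initiated_reset:          # the number-one clue in the article
        score += 3
        reasons.append("reset was not initiated by the recipient")
    if not is_short_code(msg.sender):
        score += 1
        reasons.append("sender is a full phone number, not a carrier short code")
    callback_area_codes = PHONE_RE.findall(msg.body)
    if callback_area_codes:
        score += 1
        reasons.append("message asks you to call a phone number instead of visiting the vendor site")
        sender_ac = area_code(msg.sender)
        if sender_ac and any(ac != sender_ac for ac in callback_area_codes):
            score += 1
            reasons.append("callback area code does not match the sender's number")
    if URGENCY_RE.search(msg.body):
        score += 1
        reasons.append("urgency language")
    if REF_CODE_RE.search(msg.body):
        score += 1
        reasons.append("official-sounding reference code")
    for host in URL_HOST_RE.findall(msg.body):
        if not host_in_domains(host, vendor_domains):
            score += 2
            reasons.append(f"link points to {host}, not the vendor's own domain")
    return score, reasons


def verdict(score: int) -> str:
    if score >= 4:
        return "likely smish: do not call or click; log in via the vendor's known-good URL"
    if score >= 2:
        return "unclear: verify through the vendor's website before acting"
    return "consistent with a legitimate notification"


# Constructed sample data: a vendor domain and two messages, one fake and one legitimate.
VENDOR_DOMAINS = {"example-bank.com"}
FAKE_SMS = SmsMessage(
    sender="+1 (213) 555-0143",
    body="Example Bank Alert: a password reset and new 2-step device were requested on your "
         "account. If this was not you, call (800) 555-0199 immediately. Reference code: GX-4471.",
    user_initiated_reset=False)
LEGIT_SMS = SmsMessage(
    sender="22000",
    body="Example Bank: you requested a password reset. Continue at https://example-bank.com/reset. "
         "Didn't request this? Sign in at https://example-bank.com to review your account.",
    user_initiated_reset=True)

if __name__ == "__main__":
    for label, sms in (("fake", FAKE_SMS), ("legitimate", LEGIT_SMS)):
        s, why = score_reset_sms(sms, VENDOR_DOMAINS)
        print(f"{label}: score={s} -> {verdict(s)}")
        for r in why:
            print("  -", r)
```

The "did you initiate this?" flag carries the most weight on purpose, matching the article's ordering of clues; the remaining checks only refine a decision that the recipient's own memory should already settle. Whatever the score, the safe action is the same one the article gives: log in at the vendor's known-good URL and see whether the problem is really there.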

KnowBe4 Named a Leader In Frost Radar: Human Risk Management

Download your complimentary copy of the Frost Radar: Human Risk Management report, where KnowBe4 has been recognized as a leader in human risk management (HRM). The report identifies the industry's most innovative and impactful participants and offers insight into HRM best practices.

KnowBe4 was recognized by Frost & Sullivan for our:

  • AI-powered adaptive phishing simulations
  • Behavioral security coaching with SecurityCoach
  • Comprehensive human risk scoring
  • PhishER Plus for threat identification and remediation
  • Security awareness training content

Discover more about how KnowBe4's HRM+ platform delivers all of these capabilities, and more, by reading the report.

Download Now:
https://info.knowbe4.com/industry-benchmark-reports/frost-and-sullivan-human-risk-management-chn



Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and Exec Chair
KnowBe4, Inc.

PS: Your KnowBe4 Compliance Plus Fresh Content Updates from May 2025:
https://blog.knowbe4.com/knowbe4-cmp-content-updates-may-2025

PPS: What Are The 4 Key Components Of A Successful Human Risk Management Program?:
https://blog.knowbe4.com/what-are-the-key-components-of-a-successful-human-risk-management-program

Quotes of the Week  
"There are only two mistakes one can make along the road to truth; not going all the way, and not starting."
- Buddha - Philosopher (563 - 483 BC)

"Dare to think for yourself."
- Voltaire - Writer and Philosopher (1694 - 1778)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-23-heads-up-your-kids-school-cybersecurity-gets-worse-at-an-alarming-rate

Security News

Spear Phishing Campaign Targets Financial Executives

Researchers at Trellix warn of a spear phishing campaign that's targeting CFOs around the world with phony employment offers. The emails are designed to deliver a legitimate remote access tool that will give the attacker a foothold on the victim's machine.

"On May 15th, Trellix's email security products alerted on a highly targeted spear-phishing operation aimed at CFOs and finance executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia," the researchers write.

"In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate WireGuard-based remote-access tool on the victim's computer. In recent years, adversaries have increasingly relied on remote-access applications like this to establish persistence and further their way into the victim's network."

The phishing lures appear to be a job offer from financial services giant Rothschild & Co, and contain a malicious link disguised as a PDF file. "The attack chain begins with a social-engineered email that pretends to come from a Rothschild & Co recruiter and dangles a 'strategic opportunity' with the firm.

"The attached 'brochure' isn't a PDF but a Firebase-hosted page hiding behind a math-quiz custom CAPTCHA. Once the victim solves it, they're handed a ZIP file that unpacks to a VBS script. Running that script pulls down a second VBS which silently installs two MSI packages: NetBird and OpenSSH, then creates a hidden local-admin account and enables RDP, giving the attacker an encrypted channel for remote access."

Trellix notes that these attacks are "well-crafted, targeted, subtle, and designed to slip past technology and people." The researchers offer the following advice to help users avoid falling for the scam:

  • "Treat unsolicited 'opportunities' or cold-recruitment emails with skepticism, especially when they come with a ZIP or obscure download link.
  • "Never bypass security warnings to enable content or scripts from downloads.
  • "Report unusual contact attempts to security teams, even if the email seems harmless. Early reporting is often what prevents compromise."

Trellix has the story:
https://www.trellix.com/en-in/blogs/research/a-flyby-on-the-cfos-inbox-spear-phishing-campaign-targeting-financial-executives-with-netbird-deployment/
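The chain Trellix describes leaves a recognizable footprint on the endpoint: a new local account, its addition to Administrators, and RDP being switched on, all within minutes and preceded by silent MSI installs of NetBird and OpenSSH. The Python below is an added example written for this page, not code from Trellix or KnowBe4: it correlates those signals per host over constructed, SIEM-style records that use the real Windows field names (Security 4720 and 4732, MsiInstaller 11707, Sysmon event 13 on fDenyTSConnections). The hostnames, account names, timestamps, the 15-minute window and the product watchlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators (4732 TargetSid)
RDP_VALUE_SUFFIX = r"\Control\Terminal Server\fDenyTSConnections"  # DWORD 0 means RDP allowed
WINDOW = timedelta(minutes=15)
# Remote-access products whose silent MSI install near the other signals is worth surfacing.
# NetBird and OpenSSH are the two named in the Trellix report; extend with your own watchlist.
REMOTE_ACCESS_PRODUCTS = ("netbird", "openssh")


def _when(event):
    return datetime.fromisoformat(event["time"])


def _rdp_enabled(fields):
    # Sysmon 13 reports the new value as e.g. "DWORD (0x00000000)".
    return (fields.get("TargetObject", "").endswith(RDP_VALUE_SUFFIX)
            and fields.get("Details", "").strip().lower().endswith("(0x00000000)"))


def correlate_hidden_admin_rdp(events, window=WINDOW):
    """One finding per host where, inside `window`, an account was created (Security 4720),
    added to Administrators (Security 4732) and RDP was then enabled (Sysmon 13 on
    fDenyTSConnections). Any MSI install of a watched remote-access product (Application 11707)
    in the same window is attached as supporting context."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_when)
        created, made_admin, installs = {}, {}, []
        for e in evs:
            chan, eid, f, t = e["channel"], e["event_id"], e["fields"], _when(e)
            if chan == "Security" and eid == 4720:
                created[f["TargetUserName"].lower()] = t
            elif chan == "Security" and eid == 4732 and f.get("TargetSid") == ADMINISTRATORS_SID:
                # Real 4732 events often carry only MemberSid; resolve it to a name before this step.
                made_admin[f["MemberName"].split("\\")[-1].lower()] = t
            elif chan == "Application" and eid == 11707:
                installs.append((t, f["Message"]))
            elif chan == "Sysmon" and eid == 13 and _rdp_enabled(f):
                # RDP was just switched on: look back for an account created AND made admin.
                for acct, t_admin in made_admin.items():
                    t_created = created.get(acct)
                    if t_created and t_created <= t_admin <= t and t - t_created <= window:
                        ra_installs = [m for ts, m in installs
                                       if t - ts <= window
                                       and any(p in m.lower() for p in REMOTE_ACCESS_PRODUCTS)]
                        findings.append({
                            "host": host, "account": acct,
                            "account_created": t_created.isoformat(),
                            "rdp_enabled": t.isoformat(),
                            "enabled_by_image": f.get("Image"),
                            "remote_access_installs": ra_installs,
                        })
    return findings


# Constructed sample telemetry, normalized as a SIEM might store it (field names follow the
# Windows Security, MsiInstaller and Sysmon schemas; hostnames, accounts and times are invented).
SAMPLE_EVENTS = [
    {"host": "FIN-LAPTOP-07", "channel": "Application", "event_id": 11707, "time": "2025-05-15T10:00:10",
     "fields": {"Message": "Product: NetBird -- Installation completed successfully."}},
    {"host": "FIN-LAPTOP-07", "channel": "Application", "event_id": 11707, "time": "2025-05-15T10:00:40",
     "fields": {"Message": "Product: OpenSSH -- Installation completed successfully."}},
    {"host": "FIN-LAPTOP-07", "channel": "Security", "event_id": 4720, "time": "2025-05-15T10:01:05",
     "fields": {"TargetUserName": "svc_support", "SubjectUserName": "cfo.user"}},
    {"host": "FIN-LAPTOP-07", "channel": "Security", "event_id": 4732, "time": "2025-05-15T10:01:07",
     "fields": {"MemberName": "FIN-LAPTOP-07\\svc_support", "TargetUserName": "Administrators",
                "TargetSid": "S-1-5-32-544"}},
    {"host": "FIN-LAPTOP-07", "channel": "Sysmon", "event_id": 13, "time": "2025-05-15T10:01:20",
     "fields": {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\wscript.exe",
                "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
                "Details": "DWORD (0x00000000)"}},
    # Benign: IT provisions a new-hire account elsewhere; no admin add, no RDP change.
    {"host": "HR-DESKTOP-02", "channel": "Security", "event_id": 4720, "time": "2025-05-15T09:30:00",
     "fields": {"TargetUserName": "new.hire", "SubjectUserName": "it.admin"}},
]

if __name__ == "__main__":
    for finding in correlate_hidden_admin_rdp(SAMPLE_EVENTS):
        print(finding)
```

Each signal on its own is noisy (IT creates accounts and enables RDP legitimately), which is why the rule fires only on the conjunction inside one short window on one host; the scripting engine recorded as the Sysmon Image and the remote-access installs are attached so an analyst can confirm the story without pivoting.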

Crooks Use Vishing Attacks to Compromise Organizations' Salesforce Instances

A criminal threat actor tracked as "UNC6040" is using voice phishing (vishing) attacks to compromise organizations' Salesforce instances, according to researchers at Google's Threat Intelligence Group. After gaining access, the attackers exfiltrate the victim's data and hold it for ransom.

"Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements," the researchers write.

"This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organizations' Salesforce data.

"In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce." The threat actor attempts to trick employees into allowing a malicious, unofficial version of a Salesforce tool to access their Salesforce instance.

"A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal," the researchers write. "This application is often a modified version of Salesforce's Data Loader, not authorized by Salesforce.

"During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments."

Google notes that vishing isn't a new technique, but the recent trend of threat actors using phone calls to impersonate IT departments has proven very effective.

"[T]his campaign by UNC6040 is particularly notable due to its focus on exfiltrating data specifically from Salesforce environments," the researchers write. "Furthermore, this activity underscores a broader and concerning trend: threat actors are increasingly targeting IT support personnel as a primary vector for gaining initial access, exploiting their roles to compromise valuable enterprise data.

The success of campaigns like UNC6040's, leveraging these refined vishing tactics, demonstrates that this approach remains an effective threat vector for financially motivated groups seeking to breach organizational defenses."

Google has the story:
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
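Because the attackers relied on a look-alike connected app rather than a Salesforce vulnerability, the defensive check is an audit of what is actually authorized in the org. The Python below is an added example written for this page, not code from Google, Salesforce or KnowBe4: it walks a constructed export of an org's connected-app usage and flags apps whose name resembles Data Loader but is not the approved app, or that hold broad OAuth scopes ("full", or "api" with "refresh_token", which are real Salesforce scope names) while authorized by only one or two users. The allow-list, the similarity threshold, the footprint cut-off and all app records are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list: connected apps the org has reviewed and approved. Populate it from
# your own Setup > Connected Apps OAuth Usage page; here it holds just the genuine Data Loader.
APPROVED_APPS = {"Data Loader"}
# Brands worth checking look-alike names against (Data Loader is the one UNC6040 imitated).
IMITATED_BRANDS = {"Data Loader"}
LOOKALIKE_THRESHOLD = 0.8
SMALL_FOOTPRINT = 2            # an app authorized by this few users is often one victim's approval


def normalize(name: str) -> str:
    return re.sub(r"[^a-z0-9]", "", name.lower())


def lookalike_of(name: str):
    """Return the brand a name imitates (similar but not identical), or None."""
    n = normalize(name)
    for brand in IMITATED_BRANDS:
        b = normalize(brand)
        if n != b and SequenceMatcher(None, n, b).ratio() >= LOOKALIKE_THRESHOLD:
            return brand
    return None


def has_broad_scopes(scopes) -> bool:
    # "full", or "api" together with "refresh_token", lets an app pull data on a schedule
    # without the user present; these are real Salesforce OAuth scope names.
    s = set(scopes)
    return "full" in s or {"api", "refresh_token"} <= s


def audit_connected_apps(apps):
    """Flag apps that look like a known brand but are not the approved app, or that hold
    broad scopes while authorized by only a handful of users."""
    approved = {normalize(a) for a in APPROVED_APPS}
    findings = []
    for app in apps:
        if normalize(app["name"]) in approved:
            continue
        reasons, severity = [], None
        brand = lookalike_of(app["name"])
        if brand:
            reasons.append(f"look-alike name: resembles '{brand}' but is not the approved app")
            severity = "high"
        if has_broad_scopes(app["scopes"]):
            reasons.append("broad scopes: " + ", ".join(sorted(app["scopes"])))
            if app["user_count"] <= SMALL_FOOTPRINT:
                reasons.append(f"authorized by only {app['user_count']} user(s)")
                severity = severity or "medium"
        if severity:
            findings.append({"name": app["name"], "contact_email": app.get("contact_email"),
                             "severity": severity, "reasons": reasons})
    return findings


# Constructed export of an org's connected-app usage (names, e-mails and counts are invented).
SAMPLE_APPS = [
    {"name": "Data Loader", "contact_email": "(salesforce)", "scopes": ["api", "refresh_token"], "user_count": 4},
    {"name": "DataLoader Pro", "contact_email": "support@dl-pro.example",
     "scopes": ["api", "refresh_token", "web"], "user_count": 1},
    {"name": "Payroll Sync", "contact_email": "integrations@payroll.example", "scopes": ["api"], "user_count": 120},
    {"name": "Chat Connector", "contact_email": "ops@chat.example",
     "scopes": ["api", "refresh_token"], "user_count": 300},
]

if __name__ == "__main__":
    for f in audit_connected_apps(SAMPLE_APPS):
        print(f["severity"].upper(), f["name"], "->", "; ".join(f["reasons"]))
```

Run periodically, this surfaces exactly the pattern in the report: one user approving a freshly named "Data Loader" variant with the scopes needed to bulk-export records. The complementary preventive control is to restrict which connected apps users may self-authorize, so that the vishing script has nothing for the victim to click.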

What KnowBe4 Customers Say

"I just wanted to make you aware of the outstanding assistance Kelli C. from KnowBe4 has provided in setting up my environment. Her unwavering commitment to delivering exceptional service has significantly enhanced my experience with the program.

"From our initial interaction, Kelli's promptness and attentiveness have been remarkable. Regardless of the time or nature of my inquiries, she consistently responds swiftly, even in urgent situations. This dedication ensures that I can rely on timely support whenever challenges arise.

"Kelli combines professionalism with a friendly demeanor, making technical discussions both productive and enjoyable. Her approachable attitude fosters a collaborative atmosphere, allowing for effective problem-solving and a deeper understanding of the program's features.

"I extend my heartfelt thanks to Kelli for her exceptional support. Her contributions have made a lasting positive impact on my experience, and I look forward to continuing our collaboration."

- J.M., Security Analyst

The 10 Interesting News Items This Week
  1. We're here. AI-generated video is now extremely realistic. Check out this 8-second Veo 3 clip:
    https://arstechnica.com/ai/2025/05/ai-video-just-took-a-startling-leap-in-realism-are-we-doomed/

  2. WIRED: "Humans are still better than technology at detecting deepfakes". WIRED clearly have not seen Veo 3:
    https://www.wired.com/story/youre-not-ready-for-ai-powered-scams/

  3. Australian ransomware victims now must tell the government if they pay up:
    https://therecord.media/australia-ransomware-victims-must-report-payments

  4. Ukraine's military intelligence claims cyberattack on Russian strategic bomber maker:
    https://therecord.media/ukraine-military-russia-strategic-bomber

  5. FBI: Play ransomware breached 900 victims, including critical orgs:
    https://www.bleepingcomputer.com/news/security/fbi-play-ransomware-breached-900-victims-including-critical-orgs/

  6. Anthropic introduces new Claude Gov models with national security focus:
    https://www.nextgov.com/acquisition/2025/06/anthropic-introduces-new-claude-gov-models-national-security-focus/405836/

  7. New PathWiper data wiper malware hits critical infrastructure in Ukraine:
    https://www.bleepingcomputer.com/news/security/new-pathwiper-data-wiper-malware-hits-critical-infrastructure-in-ukraine/

  8. Scattered Spider Uses Tech Vendor Impersonation and Phishing Kits to Target Helpdesks:
    https://reliaquest.com/blog/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025/

  9. Vendor email compromise attacks are growing increasingly effective:
    https://www.infosecurity-magazine.com/news/vec-effective-driving-engagement/

  10. ClickFix social engineering tactic impersonates Cloudflare Turnstile checks:
    https://www.securityweek.com/clickfix-attack-exploits-fake-cloudflare-turnstile-to-deliver-malware/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
