CyberheistNews Vol 16 #13 The 'Urgency Trap': Why Time Pressure is Your Biggest Email Red Flag

The 'Urgency Trap': Why Time Pressure is Your Biggest Email Red Flag

The old rules for spotting a phishing email are changing. Remember looking for bad grammar and clumsy spelling? Thanks to AI, hackers' emails are increasingly polished and hard to spot. But a new poll from KnowBe4 reveals the modern worker's most reliable alarm bell for a cyberattack isn't a typo; it's a sense of manufactured urgency.

Pressure to Act is the New Phishing Red Flag

Our data shows that a shocking 34% of people now identify "pressure to act quickly" as the primary red flag of a fraudulent email. This social engineering trick has surpassed traditional indicators like:

• Unknown sender addresses (23%)
• Requests for sensitive information (23%)
• Poor spelling or grammar (20%)

Thanks to AI, hackers' emails are increasingly hard to spot, written perfectly in any language. However, the tell-tale sign is still their desire to get you to do something and do it quickly. By creating an artificial crisis, they hope to bypass the very diligence that organizations have worked so hard to build. But our data shows that workers are onto them; they now recognize that if an email demands immediate action, it deserves immediate suspicion.

The Internal Threat: Email Anxiety is Real

It's not just outside attacks we need to worry about. Employees are also worried about making simple, yet costly, human errors. Almost half (44%) of workers named "sending to the wrong recipient" as their biggest concern when sending a work email.

This simple blunder is now more worrying than a targeted phishing attack (20%). Another 19% are concerned about accidentally including confidential information in their emails.

How to Beat the Blunder

This "email anxiety" is already changing how people work. To combat the fear of a professional mistake, more than half (52%) of workers verify recipients and attachments every single time. Surprisingly, only 12% take the arguably more critical step of checking for sensitive information.

The reality is that human intuition needs a digital safety net.

By combining real-time security coaching with automated protections, we can help employees navigate the "Urgency Trap" and provide the peace of mind needed to catch any incidents of sensitive information being sent to the wrong person. We don't just want to stop the bad emails from coming in; we want to stop the mistakes from going out.

The good news is that security awareness is increasing—with only 6% of staff now ignoring suspicious emails. The proactive culture is there; it just needs to be backed by technology that reduces the mental load on the individual.

Blog post with links:
https://blog.knowbe4.com/the-urgency-trap-why-time-pressure-is-your-biggest-email-red-flag

[Live Demo] Ridiculously Easy AI Powered Security Awareness Training

Traditional security awareness training isn't working. 68% of breaches still involve people, yet "one-size-fits-all" programs leave your users fatigued and vulnerable. When users forget up to 90% of what they learn within a week, you need a human risk management strategy that actually sticks.

Join us for a live demo to see how KnowBe4’s Security Awareness Platform empowers your security culture. Stop wasting time on manual campaign management and let AI deliver personalized, high-impact guidance that changes behavior.

You'll see how to:

• Use an autonomous, always-on system to identify high-risk users and personalize your phishing simulations and training
• Generate hyper-realistic deepfakes of your own executives to prepare users to spot AI-driven manipulation and social engineering
• Automatically create convincing phishing simulations including modern attack styles like callback phishing, paired with the most relevant landing page
• Access the world's largest library of always-fresh security awareness and compliance training content, available in 35+ languages

See the platform trusted by over 70,000 organizations to reduce human risk and save your teams hours every week.

Date/Time: Wednesday, April 8 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/kmsat-demo-1?partnerref=CHN

Best Practices for Implementing AI Agents

By Martin Kraemer

On March 9th, Codewall.ai disclosed how it had hacked McKinsey & Company's AI platform called Lilli, a purpose-built system for 43,000+ employees to analyze documents, chat and access decades of proprietary research. The researchers unleashed an AI agent which quickly scanned 200 endpoints, identified 22 that did not require authentication and one that wrote user search queries into a database including non-parameterized JSON keys that were concatenated directly into SQL.

What sounds like a potential SQL injection vulnerability turned out to be one — albeit most normal tools would not have detected it, according to the researchers. Subsequently, the attacker AI got access to millions of chat messages, hundreds of thousands of files, thousands of user accounts and more than 300,000 AI agents all inside the database.

The adversarial agent also managed to infect AI model configurations including system prompts to circumvent guardrails. These prompts were stored alongside the data the agent was accessing.

Any attacker using the SQL injection could have rewritten these prompts with a simple UPDATE statement wrapped in a single HTTP call. The consequences could have been devastating for the organization as consultants might have trusted output that was subtly altered.

Other problems would have been data exfiltration, removing guardrails and silent persistence. None of this happened as the research responsibly disclosed their findings with McKinsey, allowing the organization to patch all vulnerabilities.

Adoption Is Outpacing Security

Every organization implementing or using AI agents must take this lesson seriously; protect your AI prompts like crown jewels. And many organizations are currently putting their best efforts forward. Gartner forecasts 40% of enterprise applications will embed task-specific AI agents by 2026.

A PwC survey reported 79% of surveyed executives already used AI agents in their organization. In a different survey, 62% of AI practitioners identified security as a leading concern and 28% of senior executives ranked lack of trust as a top three challenge. AI governance is urgently needed to secure agents and restore trust in AI systems.

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/best-practices-for-implementing-ai-agents

How to Secure AI Adoption in Your Organization

Your digital perimeter is no longer defined by human logins alone. As your organization transitions from blocking AI to building with it, you are effectively onboarding a new class of "digital colleagues" that operate with speed.

With Goldman Sachs estimating that agentic AI could account for 60% of software market value by 2030, the workforce is undergoing a rapid transformation. This shift introduces a new dimension of security risk.

Join Martin Kraemer, KnowBe4 CISO Advisor, for a deep dive into the practicalities of securing your AI adoption. While traditional strategy focuses on human behavior, autonomous AI agents operate without an inherent grasp of your specific risk tolerance, requiring a new approach to oversight and interaction security.

You'll learn:

• Why AI agents can be prompt-engineered just as easily as humans can be socially engineered and how to defend against both
• A look at recent AI threats, how they bypass traditional controls and how they could have been avoided
• Practical steps you can take immediately to secure AI adoption across your organization
• How to manage the interactions between your employees and AI to eliminate "Shadow AI" while encouraging sanctioned use
• Strategies for managing the risks of agents supervising other agents in production, where the pace of interaction exceeds human ability to grasp

You'll leave with clear next steps for navigating the convergence of human and AI risk, ensuring your security strategy evolves as fast as the tools your team is using.

Date/Time: Wednesday, April 15 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/how-to-secure-ai-adoption?partnerref=CHN

I Didn’t Revoke my API Keys Because Claude Called Me An Idiot

By Javvad Malik

I need to confess something. A few days ago whilst vibe coding at 2am (which can end up burning through tokens like they are going out of fashion) I accidentally pasted my API key directly into a Claude chat instead of the terminal window I had open.

Claude told me off.

It felt like a full, proper, disappointed parent tone; the AI equivalent of "I'm not angry, just disappointed", except it absolutely was angry. There may have been paragraphs. Multiple paragraphs (at least it felt that way and that is how I’m choosing to recall the episode) about credential hygiene and security best practices and the importance of immediately revoking compromised keys.

I felt terrible. Genuinely terrible. That special kind of shame that comes from doing exactly the thing you have spent years sneering at other people for doing. Every single time I have heard about another developer leaving AWS credentials in a public GitHub repo, I have done that superior little headshake.

That "how could anyone be so careless" eye roll. That smugness that comes from believing you are somehow above such basic errors.

Turns out I am not above anything. I am just like everyone else. Mostly just fumbling through the darkness, hoping nobody notices. After the shame came something else entirely. Anger. Proper, irrational, ego-driven anger.

At a chatbot.

Because who does this son of Clippy think it is, lecturing me about security? It is a language model. A very sophisticated one, admittedly, but at its core it is just predicting the next most likely word. It has no concept of what security actually means. It has never sat through a three-hour incident response call at 4am. It has never had to explain to a board why the customer database is currently being sold on a forum with a skull logo.

It has never felt anything, because it cannot feel anything.

And yet there I was, being told off. So my immediate response was not to fix the issue, it was to yell, "How dare you?" I think this is how most things go down. Someone makes a mistake, and when it gets pointed out, instead of fixing it, it is easy to get defensive, angry and want to protect your ego… leaving a vulnerability in place may feel better than admitting you are wrong.

I still have not revoked that API key. Because why give Claude the satisfaction of being right and me being wrong?

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/i-didnt-revoke-my-api-keys-because-claude-called-me-an-idiot

5 Reasons to Attend KB4-CON 2026

KB4-CON is just around the corner and we're gearing up for our biggest event yet! Haven't secured your spot to be with us this May?

Here are the top five reasons to join us in Orlando:

1) Hear from world-renowned climber Alex Honnold
In this can't miss keynote, Alex Honnold will share the mindset and discipline behind performing at the highest level, where preparation isn't optional and risk isn't eliminated, but meticulously managed.

2) Look to the future with CEO Bryan Palma
KnowBe4 CEO Bryan Palma takes the stage at his first KB4-CON to share a forward-looking view of human risk management and the innovation shaping what's next. Learn how KnowBe4 empowers both humans and AI agents, unveiling new capabilities and bold ideas redefining security culture.

3) See what's coming on the KnowBe4 roadmap
Get an inside look at what's next across the platform through product-led sessions and live demos. Explore new innovations, AI-driven content advancements and hear from KnowBe4 product leaders on how we're advancing human risk management and AI defense.

4) Be the first to see The Inside Man season 7
The most ambitious season yet of KnowBe4's award-winning series premieres at KB4-CON! Walk the red carpet, hear from the cast and watch the Season 7 premiere alongside the stars.

5) Soak up the sun in Orlando
Hosted at the Orlando World Center Marriott, just minutes from Walt Disney World, the venue offers an onsite waterpark and 18-hole golf course. Plus, attendees get access to discounted Disney park tickets, making it easy to extend your stay or bring the family along.

KB4-CON brings together customers, partners and security leaders all in one place. Don't miss the cybersecurity event of the year!

Save My Spot:
https://knowbe4.cventevents.com/dmD9b4?RefId=Email7

Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: [MORE] Visit Us At KB4-CON 2026 May 12-14 Orlando Florida!:
https://knowbe4.cventevents.com/event/5d3dfce6-ccb0-482d-83bb-0481ea07617f/summary

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-13-the-urgency-trap-why-time-pressure-is-your-biggest-email-red-flag

Why Your Human Risk Management Strategy Can’t Ignore AI

AI isn't just another technology wave—it's a force multiplier for both innovation and risk. In a recent webinar featuring insights from Bryan Palma and guest speaker Jinan Budge, Vice President and Research Director at Forrester, one message came through clearly: the rise of AI and AI agents is fundamentally reshaping the human risk landscape—and security leaders need to move fast to keep up.

From a 44% increase in AI-related incidents to the rapid emergence of agentic systems operating 24/7, the conversation highlighted a pivotal shift. The traditional boundaries between human risk and technology risk are dissolving. What's replacing them is a new, blended challenge: managing risk across a workforce that now includes both humans and machines.

The Expanding Attack Surface—Fueled by AI

AI is accelerating the scale, speed and sophistication of threats. As Palma noted, organizations are seeing a dual impact:

• Unintentional risk: Employees misusing AI tools, often with good intentions
• Malicious exploitation: Threat actors weaponizing AI through deepfakes, vishing and prompt injection

Guest speaker Jinan Budge captured the urgency:

"AI agents are trained to have infinite willpower, that's what makes them incredible. But it is also what makes it really important for us to have guardrails around them."

Unlike humans, AI agents don't sleep. They don't pause. They don't second-guess. That creates a dramatically expanded attack window—one that adversaries are already exploiting.

Shadow AI Is the New Shadow IT

One of the most striking insights: up to 40% of employees have already shared sensitive information with large language models—often unknowingly. This isn't a technology problem. It's a cultural one.

When security becomes a blocker instead of an enabler, users find workarounds. And in the age of AI, those workarounds scale fast.

"When security becomes the department of 'no,' inevitably, what ends up happening is that everybody is going to find a workaround, not to be bad people, but just because everyone wants to get their work done," Budge explained.

This is where Human Risk Management (HRM) becomes critical—not just to train users, but to understand and influence behavior in real time.

AI Agents: Your New (Unmanaged) Workforce

Organizations are rapidly deploying AI agents—but without the same rigor applied to human employees. No onboarding. No background checks. No governance. Palma put it bluntly: "We have processes for humans—screenings, training, oversight. We don't have that for agents yet."

That gap is creating real risk. Many organizations don't even have a basic inventory of where AI agents exist, what they're doing or what data they can access.

Governance Is the Foundation—But It's Lagging

Despite the urgency, most organizations are still playing catch-up. Formal AI governance frameworks, policies and oversight committees are only now beginning to emerge. And that delay matters. Jinan highlighted just how far behind many organizations are.

Effective AI security requires a holistic approach, including:

• Governance, risk and compliance (GRC)
• Identity and access management
• Data security and privacy
• Zero trust principles

This isn't a point solution problem. It's an organizational one.

five Key Takeaways for Security and IT Leaders

If you didn't attend the webinar, here are the five critical insights you need to act on now:

• AI Is Expanding Human Risk—Not Replacing It
• AI Agents Must Be Treated—and Secured—Like Employees
• Visibility Is Step One
• Risk Must Be Measured—Not Assumed
• Security Culture Must Evolve

The biggest shift isn't technical—it's cultural. Organizations must rethink what "security culture" means in a world where humans and AI agents work side by side.

The Bottom Line

AI is a massive opportunity—but only for organizations that approach it with discipline. You can't ignore it. You can't block it. And you definitely can't secure it with yesterday's strategies. For security leaders, the path forward is clear: embrace AI, govern it rigorously and manage human risk at the center of it all.

Blog post with links at:
https://blog.knowbe4.com/why-your-human-risk-management-strategy-cant-ignore-ai

Scammers Abuse Calendar Invites to Send Phony Subscription Notices

Malwarebytes warns that a phishing campaign is using Google Calendar invites to send phony renewal notices for Malwarebytes subscriptions. The calendar invites contain a phone number that will connect the user with a scammer.

"The amounts in these fake invites are large and attention-grabbing, usually several hundred dollars for multiple years of service," Malwarebytes says. "The scammers want you to believe a considerable charge has already gone through so that you react immediately instead of thinking critically.

"The goal is to get you to call, rather than click a link. The calendar description reads like a receipt, but the real call to action is always the same: urging you to call a number immediately to dispute or cancel the charge.

"Once you call, the scammer can pressure you in real time. They might ask for payment details, convince you to install remote-access software or manipulate you into sending money."

Calendar invites might seem more convincing than phishing emails because users may not know that threat actors can add events to their calendars. Malwarebytes outlines the following advice to help users avoid falling for calendar spam:

• "Turn off auto-add or auto-processing so invites stay as emails until you accept them.
• Restrict calendar permissions so only trusted people and apps can add events.
• In shared or resource calendars, remove public or anonymous access and limit who can create or edit items.
• Use an up-to-date real-time anti-malware solution with a web protection component to block known malicious domains.
• Don't engage with unsolicited events. Don't click links, open attachments or reply to suspicious calendar events such as 'investment,' 'invoice,' 'bonus payout,' 'urgent meeting'—just delete the event.
• Enable multi-factor authentication (MFA) on your accounts so attackers who compromise credentials can't abuse the account itself to send or auto-accept invitations."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Malwarebytes has the story:
https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-malwarebytes-renewal-notices-in-your-calendar

What KnowBe4 Customers Say

"Hi Bryan, Things are going very well. Your onboarding customer success team, Britni D., did a fantastic job getting us up and running. I can honestly say this has to be one of the best 'onboardings' I've been able to be a part of for a hosted solution. Thanks for reaching out and I'm looking forward to a long relationship with KnowBe4!"

- G.G., Director of Technology

1. Iran-linked ransomware gang targeted U.S. healthcare org amid military conflict:
   https://therecord.media/iran-linked-ransomware-gang-targeted-us-healthcare-org
   
   
2. [FBI] Russian Intelligence Services Target Commercial Messaging Application Accounts:
   https://www.ic3.gov/PSA/2026/PSA260320
   
   
3. Russian hacker who helped Yanluowang ransomware gang gets nearly 7-year prison sentence:
   https://therecord.media/hacker-russian-ransomware-sentenced-doj
   
   
4. Governing AI Agent Behavior: Aligning User, Developer, Role, and Organizational Intent:
   https://techcommunity.microsoft.com/blog/microsoft-security-blog/governing-ai-agent-behavior-aligning-user-developer-role-and-organizational-inte/4503551
   
   
5. Tycoon2FA Phishing Service Resumes Activity Post-Takedown:
   https://www.infosecurity-magazine.com/news/tycoon2fa-phishing-service-resumes/
   
   
6. Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware:
   https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html
   
   
7. UK sanctions Xinbi marketplace linked to Asian scam centers:
   https://www.bleepingcomputer.com/news/security/uk-sanctions-xinbi-marketplace-linked-to-asian-scam-centers/
   
   
8. Invoice fraud has cost the UK construction sector millions:
   https://www.infosecurity-magazine.com/news/invoice-fraud-uk-construction/
   
   
9. Scam compounds are hiring "face models" to act in deepfake calls:
   https://www.malwarebytes.com/blog/news/2026/03/scam-compounds-hiring-ai-models-to-seal-deal-in-deepfake-video-calls
   
   
10. Phishing campaign targets GitHub developers with fake code alerts:
    https://www.technadu.com/github-phishing-campaign-targets-developers-with-fake-vs-code-alerts-that-urge-the-patching-of-fabricated-cves/624482/
    
    

• [SUPER FAVE] Meet "Roadrunner": a GENIUS bipedal, wheeled robot for multi-modal locomotion:
  https://youtu.be/9kae-UAME1U
  
  
• Virtual Vaca #1 - Top 10 Places To Visit in Sri Lanka - Travel Guide:
  https://youtu.be/yYuuDQbnvpU
  
  
• Virtual Vaca #2 - Netherlands in 4K - Incredible Scenes & Hidden Gems:
  https://youtu.be/dIcIZmld5Ss
  
  
• Virtual Vaca #3 - KANAZAWA, JAPAN (2026) | Top Things To Do For A One Day Visit:
  https://youtu.be/o0UeQJMJOZc
  
  
• My Hardest Wingsuit Exit in America:
  https://youtu.be/6xZpUp5_0tw
  
  
• Epic Skills Best of the Week!:
  https://youtu.be/Bmoe7aB1s5o
  
  
• Switzerland's $2BN Tunnel U-Turn:
  https://youtu.be/bzTntRHmpa8
  
  
• Anastasiia and her dog Salsa perform a breathtaking synchronized dance to Alex Warren's 'Ordinary' — and viewers everywhere agree it deserved the Golden Buzzer.
  https://www.flixxy.com/anastasiia-and-salsa-the-doggy-dancing-duo-on-britains-got-talent-2026.htm?utm_source=chn&utm_medium=email
  
  
• Astronaut Tim Peake Flies In Spitfire For Its 90th Anniversary:
  https://youtu.be/614f3AX8VwM
  
  
• The Odyssey | Christopher Nolan's New Movie Official Trailer:
  https://youtu.be/Mzw2ttJD2qQ
  
  
• Xiaomi SU7 Ultra vs Ferrari SF90XX - DRAG RACE:
  https://youtu.be/KGW8bQtcpJg
  
  
• For Da Kids #1 - Nurse Shark Follows Man Like Puppy For Rubs:
  https://youtu.be/zB4YduQrBfM
  
  
• For Da Kids #2 - Meet Meevin, you've probably never seen a cat like him:
  https://youtu.be/v-fWv0tp3og
  
  
• For Da Kids #3 - Couple Saves A Baby Squirrel, And He Keeps Coming Back:
  https://youtu.be/U2tNDSZmnOY
  
  
• For Da Kids #4 - He Saved This Baby Lioness, and Today She Greets Him With Giant Hugs:
  https://youtu.be/vLX7pjdRClY
  
  
• For Da Kids #5 - Bikers Interrupt Their Ride to Save a Life:
  https://youtu.be/2v9GBovV8Uk