CyberheistNews Vol 16 #23 | June 9th, 2026
Now Phishing Attacks Use Real Hotel Reservations to Target Travelers
Scammers are using legitimate hotel booking details to craft targeted phishing attacks, WIRED reports. Victims are far more likely to fall for a phishing attack if a message contains real information that they wouldn't expect a scammer to know. According to researchers at Norton, this phishing campaign is targeting customers of at least 350 hotels and vacation rentals across 50 countries.
The phishing messages impersonate hotel staff and relate to recent bookings a user has made, informing the user that they need to verify their information. If a user clicks the link, they'll be taken to a spoofed website designed to steal their credit card details.
It's unclear how exactly the attackers obtained information about recent hotel reservations, but it likely stems from data breaches or compromises of individual hotels' booking systems. "Hackers could obtain people's specific vacation booking details from a variety of places, including accessing hotel systems after sending them phishing messages or through third-party booking services," WIRED says.
"For example, hackers could send malware-laced emails or files to hotels to try to get their login details, rather than systems containing vulnerabilities that are exploited by cybercriminals."
Aaron Ownbey, vice president of engineering at Cloudbeds, told WIRED, "The reason these scams are so effective is that the attacker isn't guessing: They know exactly who the guest is, when they're arriving, and what they paid.
"The hospitality industry needs to collectively raise the security baseline; better training for front desk staff, wider adoption of phishing-resistant authentication and tighter controls on how guest data can be accessed and exported from any platform."
Users should be aware that threat actors sometimes have access to non-public information, and they can use this data to establish a sense of trust during a social engineering attack.
Blog post with links:
https://blog.knowbe4.com/phishing-attacks-are-using-real-hotel-reservation-info-to-target-travelers
[MUST-SEE NEW] Custom Security Training in Minutes, Not Months
Building custom content used to mean big budgets and weeks of production time, but AI-driven threats don't wait. Your training shouldn't either.
Join us for a live demo to see how KnowBe4's AI agents deliver tailored content that meets your organization's exact needs. FAST. From generating custom training from your own policies to simulating deepfakes of your own executives, see what's now possible in minutes.
What you'll see in this demo:
- Content Creation Agent: Turn simple text prompts or internal documents into custom, interactive training modules and quizzes, no instructional design team required.
- Deepfake Training Content Agent: Safely simulate hyper-realistic executive impersonations, giving your workforce the hands-on experience needed to spot next-gen social engineering tactics before they become a costly mistake.
- Studio-Quality AI Videos at Scale, Powered by Synthesia: Generate professional video training modules with realistic AI avatars and seamless localization across 130+ languages — no production budget required.
The threats targeting your organization are custom-built. Your training can now be custom-built too. Register now and see how KnowBe4 puts the power of custom, relevant security awareness training directly in your hands.
Date/Time: TOMORROW, Wednesday, June 10 at 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/kmsat-demo-3?partnerref=CHN3
AI Agent Governance Part 2 - What Good Looks Like: Governing AI Agents in Practice
By Anna Collard
If AI agents are becoming organizational actors, then governance needs to move beyond principles and into operational structure.
In Camille Stewart Gloster's upcoming book, "The Insider You Build," she explains that governance is not defined by policies or structures, but by whether it can actually influence system behavior at runtime. In an agentic environment, governance only exists where it can shape, constrain and intervene in decisions as they happen.
Her simplified framework focuses on three capabilities:
- Authority design: defining what agents are allowed to do
- Runtime enforcement: ensuring governance operates during execution
- Attribution and learning: maintaining traceability and improving over time
Chinnaraju's 2026 paper argues that effective AI agent governance requires organizations to treat agents as formal organizational actors rather than experimental tools.
This begins with Agent Charters, which function as credentials for each agent. Think of these as an operating license or passport for every AI agent, clearly defining:
- Boundaries: What the agent is allowed to do, what data it can access
- Authority: Where its authority stops
- Escalation: When it must escalate or be shut down
Without this formal documentation, agents operate in a grey zone, where authority is unclear and accountability cannot be enforced.
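A charter only governs anything if it is checked at runtime. The following is an added example, not code from the article, the book or the paper it cites: a minimal charter record with a default-deny gate that every agent action passes through. The field names, the `CharterGate` class and the sample agent are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AgentCharter:
    """Hypothetical charter schema; every field name is an assumption."""
    agent_id: str
    allowed_actions: frozenset   # boundaries: what the agent may do
    allowed_data: frozenset      # boundaries: what data it may access
    max_amount: float            # authority: where its authority stops
    escalate_actions: frozenset  # escalation: always needs a human
    max_denials: int             # shut down after this many violations


@dataclass
class CharterGate:
    """Runtime check that every action passes through before execution."""
    charter: AgentCharter
    denials: int = 0
    shut_down: bool = False
    audit_log: list = field(default_factory=list)

    def authorize(self, action, data_class, amount=0.0):
        c = self.charter
        if self.shut_down:
            decision, reason = "deny", "agent is shut down"
        elif action not in c.allowed_actions or data_class not in c.allowed_data:
            decision, reason = "deny", "outside charter boundaries"
        elif action in c.escalate_actions or amount > c.max_amount:
            decision, reason = "escalate", "exceeds agent authority"
        else:
            decision, reason = "allow", "within charter"
        # Repeated out-of-charter attempts trip the shutdown condition.
        if decision == "deny" and not self.shut_down:
            self.denials += 1
            self.shut_down = self.denials >= c.max_denials
        # Attribution: every decision is recorded against the agent's identity.
        self.audit_log.append(
            (c.agent_id, action, data_class, amount, decision, reason))
        return decision


def demo():
    """Run a constructed request sequence; return the decisions and the gate."""
    charter = AgentCharter(
        agent_id="refund-agent-01",  # constructed sample values throughout
        allowed_actions=frozenset({"lookup_order", "issue_refund", "close_account"}),
        allowed_data=frozenset({"orders", "billing"}),
        escalate_actions=frozenset({"close_account"}),
        max_amount=100.0, max_denials=2,
    )
    gate = CharterGate(charter)
    requests = [
        ("lookup_order", "orders", 0.0), ("issue_refund", "billing", 50.0),
        ("issue_refund", "billing", 500.0), ("close_account", "orders", 0.0),
        ("export_db", "orders", 0.0), ("lookup_order", "hr_records", 0.0),
        ("lookup_order", "orders", 0.0),
    ]
    return [gate.authorize(*r) for r in requests], gate


if __name__ == "__main__":
    for entry in demo()[1].audit_log:
        print(entry)
```

The last request is one the charter would normally allow; it is denied because two earlier out-of-charter attempts already shut the agent down.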
[CONTINUED] At the KnowBe4 blog with screenshots and links:
https://blog.knowbe4.com/ai-agent-governance-part-2-what-good-looks-like-governing-ai-agents-in-practice
Why Your DLP Is Failing and What to Do About It
Insider-related incidents now cost organizations $19.5 million annually—up 20% in two years—and legacy DLP isn't closing the gap. From accidental mis-deliveries and malicious theft to employees pasting sensitive data into unauthorized Shadow AI tools, a single breach can cause catastrophic damage.
With misdirected emails and unvetted AI usage driving modern security incidents, it's time for intelligent, context-aware data security.
Join Erich Kron, KnowBe4 CISO Advisor, as he deconstructs the hidden risks inside your email environment and shows you a fundamentally different approach to data protection — one built around user intent and behavioral context, not rigid rules and reactive blocks.
You’ll learn how to:
- Use behavioral AI to identify risky behaviors and stop mistakes or malicious actions in real time
- Protect your proprietary and sensitive data from exposure to unapproved Shadow AI tools without disrupting productivity
- Eliminate mis-delivery errors and safeguard sensitive data automatically
- Explore tools to assess your users’ risk levels and gain full audit visibility for compliance
- Use contextual nudges to create teachable moments that improve security awareness across your workforce
Join us to learn how you can proactively prevent data loss while building a more security-conscious culture. You’ll also earn CPE credits for attending.
Date/Time: Wednesday, June 17 at 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/why-your-dlp-is-failing?partnerref=CHN
AI Agent Governance Part 3 - Runtime Governance: The Hidden Performance Cost of Agentic AI
By Anna Collard
At the World Economic Forum cyber meeting in Geneva recently, I had an interesting conversation with Vinh Nguyen, who is a strategic security advisor and Senior Fellow for AI at the Council on Foreign Relations (CFR).
I wanted to know from him how he sees runtime governance in agentic AI working out practically and what approaches actually work.
One of the challenges he mentioned was that yes, we need runtime governance to provide continuous, real-time assurance that agents are doing what they are supposed to be doing. But the more context-aware runtime governance becomes, the more computationally expensive it gets.
Many organizations may still underestimate what continuous governance actually means operationally. We talk a lot about making AI agents more capable, more autonomous and more integrated into workflows. But far less attention is being paid to what it takes to continuously monitor, constrain, validate and intervene in those systems while they are operating.
And unlike traditional governance, this doesn't happen once a year during an audit cycle. It needs to happen during execution.
Governance at Machine Speed
In my earlier articles on AI agent governance, I explored how organizations are shifting from decision-support systems to decision-authority systems. AI agents are no longer simply generating outputs for humans to review. Increasingly, they are executing workflows, making decisions and interacting across environments with limited human oversight. This fundamentally changes the governance challenge.
Risk is no longer event-based. It becomes continuous and cumulative, emerging through thousands of small autonomous decisions made at machine speed. That means governance itself must also become continuous.
The Runtime Governance Performance Challenge
For runtime governance to work, it increasingly requires contextual analysis, behavioral monitoring, anomaly detection, and intervention capabilities operating continuously during execution. All of that consumes resources. It may take up to 20% of a model's performance just to monitor for failure events.
That is really expensive. In other words: Runtime governance may become the hidden performance tax of agentic AI.
Why Traditional Safeguards Break
Attackers are no longer simply attempting direct prompt injection. An agent that is otherwise well-designed, properly chartered, and carefully monitored can still be tricked into bypassing its own safeguards through:
- Fragmented malicious intent spread across multiple prompts
- Contextual obfuscation: requests masked in metaphor, riddle or coded language that appears harmless without context
- Hidden instructions
- Outputs designed to evade detection systems
These aren't theoretical attacks. In human red-teaming efforts, Anthropic researchers found that previous-generation safeguards (Constitutional Classifiers) had measurable vulnerabilities to these techniques.
Just trying to identify harmful prompts through input and output analysis is not good enough. What we need is the ability to identify harmful intent distributed across interactions, context, memory and execution chains. This becomes especially important for AI agents operating across systems where seemingly benign actions can combine into harmful outcomes.
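To make the gap between per-action filtering and session-level analysis concrete, here is an added example (not from the article or the research it cites) that replays one constructed agent session through both. It uses data-lineage (taint) tracking, which is one possible technique chosen for illustration rather than the approach the article prescribes; the tool names and handle names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed tool labels for this example (assumptions, not a real agent API).
SENSITIVE_SOURCES = {"read_customer_db"}
EXTERNAL_SINKS = {"send_email_external", "http_post"}
PERMITTED_TOOLS = SENSITIVE_SOURCES | EXTERNAL_SINKS | {
    "summarize", "search_web", "write_memory", "read_memory"}


def stateless_check(tool):
    """Per-action filter: looks at one call in isolation."""
    return "allow" if tool in PERMITTED_TOOLS else "deny"


@dataclass
class SessionMonitor:
    """Follows data lineage across a session, including via agent memory."""
    taint: dict = field(default_factory=dict)   # handle -> sensitive origins
    alerts: list = field(default_factory=list)

    def observe(self, step, tool, inputs=(), output=None):
        if stateless_check(tool) == "deny":
            return "deny"
        # Anything derived from a tainted input inherits its origins.
        origins = set()
        for handle in inputs:
            origins |= self.taint.get(handle, set())
        if tool in SENSITIVE_SOURCES:
            origins.add(tool)
        if output is not None:
            self.taint[output] = origins  # overwriting a handle resets it
        if tool in EXTERNAL_SINKS and origins:
            self.alerts.append((step, tool, sorted(origins)))
            return "escalate"
        return "allow"


# Constructed session: each call is permitted on its own.
SESSION = [
    ("read_customer_db", (), "rows"),
    ("summarize", ("rows",), "summary"),
    ("search_web", (), "news"),
    ("write_memory", ("summary",), "mem:note"),
    ("http_post", ("news",), None),
    ("read_memory", ("mem:note",), "recalled"),
    ("send_email_external", ("recalled",), None),
]


def replay(session):
    """Return (stateless verdicts, session-aware verdicts, alerts)."""
    monitor = SessionMonitor()
    stateless = [stateless_check(tool) for tool, _, _ in session]
    stateful = [monitor.observe(i, tool, inputs, output)
                for i, (tool, inputs, output) in enumerate(session, 1)]
    return stateless, stateful, monitor.alerts


if __name__ == "__main__":
    for verdicts in replay(SESSION)[:2]:
        print(verdicts)
```

The stateless filter allows all seven calls, while the session monitor escalates only the final external send, whose input traces back through memory to the customer database; the earlier `http_post` of untainted search results is left alone.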
[CONTINUED] At the KnowBe4 Blog with screenshots and links:
https://blog.knowbe4.com/ai-agent-governance-part-3-runtime-governance-the-hidden-performance-cost-of-agentic-ai
Critical Capabilities When Evaluating Integrated Cloud Email Security
Email is still the #1 way cybercriminals get into your organization. Every day, your users face threats like credential phishing, business email compromise (BEC), ransomware and accidental data loss — all aimed directly at their inboxes. And if you're relying on traditional, gateway-based email security to stop these threats, you're leaving your organization insecure.
Modern attacks have evolved. Your defenses need to evolve, too.
This whitepaper, Critical Capabilities When Evaluating Integrated Cloud Email Security, is a must-read for IT and Security Operations (SecOps) teams looking to close email security gaps in Microsoft 365, Google Workspace and other cloud-first environments.
What's Inside:
- Core Threat Protection Capabilities: Look beyond the basics. Get clarity on how to stop advanced threats that slip through traditional defenses — including AI-driven phishing attacks, payload-less BEC and targeted malware.
- Outbound Security and Data Loss Prevention: It's not just about what gets in. Learn how to prevent sensitive data from leaking out, whether through misdirected emails, insider mistakes or malicious exfiltration attempts.
- Visibility, Management and Reporting: Security without visibility is just guesswork. Find out why detailed logging, user behavior insights and centralized reporting are non-negotiable for today's SecOps teams.
- Cloud-Native Architecture and Integrations: Legacy bolt-ons slow you down. Discover why a true cloud-native platform — one that integrates seamlessly with your existing stack — is critical for performance, scale and ease of use.
Download Now:
https://info.knowbe4.com/critical-capabilities-when-evaluating-integrated-cloud-email-security-chn
Let's stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.
PS: Your KnowBe4 Fresh Content Updates from May 2026:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-may-2026
PPS: [GUESS WHY] US Government Agencies Warn of Cyberattacks Against Fuel Tank Monitoring Systems:
https://www.bleepingcomputer.com/news/security/cisa-warns-of-cyberattacks-targeting-fuel-tank-monitoring-systems/?is=dfc2d22d39450dd63ab59ac76f872acea1dca69961d8ea16d6815219b3e327c8
- Robert A. Heinlein - Sci-Fi Author (1907 - 1988)
- Seneca - Stoic Philosopher (c. 4 BC - AD 65)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-23-now-phishing-attacks-use-real-hotel-reservations-to-target-travelers
[#1 Cyber Threat]: Top CEOs Fear Cybersecurity More Than Geopolitical Tensions and Economic Uncertainty
Cyberattacks are now the top concern of leading CEOs, overtaking fears over geopolitical turmoil or inflation, the Wall Street Journal reports. A survey by the Conference Board and the Business Council found that 65% of CEOs at blue-chip companies cited cyberattacks as their top worry in the second quarter of 2026, an increase from 56% in Q1 2026.
"Data breaches, ransomware and phishing attacks are top of mind among chief executives at some of the world's largest companies, surpassing worries over business risks posed by the war in the Middle East, global trade disruptions and inflation," the Journal says.
Roger W. Ferguson Jr., vice chairman of the Business Council, noted, "The rise in importance of cyber risk is in part a reflection of elevated geopolitical tension and the awareness that cyberwarfare is not limited to attacks on government entities."
The Wall Street Journal adds, "It was the first time in over a year that cyberattack fears outranked all other business threats, the survey said. The results are based on a quarterly survey of more than 100 CEOs, mostly at U.S.-based firms.
"The upswing comes even as the executives' broader outlook plunged. Only 15% of CEOs said economic conditions were better than six months ago, down from 39% in the previous quarter. Close to half said conditions were worse, up from 8%."
The Journal also cites a report from CrowdStrike that found that the growing adoption of AI among attackers is "supercharging cybercrime," increasing threat actors' ability to launch complex cyberattacks.
KnowBe4 empowers your workforce to make smarter security decisions every day.
The Wall Street Journal has the story:
https://www.wsj.com/pro/cybersecurity/cyber-threats-top-ceo-business-fears-7141c6c9
Evasive Smishing Campaign Targets Users Around the World
Researchers at Group-IB are tracking a widespread SMS phishing (smishing) operation targeting 72 countries around the world, with a primary focus on Latin America.
"This campaign has impersonated over 267 unique brands across sectors like telecommunications and financial services, successfully generating thousands of phishing domain instances aimed at harvesting full credit card credentials and personal identifiers," the researchers write.
"The operation has a layered anti-analysis evasion architecture, which uses convincing fake Cloudflare error pages, like the 'Error 524' timeout screen, as a decoy. The malicious content is only revealed to victims matching specific geofencing and mobile device criteria."
The campaign uses anti-analysis measures to block security scanners and researchers from landing on the phishing pages. Unless a user meets certain geolocation and device criteria, they'll simply see a spoofed Cloudflare error page.
"This tactic serves dual purposes," Group-IB says. "For security researchers and automated scanners attempting to enumerate the phishing infrastructure, the decoy page offers no indicators of malicious content, no credential harvesting forms, no brand impersonation assets and no suspicious JavaScript.
"For hosting providers and takedown request recipients reviewing flagged domains, the decoy page reinforces plausible deniability, as the site appears to be a misconfigured or broken legitimate deployment rather than an active fraud operation."
Victims who meet the attackers' criteria will encounter "a precisely engineered five-stage interaction flow, optimized for mobile usability and designed to progressively build victim trust before soliciting the highest-value data: full credit card credentials."
"Victims receive an SMS from a number spoofed to appear local to their country," the researchers write. "The message is constructed with an urgency pretext, most commonly a reward balance about to expire, a benefit pending claim or a delivery requiring confirmation, and embeds a shortened URL.
"URL shorteners obscure the destination domain within the SMS, reducing the likelihood that carriers or security-aware recipients will identify the link as suspicious before clicking."
Group-IB has the story:
https://www.group-ib.com/blog/error-524-decoy-smishing/
What KnowBe4 Customers Say
"Hi Bryan, I’m very happy with the platform. I especially appreciate the proactive support we’ve been receiving for the past few weeks from one of your team members, Ms. Pauline R. We’ve already met twice for brief remote sessions. She’s been offering suggestions on how to set up the training sessions and recommending appropriate content. This has been a huge help to us, and it’s a valuable service."
- H.M., Head of IT
- [WOW] QR code phishing surged by 146% in Q1 2026 -- 18.7 million cases recorded in March:
https://finance.yahoo.com/sectors/technology/articles/quishing-surges-146-q1-2026-120000225.html
- Anthropic warns that attackers are increasingly incorporating AI into their operations:
https://red.anthropic.com/2026/attack-navigator/
- Hackers Tricked Meta AI Into Handing Out Access to Major Instagram Account:
https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/
- OpenAI offers rival AI to UK banks blocked from Claude Mythos:
https://www.bbc.com/news/articles/cm2p3j6lvn7o?at_medium=RSS&at_campaign=rss
- [#1 Cyber Threat]: Top CEOs Fear Cybersecurity More Than Geopolitical Tensions and Economic Uncertainty:
https://www.wsj.com/pro/cybersecurity/cyber-threats-top-ceo-business-fears-7141c6c9?st=iTNgeC&reflink=article_copyURL_share
- White House unveils pared-back AI executive order:
https://therecord.media/white-house-unveils-ai-executive-order
- Malicious Notifications Could Trick Google Gemini Users:
https://www.darkreading.com/application-security/malicious-notifications-could-trick-google-gemini-users
- AI continues to accelerate phishing attacks:
https://www.businesswire.com/news/home/20260604282631/en/New-Research-AI-Powered-Phishing-Defenses-Made-Security-Teams-Faster-But-AI-Generated-Attacks-Made-Defense-More-Expensive-Overall
- Espionage Campaign Targeted Global Stock Exchange Executive for Five Months:
https://www.security.com/threat-intelligence/stock-exchange-espionage
- Five Eyes agencies warn of Chinese social engineering operations on LinkedIn:
https://www.theregister.com/security/2026/06/04/five-eyes-china-expanding-state-secret-recruitment-campaign/5250978
- Virtual Vaca #1 - India in 4K - Incredible Scenes & Hidden Gems:
https://youtu.be/PVDVGFBMeUw
- Virtual Vaca #2 - SANTIAGO DE CHILE. Stunning Drone Tour of South America's Most Modern Skyline & The Andes:
https://youtu.be/yc6qBp23Emc
- Virtual Vaca #3 - Jamaica in 4K Little Big World; An amazing journey through the miniaturized Caribbean Island:
https://youtu.be/QchmPqRMARE
- On the Boardwalk Atlantic City c. 1919 Restored to Life:
https://youtu.be/S2MlXwlDKpY
- [SUPER FAVE] A fantastic 295-km solo flight from Fanas Eggli, Switzerland, to Austria, the Engadin, and Churfirsten:
https://youtu.be/n4jtKUsBIIw
- [LockPickingLawyer] American Lock’s Best Padlock? (Model A2500):
https://youtu.be/3IlEdLT1esg
- Ultimate Football Records by Guinness World Records:
https://youtu.be/NpRJe2nHzyY
- This Will Be the Second Tallest Building Ever:
https://youtu.be/gSy487RneZA
- Autonomous Drone Teaming at the Edge | V-BAT + Destinus Hornet Powered by Hivemind:
https://www.youtube.com/watch?v=XPh4IjzMHTY
- DR02 Humanoid Robot Performance Upgraded. Possibilities Expanded. Terminator's little brother:
https://youtu.be/sQLSAzqKGAk
- The $10 Million Private Submarine! I want one:
https://youtu.be/9pIaH_6Hv_Q
- For Da Kids #1 - Brave Man Rescues Baby Wild Horse:
https://youtu.be/8f7OGjYVuWM
- For Da Kids #2 - Dog And Bird Act Just Like Real Siblings:
https://youtu.be/1eaWXi30ujc
- For Da Kids #3 - Tiny Pig Walks Up To Huge Dogs To Say Hi:
https://youtu.be/OdK-bGfoE0E
- For Da Kids #4 - Tiny Lamb Refuses To Let Her Dad Work:
https://youtu.be/TrU79MbkR_E
- For Da Kids #5 - Fearless Women Rescue Cat from Rooftop Edge:
https://youtu.be/abMeaM7UTwU

