CyberheistNews Vol 8 #4 New Study: Is Your Phish-Prone Percentage Better or Worse Than Your Peers in the Industry?


One of your important IT security projects is getting the Phish-prone percentage of your users as low as possible, because phishing is the root cause of many security breaches.

But how are you doing compared to "similar-size peers" in your industry?

We just completed a big-data analytics exercise across our 15,000 customers and came up with new baseline Phish-prone percentages, as well as how fast they drop over time. To say the least, the numbers are very interesting, and this time we also broke them out by industry and organization size, showing the most at-risk industries.

With this much data to analyze, the new research uncovered some surprising results. The overall initial Phish-prone percentage benchmark across industries turned out to be a troubling 27%, with variations by size and industry.

Fortunately, the data showed that this 27% can be brought down by more than half, to just 13%, in only 90 days by deploying new-school security awareness training. The 365-day results show that by following these best practices, the final Phish-prone percentage can be reduced to 2.17% on average.

Key topics covered in the research:
  • New phishing benchmark data by org size and industry
  • Understanding the current phishing landscape
  • Most clicked simulated phishing attacks
  • Top 10 “In the Wild” reported phishing emails
The recording of the full 38-minute webinar is here -- strongly recommended for a Lunch & Learn!

Scam of the Week: The Most Sophisticated Netflix Phishing Yet

This Netflix phishing campaign goes after your login, credit card, mugshot and ID!

Paul Ducklin at Sophos wrote: "Think of the big security stories of recent months. Security holes like KRACK [and Meltdown]; a plethora of ransomware attacks ending in extortion; data breaches that were big, bigger or biggest: there are plenty of candidates for the story that got the most attention.

In contrast, phishing attacks rarely make the news these days, even though (or perhaps precisely because) there are so many of them.

Somehow, phishing seems to have turned into an “obvious” problem that everyone is expected to have experienced, learned from, got the better of, and moved on.

But phishing is still big business for cybercriminals: in the last week alone, for example, SophosLabs intercepted phishing attacks that abused the brands of many financial institutions.

Organizations that had their brands hijacked in this way in the past few days include: eBay, PayPal, VISA, American Express, Bank of America, Chase, HSBC, National Australia Bank – and that’s just a random subset of the list, in one industry sector.

Protecting your brand against abuse by phishers is, sadly, as good as impossible, especially if your brand is well-known and widely advertised."

He is right: phishing and spear-phishing are still the bad guys' No. 1 infection vector of choice. This Scam of the Week covers a phishing campaign that hijacked the Netflix brand.

This phish tries to trick you into handing over your login details, your credit card data, your mugshot and your ID. Here are the details, screenshots and a ready-to-send email for your family, friends and employees:

Global Risk Report 2018: How Do Cyberattacks Stack up Against Other Threats?

This is a yearly report that always has some interesting high-level data and thinking. For instance, how do cyberattacks stack up against natural disasters, extreme weather or terrorist attacks?

The 13th edition of the World Economic Forum’s Global Risks Report, in partnership with Marsh & McLennan Companies, examines the evolving macro-level risk landscape and highlights the systemic threats that may disrupt expectations.

Is your company's responsiveness aligned with the risks it faces? Find out more by reading the Global Risks Report 2018 (80-page PDF):

Is Everything You've Heard About Password Policy Wrong?

No matter how strong your perimeter security may be, if your users are still using Post-it notes to keep track of their passwords, you are still at huge risk. NIST recently published updated recommendations on passwords, so the time is right to take another look at your own password policy.

KnowBe4's complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak-password-related threats.

WPT gives you a quick look at the effectiveness of your password policies and any failures so that you can take action. WPT tests against 10 types of weak-password-related threats, for example Weak, Duplicate, Empty and Never Expires, plus six more.

Here's how Weak Password Test works:
  • Reports on the accounts that are affected
  • Tests against 10 types of weak-password-related threats
  • Does not show/report on the actual passwords of accounts
  • Just download the installer and run it
  • Results in a few minutes!
This will take you 5 minutes and may give you some insights you never expected! Download Now:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The trick is in what one emphasizes. We either make ourselves miserable, or we make ourselves strong. The amount of work is the same." - Carlos Castaneda - Author (1925 – 1998)

"To keep the body in good health is a duty... otherwise we shall not be able to keep our mind strong and clear." - Buddha

Thanks for reading CyberheistNews

Security News

KnowBe4 Introduces a New Feature: Reporting APIs

Reporting APIs enable you to customize and obtain reports by integrating the data from your KnowBe4 Console with other business systems.

With the REST API, you can build custom dashboards that showcase a variety of statistics, including trained users, users who have not completed compliance requirements, users at highest risk, and the results of the most recent phishing test, or that correlate each user's Phish-prone percentage with their training activities, and much more.

Leveraging the KnowBe4 APIs gives you the flexibility to automate and customize how your phishing and training performance metrics are presented to your management team or Board of Directors. With Reporting APIs you can:
  • Save time by automating complex reporting tasks
  • Integrate with enterprise BI tools to showcase the efficacy of your security awareness program
  • Import user data into HR or Performance Management platforms to track employees’ history of course completions or failed phishing tests
Reporting APIs are available to all customers at Platinum and Diamond subscription levels.

Support Documentation:

Check out the full details along with sample requests in our API Guide here:

How to Handle Repeat Offenders of Phishing Sim Training

Article at Info Security Mag: "Once the phishing metrics are analyzed, what do you do with the repeated clickers? Common follow-up actions include additional training and notification to management. In many cases, no action is taken at all."

That is a problem.

Ultimately, fixing the problem boils down to your tolerance level for failing the exercises and understanding the importance of correcting the behavior. Implementing a formalized escalation process for test failures helps complete the life cycle of the phishing simulation training program.

Here is an example of how an escalation process would run during a 12-month period, assuming multiple campaigns are conducted. This is excellent information:

New Blockchain Bait and Olympic Phishing

The rapid rise in the value of Bitcoin and other cryptocurrencies has attracted many eager investors, but unfortunately it has also attracted many scammers eager to take advantage of unwary investors. First, one particular scam involves an app that, for a prepaid fee, will mine Bitcoin on your behalf, which is then transferred to an account from which you cannot withdraw it.

Next, there is a new kind of phishbait chumming the online waters: suggestions that something is up with your Bitcoin wallet. Emails are hitting inboxes in the wild that warmly invite the victim to "check your wallet" for a Bitcoin deposit that has just been made in their name, or else that advise with concern that they have "observed unusual activity" in that wallet.

The phishing emails are variations on a common theme, but they all invite you to "check attached slip" or "open attachment." The attachment is an ISO file, and it contains a variety of malicious programs. Sophos, the security company that is warning people about this scam, has observed a variety of malign payloads, but the most common one they are seeing is Fareit, a credential stealer.

We have been following the phishing campaigns that have appeared during the run-up to next month's Winter Olympics. The sort of social engineering we are seeing, however, is not unique to, or even largely confined to, high-profile events like the Games.

Mark Orlando, CTO of Raytheon Cyber, reminds people that we are likely to see more hostile cyber activity during this Olympiad than we did during the Rio Games, and that this is simply a natural result of the increased coordination and logistics that take place online. "It's natural to assume that more individuals and more individuals tied to these games will be targeted this year," he said.

He recommends good cyber hygiene, by which he means, first, solid user training and awareness, and, second, configuring systems for resilience in the face of attack. In the case of the Olympics, "People involved with the games should know that they will be targeted. Everyone involved should be aware of the threats."

We have some new Olympics and Bitcoin phishing templates for KnowBe4 customers. The categories and titles are below:

Current Events:
  • Fox News: 2018 Winter Olympics US Women's Figure Skating Athlete Disqualified for Drug Use
  • CNN Alerts: North Korea Refuses to Participate in the PyeongChang 2018 Winter Olympics
  • YouTube: Hurry! Limited access to the 2018 Winter Olympics live stream! Sign up now!
  • BitClubNet/Cryptocurrency/Bitcoin/Mining: $25 for Year of Bitcoin Mining -- While Supplies Last!
  • Coinbase: Claim your free Bitcoin today!
Phishing for Sensitive Information:
  • Netflix: Your Netflix account is on hold!

Spearphishing as a Tool of Influence

It is not news that the Russian government has committed itself heavily to hybrid warfare, which has both kinetic, traditional components and a heavy cyber element.

That cyber element has dominated operations against Western governments and societies, and it has taken the form of influence operations. An important component of those influence operations has been spearphishing: closely targeted phishing attempts against specific individuals, not the mass-mailed, broadcast spam approach so often followed by ordinary criminals.

Fancy Bear, also known as Pawn Storm, is a prominent cyber unit of Russia's GRU military intelligence agency. It got into the Democratic National Committee during the last election cycle by spearphishing. The GRU is said to be at it again, this time prospecting for targets in the US Senate.

Their goal is to compromise email accounts. Some Senators are calling for two-factor authentication to be implemented across their systems, which would be good. What would be better would be user education on the risk that phishing poses to security.

Not only junior staffers but the Senators themselves would benefit. So would any organization. TechCrunch has a useful short account of the threat here:

Strains of CEO Fraud - Urgent Request for W-2s

Soon the news will be packed with W-2 phishing and CEO fraud, also known as "Business Email Compromise" (BEC) attacks. Last year, the cost of these attacks against organizations totaled over 3.4 billion dollars.

Each year the U.S. Internal Revenue Service warns about these scams where internet criminals successfully combine W-2 and CEO fraud schemes, targeting a much wider range of organizations than ever before.

Prepare yourself for this type of attack by reading this no-charge CEO Fraud Prevention Manual. Download here:

Interesting News Items This Week

Roughly Half of Cybersecurity Incidents Due to Employee Negligence and Weak IT Security Policies:

Beware of USB Gifts - Cybersecurity quiz winners rewarded with malware-infected USB sticks:

Why GDPR will drive a best practice approach - Help Net Security:

88% of employees have no clue about their organization's IT security policies:

75 percent of IT executives lack control over password security in their organizations. The article concludes there is too much reliance on employees controlling their own passwords rather than on SSO:

BEC Attacks to Exceed $9B in 2018: Trend Micro:

‘Grey’s Anatomy’ Fact Check: What Really Happens When a Hospital Gets Hacked?:

SamSam Ransomware Hits Hospitals, City Councils, ICS Firms. It appears these were all attacks via RDP:

Top Bug Hunters Make 2.7 Times More Money Than an Average Software Engineer:

Attackers Use Microsoft Office Vulnerabilities to Spread Zyklon Malware:

The role of trust in security: Building relationships with management and employees:

KnowBe4 2017 Top Clicked Phishing Test Analysis:

KnowBe4 Makes Third Place in Nationwide SMB Top Five Best Places to Work in Technology:

Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff
  • Watch: speedboat driver rams into small boat with three passengers. This is how fast you need to react if you want to survive in an emergency:

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.