CyberheistNews Vol 9 #05
[INFOGRAPHIC] Q4 2018 Top-Clicked Phishing Email Subjects From KnowBe4

KnowBe4 reports every quarter on the top-clicked phishing emails. Here we have the results for Q4 2018. We track three different categories: general email subjects, those related to social media and 'in the wild' attacks. The results come from a combination of the simulated phishing emails used by our customers as well as from the millions of users that click our no-charge Phish Alert Button to report suspicious emails to their IT Incident Response team.

Trends That Persisted Throughout 2018

In reviewing the Q4 2018 most clicked subject lines, trends were easily identified; five subject line categories appeared quarter-over-quarter throughout 2018, including:
  • Deliveries
  • Passwords
  • Company Policies
  • Vacation
  • IT Department (in-the-wild)
Additionally, three “in-the-wild subject lines” were clicked three out of four quarters and included Amazon, Wells Fargo and Microsoft as keywords.

The Subject Lines Tell Us Users Are Concerned About Security

“Clicking an email is as much about human psychology as it is about accomplishing a task,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “The fact that we saw ‘password’ subject lines clicked four out of four quarters shows us that users are concerned about security.

Likewise, users clicked on messages about company policies and deliveries each quarter showing a general curiosity about issues that matter to them. Knowing this information gives corporate IT departments tangible data to share with their users and to help them understand how to think before they click.”

Here is the full InfoGraphic of top subjects in all categories for the last quarter, the top 10 most-clicked general email subjects in Q4 2018, and most common 'in the wild' attacks during that period.

This Infographic is great to send to your users! Download here:
https://blog.knowbe4.com/infographic-q4-2018-top-clicked-phishing-email-subjects-from-knowbe4

[TODAY] The Real World: New-School Security Awareness Training… From the Trenches

This is the true story of an IT Manager who was tired of his users clicking on everything and wanted to teach them a lesson… in a good way. Find out what happens, when you stop being polite, and start getting real, new-school security awareness training!

In this "From the Trenches" event, we’ll talk with Tory Dombrowski, IT Manager at Takeform and a KnowBe4 customer, about his experiences and lessons learned while designing and delivering a security awareness training plan for his users.

Erich Kron, KnowBe4's Security Awareness Advocate, and Tory will dive deep to share best practices and creative ideas, so you know what to expect when executing your own program.

In this webinar you'll learn:
  • Why it's so important to empower your users to become a "human firewall"
  • What it's really like to get executive buy-in and implement security awareness training and simulated phishing
  • The good, the bad and the truly hilarious results of training and testing your users
Join us Today, January 29th @ 1:00 pm ET to get the real story from this KnowBe4 customer!
https://event.on24.com/wcc/r/1917698/C442E28AAAF4D9ECE1D937F02ABE84B9?partnerref=CHN

Online Job Offer Turns Would-Be Applicant Into Unwitting Conspirator in Malware Attack

The context of contacting the victim via a credible website may be all that was needed to trick one job seeker into installing malware on the network of a bank.

Imagine you’re on LinkedIn and you see an ad for an open position that you’re perfect for. See anything wrong with that? Given that you’re on a website that already knows your job title, industry sector, location, etc., I’d say none of us would give it a second thought; we’d assume it was legitimate.

That was exactly what hackers were hoping for when they used LinkedIn ads to target employees of the victim bank (LinkedIn’s ad targeting lets advertisers filter by company). A bank employee responded to an ad seeking a developer position. The employee was contacted and even had a call with the would-be employer via Skype.

All this social engineering was in place to lower the employee’s defenses when the actual attack occurred: the cybercriminals asked him to install a program (ApplicationPDF.exe) that would supposedly generate his online application. The program didn’t trigger any alarms on the bank's antivirus (and, judging from the article, none for the would-be “applicant” either).

The thinking is that hackers were attempting to gain entry to the bank’s network in an attempt to reach applications that control ATMs and debit cards.

Continued at the KnowBe4 blog:
https://blog.knowbe4.com/online-job-offer-turns-would-be-applicant-into-unwitting-conspirator-in-malware-attack

NEW! KnowBe4 Offers No-Cost Children’s Interactive Cybersecurity Activity Kit

A workbook, poster and video module are available to help families teach children how to protect themselves from online dangers

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is offering an interactive, no-cost children’s cybersecurity activity kit to the public.

The activity kit consists of two workbooks with puzzles and games, a poster and a video module featuring KnowBe4’s security awareness hero Captain Awareness. The workbook also includes a cyber hero pledge consisting of helpful tips to help children stay safe online, along with a family agreement that parents can review with their children to set guidelines for using online devices.

With this activity kit, parents, teachers and other guardians have some concrete tools to help teach their children about online safety and security in a fun and engaging way. By offering these tools at no cost, we hope to open the dialogue between children and their parents about the real threats that exist online today. Protecting our most vulnerable population from the online dangers that are out there is a top priority.

Here is the kit; tell your friends and family. There is no charge. Check out the 2-minute cartoon:
https://blog.knowbe4.com/new-knowbe4-offers-no-cost-childrens-interactive-cybersecurity-activity-kit

[Don't Miss the Feb Live Demo] See Ridiculously Easy Security Awareness Training and Phishing in Action!

Old-school awareness training does not hack it anymore. Your email filters have an average 10-15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a 30-minute live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW! Identify and respond to email threats faster. Enhance your incident response efforts with the PhishER add-on!
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 23,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, February 6, 2019 at 2:00 pm ET

Save My Spot!
https://event.on24.com/wcc/r/1918577/0D26DBB3D04B17E3B413A60C794830D3?partnerref=CHN

Did You Know That 91% of Successful Data Breaches Started With a Spear Phishing Attack?

Find out what percentage of your employees are Phish-prone™ with your free phishing security test. Plus, see how you stack up against your peers with the new Phishing Industry Benchmarks!

IT pros have realized that simulated phishing tests are urgently needed as an additional security layer. Today, phishing your own users is just as important as having antivirus and a firewall. It is a fun and effective cybersecurity best practice to patch your last line of defense: USERS.

Here's how it works:
  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Go Phishing:
https://info.knowbe4.com/phishing-security-test-chn

Get the Unique "2019 Security Threats and Trends" Survey Results *First*

Once a year, KnowBe4 runs its Security Threats and Trends Survey. We’re polling IT and Security executives, administrators and professionals like yourself on what technology and business issues you consider your organization's biggest security threats and challenges over the next 12 months.

It will take you 5 minutes tops. As a reward, you get the results first, which will allow you to compare yourself with your peers. It's multiple choice with one essay question. ALL responses are confidential.

Anyone who completes the survey and includes their email address in the essay question along with a comment gets a complimentary copy of the Executive Summary and the accompanying PowerPoint presentation of the survey results. The person who provides us with the best essay comment will win a USD 100 Amazon gift card.

Here's the link to the new 2019 survey:
https://www.surveymonkey.com/r/52QKNCV

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The less secure a man is, the more likely he is to have extreme prejudice."
- Clint Eastwood, Actor (born 1930)

"At any given moment, public opinion is a chaos of superstition, misinformation and prejudice."
- Gore Vidal, American Novelist (1925-2012)

Thanks for reading CyberheistNews

Security News
State Governments Are Ripe for Phishing Attacks

Many US state governments are vulnerable to phishing attacks because they don’t require their staffers to undergo cybersecurity awareness training, according to Jenni Bergal at Stateline.

The National Association of State Chief Information Officers (NASCIO) and Deloitte surveyed all 50 US state CISOs and found that only 45% of states have mandatory cybersecurity training programs for executive branch employees.

While most states offer optional training, a significant number of employees pass up the opportunity. Bergal points to the 2018 ransomware attack against Colorado’s Department of Transportation as an example of the damage that can be caused by attacks against state governments.

This attack disrupted the department’s operations for months and cost over a million dollars. Some states are reluctant to burden their employees with additional training programs. Connecticut’s CIO Mark Raymond told Bergal that implementing mandatory security awareness training in his state would require clearing a number of hurdles, including getting approval from employee unions.

“I think eventually it will become mandatory,” said Raymond. “It just takes much longer to create a mandatory program and monitor it than it does for a voluntary one.”

Ryan Allen, Alabama’s CISO, believes that implementing mandatory training is worth the effort. His state requires every executive branch employee with access to state computers to undergo a minimum level of training. The state also offers optional training programs with small rewards as incentive.

“If 90 percent of ransomware comes in through email, raising awareness about cyber issues across the state is one of the things that will pay the biggest dividend,” Allen told Bergal. “The weakest link in the chain is the one that’s going to get you in trouble.”

The cost of a successful phishing attack is far greater than the cost of training. All state governments should be working towards setting up mandatory cybersecurity education for their employees. New-school security awareness training can give employees experiential knowledge of phishing attacks by using real-life examples. Government Technology has the story:
http://www.govtech.com/security/As-States-Lag-on-Cyber-Training-Agencies-Are-Fertile-Phishing-Grounds.html

Bitcoin Phishing Scam Targets Parents of UK Private-School Students

Scammers sent phishing emails to the parents of students attending Royal Grammar School in the UK, offering a 25% discount on school fees for parents who paid in Bitcoin. The emails were sent from the email address of the school’s financial administrator.

The attacker had apparently gained access to parents’ email addresses and contact details, so the school is working with the UK’s Information Commissioner’s Office (ICO) to investigate a potential data breach. The ICO said additional schools had been targeted by similar attacks, but didn’t provide further details.

The school’s headmaster told parents that the school would never request money in this fashion. Although the attack appears to have required sophisticated planning, the emails themselves were not particularly convincing.

The messages were rife with grammatical and spelling errors, some of which were quite glaring. The attacker misspelled “cryptocurrency” as “cyptocurrency” in the first sentence, and the email’s subject line referred to “Cypto Payment.”

Parents who send their children to private schools are viewed by attackers as potentially lucrative targets. In the case of Royal Grammar School, a parent falling for the scam could have netted the attackers thousands of pounds. Schools around the world are popular targets for phishing attacks because they often have poorly trained students and employees, as well as insecure networks. BBC News has the story:
https://www.bbc.com/news/uk-england-tyne-46920810

Law Firm Culture Needs to Conform to Security Best Practices

Lawyers and their firms have to adapt their security cultures to mesh with rapidly-changing technology, according to WindTalker’s CEO Christopher Combs and CTO Michael Lester. Writing for Legaltech News, Combs and Lester discuss the need for law firms to realize that the nature of their practice necessitates proper security protocols.

Law firms deal with extremely sensitive personal, financial, and business information on a daily basis. Over the past several decades, this information has shifted from the paper world to the digital world, and lawyers need to adjust their routines accordingly. “Changing the culture of law firms when it comes to information security has less to do with age and generational differences and more to do with acknowledging and accepting the current environment,” write Combs and Lester.

“To reach the same page as their clients, law firms and lawyers must embrace technology,” they continue. “A culture of minimal adequacy is not the way to forge the future and instill confidence. Though not required by any ABA ethical rules, encryption, differential sharing, differential access, color-coded privilege protection, cradle-to-grave monitoring of private and privileged information all must be incorporated into the fabric of every law firm.”

New-school security awareness training can be an essential resource for law firms that want to improve their employees’ security stances. Up-to-date education on security defenses and threats can help your organization build a lasting culture of security that can adapt to changing technologies. Legaltech News has the story:
https://www.law.com/legaltechnews/2019/01/17/transforming-law-firm-culture-to-ensure-information-security/

Read more about how law firms can be at risk of data breach and extortion:
https://blog.knowbe4.com/the-dark-overlord-ransoms-9/11-files-showing-how-law-firms-can-be-at-risk-of-data-breach

We Hope Sebastian Was Authorized to Do This

Sebastian Conijn, an Interaction Designer at Hike One, published an article detailing how he tested his company’s security awareness by setting up a fake website and sending phishing emails to his colleagues. It should be noted that Conijn is responsible for Hike One’s digital security, and he says he obtained approval from a colleague before carrying out this test.

Conijn first registered a domain called “dropboxforbusiness[.]info” and bought a security certificate for €11. The domain would then display a green lock in the address bar, along with “https” in the URL. Conijn notes that a website’s certificate only means that your communication with the site is private; it doesn’t mean that the website is trustworthy.

Next, Conijn set up a fake Dropbox login page by saving the real Dropbox login page as a zip file to his computer. This allowed him to easily create an identical copy of the login page on his own website. He wrote a short script that emailed him the credentials that were entered on his site and then forwarded the user to the real Dropbox site.

Conijn then created emails using a template that resembled Dropbox’s official emails, and sent these emails to his colleagues. Within minutes, he began receiving his colleagues’ passwords in his inbox. After Conijn modified the emails to say “You deleted 2641 files, is that correct?,” he saw a much higher rate of success. “The passwords in my mailbox were absolutely piling up,” he says.

Overall, Conijn sent phishing emails to thirty-eight of his colleagues, and nine of them fell for the trick. He notes that this is a 26% phishing success rate, which is a bit below the average of about 30%. Most organizations don’t realize how vulnerable they are to phishing attacks until they perform a test like the one Conijn carried out.

One of the most effective ways to gauge your defenses and lower the number of employees who fall for phishing emails is through new-school security awareness training. Realistic training drastically increases employees’ ability to resist social engineering by making them realize how easy it is to fall for these attacks. Hakin9 Magazine has the story:
https://hakin9.org/i-used-phishing-to-get-my-colleagues-passwords-this-is-what-i-did/

What KnowBe4 Customers Say

"Hi Stu, Yep, I’m a really happy camper. The training is brilliant. I’ve tried for years to get my staff to participate in IT training with mixed results. The feedback I’ve had from my staff is awesome – they love KnowBe4, they like the format and style and say it's really easy to use.

All the line managers have asked to see the training / modstore contents to see if there is more they can use. Being able to group the staff into their geographic teams and have them compete against each other is a really effective motivator for our workforce.

The Phishing service is a brilliant brilliant piece of software, it allows my users to fight back, it empowers them with the ability to regain control of their inbox and as the admin it enables me to react quicker. Thanks for asking."
- M.K., IT Manager in the U.K.



"Hi Stu, Thanks for mentioning that this is not an automated email. Things are going well. We have been happy with the way that things have started. I am particularly impressed with ASAP as it has been a good guide for us in getting our awareness program up-and-running.

So far we have gotten our baseline phishing test done and have started folks on training with the “Kevin Mitnick Security Awareness Training” course to start. We have the Phish Alert button installed and have several folks making use of it. Also today our first “Scam of the Week” email went out to our users. So things are going well here.

I have also been pleased with how your folks have been checking in with us to make sure things are going well. That is much appreciated. Thanks for checking in. PS: By the way please reply to this email with your username, password and SSN. :P"
- H.P., Director of Technology



P.S. If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check the Gartner Peer Insights site, where KnowBe4 is a 2019 Customer's Choice: https://www.gartner.com/reviews/market/security-awareness-computer-based-training

The 10 Interesting News Items This Week
    1. Can You Pass Google's Phishing Quiz? Google's Jigsaw subsidiary created a quiz that features realistic examples with real brands like Dropbox and eFax:
      https://www.forbes.com/sites/kateoflahertyuk/2019/01/23/this-google-quiz-tests-if-you-can-spot-email-phishing-scams/#2212364252e9

    2. Deepfakes and the New Disinformation War:
      https://www.foreignaffairs.com/articles/world/2018-12-11/deepfakes-and-new-disinformation-war

    3. The Cybersecurity 202 - FBI cyber investigations hit hard by shutdown:
      https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/01/23/the-cybersecurity-202-fbi-cyber-investigations-hit-hard-by-shutdown/5c475f7c1b326b29c3778c68/?utm_term=.7b1ccf316f4e

    4. Pretty interesting... a company is selling a zero-click Apple iMessage exploit:
      https://arstechnica.com/information-technology/2019/01/researchers-discover-state-actors-mobile-malware-efforts-because-of-yolo-opsec/

    5. Here’s Why Foreign Intelligence Agencies Want Your Data:
      https://blog.radware.com/security/hacks/2019/01/heres-why-foreign-intelligence-agencies-want-your-data/

    6. How Cybercriminals Clean Their Dirty Money:
      https://www.darkreading.com/attacks-breaches/how-cybercriminals-clean-their-dirty-money-/a/d-id/1333670

    7. Google Play malware used phones’ motion sensors to conceal itself:
      https://arstechnica.com/information-technology/2019/01/google-play-malware-used-phones-motion-sensors-to-conceal-itself/

    8. Qealler — The Silent Java Credential Thief:
      https://securityboulevard.com/2019/01/qealler-the-silent-java-credential-thief/

    9. Huge Trove of Leaked Russian Documents Is Published by Transparency Advocates:
      https://www.nytimes.com/2019/01/25/world/europe/russian-documents-leaked-ddosecrets.html

    10. Check Point Forensic Files: GandCrab Returns with Friends (Trojans):
      https://blog.checkpoint.com/2019/01/18/check-point-forensic-files-gandcrab-returns-with-friends-trojans/

Prepared in cooperation with the CyberWire research team.
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.