It's a great honor for KnowBe4 to be named the Cyber Security Educator of the Year at the prestigious IT Europa Channel Awards 2024. This award recognizes our continued commitment and innovative approach to building a strong security culture and empowering organizations to manage the ongoing problem of social engineering. This achievement is a testament to the hard work and passion of our team in building the world's most comprehensive security awareness training and simulated phishing platform.

In a concerning development, TeamViewer, one of the world's leading remote access software providers, has disclosed a cyber attack that breached its corporate network environment. The incident was first detected on June 26, 2024, when TeamViewer's security team identified irregularities in their internal IT infrastructure. Responding swiftly, TeamViewer activated its incident response procedures and engaged renowned cybersecurity experts to investigate and mitigate the breach.

The US FBI and the Department of Health and Human Services (HHS) have released a joint advisory warning of a social engineering campaign that’s targeting the healthcare industry. “Threat actors are using phishing schemes to steal login credentials for initial access and the diversion of automated clearinghouse (ACH) payments to US controlled bank accounts,” the advisory states.

France’s cybersecurity agency ANSSI has issued an alert outlining a Russian spear phishing campaign targeting French diplomats, the Record reports. The agency attributes the campaign to “Nobelium,” a threat actor tied to Russia’s Foreign Intelligence Service (the SVR).

If you had to choose between regular cybersecurity training and simulated phishing testing, the data shows you should choose simulated phishing tests. When the security awareness training (SAT) industry started over a decade ago, there was some controversy about whether simulated phishing tests should be conducted. The idea of simulated phishing testing was relatively new and some people took them as not only unusual, but potentially unethical and unneeded.

The BBC recently reported that Booking.com is warning that AI is driving an explosion in travel scams. Up to 900% in their estimation - making it abundantly clear that while AI can be a force for good, it can also be a formidable weapon in the arsenal of cybercriminals. One of the most concerning trends we've observed is the increasing use of AI by cybercriminals to carry out sophisticated phishing attacks.

Over 11 million phishing attacks have been reported to the UK’s Suspicious Email Reporting Service (SERS) over the past year, according to new data from Action Fraud. The UK’s National Cyber Security Centre has also taken down more than 329,000 phishing sites since the SERS program started in 2020.

A crafty group of cybercriminals has been relentlessly pursuing Mexican banks, cryptocurrency platforms and other organizations in an extended campaign stretching back over two years. Their weapon of choice? A heavily customized version of the AllaKore remote access trojan (RAT). These threat actors are ruthlessly targeting any large Mexican enterprise they can get their hands on. With a sweet spot for companies pulling in over $100 million in annual revenue, they're not messing around with small fry.

My hacker story does not paint me in the best light, and it is not intended to. I am a firm believer in sharing one's mistakes and being open to learning from them. My incident taught me so much, and many years later, I am still benefiting from the learning opportunities. As the wise quote goes, "We have met the enemy, and they are us" — a sentiment that perfectly sums up my experience.

A new report from Barracuda has found that email conversation hijacking attacks have risen by 70% since 2022. Additionally, business email compromise (BEC) attacks accounted for 10.6% of social engineering attacks in 2023, compared to 8% in 2022 and 9% in 2021. These attacks require more effort on the part of attackers, but they typically have a much higher payout than other forms of social engineering.

Scammers are now impersonating legitimate services like Booking.com and Kayak to target people planning their summer vacations. One out of every 33 vacation-themed domains registered last month was malicious, researchers at Check Point warn. “In May 2024, Check Point Research (CPR) detected a significant surge in summer-related cyber scams, highlighting the need for travelers to stay informed and proactive in safeguarding their personal information,” the researchers write.

In this mad, mad world of breaches, organizations are scrambling to keep their heads above water. It's like trying to navigate a minefield while blindfolded and riding a unicycle — one wrong move, and everything goes up in flames. So, how do you know your security controls are up to the task of defending your organization? This is where red teaming comes in.

We live in a world where the term "cybersecurity" tends to make folks either shiver with anxiety or yawn with boredom. The narrative has always been about hacking, phishing, and all sorts of digital skullduggery. However, the overlooked truth is that users don't adopt best security practices because they’re designed without the slightest nod to the user experience.

Mandiant has published a report looking at cyber threats targeting Brazil, finding that more than 85% of government-backed phishing activity comes from threat actors based in China, North Korea and Russia. “The Brazil-focused targeting of these groups mirrors the broader priorities and industry targeting trends we see elsewhere,” the researchers write.

Increasing phishing attacks are a constant threat to organizations, making it crucial for users to report suspicious emails. This practice not only helps in identifying and mitigating potential threats, but also plays a significant role in educating and creating awareness among employees. The importance of reporting suspected phishing emails cannot be overstated, as it acts as a last line of defense against cyber threats.

Researchers at Trustwave warn that a phishing campaign is distributing malware via HTML attachments disguised as invoices. Notably, the HTML files abuse the Windows Search protocol to launch Windows Explorer and trick users into installing the malware. “Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware,” the researchers state.

Based on news cycles within cybersecurity, it's easy to fall into the trap of thinking that threats only come from certain parts of the world or that they only target specific industries. However, the reality is that cyber attacks know no borders, and no organisation is immune. The recent report by Cisco Talos showcasing the discovery of a six-year campaign by Pakistani hackers targeting Indian government and defence organisations is a stark reminder of this fact.

A phishing campaign is impersonating recruiting firms to target job seekers with a new strain of malware, according to researchers at Elastic Security. “Since late April 2024, our team has observed new phishing campaigns leveraging lures tied to recruiting firms,” the researchers write.

My hacker story occurred not too long ago at the Hong Kong office of an undisclosed multinational corporation. The hackers pulled off a first-of-its-kind scam that leveraged a phishing email as the initial attack vector followed by a deepfake video call. In this instance, there was enough information to establish a perceived authority for a finance worker who transferred a total of HK$200 million in 15 transactions to five different Hong Kong bank accounts until the scam was detected.

A new phishing-as-a-service toolkit that leverages credential interception and anti-detection capabilities has put EU banks at severe risk of fraud. One of the growing dangers of the cyber crime economy is the phishing toolkit. Putting well-designed, expertly-coded webpages, authentication services, and obfuscation features into the hands of even a would-be cybercriminal creates havoc for the intended victim organizations.

Cybercriminals never sleep, and their aim keeps getting better. According to new research from Abnormal Security, phishing attacks targeting organizations in Europe shot up by a staggering 112.4% between April 2023 and April 2024. Meanwhile, US organizations weren't spared either, with phishing attempts increasing by 91.5% over the same period. Phishing may be an old-school social engineering tactic, but it's no joke.

A new phishing campaign is exploiting the eSignature platform Yousign. There have been plenty of phishing attacks that leverage legitimate platforms to help establish credibility with security solutions – including online email services, web hosting, payment processors and more.

A phishing campaign is spreading the DarkGate malware using new techniques to evade security filters, according to researchers at Cisco Talos. “The DarkGate malware family is distinguished by its covert spreading techniques, ability to steal information, evasion strategies, and widespread impact on both individuals and organizations” the researchers explain.

When the news first broke about a potential data breach at Ticketmaster, the details were murky. The Department of Home Affairs confirmed a cyber incident affecting Ticketmaster customers, but the extent of the breach and the veracity of the claims made by the hacker group ShinyHunters were unclear. As the story unfolded, it became evident that the breach was indeed real, and the personal details of millions of customers had been compromised.

I have created a comprehensive webinar, based on my recent book, “Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing”. It contains everything that KnowBe4 and I know to defeat scammers. The evidence is clear – there is nothing most people and organizations can do to vastly lower cybersecurity risk than to mitigate social engineering attacks. Social engineering is involved in 70% to 90% of all successful attacks.

More than a quarter (26%) of organizations around the world provide no security awareness training for their employees, according to a survey by Hornetsecurity. The researchers found that smaller companies in particular tend to lack security training programs. “This significant oversight in cybersecurity education highlights a critical vulnerability within the corporate world, particularly in smaller companies,” the researchers write.

Social engineering scams can come through any communications channel (e.g., email, web, social media, SMS, phone call, etc.). They can even come in the mail as the Nextdoor warning below shares. Source: Nextdoor They can even come in person and on the television.

The prevalence of cyber crime continues to soar, victimizing individuals in both their work and private lives. Cybercriminals are indiscriminate, targeting around the clock and across the globe. With digital security advancing, these criminals shift their focus to exploiting human weakness amidst increasingly secure technological environments.

The NIS2 Directive, also known as the Network and Information Security Directive, is a crucial piece of legislation designed to enhance cybersecurity and protect critical infrastructure across the European Union (EU). Building on the previous NIS Directive, it addresses its shortcomings and expands its scope to improve security requirements, reporting obligations, and crisis management capabilities.

As email compromise attacks increase, analysis of tactics provides context on how organizations need to evolve their defenses.

An increasing number of phishing campaigns from several threat groups are being tracked as they leverage legitimate Cloudflare services as part of account compromise attacks. Security analysts at Netskope take an expository look at the misuse of Cloudflare services for the purpose of enabling phishing attacks that leverage HTML Smuggling and Transparent Phishing tactics. We’ve seen HTML Smuggling attacks for several years, including its continued use this year.