CyberheistNews Vol 14 #36

Cyberheist News


CyberheistNews Vol 14 #36  |   September 4th, 2024


KnowBe4 Expands Children’s Interactive Cybersecurity Activity Kit for 2024/2025 School Year

Stu Sjouwerman SACP

Can you believe it is already back-to-school time for many? Where has the summer gone?

We are committed at KnowBe4 to providing content for students of all ages to help them stay safe and maybe get them interested in a career in cybersecurity in the future.

For example, we launched our successful KnowBe4 Student Edition last spring for students over the age of 16 that included training materials focused on topics that are relevant for young adults.

For students under 16, the KnowBe4 Children’s Interactive Cybersecurity Activity Kit is available for free to schools, teachers and parents. This kit is linked below. Consider telling the teachers at your children’s school.

New School Year, New Content

We’re excited to announce this latest update to the kit, which includes a new training module and some great updated features.

We have been adding fresh resources to this kit every school year, including an AI safety video, a password video game, a cybersecurity activity book, and middle school lesson plans. We have even more planned for the upcoming school year.

Last year we launched our groundbreaking Roblox game called KnowBe4 Hack-A-Cat, where students can play a game on the popular platform and learn about things like phishing, ransomware and other cybersecurity-related topics. We heard from many educators that they want a companion lesson to include to help explain the concepts in the game for students in a more direct way.

So, I’m excited to announce that this accompanying lesson is now available on the children’s kit website. It’s titled “Hack-A-Cat: Your Cybersecurity Journey on Roblox,” and teachers can have students complete this on their own in a computer lab, with laptops or even on the smartboard at the front of the classroom.

This self-paced module can be used as a lesson prior to playing the Roblox game at school or independently with their friends at home. We think it is a great complement to the in-game learning experience to make the most impact for students to learn about cybercrime, be prepared, and maybe one day join one of the teams helping defend others.

Children’s Kit Now Available in Your Own LMS

Another requested feature of our kit that is now available is the ability to download the content and use it in your own Learning Management System (LMS) and/or Virtual Learning Environment (VLE) and make it a learning activity for students.

This feature allows admins to download the kit in a common standard called Sharable Content Object Reference Model (SCORM) that is generally accepted by most learning platforms. The lessons that are available in SCORM format include:

  • AI Awareness for Students
  • Bye Bye Bully
  • Captain Awareness: Conquer Internet Safety for Kids
  • Password Zapper Game
  • Spot the Phish – Kid’s Edition

There is a link at the bottom of the page that allows for the easy download of all these materials in SCORM format. Look for the link in the text, “Looking for SCORM files? Click HERE to download.”

There are also supporting materials available in image and document formats (not SCORM) that you can download directly from the kit page:

  • Clickbait Cootie Catcher Tabletop Exercise
  • Password Warriors Tabletop Exercise
  • Poster: Captain Awareness: Conquer Internet Safety for Kids
  • Security Cat’s Activity Book for Kids

KnowBe4 customers can also still use the content on the KnowBe4 Children’s Interactive Cybersecurity Activity Kit website, but we wanted to make the SCORM option available to be able to give access to more students (links on blog).

We will be adding more content to the Children’s Kit and to the KnowBe4 Student Edition throughout the school year, based on the latest threats and feedback from our partner institutions and others, so check back often as you are planning lessons for your students.

If you have an idea or request of what you would like to see us add, feel free to get in touch. We are committed to providing fresh educational content for students and partners to stay safe.

Blog post with links:
https://blog.knowbe4.com/knowbe4-childrens-interactive-cybersecurity-activity-kit-2024

[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TODAY, Wednesday, September 4, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing that is effective in changing user behavior.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees’ behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.

Date/Time: TODAY, Wednesday, September 4, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/en-us/kmsat-demo-3?partnerref=CHN2

Phishing Attacks Are Increasingly Targeting Social Media and Smartphone Users

Threat actors are increasingly tailoring their attacks to target social media apps and smartphone users, according to a new report from the Anti-Phishing Working Group (APWG).

As email security technologies improve, scammers are turning to social media apps, text messages, and voice calls to conduct social engineering attacks.

Matthew Harris, Senior Product Manager, Fraud at OpSec, explained, “We have observed an increased share of fraud being targeted towards sites that don’t require high security, such as social media sites like Facebook and LinkedIn, and SAAS and Webmail accounts such as Microsoft Outlook and Netflix.”

The report also found that the volume of phishing attacks targeting bank accounts has fallen compared to last year, but these attacks have grown more sophisticated and targeted. Attackers have to put more effort into banking-focused attacks since these institutions usually have additional layers of security.

“Banks require two-factor authentication for online banking, such as codes sent to the users’ mobile phones,” the report says. “Without these authentication codes, phishers can’t get into victims’ online financial accounts.

“So instead, fraudsters are using phone-based methods to phish bank and payment service users. These are more immediate contact methods, and allow the fraudster to talk victims out of their sensitive information.

“Phone-based fraud is initiated by different methods. One is voice phishing or vishing — where fraudsters call potential victims. Another is SMS-based phishing or smishing – in which fraudsters advertise the URLs of phishing sites inside SMS (Short Message Service) and Internet-generated, phone-to-phone text messages.”

The majority of scams in Q2 2024 involved gift card fraud or advance fee requests. APWG contributor Fortra found that the average amount of money requested in business email compromise (BEC) attacks rose by 6.5% last quarter to reach $89,520.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/phishing-attacks-are-increasingly-targeting-social-media-and-smartphone-users

[NEW WEBINAR] Code Red: How KnowBe4 Exposed a North Korean IT Infiltration Scheme

A recent incident shed light on a chilling new tactic: North Korean operatives posing as IT professionals to infiltrate organizations all over the world. And this one hit a little too close to home… right here at KnowBe4.

We’re pulling back the curtain on this event to help you protect your organization from this new and growing, terrifying threat.

Join us for an exclusive, no-holds-barred conversation with the team who lived through it. Perry Carpenter, our Chief Human Risk Management Strategist, sits down with Brian Jack, Chief Information Security Officer, and Ani Banerjee, Chief Human Resources Officer, to discuss how we spotted the red flags and stopped it before any damage was done.

During this webinar, you’ll get the inside scoop on:

  • The techniques and tools used by these covert operatives to sneak through the cracks
  • How we discovered something was wrong, and how we quickly stepped in to stop it
  • How you can spot fake IT workers in your hiring process and workplace
  • Practical advice for fortifying your organization by implementing robust screening processes and security protocols to safeguard against infiltration

Gain exclusive insights and actionable strategies to protect your organization from these sophisticated threats. Don’t miss this opportunity to stay ahead in the ever-evolving landscape of cybersecurity, plus earn CPE credit for attending!

Date/Time: Thursday, September 12 @ 2:00 PM (ET)

Can’t attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/code-red-webinar?partnerref=CHN

Email Compromise Remains Top Threat Incident Type for the Third Quarter in a Row

New analysis of Q2 threats shows a consistent pattern of behavior on the part of threat actors and threat groups, providing organizations with a clear path to protect themselves.

It is every cybersecurity professional’s worry: whether the security controls they have put in place will actually stop attacks.

But it’s actually fairly easy to calm these fears by simply paying attention to industry data that paint a picture of what tactics and techniques threat actors are using, and by ensuring the appropriate controls are in place to stop such malicious activity.

According to Kroll’s Q2 2024 Threat Landscape Report, there are some consistent trends that are becoming evident. Going back three quarters, Kroll demonstrates through data that the following threat incident types (in descending order) are being experienced across cyber attacks: email compromise, ransomware, unauthorized access and web compromise.

Looking at the chart, you can see how important gaining access to email is for threat actors. And even with the substantial increase in unauthorized access this year, it appears that the threat actor “leopard” doesn’t change its spots.

It’s clear that protecting email access with multi-factor authentication, strong passwords and security awareness training is essential. These measures help prevent social engineering attacks aimed at stealing credentials, a trend that shows no signs of slowing down.

Blog post with links and graphics:
https://blog.knowbe4.com/email-compromise-remains-top-threat-incident-type-for-the-third-quarter-in-a-row

[Popular Whitepaper] The Security Culture How-to Guide

Improving the security culture of your organization can seem daunting. An entire culture sounds almost too big to influence. But influencing security culture is possible with the right plan, buy-in and content.

With the right culture supporting them, your users will be better equipped to identify potentially devastating cyber attacks and social engineering threats before they affect your network.

This how-to guide will walk you through how to build a step-by-step plan, helping you understand the fundamentals of security culture and what you can do to move the culture needle in your organization.

You’ll learn:

  • The fundamental ABCs of culture change and how each builds off one another
  • A seven-step cycle for improving your security culture
  • Advice and best practices for making the most out of each step in the process

Download this guide today!
https://info.knowbe4.com/wp-security-culture-how-to-guide-chn

More Carrots and Fewer Sticks

This blog was co-written by Perry Carpenter and Roger A. Grimes.

As I sit in the 2024 Seattle Convene conference this week and listen to speaker after speaker talk about their successful security awareness training programs, one thing is absolutely clear. They all prefer carrots and fewer sticks.

A question human risk managers frequently ask me is what role negative consequences should play in a successful security awareness training program. This touches on a fundamental principle that my colleague, Perry Carpenter, is well-known for emphasizing — the importance of working with human nature rather than against it.

Because of that, I invited him to co-write this blog post with me. Consider this a two-for-one blog special… The rest of this post represents our combined thoughts.

What is the end-goal, anyway?

Some of our customers have a policy of firing people for first-time offenses, whether that offense is clicking on a simulated phishing email URL link or interacting with a real phishing scam. We have many customers who have no defined policy for “missed” phishing tests and who never interact with an employee for either “failing” or not failing a simulated phishing test. The right policy lies somewhere in between.

The goal is to reduce cybersecurity risk most efficiently and effectively without significantly impacting business and revenues. Firing your best employees because they failed a phishing test doesn’t seem overly productive.

Punitive approaches often backfire and can create a culture of fear rather than one of shared responsibility.

This is especially true because anyone… ANYONE!! can be phished. If you think you can’t be socially engineered into doing something against your own best interests, you are at higher risk for a successful phishing attack, not less.

No one wants to click on a phish. And yes, we have people who are more susceptible to phishing than others. And we need a way to motivate the poorer performers to become better. But how do we do this effectively?

More Carrots

Here are some common carrot ideas.

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/more-carrots-and-fewer-sticks

Let’s stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from August 2024:
https://blog.knowbe4.com/knowbe4-content-updates-august-2024

PPS: [BUDGET AMMO] This Security Company [Cinder] Has Been Flooded With Job Applicants From North Korea:
https://www.forbes.com/sites/davidjeans/2024/08/26/cinder-north-korea-jobs/

Quotes of the Week

“Peace cannot be kept by force; it can only be achieved by understanding.”
– Albert Einstein, Physicist (1879 – 1955)


“You become what you give your attention to.”
– Epictetus, Greek philosopher (55 – 135 AD)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-36-knowbe4-expands-children’s-interactive-cybersecurity-activity-kit-for-2024-2025-school-year

Security News

Threat Actors Abuse Microsoft Sway to Launch QR Code Phishing Attacks

Researchers at Netskope last month observed a 2000-fold increase in traffic to phishing pages delivered through Microsoft Sway. The phishing attacks are targeting orgs in the technology, manufacturing and finance sectors in Asia and North America.

Most of these attacks involved QR code phishing (quishing) to trick victims into visiting the malicious sites.

“Attackers instruct their victims to use their mobile devices to scan the QR code in hopes that these mobile devices lack the stringent security measures typically found on corporate issued ones, ensuring unrestricted access to the phishing site,” Netskope explains.

“Additionally, these QR phishing campaigns employ two techniques from previous posts: the use of transparent phishing and Cloudflare Turnstile. Transparent phishing ensures victims access the exact content of the legitimate login page and can allow them to bypass additional security measures like multi-factor authentication.

“Meanwhile, Cloudflare Turnstile was used to hide the phishing payload from static content scanners, preserving the good reputation of its domain.” Notably, the threat actors abused Sway, a free Microsoft 365 presentation app, to evade security technologies.

“By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves,” the researchers write. “Additionally, a victim uses their Microsoft 365 account that they’re already logged into when they open a Sway page, which can help persuade them about its legitimacy as well.

“Sway can be shared through either a link (URL link or visual link) or embedded on a website using an iframe. Over the past six months, Netskope Threat Labs observed little to no malicious traffic using Microsoft Sway. However, in July 2024, we observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages. The pages we investigated were targeting Microsoft 365 accounts.”

Blog post with links:
https://blog.knowbe4.com/threat-actors-abuse-microsoft-sway-to-launch-qr-code-phishing-attacks

Fewer, High-Profile Ransomware Attacks Are Yielding Higher Ransoms

Analysis of cryptocurrency payments made on the blockchain highlights shifts in the size and frequency of ransomware attacks and may paint a bleak picture for the remainder of the year.

Each quarter, blockchain analysis company Chainalysis analyzes cybercriminal activity from the perspective of blockchain use to facilitate payments, crypto theft, etc.

In their 2024 Crypto Crime Mid-year Update Part 1, we see a few notable changes in ransomware attacks:

  • 2024 is set to be the highest-grossing year yet for ransomware payments
  • The median ransom payment made to ransomware strains receiving a minimum of $1 million spiked from just under $200,000 in early 2023 to $1.5 million in mid-June 2024

Chainalysis provides an interesting chart to visualize ransomware payments made over time. As the chart shows, we’re seeing a trend where ransomware payments are increasing. The median payment size in the first week of 2023 was just $198,939. In comparison, the median payment in mid-June of 2024 was $1.5 million — a nearly 800% increase! Keep in mind — these are payments and not demands; so we’re seeing the true impacts of ransomware attacks, which are trending towards being more expensive.

This is a key reason why organizations need to focus on stopping such attacks to a greater degree, which should include protection against phishing attacks via security awareness training to ensure an organization’s users act as part of the defenses, siding with vigilance when interacting with a potentially malicious email or website, rather than simply becoming a victim and enabling an attack.

Blog post with links and charts:
https://blog.knowbe4.com/fewer-high-profile-ransomware-attacks-yield-higher-ransoms-and-a-mid-year-total-of-just-over-450-million

Most Phishing Sites Are Now Mobile-Compatible

A new report from Zimperium has found that 78% of phishing sites are designed to target mobile browsers. These attacks can give threat actors a foothold inside an organization’s network, especially if an employee uses their phone for work-related activities.

“Mobile phishing includes various types such as SMS phishing (smishing), voice phishing (vishing), app-based phishing, email phishing and social media phishing,” the researchers explain. “While some phishing campaigns appear to target consumers, they can serve as a Trojan horse to deliver malware, capture reused passwords, or hijack OTPs, ultimately infiltrating corporate networks and applications on the device.”

The researchers also warn that most phishing sites now use HTTPS, which is indicated by a lock icon next to the URL in the browser bar. Users should be aware that the lock icon simply means that the site’s traffic is encrypted, not that the site is necessarily legitimate.

“Due to changes in browser behavior to treat non encrypted sites as less secure, and the ability to evade detection due to encrypted communication, attackers have been migrating to use secure communications (HTTPS) for modern phishing attacks,” the researchers write.

“At the moment of writing, our analysis shows that only 12.9% of phishing URLs employ an unencrypted HTTP scheme, while 87.1% utilized the more secure HTTPS (including those that redirected from HTTP to HTTPS). The use of secured connections to serve malicious content can create a false sense of security for the user or mask malicious intent behind the ‘lock’ icon on the browser.”

Zimperium found that 60% of newly created phishing domains receive an SSL certificate within two hours of being registered. The researchers note, “This means that in just 2 hours, a new phishing domain can be created and be fully operational over a secure HTTPS connection.”

Zimperium has the story:
https://www.zimperium.com/blog/deep-dive-into-phishing-chronology-threats-and-trends/

What KnowBe4 Customers Say

“Hi Edmond, I am writing to express my sincere gratitude for the exceptional support I have received from you over the past few months to create training & phishing campaigns.

Your support has been marked by professionalism, efficiency, and a genuine desire to help. Your dedication to providing top-notch technical support has made a significant difference and transformed my experience with KnowBe4.

You have consistently demonstrated patience, extensive knowledge, and prompt responses. Your attention to detail and willingness to go above and beyond truly exemplify excellent support.

Thank you once again for your outstanding support. I look forward to continuing to work closely with you in the future.”

– H.C., Manager, IT


“Hi Stu, I have been a customer of KnowBe4 for nearly 10 years now (across 2 companies). Been a great ride… Our employees are better off as a result of the training! Keep up the good work! Thanks!”

– B.L., CIO

The 10 Interesting News Items This Week

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff

