Phishing Attacks Now More Common Than Malware

Tony Mason | Security Awareness & Phishing

Phishing Attacks More Common Than Malware

The latest annual Microsoft Security Intelligence Report (SIR) has just been issued and indicates that phishing attacks are now by far the most frequent cyber threat.  Since their last report, phishing attacks have increased 250%.

Microsoft’s security team is in a strong position to analyse trends in cyber security threats. Their figures are based on internal scans of O365 email, and the latest report draws on over 470 billion messages. The results show that phishing attacks are not only more frequent but have, in a short space of time, become significantly more sophisticated.

Technology is getting better at detecting phishing attacks, with machine learning improvements automatically blocking phishing emails. Unfortunately, phishing continues to be a threat because it exploits human nature: cyber criminals play on fear, panic, brand trust, or ignorance, and they keep using this method of attack because of the success they have with it.

The Rise of Phishing Attacks

The report shows that not only are phishing attacks increasing, but they are becoming the criminals’ preferred attack method.  Attackers are often able to convincingly impersonate users and domains.  They bait victims with fake cloud storage links, engage in social engineering and create attachments that look similar to those commonly used in the organisation.

As we reported last week on Ransomware-as-a-service, cyber hacking services are now available to any aspiring cyber criminal in an ‘out-of-the-box’ format. Phishing attacks are also now available in kit form.  These Phishing Kits clone popular websites and operate from temporary servers.  They can be purchased from the Dark Web at reasonable prices.

Avoiding Phishing

On analysing the SIR, KnowBe4 note that simple diligence can defeat just about all the phishing attacks listed.

Most phishing messages succeed through social engineering tactics, leveraging blind trust, impulsiveness and lack of awareness. Proper organisation-wide security awareness training that focuses on recognising common phishing attacks and request response policies can drive down the phish-prone percentage of users dramatically.

Vendor Supply Chain

Both Microsoft and KnowBe4 also highlight that while companies must train their staff and internal users, they must also ensure that their vendors are doing the same.  Supply chain attacks are another new area of focus for cyber criminals. These attacks tend to deliver malware that installs crypto-currency coin miners. Therefore, any outside vendor with access to your systems is a potential point of compromise.

The best defence is a layered approach to security that involves employee training & collaboration with digital supply chain partners.

See the whole story here.


Tony Mason | Data Protection, Endpoint Security, Enterprise Security, Security Awareness & Phishing

Ransomware-as-a-Service available on the Dark Web

The Dark Web and Ransomware-as-a-Service

This month our partner, Vipre, reported on Ransomware-as-a-Service and the impacts this could have on the industry.  Jason Norton advised, ‘Ransomware is a form of malware that encrypts, or locks a user out of and away from their critical data. Typically, the attacker demands monetary payment in exchange for a decryption key that promises to unlock the hijacked data’.

Reports this week are claiming that more companies are paying the demands, as their insurance companies are paying the bill.   This definitely makes for a lucrative market for potential cyber criminals to focus on. However, this may not result in you getting your data back.


Jason explains how Ransomware-as-a-Service (RaaS) is slightly different to normal ransomware. ‘Unlike traditional ransomware, RaaS doesn’t require the attacker to be necessarily skilled at writing computer code to launch attacks. That is because the RaaS delivery model is similar to a monthly subscription service. This type of affiliate program creates a win-win situation for both the malware author and the subscription buyer. There is usually some type of profit sharing or split between the two parties which is normally agreed upon up front. In the end, the only loser is the victim who pays the demanded monetary ransom in the hope of safely getting their valuable data back’.

For a monthly subscription fee, cyber criminals can provide access to easy-to-use malware and ransomware, packaged for immediate distribution to the buyer. These RaaS packages are found and sold on the Dark Web.

The interesting & most concerning point Jason makes about the advent of RaaS is that it removes a large barrier to bad actors’ entry into this field.

To become a hacker, you used to need the ability to code. With RaaS, that requirement has been removed. The problem this creates is that there is no guarantee you will get your data back. There used to be an unwritten rule in the world of ransomware that once you had paid the ransom, you would receive your data back. Sadly, the new hackers using RaaS don’t have the skill set to retrieve it for you.

Additionally, the volume of attacks may rise as it becomes easier for new entrants to enter the market. Jason likens this to pyramid selling schemes: here, the ransomware authors stand to make a lot of money by maximising the number of hackers using their service.

Key ways to counter Ransomware

  • Use a Next-Gen Endpoint Security Solution, such as Vipre
  • Train Your Users: using simulated phishing of latest scams, together with engaging & interactive training, such as KnowBe4
  • Regularly Back Up Your Data


Check here for Vipre’s full report.

Phishers Shift Efforts To Attack SaaS and Webmail Services

Tony Mason | Security Awareness & Phishing

A new report out today provides us with some good news and some bad for the beginning of 2019. According to Help Net Security ‘the good news is that the total number of conventional, spam-based phishing campaigns declined as 2018 came to a close.  The bad news is that users of software-as-a-service (SaaS) systems and webmail services are being increasingly targeted.’

APWG have just issued their Q4 2018 Phishing Activity Trends Report, and it shows that the number of confirmed phishing sites declined towards the end of 2018. They report 138,328 in Q4, versus 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1. Over the year as a whole, however, phishing sites grew 220% and phishing attacks increased 36%.

Phishing Sites

This decline in the number of phishing campaigns may be due to anti-phishing efforts. It may also be because criminals are moving to more specialised and lucrative forms of e-crime than pure mass-market phishing. However, there is also a growing concern that the decline may actually reflect attacks going undetected, as techniques become ever more sophisticated. Detection and documentation of some phishing URLs has been complicated by phishers obfuscating those URLs with techniques such as Web-spider deflection schemes. Attackers are also building multiple redirects into spam-based phishing campaigns: they take users (and automated detectors) from an email through multiple URLs on multiple domains before finally depositing the potential victim at the actual phishing site.

New Preferred Targets

Phishing targeting SaaS and Webmail services increased from 20.1% of all attacks in Q3 to almost 30% in Q4. Attacks against cloud storage and file hosting sites continued to decrease, falling from 11.3% of all attacks in Q1 2018 to only 4% in Q4 2018.


Phishing Attacks Hosted on HTTPS & SSL



Interestingly, researchers at APWG member PhishLabs noted that in Q4 2018, the number of phishing attacks hosted on websites with HTTPS and SSL certificates declined for the first time in history. However, 47% of phishing attacks are still hosted on sites that use digital certificates to make attacks look legitimate, fooling users into thinking they are secure and avoiding browser warnings.

So whatever the shift in trends, we still need to remain vigilant and aware of the developments and increased sophistication of the attackers at large.

Black Friday Scam

Tony Mason | Security Awareness & Phishing

Black Friday & Cyber Monday Scams

This week sees the return of the Black Friday and Cyber Monday phenomenon. These marketing events are driving up online sales in the run up to Christmas. 2017’s Cyber Monday was the largest online shopping day in history and was mobile’s first $2 billion day.

This weekend has become an unbridled online spending extravaganza, but threat actors have taken notice. It’s Holiday Season for these bad guys too, but not the way you might think. They go into scam-overdrive mode.

Black Friday and Cyber Monday are the busiest online shopping days, and the scammers are out to get rich with your money.

With their latest report, the team at RiskIQ summarised it well:

“Ever the opportunists, threat actors set up their operations where the money is; and in the case of the Black Friday and Cyber Monday phenomena, it’s e-commerce. According to Adobe Digital Index, in 2017, online shoppers stuffed e-commerce cash registers with more than $19.6 billion in sales through the Black Friday weekend—a more than 15 percent increase over 2016.

“With more people than ever poised to partake in this year’s November shopping frenzy, attackers will capitalise by using the brand names of leading e-tailers to exploit users looking for Black Friday deals and coupons by creating fake mobile apps and landing pages to fool consumers into downloading malware, using compromised sites, or giving up their login credentials and credit card information.”

Sales this weekend are forecast to be up 19.4% on last year with $7.8 billion expected in e-commerce on Cyber Monday.

What starts out as a search for Christmas presents at bargain prices can turn into a financial nightmare. For brands, what starts as a marketing campaign to boost sales can turn into a security fiasco that not only affects them financially but can destroy trust with their customers.

This year, Magecart, which is made up of several groups of digital credit card-skimming actors with ties to Russia, adds a serious new layer of threat. They are responsible for large-scale breaches that stole thousands of customer credit cards.  Only put your details in a secure shopping portal, not on sites for coupons and competitions and be restrictive with your personal data.

It’s worth sending an email to staff over this weekend and the Christmas season reminding them to be vigilant.  It is crucial to pay attention to detail while shopping online.

So what to look out for?  At the moment, there are literally thousands of fake sites, looking just like the real thing. Don’t fall for it.

Key Things to Consider:

  1. Make sure the site you go to is the real one, including subsequent link addresses.
  2. Type in the address or use your bookmark.
  3. Do not click on links in emails with special offers.
  4. Be aware of permissions the site is requesting, is it relevant to what’s required?
  5. Watch out for alerts via email or text claiming you have just received a package from FedEx, UPS or DPD that then ask you for personal information. Don’t enter anything.
  6. Don’t download fake mobile apps that promise big shopping savings.
  7. Be very wary of online discount coupons. Don’t input your details unless you trust the site’s official web address & be restrictive with your data.
  8. Ensure the site is served over ‘https’.
  9. Only use Credit Cards online, instead of Debit Cards & if possible, only use credit card information saved in your online shopping account to avoid being intercepted by Magecart.

Think Before You Click! 

KnowBe4 Security Awareness Training

GDPR & Data Breaches

Tony Mason | Data Protection, News, Security Awareness & Phishing

GDPR & Data Breaches Under The New Rules


GDPR & Data Breaches 6 Months On.

The value of the average data breach fine issued by the Information Commissioner’s Office (ICO) in the UK has doubled in one year, reaching £146,000, according to the City law firm RPC.

The total value of fines imposed by the ICO has risen by 24% compared to 2017, reaching just under £5m at the end of September.

Credit reporting agency Equifax was issued the maximum £500k last month for failing to protect the data of 15 million people when their data was stolen in a cyber attack in 2017.

According to Richard Breavington, a partner at RPC, ‘A doubling in the average size of fine should serve as a wake-up call to business. However, political pressure is mounting.’

The ICO issued its first enforcement notice under the new rules in September.  They fined AggregateIQ, who allegedly used the data of 87m Facebook users to sway voters during the 2016 EU referendum.

Facebook have also just been fined £500K for failing to protect users’ information and for a lack of transparency about how this data was being used. As this activity took place before the new European GDPR rules came into force, the fine isn’t included in the figures above and was capped at the maximum of £500K. Should such a serious data breach occur today, the maximum fine would be 4% of global turnover, which could be as much as $1.9 billion. Companies need to understand the new rules, ensure all their staff are aware of them, and ensure there is full compliance.

Heathrow Airport also saw a fine of a mere £120K for a ‘serious’ data breach: it failed to secure ‘sensitive personal data’ when an employee lost a memory stick that was neither encrypted nor password protected (only 2% of staff had been trained in data protection, and there was a widespread practice of staff downloading sensitive data onto memory sticks, which contravened company policy as well as GDPR rules). Had Heathrow been penalised under the new rules, it could have faced a penalty of £17 million or 4% of turnover.

BA is now the subject of an open ICO case over the recent data breach from its website. Since this occurred after May, legal experts are asking whether the new data laws could see BA fined up to £500 million if it is found to be in breach of the new rules.

Fines are coming not only from the data watchdog, the ICO, but from elsewhere too. Morrisons has just lost its appeal against a High Court ruling that it is legally liable for a former employee leaking personal information about 100,000 staff members, and it may now face compensation bills running into millions. This result will sound alarm bells for other businesses and have huge ramifications for others in the future. Companies need to take responsibility for their data; it’s about protecting people as much as their data.

It is becoming increasingly clear that we need to create a strong culture of responsibility. 

A recent Versasec survey examining the impact of GDPR six months on shows that the privacy regulation cost more to implement than was anticipated. Non-EU companies are also beginning to adopt similar regulations in anticipation of new rules in their own territories, with 30% believing that more stringent privacy rules are likely worldwide.

The biggest concern of those surveyed was to ensure all employees comply with the rules. Their fears are more down to the fines they could face due to GDPR & data breaches, than losing revenue or customers.

59% of respondents admitted their company was still not fully compliant on May 25; their challenges centred around educating employees and having enough resources to implement the new regulation.

Data is important and the fines and ramifications for businesses are huge. From the directors down, all staff need to be aware of the importance of data and cyber security, from passwords, to encryption, downloading, to memory sticks.  Training staff in an engaging and motivating way will go a long way to ensuring processes and policies are followed and systems are protected.

The repercussions can be devastating, whether financially, legally, personally, your reputation or much worse…


KnowBe4’s Security Awareness Training library includes GDPR training modules, videos, posters & newsletters as part of their extensive library of training modules.

Security Training-Marketing

Tony Mason | Security Awareness & Phishing

Consider Security Training as Security Marketing

As over 90% of security incidents are connected to human error, many companies are initiating security training to counter the risks to business.

However, that exceedingly high figure should make you reconsider what’s happening with that security training. The problem is often that the content is boring and mandatory, and a one-size-fits-all approach does not mitigate the risks.

Making end users aware of cyberthreats has great potential for the business and therefore, security awareness training should be part of a layered defence strategy.

In a study titled “Shifting the Human Factors Paradigm in Cybersecurity”, cybersecurity executive Calvin Nobles found that while organisations are investing heavily in security technology, they are still lagging behind when it comes to security training initiatives.

Lisa Plaggemier, security evangelist at InfoSec Institute, feels similarly, stating that employees may well be aware of the cyber risks but do not necessarily change their behaviour. She states that employees openly violate security policies: they log in over unsecured public networks, use work devices for personal transactions, download unapproved software, share passwords and unknowingly open malicious attachments from phishing attacks.

She believes this should be more a case of not whether companies train, but actually how they engage their employees and empower them to feel a sense of ownership of the company’s security.

Nobles also found that the culture of the company plays a significant role.   A culture that is employee-focused and team-oriented, with open communication and a positive work atmosphere, is more likely to have employees who feel both empowered and valued. In turn, they value the company.

One of the greatest challenges to the success of cybersecurity is to create a change in the culture rather than just training the staff. To change the culture of a company, its employees need to buy in, and that buy-in must come from the top down. Fortunately, cybersecurity is moving away from being a mysterious, frightening, negative aspect of a business and is now receiving ongoing investment, rather than just being an option.

Plaggemier suggests that awareness campaigns should look more like marketing campaigns. Most current training is one size fits all and consists of disengaging, mandatory, hard-line messages. A tailored approach, delivered to the right person at the right time, can be engaging and funny and can spark interest. Employees are then more likely to get on board with the security culture and much more likely to learn. If employees are fully engaged, they are more likely to feel responsible for the business and therefore more likely to take action.

It is important to offer a clear message as to why security matters and put it on a level with other messages that your employees view throughout the day.

One-off training exercises also lack any tracking. Tracking enables you to see whether people are actually learning and changing their behaviour. It’s not about who has had the training, but who has learnt from it and remains engaged for the future.

Need assistance to implement a fully integrated security training campaign?

Check here:

KnowBe4, the largest library of training modules, simulated Phishing campaigns, marketing material and management reports: Phish, Analyse, Train, Repeat.

Cyber Attack on UK ‘in little doubt’.

Tony Mason | News

NCSC report Cyber Attack ‘in little doubt’

Major life-threatening cyber attack on UK ‘in little doubt’ in near future warns security chief.

The National Cyber Security Centre (NCSC), part of GCHQ, warns that a life-threatening incident will almost inevitably strike the UK in the near future. Over the last 12 months they have handled over 557 attacks by groups of hackers who are directed, sponsored or tolerated by governments of countries hostile to the UK and they are the most acute and direct cyber threat to our national security.  None were category 1, a strike with potential risk to life, but the NCSC warned that this is likely.  Last year’s category 2 attack on the NHS affected 80 out of the 236 hospital trusts as well as 595 GP practices, and cost the NHS £92 million.  

With cyber security threats continuing to escalate worldwide, the ISACA/CMMI Institute Cybersecurity Culture Report found that only 5% of employees think their organisation’s cyber security culture is as advanced as it needs to be to protect their business from internal and external threats. More than 4,800 business and technology professionals shared their insights in the global research study, conducted via online polling in June 2018 and the results were issued this week.  9 in 10 companies report gaps between the cyber security culture they have, and the one they want.  42% do not have an outlined cyber security culture management plan or policy.  

The NCSC also monitors and defends the UK against ‘high volume commodity attacks’ such as phishing emails designed to fool people into installing malware on their devices and in the year up to August 18 they removed 138,389 phishing sites hosted in the UK.

These phishing emails are becoming increasingly sophisticated at fooling victims into giving up their details or, more recently, opening PDFs. In one recent case, a user downloaded a document that seemingly offered information on upcoming releases from a major media streaming site. The document had a macro that opened the file as expected, so the user was completely unaware that it had also installed a rogue application able to upload and download files on demand. This particular file avoided detection for a long time by limiting its core functionality. Hackers can then establish a persistent foothold on a network and take their time to conduct network reconnaissance, identifying other users on the network to target and accessing sensitive documents stored in cloud-based services.

Companies must therefore develop and nurture a cyber security culture across the whole business, not just within their IT teams.

It’s worth auditing your cyber security culture before it’s too late.

Cybersecurity Awareness Month

Tony Mason | News

National Cybersecurity Awareness Month

October is National Cybersecurity Awareness Month (NCSAM).  Set up 15 years ago in the US, NCSAM was a collaboration between government and industry and is ever more relevant today.

Last week’s theme focussed on online security in the home, ensuring parents train their kids in online security as part of their usual life-skills.  This goes from the internet, to mobile devices, social media and even adjusting the thermostat; everyone in the household needs to learn the importance of protecting their homes against cyber threats.

This week’s focus is on educating for a career in Cybersecurity.  We have a continuing shortage of cybersecurity professionals worldwide. At a time when there is an increase in cybercrime and our cyber needs continue to grow as we become ever more digitally connected, there is a massive risk to businesses and the economy.  GCHQ UK works closely with educational bodies across the UK to encourage young people to take an interest in cybersecurity.  They ran a Code Club in the summer, have 40 STEM Ambassadors inspiring youngsters and supporting teachers by explaining current applications of STEM in industry or research today and are now offering degree level apprenticeships and university bursaries.

As an industry we need to do more to train our staff to be more vigilant online.  In the past security awareness training was considered a nice to have.  It was pushed back due to budget or lack of in-house expertise on training.  For this reason, it is particularly the SMBs that have suffered.  Today many companies are now putting security awareness training among their top 3 security expenditures alongside firewalls and endpoint security.  This is due to the increased annual losses following a ransomware or data loss breach.  If you aren’t educating your users in security awareness, then you are putting your business at risk.

€3 Million CEO Fraud | Phishing Attack

Tony Mason | Security Awareness & Phishing

CEO Fraud – Cyber Criminals

€3 Million CEO Fraud from a Phishing Attack on an Office 365 Account.

Finnish antivirus company F-Secure reports this week on a phishing attack on an Office 365 account that nearly cost a Finnish investment firm €3 million. One of the firm’s employees received a phishing email that enabled a €3 million CEO fraud scam. It started with an email that looked like it came from delivery firm DHL but which led to a fake site.

The employee not only clicked on the link in the email, using his own email account, but also entered his details, including payment information, on the fake site, thereby becoming the next social engineering victim.

Now able to monitor his communications, the cyber criminals sent the victim further emails. They sent a correction to a new account number, which went undetected. They attached an Excel file with details of the new account where the money should go, and unfortunately the payment was arranged.

Typical of phishing attacks, the translation of the language in the Excel spreadsheet was so awful that concerns were then raised but sadly much too late.

The company was, however, able to freeze the transaction at the last minute, and they found that this employee’s account had in fact been compromised.

The bad guys almost won again.


CEO Fraud is on the rise, responsible for over $3 billion in losses and has ruined many careers. Staff, especially finance departments, are often compromised, and there is little likelihood of getting this money back.  Be prepared and strengthen your workforce with security awareness training and simulated phishing programmes. 

Check out how easy & successful training can be.

CyberheistNews Vol 7 #26 [HEADS UP] Ransomware Now Hits Linux – Web Hosting Provider Pays a Million

Tony Mason | Security Awareness & Phishing

[HEADS UP] Ransomware Now Hits Linux – Web Hosting Provider Pays a Million

South Korean web hosting company Nayana agreed to pay a whopping 1 million in Bitcoin after a ransomware attack hit their 153 Linux servers.

The attack took place June 10 and resulted in over 3,400 business websites the company hosts being encrypted. According to Nayana’s initial announcement, the attacker demanded 550 Bitcoins to decrypt the infected files. Following a few days of negotiations, they lowered the ransom demand to 397.6 Bitcoins (around a million at the time, though exchange rates are volatile).

Trend Micro revealed that the ransomware used in this attack was Erebus, a piece of malware that was initially spotted in September 2016 and which was already seen in Windows attacks earlier this year, when it had a User Account Control bypass feature.

The bad guys have now ported the Erebus ransomware to Linux and are using it to target vulnerable servers. Nayana’s website was running on an old version of the Linux kernel compiled back in 2008, which is vulnerable to a great many exploits that could provide attackers with root access to the server, such as Dirty COW, Trend Micro noted.


Nayana don’t just need to patch their systems, they need to get all of their servers upgraded to newer versions of whatever Linux distro they use, and then properly secure those upgraded systems. With 153 servers, they’re going to have to take their entire service offline for weeks (maybe longer) in order to get that done. More technical detail at the KnowBe4 Blog:

Windows 10 Stops Ransomware Cold? Not So Fast!

Recently, Microsoft claimed that no known ransomware could penetrate the new Win10 Creators Update.

Presenting new anti-ransomware protection features added in Win 10 CU, Robert Lefferts, Director of Program Management, Windows Enterprise and Security, said that no Windows 10 customer was affected by the recent WannaCry ransomware outbreak that took place in mid-May and no currently known ransomware strain can infect Windows 10.

ZDNet decided not to take that on trust but to look for themselves. They hired a pro hacker and wanted to see if such a bold claim would hold up.

Spoiler alert: It didn’t. Story at the KnowBe4 Blog:

FBI: “Extortion and CEO Fraud Are the Top Online Fraud Complaints”

And victims aren’t reporting ransomware attacks…

Online extortion, tech support scams and phishing attacks that spoof the boss (CEO Fraud) were among the most damaging and expensive scams according to new figures from the FBI’s Internet Crime Complaint Center (IC3).

The IC3 report released Thursday identifies some of the most prevalent and insidious forms of cybercrime today, but the total financial losses tied to each crime type also show that victims do not report these crimes to law enforcement very much.

Note that the FBI calls CEO fraud “Business Email Compromise” and commented: “Business Email Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses who regularly perform wire transfer payments. The Email Account Compromise (EAC) component of BEC targets individuals who perform wire transfer payments.

“The techniques used in both the BEC and EAC scams have become increasingly similar, prompting the IC3 to begin tracking these scams as a single crime type in 2017. The scam is carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

People Only Report 15% of Ransomware Attacks

Writing for — a great tech support forum run by our friend Larry Abrams — Catalin Cimpanu observes that the FBI’s ransomware numbers “are ridiculously small compared to what happens in the real world, where ransomware is one of today’s most prevalent cyber-threats.”

“The only explanation is that people are paying ransoms, restoring from backups, or reinstalling PCs without filing a complaint with authorities,” Cimpanu writes.

Real Cost of Cyber Fraud Closer to 9 billion Dollars

Only roughly 15 percent of the nation’s fraud victims report their crimes to law enforcement; for 2016, 298,728 complaints were received, with total victim losses of 1.33 billion dollars. Intrepid investigative cybercrime reporter Brian Krebs noted: “If that 15 percent estimate is close to accurate, that means the real cost of cyber fraud for Americans last year was probably closer to 9 billion dollars.

Applying that same 15 percent rule, that brings the likely actual losses from CEO fraud schemes to around 2.4 billion dollars last year.”

Bonus Report. You Can Now See This for Your Own State

For instance, take Florida where KnowBe4 is located. The FBI reported it lost 29,560,665 dollars to BEC just last year, but using the 15% rule it’s most likely a whopping 190 million dollars, and that is just one state. This is the link where you can see the numbers for your state, which is useful if you are going for IT security budget approval and need numbers that are real and close to home.

Links, pictures and download your complimentary CEO Fraud Prevention Manual PDF here:

Can You Be Spoofed? Find out for a Chance to Win.

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a “CEO fraud” spear phishing attack on your organization.

KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test and enter you to win an awesome Stormtrooper Helmet Prop Replica at the same time.

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless steel lock-pick business card!

To enter, just go here and fill out the form; it’s quick, easy and often a shocking discovery… 82% of email servers are not configured correctly. Is yours?

On-Demand Webinar: Best Practices and Future Direction of Security Awareness Training

While reported numbers fluctuate from industry study to industry study, they all agree on one thing: cybercriminals are successfully and consistently exploiting human nature to accomplish their goals. Prudent security leaders know that security awareness and training is key to strengthening their ‘human firewall’ – but they often don’t know where to start.

In this webinar “Best Practices and Future Direction of Security Awareness Training”, Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4 and former Gartner Research Analyst in charge of the awareness training magic quadrant, discusses emerging industry trends and provides the actionable information you need to train your last line of defense, your employees.

Perry will cover these topics:

  • Practical security awareness and behavior management tips
  • Outlining how and where tools are helpful
  • Emerging industry trends
  • How to create a “human firewall”

Watch Now:

Scam of the Week: Real Estate Wire Transfer Phishing Fraud

According to the NY Daily News, State Supreme Court Justice Lori Sattler was in the process of selling her apartment and buying another, when she received an email that seemed like it was coming from her lawyer.

The “lawyer” instructed her to send the money – a little over 1 million dollars – to an account with the Commerce Bank of China, and she did.

It is not known if the scammers managed to compromise Sattler’s account, the lawyer’s email account or if they created a spoofed one, but it’s highly likely that one of the two people involved was pwned – how else would the bad guys know how to send such a timely and convincing spear-phishing email?

Emails From Fake Realtors Are Skyrocketing

Our customers send us “phishy” emails through our complimentary Phish Alert button; we get thousands per day. These real-estate-themed phishing attacks usually come from spoofed addresses of firms like Keller Williams, Remax and so on.

You have to remember that most Realtors use their personal email accounts to conduct business. Their email signature will have their company email address listed, but they are always sending and receiving from either their ISP-provided email account or from Hotmail, Yahoo, or Gmail. This is not very secure, but it is very convenient when you are on the road most of your day.

Here is a recent scenario. A fake email comes in carrying a PDF file that pertains to a current real estate transaction, which tells you the realtor’s email account has been hacked. In one case it went so far that, after every closing in that office, the closer received an email with different wiring instructions. The bad guy had gotten into the realtor’s email account and knew when every one of their closings was taking place.

I suggest you send employees, friends and family an email about this Scam of the Week, you’re welcome to copy/paste/edit:

“There is an epidemic of real-estate related phishing scams going on. Bad guys silently take over the email address of a home buyer or their realtor / lawyer, and right at the moment that a large amount of money needs to get wired for closing, they send a fake email with a different bank account that the bad guys control.

Always, always, always pick up the phone before you make a large transfer and get confirmation about the correct bank account that the wire goes to. This is true for the house, but also the office.”

Obviously, an end-user who was trained to spot social engineering red flags like this would think twice before they wire money to an unknown account.

Let’s stay safe out there.


Warm Regards,
Stu Sjouwerman

Two Albert Einstein Quotes of the Week

“Whoever is careless with the truth in small matters cannot be trusted with important matters.”

“Education is what remains after one has forgotten what one has learned in school.”


Thanks for reading CyberheistNews

Security News

Why So Many Top Hackers Hail from Russia

Brian Krebs wrote: “Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information technology in middle and high schools, and yet they lack a Silicon Valley-like pipeline to help talented IT experts channel their skills into high-paying jobs.”

His post examines the first part of that assumption by examining a breadth of open-source data.

The supply side of that conventional wisdom seems to be supported by an analysis of educational data from both the U.S. and Russia, which indicates there are several stark and important differences between how American students are taught and tested on IT subjects versus their counterparts in Eastern Europe. Here is the whole post; the comments at the end are interesting too:

Ukraine Was Russia’s Test-Lab for CyberWar

The quintessential cyberwar scenario has come to life in Ukraine. Twice. On separate occasions, invisible saboteurs turned off the electricity to hundreds of thousands of people. The blackouts were part of a digital blitzkrieg that has pummeled Ukraine for the past three years: a sustained cyberassault.

How an Entire Nation Became Russia’s Test Lab for Cyberwar:

Global Cyber Alliance: “Few U.S. Hospitals Secure Their Email Against Phishing”

Shaun Waterman at the quite useful CyberScoop site wrote: “Fewer than one-third of the largest 98 public and private hospitals in the United States secure their email against phishing and spamming, according to data released Thursday.

The Global Cyber Alliance said that of the 50 largest public hospitals, only six employed Domain-based Message Authentication, Reporting and Conformance, or DMARC — an email authentication policy and reporting protocol developed a decade ago, originally by PayPal. Of the 48 biggest for-profit hospitals, only 22 used DMARC.” Full story at the KnowBe4 Blog:
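The Domain Spoof Test earlier in this issue and the hospital DMARC numbers here come down to the same question: does a domain publish a DMARC record that actually tells receiving mail servers to quarantine or reject mail that fails authentication? Merely “having DMARC” is not enough; a record with p=none only monitors, and a low pct= value only enforces on a fraction of failing mail. The script below is an added illustration and is not code from the newsletter, from KnowBe4 or from the Global Cyber Alliance; the domain names and TXT records in it are constructed samples, and it performs no DNS lookups itself (fetch the real record with `dig TXT _dmarc.yourdomain.example` and feed the string in). The p/sp/pct/rua/ruf tags and the fallback rule for a missing p= tag follow RFC 7489.

```python
"""Grade DMARC TXT records by how much protection against domain spoofing they give.

Added example; the records below are constructed samples, not real domains' records.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records keyed by domain (what dig TXT _dmarc.<domain> would return).
SAMPLE_RECORDS: Dict[str, str] = {
    "hospital-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example; pct=100",
    "hospital-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "hospital-d.example": "",                                   # nothing published at _dmarc
    "hospital-e.example": "v=spf1 include:_spf.example -all",   # an SPF record at _dmarc (wrong type)
}


@dataclass
class DmarcAssessment:
    domain: str
    published: bool            # a usable v=DMARC1 record exists
    policy: Optional[str]      # p= value
    subdomain_policy: Optional[str]
    pct: int                   # share of failing mail the policy applies to
    reporting: bool            # rua= or ruf= present
    rating: str                # unprotected | monitor-only | partial | enforcing
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive (RFC 7489 6.3)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: str) -> DmarcAssessment:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(domain, False, None, None, 0, False, "unprotected",
                               ["no valid DMARC record published; receivers get no instruction to reject spoofed mail"])

    reporting = "rua" in tags or "ruf" in tags
    policy = tags.get("p", "").lower()
    # RFC 7489 6.6.3: a record with no p= tag but a rua= tag is treated as p=none;
    # without rua= the record is unusable.
    if "p" not in tags and "rua" in tags:
        policy = "none"
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100

    findings: List[str] = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= tag ({policy!r}); receivers ignore the record")
        rating = "unprotected"
    elif policy == "none":
        findings.append("p=none is monitoring only; mail failing SPF/DKIM alignment is still delivered")
        rating = "monitor-only"
    else:
        rating = "enforcing"

    if rating == "enforcing" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail receives the {policy} policy")
        rating = "partial"
    if rating in ("enforcing", "partial") and subdomain_policy == "none":
        findings.append("sp=none leaves subdomains open to spoofing even though the org domain is enforcing")
    if not reporting:
        findings.append("no rua=/ruf=: no aggregate reports, so no visibility into who sends as this domain")

    return DmarcAssessment(domain, True, policy, subdomain_policy, pct, reporting, rating, findings)


def summarize(records: Dict[str, str]) -> Dict[str, str]:
    """Map each domain to its rating, the way a fleet-wide survey would tally it."""
    return {domain: assess_dmarc(domain, rec).rating for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(domain, rec)
        print(f"{domain}: {result.rating}")
        for note in result.findings:
            print(f"    - {note}")
```

Only a domain rated “enforcing” (p=quarantine or p=reject at pct=100, with an enforcing sp= as well) gives receivers a reason to stop look-alike mail sent “from” your own domain; a survey that counts p=none as “using DMARC” overstates how many organisations are actually protected.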

Security Awareness Training Can Lower Your Cyberinsurance Premium

New-school security awareness training might even pay for itself from Day 1!

How? Call your cybersecurity insurance carrier or agent and specifically ask if you get a discount on the premium if you step all employees through awareness training. There could be significant savings and it may even fully pay for the training.

KnowBe4 advises both prospects and existing customers to inquire with their cyber insurance company about a reduced premium or discount for having our training in place. Frequently this works, and the compliance modules and physical security parts in the Diamond pricing level also get them a discount.

One cyber insurance carrier told us: “Thanks for your inquiry, and question earlier on whether we can offer a discounted premium on cyber insurance for having security awareness training in place. Yes, having training in place for employees certainly helps lower the cyber insurance premium.”

Get a quote to begin with, so you know how surprisingly affordable this is:

New Insider Threat Training Regulations Take Effect for Defense Contractors

I was quoted in FedScoop: “And, according to Stu Sjouwerman, CEO of security awareness training outfit KnowBe4, this regulation is also a response to the popular and increasing focus on human vulnerability in breaches.

“The last few years, it has become blindingly clear that the bad guys are not even bothering trying to find software vulnerabilities,” Sjouwerman said, “and have gone after the end-user with social engineering.”” Full article:

A Whole Slew of Interesting News Items This Week

Hardening the Workforce: Developing Cyber Defenses:

Vaping, e-Cigarettes Can Be Used to Hack Computers:

Honda factory struck by same WannaCry ransomware that caused global chaos:

Girl Scouts to Offer Cybersecurity Badges:

Microsoft admits to disabling third-party antivirus code if Win 10 doesn’t like it:

F-Secure Labs Shares the Top Companies Spoofed in Spam in 2017:

Russian hackers selling login credentials of UK politicians, diplomats:

New Mac Malware Spotted on the Dark Web:

KPMG: Cybersecurity Has Reached a ‘Tipping Point’ from Tech to CEO Business Issue:

Study: Employers aware of cybersecurity threats but not proactive enough:

Wikileaks: The CIA can remotely hack into computers that aren’t even connected to the internet:

How Hollywood Got Hacked: Studio at Center of Netflix Leak Breaks Silence (EXCLUSIVE):

Alert: There are too many cybersecurity alerts:

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.