CyberheistNews Vol 14 #45 [Heads Up] QR Code Phishing is Growing More Sophisticated


CyberheistNews Vol 14 #45  |   November 5th, 2024


[Heads Up] QR Code Phishing is Growing More Sophisticated
Stu Sjouwerman SACP

Sophos describes a QR code phishing (quishing) campaign that targeted its own employees in an attempt to steal information.

The attackers sent phishing emails that appeared to be related to employee benefits and retirement plans. The emails contained PDF attachments which, when opened, displayed a QR code.

If an employee scanned the code, they would be taken to a phishing page that spoofed a Microsoft 365 login form. The page was designed to steal login credentials and multi-factor authentication codes.

One of Sophos’s employees fell for the attack, showing that even cybersecurity companies are vulnerable to social engineering. Phishing links embedded in QR codes are more likely to evade detection by security filters, and people are less likely to notice that the URLs are suspicious.

“We in the security industry generally teach people resilience to phishing by instructing them to carefully look at a URL before clicking it on their computer,” Sophos explains.

“However, unlike a URL in plain text, QR codes do not lend themselves to scrutiny in the same way. Also, most people use their phone’s camera to interpret the QR code, rather than a computer, and it can be challenging to carefully scrutinize the URL that momentarily gets shown in the phone’s camera app.

“This is both because the URL may appear only for a few seconds before the app hides the URL from sight, and also because threat actors may use a variety of URL redirection techniques or services that conceal or obfuscate the final destination of the link presented in the camera app’s interface.”

Sophos has observed an increasing number of quishing attempts over the past few months, and these attacks are growing more sophisticated. “Throughout the summer, samples have become more refined, with a greater emphasis on the graphic design and appearance of the content displayed within the PDF,” the researchers write.

“Quishing documents now appear more polished than those we initially saw, with header and footer text customized to embed the name of the targeted individual (or at least, by the username for their email account) and/or the targeted organization where they work inside the PDF.”
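A defender’s triage check for the URL decoded from a QR code in an email attachment, added here as an example (it is not Sophos’s or KnowBe4’s code): it peels off the redirector layers the article mentions without touching the network, then flags anything whose final destination is not a Microsoft sign-in host. The redirect parameter names and the host allowlist are my assumptions, not values from the article.

```python
"""Quishing URL triage: offline unwrapping of redirector links plus an
allowlist check against Microsoft 365 sign-in hosts (added example)."""
from urllib.parse import parse_qs, unquote, urlparse

# Assumed allowlist: hosts where a genuine Microsoft 365 sign-in form lives.
M365_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

# Assumed heuristic list of query parameters that redirector/tracking links
# commonly use to carry the real destination.
REDIRECT_PARAMS = ("url", "u", "redirect", "redirect_uri", "target", "dest", "next", "goto")

MAX_HOPS = 5  # stop peeling nested redirectors after this many layers


def unwrap_redirects(url: str, max_hops: int = MAX_HOPS):
    """Return (final_url, hops): every destination the URL itself reveals.
    No requests are made; only embedded redirect parameters are followed."""
    hops = [url]
    current = url
    for _ in range(max_hops):
        query = parse_qs(urlparse(current).query)
        nxt = None
        for name in REDIRECT_PARAMS:
            for value in query.get(name, []):
                candidate = unquote(value)
                if candidate.startswith(("http://", "https://")):
                    nxt = candidate
                    break
            if nxt:
                break
        if not nxt:
            break
        hops.append(nxt)
        current = nxt
    return current, hops


def triage_qr_url(url: str) -> dict:
    """Classify a QR-decoded URL for a Microsoft 365 login-themed lure."""
    final, hops = unwrap_redirects(url)
    parsed = urlparse(final)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme != "https":
        reasons.append("non-https destination")
    if len(hops) > 1:
        reasons.append(f"{len(hops) - 1} redirect layer(s) hide the destination")
    if host not in M365_LOGIN_HOSTS:
        reasons.append(f"destination host {host!r} is not a Microsoft sign-in host")
        # A Microsoft-looking label inside a non-Microsoft host is a lookalike.
        if any(tok in host for tok in ("microsoft", "office365", "o365", "m365")):
            reasons.append("Microsoft lookalike in hostname")
    verdict = "allow" if not reasons else "flag-for-review"
    return {"verdict": verdict, "final_url": final, "hops": hops, "reasons": reasons}
```

Feed it the string your QR decoder produces for each PDF attachment; anything that comes back as flag-for-review should be quarantined and reported rather than delivered.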

Blog post with links, and a free QR Code Phishing Security Test:
https://blog.knowbe4.com/qr-code-phishing-is-growing-more-sophisticated

[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing

Old-school security awareness training (SAT) doesn’t hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, November 6, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to SAT and simulated phishing that’s effective in changing user behavior.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees’ behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.

Date/Time: TOMORROW, Wednesday, November 6, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN2

75% of Organizations Have Experienced a Deepfake-Related Attack

As generative AI evolves and becomes a mainstream part of cyber attacks, new data shows that deepfakes are leading the way.

Deepfake technology has been around for a number of years, but the AI boom has sparked new attacks, campaigns, and players all trying to use the impersonation technology to rob victims of their credentials, personal details or money.

We recently covered a number of deepfake campaigns all perpetrated by a single individual that reached a global level. AI and automation only enable this kind of scale and make it a possible reality for scammers everywhere.

According to Ironscales’ latest report, “Deepfakes: Is Your Organization Ready for the Next Cybersecurity Threat?,” 75% of organizations have experienced at least one deepfake-related incident within the last 12 months. And 60% of organizations are only “somewhat confident” or “not confident” at all in their organization’s ability to defend against deepfake threats. Given the level at which deepfake-related incidents are occurring, it is imperative that organizations know where to focus their defenses.

According to the report, 39% of organizations cited incidents coming in the form of personalized phishing emails — a logical medium, given that email addresses, sender names and brands can all be imitated. So deepfakes would fit right in.

And since email is such a material medium for deepfakes, it’s important for recipients to spot suspicious and/or malicious emails well before engaging with deepfaked audio or video, through new-school security awareness training.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/three-quarters-of-organizations-have-experienced-a-deepfake-related-attack

Recon 2.0: AI-Driven OSINT in the Hands of Cybercriminals

Cybercriminals are using artificial intelligence (AI) and generative AI in open source intelligence (OSINT) activities to target your organization with supercharged reconnaissance efforts. With AI-driven techniques, they can gather, analyze and exploit publicly available data to create highly targeted and convincing social engineering schemes, phishing campaigns and other forms of cyber attacks.

Join James McQuiggan, Security Awareness Advocate at KnowBe4, as he explores how attackers use AI and OSINT to quickly identify and prioritize targets. Learn how to develop robust cybersecurity strategies to counter AI-enhanced threats.

Using exclusive demos and real-world examples, you’ll:

  • Gain insights into how AI and generative AI amplify OSINT-driven reconnaissance
  • Understand how attackers use AI to enhance data aggregation, profile generation and target prioritization to target your organization
  • Discover the implications of AI-driven OSINT and strategies for threat detection and mitigation
  • Learn why a strong security culture is still your best line of defense

Register now to learn how to detect and mitigate AI-enhanced OSINT threats.

Date/Time: Wednesday, November 13, @ 2:00 PM (ET)

Can’t attend live? No worries — register now and you’ll receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/ai-driven-osint?partnerref=CHN

Phishing Alert: Cybercriminals Impersonating KnowBe4 Training Emails

In the ever-evolving landscape of cybersecurity threats, we have recently encountered a sophisticated phishing attempt targeting one of our valued KnowBe4 customers. This incident serves as a crucial reminder of the importance of remaining vigilant and maintaining robust email security measures.

Our customer received a suspicious email that closely mimicked KnowBe4’s legitimate “Please Complete Assigned Training” notifications. At first glance, the email appeared authentic, demonstrating the increasing sophistication of phishing attacks.

The blog has an example screenshot of what the phishing email looked like, and covers key indicators of the phishing attempt, lessons learned and best practices.

[CONTINUED]
https://blog.knowbe4.com/phishing-alert-cybercriminals-impersonating-knowbe4

Re-check Your Email Attack Surface Now

Cybercriminals are actively exploiting exposed user data to initiate sophisticated attacks against organizations, including yours. If your employees’ email addresses have potentially fallen into the hands of adversaries, the threat of a targeted breach becomes immediate, and every second counts.

It’s time to re-check your email attack surface.

Discover your current email attack surface now with KnowBe4’s Email Exposure Check Pro (EEC Pro). EEC Pro identifies your at-risk users by crawling business social media information and thousands of breach databases.

EEC Pro helps you find your users’ compromised accounts that have been exposed in the most recent data breaches — fast.

Get your EEC Pro Report in less than 5 minutes. It’s often an eye-opening discovery. You’re probably not going to like the results…

Get Your Free Report:
https://info.knowbe4.com/email-exposure-check-pro-chn-2

Many Bosses Think Their Employees Lack Even Basic Security Awareness

Craig Hale in Techradar wrote about a new Fortinet report:

“Nearly three-quarters (70%) of business leaders are increasingly concerned about their employees’ cybersecurity knowledge, stating they lack even basic awareness needed to combat emerging threats.

“The news comes as companies brace themselves for increased threat activity in the age of artificial intelligence, which helps threat actors increase the sophistication of their attacks.

“The report from Fortinet cites another separate study conducted by the company claiming more than four in five organizations have faced incidents like malware, phishing and password attacks over the past 12 months.

Employees aren’t prepared for the future of cybersecurity

“Looking ahead, three in five leaders expect AI-augmented attacks to make it even harder for employees to recognize threats.

“However, artificial intelligence isn’t just seen as a threat to businesses. Four in five of the study’s participants believe that emerging AI-enhanced threats have driven greater openness to training initiatives within their companies, with three quarters of leaders planning to launch awareness campaigns. In response to the changing threat landscape, companies are becoming increasingly proactive:

  • “Around one-third (34%) delivering content monthly
  • And almost half (47%) doing so quarterly
  • Almost all (98%) have covered phishing prevention
  • Security (48%) and privacy (41%) frequently appearing in training”

Our comment: Quarterly is not sufficient; that’s more like another baseline test. You need to train people at the very least once a month, even if it’s only 5 minutes. And obviously send simulated phishing security tests to keep them on their toes with security top of mind.

Story at Techradar:
https://www.techradar.com/pro/security/bosses-think-their-employees-lack-basic-security-awareness?

[NEW CONTENT] 5 Critical Links To Help You Build A Strong Security Culture

  • CISO Security Resource Kit with 5 Key Assets:
    https://www.knowbe4.com/assets/ciso-resource-kit
  • CISO Talking Points to Present to the Board:
    https://www.knowbe4.com/hubfs/CISO-Speaking-Factors-Guidelines-Guide_en-US.pdf
  • Infographic: Top 3 Threats to Address to Prevent a Data Breach:
    https://www.knowbe4.com/hubfs/CISO-High-Threats-Infographic_en-US.pdf
  • eBook: The Definitive Guide to How Security Awareness Training (SAT) Addresses Regulatory Compliance, Cyber Insurance and Security Frameworks:
    https://www.knowbe4.com/hubfs/SAT-Laws-eBook_EN-us.pdf
  • ROI of SAT Guide for CISOs:
    https://www.knowbe4.com/hubfs/ROI-KB4-CFO-Guide_en-US.pdf

Let’s stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Bruce Schneier: “Roger Grimes on Prioritizing Cybersecurity Advice”:
https://www.schneier.com/blog/archives/2024/10/roger-grimes-on-prioritizing-cybersecurity-advice.html

PPS: Your KnowBe4 Compliance Plus Fresh Content Updates from October 2024:
https://blog.knowbe4.com/knowbe4-cmp-content-updates-october-2024?

Quotes of the Week

“Peace is not an absence of war, it is a virtue, a state of mind, a disposition for benevolence, confidence, justice.”
– Spinoza – Philosopher (1632 – 1677)


“No act of kindness, no matter how small, is ever wasted.”
– Aesop – Author (620 – 560 BC)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-45-heads-up-qr-code-phishing-is-growing-more-sophisticated

Security News

4 out of 10 Phishing Emails Are Sent From a Compromised Email Account

Analysis of phishing emails in the second quarter of this year paints a picture of what security teams and vigilant recipients should expect from modern phishing attacks.

In the 2024 Phishing Threat Trends report from Egress (a KnowBe4 company), we learn that phishing attacks have increased by 28% over a single quarter this year. So, this remains a key focus for security teams.

But we also get an update on what kinds of specific techniques are being used in phishing emails, laying out a roadmap for what security solutions and users need to be watching out for:

  • 44% of phishing emails were sent from a compromised account — remember, this likely means that the compromised account, too, was phished in a credential harvesting scam, only compounding the phishing problem
  • Payloads vary — 45% of phishing emails contain a hyperlink-based payload, while 23% include malicious attachments and 20% rely solely on social engineering
  • In impersonation attacks, 36% of them used hyperlinks, 45% used attachments and 15% used social engineering only
  • And the biggest red flag for me is the fact that employees only accurately report phishing emails 29% of the time

Threat actors continue to use a variety of methods to trick users into engaging. But the one thread throughout is the use of social engineering, whether it’s impersonating someone the victim knows or using a compromised account.

These are all methods of establishing credibility to get the victim recipient to click, open or respond to a phishing email, something we teach in our new-school security awareness training.

Phishing looks like it’s not going anywhere, so empowering your employees to stop attacks instead of aiding them can significantly reduce the risk of successful cyber attacks.

Blog post with links:
https://blog.knowbe4.com/more-than-4-out-of-10-phishing-emails-are-sent-from-compromised-account

FBI Warns of Election-Related Scams

The U.S. Federal Bureau of Investigation (FBI) has issued an advisory outlining various scams exploiting interest in the upcoming U.S. election. The Bureau says “[s]cammers use the names, images, logos, and slogans of candidates to fraudulently solicit campaign contributions, sell merchandise (which is never sent to the purchaser), or steal victim personally identifiable information (PII) that can be used for other fraud.”

The FBI describes one scam that involves contacting victims and telling them they aren’t registered to vote, in an attempt to trick the user into visiting a phishing page and entering their information.

“Victims receive a text message or email stating they are not registered to vote in their state and encouraging them to click a link that takes the victim to a fraudulent state voter registration page,” the FBI says.

“The victim may or may not already be registered to vote with their state. This scheme is a means to steal PII for identity theft and potentially to further target victims for additional scams.”

The FBI offers the following advice to help users avoid falling for these scams:

  • “Be cautious when receiving any unsolicited calls, texts, emails, or surveys. Do not provide your personal information to people you do not know. Do not click on unknown links.
  • “Donations to a political campaign will not act as an investment; they will not increase in value then be returned to you.
  • “Check the registration status of a Political Action or Party Committee on the Federal Election Commission (FEC) website. Additional due diligence may be necessary because some scam PACs are known to be registered with the FEC.
  • “Research a company online before making any purchase by looking up customer reviews and BBB.org complaints.
  • “Check your voter registration status at www.vote.gov.”


What KnowBe4 Customers Say

“Stu, Thanks for reaching out. I’m very happy with our training and phishing service! I’ve been a fan of KnowBe4 for many years. I’m grateful for the tools your team provides to keep my team educated and safe.

I’ve been impressed with your level of transparency as you worked through the North Korean Hacker situation. Your willingness to be upfront, honest, and share your lessons with the world has garnered an even greater level of loyalty and trust for me, personally. Thank you.

One of our core values here is People-Centered Care. We accomplish this through developing employees and educating clients. We decided to back up our idea of developing employees monetarily by investing in KnowBe4.

We know that developing our employees is more than just giving them tools and experiences that make them better veterinarians, veterinary technicians, or receptionists; we know it involves being more responsible, educated digital citizens.

Thank you for giving us a platform that allows us to develop our employees outside of their normal duties and responsibilities and allows us to keep our network safer. I appreciate you!”

– R.C., Chief Information Officer
