CyberheistNews Vol 15 #13 | April 1st, 2025
Why Password Security Matters: The Danish and Swedish Password Problem
By Martin Kraemer
Organizations and individuals alike face a constant barrage of cyber threats, and sometimes the weakest link in our defenses is something as simple as a password.
Recently, KnowBe4 has shed light on a concerning trend in Denmark and Sweden: a significant number of employees aren’t using strong passwords. Given that people are the primary target for cybercriminals, weak passwords expose both employees and their organizations to serious cyber threats.
Employee Password Habits: A Closer Look
Our research conducted in Denmark and Sweden paints a worrying picture of employee password habits. In Denmark, nearly 20% of employees admit to using short passwords because they’re easier to remember. Alarmingly, 8% use the same password for all their accounts.
In Sweden, while slightly better, 13% use short passwords, and almost 6% reuse them. Even more concerning is the lack of knowledge about multi-factor authentication (MFA). Over a third of Danish employees and 11% of Swedish employees don’t know what MFA is.
Driving Password Security Practices
A major part of building a strong security culture is ensuring employees consistently create strong passwords and understand their critical role in cybersecurity. Short or simple passwords are easy for cybercriminals to crack, which can lead to unauthorized access to personal and work accounts.
This can result in data breaches, identity theft and financial losses for individuals. For organizations, compromised employee accounts can be gateways for larger attacks, potentially leading to data theft, ransomware and reputational damage.
Making Security Simple and Sustainable
So, what can be done? It starts with the basics:
1) Encourage Password Managers: These tools generate and securely store complex passwords. While 40% of Danes and nearly 49% of Swedes have access to password managers, only a small fraction actively use them. Making their use mandatory and providing training can significantly improve security. Low adoption leads to password reuse, which amplifies the impact of a single compromised password.
2) Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security to the login process, acting as a second lock on your digital door. Despite its effectiveness, only 41% of Danes and 49% of Swedes use MFA. This lack of usage leaves accounts highly vulnerable, even when passwords are compromised. For organizations, it means an increased risk of data breaches and fraud.
How many users in your org use weak passwords?
Blog post with links:
https://blog.knowbe4.com/why-password-security-matters-the-danish-and-swedish-password-problem
Ridiculously Easy AI-Powered Security Awareness Training and Phishing
Phishing and social engineering is the #1 cyber threat to your organization. 68% of all data breaches are caused by human error.
Join us for a live demonstration of KnowBe4 in action. See how we safeguard your organization from sophisticated social engineering threats using the most comprehensive human risk management platform.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Artificial Intelligence Defense Agents allow you to personalize security training, reduce admin burden, and elevate your human risk management strategy
- NEW! SmartRisk Agent provides actionable data and metrics to help you lower your organization’s human risk score
- NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
- Smart Groups allow you to use employees’ behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
- Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test
Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.
Date/Time: Wednesday, April 2, @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/kmsat-demo-1?partnerref=CHN2
Amount of Money Requested In BEC Attacks Nearly Doubled in Q4 2024
The average amount of money requested in business email compromise (BEC) attacks spiked to $128,980 in the fourth quarter of 2024, according to the Anti-Phishing Working Group’s (APWG’s) latest report.
That’s nearly double the amount requested during Q3 2024. The researchers found that Gmail accounts were used to launch 81 percent of BEC scams last quarter. The report also warns of a surge in SMS phishing scams impersonating toll operators in the US, driven by a popular Chinese phishing kit.
“Residents of the United States are being bombarded with text messages from Chinese phishers, purporting to come from U.S. toll road operators, including the multi-state EZPass system,” the researchers write. “The messages warn recipients that they face fines or loss of their driving license if they don’t pay their tolls online.
“Researchers have found that this ‘smishing’ (SMS phishing) is enabled by an upgraded phishing kit sold in China, which makes it simple to send text messages and launch phishing sites that spoof toll road operators in multiple U.S. states. The phone numbers that the phishers send the messages to are usually random—they’re sometimes sent to people who don’t use toll roads at all, or target users in the wrong state.”
The APWG members observed just under a million phishing attacks in Q4 2024, indicating a steady increase over the course of the year. The SaaS/Webmail category was the most frequently attacked sector, accounting for 23.3 percent of all phishing attacks. Social media came in second, with 22.5% of phishing attacks.
New-school security awareness training gives your organization an essential layer of defense against phishing attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/amount-of-money-requested-in-bec-attacks-nearly-doubled-in-q4-2024
Taming the Hacker Storm: Your Framework for Defeating Cybercriminals and Malware
Are you ready to turn the tables on cybercriminals and their malicious minions? Forget those so-called “next-gen” solutions that barely make a dent — it’s time for a revolution in cybersecurity that will send hackers running for the hills!
Join us for this webinar as Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist and cyber-visionary, unveils a groundbreaking framework that could change the face of internet security forever. Drawing from his latest book, “Taming the Hacker Storm: A Framework for Defeating Hackers and Malware,” Roger will take you on an exhilarating journey and real-world approach to a future where cybercrime is on its last legs.
In this webinar, you’ll discover:
- The shocking truth behind the internet’s Achilles’ heel — and how we can fortify it
- A blueprint for a new internet ecosystem that will make hackers’ heads spin
- Cutting-edge technologies and protocols that might be the silver bullet you’ve been waiting for
- Your role in the cyber revolution and how to become a hero in the battle against digital villains
- Why arming your organization with this knowledge is the ultimate power move for your security culture
Tired of playing defense? It’s time to go on the offensive! Join us for this mind-bending session and earn CPE credit while learning how to turn the tide in the cyber war.
Date/Time: Wednesday, April 9 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/taming-the-hacker-storm?partnerref=CHN
Surge in Phishing Attacks Hijacking Legitimate Microsoft Communications
A KnowBe4 Threat Lab Publication
On March 3, 2025, the KnowBe4 Threat Labs team observed a massive influx of phishing attacks originating from legitimate Microsoft domains.
KnowBe4 Defend detected activity starting on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply[@]microsoft.com were recorded within a 30-minute window.
To carry out this attack, threat actors set up mail routing rules that automatically forwarded legitimate Microsoft invoices to recipients, using sophisticated techniques to include their payload while maintaining authentication integrity (including passing DMARC).
This spike comes amid a rise in the exploitation of trusted platforms like DocuSign, PayPal, Google Drive and Salesforce for phishing emails. Notably, by leveraging Microsoft, cybercriminals are increasing the deliverability and legitimacy of their attacks, making detection and prevention harder for both users and security systems.
While we observed a surge of these attacks within a 30-minute window, this was likely due to a delay in Microsoft processing the high volume of emails. However, the attack likely continued for hours on this day, affecting thousands of individuals outside our customer base.
Quick Attack Summary:
All attacks analyzed in this campaign were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Labs team.
- Vector and Type: Email phishing
- Techniques: Social engineering and legitimate brand hijacking
- Targets: Global Microsoft Customers
In this attack, cybercriminals hijacked a legitimate Microsoft invoice and used mail flow rules to auto-forward it to thousands of recipients. By setting up their own Microsoft domain, the attackers ensured the emails passed authentication protocols.
They then embedded a fake organization name as their own, which appeared in the body of the email, to socially engineer the victim into calling the number present in that “name.” Aside from this the attacks had no other payload, and all links present are legitimate.
[CONTINUED] Blog post with attack examples, links and screenshots:
https://blog.knowbe4.com/surge-in-phishing-attacks-hijacking-legitimate-microsoft-communications
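A defender-side check for the pattern in this campaign, written here as an added example and not KnowBe4's or Microsoft's code: the sample message, its headers and the "Organization name" field label are constructed stand-ins, since the page does not reproduce the real invoice layout. The point it isolates is that a DMARC pass and legitimate links say nothing about the tenant name field, which is where the call-back number sits.

```python
import re
from email import message_from_string

# Constructed sample, not a real Microsoft message: the only tampered element
# is the tenant "organization name", which carries a phone number and a
# prompt to call it. The header shows the message passing DMARC.
SAMPLE_MESSAGE = """\
From: Microsoft <microsoft-noreply@microsoft.com>
Subject: Your Microsoft invoice is ready
Authentication-Results: spf=pass; dkim=pass header.d=microsoft.com; dmarc=pass

Your invoice for the following organization is now available:

Organization name: Billing problem? Call +1 (555) 010-0100 within 24 hours
Amount due: $499.00

Thank you for choosing Microsoft.
"""

# A phone number written the usual ways (spaces, parentheses, dots, dashes),
# at least ten characters from first digit to last.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
# Wording that pushes the reader to pick up the phone.
CALL_RE = re.compile(r"\b(call|phone|dial)\b", re.IGNORECASE)
# The field that should hold a company name and nothing else (assumed label).
ORG_LINE_RE = re.compile(r"^Organization name:\s*(.+)$", re.IGNORECASE | re.MULTILINE)

def dmarc_passed(msg):
    """True when the Authentication-Results header records dmarc=pass."""
    return "dmarc=pass" in msg.get("Authentication-Results", "").lower()

def suspicious_org_name(body):
    """Return the organization name if it reads like a call-back lure, else None."""
    match = ORG_LINE_RE.search(body)
    if not match:
        return None
    name = match.group(1).strip()
    if PHONE_RE.search(name) or CALL_RE.search(name):
        return name
    return None

def analyze(raw_message):
    """Classify one raw message: authentication results say nothing about intent."""
    msg = message_from_string(raw_message)
    org = suspicious_org_name(msg.get_payload())
    return {
        "dmarc_pass": dmarc_passed(msg),
        "flagged": org is not None,
        "reason": f"organization name is a call-back lure: {org!r}" if org else "",
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGE))
```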
[WHITEPAPER DOWNLOAD] 7 Best Practices For Implementing Human Risk Management
In cybersecurity, the biggest and most overlooked threat is human risk.
With human error accounting for 68% of data breaches, managing human risk isn’t just important — it’s essential.
That’s why human risk management (HRM) has become a critical part of modern security strategies. Effective HRM goes beyond awareness training by taking a data-driven, behavior-focused approach to reducing human risk.
Download this whitepaper to learn:
- Why HRM demands a strategy that blends technology, psychology and continuous adaptation
- The seven best practices to effectively implement a strong HRM program that drives behavioral change and strengthens your security culture
- How to strengthen your security culture by reducing human risk
Download Now:
https://info.knowbe4.com/7-best-practices-for-implementing-human-risk-management-chn
Let’s stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: eSecurity Planet has named KnowBe4 to its list of Top 20 Cybersecurity Companies You Need to Know in 2025. (Two things are wrong though: our yearly sales and the Glassdoor rating are both much higher :-D)
https://www.esecurityplanet.com/cybersecurity/top-cybersecurity-companies/
Quotes of the Week
“What you think, you become. What you feel, you attract. What you imagine, you create.”
– Buddha
“Art, freedom and creativity will change society faster than politics.”
– Victor Pinchuk – Businessman and Philanthropist (born 1960)
Thanks for reading CyberheistNews
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-13-why-password-security-matters-the-danish-and-swedish-password-problem
Security News
Be Vigilant: Even Security Pros Can Fall for Phishing Attacks
Troy Hunt, a security expert who runs the “Have I Been Pwned” breach monitoring site, disclosed that a phishing email tricked him into handing over his MailChimp credentials.
The email appeared to be a MailChimp notification informing him that his account had been flagged for spam. The message contained a link to review his account, which led to a phishing page.
Hunt notes that he had two-factor authentication (2FA) enabled on his account, but the attackers were able to bypass this measure. While 2FA is an important layer of defense, users should be aware that attackers can still use social engineering to get around it.
“I went to the link which is on mailchimp-sso[.]com and entered my credentials which – crucially – didn’t auto-complete from 1Password,” Hunt explains. “I then entered the OTP and the page hung. Moments later, the penny dropped, and I logged onto the official website, which Mailchimp confirmed via a notification email which showed my London IP address…
“I immediately changed my password, but not before I got an alert about my mailing list being exported from an IP address in New York. And, moments after that, the login alert from the same IP. This was clearly highly automated and designed to immediately export the list before the victim could take preventative measures.”
Hunt explains that he was jetlagged at the time, which contributed to the lapse in judgment. “Firstly, I’ve received a gazillion similar phishes before that I’ve identified early, so what was different about this one?” Hunt says.
“Tiredness was a major factor. I wasn’t alert enough, and I didn’t properly think through what I was doing. The attacker had no way of knowing that (I don’t have any reason to suspect this was targeted specifically at me), but we all have moments of weakness and if the phish times just perfectly with that, well, here we are.”
Hunt adds that the phishing email was well-written and believable, with proper grammar and MailChimp branding. “Secondly, reading it again now, that’s a really well-crafted phish,” Hunt writes. “It socially engineered me into believing I wouldn’t be able to send out my newsletter so it triggered ‘fear’, but it wasn’t all bells and whistles about something terrible happening if I didn’t take immediate action. It created just the right amount of urgency without being over the top.”
Troy Hunt has the story:
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
[Train Those Users] Phishing-as-a-Service Attacks are on the Rise
Phishing-as-a-service (PhaaS) platforms drove a surge in phishing attacks in the first two months of 2025, according to researchers at Barracuda. PhaaS platforms, which provide criminals with a ready-made kit for launching advanced phishing attacks, were responsible for more than a million attacks in January and February.
Three PhaaS platforms accounted for nearly all of these attacks, with the Tycoon 2FA kit dominating the market. “Tycoon 2FA was the most prominent and sophisticated PhaaS platform active in early 2025,” Barracuda says. “It accounted for 89% of the PhaaS incidents seen in January 2025.
“Next came EvilProxy, with a share of 8%, followed by a new contender, Sneaky 2FA with a 3% share of attacks.” Sneaky 2FA is a new phishing platform that emerged earlier this year. The tool targets Microsoft 365 accounts and can bypass multifactor authentication.
Barracuda explains, “Targets receive an email that contains a link. If they click on the link, it redirects them to a spoofed, malicious Microsoft login page. The attackers check to make sure the user is a legitimate target and not a security tool before pre-filling the fake phishing page with the victim’s email address by abusing Microsoft 365’s ‘autograb’ functionality.
“The attack toolkit is sold as-a-service by the cybercrime outfit, Sneaky Log. It is called Sneaky 2FA because it can bypass two-factor authentication. Sneaky 2FA leverages the messaging service Telegram and operates as a bot.”
Barracuda notes that employee training can provide an important layer of defense against phishing attacks. “Security awareness training for employees that helps them to understand the signs and behaviors of the latest threats is also important,” the researchers write.
“Encourage employees to report suspicious-looking Microsoft/Google login pages. If you find them, undertake an in-depth log analysis and check for MFA anomalies.”
KnowBe4 empowers your workforce to make smarter security decisions every day.
Barracuda has the story:
https://blog.barracuda.com/2025/03/19/threat-spotlight-phishing-as-a-service-fast-evolving-threat
What KnowBe4 Customers Say
“Hi Stu, I am happy to share that we are very satisfied with the training and phishing service. It has proven to be a valuable tool for raising awareness and strengthening our organization’s security posture. The results have been positive, and the team appreciates the practical and engaging approach of the service.
“We are excited to continue working with you and look forward to seeing how the service evolves in the future. Please don’t hesitate to reach out if there is anything new or additional you think could benefit us further.”
– P.T., Director Information Technology
The 10 Interesting News Items This Week
Cyberheist ‘Fave’ Links
This Week’s Links We Like, Tips, Hints and Fun Stuff