CyberheistNews Vol 14 #36 | September 4th, 2024
KnowBe4 Expands Children's Interactive Cybersecurity Activity Kit for 2024/2025 School Year
Can you believe it is already back-to-school time for many? Where has the summer gone?
We are committed at KnowBe4 to providing content for students of all ages to help them stay safe and maybe get them interested in a career in cybersecurity in the future.
For example, we launched our successful KnowBe4 Student Edition last spring for students over the age of 16, with training materials focused on topics that are relevant for young adults.
For students under 16, the KnowBe4 Children's Interactive Cybersecurity Activity Kit is available for free to schools, teachers and parents. This kit is linked below. Consider telling the teachers at your children's school.
New School Year, New Content
We are excited to announce this latest update to the kit, which includes a new training module and some great updated features.
We have been adding fresh resources to this kit every school year, including an AI safety video, a password video game, a cybersecurity activity book, and middle school lesson plans. We have even more planned for the upcoming school year.
Last year we launched our groundbreaking Roblox game called KnowBe4 Hack-A-Cat, where students can play a game on the popular platform and learn about things like phishing, ransomware and other cybersecurity-related topics. We heard from many educators that they wanted a companion lesson to help explain the concepts in the game to students in a more direct way.
So, I am excited to announce that this accompanying lesson is now available on the children's kit site. It is titled "Hack-A-Cat: Your Cybersecurity Journey on Roblox," and teachers can have students complete it on their own in a computer lab, on laptops, or even on the smartboard at the front of the classroom.
This self-paced module can be used as a lesson prior to playing the Roblox game at school or independently with friends at home. We think it is a great complement to the in-game learning experience, making the most impact for students to learn about cybercrime, be prepared, and maybe one day join one of the teams helping protect others.
Children's Kit Now Available in Your Own LMS
Another requested feature of our kit that is now available is the ability to download the content and use it in your own Learning Management System (LMS) and/or Virtual Learning Environment (VLE) as a learning activity for students.
This feature allows admins to download the kit in a common standard called Sharable Content Object Reference Model (SCORM), which is accepted by most learning platforms. The lessons that are available in SCORM format include:
- AI Awareness for Students
- Bye Bye Bully
- Captain Awareness: Conquer Internet Safety for Kids
- Password Zapper Game
- Spot the Phish – Kid's Edition
There is a link at the bottom of the page that allows for easy download of all these materials in SCORM format. Look for the link in the text, "Looking for SCORM files? Click HERE to download."
There are also supporting materials available in image and document formats (not SCORM) that you can download directly from the kit page:
- Clickbait Cootie Catcher Tabletop Exercise
- Password Warriors Tabletop Exercise
- Poster: Captain Awareness: Conquer Internet Safety for Kids
- Security Cat's Activity Book for Kids
KnowBe4 customers can still use the content on the KnowBe4 Children's Interactive Cybersecurity Activity Kit website, but we wanted to make the SCORM option available in order to give access to more students (links on blog).
We will be adding more content to the Children's Kit and to the KnowBe4 Student Edition throughout the school year, based on the latest threats and on feedback from our partner institutions and others, so check back often as you are planning lessons for your students.
If you have an idea or request for what you would like to see us add, feel free to get in touch. We are committed to providing fresh educational content for students and partners to stay safe.
Blog post with links:
https://blog.knowbe4.com/knowbe4-childrens-interactive-cybersecurity-activity-kit-2024
[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TODAY, Wednesday, September 4, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing that is effective in changing user behavior.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Callback Phishing lets you see how likely users are to call an unknown phone number provided in an email and share sensitive information
- NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
- NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
- Smart Groups lets you use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
- Full Random Phishing automatically chooses different templates for each user, preventing users from telling one another about an incoming phishing test
Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.
Date/Time: TODAY, Wednesday, September 4, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/en-us/kmsat-demo-3?partnerref=CHN2
Phishing Attacks Are Increasingly Targeting Social Media and Smartphone Users
Threat actors are increasingly tailoring their attacks to target social media apps and smartphone users, according to a new report from the Anti-Phishing Working Group (APWG).
As email security technologies improve, scammers are turning to social media apps, text messages, and voice calls to conduct social engineering attacks.
Matthew Harris, Senior Product Manager, Fraud at OpSec, explained, "We have observed an increased share of fraud being targeted towards sites that don't require high security, such as social media sites like Facebook and LinkedIn, and SAAS and Webmail accounts such as Microsoft Outlook and Netflix."
The report also found that the volume of phishing attacks targeting bank accounts has fallen compared to last year, but these attacks have grown more sophisticated and targeted. Attackers have to put more effort into banking-focused attacks since these institutions usually have more layers of security.
"Banks require two-factor authentication for online banking, such as codes sent to the users' cell phones," the report says. "Without these authentication codes, phishers cannot get into victims' online financial accounts.
"So instead, fraudsters are using phone-based methods to phish bank and payment service users. These are more immediate contact methods, and allow the fraudster to talk victims out of their sensitive information.
"Phone-based fraud is initiated by different methods. One is voice phishing or vishing — where fraudsters call potential victims. Another is SMS-based phishing or smishing – in which fraudsters advertise the URLs of phishing sites within SMS (Short Message Service) and Internet-generated, phone-to-phone text messages."
The majority of scams in Q2 2024 involved gift card fraud or advance fee requests. APWG contributor Fortra found that the average amount of money requested in business email compromise (BEC) attacks rose by 6.5% last quarter to reach $89,520.
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/phishing-attacks-are-increasingly-targeting-social-media-and-smartphone-users
[NEW WEBINAR] Code Red: How KnowBe4 Exposed a North Korean IT Infiltration Scheme
A recent incident shed light on a chilling new tactic: North Korean operatives posing as IT professionals to infiltrate organizations all over the world. And this one hit a little too close to home… right here at KnowBe4.
We are pulling back the curtain on this event to help you protect your organization from this new and growing, terrifying threat.
Join us for an exclusive, no-holds-barred conversation with the team who lived through it. Perry Carpenter, our Chief Human Risk Management Strategist, sits down with Brian Jack, Chief Information Security Officer, and Ani Banerjee, Chief Human Resources Officer, to talk about how we spotted the red flags and stopped it before any damage was done.
During this webinar, you will get the inside scoop on:
- The techniques and tools used by these covert operatives to sneak through the cracks
- How we discovered something was wrong, and how we quickly stepped in to stop it
- How you can spot fake IT workers in your hiring process and workplace
- Practical advice for fortifying your organization by implementing robust screening processes and security protocols to safeguard against infiltration
Gain exclusive insights and actionable strategies to protect your organization from these sophisticated threats. Don't miss this opportunity to stay ahead in the ever-evolving landscape of cybersecurity, plus earn CPE credit for attending!
Date/Time: Thursday, September 12 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot:
https://info.knowbe4.com/code-red-webinar?partnerref=CHN
Email Compromise Remains Top Threat Incident Type for the Third Quarter in a Row
New analysis of Q2 threats shows a consistent pattern of behavior on the part of threat actors and threat groups, giving organizations a clear path to protect themselves.
It is every cybersecurity professional's worry: whether the security controls they have put in place will actually stop attacks.
But it is actually fairly easy to calm those fears by paying attention to industry data that paint a picture of the tactics and techniques threat actors are using, and by ensuring the right controls are in place to stop such malicious activity.
According to Kroll's Q2 2024 Threat Landscape Report, some consistent trends are becoming evident. Going back three quarters, Kroll shows through its data that the following threat incident types (in descending order) are being experienced during cyber attacks: email compromise, ransomware, unauthorized access and web compromise.
Looking at the chart, you can see how important gaining access to email is for threat actors. And even with the substantial increase in unauthorized access this year, it appears that the threat actor "leopard" does not change its spots.
It is clear that protecting email access with multi-factor authentication, strong passwords and security awareness training is essential. These measures help prevent social engineering attacks aimed at stealing credentials, a trend that shows no signs of slowing down.
Blog post with links and graphics:
https://blog.knowbe4.com/email-compromise-remains-top-threat-incident-type-for-the-third-quarter-in-a-row
[Popular Whitepaper] The Security Culture How-to Guide
Improving the security culture of your organization can seem daunting. An entire culture sounds almost too big to influence. But influencing security culture is possible with the right plan, buy-in and content.
With the right culture supporting them, your users will be better equipped to identify potentially devastating cyber attacks and social engineering threats before they affect your network.
This how-to guide will walk you through how to build a step-by-step plan, helping you understand the fundamentals of security culture and what you can do to move the culture needle in your organization.
You will learn:
- The fundamental ABCs of culture change and how each builds on the others
- A seven-step cycle for improving your security culture
- Advice and best practices for making the most of each step in the process
Download this guide today!
https://info.knowbe4.com/wp-security-culture-how-to-guide-chn
More Carrots and Fewer Sticks
This blog was co-written by Perry Carpenter and Roger A. Grimes.
As I sit in the 2024 Seattle Convene conference this week and listen to speaker after speaker talk about their successful security awareness training programs, one thing is absolutely clear. They all prefer carrots and fewer sticks.
A question human risk managers frequently ask me is what role negative consequences should play in a successful security awareness training program. This touches on a fundamental principle that my colleague, Perry Carpenter, is well known for emphasizing — the importance of working with human nature rather than against it.
Because of that, I invited him to co-write this blog post with me. Consider this a two-for-one blog special… The rest of this post represents our combined thoughts.
What is the end goal, anyway?
Some of our customers have a policy of firing people for first-time offenses, whether that offense is clicking on a simulated phishing email URL link or interacting with a real phishing scam. We have many customers who have no defined policy for "missed" phishing tests and who never interact with an employee for either "failing" or not failing a simulated phishing test. The right policy lies somewhere in between.
The goal is to reduce cybersecurity risk as efficiently and effectively as possible without significantly impacting business and revenues. Firing your best employees because they failed a phishing test does not seem overly productive.
Punitive approaches often backfire and can create a culture of fear rather than one of shared responsibility.
This is especially true because anyone… ANYONE!! can be phished. If you think you cannot be socially engineered into doing something against your own best interests, you are at higher risk for a successful phishing attack, not lower.
No one wants to click on a phish. And yes, we have people who are more susceptible to phishing than others. And we need a way to motivate the poorer performers to become better. But how do we do that effectively?
More Carrots
Here are some common carrot ideas.
[CONTINUED] Blog post with links:
https://blog.knowbe4.com/more-carrots-and-fewer-sticks
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: Your KnowBe4 Fresh Content Updates from August 2024:
https://blog.knowbe4.com/knowbe4-content-updates-august-2024
PPS: [BUDGET AMMO] This Security Company [Cinder] Has Been Flooded With Job Applicants From North Korea:
https://www.forbes.com/sites/davidjeans/2024/08/26/cinder-north-korea-jobs/
Quotes of the Week
"Peace cannot be kept by force; it can only be achieved by understanding."
– Albert Einstein, Physicist (1879 – 1955)
"You become what you give your attention to."
– Epictetus, Greek philosopher (55 – 135 AD)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-36-knowbe4-expands-children’s-interactive-cybersecurity-activity-kit-for-2024-2025-school-year
Security News
Threat Actors Abuse Microsoft Sway to Launch QR Code Phishing Attacks
Researchers at Netskope last month observed a 2,000-fold increase in traffic to phishing pages delivered through Microsoft Sway. The phishing attacks are targeting organizations in the technology, manufacturing and finance sectors in Asia and North America.
Most of these attacks involved QR code phishing (quishing) to trick victims into visiting the malicious sites.
"Attackers instruct their victims to use their mobile devices to scan the QR code in hopes that these mobile devices lack the stringent security measures typically found on corporate-issued ones, ensuring unrestricted access to the phishing site," Netskope explains.
"Additionally, these QR phishing campaigns employ two techniques from previous posts: the use of transparent phishing and Cloudflare Turnstile. Transparent phishing ensures victims access the exact content of the legitimate login page and can allow them to bypass additional security measures like multi-factor authentication.
"Meanwhile, Cloudflare Turnstile was used to hide the phishing payload from static content scanners, preserving the good reputation of its domain." Notably, the threat actors abused Sway, a free Microsoft 365 presentation app, to evade security technologies.
"By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves," the researchers write. "Additionally, a victim uses their Microsoft 365 account that they are already logged into when they open a Sway page, which can help persuade them of its legitimacy as well.
"Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe. Over the past six months, Netskope Threat Labs observed little to no malicious traffic using Microsoft Sway. However, in July 2024, we observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages. The pages we investigated were targeting Microsoft 365 accounts."
Blog post with links:
https://blog.knowbe4.com/threat-actors-abuse-microsoft-sway-to-launch-qr-code-phishing-attacks
Fewer, High-Profile Ransomware Attacks Are Yielding Higher Ransoms
Analysis of cryptocurrency payments made on the blockchain highlights shifts in the size and frequency of ransomware attacks and may paint a bleak picture for the remainder of the year.
Every quarter, the blockchain analysis company Chainalysis analyzes cybercriminal activity from the perspective of blockchain use to facilitate payments, crypto theft, etc.
In their 2024 Crypto Crime Mid-year Update Part 1, we see a few notable changes in ransomware attacks:
- 2024 is set to be the highest-grossing year yet for ransomware payments
- The median ransom payment made to ransomware strains receiving a minimum of $1 million spiked from just under $200,000 in early 2023 to $1.5 million in mid-June 2024
Chainalysis provides an interesting chart to visualize ransomware payments made over time. As the chart shows, ransomware payments are trending upward. The median payment size in the first week of 2023 was just $198,939. In comparison, the median payment in mid-June of 2024 was $1.5 million — a nearly 800% increase! Remember — these are payments and not demands, so we are seeing the real impacts of ransomware attacks, which are trending towards being more expensive.
This is a key reason why organizations need to focus more on stopping such attacks, which should include protection against phishing attacks via security awareness training, so that an organization's users act as part of the defenses, siding with vigilance when interacting with a potentially malicious email or website rather than simply becoming a victim and enabling an attack.
Blog post with links and charts:
https://blog.knowbe4.com/fewer-high-profile-ransomware-attacks-yield-higher-ransoms-and-a-mid-year-total-of-just-over-450-million
Most Phishing Sites Are Now Mobile-Compatible
A new report from Zimperium has found that 78% of phishing sites are designed to target mobile browsers. These attacks can give threat actors a foothold inside an organization's network, especially if an employee uses their phone for work-related activities.
"Mobile phishing includes various types such as SMS phishing (smishing), voice phishing (vishing), app-based phishing, email phishing and social media phishing," the researchers explain. "While some phishing campaigns appear to target consumers, they can serve as a malicious program to deliver malware, capture reused passwords, or hijack OTPs, ultimately infiltrating corporate networks and applications on the device."
The researchers also warn that most phishing sites now use HTTPS, which is indicated by a lock icon next to the URL in the browser bar. Users should be aware that the lock icon simply means that the site's traffic is encrypted, not that the site is necessarily legitimate.
"Due to changes in browser behavior to treat non-encrypted sites as less secure, and the ability to evade detection due to encrypted communication, attackers have been migrating to secure communications (HTTPS) for modern phishing attacks," the researchers write.
"At the moment of writing, our analysis shows that only 12.9% of phishing URLs employ an unencrypted HTTP scheme, while 87.1% utilized the more secure HTTPS (including those that redirected from HTTP to HTTPS). The use of secured connections to serve malicious content can create a false sense of security for the user or mask malicious intent behind the 'lock' icon on the browser."
Zimperium found that 60% of newly created phishing domains receive an SSL certificate within two hours of being registered. The researchers note, "This means that in just 2 hours, a new phishing domain can be created and be fully operational over a secure HTTPS connection."
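One defender-side use of the two figures above (most phishing sites are served over HTTPS, and many domains get a certificate within two hours of registration) is a triage heuristic that scores a domain by its age and its time-to-first-certificate instead of by the lock icon. The following is an added example, not code from Zimperium or KnowBe4; the sample records, the 30-day "new domain" window, the 2-hour certificate threshold and the field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records (not data from the Zimperium report). Each pairs a
# domain's registration time, as a WHOIS/RDAP lookup would give it, with the
# "not before" time of the first certificate observed for it, as a CT log would.
SAMPLE_RECORDS = [
    {"domain": "example-bank-login.example", "registered": "2024-07-02T09:15:00Z",
     "cert_not_before": "2024-07-02T10:40:00Z", "scheme": "https"},
    {"domain": "payroll-portal.example", "registered": "2024-01-14T08:00:00Z",
     "cert_not_before": "2024-06-20T12:00:00Z", "scheme": "https"},
    {"domain": "promo-giftcards.example", "registered": "2024-07-03T22:05:00Z",
     "cert_not_before": "2024-07-03T22:30:00Z", "scheme": "https"},
    {"domain": "legacy-intranet.example", "registered": "2016-03-01T00:00:00Z",
     "cert_not_before": None, "scheme": "http"},
]


@dataclass
class Finding:
    domain: str
    domain_age_hours: float            # age of the domain at assessment time
    cert_delay_hours: Optional[float]  # registration -> first certificate; None if no cert
    verdict: str


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(record: dict, seen_at: datetime, new_domain_days: int = 30,
           fast_cert_hours: float = 2.0) -> Finding:
    """Age-based triage of one domain. The URL scheme is deliberately not an
    input to the verdict: per the report, most phishing sites are HTTPS, so
    the lock icon carries no information about legitimacy."""
    registered = _parse(record["registered"])
    age_h = (seen_at - registered).total_seconds() / 3600
    delay_h = None
    if record["cert_not_before"]:
        delay_h = (_parse(record["cert_not_before"]) - registered).total_seconds() / 3600
    if age_h < new_domain_days * 24 and delay_h is not None and delay_h <= fast_cert_hours:
        verdict = "suspicious: new domain with certificate issued within %gh of registration" % fast_cert_hours
    elif age_h < new_domain_days * 24:
        verdict = "review: newly registered domain"
    else:
        verdict = "no age-based signal"
    return Finding(record["domain"], age_h, delay_h, verdict)


def triage(records, seen_at_iso: str) -> dict:
    """Assess every record; returns {domain: Finding}."""
    seen_at = _parse(seen_at_iso)
    return {r["domain"]: assess(r, seen_at) for r in records}


def https_share(records, findings) -> dict:
    """Share of HTTPS among flagged vs. unflagged domains, to show why the
    scheme alone is not a useful discriminator."""
    flagged = [r for r in records if findings[r["domain"]].verdict.startswith("suspicious")]
    clear = [r for r in records if r not in flagged]
    pct = lambda rs: 100.0 * sum(r["scheme"] == "https" for r in rs) / len(rs) if rs else 0.0
    return {"flagged_https_pct": pct(flagged), "unflagged_https_pct": pct(clear)}


if __name__ == "__main__":
    results = triage(SAMPLE_RECORDS, "2024-07-04T00:00:00Z")
    for f in results.values():
        print(f"{f.domain:30} age={f.domain_age_hours:9.1f}h "
              f"cert_delay={f.cert_delay_hours} {f.verdict}")
    print(https_share(SAMPLE_RECORDS, results))
```

In a real pipeline the registration and certificate times would come from RDAP and a Certificate Transparency log feed; the thresholds are a starting point to tune against your own false-positive rate.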
Zimperium has the story:
https://www.zimperium.com/blog/deep-dive-into-phishing-chronology-threats-and-trends/
What KnowBe4 Customers Say
"Hi Edmond, I am writing to express my sincere gratitude for the exceptional support I have received from you over the past few months to create training & phishing campaigns.
Your support has been marked by professionalism, efficiency, and a genuine desire to help. Your dedication to providing top-notch technical support has made a significant difference and transformed my experience with KnowBe4.
You have consistently demonstrated patience, extensive knowledge, and prompt responses. Your attention to detail and willingness to go above and beyond truly exemplify excellent support.
Thank you once again for your outstanding support. I look forward to continuing to work closely with you in the future."
– H.C., Manager, IT
"Hi Stu, I have been a customer of KnowBe4 for nearly 10 years now (across 2 companies). It has been a great journey… Our employees are better off as a result of the training! Keep up the great work! Thanks!"
– B.L., CIO
The 10 Interesting News Items This Week
Cyberheist 'Fave' Links