New research has found over 1 in 3 UK&I workers are likely to click a phishing link, according to KnowBe4’s 2023 Phishing by Industry Benchmarking Report. The report measures an organisation’s Phish-prone Percentage (PPP), which shows the likelihood employees will be duped by phishing or a social engineering scam.

KnowBe4 analysed a data set of over 12.5 million users, across 35,681 organisations, with over 32.1 million simulated phishing security tests across 19 different industries and seven geographic regions. The resulting baseline “Phish-prone Percentage (PPP)” measured the percentage of employees in organisations that had not conducted any KnowBe4 security training, who clicked a simulated phishing email link or opened an infected attachment during testing.

The post More than 1 in 3 UK&I workers are likely to click a phishing link appeared first on IT Security Guru.

Phishing emails continue to be one of the most common methods to effectively perpetuate malicious attacks on organizations around the globe. Cybercriminals are always refining their strategies to stay one step ahead of end users and organizations by changing phishing email subjects to be more believable. They prey on emotions and aim to cause distress or confusion in order to entice someone to click. Phishing tactics are changing with the increasing trend of cybercriminals using email subjects related to IT and online services such as password change requirements, Zoom meeting invitations, security alerts and more. These are effective because they would impact an end users’ daily workday and subsequent tasks to be completed.

Holiday phishing email subjects were also utilized this quarter with incentives such as a change in schedule, gift card and spa package giveaway used as bait for unsuspecting end users. Tax-related email subjects became more popular as the U.S. prepared for tax season in Q1.

“Cybercriminals are constantly increasing the damage they cause to organizations by luring unsuspecting employees into clicking on malicious links or downloading fake attachments that seem realistic,” said Stu Sjouwerman, CEO, KnowBe4. “Emails that are disguised as coming from an internal source such as the IT department are especially dangerous because they appear to come from a more trusted, familiar place where an employee would not necessarily question it or be as skeptical. Building up an organization’s human firewall by fostering a strong security culture is essential to outsmart bad actors.”

To download a copy of the Q1 2023 KnowBe4 Phishing Report infographic, visit here.

The post KnowBe4 Q1 Phishing Report reveals IT and online services emails drive dangerous attack trend appeared first on IT Security Guru.

In the U.K., there was a 35% increase in the average number of mobile devices exposed to at least one malicious phishing attack per quarter between 2020 and 2022. In the last two years, 20-30% of mobile devices in the U.K. have been exposed to at least one malicious phishing attack every quarter.

Lookout also found that users on all devices – whether personal or work provided – are tapping more on mobile phishing links in comparison to just two years ago. The report estimates the potential annual financial impact of mobile phishing to an organisation of 5,000 employees is nearly $4 million. Enterprises operating in highly regulated industries – including insurance, banking, legal, healthcare and financial services – were found to be the most heavily targeted.

“Mobile as a threat surface will continue to grow, and hybrid work continues to grow in tandem, introducing huge numbers of unmanaged devices into the enterprise environment,” said Aaron Cockerill, chief strategy officer at Lookout. “It is more important now than ever for organizations to evolve their cybersecurity strategy to proactively combat mobile phishing. As one of the most effective attack vectors for threat actors, often serving as a starting-point for more advanced attacks, mobile phishing protection should be a top priority for organizations of any size.”

In 2022, more than 50% of personal devices were exposed to a mobile phishing attack every quarter, with the percentage of users falling for multiple mobile phishing links in a year is increasing rapidly year over year.

Users, endpoints and applications are now so closely connected that threat actors can initiate advanced attacks simply by stealing user credentials. Mobile phishing is one of the most effective tactics to steal login credentials, which means that mobile phishing itself poses significant security, compliance, and financial risk to organizations in every industry. It is likely that the rise of remote work has contributed to this, as organizations relax bring-your-own-device (BYOD) policies to accommodate employees accessing corporate networks outside the traditional security perimeter.

Lookout also claim mobile phishing attacks are also growing more sophisticated. The share of mobile users in enterprise environments clicking on more than six malicious links annually has jumped from 1.6% in 2020 to 11.8% in 2022, indicating that users are having a tougher time distinguishing phishing messages from legitimate communications.

The post UK sees 35% increase in mobile phishing exposures – Global State of Mobile Phishing Report appeared first on IT Security Guru.

“We already know that more than 80% of company data breaches globally come from human error,” said Stu Sjouwerman, KnowBe4’s CEO. “New-school security awareness training your staff is one of the least costly and most effective methods to thwart social engineering attacks. Training gives employees the ability to rapidly recognize a suspicious email, even if it appears to come from an internal source, causing them to pause before clicking. That moment where they stop and question the email is a critical and often overlooked element of security culture that could significantly reduce your risk surface.”

To add, KnowBe4 also stated the number one attack threat in the past quarter from their phishing tests and those seen in the wild are phishing links in the email body. As we are all aware, once this malicious links are clicked in the real world, they often lead to disastrous consequences like ransomware attacks or data breaches.

This research comes hot off the heels of the recent KnowBe4 industry benchmarking report which found one in three untrained employees will click on a phishing link. The worst performing industries were Energy & Utilities, Insurance and Consulting, with all labelled the most at risk for social engineering in the large enterprise category. Stu added: “With the steep cost of cyberattacks, this is deeply concerning. Given that most data breaches originate from social engineering, we cannot afford to omit the human element. Implementing security awareness training with simulated phishing testing will help to better protect organizations against cyber attacks and result in a more secure organizational culture.”

The post HR Emails Dupe Employees The Most – KnowBe4 research reveals appeared first on IT Security Guru.

50,000 Emails a Day and Combating Business Email Compromise

For the most part, the team at Softcat can be described as tech savvy. As such, employees are, on the whole, more equipped to recognise suspicious activity. Yet, as it found upon completion of a baseline phishing campaign run with KnowBe4, 12% of the company is susceptible to falling victim to phishing emails. While this may appear to be a low figure to some, it is worth remembering that it only takes one mis-click for a data breach to ensue.

The struggle that Softcat faced in containing this issue boils down to two primary factors.

Firstly, until three years ago, its security awareness programme was conducted on an ad hoc basis. Any training was typically implemented during the induction period, when new employees first joined the business. On top of being infrequent, trainings would often be missed due to a lack of time or getting lost in the long to-do lists that accompanies starting a new job.

Secondly, the field in which Softcat operates in requires that employees work with a vast number of third parties. Indeed, at present, the company has upwards of 12,300 long-standing customers and at least a thousand partners. It also receives as many as 50,000 inbound emails a day. In other words, a quarter of a million inbound emails per working week! Solely considering the sheer number of clients and partners, as well as the immense influx of emails, the risks of a phishing attack are heightened multi-fold. One of the principle problems that Softcat has observed in the market is the compromise of business emails. On numerous occasions, a third-party suffers a phishing attack and the account becomes compromised. The account then sends out malicious emails to its contacts, including Softcat. At this stage, the risk is very high as the email appears to originate from a legitimate, known contact.

The importance of diverse security awareness training content

Fortunately for Mark Overton, Head of IT Security at Softcat, the company’s board recognised the importance of, not only implementing security awareness training, but ensuring it was well executed. Having successfully sold KnowBe4’s services and seeing first-hand its popularity among their clients, KnowBe4 stood out as an obvious provider for Softcat’s own security awareness needs.

Mark was especially impressed with the richness of KnowBe4’s content. While the former provider had security awareness as part of its portfolio, KnowBe4 specialised in it. In this way, it could offer a variety of content to accommodate different employees. On the one hand, Softcat has employees such as those in sales, who largely work within a restricted environment and possess limited administrative access. For these users, Mark wanted to be sure that they were not overburdened with irrelevant and exhaustive training. The short and entertaining videos offered by KnowBe4, that helped to drive home the key messages, were useful in this context. On the other hand, other departments such as those in finance and IT, who had high levels of privilege and faced greater risk, required more detailed and extensive training that KnowBe4 could also provide.

In addition to this, KnowBe4 automatically sends notifications to its users to regularly remind them of any incomplete training, while also providing unique links to it. This allows employees to easily access the training without having to go via the IT department with complaints regarding accessibility. In Mark’s words, KnowBe4 makes the process “seamless”.

Implementation

The implementation of KnowBe4’s training programme could easily be described as seamless as well. Under the sole supervision of an apprentice, Softcat was able to have the programme up and running in less than two months. Whenever a roadblock was hit, the customer relationship manager at KnowBe4 was quick to provide support. Indeed, Mark praised KnowBe4’s customer service as “second-to-none”, giving more time to the senior IT personnel to focus on other, more pressing jobs. 

The Gift that Keeps on Giving

KnowBe4’s content range as well as customisation facilities are among the most advantageous aspects of the service to Softcat. That, plus the frequent reminders and ease of use, allows Softcat’s employees to be efficiently made aware of the risks of operating online in the modern day. The fact that the programme runs without a huge administrative overhead is especially appreciated by Mark and his team of four, who have a heavy workload as it is.

In the near future, Mark plans to build a phishing campaign that closely mimics the business email compromises that he sees occurring from within the supply chain. The great selection of email templates available through the KnowBe4 platform, as well as the option to customise templates will be beneficial in this process. The main goal for Mark going forward is to significantly reduce the baseline of 12%.

“The more that employees are able to identify a phishing email, the more effectively and swiftly the IT team can spin off a workflow to neutralise the threat and safeguard the company’s cybersecurity,” he explained.

The value of KnowBe4’s services has not stayed a secret within the company either. Rather, because the content can be easily personalised as necessary, other departments are demonstrating interest in using the programme for their own security awareness needs. For example, the legal team and departments responsible for their ISO standards are considering the application of Knowbe4’s services to confirm that all employees have read and acknowledged policies or have undergone anti-corruption and bribery training.

All in all, Mark said that KnowBe4 “really makes life easy”.

The post Case study: Softcat Prevails Over Cybercrime With KnowBe4 appeared first on IT Security Guru.

Read Full Story 

ORIGINAL SOURCE: The Sun

The post Snapchat Phishing Scam: 55,000 users Compromised appeared first on IT Security Guru.

IRONSCALES, the world’s first automated phishing prevention, detection and response provider, today announced that it has secured a $6.5 million Series A, led by K1 Investment Management, LLC, with participation from existing investor RDC. On the cusp of its third consecutive year of triple digit revenue growth, IRONSCALES will use the capital investment to accelerate its channel partner program, expand its global sales team and expedite research and development for its machine learning threat detection, incident response and intelligence sharing technologies. IRONSCALES, which was recently featured by Momentum Partners as one of the top 10 cybersecurity companies to watch in Q3 2017, has now raised more than $8 million since 2015.
IRONSCALES enables organizations to mitigate the risk associated with the technological, operational and human challenges inherent to phishing attacks. Its multi-layered and automated approach to prevent, detect and respond to phishing emails combines micro-learning phishing simulation and awareness training (IronSchool), with mailbox-level phishing detection (IronSights), automated incident response (IronTraps) and real-time automated actionable intelligence sharing (Federation) technologies. By providing protection at every stage of an email phishing attack, IRONSCALES’ customers reduce false positives and the time from email phishing attack discovery to enterprise-wide remediation from days, weeks or months to just seconds, with little to no security team involvement.
​​​​​ “IRONSCALES’ unique approach to phishing detection and remediation particularly resonated with the K1 team, and we looking forward to leveraging our previous experience in partnering with growing security companies as the company strengthens its position within a rapidly evolving market,” said Hasan Askari, Managing Partner of K1. “We are excited at the opportunity to be a long-term capital partner for Eyal and the IRONSCALES team.”
 
UNDERSTANDING THE EMAIL PHISHING EPIDEMIC
More than 90 percent of cybersecurity attacks begin with email phishing due to the escalation of technological, operational and human vulnerabilities. Today, traditional signature-based secure email gateways and filters are easily bypassed by sophisticated spear-phishing, spoofing and business email compromise (BEC) messages. In addition, the success of employee awareness and training programs have proven limited, as the majority of workers lack the time, skills, focus and tools to serve as full-time phishing defenders. And when suspicious emails are identified and reported, security teams and incident responders are frequently ill-equipped to respond as expeditiously as phishing mitigation requires.
With IRONSCALES, organizations reduce technological, operational and human risk through multi-layered anti-phishing machine learning technologies that provide:

• Smart real-time email scanning with cloud native support (Multi AV, Sandbox, CDR)
• User behavioral analysis & mailbox segmentation
• Mailbox level detection & context based in-mail alerts
• Automated forensics, remediation & orchestration
• Automated threat intelligence sharing
• Micro-learning employee awareness training with real-life phishing simulations
• A report button and 911 mailbox in the Outlook or Google toolbar.

“The overwhelming majority of the world’s most devastating cyberattacks of recent years have begun with email phishing,” said Eyal Benishti, founder and CEO of IRONSCALES. “IRONSCALES multi-layered and automated approach to email phishing mitigation utilizes machine learning technology that continuously gets smarter, empowering organizations to reduce cybersecurity risk in the midst of the unprecedented frequency and complexity of attacks.”
 
IRONSCALES Continues Expansion Plans
Since entering the UK and European markets 18 months ago, IRONSCALES has established a strong customer-base and built solid relationships with MSSPs and IT Resellers. This capital investment will allow the company to further its aggressive expansion plans for this region, introducing additional partner incentives and ‘on the ground’ support. It recently announced the appointment of David Burnett as VP of Sales for UK & EMEA with further appointments and partnerships imminent.
IRONSCALES also announced today that it will open its North American headquarters in Q1 2018. Its VP of Sales will be based in Atlanta, while 10-15 new jobs in marketing, business development and HR will be hired at its new office location. R&D will remain in Israel. More information on new U.S. and EMEA employees and locations will be revealed in the coming months.
For more information on IRONSCALES, visit www.ironscales.com and follow @ironscales on Twitter and Linkedin.
 

The post IRONSCALES Secures $6.5 Million to Automate Email Phishing appeared first on IT Security Guru.

The post Russian Hackers Stealing UK Air Miles appeared first on IT Security Guru.

The post New Phishing Attack Combines Phishing, Malware and Data Theft appeared first on IT Security Guru.

The post Funeral Home Hacked, used to Run Online Scams appeared first on IT Security Guru.