Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A new survey has found that 64% of C-Suite executives in cybersecurity or data center roles view data breaches and ransomware attacks as the top threat to companies over the next decade.

Cybersecurity has long focused on fortifying networks, securing endpoints and blocking malicious code. Yet one of the most persistent and costly security vulnerabilities isn’t technical — it’s human. Employees routinely fall for phishing scams, mishandle sensitive data or unintentionally violate security policies. While most people don’t mean to cause harm, their behavior still introduces significant cyber risk to the organization.

Researchers at Bitdefender warn of a wave of social engineering attacks targeting WhatsApp accounts. The attacks begin with automated phone calls that instruct users to add a specific phone number to their WhatsApp contacts. The call then ends abruptly. The scammers are doing this to gather potential targets for future attacks. Most people will ignore the calls, but those who do add the number to their contacts will be more likely to fall for additional social engineering attacks.

Social engineering remains a primary initial access vector for cybercriminals, according to a new report from Europol. “Social engineering, which exploits human error to gain access to systems or personal information, stands out as a prominent technique used by criminal actors in this context,” Europol says.

I am used to repeating some pretty big numbers when talking about the financial impact of cybercrimes. When you look into the data, it is pretty easy to start talking about tens of billions of dollars. I occasionally come across figures that are in the hundreds of billions of dollars in damage across multiple years globally. So, imagine my surprise when I learned the U.S. Federal Trade Commission (FTC) said Americans lost $158.3B in 2023, one year, to scammers, and that annual figure is getting worse.

I recently had several conversations about repeat clickers. First with a Forrester analyst and then, shortly after, at KB4-CON Orlando following a presentation on the subject by Matthew Canham, Executive Director of the Cognitive Security Institute. After that, my approach was a little less organic: intrigued by the topic, I spoke with several KnowBe4 customers to find out how they manage repeat clickers.

Lead Researchers: James Dyer and Louis Tiley Between May 5 and May 7, 2025, KnowBe4 Threat Lab identified a phishing campaign originating from accounts created on the legitimate service ‘EUSurvey’. Although this was a focused campaign, on a smaller-scale to others identified by the team, it employed a combination of sophisticated techniques worth highlighting.

AI-generated voice deepfakes present an urgent threat to organizations, according to researchers at Pindrop. The researchers warn that speech generation tools can create realistic-sounding cloned voices in near real-time, allowing attackers to hold live conversations with victims while imitating someone the victim knows. Additionally, these tools can now convincingly imitate human emotions, making social engineering attacks even more persuasive.

In today's rapidly evolving threat landscape, cybercriminals are becoming increasingly sophisticated in their attack methodologies, particularly when it comes to email-based threats. Organizations worldwide are recognizing that a single-vendor approach to security, while valuable, may not provide the comprehensive protection needed to defend against the full spectrum of modern cyber threats.

Researchers at Google have published a report on the latest scam trends, noting an increase in travel-themed scams targeting people preparing for their summer vacations. “Ahead of the summer vacation season, our teams have observed a spike in travel scams,” the researchers write. “Fake travel websites lure users into booking travel with a promise of ‘too good to be true’ prices, experiences, or discounts.

Researchers at Google’s Mandiant have published a report on voice phishing (vishing) attacks, noting that these attacks have served as initial access points for recent waves of ransomware incidents. Threat actors often perform reconnaissance before launching social engineering attacks, collecting publicly available information in order to craft tailored, realistic scenarios.

There are many things in our lives we must prepare for to be ready. For other things, we wing it, or we're not prepared to deal with it at the moment. For me, I've reached that point in my life where I needed to have a medical procedure done, and it was something I've put off for several years. It may not be very comfortable to admit, but last week, I had a colonoscopy. That's not exactly how you'd expect a cybersecurity blog to start, but hear me out on this one!

What is AI really? Throughout this article, I will remove the hype and get to the most honest answer ever. Artificial Intelligence, or AI, or at least the first version of how we think of it today, was “invented” in the 1950s…a long time ago. Since then, various computer scientists and groups have worked on different iterations, often using different names, including machine learning and neural networks.

Picture this: it's 2021. You're an IT professional, scrolling through LinkedIn, when a message pings. "Bastion Secure," a new cybersecurity company, is hiring. The pay? Excellent. Remote work? Absolutely. A chance to tinker with cutting-edge tech? You bet. For dozens, this looked like the career lottery win. What they didn’t clock was that their new "employer" was the infamous cybercriminal syndicate, FIN7. This isn't just another tale of a clever job scam.

OpenAI has published a report looking at AI-enabled malicious activity, noting that threat actors are increasingly using AI tools to assist in social engineering attacks and influence operations. In one case, the company banned ChatGPT accounts that were likely being used in North Korean attempts to fraudulently obtain jobs at US companies. “Similar to the threat actors we disrupted and wrote about in February, the latest campaigns attempted to use AI at each step of the employment process.

We’re proud to share that KnowBe4 has once again been recognized as a leader in cybersecurity, receiving multiple 2025 TrustRadius Top Rated Awards across our product suite. These awards are especially meaningful because they’re based entirely on customer feedback—making them a direct reflection of how our customers view the value and impact of our platform.

A criminal threat actor tracked as “UNC6040” is using voice phishing (vishing) attacks to compromise organizations’ Salesforce instances, according to researchers at Google’s Threat Intelligence Group. After gaining access, the attackers exfiltrate the victim’s data and hold it for ransom.

Researchers at Trellix warn of a spear-phishing campaign that’s targeting CFOs around the world with phony employment offers. The emails are designed to deliver a legitimate remote access tool that will give the attacker a foothold on the victim’s machine.

A KnowBe4 co-worker of mine recently got this SMS phishing message (i.e., smish). They quickly identified it as a social engineering attack and shared it on our internal communication channel for sharing such things. I have had more and more of these types of similar smishes occurring over the last few months. It is an attempt to trick someone into worrying that their Gemini, Gmail, Microsoft, Instagram…or whatever account…is in the middle of being compromised and you need to react NOW! NOW!

When it comes to cybersecurity, organizations face an ever-present and often underestimated threat: human risk. Despite significant advancements in technological defenses, human error remains a leading cause of data breaches and security incidents. Industry studies consistently show that between 70% and 90% of data breaches involve some form of human-related cause—whether through social engineering, errors, or misuse.

A phishing campaign is targeting European countries with lures themed around copyright infringement, researchers at Cybereason warn. The phishing emails are designed to deliver the Rhadamanthys infostealer malware. “These campaigns often involve emails impersonating companies and their legal departments, falsely claiming recipients have violated copyright on social media or elsewhere and demanding content removal,” the researchers write.

The FBI is warning that the Silent Ransom Group (SRG) is targeting law firms with IT-themed social engineering attacks and callback phishing emails. SRG is a cybercriminal gang that demands ransoms in exchange for not leaking stolen data. “SRG has been operating since 2022 and has primarily been known for their callback phishing emails, masquerading as well-known businesses who offer subscription plans,” the FBI explains.

Researchers at Certo warn that a new AI chatbot called “Veniceai” can allow cybercriminals to easily generate phishing messages or malware code. The tool, which only costs $18 per month, is growing in popularity on criminal forums. “One of the starkest contrasts between Veniceai and more mainstream AI systems like ChatGPT is how each responds to harmful or malicious requests,” Certo says.

Last year, KnowBe4's report "Exponential Growth in Cyber Attacks Against Higher Education Institutions" illustrated the growing cyber threats facing universities and colleges. The report highlighted the perfect storm of factors making educational institutions prime targets: vast data repositories, open networks, limited security resources, and decentralized governance structures.

Researchers at IBM Security warn that a major phishing campaign is targeting users in France, incorporating leaked personal data to make the emails more convincing. IBM has observed seventeen waves of the campaign since March 2024, and at least 160,000 victims have clicked on the phishing link. “The phishing emails inform recipients that their Amazon Prime subscription will automatically renew at a cost of 480 Euros per year,” IBM explains.

You know what's interesting about data breaches? Everyone focuses on credit card numbers and financial data, but the reality is that every piece of information has value to someone. The Legal Aid breach perfectly illustrates this point, with over two million pieces of information accessed including details about domestic abuse victims, family cases, and criminal proceedings.