Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Cybersecurity Starts At Home This World Social Media Day

Remember when "social media safety" meant advising employees not to post pictures of their security badges or laptop screens? Back then, corporate risk and personal scrolling felt like two entirely separate worlds. Today, that boundary has completely dissolved. Social media has become a primary staging ground for sophisticated social engineering attacks targeting your workforce, and their families.

FTC Report: Americans Lost $3.5 Billion to Imposter Scams Last Year

Imposter scams were the most commonly reported type of fraud in 2025, with Americans reporting $3.5 billion in losses, according to new data from the US Federal Trade Commission (FTC). Reported losses have increased nearly three times since 2020, and the true number is likely much higher since many scams go unreported. Losses across all types of fraud surged to $16 billion, a 25% increase compared to 2024.

Report: Device Code Phishing is Surging

Multiple sophisticated phishing kits are now focusing on harvesting device codes to breach accounts without a password, according to researchers at LevelBlue. “Device code phishing exploits a legitimate Microsoft authentication flow to harvest Microsoft 365 access and refresh tokens without ever capturing a password,” the researchers explain. “The core mechanic is straightforward: whoever initiates the authentication request receives the resulting tokens.

New Extortion Scam Uses IT Impersonation to Breach Organizations

A newly surfaced extortion brand called “Pink” is using voice phishing and fake IT support calls to breach organizations, the Register reports. The threat actor may be a rebrand of prior extortion groups, including BlackFile and Redact, though its tactics remain the same.

Social Engineering Attacks Abuse Workplace Collaboration Tools

Threat actors are increasingly abusing workplace collaboration tools like Microsoft Teams to launch social engineering attacks, according to researchers at Palo Alto Networks’s Unit 42. Attackers are sending Teams messages that impersonate IT personnel, asking users to approve a multifactor authentication prompt. Both criminal and nation-state threat actors are using this social engineering technique to compromise organizations’ environments.

APWG Report: Social Media Phishing is Surging

Phishing scams surged across social media platforms during the first quarter of 2026, according to a new report from the Anti-Phishing Working Group (APWG). “Threat volume increased in Q1 2026 on every social media platform, predominantly in two formats: Scams (27.1 percent of all threats) and Impersonation (43.8 percent of all threats),” the report says. The APWG adds, “Impersonation became more prevalent than in the previous quarter.

Cybersecurity Awareness Training for AI: Key Focus Areas

As employees increasingly rely on AI tools and AI agents in daily workflows, organizations are facing a new workforce security challenge: how to reduce risk without slowing productivity. Security leaders are no longer just protecting systems and identities. They also need to manage how employees interact with AI-generated content, automation, and decision support tools.

Americans Lost $900 Million to AI-Powered Scams Last Year

The US Federal Bureau of Investigation (FBI) warns that Americans lost just under $900 million to AI-powered scams in 2025, Malwarebytes reports. Total reported losses to scams last year reached nearly $21 billion, a 26% increase from 2024. The researchers note that the true losses are likely much higher, since many attacks go unreported. “The main drivers behind the rise in AI-powered scams are voice cloning, deepfake images and videos, and AI‑generated scripts,” Malwarebytes says.

What AI Can't Hide When It Writes a Phishing Email

Phishing has always been a game of impersonation. But for decades, the tell was in the details: a misspelled word here, an awkward sentence there, a logo that was just slightly off. Security awareness training built an entire doctrine around those cues. Spot the typo, avoid the trap. That playbook is now obsolete. KnowBe4's latest Phishing Trends Report found that 86% of phishing attacks observed in the last six months involved some level of AI assistance.

Your AI Agents Are Eager to Please And Easy to Exploit

An AI-driven system at a beverage manufacturer recently churned out several hundred thousand excess cans after misreading unfamiliar packaging. The system didn’t recognize the company’s new holiday labels, flagged them as an error, and triggered additional production runs before the company caught the mistake. The system followed its instructions perfectly.

Best AI Agent Security Tools for SMB and Enterprise in 2026

Enterprise AI agent adoption has created a massive blind spot: 83% of organizations have no visibility into what their AI agents are doing, while 86% lack visibility into their AI data flows. With 1 in 3 enterprise employees now using an AI assistant daily — mostly without security governance — this visibility gap has become a critical enterprise risk. The security industry's response splits into two distinct layers.

From 1% to 26%: How AIDA Orchestration Fixes the Remedial Training Gap

As we speak, bad actors are using AI agents to do their dirty work. Our own research tells us 85.8% of phishing attacks were AI-driven in the past 12 months. Agentic power is helping social engineering and malware get smarter, faster and harder to detect. But enough of what you probably already know. Let’s talk about how we can address these risks. Our CISO Advisor Dr. Martin Kraemer wrote recently about AI agents being used for good.

The Role of Agentic AI in Phishing Security Training

Phishing attacks are evolving faster than traditional training programs can keep up. Advances in AI — including generative tools — are making attacks more dynamic, personalized, and harder to detect. At the same time, agentic AI for phishing security training is reshaping how programs improve, enabling them to adapt to user behavior and shifting risk in real time.

4 Hot Summer Travel Tips To Avoid Scams

When the weather starts to get warmer, it is a sign that summer time is around the corner. But just as the weather heats up and travel plans get booked, scammers capitalize on the season by performing nefarious schemes to separate victims from their money and other valuables. Recent McAfee research found that more than one in three Americans have experienced a travel-related cyberthreat, with 41% of those affected losing money, often costing victims over $500.

Build a Custom Security Training Course in Seconds | KnowBe4 AIDA Content Creation Agent

What if you could build a complete, personalized security awareness course from a single prompt — in seconds? KnowBe4's AIDA Content Creation Agent does exactly that. Powered by our decade of AI innovation, it generates e-learning modules instantly — and goes far beyond basic content generation: Deepfake Face Injection — Insert real members of your team into training visuals using safe, consensual deepfake synthesis. Your people, your culture, your training.

A Credit Score for Cyber Behavior

You can add verified AI skills to your LinkedIn profile. Certifications proving you know how to use the latest tools. This shows progress, but it is only half the problem. While we are getting very good at verifying what people know, we still have almost no way to verify how they behave. In hiring, we obsess over skills and experience, and ponder cultural fit. We run background checks. We validate credentials.

Agentic AI Security in 2026: What to Know

Organizations are rapidly deploying autonomous and semi-autonomous AI agents that can make decisions, execute tasks and interact directly with systems without constant human oversight. That shift is driving investment, with the global agentic AI in cybersecurity market projected to grow to $322.39 billion by 2033. The surge represents enormous gains in efficiency and agility — and also signals a dramatic increase in risk.

An Overview of Email Compliance Regulations and Reporting

Email is one of the primary ways people share information, connect with customers and get work done. It is also one of the easiest channels for risk to slip in. A mistyped address, an exposed attachment, a missed opt-out, or a rushed response to a phishing message can all lead to serious problems. That is why email compliance matters. It helps define how your organization handles email, what is allowed and how to report on activity when something goes wrong.

How to Secure AI Agents: 4 Best Practices

Imagine you give an AI agent permission to triage support tickets. A few weeks later, it’s accessing a system no one intended it to reach, putting the data within at risk of exposure or misuse. Nothing dramatic happens at the moment. That’s what makes the risk tricky. AI agents don’t wait for approval the way traditional systems do, and they move faster than the controls you’ve set around them.

I Love Device-Bound Session Credentials, But They Are Still Phishable and Hackable

Google recently released Device-Bound Session Credentials (DBSC) for Google Chrome and Google Workspace. It is a long-awaited new security enhancement to fight back against local cookie theft. But, yes, it can still be hacked and phished. Nothing alone in cybersecurity is a complete panacea.

Attackers Use Spoofed ChatGPT Site to Deliver Malware

Researchers at Malwarebytes warn that a fake ChatGPT download site is delivering malware. The attackers use sponsored results and SEO manipulation to target users who search for “ChatGPT download.” The phishing page is a convincingly spoofed version of the legitimate ChatGPT website, which delivers malware tailored to Windows or Mac users.

KnowBe4 Wins Multiple 2026 TrustRadius Top Rated Awards

We’re proud to share that KnowBe4 has once again been recognized as a leader in cybersecurity, receiving six 2026 TrustRadius Top Rated Awards across our platform. These awards are especially meaningful because they’re based entirely on customer feedback—making them a direct reflection of how our customers view the value and impact of our partnership.

A Look at Spam vs. Phishing: 4 Key Differences

Spam and phishing are often used interchangeably in email security, but they serve distinct purposes and carry varying levels of risk. Understanding the difference between spam vs. phishing helps organizations better recognize threats and respond appropriately. This guide breaks down how spam and phishing differ, how to identify each, and what steps organizations can take to reduce risk.

Nearly Two-Thirds of CEOs Cite Cyberattacks as Their Top Concern

Cyberattacks are now the top concern of leading CEOs, overtaking fears over geopolitical turmoil or inflation, the Wall Street Journal reports. A survey by the Conference Board and the Business Council found that 65% of CEOs at blue-chip companies cited cyberattacks as their top worry in the second quarter of 2026, an increase from 56% in Q1 2026.

The New Frontier: Securing Japan's Hybrid Digital Workforce (2026 & Beyond)

As Japan navigates the mid-point of the decade, its cybersecurity landscape is undergoing a fundamental transformation. Driven by escalating geopolitical tensions and the rapid proliferation of agentic AI, the nation is shifting its focus from purely technical defenses to a broader strategy of "Cognitive Security" and national resilience. The emergence of a hybrid workforce - where human employees work alongside autonomous AI agents - has redefined the traditional enterprise perimeter.

Report: AI-Enabled Social Engineering Attacks Are on the Rise

Threat actors are increasingly using AI-enabled social engineering to get around technical security measures, according to a new report from Visa. Social engineering attacks were behind the largest number of losses in the second half of last year. “From July to December 2025, Visa identified nearly $1 billion in scam-related activity, making scams the single largest category of consumer payment fraud,” Visa says.

The Silent Invitation: A Deep Dive into Calendar Invite Phishing

As reported in the latest Phishing Threat Trends Report (Vol. 7), attackers are increasingly using calendar invites to bypass traditional email defenses, with this vector surging 49% over the past six months. In this Threat Labs deep dive, our team goes behind the scenes to provide a detailed analysis of this escalating campaign. We break down the technical underpinnings and tactical shifts in a unique multi-vector attack that turns your trusted corporate schedule into an instrument of compromise.

How to Secure AI Adoption In Your Organization

The era of "typing into a box" is over. For years, we viewed artificial intelligence as a digital assistant—a sophisticated autocomplete tool that waited for human input. But according to Martin Kraemer, KnowBe4’s CISO Advisor for Europe and the Middle East, that dynamic has shifted. We have moved from asking AI questions to giving AI jobs. In a recent webinar, Martin explores the transition from AI tools to AI agents.

FBI: Kali365 Phishing Kit is Targeting Microsoft 365 Accounts

The US Federal Bureau of Investigation (FBI) has warned that a new phishing-as-a-service (PhaaS) platform called “Kali365” is targeting OAuth tokens to gain direct access to users’ Microsoft 365 accounts without stealing credentials or multifactor authentication codes. “Through the Kali365 platform subscription, cyber threat actors can capture ‘OAuth’ tokens and gain persistent access to targeted individuals/entities' Microsoft 365 environments,” the Bureau says.

Cyber Insurance for MidMarket Organizations in Southeast Asia

Businesses increasingly identify cyber risk as a core operational concern. Yet many cyber incidents still stem from basic, preventable vulnerabilities such as susceptibility to phishing, weak passwords, unpatched software and misconfigured systems. Insurers can play an important role in helping to raise firms’ cybersecurity hygiene and enhancing overall cyber resilience. However, cyber insurance penetration in certain market segments and regions remains low.

Phishing Attacks Are Using Real Hotel Reservation Info to Target Travelers

Scammers are using legitimate hotel booking details to craft targeted phishing attacks, WIRED reports. Victims are far more likely to fall for a phishing attack if a message contains real information that they wouldn’t expect a scammer to know. According to researchers at Norton, this phishing campaign is targeting customers of at least 350 hotels and vacation rentals across 50 countries.

Athletes Are Increasingly Targeted by Social Engineering Attacks

Scammers are increasingly targeting athletes with advanced social engineering attacks, the Guardian reports. The Guardian cites a recent report from Ernst & Young that found that athletes and teams have lost nearly $1 billion to fraud over the past twenty years, and more than 40% of these losses were reported in the past six years.

Warning: Scammers are Exploiting Geopolitical Unrest

Scammers are taking advantage of the conflicts in the Middle East and Ukraine to exploit people’s emotions, according to researchers at ESET. “Geopolitical turmoil often leads to human misery, which tends to pull at the heartstrings,” ESET says. “Legitimate charities may solicit donations to help their efforts to support innocent citizens caught in the crossfire.

AI Agent Governance Part 3 - Runtime Governance: The Hidden Performance Cost of Agentic AI

At the World Economic Forum cyber meeting in Geneva recently, I had an interesting conversation with Vinh Nguyen, who is a strategic security advisor and Senior Fellow for AI at CFR. I wanted to know from him how he sees runtime governance in agentic AI working out practically and what approaches actually work. One of the challenges he mentioned was that yes, we need runtime governance to provide continuous and real time assurance that agents are doing what they are supposed to be doing.