A new report from ESET has found that most nation-state threat actors rely on spear phishing as a primary initial access technique. In the second and third quarters of 2024, state-sponsored APTs from China, Russia, Iran, and North Korea used social engineering attacks to compromise their targets. Iranian threat actors continued conducting cyber espionage against countries across the Middle East, Europe, and the US. They also expanded their targeting to hit financial companies in Africa.

The latest trend in cybercrime is that attackers don't really focus on “hacking” in; they’re logging in. We see this now in the wild, driven by organized criminal groups like Scattered Spider and BlackCat, who’ve reemerged with a renewed focus on gaining access through legitimate means, often exploiting help desks and social engineering tactics.

Threat actors are abusing DocuSign’s API to send phony invoices that appear “strikingly authentic,” according to researchers at Wallarm. “Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard,” Wallarm says.

Cybercriminals are impersonating OpenAI in a widespread phishing campaign designed to trick users into handing over financial information. The emails inform users that a payment for their ChatGPT subscription was declined, inviting them to click a link in order to update their payment method. The phishing emails appear fairly convincing, but trained users could spot some red flags. The most obvious giveaway is that the emails were sent from “info@mtacom,” which is clearly unrelated to OpenAI.

Attackers are abusing Eventbrite’s scheduling platform to send phishing emails, according to researchers at Perception Point. These attacks increased by 900% between July and October 2024. “Perception Point researchers observed phishing emails delivered via ‘noreply@events.eventbritecom,’” the researchers write.

ReliaQuest warns that the BlackBasta ransomware gang is using new social engineering tactics to obtain initial access within corporate networks. The threat actor begins by sending mass email spam campaigns targeting employees, then adding people who fall for the emails to Microsoft Teams chats with external users. These external users pose as IT support or help desk staff, and send employees Microsoft Teams messages containing malicious QR codes.

When you think of KnowBe4, you might immediately picture phishing simulations, password security modules, or other security awareness training topics. But today, we're celebrating a milestone that showcases just how far our Compliance Plus training offering has come: we've reached 5 million learners and over 10,000 customers worldwide! Compliance Plus offers training content that is typically boring, stale and drawn.

Over a decade ago, I noticed that social engineering was the primary cause for all malicious hacking. It has been that way since the beginning of computers, but it took me about half of my 36-year career to realize it. At the time, I think everyone in cybersecurity knew social engineering was a big part of why hackers and their malware programs were so successful, but no one really knew how big.

Chief Information Security Officers (CISOs) are facing unprecedented challenges. The combination of increasingly sophisticated cyber threats, persistent talent shortages, and complex regulatory requirements has led many organizations to rethink their approach to cybersecurity. As a result, we're seeing a significant shift towards outsourcing key security functions to managed service providers.

Cybersecurity is all about risk management and reduction. You cannot get rid of all risk. Well, I guess you could, but you (and everyone else) would probably not want to work in a true zero-risk environment. It would be too locked down, super slow, and incredibly inflexible. Cybersecurity is all about identifying the most likely and impactful risks and reducing them. To repeat, cybersecurity is about risk management. Identify the biggest risks and mitigate those the best you can. That is your job.