Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Ransomware attacks targeting utilities have surged by 42% over the past year, with spear phishing playing a major role in 81% of cases, according to a ReliaQuest study spanning November 2023 to October 2024. Analyzing data from its GreyMatter platform and dark web activity, ReliaQuest found that utilities like water and energy systems are disproportionately affected. Their critical role in infrastructure makes them prime targets for cybercriminals.

Threat actors are using voice phishing (vishing) attacks via Microsoft Teams in an attempt to trick victims into installing the DarkGate malware, according to researchers at Trend Micro. “The attacker used social engineering to manipulate the victim to gain access and control over a computer system,” Trend Micro says.

A widespread phishing campaign is attempting to steal credentials from employees working at dozens of organizations around the world, according to researchers at Group-IB. The campaign has targeted organizations across twelve industries, including government, aerospace, finance, energy, telecommunications, and fashion. “The campaign begins with phishing links crafted to mimic trusted platforms commonly used for document management and electronic signatures, such as DocuSign,” Group-IB says.

A new report makes it clear that U.K. organizations need to do more security awareness training to ensure their employees don’t fall victim to the evolving use of AI. Here at KnowBe4, we’ve long known that AI is going to be a growing problem, with phishing attacks and the social engineering they employ far more believable and effective.

For decades, we have all been warned to be appropriately skeptical of internet search engine results. Sadly, most people are not. Most people think that what Google, Bing, or Duck Duck Go brings back is heaven sent and can be trusted. It cannot. Results often include malicious links from search engine optimization (SEO) poisoning, where the attacker has been able to trick the search engine into returning its URL when a user searches for something.

A new report from Hornetsecurity has found that 427.8 million emails received by businesses in 2024 contained malicious content. “Once again, phishing remains the most prevalent form of attack, responsible for a third of all cyber-attacks in 2024,” Hornetsecurity’s researchers write. “This was confirmed by the analysis of 55.6 billion emails, showing that Phishing remains a top concern consistently year over year.

New analysis of ransomware attacks shows that phishing is the primary delivery method and organizations need to offer more effective security awareness training to mitigate the threat. Hornet Security’s Q3 2024 Ransomware Attacks Survey report paints a pretty bleak picture of how organizations have fared this year against ransomware attacks. So almost one in five organizations is a victim. According to the survey data, 52.3% of the attacks started with a phishing email.

Researchers at Silent Push warn that a phishing campaign is using malicious Google Ads to conduct payroll redirect scams. The attackers are buying search ads with brand keywords to boost their phishing pages to the top of the search results. “We have identified hundreds of domains primarily focused on Workday users and high-profile organizations, including the California Employment Development Department (EDD), Kaiser Permanente, Macy’s, New York Life, and Roche,” the researchers write.

The US Federal Bureau of Investigation (FBI) warns that threat actors are increasingly using generative AI to increase the persuasiveness of social engineering attacks. Criminals are using these tools to generate convincing text, images, and voice audio to impersonate individuals and companies. “Generative AI reduces the time and effort criminals must expend to deceive their targets,” the FBI says.

Frequently, when a cybersecurity training manager sends out a controversial simulated phishing attack message that angers a bunch of employees and ends up making headlines, we get called by the media to comment on the story. Here are some examples of potentially controversial simulated phishing messages: I have read many stories of security awareness training managers sending simulated phishing emails with these types of messages, often around Christmas or other national holidays.