A widespread phishing campaign is attempting to steal credentials from employees working at dozens of organizations around the world, according to researchers at Group-IB. The campaign has targeted organizations across twelve industries, including government, aerospace, finance, energy, telecommunications, and fashion. “The campaign begins with phishing links crafted to mimic trusted platforms commonly used for document management and electronic signatures, such as DocuSign,” Group-IB says.

A new report makes it clear that U.K. organizations need to do more security awareness training to ensure their employees don’t fall victim to the evolving use of AI. Here at KnowBe4, we’ve long known that AI is going to be a growing problem, with phishing attacks and the social engineering they employ far more believable and effective.

For decades, we have all been warned to be appropriately skeptical of internet search engine results. Sadly, most people are not. Most people think that what Google, Bing, or Duck Duck Go brings back is heaven sent and can be trusted. It cannot. Results often include malicious links from search engine optimization (SEO) poisoning, where the attacker has been able to trick the search engine into returning its URL when a user searches for something.

A new report from Hornetsecurity has found that 427.8 million emails received by businesses in 2024 contained malicious content. “Once again, phishing remains the most prevalent form of attack, responsible for a third of all cyber-attacks in 2024,” Hornetsecurity’s researchers write. “This was confirmed by the analysis of 55.6 billion emails, showing that Phishing remains a top concern consistently year over year.

New analysis of ransomware attacks shows that phishing is the primary delivery method and organizations need to offer more effective security awareness training to mitigate the threat. Hornet Security’s Q3 2024 Ransomware Attacks Survey report paints a pretty bleak picture of how organizations have fared this year against ransomware attacks. So almost one in five organizations is a victim. According to the survey data, 52.3% of the attacks started with a phishing email.

Researchers at Silent Push warn that a phishing campaign is using malicious Google Ads to conduct payroll redirect scams. The attackers are buying search ads with brand keywords to boost their phishing pages to the top of the search results. “We have identified hundreds of domains primarily focused on Workday users and high-profile organizations, including the California Employment Development Department (EDD), Kaiser Permanente, Macy’s, New York Life, and Roche,” the researchers write.

The US Federal Bureau of Investigation (FBI) warns that threat actors are increasingly using generative AI to increase the persuasiveness of social engineering attacks. Criminals are using these tools to generate convincing text, images, and voice audio to impersonate individuals and companies. “Generative AI reduces the time and effort criminals must expend to deceive their targets,” the FBI says.

Frequently, when a cybersecurity training manager sends out a controversial simulated phishing attack message that angers a bunch of employees and ends up making headlines, we get called by the media to comment on the story. Here are some examples of potentially controversial simulated phishing messages: I have read many stories of security awareness training managers sending simulated phishing emails with these types of messages, often around Christmas or other national holidays.

In recent years, the world of cybersecurity has witnessed a concerning trend: a significant increase in phishing attacks. A new study reveals that these attacks have surged by nearly 40% in the year ending August, 2024. What's particularly alarming is the role played by new generic top-level domains (gTLDs) in this spike. While gTLDs like.shop, .top, and.xyz make up only 11% of new domain registrations, they account for a staggering 37% of reported cybercrime domains.

The latest data on brand phishing trends shows one brand dominating quarter over quarter, but also continuing to take on a larger share of the brand impersonation. Take a guess which brand tops the list as the most impersonated in phishing attacks? If you guessed Microsoft, you’d be right. You’d also have been right last quarter, and the quarter before that – according to Check Point Research.