Anatomy of a Vishing Scam

I hear about a ton of similar-sounding scam calls, where the scammer is pretending to be from a service you use (or used), offering you a substantial monthly discount (30% or more) if you pay some fee ahead of time. Sometimes they take the advance fee using your credit card, and sometimes they tell you that you have to get store gift cards. Who would possibly believe that a legitimate vendor would want them to pay with store gift cards? Hundreds of thousands of people.

FBI Report: Attackers Are Sending Physical Packages with Malicious QR Codes

The FBI has issued an advisory warning that scammers are distributing QR code phishing (quishing) links via unsolicited packages sent by snail mail. Recipients may scan the code to find out where the package came from, which will land them on a phishing page. This is a variation of a “brushing scam,” where unscrupulous vendors send packages designed to harvest information that can be used in phony positive reviews.

Beyond Traditional Defenses: Why French Cyber Resilience Needs to Improve

In today's world, cyberattacks are a constant threat. While technical defenses are crucial, people often remain the easiest attack vector for cybercriminals. To gauge the resilience of French employees against cyberattacks, we looked at the impact of security awareness training (SAT) and phishing simulations in strengthening their defenses. Our latest report, "Go Phish: How Susceptible Are French Employees To Malicious Attacks?", aims to provide some insight.

Social Engineering Attacks Surged in the First Half of 2025

Cybersecurity incidents nearly tripled in the first half of 2025, jumping from 6% in the second half of 2024 to 17% in 2025, according to a new report from LevelBlue. Business email compromise (BEC) remains the most common method for initial access, but non-BEC tactics rose by 214%. The researchers observed a major surge in social engineering attacks, driven by the recent popularity of the ClickFix tactic.

Warning: New Phishing Campaign Targets Instagram Users

A phishing campaign is targeting Instagram users with phony notifications about failed login attempts, according to researchers at Malwarebytes. Notably, the emails contain "mailto" links rather than traditional URLs, which help the phishing messages avoid being flagged by security filters. "Instead of linking to a phishing website, which is most common with emails like this, both the ‘Report this user’ and ‘Remove your email address’ links are mailto links," the researchers write.

If You Think Social Engineering Is Bad, It's Going To Get Worse

There is no clearer way to say it: social engineering is going to be a lot, lot worse soon and far more successful than it is today. And that’s saying a lot. It’s already pretty bad. As I’ve been touting for over 20 years…in hundreds of articles…social engineering is involved in more successful data breaches than any other single hacker method.

How Hackers Exploit Microsoft Teams in Social Engineering Attacks

Attackers are using Microsoft Teams calls to trick users into installing the Matanbuchus malware loader, which frequently precedes ransomware deployment, according to researchers at Morphisec. Matanbuchus is a malware-as-a-service offering that allows threat actors to install additional payloads onto infected Windows systems. “Over the past nine months, Matanbuchus has been used in highly targeted campaigns that have potentially led to ransomware compromises,” Morphisec says.

Malicious Connectors Potentially Impact Hundreds of Millions of Microsoft 365 Users

Most Microsoft 365 users aren’t aware of this serious, recently growing email threat vector. I have been teaching about the risks of Microsoft email rules, forms and connectors on email clients and servers for decades. Both can be created by an attacker learning your email address and logon credentials (e.g., password or MFA codes).

Boost Your Browsing Security: Integrate SecurityCoach with Microsoft Edge for Business

Managing the security gap between your technical defenses and user behavior just got easier! Introducing KnowBe4 SecurityCoach for Microsoft Edge for Business integration. As one of the only human risk management platforms with a native reporting connector in Microsoft Edge for Business, SecurityCoach now transforms your browser into a real-time coaching platform.