Latest news with #ErichKron


Techday NZ
18-07-2025
- Business
- Techday NZ
Internal-themed phishing emails drive sharp rise in staff clicks
KnowBe4 has released its Q2 2025 Phishing Simulations Roundup report, revealing a significant rise in employee vulnerability to phishing emails, especially those that mimic internal communications. The report shows that 98.4% of the top 10 most-clicked phishing email templates imitated internal messages, with attackers frequently posing as HR or IT departments. These findings indicate a persistent susceptibility among employees to social engineering techniques that leverage trust in familiar internal sources.

According to data gathered from the KnowBe4 HRM+ platform between April and June 2025, phishing simulation patterns remain largely unchanged from the previous quarter. Internal-themed topics overwhelmingly led to clicks, demonstrating that workplaces continue to struggle to identify fraudulent emails disguised as routine company communications. Among internal-themed simulations, HR-themed emails accounted for 42.5% of incidents in which employees clicked on malicious links, while IT-themed messages were responsible for 21.5%. This highlights the particular vulnerability of employees to phishing attempts that exploit organisational trust and daily business processes.

Phishing campaigns using branded content were also prevalent, with 71.9% of malicious landing page interactions featuring recognisable brands. Microsoft was the most frequently impersonated brand, cited in 26.7% of such incidents. LinkedIn, X, Okta, and Amazon followed, showing that attackers use brand familiarity to further their fraudulent aims.

Analysis of clicked links within these campaigns revealed similar trends. Internally themed email simulations accounted for 80.6% of the top 20 most-clicked links, and of these, 68.2% used domain spoofing methods to deceive recipients. This trend underscores the complexity of modern phishing attempts, which go beyond simple deception and rely on technical measures that closely imitate legitimate domain names.

Attachment-based phishing methods also posed a challenge for employees. Clicks on PDF attachments rose 8.1% compared with the first quarter of 2025, and PDFs constituted 61.1% of the top 20 clicked attachments. HTML files and Word documents made up the remainder, at 20.9% and 18.0% respectively.

Erich Kron, Cybersecurity Advocate at KnowBe4, commented on the findings: "One of the key takeaways from the Q2 Simulated Phishing Roundup is the critical role trust plays in cybersecurity. Whether that is trust in internal communications, familiar brands, or even known individuals, phishing emails that appear to originate from reputable sources will always have a higher chance of lowering a recipient's suspicions." "We see this time and time again in real-world scenarios, where attackers use sophisticated social engineering tactics to take advantage of this fundamental human instinct, making it harder for employees to distinguish legitimate and malicious emails."

Elaborating further, Kron said: "The Q2 findings reinforce the need for organisations to strengthen their human defences through a layered approach centred on human risk management. This includes employee empowerment through a combination of relevant, timely and adaptive security training and intelligent detection technology that can identify and mitigate threats in real time."

The Q2 2025 findings suggest that combating phishing threats requires ongoing prioritisation from organisational leadership, particularly in the areas of training and technological support. The data indicates a need for adaptive educational programmes and advanced detection mechanisms so that staff can recognise and neutralise phishing attempts disguised as routine communications.


Techday NZ
17-07-2025
- Business
- Techday NZ
Phishing attacks in Q2 2025 exploit trust in internal emails
KnowBe4 has released its Q2 2025 Phishing Simulation Roundup report, showing that employees remain vulnerable to phishing emails that closely mimic internal communications and well-known brands.

Internal focus
The report draws on data from simulated phishing exercises conducted in mid-2025 using the KnowBe4 HRM+ platform. It shows that 98.4% of the top 10 most-clicked email templates had internal themes, with human resources referenced in 42.5% of phishing failures and IT topics in 21.5%. Malicious emails that exploit trust by purporting to come from familiar sources are proving hard for employees to identify, with internal communication topics dominating the list of most successful phishing simulations.

Branded threats
KnowBe4's findings also indicate continued abuse of popular brands in social engineering attacks, with branded content present in 71.9% of malicious landing page interactions. Microsoft featured in 26.7% of these interactions, followed by LinkedIn, X, Okta, and Amazon. Among hyperlinks within emails, the vast majority (80.6%) of the top 20 most-clicked links came from internally themed simulations, and 68.2% used domain spoofing techniques to appear more convincing.

Attachment trends
The analysis showed a rise in the use of PDF files as phishing lures. PDF attachment clicks increased by 8.1% compared to the previous quarter, and PDFs made up 61.1% of the top 20 attachments. HTML files accounted for 20.9%, with Word documents making up the remaining 18.0%.

Consistency with previous quarter
The trends in Q2 2025 were largely consistent with those seen in Q1 2025, emphasising the persistent nature of social engineering tactics that rely on the exploitation of trust and familiarity.

Expert commentary
"One of the key takeaways from the Q2 Simulated Phishing Roundup is the critical role trust plays in cybersecurity. Whether that is trust in internal communications, familiar brands, or even known individuals, phishing emails that appear to originate from reputable sources will always have a higher chance of lowering a recipient's suspicions. We see this time and time again in real-world scenarios, where attackers use sophisticated social engineering tactics to take advantage of this fundamental human instinct, making it harder for employees to distinguish legitimate and malicious emails," said Erich Kron, Cybersecurity Advocate, KnowBe4.

Kron also highlighted the importance of a comprehensive approach to reducing risk: "The Q2 findings reinforce the need for organizations to strengthen their human defenses through a layered approach centered on human risk management. This includes employee empowerment through a combination of relevant, timely and adaptive security training and intelligent detection technology that can identify and mitigate threats in real time."

Human element in security
The Q2 2025 report points to a need for regular and adaptive security training for employees, alongside the deployment of detection technologies capable of recognising and halting phishing attempts. The data suggests that even as technical defenses improve, the human element remains a significant focus for attackers.
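Both Techday NZ write-ups of the Q2 report make the same two points: most of the clicked lures posed as an internal department (HR, IT), and 68.2% of the top clicked links used domain spoofing to imitate a legitimate domain name. The script below is an added example, not code from KnowBe4 or from either article, of the kind of From-header check a mail gateway or SOC rule would run against those two tricks. It assumes a hypothetical organisation whose real mail domains are example.com and corp.example.com, uses a deliberately small confusables table, and the sample headers are constructed for the demo.

```python
"""From-header checks for internal-themed phishing: an internal role claimed
from an outside address, or a sender domain that imitates the real one.

Added example, not KnowBe4's code. Assumes a hypothetical organisation whose
real mail domains are example.com and corp.example.com; sample headers below
are constructed for the demo.
"""
import re
import unicodedata
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumption

# Display-name words that imply an internal department. The two-letter
# abbreviations are matched case-sensitively so ordinary "it" is not hit.
ROLE_ABBREV = re.compile(r"\b(HR|IT)\b")
ROLE_WORDS = re.compile(r"\b(human resources|help ?desk|service desk|payroll)\b", re.I)

# Small hand-picked confusables table: digits and letter pairs that read like
# other letters, plus a few Cyrillic homoglyphs. Unicode TR39 has the full set.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i",
}


def skeleton(label: str) -> str:
    """Collapse visually similar spellings onto one canonical string."""
    s = unicodedata.normalize("NFKC", label.lower())
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (one character added, dropped or substituted)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Enough for the demo; real code consults the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def is_internal(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """True when `domain` imitates an internal domain without being one."""
    domain = domain.lower().rstrip(".")
    if not domain or is_internal(domain):
        return False
    cand_reg = registrable(domain)
    cand_sld = skeleton(cand_reg.split(".")[0])
    for real in INTERNAL_DOMAINS:
        real_reg = registrable(real)
        real_sld = real_reg.split(".")[0]
        if skeleton(cand_reg) == skeleton(real_reg):        # examp1e.com, exarnple.com
            return True
        if domain.startswith(real_reg + "."):               # example.com.hr-portal.net
            return True
        if edit_distance(cand_sld, real_sld) == 1:          # exampl.com, exxample.com
            return True
        if real_sld in cand_sld and cand_sld != real_sld:   # example-hr.com, myexample.com
            return True
    return False


def classify_from(header: str) -> list:
    """Findings for one From: header value; an empty list means nothing odd."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    claims_role = ROLE_ABBREV.search(name) or ROLE_WORDS.search(name)
    if claims_role and not is_internal(domain):
        findings.append("internal-role-external-sender")
    return findings


# Constructed sample headers for the demo.
SAMPLE_FROM_HEADERS = [
    "HR Department <hr@example.com>",                     # genuine internal
    "IT Helpdesk <helpdesk@examp1e.com>",                # digit 1 for letter l
    "Payroll <payroll@exarnple.com>",                    # rn for m
    "HR Benefits <benefits@example.com.hr-portal.net>",  # real domain used as a subdomain
    "IT Support <support@outlook-mail.net>",             # role claim from an outside domain
    "Microsoft Account <noreply@microsoft.com>",         # external brand, not a lookalike
]


def scan(headers=SAMPLE_FROM_HEADERS) -> dict:
    return {h: classify_from(h) for h in headers}


if __name__ == "__main__":
    for header, findings in scan().items():
        print(f"{header:55s} {findings or 'ok'}")
```

The heuristics are intentionally loose (any domain whose second-level label contains the real one is flagged), which is the right trade-off for a triage queue but not for a hard block; tune the role words and the internal domain list per organisation. Real headers carry non-ASCII domains as IDNA (xn--) labels, so decode them before calling skeleton(), and treat this check as one signal alongside SPF/DKIM/DMARC results rather than a replacement for them.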

Associated Press
22-05-2025
- Business
- Associated Press
Stay Cyber-Safe This Summer With the Top 7 Cybersecurity Travel Tips From KnowBe4
KnowBe4 shares cybersecurity tips for travelers to protect their information during summer trips

TAMPA BAY, Fla., May 22, 2025 /PRNewswire/ -- KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today offered key travel safety tips tailored to address cybersecurity threats targeting travelers this summer.

As travelers prepare for their summer getaways, cybercriminals look for ways to exploit security gaps in travel plans. The increase in social engineering scams, public WiFi vulnerabilities and emerging mobile device threats highlights the critical need for proactive protection measures. KnowBe4 is offering advice to help travelers lower their cyber risk exposure while on vacation.

KnowBe4's top seven summer travel cybersecurity tips include:

'No matter how far we travel, cybercriminals remain closer than we think,' said Erich Kron, Security Awareness Advocate at KnowBe4. 'While it's easy to let your guard down during a trip, keeping cybersecurity at the forefront can prevent your vacation from being derailed by scams or cyberattacks. With these holiday tips, KnowBe4 aims to equip travelers with practical tools and actionable knowledge to navigate today's digital landscape securely.'

For more information on KnowBe4, visit

About KnowBe4
KnowBe4 empowers workforces to make smarter security decisions every day. Trusted by over 70,000 organizations worldwide, KnowBe4 helps to strengthen security culture and manage human risk. KnowBe4 offers a comprehensive AI-driven 'best-of-suite' platform for Human Risk Management, creating an adaptive defense layer that fortifies user behavior against the latest cybersecurity threats. The HRM+ platform includes modules for awareness & compliance training, cloud email security, real-time coaching, crowdsourced anti-phishing, AI Defense Agents, and more. As the only global security platform of its kind, KnowBe4 utilizes personalized and relevant cybersecurity protection content, tools and techniques to mobilize workforces to transform from the largest attack surface to an organization's biggest asset.

Media Contact: Kathy Wattman, SVP of Public Relations, 727-474-9950

SOURCE KnowBe4 Inc.


Forbes
14-05-2025
- Forbes
New Zoom Alert—Update Windows, iOS, Android Apps Now
Video conferencing app Zoom has issued a new update alert after fixing multiple vulnerabilities affecting its Workplace apps. The fixes cover Zoom Workplace apps across Windows, macOS, Linux, iOS and Android.

The worst issue is a flaw tracked as CVE-2025-30663, rated high severity according to Zoom's security bulletin. It is a time-of-check to time-of-use (TOCTOU) issue: the app checks a file and then acts on it in a separate step, so an attacker who can modify or replace that file in the window between the check and the use can get the app to act on something other than what it checked.

The other vulnerabilities are rated medium severity. Among these, CVE-2025-30668 is an integer underflow issue in Zoom Workplace apps for Windows, and CVE-2025-46785 is a buffer over-read issue in Zoom Workplace apps for Windows. CVE-2025-30665 and CVE-2025-30666 are NULL pointer dereference issues in Zoom Workplace apps for Windows. None of the flaws are known to have been used in real-life attacks.

The Zoom patches come at a busy time for updates. Apple has issued iOS 18.5, fixing over 30 issues in its iPhone operating system, alongside other updates including iPadOS 17.7.7. Meanwhile, Microsoft's Patch Tuesday addresses a number of important flaws.

In total, there are nine Zoom flaws, the worst of which could allow an attacker to elevate privileges, says Erich Kron, security awareness advocate at KnowBe4. "Given the number of people that use and rely on Zoom for their organizations' day-to-day activities, this type of flaw could be very significant," he says.

Since the pandemic, Zoom has remained a key communication tool for businesses globally. But as AI allows attackers to create fake images and videos, it's difficult to know whether people are who they say they are. Deepfake audio and video have already been an issue, and in this case having a Zoom meeting initiated from a legitimate account could be the difference between a person believing the caller and not believing them, says Kron.

Fortunately, exploiting the Zoom flaw in question is not something that can be done easily remotely, he says. An attacker needs local access to the device rather than a remote path in, which is considerably harder for an adversary to obtain. 'However, it demonstrates what may be possible with other future vulnerabilities that could be remotely exploited,' Kron says.

The Zoom updates cover multiple apps, so it's a good idea to check your devices now. If the updates are available, apply them as soon as you can to keep your Zoom apps safe.
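The article names the bug class but not the pattern behind it. The script below is an added example, not Zoom's code and not a reproduction of CVE-2025-30663 (the bulletin gives no file names or code paths, and none are assumed here); it shows a generic file TOCTOU race next to the hardened form. It assumes a POSIX system (symlinks, O_NOFOLLOW, fstat), and the two files, the attacker's swap and the race hook that lets the attacker win the race deterministically are all constructed for the demo.

```python
"""Time-of-check/time-of-use (TOCTOU) file race: vulnerable pattern beside a
hardened one.

Added example, not Zoom's code and not a reproduction of any Zoom CVE; it
illustrates the bug class only. Assumes POSIX (symlinks, O_NOFOLLOW, fstat).
Files, the attacker swap and the race hook are constructed for the demo.
"""
import os
import stat
import tempfile
from typing import Callable, Optional


def read_after_stat(path: str, race_hook: Callable[[], None] = lambda: None) -> Optional[bytes]:
    """VULNERABLE: check the path, then open the path again.

    os.stat() follows symlinks, and open() performs a second, independent
    lookup, so whatever replaces `path` between the two calls is what is read.
    """
    st = os.stat(path)                      # time of check
    if not stat.S_ISREG(st.st_mode):
        return None
    race_hook()                             # the window an attacker races into
    with open(path, "rb") as f:             # time of use: a fresh path lookup
        return f.read()


def read_then_fstat(path: str, race_hook: Callable[[], None] = lambda: None) -> Optional[bytes]:
    """HARDENED: open once, validate the descriptor, use the descriptor.

    O_NOFOLLOW makes a planted symlink fail (ELOOP) instead of being followed,
    and fstat() inspects the object actually opened. Swapping the path after
    this point changes nothing, because the fd is bound to the inode.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:
        return None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            return None
        race_hook()                         # same window, now harmless
        return os.read(fd, 1 << 16)
    finally:
        os.close(fd)


def _fixture(d: str):
    """Constructed state: the file the app expects and one the attacker controls."""
    victim = os.path.join(d, "config.json")     # hypothetical name
    other = os.path.join(d, "attacker-file")    # hypothetical name
    for p, data in ((victim, b"trusted"), (other, b"attacker-chosen")):
        if os.path.lexists(p):
            os.remove(p)
        with open(p, "wb") as f:
            f.write(data)
    return victim, other


def demo() -> dict:
    """Run both readers against an attacker who wins the race every time."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        victim, other = _fixture(d)

        def swap():                         # attacker: replace the checked file with a link
            os.remove(victim)
            os.symlink(other, victim)

        out["vulnerable_raced"] = read_after_stat(victim, race_hook=swap)
        victim, other = _fixture(d)
        out["hardened_raced"] = read_then_fstat(victim, race_hook=swap)
        # After the swap the path is a symlink: the hardened open refuses it outright.
        out["hardened_planted_link"] = read_then_fstat(victim)
    return out


if __name__ == "__main__":
    for case, data in demo().items():
        print(f"{case:24s} -> {data!r}")
```

The vulnerable reader passes its own check and still returns the attacker's bytes; the hardened one returns the trusted content even though the same swap happens mid-operation, and refuses the path outright once a symlink sits there. The principle carries to any platform: every check must be made on the handle you will actually use, never on a name that can be re-resolved, and writes should follow the same rule (open with O_CREAT | O_EXCL or into a directory the attacker cannot write to).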


Techday NZ
14-05-2025
- Business
- Techday NZ
Australia, New Zealand invest AUD $7 million in cyber education
Australia and New Zealand have ranked third globally for phishing vulnerability, with a baseline Phish-prone Percentage (PPP) of 36.8% according to KnowBe4's 2025 Phishing by Industry Benchmarking Report. The report provides an analysis of cybersecurity readiness based on how likely employees are to fall victim to social engineering or phishing attempts. The PPP metric, developed by KnowBe4, reflects the percentage of users who are susceptible to phishing prior to any security training. For Australia and New Zealand (ANZ), this baseline figure of 36.8% is higher than both the global average of 33.1% and the European average of 32.5%.

KnowBe4's study draws on data from 67.7 million simulated phishing exercises conducted among 14.5 million users in 62,400 organisations worldwide. Employees underwent a programme of security awareness training, with their PPP tracked at intervals of ninety days and again after more than a year, to evaluate the effectiveness of ongoing training in reducing cyber risk.

The findings highlight a marked improvement in resilience to phishing threats following sustained training. Within the first ninety days of awareness training, the average PPP in the region dropped from 36.8% to 19.9%. After twelve months, this figure declined further to just 4.9% on average. KnowBe4 noted that these results are consistent with global patterns, where ongoing security awareness initiatives play a substantial role in strengthening defences against cyber attacks.

Large organisations in Australia and New Zealand were identified as the most susceptible globally, with an initial PPP of 44.6%. The report shows these organisations reduced their risk dramatically to 4.7% after a year of continuous security awareness training. The data also indicated that the critical infrastructure and banking sectors were the most vulnerable to phishing in the ANZ region at the outset of the study.

Government action in response to the findings has included an investment of AUD $7 million, distributed among 200 recipients, to support community-level cyber education initiatives. This forms part of broader efforts to build long-term resilience, which also include legislative measures to address the increasing sophistication of cyber threats targeted at critical infrastructure sectors. International cooperation has become a core strategy in the region's response to cyber challenges. Australia and New Zealand have engaged with partners through the Five Eyes security alliance and invested in developing a skilled cybersecurity workforce as part of their approach to strengthening organisational and national resilience.

Erich Kron, Security Awareness Advocate at KnowBe4, commented on the results: "Our report shows that large ANZ organisations began with the highest phishing vulnerability globally at 44.6% yet achieved a remarkable reduction to just 4.7% after ongoing training. The most significant shift we are seeing is the growing recognition by the Australian government of the critical role that community-level education plays in building a resilient cyber ecosystem, evidenced by their AUD $7 million investment across 200 recipients. While progress is being made, it is clear from the data in the report that sustained security training is essential to drive long-lasting change."

The KnowBe4 report reiterates the importance of regular, comprehensive security training in reducing individuals' susceptibility to phishing and social engineering, particularly within sectors deemed high risk. The report underlines the necessity of a multifaceted approach that combines education, government policy, industry collaboration, and workforce development to address the persistent risk posed by phishing attacks in the region.