Latest news with #Hoxhunt
Yahoo
08-05-2025
Let's go PHISHING! What lures work in the upper Midwest?
LA CROSSE, Wis. (WLAX/WEUX) – Who doesn't love to fish? Getting outdoors, casting a line to see if you can catch lunch or dinner, and enjoying everything the Upper Midwest is all about. Wait… what did that headline say? Oh! PHISHING! That is something completely different, isn't it? Let me explain. Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers… and it's a BIG problem across the globe. According to Hoxhunt's Phishing Trends Report, since 2021, there has been a 49% increase in phishing attacks. Of those, 65% are focused on organizations and 35% on individuals. Furthermore, between 80 and 95% of all cyber attacks begin with a phish and the average cost of a phishing breach is $4.88 million. Even worse, since ChatGPT launched in 2022, there has been a 4,151% increase in phishing attacks. Wisconsin, Minnesota, Iowa (and 21 other states) all fall victim to the 'Package delay/shipping issue' lure. If you have received a text message or email from 'USPS' saying 'Your shipment is waiting at our warehouse after two unsuccessful delivery attempts due to an incomplete address…' then you know exactly what kind of lure gets the most action in our area of the country. That got me wondering what are the most effective lures for phishing attacks in the upper Midwest. That is where my friends at Fullstack Academy helped me out. They just released a study of the Most Popular Lures in the US by State. They have broken down the numbers for all 50 states using a survey of almost 2500 Americans. They asked questions like how often, what type of phishing lures they most frequently receive, which companies are impersonated the most in these phishing lures, if they've fallen victim to a phishing lure, and more. Have you ever received that text or email? 
Did you stop and think, 'How does the USPS have my phone number/email address?' They don't. That is someone or something trying to gain your information. And, it's important to note, you are clearly not alone. Part of what works about scams like this is that people feel ashamed for falling for them, so they go unreported. These scams play on our inattention to detail, our natural curiosity, and finally the shame of feeling duped. You can find Cybersecurity Bootcamp courses on Fullstack Academy and other places on the web. However, it's important to stay as vigilant as you can. Pay attention to what is being sent to you and, most importantly, slow down. Take your time when opening messages and emails to think about their legitimacy. Think through things and ask yourself if they make sense. When in doubt, ask questions. Reach out to the entities that you think are sending the message and ask if they are trying to get a message to you. Most importantly, be gracious with yourself and, as always, be kind. Especially to yourself. Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
Yahoo
06-05-2025
AI Meets Behavioral Science: Hoxhunt Co-Founder & CEO Mika Aalto, Live at RSAC 2025
Tech Edge hosted a fireside chat on April 29 at RSAC 2025 in San Francisco with Mika Aalto, co-founder and Chief Executive Officer at Hoxhunt. The in-person interview was joined by Editor-at-Large Jarrett Banks and they discussed the company's focus on people and how it combines AI and behavioral science to create individualized micro-training experiences for people, among other topics.
About Mika Aalto
Mika is a Co-Founder and CEO of Hoxhunt. He is a Big Data and Machine Learning expert as well as an entrepreneur with more than 20 years' experience building businesses. Since 2004 he has accumulated expertise as a software engineer and IT Manager, and created Wayward Systems, a start-up specializing in behavior analytics and automated user authentication. Previously, he helped build a temporary workforce management software that handled over $100 million annually in salary and invoice transactions at Haahtela. Mika has a Master's Degree with a triple major: SBL (software business lab), Software Business and Engineering (SoberIT), and Technology Law.
About Hoxhunt
Hoxhunt helps security leaders and employees join forces to prevent data breaches. Hoxhunt is a Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. We combine AI and behavioral science to create individualized micro-training experiences people love. Employees learn to detect and report advanced phishing attacks. Operations teams respond fast with limited resources. And security leaders gain outcome-driven metrics to document reduced cybersecurity risk. Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.


Forbes
09-04-2025
Google Confirms Gmail Update Choice—3 Billion Users Must Now Decide
Gmail users have a surprising choice to make. Gmail needs a rethink, as do Outlook, Apple Mail, and other email platforms. The driver for this is AI — and not in a good way. Symantec, Cofense and most recently Hoxhunt warn that unbeatable AI attacks are now inevitable, as the best known large language models (LLMs) design, develop and even execute attacks. But Gmail users also face a more immediate decision, given a critical problem with its most recent updates. Hoxhunt says 'AI agents can now out-phish elite human red teams, at scale,' which means mass customization as spear phishing attacks tailored to a particular victim become the norm. Google, Microsoft and others say they catch 'more than 99%' of the spam, phishing and malware targeting inboxes. And yet millions of messages still get through before today's trickle of AI attacks becomes an unstoppable tidal wave. This is why I've argued email needs a fundamental change, not evolutionary add-ons. A change to better replicate the immediacy and brevity of the messaging platforms pulling users away from email, both in and out of the workplace. A change to leverage private and secure on-device filtering and threat defense. And a change with security built in, not added on. Again, as we now expect from other comms platforms. Email can't be adjusted to fit, it needs that rethink. And while many of Gmail's recent innovations are welcomed — enhanced sender authentication, cloud-based AI filtering, and (in development) shielded addresses, its two most recent updates show the challenge in building on what we have today. This month, Google confirmed it is 'making end-to-end encrypted emails easy to use for all organizations' which use Gmail. This delivers the table stakes security we rely on with voice and video comms and with messaging. But it's harder with email's wide open architecture. That's why this change is coming first to enterprises. 
Ars Technica and others have qualified the excitement that quickly followed Google's game-changing announcement: 'Gmail unveils end-to-end encrypted messages. Only thing is: It's not true E2EE.' The reason being that the keys protecting the secure email traffic sit within the client-side infrastructure, not within the actual 'end.' As Ars Technica warns, 'the new feature is of potential value to organizations that must comply with onerous regulations mandating end-to-end encryption. It most definitely isn't suitable for consumers or anyone who wants sole control over the messages they send. Privacy advocates, take note.' True end-to-end encryption (E2EE) sits within the client itself, managing key exchange between sender and recipient. The only way to deliver E2EE email is a walled garden such as Proton, which relies on manually password protecting emails sent outside. With Meta's third-party chats and GSMA's RCS E2EE update, we will see (almost) full E2EE between different walled gardens. RCS "will be the first large-scale messaging service to support interoperable E2EE between client implementations from different providers." There is no direct read across to email of course. But it moves the bar. Gmail is secured with Workspace's Client Side Encryption (CSE), which keeps an "organization's data private with end-to-end encryption that Google servers and third parties can't decrypt, giving [an] organization greater control over access to its data. CSE is especially beneficial for organizations that store sensitive or regulated data, like IP, healthcare records, or financial data," not person-to-person comms. And this brings us to the second innovation. AI-based relevancy search.
Ten days before Gmail's quasi E2EE, Google announced 'Gmail is rolling out a smarter search feature powered by AI to show you the most relevant results, faster… Search results now factor in elements like recency, most-clicked emails and frequent contacts. With this update, emails you're looking for are far more likely to be at the top of your search results.' Using this is in itself a decision for users, given it lets AI loose on your data. On which, Google told me "our priority is respecting our users' privacy while giving them choice and control over their data. To that end, this particular tool is one of the 'smart features' that users can control in their personalization settings." E2EE and AI search don't work together, because they're both wraps around a legacy comms architecture rather than one built for the world we live in today. Google confirmed to me that E2EE messages 'are completely excluded' from AI search. "We do not have the key to decrypt, so we literally cannot read the message." That's as it should be, but you can see the problem from a user perspective. Two new headline features don't work together. Email is a fundamentally insecure platform to which we're adding AI, and that AI comes with new privacy expectations that email can't deliver. This is why so much enterprise and personal comms has moved from email to messaging. Cue that rethink. Meanwhile, you have a decision to make.


Forbes
05-04-2025
New Gmail, Outlook Warning—Unbeatable AI Attacks Are Suddenly Here
Email attacks are now soaring. But we may look back on this time as the beginning of something more dangerous and more frightening. Almost all attacks are still human generated, even if AI fine tunes text and images. That's about to change. Full AI attacks have just quietly passed a terrifying milestone. They are literally now unbeatable. Just to illustrate how dangerous this is, both Google and Microsoft say they catch 'more than 99%' of the spam, phishing and malware targeting their users' inboxes. And yet we all still receive such emails, plenty get through. And they're not even smart. My recent favorite was an email from a personal email address, 'from the Office of Singapore Central Bureau of Investigation,' which then told me to respond immediately 'to avoid legal action against you as the Indian law demands.' And yet that email and countless others still bypass today's filters and safety nets. The much more sophisticated 'spear phishing' attacks do better. These are personalized and so take time and attention. There are fewer of them but more get through. This is where AI is now playing and it will be terrifying. A new report from Hoxhunt warns that these AI-crafted attacks can now beat human attacks for the first time. 'For the first time in over 2 years of testing,' the researchers warn, its AI agents 'created more effective simulated phishing campaigns against millions of global users than our elite human red teams could.' AI beats human — and it isn't even close. This means pointing AI at a target, and then letting it loose on the target's social media, LinkedIn, public profiles, to fuel a highly personalized attack with no errors. And this can be done at unlimited scale, against anyone and everyone, continually and endlessly. The data shows just how rapidly AI attacks are getting smarter. We're not getting smarter, and while new AI is also deployed by email platforms to catch attacks before they hit, it won't be fast enough.
'In 2023,' Hoxhunt says, 'AI was 31% less effective than humans.' Even as late as November 2024, 'AI was 10% less effective than humans.' But in testing last month, 'AI was 24% more effective than humans.' 'In 2024,' Hoxhunt says, 'AI agents began tricking more novice users with the better-written emails. Meanwhile, human-generated attacks were much more effective than AI against users with more than 6 months of training. By February/March 2025, AI surpassed human red teams across the spectrum of user skill levels. From 2023 to 2025, AI's phishing performance relative to elite human red teams improved by 55%.' 'The threat landscape has changed,' the team says. 'The phishing-as-a-service market will shift to mass adoption of AI Spear Phishing Agents. Once that happens, the baseline quality and effectiveness of mass phishing campaigns will rise to a level we currently equate with targeted spear phishing attacks.' We have seen similar recent warnings from Symantec and Tenable, as this AI attack nightmare comes true. But the Hoxhunt report shows how quickly AI is improving, and clearly there are no guardrails that stop it continuing to advance. So, is there any hope for what can be done? 'The good news from our research,' says Hoxhunt, 'is that there is still time to harden the human layer with adaptive phishing training. Behavior change programs can achieve extremely high levels of engagement and resilience with the use of AI Spear Phishing Agents… AI is a sword that cuts both ways; to penetrate or to parry,' albeit 'as AI technology continues to evolve, the ability to craft more sophisticated phishing attacks on-demand will only increase, making AI an essential tool in both offensive and defensive cybersecurity strategies.' There is still time; only a relatively small percentage of phishing attacks are AI-driven. But that will change. And user behaviors and 'spidey senses' need to change just as quickly. Today, we are not ready for this.
The question is whether we have time to prepare before the inevitable tidal wave is unleashed.