
CyberheistNews Vol 16 #19 | May 12th, 2026
Crafty Criminals Continue to Pose as Help Desks in Social Engineering Attacks
Researchers at Google’s Threat Intelligence Group (GTIG) are tracking a new threat actor that’s impersonating help desks to trick users into installing malware.
The threat actor, which GTIG tracks as “UNC6692,” begins by sending a large volume of spam emails to the victim, then initiates contact via Microsoft Teams to ostensibly help the user block the spam.
“As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization,” GTIG says.
“The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers.”
After the attackers make contact with a victim on Teams, they send a link to a phishing page that poses as a “Mailbox Repair Utility.” This page is designed to harvest the user’s credentials.
“The harvesting script…employs a ‘double-entry’ psychological trick. It is programmed to reject the first and second password attempts as incorrect. This serves two functions: it reinforces the user’s belief that the system is legit and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data.”
The phishing page then installs several strains of custom malware to establish a foothold on the user’s system.
The researchers conclude, “The UNC6692 campaign demonstrates how modern attackers blend social engineering and technical evasion to gain a foothold into environments.
“A critical element of this strategy is the systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.”
Blog post with links:
https://blog.knowbe4.com/attackers-continue-to-pose-as-help-desks-in-social-engineering-attacks
Personalized Security Awareness Training Proven to Reduce Risk by 87%
68% of breaches still involve a human element, and as attackers use AI to create hyper-personalized messages, even highly security-conscious users can be fooled. Yet your users still receive generic training that ignores these real-world risks.
Join us for a live demo to see how our AI-native Security Awareness Training (SAT) is giving you even more tools to transform your security culture. See how you can move away from manual campaign management and focus your time on strategic risk reduction, all while delivering personalized training that actually changes behavior.
See how KnowBe4 SAT empowers you to:
- Deliver personalized training that actually changes behavior with targeted learning experiences based on each user’s role, behavior patterns and risk level
- Reduce administrative burden and manual work with AI Defense Agents that create strategic impact by automating training assignments, phishing simulations and program optimization
- Make data-driven decisions with our SmartRisk™ Engine that analyzes user behavior to provide insights into human risk
- Measurably reduce risk with SAT proven to drop Phish-prone™ Percentage from an industry average of 33.1% to 4.1% within one year—an 87% reduction in human-related cyber risk
Don’t miss out on seeing how the platform trusted by over 70,000 organizations reduces human risk and saves your teams hours every week.
Date/Time: TOMORROW, Wednesday, May 13 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/ksat-demo-2?partnerref=CHN2
[You Need to Check This Out!] Introducing the New AI-Native KnowBe4 SAT
Cybercriminals are getting smarter and faster. Social engineering attacks are evolving rapidly, and AI is making them more convincing than ever. According to the 2025 Verizon Data Breach Investigations Report, up to 68% of cyberattacks involve some form of social engineering.
Meanwhile, 95% of cybersecurity professionals say AI is making phishing attacks harder to detect, and 65% believe attackers will soon rely on AI as their primary tool.
This isn’t just theory. In 2023, a social engineering attack reportedly disrupted Clorox’s operations, contributing to losses estimated at $380 million. When attackers can convincingly impersonate executives, vendors or trusted contacts, traditional defenses alone are no longer enough.
Employees and contractors are still involved in about 60% of breaches. And as attackers use AI to create hyper-personalized messages, even highly security-conscious users can be fooled. The reality is that when attacks adapt to humans, your defenses must adapt too.
KnowBe4’s AI-native SAT empowers organizations to continuously reduce risk through personalized, relevant and responsive security awareness training (SAT).
Four Key Benefits of AI-Native SAT
Organizations that use KnowBe4’s SAT realize key benefits, including:
- Personalized training that actually changes behavior
People engage with training when it feels relevant to their daily work. KnowBe4 SAT delivers targeted learning experiences based on each user’s role, behavior patterns and risk level, helping employees better recognize the threats they’re most likely to encounter. The result is stronger engagement, better retention and real behavior change—not just box-checking.
- Less manual work, more strategic impact
Running security awareness programs manually can consume significant time and resources. KnowBe4 SAT uses AI Defense Agents to automate training assignments, phishing simulations and program optimization, reducing administrative burden and helping teams focus on higher-value security initiatives.
- Clear, data-driven insight into risk
KnowBe4 SAT analyzes hundreds of behavioral indicators to provide measurable visibility into your organization’s risk posture. Security leaders gain actionable insights that help prioritize interventions, demonstrate program effectiveness and communicate progress with confidence.
- Measurable reduction in phishing risk
Organizations using SAT reduce their Phish-prone™ Percentage from an industry average of 33.1% to 4.1% within one year—an 87% reduction in human-related cyber risk. Fewer successful phishing attacks means fewer incidents, less disruption and greater confidence in your overall security posture.
Here is the blog post with much much more:
https://blog.knowbe4.com/introducing-the-new-ai-native-knowbe4-sat
[Live Demo] What’s Next for Inbound, Outbound and Collaboration Security
Join us for an exclusive first look at what’s next in KnowBe4’s Cloud Email Security. We’re pulling back the curtain on new capabilities designed to help you stay three steps ahead of sophisticated threats. You won’t want to miss this sneak peek at where we’re taking email defense next!
We will showcase:
- Zero-friction deployment in minutes with a single API permission
- How localized teachable moments keep your global workforce engaged and change risky behaviors
- The future of adaptive data loss prevention
- Collaboration security protection that extends beyond the inbox and into Microsoft Teams
- New functionality coming to Google Workspace
You’ll see how to detect the full spectrum of threats: inbound attacks and outbound data loss.
Date/Time: Wednesday, May 20 @ 1:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/ces-demo-month-2?partnerref=CHN
Report: Deepfake Fraud Causes Billions in Losses
Deepfake-driven fraud has caused $2.19 billion in losses globally, with $1.65 billion reported in 2025 alone, according to an analysis by Surfshark. More than half of these losses were due to investment scams using deepfakes of high-profile figures.
“Our analysis reveals that the most successful tactic for scammers involves using deepfakes of government officials or celebrities to endorse various investment opportunities,” the researchers write. “This method alone has caused $1.13 billion in damages, which represents 52% of all reported deepfake-related fraud losses.
“This is followed by corporate attacks — such as the impersonation of CEOs to request unauthorized transactions — at 25%. Other significant contributors include financial crimes where victims’ identities are stolen and scammers use deepfake technology to secure bank loans or drain accounts (9%), followed by deepfaked romance scams (7%), family member impersonation (6%), and various other forms of deepfake-related fraud (2%).”
More than $700 million was lost by victims in the U.S., with corporate losses accounting for 43%. “The United States was the most targeted country globally for deepfake-related scams, suffering $712 million in losses,” Surfshark says.
“Of these, 43% occurred in the corporate sector — involving scams in which deepfakes were used to trick organizations into sending money or, in some cases, to place fake candidates in remote jobs. Another 31% of losses resulted from deepfaked investment opportunities.
“A particularly concerning trend in the U.S. is the impersonation of family members using deepfakes, which has already caused $124 million in losses, or 17% of the U.S. total. While deepfake family member scams have appeared in other countries, the U.S. currently accounts for 99.9% of all such losses globally.
“However, this concerning trend is likely to become more widespread internationally in the near future.”
Blog post with links:
https://blog.knowbe4.com/report-deepfake-fraud-causes-billions-in-losses
Email Security Kit: Resources for Redefining Your Defense
91% of cybersecurity leaders say their email security lets too many threats through.
While phishing remains the entry point for 70% of breaches, the gap between traditional email security and modern adversarial tactics is widening. This oversight leaves your workforce vulnerable to threats that bypass standard filters.
This kit cuts through the marketing hype, helping you navigate the necessary transition from legacy systems to an integrated approach to cloud email security.
Here’s what you’ll get:
- Report: 2026 Phishing Threat Trends Report, Vol. 7
- Infographic: Humans + AI: Better Than Your SEG
- Webinar: Moving Beyond Traditional Email Security
- Whitepaper: From Legacy to ICES: Separating Marketing Hype from Proven Email Defense
- Whitepaper: Critical Capabilities When Evaluating Integrated Cloud Email Security
- Infographic: KnowBe4 Integrates with Microsoft
Download Now:
https://info.knowbe4.com/email-security-kit?utm_source=chn_email&utm_medium=email&utm_campaign=dg-ces-campaign-26&utm_content=ces_kit
You Have 60 Seconds to Stop the Breach. Are You Ready?
By Haylea Reiner
2026 has officially become the year of speed, scale and support. The delta between a phishing email landing and a full organizational compromise has shrunk to mere seconds.
The reality by the numbers:
- 60 Seconds: The median time it takes a user to click a phishing link and enter their data (Verizon DBIR).
- Every 2 Seconds: A business is expected to be struck by a ransomware attack throughout 2026 (SentinelOne).
- 4x: Employees who received training within the last 30 days are four times more likely to report a suspicious email (Verizon DBIR).
- 54%: Click-through rate on AI-automated spear phishing (Brightside AI).
- 16 Hours Down to 5 Minutes: Time to generate an AI phishing campaign, cut from 16 hours to 5 minutes with just five prompts (IBM).
- 277 Days: Average dwell time to detect a breach (Fortinet).
To close this window, your defense strategy must evolve into a two-step powerhouse of accuracy and automation.
Step 1: Accuracy Through Intelligent Detection
Training people not to click only works if you trust your technology and your workforce 100% of the time. But in 2026, we know that technology alone can’t catch every evolving Gen-AI attack and even the best-trained employees are human. In fact, the median organization still sees a 1.5% click rate even with regular training.
The real win is a stronger ROI on your training by marrying it to your technology. When you give employees reporting tools where they actually work, their judgment becomes an extra layer of intelligence, a filter that catches what technology alone misses.
The Phish Alert Button (PAB) now feeds directly into our inbound email security solution, KnowBe4 Defend. This creates a seamless loop:
- The Warning: A user receives an email with a banner or tag warning them of suspicious content.
- The Human Audit: The user reviews the email, recalls the color-coded alert and prior training and isn’t sure if it’s safe.
- The Report: The user hits the PAB.
- The Operation: This message is instantly ingested into Defend for instantaneous automated analysis.
This synergy ensures user feedback is immediately operationalized to remove threats and reduce false positives without manual intervention. It turns every employee into a real-time contributor to your SOC.
Step 2: Automation to Eliminate Zero-Day Exploits
While Defend is already scanning for real-time link detonation and heuristic analysis, the true power of 2026 security lies in leveraging dual remediation engines.
The new integration between Defend and PhishER (our incident response platform) allows organizations to deploy PhishRIP with high-speed remediation across all Microsoft environments. By breaking down the walls between inbound security and incident response, you can move at machine speed to keep up with the threats.
- Near-Zero Dwell Time: Defend’s inline architectural speed supercharges PhishER’s remediation, allowing you to rip malicious content across tens of thousands of mailboxes in seconds, not hours.
- Dual Defense Posture: A proactive set-it-and-forget-it workflow that neutralizes threats organization-wide the moment one is identified.
- Unified Feedback Loop: Enables individual reclassifications that tune Defend’s policies based on PhishER data, allowing for a personalized security posture that reduces false positives.
REMEMBER to Incentivize Reporting!
There’s no need for email security to be boring. Accuracy improves through training, but it is also vital that you, the SOC partner, make security engaging. Consider:
- Rewards: Random drawings for company swag or bonuses for those who reported suspicious emails in a given month.
- Recognition: Company-wide shout-outs to the Security Superstars who successfully flagged and reported real threats.
As reporting increases, you can demonstrate how report rate accuracy is maturing your organization’s safety profile. An easy win is also deploying PhishFlip within PhishER to turn a real, neutralized threat into a simulation, showing your team, leadership and Board exactly what would have happened if a user hadn’t reported it.
For more information on how to build a stronger workforce, view our recent whitepaper, Stronger Together: KnowBe4’s Phish Alert Button Paired with PhishER Plus and KnowBe4 Defend.
Blog post with links:
https://blog.knowbe4.com/you-have-60-seconds-to-stop-the-breach.-are-you-ready
Let’s stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.
PS: Your KnowBe4 Fresh Content Updates from April 2026:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-april-2026
PPS: Send this to your CMO for me? “Why And How Market Research Is Getting More Human”:
https://www.forbes.com/councils/forbestechcouncil/2026/05/05/why-and-how-market-research-is-getting-more-human/
Quotes of the Week
“Be brave. Take risks. Nothing can substitute experience.”
– Paulo Coelho – Novelist (born 1947)
“A ship in harbor is safe, but that is not what ships are built for.”
– John A. Shedd – Author and Professor (1859 – 1928)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-19-crafty-criminals-continue-to-pose-as-help-desks-in-social-engineering-attacks
Security News
Alert: Extortion Groups Use Vishing to Gain Initial Access
Criminal extortion actors are using voice phishing (vishing) to gain initial access to organizations, according to a report from Palo Alto Networks’ Unit 42 and the Retail & Hospitality ISAC (RH-ISAC). Unit 42 attributes a portion of this activity to a threat group tracked as “CL-CRI-1116” (also known as “BlackFile” or “Cordial Spider”).
“CL-CRI-1116 attackers may register a device under their control as a mechanism to bypass multi-factor authentication (MFA) in Identity and Access Management platforms once an employee account is successfully compromised,” the researchers write. “The attackers also maintain access by moving laterally from standard employee accounts to high-privileged accounts.
“They scrape internal employee directories to obtain contact lists for executives. By compromising these senior accounts via further social engineering, they gain persistent, broad-spectrum access to the environment that mirrors legitimate executive session activity.”
Once the attackers gain access, they methodically exfiltrate as much sensitive data as possible in order to extort their victims. Unit 42 and RH-ISAC advise organizations to implement a combination of staff training, security policies and technologies to defend against these attacks.
“To mitigate the success rate of these tactics, organizations are advised to focus on security policies, managing multi-factor identity verification for callers, protocols around what information can be shared in calls, and what IT support actions can be completed in a single call without escalation to management,” the researchers write.
“Additionally, security awareness training for frontline phone staff can be effective, focused on simulation-based scenarios and identifying signs of social engineering, such as vague answers to identity questions and attempts to create a high-pressure request for immediate action.
“Many retail and hospitality organizations report an improvement in security posture against vishing IT impersonation attempts by combining policy review and changes, staff education, and technical security controls such as VoIP log analysis and MFA configurations.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 Platform to strengthen their security culture and reduce human risk.
RH-ISAC has the story:
https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/
Report: 4 in 10 UK Businesses Reported Breaches or Attacks Last Year, Most Driven by Phishing
43% of businesses in the UK reported a breach or attack last year, with phishing driving the vast majority (85%) of these attacks, The Register reports. A survey by the British government found that attacks involving only phishing grew by six percentage points in 2025.
“Phishing attacks remained the most prevalent type of breach or attack by far (experienced by 38% of businesses and 25% of charities) and continued to be ascribed as the most disruptive type of breach or attack (69% of businesses and charities that experienced a breach or attack),” the report says.
“Among those who experienced a breach or attack, the proportion experiencing phishing attacks only (and no other type of breach or attack) has increased among both businesses (from 45% last year to 51% this year) and charities (from 46% last year to 57% this year).
“The qualitative interviews highlighted interviewees’ perception that phishing attacks had become easier for attackers to commit, and that this was contributing to what they perceived as an increase in attack volumes.”
Despite increased publicity surrounding cyberattacks, the survey found that there has been no significant move to increase staff awareness about phishing techniques.
“Qualitative insights highlighted that recent high-profile cyber attacks in the media had moved the perception of risk from cyber attacks and breaches up the agenda within organizations. Despite this, staff training and awareness raising activities remained stable across businesses compared with last year (19% in both 2024/2025 and 2025/2026).
“There were signs of an increase among large businesses (76% in 2024/2025 to 84% in 2025/2026), but this did not represent a significant change. On the other hand, the proportion of charities running staff training and awareness raising activities has decreased since last year (17% in 2025/2026, down from 21% in 2024/2025), driven by a decline among low-income charities (13% in 2025/2026, down from 18% in 2024/2025).”
AI-powered security awareness training gives your organization an essential layer of defense against phishing and other social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day.
The Register has the story:
https://www.theregister.com/2026/04/30/almost_half_of_uk_firms/
What KnowBe4 Customers Say
“As discussed in our meeting, wanted to give a huge shoutout to Kristian H. for his outstanding performance during preparation and rollout of KnowBe4 Defend, Prevent, and Protect for our Credit Union.
“He made us feel like a priority by always making himself available to help teach, fix, and prepare us for the rollout. He always displayed great professionalism and a positive attitude.
“We really appreciate this level of support and attention.”
– V.D., VP Information Security
The 10 Interesting News Items This Week
Cyberheist ‘Fave’ Links
