
CyberheistNews Vol 15 #40 | October 7th, 2025
The Behavioral Science When Your Best People Are Click Magnets
By Javvad Malik
Last time, we talked about the great divide between tech-focused and people-focused security.
Now, let’s get nerdy and talk about the fascinating, complex, and occasionally infuriating operating system at the heart of the problem: the human mind.
Ever wondered why that “Urgent Invoice” email from a brand-new supplier creates an immediate jolt of anxiety that makes you want to click? That’s not a logic failure; it’s a feature. As noted in our recent human risk management (HRM) whitepaper, attackers are amateur psychologists, and they are brilliant at exploiting the brain’s built-in shortcuts, or cognitive biases. They aren’t just hacking systems; they’re hacking us.
They weaponize authority bias to make an email from the “CEO” feel impossible to ignore. They abuse optimism bias, our mind’s built-in “it’ll never happen to me” vulnerability. And they leverage the familiarity bias and the Illusory Truth Effect to create login pages that feel so right they must be legitimate, especially after we’ve seen similar designs before.
Traditional training often fails because it tries to fight these ingrained biases with logic, which is like trying to stop a tidal wave with a PowerPoint slide. The real battle is won or lost in the half-second between the stimulus (the email) and the response (the click). This is where Cyber Mindfulness comes in.
It’s not about meditating at your desk. It’s about cultivating the ability to recognize the “amygdala hijack”—that sudden jolt of fear, urgency, or curiosity that an attack is designed to trigger—and creating a crucial PAUSE. It’s in that pause that our rational mind has a chance to catch up and ask, “Wait a minute… does this feel right?”
As cybersecurity expert Anna Collard noted, she once clicked on a phishing link not from a lack of skill, but from a “distracted and multi-tasking state of mind.” Cyber mindfulness is the antidote to that autopilot mode.
An effective human risk management (HRM) strategy is built on this understanding. It’s not about trying to rewire the human mind. It’s about creating an environment that encourages that pause. It uses principles from behavioral science, like Professor BJ Fogg’s B=MAP model, which states that Behavior = Motivation + Ability + Prompt.
Instead of just trying to crank up “Motivation” (which is notoriously difficult), a smart HRM program focuses on:
- Increasing Ability: Making secure action incredibly easy. Think of a one-click Phish Alert Button. That’s a high ability.
- Providing the Right Prompts: Delivering timely nudges, contextual email banners, or realistic simulations that trigger a moment of reflection right when it’s needed.
This approach, often called Nudge Theory, is about designing a “choice architecture” where the secure path is also the path of least resistance. It’s about working with the grain of human nature, not against it.
Now that we understand the behavioral science behind this, how do we build a program around it?
Next time in this series, we’ll introduce DEEP, a simple framework for structuring a complex, human-centric security strategy.
Blog post with links:
https://blog.knowbe4.com/the-behavioral-science-behind-the-click
The Invisible Threat: How Polymorphic Malware is Outsmarting Your Email Security
Approximately $350 million in preventable losses stem from polymorphic malware, malicious software that constantly changes its code to evade detection. With 18% of new malware using adaptive techniques that challenge traditional defenses, now is the time to enhance your organization’s security posture.
Join us for this webinar where James McQuiggan, CISO Advisor at KnowBe4, shares valuable insights and proactive strategies to strengthen your security framework against sophisticated attacks.
In this session, you’ll discover:
- Enhanced detection strategies that go beyond traditional signature-based approaches to identify polymorphic threats before they impact your systems
- Proactive defense frameworks specifically designed to counter the most sophisticated shape-shifting malware
- Success stories from organizations that effectively neutralized advanced threats through strategic security improvements
- Communication templates for building stakeholder support for security enhancements
- Practical implementation roadmaps to strengthen your security posture against adaptive threats
Drawing from real-world scenarios and emerging threat intelligence, James will provide clear, actionable guidance for your security teams. You’ll leave with a practical toolkit of strategies you can implement immediately to enhance your organization’s resilience.
Date/Time: Wednesday, October 8 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/the-invisible-threat-na?partnerref=CHN
Get Your Game On! 3 Ways to Use the 2025 Cybersecurity Awareness Month Resource Kit
The calendar has flipped into October, so now it’s time to let the Cybersecurity Awareness Month games begin!
October marks the start of Cybersecurity Awareness Month, a time to drive home the importance of sound cybersecurity practices to your users. As ever, we at KnowBe4 have launched a free resource kit to help you spread the word all this month.
For 2025, we’re busting out of the arcade with retro-style assets and content themed per each of the four full weeks of October. Think of each week as a new level for your users to explore as they learn how to thwart the most treacherous cyber villains out there. Here’s a primer:
Week/Level 1: General Cybersecurity
The most basic and prevalent cyberthreats are no excuse for your users to let their guard down. The goal of the first week is to provide an introductory level covering a variety of common cyberthreats that continue to take a toll on organizations of all sizes.
Week/Level 2: AI Threats
Few threats have rocketed to the top of the infosec world’s worry list like AI-powered phishing emails, scams and deepfakes. The goal of the second “level” and the associated focus content is to ensure your users are well-versed in these threats both as they go about their work life and explore the internet in their down time.
Week/Level 3: Ransomware
A threat cybercriminals keep shelling out the coin for, ransomware threatens all corners of the cyberworld. Help your users navigate the third level of Cybersecurity Awareness Month with the equipment and know-how they’ll need to be ransomware-ready.
Week/Level 4: Incident Reporting
Combining all your users have learned throughout the month, the fourth and final level is all about making sure they know what to do when they see something. From reporting phishing emails to seeking help from IT, speaking up when something seems not right is one of the most important steps in helping to keep your organization cybersecure.
Blog post with links:
https://blog.knowbe4.com/get-your-game-on-3-ways-to-use-the-2025-cyberawareness-month-resource-kit
[Live Demo] Intelligent Email Defense: Automate, Remediate and Train from One Platform
As cyber attackers continue to outpace traditional defenses, it’s not a question of if, but when sophisticated attacks will bypass your email security controls.
Phishing attacks are surging at an unprecedented 1,265% rate since 2022, largely driven by AI advancements. Most concerning, 31% of IT teams take more than five hours to respond to reported security issues, leaving your organization vulnerable during those critical hours when threats remain active in your users’ inboxes.
During this demo, you’ll discover how PhishER Plus can help take control back from rising AI phishing risks by:
- Transforming your users into active threat sensors with one-click reporting via the Phish Alert Button
- Accelerating response times with AI-powered automation that reduces manual email review by 85-99%
- Providing comprehensive threat intelligence from a network of 13+ million global users and third-party integrations
- Removing threats automatically from all mailboxes with PhishRIP before users can interact with them
- Converting real attacks into targeted training opportunities with PhishFlip
Discover how PhishER Plus combines AI and human intelligence to transform your users from security risks into your most valuable defenders.
Date/Time: Wednesday, October 15 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/phisher-demo-1?partnerref=CHN
Why KB4-CON EMEA 2025 Should Be Your Must-Attend Cybersecurity Conference This October
As cyber threats continue to evolve at breakneck speed, staying ahead of the curve isn’t just important, it’s essential.
KB4-CON EMEA 2025, taking place on the 23rd of October in London, brings together industry pioneers, thought leaders and security professionals to tackle the most pressing cybersecurity challenges facing organizations today.
Here are the reasons why this conference deserves a spot on your calendar:
1. Learn from Award-Winning Industry Leaders
This year’s keynote speaker is Graham Cluley, an award-winning cybersecurity and AI expert who’s been at the forefront of the industry since the early 1990s. As a member of the prestigious InfoSecurity Hall of Fame and host of the acclaimed “Smashing Security” and “The AI Fix” podcasts, Graham’s keynote “Agents of Chaos: AI, Humans, and the New Cybercrime” is a deep dive into the dramatic reshaping of the cybersecurity landscape by artificial intelligence. It explores the rapid evolution of threats, from phishing scams and insider risks to the explosive rise of AI-assisted cybercrime. Drawing on real-world incidents and darkly comic tales from the front lines, he will reveal how both hackers and defenders are leveraging AI in their ongoing battle.
You’ll also hear from other industry heavyweights including Jack Chapman, SVP of Threat Intelligence, who will expose the attack trends reshaping the threat landscape heading into 2026, and Stuart Clark, VP of Product Strategy, offering exclusive insights into KnowBe4’s product roadmap. KnowBe4’s CISO Advisors, Javvad Malik and Martin Krämer, will also give expert insight into human risk management and artificial intelligence in cybersecurity.
2. Get Ahead of Tomorrow’s Threats Today
The conference doesn’t just focus on current challenges, it’s designed to prepare you for what’s coming. With sessions covering AI-powered attacks, key phishing trends for 2026, and the evolution of human risk management, you’ll gain critical foresight into emerging threats. This forward-thinking approach ensures you’re not only reactive to current threats but proactive against future ones.
3. Master Human Risk Management
One of the conference’s key themes is the revolutionary shift toward human risk management (HRM). You’ll discover how to move beyond traditional security policies to create personalized security architectures that adapt to user behavior in real time. Learn proven strategies for driving measurable behavior change across your entire workforce, a crucial skill as the human element remains the most vulnerable link in cybersecurity.
4. Immerse Yourself in Comprehensive Learning
With over 15 informative sessions, the conference offers depth and breadth. Whether you’re interested in accelerating security productivity through AI, securing email vectors, or exploring adaptive defense strategies, there’s content tailored to your specific needs and challenges. The diverse session lineup ensures that professionals at all levels will find valuable, actionable insights.
5. Connect with Your Cybersecurity Community
Beyond the sessions, KB4-CON EMEA 2025 offers networking opportunities. Connect with fellow cybersecurity professionals, share challenges, exchange best practices, and build lasting relationships with peers who understand your daily struggles. These connections often prove as valuable as the formal sessions, providing ongoing support and collaboration opportunities long after the conference ends.
6. Gain Direct Access to Product Experts
The conference provides rare direct access to product experts and strategic decision-makers. Engage in product-specific sessions, get hands-on with live demos, and gain insider knowledge about future developments that could impact your security strategy. This level of access is typically unavailable outside of such specialized events.
7. Apply Learning Immediately
Unlike theoretical conferences, KB4-CON EMEA 2025 focuses on practical, industry-specific tactics you can implement immediately.
The Bottom Line
Cyber threats are evolving daily and the stakes have never been higher. KB4-CON EMEA 2025 represents a critical opportunity to enhance your security posture, expand your professional network, and stay ahead of emerging threats. The combination of world-class speakers, cutting-edge content, and practical applications makes this more than just a conference; it’s an investment in your organization’s security future.
Don’t miss this opportunity to be part of the conversation shaping the future of cybersecurity. Mark your calendar for the 23rd of October in London, and prepare to discover, grow, and connect.
Ready to secure your spot at KB4-CON EMEA 2025? The future of cybersecurity awaits; register here.
https://blog.knowbe4.com/why-kb4-con-emea-2025-should-be-your-must-attend-cybersecurity-conference-this-october
[FREE Resource Kit] The Cybersecurity Awareness Month Kit for 2025 is Now Available
Cybersecurity Awareness Month is here and we’ve got your back!
It’s dangerous out there, so you shouldn’t go alone. Take your users on an 8-bit journey across four levels of cyber sleuthing with our ’80s arcade-themed Cybersecurity Awareness Month resource kit! We’ve set you up with enough free training content to run a whole themed campaign throughout October.
This year, each themed week represents a new level for your users to explore. Along the way they’ll encounter baddies bursting out of the arcade cabinet representing the key cyber threats for each week.
Here is what you’ll get:
- Access to a curated collection of security awareness training videos and interactive modules straight from KnowBe4’s award-winning training library
- Resources to help you plan your activities, including your Cybersecurity Awareness Month User Guide and Cybersecurity Awareness Weekly Planner
- NEW! Four “Arcade Villain” character cards/posters, plus additional posters and digital signage assets available in multiple languages
- Free resources for you including our most popular on-demand webinar and whitepaper
This kit will help you and your users fight cyber crime this October and beyond.
Get Your Kit Now:
https://info.knowbe4.com/cyber-security-awareness-kit-chn
Let’s stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.
PS: KnowBe4 Is a Proud Participant in the Microsoft Security Store Partner Ecosystem:
https://www.prnewswire.com/news-releases/knowbe4-is-a-proud-participant-in-the-microsoft-security-store-partner-ecosystem-302571865.html
PPS: Your KnowBe4 Fresh Content Updates from September 2025:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-september-2025
Quotes of the Week
“Only a man who lives not in time but in the present is happy.”
– Ludwig Wittgenstein – Philosopher (1889 – 1951)
“The person who says it cannot be done should not interrupt the person who is doing it.”
– Chinese Proverb
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-40-the-behavioral-science-when-your-best-people-are-click-magnets
Security News
North Korean Hackers Target Job Seekers With Social Engineering Tricks
A North Korean threat actor dubbed “DeceptiveDevelopment” is using various social engineering techniques to target job seekers, according to researchers at ESET. The group uses data stolen in this operation to support North Korea’s fraudulent IT worker operations.
“DeceptiveDevelopment operators use various methods to compromise their victims, relying on clever social engineering tricks,” the researchers write. “Via both fake and hijacked profiles, they pose as recruiters on platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List.
“They offer fake lucrative job opportunities to attract their targets’ interest. Victims are requested to participate in a coding challenge or a pre-interview task. The task involves downloading a project from private GitHub, GitLab, or Bitbucket repositories.
“These repositories contain trojanized code, often hidden cleverly in long comments displayed well beyond the right-hand edge of a code browser or editor window. Participation in the task triggers the execution of BeaverTail, the first-stage malware.”
The threat actors also use the ClickFix social engineering tactic, in which the user is tricked into copying and pasting a malicious command into their computer’s terminal.
“The attackers direct the victim to a fake job interview website, containing an application form that they are asked to complete,” ESET explains. “The form contains a few lengthy questions related to the applicant’s identity and qualifications, leading the victim to put significant time and effort into filling in the form and making them feel like they are almost done, and therefore more likely to fall for the trap.
“In the final step of the application, the victim is asked to record a video of them answering the final question. The site triggers a pop-up asking the victim to allow camera access, but the camera is never actually accessed. Instead, an error message appears saying that access to the camera or microphone is currently blocked and offers a ‘How to fix’ link. That link leads to a pop-up employing the ClickFix social engineering technique.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
ESET has the story:
https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/
Multitasking Employees Are Particularly Vulnerable to Phishing Attacks
Employees who multitask are significantly more vulnerable to phishing attacks, according to a study from the University at Albany published in the European Journal of Information Systems.
“In real-world settings, users are frequently engaged in other digital tasks when a suspicious message appears, requiring them to momentarily interrupt their workflow,” the researchers write. “Under such multitasking conditions, phishing detection becomes a secondary, interrupting task that must compete for attention and cognitive resources.”
Attackers exploit fundamental human vulnerabilities to trick victims into clicking on malicious links or downloading malware. If users are aware of the hallmarks of social engineering attacks, they can build a healthy sense of suspicion that alerts them to these red flags.
“Key tactics used in crafting phishing messages include urgency, reciprocity, authority, scarcity, consistency, fear and liking, all of which significantly heighten individuals’ phishing vulnerability,” the researchers write. “Message framing is another critical factor.
“Messages that include gain or loss framing—emphasizing potential rewards or the risk of loss—can make individuals more vulnerable, as humans tend to approach rewards and avoid losses. Additionally, emotional cues embedded in phishing messages, particularly those inducing positive valence and low certainty, have been shown to increase susceptibility.”
While it’s not feasible to ask employees to stop multitasking, there are measures that can increase their ability to detect phishing attacks during the course of their workdays. Security awareness training with realistic phishing simulations can help employees be more vigilant even while they’re busy. If employees know they’re going to receive simulated phishing emails, they’ll be more likely to spot the real ones.
Digital Information World has the story:
https://www.digitalinformationworld.com/2025/09/new-research-warns-multitasking-leaves.html
Bruce Schneier about the “Lethal AI Agent Trifecta” for Data Theft
I’m quoting, and the full blog post is below:
He said: “The lethal trifecta of capabilities is:
- Access to your private data—one of the most common purposes of tools in the first place!
- Exposure to untrusted content—any mechanism by which text (or images) controlled by a malicious attacker could become available to your LLM
- The ability to externally communicate in a way that could be used to steal your data (I often call this “exfiltration” but I’m not confident that term is widely understood.)
“This is, of course, basically the point of AI agents. The attack involves hiding prompt instructions in a pdf file—white text on a white background—that tell the LLM to collect confidential data and then send it to the attackers.
“The fundamental problem is that the LLM can’t differentiate between authorized commands and untrusted data. So when it encounters that malicious pdf, it just executes the embedded commands. And since it has (1) access to private data, and (2) the ability to communicate externally, it can fulfill the attacker’s requests.
“I’ll repeat myself: This kind of thing should make everybody stop and really think before deploying any AI agents. We simply don’t know how to defend against these attacks. We have zero agentic AI systems that are secure against these attacks. Any AI that is working in an adversarial environment—and by this I mean that it may encounter untrusted training data or input—is vulnerable to prompt injection.
“It’s an existential problem that, near as I can tell, most people developing these technologies are just pretending isn’t there. In deploying these technologies. And I say this as someone who is basically an optimist about AI technology.”
Full blog post:
https://www.schneier.com/blog/archives/2025/09/abusing-notions-ai-agent-for-data-theft.html
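One defensive reading of the trifecta, as an added example that is not from Schneier’s post or from the Notion case it describes: a per-session gate that tags each tool with the leg(s) of the trifecta it exercises and refuses the single call that would put all three legs in one session. The tool names, capability tags and the sample plans are constructed for this illustration.

```python
# Added example (not from Schneier's post or the Notion case): a session guard that
# refuses any tool call which would give one agent session all three "lethal trifecta"
# capabilities. Tool names, capability tags and the plans below are constructed.
from dataclasses import dataclass, field
from enum import Enum, auto


class Cap(Enum):
    PRIVATE_DATA = auto()     # reads the user's private data
    UNTRUSTED_INPUT = auto()  # puts attacker-controllable text/images in front of the LLM
    EXTERNAL_COMMS = auto()   # can move bytes off the box (the exfiltration leg)


# Constructed tool manifest: each tool is tagged with the legs it exercises.
# fetch_url carries two legs at once: the response is untrusted content, and the
# request URL itself is a channel that can carry data out.
TOOLS = {
    "read_notes": {Cap.PRIVATE_DATA},
    "open_pdf": {Cap.UNTRUSTED_INPUT},
    "fetch_url": {Cap.UNTRUSTED_INPUT, Cap.EXTERNAL_COMMS},
    "send_email": {Cap.EXTERNAL_COMMS},
}

ALL_LEGS = frozenset(Cap)


class TrifectaViolation(Exception):
    """Raised when a tool call would complete the trifecta within a session."""


@dataclass
class Session:
    touched: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def call(self, tool: str) -> set:
        """Admit the tool only if the session still lacks at least one leg afterwards."""
        legs = TOOLS[tool]
        after = self.touched | legs
        if after >= ALL_LEGS:
            self.log.append(f"DENY {tool}: would add {sorted(c.name for c in legs)}")
            raise TrifectaViolation(tool)
        self.touched = after
        self.log.append(f"ALLOW {tool}")
        return set(after)


def run_plan(plan):
    """Execute a planned tool sequence; return (allowed_tools, first_denied_tool_or_None)."""
    session = Session()
    allowed = []
    for tool in plan:
        try:
            session.call(tool)
            allowed.append(tool)
        except TrifectaViolation as exc:
            return allowed, str(exc)
    return allowed, None


if __name__ == "__main__":
    # Injected plan: read private notes, open the attacker's PDF, then mail the data out.
    print(run_plan(["read_notes", "open_pdf", "send_email"]))  # (['read_notes', 'open_pdf'], 'send_email')
    # Two legs only (untrusted + external) stay allowed: nothing private is in the session.
    print(run_plan(["open_pdf", "fetch_url"]))                 # (['open_pdf', 'fetch_url'], None)
```

The gate is order-independent: whichever leg arrives last is the one refused, so a session that has already read private data and seen untrusted content loses its outbound tools rather than its data.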
What KnowBe4 Customers Say
“I can confidently say I’m a very happy camper with KnowBe4. As the Platform Admin and DevSecOps Developer here, your platform has made my life much easier. Before KnowBe4, I had to deliver manual security training sessions, which was time-consuming and less consistent. Now, I can simply select the right training modules and enroll our team with just a few clicks. It’s streamlined our entire security awareness program and given us peace of mind knowing everyone is properly trained. We’ve had no regrets moving to KnowBe4—it’s been a real game-changer for us.”
N.J., Senior DevSecOps Developer
“It’s great to hear from you. We’ve been seeing strong results with KnowBe4, and I’d like to highlight the excellent support we’ve received from Edmond C. His guidance during our onboarding, especially sharing how other companies structure their campaigns, was incredibly helpful in getting us up to speed quickly.”
L.D., Senior Manager
The 10 Interesting News Items This Week
Cyberheist ‘Fave’ Links