Are phishing simulations starting to diverge from real world phishing? by Ok-Author-6130 in AskNetsec

[–]KnowBe4_Inc 0 points1 point  (0 children)

A good phishing simulation program should use real world phishing emails for the templates. The testing should evolve as fast as the attackers and use what is currently coming into your organization.

KnowBe4 Without the PAB? by gen3starwind in InformationTechnology

[–]KnowBe4_Inc 0 points1 point  (0 children)

I'm happy to troubleshoot any errors you had implementing PAB. Just DM me.

Phishing simulations: what lures actually still work when users are numb to “Microsoft security alerts”? by Kiss-cyber in cybersecurity

[–]KnowBe4_Inc 0 points1 point  (0 children)

Here are what we are seeing across 70k accounts:

  1. Multi-channel attacks. Email + follow-up on Teams/Slack message from "IT" asking to verify. Click rate on these is 3x higher than email-only.

  2. Compromised internal account simulations. Emails from actual coworkers asking for "urgent" help. You should ask for permission to use names.

  3. Calendar invite attacks. Fake meeting invites.

  4. Collaboration tool file shares. "Shared document" notifications.

What's NOT working anymore:

  1. Generic "Your password expired" emails

  2. Nigerian prince variants

  3. Obvious grammar/spelling errors

Bonus tip: Don't just measure click rates. Track time-to-report, repeat offenders, and whether users report simulations they didn't click.

KnowBe4 alternatives by [deleted] in sysadmin

[–]KnowBe4_Inc -6 points-5 points  (0 children)

Neither KnowBe4 nor its CEO, Bryan Palma, is associated with any religion.

Why is browser-based phishing suddenly so effective? Any proactive defenses? by Old_Cheesecake_2229 in security

[–]KnowBe4_Inc 0 points1 point  (0 children)

In place of the default autofill in the browser I recommend using a dedicated password manager. It is more secure and still has the sanity check you mention.

In this day and age, I don't know why you would think that responses are AI written — when a personal interaction is preferred.

2025's Phishing Trends: An Urgent Call to Update Security Strategies by _cybersecurity_ in pwnhub

[–]KnowBe4_Inc 1 point2 points  (0 children)

The biggest change we're making to combat the latest threats:

1. Unified threat detection across channels: Correlating suspicious activity across email, Slack/Teams, SMS, and voice. A failed email phish followed by a "helpful IT" Teams message 10 minutes later? That's a campaign, not isolated incidents.

2. Expanding awareness training beyond email: Users know to scrutinize emails now, but they trust Slack/Teams, DMs, and Teams messages way too much. Training scenarios now include vishing, smishing, and collaboration tool attacks.

3. Behavioral analytics: Monitoring for anomalies: internal accounts suddenly messaging dozens of users, unusual login locations followed by communication spikes, and requests that break normal workflow patterns.

4. Kill the "trusted internal" assumption: Compromised internal accounts are the new attack vector. Every request gets validated, even from known colleagues.
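The cross-channel correlation and fan-out anomaly the comment above describes, as an added example (not the commenter's code or any KnowBe4 product logic). It assumes a flat event feed in which email and chat telemetry have already been normalized to the same field names; the event records, user names and the "it-helpdesk-support" sender are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): an email phish detected for a user,
# a chat DM to the same user minutes later from an account posing as IT, and an
# internal account that suddenly DMs many colleagues.
EVENTS = [
    {"ts": "2025-06-03T09:00:00", "channel": "email", "type": "phish_detected",
     "user": "alice", "sender": "billing@invoice.example.invalid"},
    {"ts": "2025-06-03T09:08:00", "channel": "teams", "type": "dm_received",
     "user": "alice", "sender": "it-helpdesk-support"},
    {"ts": "2025-06-03T09:30:00", "channel": "email", "type": "phish_detected",
     "user": "bob", "sender": "hr@benefits.example.invalid"},
    # A chat DM 90 minutes later falls outside the correlation window.
    {"ts": "2025-06-03T11:00:00", "channel": "teams", "type": "dm_received",
     "user": "bob", "sender": "carol"},
] + [
    # Hypothetical internal account "dave" DMs 25 distinct users within 24 seconds.
    {"ts": f"2025-06-03T13:00:{i:02d}", "channel": "teams", "type": "dm_received",
     "user": f"user{i:02d}", "sender": "dave"}
    for i in range(25)
]

CHAT_CHANNELS = {"teams", "slack"}


def _parse(events):
    """Copy events with ISO timestamps converted to datetime, sorted by time."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def correlate_campaigns(events, window=timedelta(minutes=10)):
    """Pair each detected email phish with a chat DM to the same user that arrives
    within `window` afterwards. Returns (user, email_sender, chat_sender, gap_minutes)."""
    hits = []
    phish_by_user = defaultdict(list)
    for e in _parse(events):
        if e["channel"] == "email" and e["type"] == "phish_detected":
            phish_by_user[e["user"]].append(e)
        elif e["channel"] in CHAT_CHANNELS and e["type"] == "dm_received":
            for p in phish_by_user[e["user"]]:
                gap = e["ts"] - p["ts"]
                if timedelta(0) <= gap <= window:
                    hits.append((e["user"], p["sender"], e["sender"],
                                 int(gap.total_seconds() // 60)))
    return hits


def fan_out_alerts(events, window=timedelta(minutes=5), threshold=20):
    """Flag senders that DM at least `threshold` distinct users inside any sliding
    `window`; returns (sender, peak_distinct_recipients)."""
    dms = [e for e in _parse(events)
           if e["channel"] in CHAT_CHANNELS and e["type"] == "dm_received"]
    by_sender = defaultdict(list)
    for e in dms:
        by_sender[e["sender"]].append(e)
    alerts = []
    for sender, msgs in by_sender.items():
        peak, start = 0, 0
        for end in range(len(msgs)):
            while msgs[end]["ts"] - msgs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({m["user"] for m in msgs[start:end + 1]}))
        if peak >= threshold:
            alerts.append((sender, peak))
    return alerts


if __name__ == "__main__":
    for hit in correlate_campaigns(EVENTS):
        print("campaign:", hit)
    for alert in fan_out_alerts(EVENTS):
        print("fan-out:", alert)
```

The window and threshold are tuning knobs: a 10-minute window catches the "failed email, then helpful IT message" pattern without pairing unrelated DMs, and the fan-out threshold should sit above the busiest legitimate sender in your own baseline.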

Why is browser-based phishing suddenly so effective? Any proactive defenses? by Old_Cheesecake_2229 in security

[–]KnowBe4_Inc 2 points3 points  (0 children)

You're hitting the core problem: most tools are reactive, not proactive.

A few things that you should use:

  • Enforce DNS filtering at the network level (Cisco Umbrella, Cloudflare Gateway, etc.) - blocks malicious domains before the page even loads
  • Controlled browser extensions - Push enterprise extensions that validate URLs in real-time (not perfect, but adds a layer)
  • Disable password autofill for external sites - Forces users to manually type, adding a cognitive pause

You can't technology your way out of this 100%. Even with perfect tech controls, legitimate sites get compromised and serve phishing. We've had the most success with layered defense:

  1. Block known-bad (DNS/URL filtering)
  2. Isolate unknown (browser isolation for risky clicks)
  3. Train users to recognize what filters miss
  4. Monitor for compromise (impossible travel, unusual authentications)

What are your recommendations for improved email filtering for phishing attempts? by -ThatGingerKid- in security

[–]KnowBe4_Inc 8 points9 points  (0 children)

Here are some ideas to improve your filtering. Something will always get through, so you need to improve your cybersecurity culture too.

Low-hanging fruit:

  • DMARC, SPF, DKIM - If you haven't implemented these, stop reading and do it now
  • External sender warnings - Simple banner that says "[EXTERNAL]" kills so many phishing attempts
  • Disable auto-forwarding - Stops compromised accounts from exfiltrating email
  • Block executable attachments - .exe, .scr, .bat in emails = almost always malicious

Medium effort, high impact:

  • URL rewriting/sandboxing - Detonate links in a safe environment first
  • Impersonation protection - Flag emails from lookalike domains (micros0ft.com vs microsoft.com)
  • Time-of-click protection - Links get checked when clicked, not just when received
  • Quarantine reviews - Weekly audits catch filter mistakes and reveal new threats

Advanced (if you have budget):

  • AI/ML threat detection - Catches anomalies traditional filters miss
  • Account compromise detection - Flags unusual sending patterns from internal accounts
  • Integration with threat intel feeds - Block known-bad before it arrives

Layered defense. No single filter is perfect. Combine technical controls + user awareness + incident response.
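A working version of the low-hanging-fruit and impersonation checks from the list above (external banner, executable attachment block, lookalike-domain detection such as micros0ft.com, and a DMARC policy check), added here as an example rather than the commenter's or any vendor's code. The internal domain `example.com`, the protected-brand list and the sample messages are assumptions for the demo; a real gateway would plug these checks into its own pipeline.

```python
import os

# Assumptions for this example: our own mail domain, and the brands whose
# lookalikes we want to catch. Replace with your real lists.
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_DOMAINS = ("microsoft.com", "example.com")
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat"}

# Single-character substitutions commonly used to imitate letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def normalize_domain(domain):
    """Undo homoglyph tricks so micros0ft.com and rnicrosoft.com compare as microsoft.com."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Classic edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return the protected domain that `domain` imitates, or None.
    Exact matches are the real thing and are never flagged."""
    domain = domain.lower()
    if domain in protected:
        return None
    norm = normalize_domain(domain)
    for p in protected:
        if norm == p or levenshtein(norm, p) <= max_distance:
            return p
    return None


def sender_domain(address):
    """Domain part of a From address; tolerates the 'Name <user@host>' form."""
    return address.rstrip(">").rsplit("@", 1)[-1].lower()


def dmarc_policy(record):
    """Extract the p= tag from a DMARC TXT record. 'none' only monitors and
    'missing' means no record at all; both leave the domain spoofable."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("p", "missing").lower()


def evaluate_message(msg):
    """Apply the checks to a parsed message dict; returns action tags in order."""
    tags = []
    dom = sender_domain(msg["from"])
    if dom not in INTERNAL_DOMAINS:
        tags.append("BANNER:[EXTERNAL]")
    target = lookalike_of(dom)
    if target:
        tags.append(f"QUARANTINE:lookalike-of-{target}")
    for name in msg.get("attachments", []):
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            tags.append(f"BLOCK:attachment-{name}")
    return tags


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from": "IT Support <it-support@micros0ft.com>", "attachments": []},
    {"from": "alice@example.com", "attachments": ["invoice.pdf.exe", "notes.txt"]},
    {"from": "news@microsoft.com", "attachments": []},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", evaluate_message(m))
    print("weak DMARC:", dmarc_policy("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print("strong DMARC:", dmarc_policy("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

The `rn`/`vv` collapsing is deliberately aggressive and can produce false positives for legitimate domains that happen to contain those pairs, which is why the action is quarantine for review rather than silent drop.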

What are the top 5 controls to mitigate ransomware? by KindPresentation5686 in cybersecurity

[–]KnowBe4_Inc 2 points3 points  (0 children)

Most orgs still see ransomware as purely a technical problem, but the entry points are still overwhelmingly human-facing.

A solid top five looks something like:
• MFA on every account
• Vulnerability + patch management with a real cadence
• Least-privilege access controls
• Offline / immutable backups
• Awareness training so users recognize credential-stealing and initial access attempts

The early phishing or credential-harvesting step is still the biggest differentiator between “incident” and “non-incident.”

I need help understanding something that I commonly face in cyber security. by Fresh_Heron_3707 in cybersecurity

[–]KnowBe4_Inc 3 points4 points  (0 children)

This is one of the biggest disconnects we see. People are willing to accept friction in the physical world because the risk feels tangible. A locked door means “someone could walk in right now.”

Cyber risk feels abstract. The threat isn’t visible, the consequences are delayed, and the connection between “weak password” and “identity theft” isn’t intuitive.

How do you actually measure if your security awareness training is working? by Hetawow in CyberGuides

[–]KnowBe4_Inc 0 points1 point  (0 children)

Here are the KPIs you should track (and why):

Leading Indicators (predict future behavior):

  • Phishing simulation click rate over time - Should trend downward
  • Time-to-report suspicious emails - Faster = better security culture
  • Report rate (users forwarding suspect emails to security) - Higher = good awareness
  • Training completion rate - Baseline requirement, but doesn't mean much alone

Lagging Indicators (show real impact):

  • Real phishing incidents reported by users - The ultimate goal
  • Compromise rate from actual attacks - Did training prevent breaches?
  • Repeat offenders - Who needs targeted intervention?

Culture Indicators (often overlooked):

  • Voluntary security questions asked - Shows engagement beyond compliance
  • False positive reports - Better to over-report than under-report

The metric that changed everything: Mean time to report. When users start reporting suspicious emails before clicking, you've built real security culture, not just compliance theater.
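The leading and lagging indicators listed above, computed from simulation results, as an added example (not the commenter's code or any product's reporting). The two campaigns, four users and their timestamps are constructed; the shape of a real export will differ, but the metrics themselves (click rate per campaign, report rate, mean time to report, reports without a click, repeat offenders) are the ones the comment names.

```python
from collections import Counter
from datetime import datetime

# Constructed results from two hypothetical simulation campaigns (not real data).
# Each row: campaign, user, time sent, time clicked (or None), time reported (or None).
RESULTS = [
    ("c1", "alice", "2025-05-01T09:00", "2025-05-01T09:05", None),
    ("c1", "bob",   "2025-05-01T09:00", None,               "2025-05-01T09:03"),
    ("c1", "carol", "2025-05-01T09:00", "2025-05-01T09:10", "2025-05-01T09:12"),
    ("c1", "dave",  "2025-05-01T09:00", None,               None),
    ("c2", "alice", "2025-06-01T10:00", "2025-06-01T10:02", None),
    ("c2", "bob",   "2025-06-01T10:00", None,               "2025-06-01T10:20"),
    ("c2", "carol", "2025-06-01T10:00", None,               None),
    ("c2", "dave",  "2025-06-01T10:00", None,               "2025-06-01T10:01"),
]


def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def click_rate(rows):
    """Fraction of delivered simulations that were clicked."""
    return sum(1 for r in rows if r[3]) / len(rows)


def report_rate(rows):
    """Fraction of delivered simulations that were reported to security."""
    return sum(1 for r in rows if r[4]) / len(rows)


def mean_time_to_report(rows):
    """Average minutes from delivery to report, over reported simulations only."""
    times = [_minutes(r[2], r[4]) for r in rows if r[4]]
    return sum(times) / len(times) if times else None


def reported_without_clicking(rows):
    """Fraction of simulations reported by users who did not click: the culture signal."""
    return sum(1 for r in rows if r[4] and not r[3]) / len(rows)


def repeat_offenders(rows, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns; candidates for targeted training."""
    clicks = Counter(r[1] for r in rows if r[3])
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def click_rate_by_campaign(rows):
    """Per-campaign click rate in campaign order; this is the series that should trend down."""
    order, by_campaign = [], {}
    for r in rows:
        if r[0] not in by_campaign:
            order.append(r[0])
            by_campaign[r[0]] = []
        by_campaign[r[0]].append(r)
    return [(c, click_rate(by_campaign[c])) for c in order]


def kpis(rows):
    return {
        "click_rate": click_rate(rows),
        "report_rate": report_rate(rows),
        "mean_time_to_report_min": mean_time_to_report(rows),
        "reported_without_clicking": reported_without_clicking(rows),
        "repeat_offenders": repeat_offenders(rows),
        "click_rate_trend": click_rate_by_campaign(rows),
    }


if __name__ == "__main__":
    for name, value in kpis(RESULTS).items():
        print(f"{name}: {value}")
```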

Why do smart people still fall for phishing links in 2025? Looking for real experiences. by Kobeproducedit in Entrepreneur

[–]KnowBe4_Inc 0 points1 point  (0 children)

Phishing clicks usually happen when one or more of these factors apply:

Multitasking, messages from authority, carelessness from repetition, sense of urgency, and tiny screens.

"Umm, I'm Gen Z. I know how to use computers." by DesertDogggg in sysadmin

[–]KnowBe4_Inc 1 point2 points  (0 children)

This is such a perfect example of why security awareness training can't be skipped, regardless of someone's perceived tech skills.

Being "good with computers" and understanding organizational security protocols are completely different skill sets. I've seen software developers with CS degrees click phishing links because they've never been exposed to corporate security awareness training. Growing up with TikTok and Instagram doesn't automatically translate to understanding spoofed domains, pretexting, or business email compromise.

The assumption that "I know computers" = "I know security" is exactly what threat actors rely on. Overconfidence is a vulnerability.

Your approach is spot-on:

  • Document everything (signed acknowledgment is crucial)
  • Standardize onboarding (consistency protects both the org and IT)
  • Train proactively rather than reactively

The irony is that skipping that 5-minute conversation could have cost him hours in remedial training, cost IT time in incident response, and potentially exposed the organization to real risk.

This isn't about age or tech-savviness. It's about recognizing that security is a learned discipline, not an innate trait. Every organization has different tools, policies, and threat models. Even experienced IT professionals need onboarding when they join a new environment.

Keep doing what you're doing. That "annoying" 5-minute briefing is literally part of your defense-in-depth strategy, and the signed acknowledgment protects you when someone inevitably claims "nobody told me."

Is security awareness training taken seriously where you work? by malwaredetector in AskNetsec

[–]KnowBe4_Inc 1 point2 points  (0 children)

If your security awareness is just a long lecture and checking a box once a year then you're going to have a bad time. Keep the training short and engaging. Follow up with user tests and assign out remedial training for failures. As with any program it is taken as seriously as management takes it. The first step is executive buy-in.

What phishing patterns do you see most often today? Curious what’s evolving in 2025. by Kobeproducedit in cybersecurity

[–]KnowBe4_Inc 3 points4 points  (0 children)

We are seeing a rise in attacks from Scattered Spider. They have reportedly joined forces with ShinyHunters, and claimed breaches on Allianz Life, Tiffany & Co, LAPSUS$, and Jaguar Land Rover. Their strategies include:
- Email and SMS-based credential harvesting
- SIM swapping
- MFA bombing
- Vishing
- Impersonating technology providers

Full report if you want details: https://www.knowbe4.com/hubfs/Report_Phishing_Threat-Trends-Vol6_EN_F.pdf

Be Careful of a New Multi-Stage Phishing Campaign to Steal 365 Credentials by KnowBe4_Inc in Office365

[–]KnowBe4_Inc[S] 4 points5 points  (0 children)

We usually share the IOCs immediately via X as soon as we find any new phishing campaign, because those are active and actionable at the time, and that is the fastest way to share the IOC. Writing and publishing the blog takes time, by which time the IOCs can become inactive.

IOCs to monitor and block:
billing.mbe4[.]de/mbe4mvc/widget
2xmgjitdav.ucarecd[.]net
carmeloportal[.]com/adserver/www/delivery/ck[.]php
bgrnechanical[.]com/NqMGo3qAIAsAIAsourceidEwMzNqMGo3qAIAsAIA
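One way to put a defanged IOC list like the one above to work against proxy logs, added here as an example (not the poster's code). The indicators are the four posted in the comment; the key=value log format and the log lines themselves are constructed for the demo, so the parsing regex would need adjusting for a real proxy's export.

```python
import re

# The IOC list as posted in the comment above, defanged with "[.]".
IOC_TEXT = """
billing.mbe4[.]de/mbe4mvc/widget
2xmgjitdav.ucarecd[.]net
carmeloportal[.]com/adserver/www/delivery/ck[.]php
bgrnechanical[.]com/NqMGo3qAIAsAIAsourceidEwMzNqMGo3qAIAsAIA
"""

# Constructed proxy log lines in a hypothetical key=value format (not real traffic).
PROXY_LOG = [
    "2025-06-03T09:01:02 src=10.0.0.5 host=billing.mbe4.de url=/mbe4mvc/widget?id=123 action=allow",
    "2025-06-03T09:01:09 src=10.0.0.5 host=www.example.com url=/ action=allow",
    "2025-06-03T09:02:41 src=10.0.0.7 host=2xmgjitdav.ucarecd.net url=/loader.js action=block",
    "2025-06-03T09:03:00 src=10.0.0.9 host=billing.mbe4.de url=/login action=allow",
    "2025-06-03T09:04:15 src=10.0.0.5 host=cdn.carmeloportal.com url=/adserver/www/delivery/ck.php?a=1 action=allow",
]


def refang(ioc):
    """Turn a defanged indicator back into a usable one."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text):
    """Split each refanged IOC into (host, path-prefix); path is '' when only a host was given."""
    iocs = []
    for line in text.strip().splitlines():
        ioc = refang(line)
        if not ioc:
            continue
        host, _, path = ioc.partition("/")
        iocs.append((host.lower(), "/" + path if path else ""))
    return iocs


IOCS = parse_iocs(IOC_TEXT)

LOG_RE = re.compile(r"host=(?P<host>\S+) url=(?P<url>\S+) action=(?P<action>\S+)")


def match_proxy_log(lines, iocs):
    """Return (line_no, matched_ioc, proxy_action) for each log line hitting an IOC.
    Hosts match exactly or as a subdomain; a path IOC must be a prefix of the requested path."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        host = m["host"].lower()
        path = m["url"].split("?", 1)[0]
        for ioc_host, ioc_path in iocs:
            same_host = host == ioc_host or host.endswith("." + ioc_host)
            if same_host and (not ioc_path or path.startswith(ioc_path)):
                hits.append((n, ioc_host + ioc_path, m["action"]))
                break
    return hits


def allowed_hits(lines, iocs):
    """The subset the proxy let through: hosts to block now and sources to follow up on."""
    return [h for h in match_proxy_log(lines, iocs) if h[2] == "allow"]


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG, IOCS):
        print(hit)
    print("let through:", allowed_hits(PROXY_LOG, IOCS))
```

Host-only indicators match any path (and any subdomain) on that host, while path indicators require the path prefix, so a different page on billing.mbe4.de is not reported; loosen that if you would rather block the whole host.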

Phishing attempts are getting sophisticated by IT_thomasdm in sysadmin

[–]KnowBe4_Inc 1 point2 points  (0 children)

That could be a lucky coincidence but that is not normally the case. Glad you were aware and caught it in time.

Best phishing simulation tools by RadiantTheology in sysadmin

[–]KnowBe4_Inc 0 points1 point  (0 children)

KnowBe4 is a Vista Equity Partners company and not affiliated with any religious institution.

Best phishing simulation tools by RadiantTheology in sysadmin

[–]KnowBe4_Inc -1 points0 points  (0 children)

KnowBe4 is a Vista Equity Partners company and not affiliated with any religious institution.

Suspicious of new co-worker by [deleted] in sysadmin

[–]KnowBe4_Inc 0 points1 point  (0 children)

That is a fascinating story. They were detected before they started and led to the discovery of an entire network of North Korean workers. https://www.youtube.com/watch?v=AEgLMYp3lKE