CyberheistNews Vol 16 #20  |   May 19th, 2026

[Heads Up] Today You Have Only 60 Seconds to Stop That Breach. Are You Ready?

Sometimes a blog post completely breaks out and goes viral!

This one by Haylea Reiner did last week:

2026 has officially become the year of speed, scale and support. The delta between a phishing email landing and a full organizational compromise has shrunk to mere seconds.

The reality by the numbers:

• 60 Seconds: The median time it takes a user to click a phishing link and enter their data (Verizon DBIR).
• Every Two Seconds: A business is expected to be struck by a ransomware attack throughout 2026 (SentinelOne).
• 4x: Number of employees who are more likely to report a suspicious email if they received training within 30 days (Verizon DBIR).
• 54%: Click-through rate on AI-automated spear phishing (Brightside AI).
• 16 Hours Down to Five Minutes: Time saved generating AI phishing campaigns with just five prompts (IBM).
• 277 Days: Average dwell time to detect a breach (Fortinet).

To close this window, your defense strategy must evolve into a two-step powerhouse of accuracy and automation.

Step 1: Accuracy Through Intelligent Detection

Training people not to click only works if you trust your technology and your workforce 100% of the time. But in 2026, we know that technology alone can't catch every evolving Gen-AI attack, and even the best-trained employees are human. In fact, the median organization still sees a 1.5% click rate even with regular training.

The real win is a stronger ROI on your training by marrying it to your technology. When you give employees the tools they need where they need them, you prioritize that extra layer of intelligence to gain a filter that technology alone misses.

The Phish Alert Button (PAB) now feeds directly into our inbound email security solution, KnowBe4 Defend. This creates a seamless loop:

• The Warning: A user receives an email with a banner or tag warning them of suspicious content.
• The Human Audit: The user reviews the email, recalls the color-coded alert and prior training and isn't sure if it's safe.
• The Report: The user hits the PAB.
• The Operation: This message is ingested into Defend for instantaneous automated analysis.

This synergy ensures user feedback is immediately operationalized to remove threats and reduce false positives without manual intervention. It turns every employee into a real-time contributor to your SOC.

Step 2: Automation to Eliminate Zero-Day Exploits

While Defend is already scanning for real-time link detonation and heuristic analysis, the true power of 2026 security lies in leveraging dual remediation engines.

The new integration between Defend and PhishER (our incident response platform) allows organizations to deploy PhishRIP with high-speed remediation across all Microsoft environments. By breaking down the walls between inbound security and incident response, you can move at machine speed to keep up with the threats.

• Near-Zero Dwell Time: Defend's inline architectural speed supercharges PhishER's remediation, allowing you to rip malicious content across tens of thousands of mailboxes in seconds, not hours.
• Dual Defense Posture: A proactive set-it-and-forget-it workflow that neutralizes threats organization-wide the moment one is identified.
• Unified Feedback Loop: empowers individual reclassifications that tune Defend's policies based on PhishER data, allowing for a personalized security posture that reduces false positives.

REMEMBER to Incentivize Reporting!

There's no need for email security to be boring. Accuracy improves through training, but it is also vital that you, the SOC partner, make security engaging. Consider:

• Rewards: Random drawings for company swag or bonuses for those who reported suspicious emails in a given month.
• Recognition: Company-wide shout-outs to the Security Superstars who successfully flagged and reported real threats.

As reporting increases, you can demonstrate how report rate accuracy is maturing your organization’s safety profile. An easy win is also deploying PhishFlip within PhishER to turn a real, neutralized threat into a simulation, showing your team, leadership and Board exactly what would have happened if a user hadn’t reported it.

For more information on how to build a stronger workforce, view our latest whitepaper, Stronger Together: KnowBe4’s Phish Alert Button Paired with PhishER Plus and KnowBe4 Defend.

Blog post with links:
https://blog.knowbe4.com/you-have-60-seconds-to-stop-the-breach.-are-you-ready

NEW! High-Performance Email Security Meets Global Teachable Moments

As organizations shift toward API-based security architectures, the promise is zero friction and maximum scale, but most solutions still leave workforce intelligence behind. Today, KnowBe4 is changing that.

We are thrilled to announce the launch of KnowBe4 Defend Graph API integration and localized teachable moments within our Inbound Email Security.

You now get AI-driven protection that stops threats and personalized coaching that makes your entire global workforce smarter, in their own language.

Zero Friction Deployment: Graph API

Moving beyond complex mail flow rules, the new Graph API deployment offers a streamlined, high-performance setup for Microsoft 365.

This allows you to:

• Empower your users to spot risks early: Color-coded tags in Outlook flag potential threats directly in their inbox view before they even open an email.
• Deploy faster with less complexity: Minimal permissions means scalable protection without altering your mail flow architecture.
• Turn blocked threats into teachable moments: When Defend quarantines a threat, your users receive personalized explanation, turning a standard security action into an educational event.

Coaching That Resonates: Localized Teachable Moments

Your global workforce requires more than just a generic translation. We have expanded Defend’s language support with rewritten teachable moments.

This allows you to:

• Deliver coaching with native context: Content has been rewritten by native speakers to ensure it is culturally and linguistically relevant to your employees’ specific dialects.
• Reduce help-desk toil: When blocked emails come with clear, native-language explanations, your IT team sees fewer clarification tickets.
• Protect your global workforce: Support is now live for 14 dialects, including Brazilian Portuguese, French Canadian, Japanese, Mandarin and Spanish (Latin America).

Defend is the only inbound email security solution that stops the breach today while building a more intuitive, security-aware workforce for tomorrow.

Join our upcoming demo to see it in action.

Date/Time: TOMORROW, Wednesday, May 20 @ 1:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/ces-demo-month-2?partnerref=CHN2

Warning: Netflix Phishing Scams Can Lead to Serious Consequences

Researchers at Bitdefender warn that Netflix-themed phishing attacks can have far-reaching consequences if users follow poor security practices. While Netflix is generally associated with a user’s personal life, phishing attacks targeting personal accounts can put users’ employers at risk.

"Your Netflix account is just the starting point. It’s not the final target," Bitdefender says. "Most people reuse passwords across multiple platforms. Hackers take advantage of this by launching automated attacks known as credential stuffing, where they test your stolen login details on other services such as email accounts, banking apps and online stores. If the same password works elsewhere, attackers gain access to far more valuable accounts."

Credential stuffing is a serious threat that can lead to broad compromises across a user’s digital life.

"Using automated tools, attackers test the same email-password combination on services such as payment platforms, e-commerce sites, corporate VPNs and more," the researchers write. "There’s also the real danger of losing your Netflix password and letting attackers into your company's infrastructure because you used the same password.

"Even if just a small percentage of these attempts succeed, attackers gain access to significantly more valuable accounts. In some cases, a single phishing incident can cascade into a full digital identity compromise."

Bitdefender offers the following advice to help users avoid falling for these attacks:

• "If an email pressures you to act quickly or promises an unexpected reward, pause before clicking anything. Instead of using the link provided, open Netflix directly in your browser or app and check your account from there.
• Use a unique password for Netflix and every other service. This single step can stop credential stuffing attacks from spreading beyond one account.
• Enable two-factor authentication wherever possible, especially for your email account. Since your email acts as the central hub for password resets, protecting it significantly reduces your risk."

We could not agree more. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 Platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/warning-netflix-phishing-scams-can-lead-to-serious-consequences

Identify Weak User Passwords in Your Organization with the Newly Enhanced Weak Password Test

Cybercriminals never stop looking for ways to hack into your network, but if your users’ passwords can be guessed, they’ve made the bad actors’ jobs that much easier.

Verizon's Data Breach Investigations Report showed that 81% of hacking-related breaches use either stolen or weak passwords.

The Weak Password Test (WPT) is a free tool to help IT administrators know which users have passwords that are easily guessed or susceptible to brute force attacks, allowing them to take action toward protecting their org.

Weak Password Test checks the Active Directory for several types of weak password-related threats and generates a report of users with weak passwords.

Here's how Weak Password Test works:

• Connects to Active Directory to retrieve password table
• Tests against ten types of weak password related threats
• Displays which users failed and why
• Does not display or store the actual passwords
• Just download, install and run. Results in a few minutes!

Don't let weak passwords be the downfall of your network security. Take advantage of KnowBe4's Weak Password Test and gain invaluable insights into the strength of your password protocols.

Download Now:
https://info.knowbe4.com/free-cybersecurity-tools/weak-password-test-chn

Fighting AI-Assisted Ransomware Threats

By Javvad Malik on May 14.

This Anti-Ransomware Day, it's important to recognize the ever-changing landscape of cyber threats and how organizations can fortify their defenses. The evolution from traditional ransomware to cyber extortion over the last few years reflects a professionalized, decentralized ecosystem.

To arm your organization against this danger, understanding the current landscape and implementing robust defense strategies is essential.

The Evolving Threat of Ransomware

Ransomware has transitioned from isolated attacks mainly targeting large enterprises to a vast ecosystem of independent criminals leveraging Ransomware-as-a-Service (RaaS) models. This industrialization of ransomware has led to an increase in small business victims, which highlights the importance of all organizations, regardless of size, prioritizing cybersecurity as an imperative and not merely a tactical IT expense.

This new franchise business has also given attackers more capabilities to exfiltrate data, which has led to them increasingly relying on it to make money rather than simply deploying ransom alone. This means that if a ransom is paid, it is often to prevent sensitive data from being made public, not to regain access to encrypted files.

In these cases, organizations should shift their focus from mere recovery to understanding the scope of data breaches and communicating effectively with relevant stakeholders.

In addition, the use of artificial intelligence empowers criminals to launch more varied attacks at much greater speed and at large scale, making the RaaS model even more dangerous.

Proactive Defense Strategies

Adopt an "Assume-Breach" Mentality

• Organizations should treat every security product as a potential vulnerability and address technical debt aggressively, moving toward a zero-trust architecture. Advanced actors like Salt Typhoon have demonstrated that sophisticated breaches often rely on "classic" playbooks, exploiting known vulnerabilities in perimeter devices like firewalls and VPNs that already have patches available.

Develop a Robust Incident Response Plan

• If a breach does occur, the ultimate goal is to ensure your organization can recover at speed, turning a potential catastrophe into a manageable disruption. Implementing strong, off-site backups and network segmentation can help prevent lateral movement during an attack. An effective incident response plan is key. Such a plan should include a decision tree for notifications, responsibilities and authority, and it should be physically accessible. Relying solely on digital copies can be risky if they fall into the hands of cybercriminals. Most importantly, this plan should be tested to ensure it operates as desired.

Leverage AI for Defense

• Organizations should fight automation with automation, using AI-driven defense to neutralize AI-assisted threats and ensure speedier recovery. With AI playing a significant role in ransomware attacks, organizations must use AI-enabled tools for patch management and defense. Also, integrating AI into anti-social engineering education is crucial, focusing on training staff to identify AI-driven deepfakes.

Revise Security Playbooks

• Another result of AI is the accelerated speed at which attacks can now occur. It takes threat actors as little as 72 minutes to complete all steps from initial access to exploit because they are leveraging AI to orchestrate attacks. Organizations must update their SIEM or EDR rules and SOC playbooks to keep pace with these quicker, AI-driven threats, and address the challenges of threats such as shadow AI and prompt injections.

As ransomware continues to evolve, so too must our defenses. By recognizing the complexities of the current threat landscape and implementing strategic measures rooted in a deep understanding of AI and social engineering, organizations can stay one step ahead.

Blog post with links:
https://blog.knowbe4.com/fighting-ai-assisted-ransomware-threats-strategies

Securing the Hybrid Workforce: Protecting Humans and AI Agents in a New Era

The workforce has changed — your security strategy must evolve with it.

AI copilots, assistants and autonomous agents are now embedded across enterprise workflows, helping employees write code, summarize incidents, draft communications and analyze data. What began as productivity support has become a new class of digital colleagues.

But while AI accelerates innovation, it also expands risk. Attackers are already targeting the interaction layer between humans and AI — exploiting trust, influencing outputs and introducing new forms of social engineering.

Securing the Hybrid Workforce: Protecting Humans and AI Agents in a New Era explains how organizations can defend this emerging attack surface without slowing productivity.

In this whitepaper, you’ll learn how to:

• Understand the growing Human–AI attack surface
• Identify emerging threats including prompt injection and AI impersonation
• Reduce automation bias and strengthen digital mindfulness
• Apply a dual defense strategy to protect both humans and AI agents
• Gain visibility into AI usage with discovery, monitoring, detection and protection
• Implement scalable governance and policy controls for AI-enabled environments

AI is now part of your workforce. Your security program must evolve to protect both sides of the collaboration.

Download Now:
https://www.knowbe4.com/whitepapers/securing-the-hybrid-workforce-protecting-humans-and-ai-agents?utm_source=chn_email&utm_medium=email&utm_campaign=dg-ces-campaign-26&utm_content=securing_hybrid_workforce_wp

Let's stay safe out there.

PS: Last week we hosted a fantastic KB4-CON 2026. Keep an eye out for your on-demand availability announcement!

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-20-heads-up-today-you-have-only-60-seconds-to-stop-that-breach-are-you-ready

FTC: Americans Lost $2.1 Billion to Social Media Scams Last Year

A new report from the U.S. Federal Trade Commission (FTC) has found that Americans lost $2.1 billion in 2025 to scams that began on social media.

Nearly 30% of people who reported losing money to a scam said it started on social media, far outpacing other modes of contact. "Social media scams produced far more in losses—an eightfold increase since 2020—than any other contact method used by scammers to reach consumers, according to the new data," the FTC says.

"The Data Spotlight notes that social media creates easy access to billions of people from anywhere in the world, making a scammer’s job easier at very little cost. Scammers may hack a user’s account, exploit what a user posts to figure out how to target them, or buy ads and use the same tools used by real businesses to target people by age, interests or shopping habits."

The FTC says most of these scams began on Facebook, leading to around $794 million in losses. "Reports show that in 2025, people reported losing more money to scams that started on Facebook than on any other social media platform," the FTC says.

"WhatsApp and Instagram were a distant second and third. In 2025, people reported losing far more money to scams on Facebook alone than they reported losing to text or email scams."

The FTC notes that this data only includes losses that were reported, so the actual numbers are likely much higher. The Commission offers the following advice to help users avoid falling for scams:

• "Limit who can see your posts and contacts on social media. Visit your privacy settings to set some restrictions so scammers have less to work with.
• Never let someone you have met only on social media direct your investment decisions. Instead, learn more about spotting investment scams.
• Before you buy, check out the company. Search online for its name plus 'scam' or 'complaint'"

KnowBe4 empowers your workforce to make smarter security decisions every day.

The FTC has the story:
https://www.ftc.gov/news-events/news/press-releases/2026/04/new-ftc-data-show-people-have-lost-billions-social-media-scams

Report: Adversarial Use of AI is Evolving

Threat actors are increasingly augmenting their attacks with AI tools, according to researchers at Google’s Threat Intelligence Group (GTIG). For the first time, GTIG observed a threat actor using a zero-day exploit developed by AI, although Google blocked the attack before it succeeded.

Threat actors also continue to use Large Language Models (LLMs) for research, reconnaissance and malware development.

"Malicious adversaries' most common use case for LLMs mirrors that of standard users – they conduct research and troubleshoot tasks," the researchers write. "GTIG has observed a variety of threat actors engaging in this type of prompting to support research, reconnaissance and troubleshooting throughout various phases of the attack lifecycle.

"By automating intelligence gathering and task support, these interactions lower the barrier to entry for complex, multi-stage operations and enable threat actors to focus their human capital on the higher-order strategic elements of campaigns."

This allows threat actors to easily craft targeted phishing attacks based on employees’ roles within a targeted organization. "Adversaries frequently use LLMs to perform reconnaissance that would previously have required significant manual effort," the researchers write.

"For instance, we have observed actors prompting models to generate detailed organizational hierarchies for specific departments and third-party relationships of large enterprises, particularly those involving high-value functions like finance, internal security and human resources.

"This data allows for the creation of higher-fidelity phishing lures tailored to individuals with administrative privileges or access to sensitive data, moving beyond the commodity tactics of traditional bulk phishing."

Attackers are also boosting their malware development skills with the help of AI, enabling unskilled threat actors to launch sophisticated attacks.

"Adversaries are advancing their implementation of AI-enabled tooling, moving beyond content generation and tool development and into more sophisticated autonomous attack orchestration for malware commands," GTIG says. "Threat actors have begun relying on LLMs for interactive system navigation and real-time decision making.

"By integrating LLMs into malware operations, attackers can enable payloads to act autonomously, independently interacting with the victim environment or device, synthesizing system states and executing precise commands without human supervision."

These attacks will only grow more sophisticated as AI improves. Check out the brand new KnowBe4 Agent Risk Manager:

GTIG has the story:
https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access

What KnowBe4 Customers Say

"I wanted to share some feedback on the support we’ve received from James during our time working with him. He’s been a huge help to our team across several situations, especially when we needed quick clarity or were working through more complex issues.

"His responsiveness and ability to break things down in a practical, easy-to-understand way made a real difference for us.

"What stood out most is how consistent he’s been. No matter the ask, he’s been reliable, approachable and clearly invested in helping us be successful with the product.

"I appreciate the level of support he’s provided and wanted to make sure you were aware of the impact he’s had on our experience. - W.C., Security Analyst"

1. Signal adds security warnings for social engineering, phishing attacks:
   https://www.bleepingcomputer.com/news/security/signal-adds-security-warnings-for-social-engineering-phishing-attacks/
2. Instructure pays ransom after Canvas incident as Congress announces investigation:
   https://therecord.media/instructure-pays-ransom-canvas-incident-congress-investigation
3. UK moves to shield security researchers in cybercrime law overhaul:
   https://therecord.media/uk-moves-to-shield-security-researchers-cybercrime
4. Fired hacker twins forget to end Teams recording, capture own crimes:
   https://arstechnica.com/tech-policy/2026/05/fired-hacker-twins-forget-to-end-teams-recording-capture-own-crimes/
5. Deepfake sextortion forces schools to remove student photos from websites:
   https://www.malwarebytes.com/blog/family-and-parenting/2026/05/deepfake-sextortion-forces-schools-to-remove-student-photos-from-websites
6. OpenAI just confirmed it got hit in the TanStack npm supply chain attack:
   https://www.bleepingcomputer.com/news/security/openai-confirms-security-breach-in-tanstack-supply-chain-attack/
7. Criminals use stolen iPhones to launch phishing attacks:
   https://www.wired.com/story/your-iphone-gets-stolen-then-the-hacking-begins/
8. North Korea’s Lazarus Group uses social engineering to target the financial sector:
   https://foxitsecurity.wordpress.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/
9. FTC warns of scams targeting small businesses:
   https://consumer.ftc.gov/consumer-alerts/2026/05/run-small-business-pay-your-bills-not-scammers

This Week's Links We Like, Tips, Hints and Fun Stuff

• Virtual Vaca #1 - Exploring SAHARA Near Djanet:
  https://youtu.be/GtS8I2mj8wQ
• Virtual Vaca #2 - Top 25 Places To Visit in Greece - Travel Guide:
  https://youtu.be/f4wBcKc2j8s
• Virtual Vaca #3 - Ireland in 4K - Incredible Scenes & Uncovering Hidden Gems:
  https://youtu.be/E4y2nkchTxQ
• [Supercar Blondie] The Brabus Bodo is the most significant car the Bottrop-based tuner has unveiled in years! We need a bigger garage:
  https://www.youtube.com/watch?v=GqaAlA1creg
• [Current State of AI Graphics] Steampunk Cinderella: A Timeless Fairy Tale Reimagined:
  https://www.flixxy.com/steampunk-cinderella-a-timeless-fairy-tale-reimagined.htm?utm_source=chn&utm_medium=email
• Unitree Unveils: GD01, A Manned Transformable Mecha, from just $650,000. I want one:
  https://youtu.be/oWOyUMJWptc
• [MYTHBUSTERS CLASSIC] Can You Surf On Water Using Only Rockets?:
  https://youtu.be/wdJhtjAJ-6Y
• Wingsuit Flying Out of the Woods:
  https://youtu.be/8r8HSAnAL0g
• Best of the Week! People Are Awesome:
  https://www.flixxy.com/ordinary-people-extraordinary-skills-best-of-the-week.htm?utm_source=chn&utm_medium=email
• LockPickingLawyer [#1652] Why Your Lock Needs Balls… To Resist Drilling:
  https://youtu.be/knQFPY2FFfE
• Need some space? Ultra Massive Details HDR OLED TEST | 16K HDR Nature Video:
  https://youtu.be/b27_G3K0TjI
• Fantastic Wingsuit Flight along the Weisshorn:
  https://www.instagram.com/reels/DYShpfnC1fZ/
• For Da Kids #1 - Too Funny! This Naughty Baby Elephant is really Obsessed with This Chicken!:
  https://youtu.be/FwFarfLHj70
• For Da Kids #2 - Chased by a Leopard Seal in Antarctica:
  https://youtu.be/yrfuLF7sl_U
• For Da Kids #3 - Man does sweetest thing for tiny furball he found on street:
  https://youtu.be/UGNzjc1WPOU
• For Da Kids #4 - Street cat gets saved and now she's daddy's girl:
  https://youtu.be/23cMcFRNYLc
• For Da Kids #5 - Tiny Dog Rings Her Bell Every Time She Wants A Foot Rub From Dad:
  https://youtu.be/qGojyPfrsxY