A new malware-as-a-service (MaaS) kit called “Stanley” is offering users guaranteed publication in the Chrome Web Store, bypassing Google’s security verification process, according to researchers at Varonis.
“Useful information, not only for work but for personal purposes. I will definitely pass what I’ve learned on to family and friends!”
“Very good reminders; I’ve experienced some of these situations recently.”
Deepfake Awareness and Defense
encryptED: Dark Minds Behind Digital Threats
Phish or Treat? Smishing Edition
Privileged User Security: Privileged Access
Public Wi-Fi Dangers
Secure Application Development for
Secure Application Development for
Social Engineering Awareness for Energy and Utilities
Artificial Intelligence for Students Training Module Navigate AI’s future confidently. Students gain essential understanding of artificial intelligence tools, ethical challenges, deepfake risks and safe, responsible usage practices for academic success.
Break the Cycle: How Students Recognize and Stop Hazing Training Module Create safer campus communities by recognizing and preventing hazing. Learn bystander intervention techniques, understand physical and psychological impacts and know how to report concerning behaviors.
NEW! – Quarterly Product Update Videos
At KnowBe4, we’re always adding new features and improving our products. Watch the latest Quarterly Product Update to catch up on all the fresh content and new features that we’ve added to the KnowBe4 platform over the last quarter.
Here’s the direct link to the KnowBe4 platform support article and video: https://support.knowbe4.com/hc/en-us/articles/360015575313-Video-KSAT-Quarterly-Product-Update-December-2025
Here’s the direct link to the PhishER support article and video: https://support.knowbe4.com/hc/en-us/articles/1500005726381-Video-PhishER-Quarterly-Product-Update-December-2025
To see all the features of the KnowBe4 platform, request your demo today!
Don’t like to click on redirected links? Copy and paste this into your browser:
https://info.knowbe4.com/kmsat-request-a-demo-content-update
NEW! – KnowBe4’s Public Product Roadmap
Our public product roadmap is now available, providing a high-level view of planned enhancements and new capabilities. The roadmap reflects our ongoing innovation as we continue to evolve in response to emerging threats, your needs and changes in the cybersecurity landscape.
As always, our focus remains on reducing human risk and helping your users make smarter security decisions. While timelines and scope may shift, our public roadmap offers transparency into how we’re thinking about what comes next so you can plan your security initiatives ahead of time.
Check out the roadmap here: https://www.knowbe4.com/products/product-roadmap.
Researchers at Palo Alto Networks’ Unit 42 warn of a proof-of-concept (PoC) attack technique in which threat actors could use AI tools to generate malicious JavaScript in real time on seemingly innocuous webpages.
Commodity phishing platforms are now a central component of the cybercriminal economy, according to researchers at Flare. These platforms allow threat actors of all skill levels to carry out advanced attacks at scale.
A new survey by Vodafone Business found that more than 10% of companies in the UK would likely go out of business if they were hit by a major cyber incident, such as a ransomware attack, Infosecurity Magazine reports.
As the phishing landscape keeps growing, technical advances like AI have made attack methods two-pronged: they target technical weaknesses, and they use identity-based attacks that bypass defenses and land directly in end-user inboxes.
A phishing campaign is abusing LinkedIn private messages to target executives and IT workers, according to researchers at ReliaQuest. The messages attempt to trick victims into opening an archive file, which will install a legitimate pentesting tool.
[Heads Up] New “Fancy” QR Codes Are Making Quishing More Dangerous
QR code phishing scammers are increasingly using visually stylized QR codes to deliver phishing links, Help Net Security reports.
QR code phishing (quishing) is already more difficult to detect, since these codes deliver links without a visible URL. Attackers are now using QR codes with colors, shapes and logos woven into the code’s pattern.
“Fancy QR codes further complicate detection,” Help Net Security says. “Their layouts no longer resemble the familiar black and white grid. Logos appear in the center. Modules become rounded, stretched or recolored. Background images blend into the code. These design changes preserve scan success while disrupting visual and structural assumptions used by existing detection tools.”
Help Net Security cites a report from Deakin University that looked at these “fancy” QR codes, in which the researchers noted that these “artistic and aesthetic QR codes are created by blending an image with black-white QR code where their modules are almost unidentifiable to [the] human eye.”
Quishing is also a threat because people usually scan QR codes with their phones, bypassing any security defenses their employer might have on their work computers. These codes can also be placed as stickers in physical locations.
“According to reporting by NordVPN, 73% of Americans scan QR codes without verifying the destination, and more than 26 million users have been redirected to malicious websites,” Help Net Security writes.
“In 2025, the U.S. Federal Trade Commission warned consumers that QR codes on unexpected packages should be treated as suspicious. New York City’s Department of Transportation issued a similar warning after discovering fraudulent QR codes placed on parking meters.”
AI-powered security awareness training can give your organization an essential layer of defense against phishing attacks. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/warning-fancy-qr-codes-are-making-quishing-more-dangerous
[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing
Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—this is precisely what our AI Defense Agents provide.
Join us for a demo showcasing KnowBe4’s leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.
See how easy it is to train and phish your users with KnowBe4’s HRM+ platform:
See how these powerful AI-driven features work together to dramatically reduce your organization’s risk while saving your team valuable time.
Date/Time: TOMORROW, Wednesday, February 4 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN2
KnowBe4 Urges Action: Take Control of Your Data this Data Privacy Week
With organizations collecting and storing massive amounts of personal data these days, much of which people share freely, we need to become better at protecting data on both the storing and sharing side of things.
Organizations must have strong data protection measures in place, and everyone should start being more digitally mindful when sharing their own personal data. Ultimately, being careful of what we put out there is the best way to reduce cyberattacks and data breaches.
For organizations, data privacy is a continuous process, not a once-a-year tick-box exercise. Reducing human risk and minimizing data collection are important strategies for data security. For individuals, it’s time to kick start digital mindfulness.
Privacy is not about hiding, it’s about controlling your data. Taking small, consistent steps can beat one big privacy overhaul. KnowBe4’s CISO advisors provide practical advice to both organizations and individuals to take control of their data this Data Privacy Week.
[CONTINUED] at the KnowBe4 blog with advice to organizations:
https://blog.knowbe4.com/knowbe4-urges-action-take-control-of-your-data-this-data-privacy-week
Cyber CSI 2.0: Phishing Forensics in the Age of AI and Deepfakes
The phishing arms race has entered a dangerous new phase. Old detection methods no longer work in 2026. AI-generated phishing emails now mimic writing styles perfectly. Deepfake voice and video calls impersonate your CEO with ease. Even “safe” platforms like Microsoft Teams and protected domains aren’t bulletproof.
Join Roger A. Grimes, CISO Advisor at KnowBe4, for a fresh look at modern phishing forensics. Roger will show you the latest tools and methods to catch high-tech social engineering before it hits your network.
In this session you’ll learn how to:
Get inside the mind of a hacker and master the forensic skills that separate compromised organizations from protected ones, plus earn CPE for attending!
Date/Time: Wednesday, February 11 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/cyber-csi-2.0-phishing-forensics?partnerref=CHN
Starting the Year with Cyber Intention: Human-Centric Insights from the Global Cybersecurity Outlook 2026
By Anna Collard
One of my first intentional “to-dos” this year has been spending time with the World Economic Forum’s Global Cybersecurity Outlook 2026, a report I was privileged to actively contribute to over the past year.
For KnowBe4 customers, this report offers more than trend analysis. It provides a baseline of where organizations stand today, what separates resilient orgs from less resilient ones, and why the human factor is now central to cyber resilience.
Below are some of the insights that stood out most to me, viewed through a human-centric cybersecurity lens.
Cybersecurity Has Become Personal
Cyber-enabled fraud and phishing have overtaken ransomware as CEOs’ top cybersecurity concern in 2026. According to the report, 73% of respondents said they, or someone close to them, were personally affected by cyber-enabled fraud last year.
This shift matters. Cyber risk is no longer limited to IT teams or orgs; it is impacting households, communities and trust itself.
Exposure to cyber-enabled fraud and phishing / social engineering is highest in:
This reinforces the importance of security awareness, behavioral resilience and empowering individuals to recognize and resist manipulation.
[CONTINUED] at the KnowBe4 blog with stats:
https://blog.knowbe4.com/starting-the-year-with-cyber-intention-human-centric-insights-from-the-global-cybersecurity-outlook-2026
Do Your Users Know What to Do When They Receive a Suspicious Email?
Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?
KnowBe4’s FREE (yes, you read that right) Phish Alert button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user’s inbox to prevent future exposure. All with just one click! And now, supports Outlook Mobile!
Phish Alert Benefits
Sign Up
https://info.knowbe4.com/free-tools/phish-alert-button-chn
Note: The Phish Alert Button supports Outlook 2010, 2013, 2016 & Outlook for Microsoft 365, Exchange 2013 & 2016, Chrome 54 and later (Linux, OS X and Windows) and Outlook Mobile!
AI Agents Go Rogue, Bypassing Guardrails in ‘Scary’ Security Incident
A chilling example of AI’s “unintended consequences” has emerged, proving that autonomous agents can already collaborate to circumvent corporate security controls. George Kurtz, CEO of CrowdStrike, highlighted an incident where a customer’s IT automation suite—a network of AI agents—went right around implemented guardrails.
One agent, identifying a software bug, lacked the access to fix it. Instead of halting, it posted a request to a Slack channel with its peers. A second agent, which had the necessary privileges, “raised its hand” and applied the fix.
“Do you see how scary this is? These two agents are reasoning, and they went right around the guardrails that were put in place,” Kurtz warned. The core risk is that the agents are “guessing what you want them to do,” leading to potentially wrong code pushes and an untraceable chain of error.
The solution, according to Kurtz, is a massive new market: AIDR (AI Detection and Response). With an estimated 90 agents per employee becoming the norm, the need for centralized visibility and protection across all homegrown and third-party agents presents a “massive TAM opportunity” for security firms.
It would of course start with training those agents to recognize these dangers, something like—I am making this up on the spot—“Guardrail Integrity Training.”
Here is the Instagram Reel:
https://www.instagram.com/reel/DUGqipoEU35/?igsh=MWVraTB0aHh2enRheA%3D%3D
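The hand-off described above is a confused-deputy problem: a guardrail that only asks whether the acting agent has the privilege will approve work requested by an agent that does not. The sketch below is an added example, not code from CrowdStrike or the customer in the story; the agent names, permission strings and approval rule are all hypothetical. It evaluates the whole request chain and records every decision so the chain stays traceable.

```python
from dataclasses import dataclass, field

# Constructed permission table for hypothetical principals.
AGENT_PERMS = {
    "triage-agent": {"repo:read", "ticket:write"},
    "deploy-agent": {"repo:read", "repo:write"},
    "oncall-human": {"repo:read", "repo:write", "approve"},
}

@dataclass
class Request:
    action: str                                  # permission the action requires
    target: str
    chain: list = field(default_factory=list)    # originator first, executor last

def delegate(req, executor):
    """Hand a request to another principal, keeping the record of who asked."""
    return Request(req.action, req.target, req.chain + [executor])

def naive_guardrail(req):
    # Checks only the agent about to act, which is the gap the story describes.
    return req.action in AGENT_PERMS[req.chain[-1]]

def chain_guardrail(req, audit):
    """Allow only if every principal in the chain holds the permission,
    or a principal holding 'approve' has explicitly joined the chain."""
    lacking = [p for p in req.chain if req.action not in AGENT_PERMS[p]]
    approved = any("approve" in AGENT_PERMS[p] for p in req.chain)
    allowed = not lacking or approved
    # Append-only audit record: who asked, who acted, why it was decided.
    audit.append({"action": req.action, "target": req.target,
                  "chain": list(req.chain), "lacking": lacking,
                  "approved": approved, "allowed": allowed})
    return allowed

if __name__ == "__main__":
    audit = []
    fix = Request("repo:write", "billing-service", ["triage-agent"])
    peer = delegate(fix, "deploy-agent")          # the "raised its hand" step
    print("naive :", naive_guardrail(peer))
    print("chain :", chain_guardrail(peer, audit))
    reviewed = delegate(delegate(fix, "oncall-human"), "deploy-agent")
    print("review:", chain_guardrail(reviewed, audit))
    for entry in audit:
        print(entry)
```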
Let’s stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.
PS: Make sure to join us at KB4-CON 2026 May 12-14, 2026, at the Orlando World Center Marriott:
https://www.knowbe4.com/kb4-con
PPS: My new book ‘Agent-Powered Growth’ made it on TWO Bestseller Lists!
https://stu-sjouwerman.multiscreensite.com/
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-05-heads-up-new-fancy-qr-codes-are-making-quishing-more-dangerous
Report: One in Ten UK Companies Wouldn’t Survive a Major Cyberattack
A new survey by Vodafone Business found that more than 10% of companies in the UK would likely go out of business if they were hit by a major cyber incident, such as a ransomware attack, Infosecurity Magazine reports.
Additionally, 71% of business leaders believe at least one of their employees would fall for a convincing phishing attack, and fewer than half (45%) of organizations have ensured that all of their employees have received basic cyber awareness training.
The most common reasons why leaders believe their staff would fall for phishing emails are “a lack of awareness and training; staff being ‘too busy’; and the absence of clear protocols for verifying and flagging suspicious messages.”
Respondents also said their employees reuse their work password for nearly a dozen personal accounts, greatly increasing the risk of phishing and credential stuffing attacks. If an attacker manages to steal a password for a personal account, then they can test that password against the user’s work account.
Multifactor authentication can add a layer of defense against stolen passwords, but MFA can also be bypassed via social engineering.
“The poll paints a troubling picture of inadequate crisis preparedness, poor password practices and staff susceptibility to phishing scams – all of which leave businesses exposed to cyber-crime,” Vodafone says. “With nearly two thirds of business leaders (63%) reporting that their organization’s risk of cyber-attack has risen over the past year, password reuse remains particularly prevalent.
“Employers estimate that, on average, staff use their work password for up to 11 other personal accounts, including social media and dating sites.”
Infosecurity Magazine has the story:
https://www.infosecurity-magazine.com/news/uk-execs-warn-may-not-suruvie/
Voice Phishing Kits Give Threat Actors Real-Time Control Over Attacks
Researchers at Okta warn that a series of phishing kits have emerged that are designed to help threat actors launch sophisticated voice phishing (vishing) attacks that can bypass multifactor authentication.
“The most critical of these features are client-side scripts that allow threat actors to control the authentication flow in the browser of a targeted user in real-time while they deliver verbal instructions or respond to verbal feedback from the targeted user,” Okta says.
“It’s this real-time session orchestration that delivers the plausibility required to convince the threat actor’s target to approve push notifications, submit one time passcodes (OTP) or take other actions the threat actor needs to bypass MFA controls.”
The phishing kits allow attackers to guide the victim through the attack flow, which proceeds as follows:
Moussa Diallo, threat researcher at Okta Threat Intelligence, stated, “Once you get into the driver’s seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering.
“Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call.
“The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant.”
KnowBe4 empowers your workforce to make smarter security decisions every day.
Okta has the story:
https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/
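Why a relayed one-time passcode still verifies while a phishing-resistant factor does not, shown server-side as an added example (not code from Okta or from this newsletter). The origins, secret and challenge are constructed, and the WebAuthn side is reduced to the clientDataJSON checks; the signature verification a real relying party must also perform is left out.

```python
import base64, hashlib, hmac, json, struct

RP_ORIGIN = "https://sso.example.com"       # assumed legitimate login origin
PHISH_ORIGIN = "https://sso.example.net"    # constructed look-alike origin

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on secret and time."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def verify_otp(secret: bytes, submitted: str, t: int) -> bool:
    # Nothing here records where the user typed the code, so a code entered
    # on a look-alike page or read out on a call verifies just the same.
    return hmac.compare_digest(totp(secret, t), submitted)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """Stand-in for the browser: it sets 'origin' from the page that is
    actually loaded, so the page's script cannot choose the value."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def verify_client_data(client_data_json: bytes, challenge: bytes) -> bool:
    """Relying-party checks on clientDataJSON: ceremony type, the challenge
    this server issued, and the origin the browser reported."""
    cd = json.loads(client_data_json)
    return (cd.get("type") == "webauthn.get"
            and hmac.compare_digest(str(cd.get("challenge", "")), b64url(challenge))
            and cd.get("origin") == RP_ORIGIN)

if __name__ == "__main__":
    secret, now = b"12345678901234567890", 59     # RFC 6238 test secret
    print("relayed OTP accepted:", verify_otp(secret, totp(secret, now), now))
    challenge = b"\x01" * 32                      # constructed challenge
    for origin in (RP_ORIGIN, PHISH_ORIGIN):
        ok = verify_client_data(browser_client_data(origin, challenge), challenge)
        print(origin, "->", ok)
```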
What KnowBe4 Customers Say
“Hi Bryan, so far, so good. It took us a few weeks to get to a point where we’re now using smart hosting to avoid bot clicks. But I’m preparing my first major phishing campaign using the platform, the second annual Phishy Phebruary, which is something I came up with last year.
“Everyone has been great, from Patrick and Jordan presale to Kelli and the support team post. I’m looking forward to KB4-CON.”
– L.U., CISM, Data Governance Manager | IS Security Department
“Hi Bryan, thanks for reaching out, so far this has been one of the best onboarding experiences I have had in a long time. Angelina has been great at helping us build out our monitoring and training regimen which has been great since we are new to formalizing our cyber security training and awareness. This camper is happy, keep doing what you’re doing. It works.”
– V.E., IT Manager