CyberheistNews Vol 15 #16 [Scary] A New Real Cash Scam Sweeps Across the U.S. Warn Your Family and Friends!

[Scary] A New Real Cash Scam Sweeps Across the U.S. Warn Your Family and Friends!

By Roger Grimes.

Right now, today, thousands of people are being tricked into going to their banks or credit unions to withdraw large sums of cash and will give or send it to a complete stranger, never to see it again.

Many of the victims are in the prime of their lives, intelligent and consider themselves to be of above-average ability in spotting scams and scammers.

Each victim unknowingly gave large sums of their life savings to people they had never met. They were instructed to lie. They were instructed not to tell their spouses what they were doing. They were instructed not to trust any other law enforcement.

They were told their phones and even houses could be bugged. In their moment of personal weakness, it was them and the stranger on the phone against the world. They were convinced that what they were doing was needed to protect not only themselves and their families, but the entire world!

It is similar to the climactic ending of nearly every Hollywood action film…and for a little while…the victim accidentally gives themselves a starring role in the opposite of a feel-good movie.

Cash Bag Scamming

I'll call this type of social engineering attack "cash bag scamming" because the defining characteristic is that the scammer gets a big bundle of physical cash. The scam starts like this.

The victim is usually first contacted by a person pretending to be a legal representative of a prominent retail vendor, like Amazon. They will tell the victim a wild story like that their vendor account was compromised by terrorists and is being used by terrorists to facilitate terrorism.

The representative will make up some bogus transactions and ask the potential victim to confirm that these purported transactions were not really theirs.

Of course, they were not. They were made up.

The representative claims the transactions are not being charged to the victim, but says that the FBI, CIA, FTC, IRS or Secret Service (or some authoritative sounding federal law enforcement service) would like to talk to them and would it be OK for the representative to transfer them into the call. The victim agrees.

[CONTINUED] At the KnowBe4 Blog
https://blog.knowbe4.com/scary-a-new-real-cash-scam-sweeps-across-the-u.s.-warn-your-family-and-friends

Agentic AI Ransomware: What You Need to Know

Brace yourself for agentic AI ransomware — a terrifying fusion of cutting-edge tech and malicious intent that's set to redefine cyber threats as we know them. Unlike traditional ransomware, which follows pre-programmed rules, agentic AI ransomware can adapt its behavior in real time based on its environment and the defenses it encounters. Is your organization prepared?

Join us for this mind-blowing webinar where Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, pulls back the curtain on the looming threat of AI-powered ransomware. Don't let your organization become a case study in what NOT to do when faced with this new breed of ransomware!

You'll discover:

• Agentic AI and why it's keeping cybersecurity experts up at night
• A glimpse into the future: what agentic AI malware looks like and how it operates
• The terrifying mechanics behind agentic AI ransomware
• Battle-tested strategies to fortify your defenses against this AI-driven attack
• How to stay one step ahead with next-generation defense tactics against evolving AI threats

Don't be caught with your defenses down. Join us and arm yourself with strategies you need to protect your organization in this new era of AI-powered cyber warfare and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, April 23 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/agentic-ai-ransomware?partnerref=CHN2

How Does Human Risk Management Differ from Security Awareness Training?

In today's cybersecurity landscape, organizations face an ever-present and often underestimated threat: human risk.

Despite significant advancements in technological defenses, human error remains a leading cause of data breaches and security incidents. Multiple industry studies and research reports consistently show that between 70% and 90% of data breaches involve some form of human related cause — whether through social engineering, errors or misuse. It's why a recent study revealed that 74% of CISOs now consider human error their top cybersecurity risk.

SAT has been a long-held, well-established approach that has focused on education, awareness, testing and best practices. HRM, on the other hand, is a more comprehensive approach that aims to identify, quantify and mitigate risks associated with human behavior in a cybersecurity context.

And, while the term "Human Risk Management" may be relatively new, the concept itself represents years of evolution in understanding how to effectively address human-related security risks.

While some still use SAT and HRM interchangeably, these strategies are fundamentally different—and understanding how human risk management (HRM) is different from security awareness training (SAT) is key to building a more secure organization.

Security Awareness Training

SAT is a well-established approach that focuses on educating employees about cyber threats, organizational policies and best practices. SAT programs aim to raise awareness of risks like phishing, malware and social engineering attacks. These initiatives typically include video modules, quizzes and simulated phishing emails to test employee readiness.

SAT plays a critical role in establishing a security baseline. It ensures employees are informed about the threats they may encounter and the appropriate steps to respond. However, SAT alone doesn't always result in lasting behavior change. It often follows a one-size-fits-all model, delivering the same content to all employees regardless of their individual risk levels, job roles or digital behaviors.

As a result, while employees may know what to do, that knowledge doesn't always translate into action or different behavior. The gap between awareness and behavior is where SAT's limitations become evident, and represents the primary difference between SAT and HRM.

Human Risk Management: A Paradigm Shift

HRM represents a next-generation approach to managing human-related cybersecurity risks. Rather than simply educating employees, HRM aims to identify, quantify and mitigate those risks through a holistic, data-driven lens.

HRM has evolved over years of learning and iteration. Leading organizations like KnowBe4 were among the first to recognize that employees are not the "weakest link" in cybersecurity—they are a critical layer of defense. This shift in thinking marks a profound departure from traditional SAT, which sometimes unintentionally placed blame on users for mistakes.

How Is Human Risk Management Different from Security Awareness Training?

Let's break down some of the core differences between HRM and SAT across these topics, which are expanded on the blog.

1. From Awareness to Measurable Risk Reduction
2. From One-Size-Fits-All to Personalized Learning
3. From Static Training to Dynamic Defense
4. From Compliance-Driven to Behavior-Focused
5. From Reactive to Proactive Security Culture

[CONTINUED] at the KnowBe4 blog:
https://blog.knowbe4.com/how-does-human-risk-management-differ-from-security-awareness-training

The Outstanding ROI of KnowBe4's Human Risk Management Platform

Reducing the risk of a data breach is paramount, and the overwhelming majority of data breaches are due to human error. According to Verizon's Data Breach Investigations Report, 74% of all data breaches involved the human element.

It's why security awareness training and security orchestration platforms are critical at reducing risk, protecting data and ensuring regulatory compliance. They now represent one of the best return on investments for your organization's infosec budget.

Download this guide to understand:

• The cost savings and productivity gains of KnowBe4's SAT, Compliance Plus and PhishER Plus products
• The overall risk reduction of a data breach or ransomware attack
• How you can decrease your cyber insurance premiums
• The 3-year ROI and annual benefits

Download Now:
https://info.knowbe4.com/hobson-outstanding-roi-knowbe4-hrm-platform-chn

AI-Powered Spear Phishing Can Now Outperform Human Attackers

Researchers at Hoxhunt have found that AI agents can now outperform humans at creating convincing phishing campaigns.

The researchers state that in 2023, AI-powered phishing was 31% less effective than humans. In November 2024, it was 10% less effective than humans. Then in March 2025, the AI was 24% more effective than humans.

"This public finding could be considered an inflection point for the threat landscape," the researchers state. "AI's superiority in social engineering will transform cybersecurity risks, attacks and defenses. Advances in AI Large Language Models are simultaneously disrupting the social engineering landscape and the cybersecurity training category.

"The co-evolution of attacks and protections must be considered when evaluating the rising threat of blackhat generative AI applications."

Currently, these types of sophisticated AI-powered attacks are limited to targeted spear phishing campaigns. However, commodity phishing kits will likely incorporate these features at some point in the near future.

"It is only a matter of time until AI agents disrupt the phishing landscape," the researchers write. "For now, there are many anecdotal media accounts of highly targeted, sophisticated AI spear phishing attacks that leveraged AI. These are typically bespoke campaigns.

"Soon, the phishing-as-a-service market will shift to mass adoption of AI Spear Phishing Agents. Once that happens, the baseline quality and effectiveness of mass phishing campaigns will rise to a level we currently equate with targeted spear phishing attacks."

Organizations should begin preparing now for unskilled cybercriminals to gain access to these sophisticated AI capabilities.

"Disruption happens gradually and then all at once, to paraphrase Clayton Christensen," the researchers write. "We must be prepared for when the inevitable disruption to the phishing-as-a-service market occurs, as AI-generated phish become more effective, easier to adopt and ultimately more lucrative for criminals."

New-school security awareness training can help your employees keep up with evolving social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links here:
https://blog.knowbe4.com/ai-powered-spear-phishing-can-now-outperform-human-attackers

Can You Be Spoofed?

Are you aware that one of the first things hackers attempt is whether or not they can spoof the email address of someone in your domain?

This is how "CEO fraud" spear-phishing attacks are launched on your organization. Such attacks are hard to defend against, unless your users know what to look for.

Are your email servers vulnerable to spoofing? KnowBe4 can help you find out with our free Domain Spoof Test. It's quick, easy and often a shocking discovery.

Find out now if your email server is configured correctly, many are not!

• This is a simple, non-intrusive "pass/fail" test
• We will send a spoofed email "from you to you"
• If it makes it through into your inbox, you know you have a problem
• You'll know within 48 hours!

Try to Spoof Me!
https://info.knowbe4.com/domain-spoof-test-1-chn