Sunday, June 8, 2025

The Danish and Swedish Password Problem



CyberheistNews Vol 15 #13  |   April 1st, 2025


Why Password Security Matters: The Danish and Swedish Password Problem

By Martin Kraemer

Organizations and individuals alike face a constant barrage of cyber threats, and often the weakest link in our defenses is something as simple as a password.

Recently, KnowBe4 shed light on a concerning trend in Denmark and Sweden: a significant number of employees are not using strong passwords. Given that people are the primary target for cybercriminals, weak passwords expose both employees and their organizations to serious cyber threats.

Employee Password Habits: A Closer Look

Our research conducted in Denmark and Sweden paints a worrying picture of employee password habits. In Denmark, nearly 20% of employees admit to using short passwords because they are easier to remember. Alarmingly, 8% use the same password for all their accounts.

In Sweden, while slightly better, 13% use short passwords, and almost 6% reuse them. Even more concerning is the lack of awareness about multi-factor authentication (MFA). Over a third of Danish employees and 11% of Swedish employees do not know what MFA is.

Driving Password Security Practices

A major part of building a strong security culture is ensuring employees consistently create strong passwords and understand their critical role in cybersecurity. Short or simple passwords are easy for cybercriminals to crack, which can lead to unauthorized access to personal and work accounts.

This can result in data breaches, identity theft and financial losses for individuals. For organizations, compromised employee accounts can be gateways for larger attacks, potentially leading to data theft, ransomware and reputational damage.

Making Security Simple and Sustainable

So, what can be done? It starts with the basics:

1) Encourage Password Managers: These tools generate and securely store complex passwords. While 40% of Danes and nearly 49% of Swedes have access to password managers, only a tiny fraction actively use them. Making their use mandatory and providing training can significantly improve security. Low adoption leads to password reuse, which amplifies the impact of a single compromised password.

2) Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security to the login process, acting as a second lock on your digital door. Despite its effectiveness, only 41% of Danes and 49% of Swedes use MFA. This lack of usage leaves accounts highly vulnerable when passwords are compromised. For organizations, it means an increased risk of data breaches and fraud.

How many users in your org use weak passwords?

Blog post with links:
https://blog.knowbe4.com/why-password-security-matters-the-danish-and-swedish-password-problem

Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering is the #1 cyber threat to your organization. 68% of all data breaches are caused by human error.

Join us for a live demonstration of KnowBe4 in action. See how we safeguard your organization from sophisticated social engineering threats using the most comprehensive human risk management platform.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Artificial Intelligence Defense Agents allows you to personalize security training, reduce admin burden, and elevate your human risk management strategy
  • NEW! SmartRisk Agent provides actionable data and metrics to help you lower your organization’s human risk score
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • Smart Groups allows you to use employees’ behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, April 2, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/kmsat-demo-1?partnerref=CHN2

Amount of Money Requested in BEC Attacks Nearly Doubled in Q4 2024

The average amount of money requested in business email compromise (BEC) attacks spiked to $128,980 in the fourth quarter of 2024, according to the Anti-Phishing Working Group’s (APWG’s) latest report.

That is nearly double the amount requested during Q3 2024. The researchers found that Gmail accounts were used to launch 81 percent of BEC scams last quarter. The report also warns of a surge in SMS phishing scams impersonating toll operators in the US, driven by a popular Chinese phishing kit.

“Residents of the US are being bombarded with text messages from Chinese phishers, purporting to come from U.S. toll road operators, including the multi-state EZPass system,” the researchers write. “The messages warn recipients that they face fines or loss of their driving license if they do not pay their tolls online.

“Researchers have found that this ‘smishing’ (SMS phishing) is enabled by an upgraded phishing kit sold in China, which makes it simple to send text messages and launch phishing sites that spoof toll road operators in multiple U.S. states. The phone numbers that the phishers send the messages to are usually random—they are often sent to people who do not use toll roads at all, or target users in the wrong state.”

The APWG members observed just under one million phishing attacks in Q4 2024, indicating a steady increase over the course of the year. The SAAS/Webmail category was the most frequently attacked sector, accounting for 23.3 percent of all phishing attacks. Social media came in second, with 22.5% of phishing attacks.

New-school security awareness training gives your organization an essential layer of defense against phishing attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/amount-of-money-requested-in-bec-attacks-nearly-doubled-in-q4-2024

Taming the Hacker Storm: Your Framework for Defeating Cybercriminals and Malware

Are you ready to turn the tables on cybercriminals and their malicious minions? Forget those so-called “next-gen” solutions that barely make a dent — it is time for a revolution in cybersecurity that will send hackers running for the hills!

Join us for this webinar as Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist and cyber-visionary, unveils a groundbreaking framework that could change the face of internet security forever. Drawing from his latest book, “Taming the Hacker Storm: A Framework for Defeating Hackers and Malware,” Roger will take you on an exhilarating journey and real-world approach to a future where cybercrime is on its last legs.

In this webinar, you will discover:

  • The shocking truth behind the internet’s Achilles’ heel — and how we can fortify it
  • A blueprint for a new internet ecosystem that will make hackers’ heads spin
  • Cutting-edge technologies and protocols that could be the silver bullet you have been waiting for
  • Your role in the cyber revolution and how to become a hero in the fight against digital villains
  • Why arming your workforce with this knowledge is the ultimate power move for your security culture

Tired of playing defense? It is time to go on the offensive! Join us for this mind-bending session and earn CPE credit while learning how to turn the tide in the cyber war.

Date/Time: Wednesday, April 9 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/taming-the-hacker-storm?partnerref=CHN

Surge in Phishing Attacks Hijacking Legitimate Microsoft Communications

A KnowBe4 Threat Lab Publication

On March 3, 2025, the KnowBe4 Threat Labs team observed a massive influx of phishing attacks originating from legitimate Microsoft domains.

KnowBe4 Defend detected activity starting on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply[@]microsoft.com were recorded within a 30-minute window.

To carry out this attack, threat actors set up mail routing rules that automatically forwarded legitimate Microsoft invoices to recipients, using sophisticated techniques to include their payload while maintaining authentication integrity (including passing DMARC).

This spike comes amid a rise in the exploitation of trusted platforms like DocuSign, PayPal, Google Drive and Salesforce for phishing emails. Notably, by leveraging Microsoft, cybercriminals are increasing the deliverability and legitimacy of their attacks, making detection and prevention more difficult for both users and security systems.

While we observed a surge of these attacks within a 30-minute window, this was likely due to a delay in Microsoft processing the high volume of emails. However, the attack likely continued for hours on this day, affecting thousands of individuals outside our customer base.

Quick Attack Summary:

All attacks analyzed in this campaign were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Labs team.

  • Vector and Type: Email phishing
  • Techniques: Social engineering and legitimate brand hijacking
  • Targets: Global Microsoft Customers

In this attack, cybercriminals hijacked a legitimate Microsoft invoice and used mail flow rules to auto-forward it to thousands of recipients. By setting up their own Microsoft domain, the attackers ensured the emails passed authentication protocols.

They then embedded a fake organization name as their own, which appeared in the body of the email, to socially engineer the victim into calling the number present in that “name.” Apart from this, the attacks had no other payload, and all links present are legitimate.
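As an added defender-side illustration (not KnowBe4 Defend’s detection logic), the check below looks for the lure this campaign relies on, a phone number carried in the sender display name or paired with “call” wording in the body, and reports it next to the DMARC verdict, which stays “pass” for the hijacked invoice. The two sample messages, the phone-number pattern and the simplified Authentication-Results parsing are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# US-style phone number, e.g. 1-800-555-0199, (800) 555-0199, 800.555.0199
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Wording that turns a phone number into a callback lure
CUE_RE = re.compile(r"\b(?:call|phone|dial|contact)\b", re.IGNORECASE)

def dmarc_result(msg):
    """dmarc=... from Authentication-Results (simplified: first match wins)."""
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1) if m else None

def phone_in_display_name(msg):
    """A phone number inside the From display name serves no delivery purpose."""
    name, _addr = parseaddr(msg.get("From", ""))
    return bool(PHONE_RE.search(name))

def callback_lure_in_body(msg):
    """A body line that pairs a phone number with call/contact wording."""
    body = msg.get_payload()
    if not isinstance(body, str):   # multipart mail is out of scope here
        return False
    return any(PHONE_RE.search(line) and CUE_RE.search(line)
               for line in body.splitlines())

def assess(raw):
    """Return the DMARC verdict alongside the lure findings for one raw message."""
    msg = message_from_string(raw)
    reasons = []
    if phone_in_display_name(msg):
        reasons.append("phone number in From display name")
    if callback_lure_in_body(msg):
        reasons.append("callback number paired with call wording in body")
    return {"dmarc": dmarc_result(msg), "lure": bool(reasons), "reasons": reasons}

# Constructed samples for this example; not messages from the real campaign
LURE = """\
From: "Contoso Billing Call 1-800-555-0199" <microsoft-noreply@microsoft.com>
Authentication-Results: mx.example.net; dmarc=pass header.from=microsoft.com
Subject: Your Microsoft invoice is ready

Organization: Contoso Billing Support. Call 1-800-555-0199 about this invoice.
Your invoice is attached.
"""
LEGIT = """\
From: "Microsoft" <microsoft-noreply@microsoft.com>
Authentication-Results: mx.example.net; dmarc=pass header.from=microsoft.com
Subject: Your Microsoft invoice is ready

Your invoice for March is attached.
"""
```

Both samples report dmarc=pass; only the content check separates them, which is the point of the campaign.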

[CONTINUED] Blog post with attack examples, links and screenshots:
https://blog.knowbe4.com/surge-in-phishing-attacks-hijacking-legitimate-microsoft-communications

[WHITEPAPER DOWNLOAD] 7 Best Practices For Implementing Human Risk Management

In cybersecurity, the biggest and most overlooked threat is human risk.

With human error accounting for 68% of data breaches, managing human risk is not just important — it is essential.

That is why human risk management (HRM) has become a critical part of modern security strategies. Effective HRM goes beyond awareness training by taking a data-driven, behavior-focused approach to reducing human risk.

Download this whitepaper to learn:

  • Why HRM demands a strategy that blends technology, psychology and continuous adaptation
  • The seven best practices to effectively implement a strong HRM program that drives behavioral change and strengthens your security culture
  • How to strengthen your security culture by reducing human risk

Download Now:
https://info.knowbe4.com/7-best-practices-for-implementing-human-risk-management-chn

Let’s stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: eSecurity Planet has named KnowBe4 to its list of Top 20 Cybersecurity Companies You Need to Know in 2025. (Two things are incorrect though, our yearly sales and the Glassdoor rating are both much higher :-D)
https://www.esecurityplanet.com/cybersecurity/top-cybersecurity-companies/

Quotes of the Week

“What you think, you become. What you feel, you attract. What you imagine, you create.”
– Buddha


“Art, freedom and creativity will change society faster than politics.”
– Victor Pinchuk – Businessman and Philanthropist (born 1960)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-13-why-password-security-matters-the-danish-and-swedish-password-problem

Security News

Be Vigilant: Even Security Pros Can Fall for Phishing Attacks

Troy Hunt, a security expert who runs the “Have I Been Pwned” breach monitoring site, disclosed that a phishing email tricked him into handing over his MailChimp credentials.

The email appeared to be a MailChimp notification informing him that his account had been flagged for spam. The message contained a link to review his account, which led to a phishing page.

Hunt notes that he had two-factor authentication (2FA) enabled on his account, but the attackers were able to bypass this measure. While 2FA is a critical layer of defense, users should be aware that attackers can still use social engineering to get around it.

“I went to the link which is on mailchimp-sso[.]com and entered my credentials which – crucially – didn’t auto-complete from 1Password,” Hunt explains. “I then entered the OTP and the page hung. Moments later, the penny dropped, and I logged onto the official website, which Mailchimp confirmed via a notification email which showed my London IP address…

“I immediately changed my password, but not before I received an alert about my mailing list being exported from an IP address in New York. And, moments after that, the login alert from the same IP. This was clearly highly automated and designed to immediately export the list before the victim could take preventative measures.”

Hunt explains that he was jetlagged at the time, which contributed to the lapse in judgment. “Firstly, I’ve received a gazillion similar phishes before that I’ve identified early, so what was different about this one?” Hunt says.

“Tiredness was a major factor. I wasn’t alert enough, and I didn’t properly think through what I was doing. The attacker had no way of knowing that (I don’t have any reason to suspect this was targeted specifically at me), but we all have moments of weakness and if the phish times just perfectly with that, well, here we are.”

Hunt adds that the phishing email was well-written and believable, with proper grammar and MailChimp branding. “Secondly, reading it again now, that’s a very well-crafted phish,” Hunt writes. “It socially engineered me into believing I wouldn’t be able to send out my newsletter so it triggered ‘fear’, but it wasn’t all bells and whistles about something terrible happening if I didn’t take immediate action. It created just the right amount of urgency without being excessive.”

Troy Hunt has the story:
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

[Train Those Users] Phishing-as-a-Service Attacks are on the Rise

Phishing-as-a-service (PhaaS) platforms drove a surge in phishing attacks in the first two months of 2025, according to researchers at Barracuda. PhaaS platforms, which provide criminals with a ready-made kit for launching advanced phishing attacks, were responsible for more than one million attacks in January and February.

Three PhaaS platforms accounted for the majority of these attacks, with the Tycoon 2FA kit dominating the market. “Tycoon 2FA was the most prominent and sophisticated PhaaS platform active in early 2025,” Barracuda says. “It accounted for 89% of the PhaaS incidents seen in January 2025.

“Next came EvilProxy, with a share of 8%, followed by a new contender, Sneaky 2FA with a 3% share of attacks.” Sneaky 2FA is a new phishing platform that emerged earlier this year. The tool targets Microsoft 365 accounts and can bypass multifactor authentication.

Barracuda explains, “Targets receive an email that contains a link. If they click on the link, it redirects them to a spoofed, malicious Microsoft login page. The attackers check to make sure the user is a legitimate target and not a security tool before pre-filling the fake phishing page with the victim’s email address by abusing Microsoft 365’s ‘autograb’ functionality.

“The attack toolkit is sold as-a-service by the cybercrime outfit, Sneaky Log. It is called Sneaky 2FA because it can bypass two factor authentication. Sneaky 2FA leverages the messaging service Telegram and operates as a bot.”

Barracuda notes that employee training can provide an important layer of defense against phishing attacks. “Security awareness training for employees that helps them to understand the signs and behaviors of the latest threats is also important,” the researchers write.

“Encourage employees to report suspicious-looking Microsoft/Google login pages. If you find them, undertake an in-depth log analysis and check for MFA anomalies.”

KnowBe4 empowers your workforce to make smarter security decisions every day.

Barracuda has the story:
https://blog.barracuda.com/2025/03/19/threat-spotlight-phishing-as-a-service-fast-evolving-threat
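Hunt’s account above (a London login, then an export and a login from a New York IP within moments) and Barracuda’s advice to “check for MFA anomalies” both come down to the same log analysis: watch for actions that do not line up with the user’s latest login. The detector below is an added example, not Mailchimp’s or Barracuda’s tooling; the audit events, IP addresses, the 10-minute threshold and the list of sensitive actions are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds for this example, not any vendor's defaults
LOGIN_GAP = timedelta(minutes=10)      # two logins from different places closer than this
SENSITIVE = {"list_export", "api_key_created"}   # actions worth matching to a login

# Constructed audit events modelled on the sequence Hunt describes; not real log data.
# Documentation IP ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) are used.
EVENTS = [
    {"ts": "2025-03-25T10:00:00+00:00", "user": "troy", "event": "login_success",
     "ip": "203.0.113.10", "geo": "London"},
    {"ts": "2025-03-25T10:00:40+00:00", "user": "troy", "event": "list_export",
     "ip": "198.51.100.7", "geo": "New York"},
    {"ts": "2025-03-25T10:01:05+00:00", "user": "troy", "event": "login_success",
     "ip": "198.51.100.7", "geo": "New York"},
    {"ts": "2025-03-25T11:00:00+00:00", "user": "pat", "event": "login_success",
     "ip": "192.0.2.44", "geo": "Oslo"},
    {"ts": "2025-03-25T11:05:00+00:00", "user": "pat", "event": "list_export",
     "ip": "192.0.2.44", "geo": "Oslo"},
]

def find_anomalies(events):
    """Return alert strings for a list of audit events.
    Rule 1: a sensitive action from an IP that differs from the user's latest login IP
            (the export that reached Hunt before the attacker's own login alert).
    Rule 2: two successful logins from different locations inside LOGIN_GAP
            (London followed by New York within about a minute)."""
    alerts = []
    last_login = {}   # user -> (timestamp, ip, geo)
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        prev = last_login.get(user)
        if e["event"] == "login_success":
            if prev and prev[2] != e["geo"] and ts - prev[0] < LOGIN_GAP:
                gap = int((ts - prev[0]).total_seconds())
                alerts.append(f"{user}: login from {e['geo']} {gap}s after login from {prev[2]}")
            last_login[user] = (ts, e["ip"], e["geo"])
        elif e["event"] in SENSITIVE and (prev is None or prev[1] != e["ip"]):
            alerts.append(f"{user}: {e['event']} from {e['ip']} with no matching login")
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(EVENTS):
        print(alert)
```

An AitM kit such as the ones described replays a stolen session from its own infrastructure, so the session IP rarely matches the victim’s interactive login; that mismatch, not the MFA prompt, is where the log evidence sits.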

What KnowBe4 Customers Say

“Hi Stu, I am happy to share that we are very satisfied with the training and phishing service. It has proven to be a valuable tool for raising awareness and strengthening our team’s security posture. The results have been positive, and the team appreciates the practical and engaging approach of the service.

“We are excited to continue working with you and look forward to seeing how the service evolves in the future. Please don’t hesitate to reach out if there is anything new or additional you think could benefit us further.”

– P.T., Director Information Technology

The 10 Interesting News Items This Week

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff
