CyberheistNews Vol 15 #26 | July 1st, 2025
[My Clicking Time Bomb] What Do I Do About the Repeat Clickers?
By Bex Bailey
I recently had several conversations about repeat clickers. First with a Forrester analyst and then, shortly after, at KB4-CON Orlando following a presentation on the topic by Matthew Canham, Executive Director of the Cognitive Security Institute.
After that, my approach was a little less organic: intrigued by the subject, I spoke with several KnowBe4 customers to learn how they handle repeat clickers.
The term "repeat clickers" is fairly self-explanatory: they are the people who regularly click on suspicious links in emails – whether in phishing simulations or, more dangerously, in actual phishing attacks. This is more than the occasional error.
Here, we are talking about the same names that frequently come up as having interacted with simulations or caused a security incident. Repeat clickers represent a significant cybersecurity risk to their organizations. At the same time, they are often among the most valued employees.
The challenge, then, is how to reduce this risk in a fair and just way that keeps these individuals invested in their work.
The Disproportionate Risk and Return of Repeat Clickers
Canham's research into this area is fascinating. In a pilot study, he defined repeat clickers as people who interacted with three or more phishing simulations.
He determined:
- While only 0.83% of participants fell into this category
- They were nearly 10 times more likely to interact with a simulation than the broader group
Let's just pause there. Repeat clickers are, typically, less than 1% of the employee base, yet they represent 10 times the phishing risk of other employees. During his presentation at KB4-CON, Canham also highlighted that these individuals are often of significant value to their organizations, frequently holding high-ranking positions.
He cited one example of a known repeat clicker who interacted with a real phishing attack, leading to a cyber incident. This individual also happened to be a Nobel Prize winning scientist.
Similarly, one of the customers I spoke to (anonymously) described a concerning repeat clicker they had in their organization: a senior employee who is an incredible asset to the company and who, pretty much, used to click every link in every email – including phishing simulations on subjects completely unrelated to their role.
It is not just the business value these people represent. The same research study from Canham (rather logically) states that mitigating this disproportionate risk can offer a substantial return on investment (ROI). You just have to get your repeat clickers to stop clicking.
There's Something Different About Repeat Clickers
When anyone receives a phishing email (real or simulated), certain factors come into play. Some of these change on a case-by-case basis, such as context (e.g. someone might be more susceptible on a day when they are rushing) or the social engineering techniques used.
Then there are stable factors (things that are less likely to change), which Canham lists in his research as cultural influences and individual traits – with the latter described as "the primary factor" in repeat clicking.
In a later study, Canham begins to unpack some of these traits – and shares what is probably my favorite anecdote from his research. At the other end of the spectrum from repeat clickers is a group labeled "protective stewards", who always identify phishing simulations and habitually report them.
Canham asked both groups to remember a code word of their choosing – such as a pet's name. In later interviews, all protective stewards remembered their code words while all repeat clickers forgot theirs!
Tying into this, repeat clickers also struggled to recall the phishing simulations they interacted with, although this could partly be due to embarrassment.
The research begins to demonstrate the cognitive differences between the people who exhibit the most desirable cybersecurity behaviors (not interacting with simulations and reporting them) and those who repeatedly exhibit the least desirable ones (repeated interactions that go unreported).
In addition to forgetfulness, repeat clickers also seem to have:
- A more internally oriented locus of control, meaning they feel more in control of their own destiny
- High confidence (which I think we can safely call "overconfidence") in their ability to detect phishing emails
- A lack of distrust or skepticism (making them more susceptible to social engineering attacks)
- Rigid, rather than adaptive, email habits – like the individual mentioned earlier, who clicks on links in all emails seemingly on autopilot
It is easy to see how this explosive cocktail of traits combines to cause someone to repeatedly interact with phishing emails. Ultimately, many of these factors are deeply ingrained – but they can be influenced with the right approaches.
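To make the definitions above concrete, here is an added Python example (it is not from the newsletter and not from Canham's research) that tallies phishing-simulation results per user, flags repeat clickers using the pilot study's three-or-more-clicks definition, flags protective stewards as users who never click and habitually report, and computes the repeat-clicker cohort's share of the population and how much more likely it is to click than everyone else. The event format, the user names and outcomes, and the report threshold of three used for stewards are assumptions made for this example.

```python
"""Flag repeat clickers and protective stewards from phishing-simulation results.

Added example, not KnowBe4 code and not Canham's study. The input format,
user names and every outcome below are constructed; the click threshold of
three follows the article, the report threshold of three is an assumption.
"""
from collections import defaultdict

OUTCOME = {"C": "clicked", "R": "reported", "I": "ignored"}


def _rows(user, pattern):
    """Expand a per-campaign outcome string (one letter per simulation) into
    (user, campaign, outcome) tuples. Campaign ids are made up."""
    return [(user, f"sim-{i + 1:02d}", OUTCOME[ch]) for i, ch in enumerate(pattern)]


# Constructed sample: eight users, five simulations each.
SAMPLE_EVENTS = (
    _rows("alice", "CCCIC")    # clicked 4 of 5: a repeat clicker
    + _rows("bob", "CRRII")
    + _rows("carol", "RRRRR")  # never clicked, always reported: a steward
    + _rows("dave", "IIIII")   # never clicked, but never reported either
    + _rows("erin", "CIIII")
    + _rows("frank", "RRRRI")  # steward
    + _rows("grace", "CCIII")  # two clicks: below the threshold
    + _rows("heidi", "RRRII")  # steward, exactly at the report threshold
)


def tally(events):
    """Per-user counts of clicked / reported / ignored plus total simulations."""
    stats = defaultdict(lambda: {"clicked": 0, "reported": 0, "ignored": 0, "total": 0})
    for user, _campaign, outcome in events:
        stats[user][outcome] += 1
        stats[user]["total"] += 1
    return dict(stats)


def repeat_clickers(stats, min_clicks=3):
    """Users who clicked in at least min_clicks simulations (the pilot-study definition)."""
    return sorted(u for u, s in stats.items() if s["clicked"] >= min_clicks)


def protective_stewards(stats, min_reports=3):
    """Users who never clicked and reported at least min_reports simulations."""
    return sorted(u for u, s in stats.items()
                  if s["clicked"] == 0 and s["reported"] >= min_reports)


def cohort_risk(stats, min_clicks=3):
    """Compare the repeat-clicker cohort with everyone else.

    Returns (share_of_population, cohort_click_rate, others_click_rate,
    relative_likelihood). The last value is None when nobody outside the
    cohort clicked, because the ratio is then undefined rather than infinite."""
    cohort = set(repeat_clickers(stats, min_clicks))
    others = [u for u in stats if u not in cohort]

    def rate(users):
        clicks = sum(stats[u]["clicked"] for u in users)
        total = sum(stats[u]["total"] for u in users)
        return clicks / total if total else 0.0

    share = len(cohort) / len(stats) if stats else 0.0
    cohort_rate = rate(cohort)
    others_rate = rate(others)
    relative = cohort_rate / others_rate if others_rate else None
    return share, cohort_rate, others_rate, relative


if __name__ == "__main__":
    s = tally(SAMPLE_EVENTS)
    share, c_rate, o_rate, rel = cohort_risk(s)
    print("repeat clickers:", repeat_clickers(s))
    print("protective stewards:", protective_stewards(s))
    print(f"{share:.1%} of users, clicking {rel:.1f}x as often as the rest")
```

On the constructed data the cohort is one user in eight, clicking seven times as often as everyone else; the relative-likelihood figure is the same kind of number as the "nearly 10 times" in Canham's pilot. In practice the events would come from the simulation platform's export, and the interesting follow-up is whether the same names also appear in real incident tickets, which is what the article's customers were describing.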
[CONTINUED] on the KnowBe4 blog:
https://blog.knowbe4.com/a-clicking-time-bomb-what-to-do-about-repeat-clickers
[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing
Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training: that is exactly what our AI Defense Agents provide.
Join us for a demo showcasing KnowBe4's innovative approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.
See how easy it is to train and phish your users with KnowBe4's HRM+ platform:
- SmartRisk Agent™ – Generate actionable data and metrics to help you lower your organization's human risk score
- Template Generator Agent – Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
- Automated Training Agent – Automatically identify high-risk users and assign personalized training
- Knowledge Refresher Agent and Policy Quizzes Agent – Reinforce your security program and organizational policies.
- Enhanced Executive Reports – Track user actions, visualize trends, download widgets, and use improved searching/sorting to provide deeper insights and streamline collaboration
See how these powerful AI-driven features work together to dramatically reduce your organization's risk while saving your team valuable time.
Date/Time: Wednesday, July 9, @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/kmsat-demo-1?partnerref=CHN2
Europol Warns of Social Engineering Attacks
Social engineering remains a primary initial access vector for cybercriminals, according to a new report from Europol.
"Social engineering, which exploits human error to gain access to systems or personal information, stands out as a prominent technique used by criminal actors in this context," Europol says.
"Initial Access Brokers (IABs) have been increasingly focused on using such techniques for the acquisition of valid account credentials as an entry point to the victims' systems.
"This initial access can then be leveraged in a multitude of ways by criminal actors. For example, access credentials for remote services are widely used by ransomware groups and their affiliates to compromise corporate networks, which can lead to data theft (exfiltration) and the deployment of ransomware."
The report also warns of a surge in infostealer malware, allowing criminals to gather information that can be used in future attacks.
"Phishing techniques are the main vector for the distribution of infostealers," Europol says. "Criminals use a variety of methods to achieve this, including sending emails, text messages, or messages on social media that contain malicious attachments or URLs which introduce malware into the victim's system.
"Malicious websites are also propagated through search engine advertising tools and search engine optimization (SEO) poisoning. In the latter case, criminals manipulate web search results to lead users to websites containing malware."
Europol also notes that AI tools have increased the effectiveness of social engineering attacks, enabling threat actors to easily generate convincing lures.
"The efficacy of many of the aforementioned social engineering techniques has been improved by the wider adoption of LLMs and other forms of generative artificial intelligence (genAI)," the researchers write. "Phishing texts and scripts, generated to incorporate the language and cultural nuances of the victims' location, can increase the efficacy of campaigns.
"Recent research on the subject indicates that phishing messages generated by LLMs have a significantly higher click-through rate than those likely written by humans."
KnowBe4's Human Risk Management empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/europol-warns-of-social-engineering-attacks
2025 Ransomware Awareness Month Kit Now Available
We created this free resource kit to help your team and your users defend against ransomware. Request your kit now to learn how ransomware has evolved, what new attack vectors you should be prepared for, and get advice from our experts on how to prevent an attack against your network.
Here's what you'll get:
- Access to our free on-demand Agentic AI Ransomware: What You Need to Know webinar featuring Roger Grimes, KnowBe4's Data-Driven Defense Evangelist
- Our popular whitepapers: Ransomware Hostage Rescue Manual and How Real-Time Security Coaching Mitigates Spear Phishing, Malware and Ransomware
- A 7-minute video that explains The Evolution and Future of Ransomware
- Our blog The Ransomware Threat: Still Alive and Kicking
- Posters and digital signage to remind users about what to watch out for
Get Your Kit Now:
https://www.knowbe4.com/ransomware-resource-kit-chn
FTC States That Scams Cost U.S. Consumers $158.3 Billion in One Year
By Roger Grimes
I'm used to repeating some pretty big numbers when talking about the financial impact of cybercrime. When you look into the data, it's pretty easy to start talking about tens of billions of dollars.
I often come across figures that are in the hundreds of billions of dollars in damage across several years globally. So, imagine my surprise when I learned the U.S. Federal Trade Commission (FTC) said Americans lost $158.3B in 2023, one year, to scammers, and that the annual figure is getting worse.
I learned this recently while watching Kathy Stokes, AARP's Director of Fraud Prevention Programs, present at Casper College's Rocky Mountain Cybersecurity Symposium in Casper, WY.
$158B is over $433M a day stolen…just from U.S. citizens.
At first, I thought Stokes had to have her figures wrong. She was clearly accidentally misstating a multi-year figure for a single year or talking about global figures instead of only U.S. individuals.
Nope, she was not.
In fact, the figure of $158.3B in U.S. fraud a year was just repeated by Senator Chuck Grassley in the recent U.S. Senate Judiciary Committee meeting on June 17th. It was, in turn, taken from the FTC's October 18, 2024, report, see pages 2 and 28. It's an estimated figure, and it covers scams of all kinds, not just cybersecurity crime (although the vast majority of scams now involve cyber in some way).
Of course, not everyone is successfully scammed every year. The FTC calculates that "only" 8% of Americans, or just under 21 million citizens, are successfully scammed each year. That equates to 57,000 Americans successfully scammed every day, and if the total amount of fraud is divided among those Americans, it works out to over $7,500 per victim per year. Ouch!
The FTC previously reported annual scams as costing "only" tens of billions of dollars each year, but after adjusting for under-reporting last year (only 2% of victims reported their loss to the FTC), the new estimated figure of $158.3B is now the official figure. Prior years' estimates were also updated. Each year is worse than the last.
The main scam overall was investment scams, where a victim was tricked into making a fraudulent investment by someone they gave too much trust. These scams often begin when a scammer sends what the recipient thinks is an errant SMS message intended for someone else. "Hey, are you there?" or something like that.
I get several of these per week through SMS, and at least one per week on X and LinkedIn. Sometimes it's the only message I receive.
The recipient usually responds to the sender to tell them that they sent the message to the wrong person, and the scammer uses the kind reply as a way to strike up a longer conversation. That conversation can lead to a false sense of a real relationship, romantic or otherwise.
The unearned trust is then used to trick the victim into sending money for some purported "sure thing"…usually a cryptocurrency scam…and the victim never sees their money again.
Fake jobs and fake employers are another growing area of scams. KnowBe4 has written a ton about both. It's getting harder for people looking for work to find real employers and for companies looking for employees to find real employees. The scammers often advertise on legitimate employment sites and social media sites like LinkedIn, or place ads on official websites.
Scams included fake vendors, who claimed to be selling something, often for a "great price", and then never delivered the goods. Tech support scams, where the scammer posed as Microsoft or some other recognizable brand-name technology vendor, were very common.
They call the victim, claiming to have proactively found a problem they want to help with. All the victim does is lose money.
Romance scams are rampant, especially with AI-enabled deepfakes allowing scammers to create new images and videos of fraudulent paramours, all while carrying on rich and vibrant conversations. Fake check scams, government imposters, business imposters, fraudulent vacation and travel schemes, and fake prizes and sweepstakes rounded out the top scam types.
Surprisingly, according to the FTC, younger people were more likely to be successfully scammed than older people. But older people (60 and older) were more likely to lose more money. Older people often have more money than younger people. Most people lost money to online scams, but larger individual losses came from scams done over the phone.
Without a doubt, there are a lot of victims losing a lot of money.
What Can You Do?
[CONTINUED]
https://blog.knowbe4.com/ftc-states-that-scams-cost-u.s.-consumers-158.3b-in-one-year
Publix Federal Credit Union's Secret to Zero Phishing Clicks & Weekly Time Savings
Your security team likely spends hours managing email threats targeting executives like your CFO and CEO.
Publix Employees Federal Credit Union was facing this exact challenge until they strengthened their approach to human risk management with KnowBe4. Now:
- They've achieved zero clicks on phishing tests for two consecutive months
- Their security team saves hours on phishing investigation and response
- Employees are more aware and report more suspicious emails to the IT team, providing better protection for everyone
"KnowBe4 Defend is catching a lot of emails that were getting through before. It's really been a game changer." Ricky Robertson, Director of Information Security.
Watch this story and more to learn how to better manage human risk at your organization.
[VIDEO] Watch Now (2 min)
https://www.knowbe4.com/products/customer-testimonials
[AWS CASE STUDY] KnowBe4 Seamlessly Scales to 22 Billion Events Using Amazon EventBridge
Learn how cybersecurity firm KnowBe4 built an event-driven architecture using Amazon EventBridge:
- 22,000 events processed per second
- 22B events managed in 2024
- 99.99% uptime
KnowBe4, a leader in cybersecurity training and services, transitioned to an event-driven architecture that accelerated its product development. KnowBe4 is committed to advancing cybersecurity through technological innovation and has a culture of quickly adopting new Amazon Web Services (AWS) features to serve that goal.
Within 8 months in 2023, KnowBe4 built a serverless, event-driven architecture that lets the team quickly get new features and services into the hands of its customers. KnowBe4's adoption of event-driven architecture accelerated product development and reduced the time to market for new features.
Link to AWS:
https://aws.amazon.com/solutions/case-studies/knowbe4-case-study/
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and Exec Chair
KnowBe4, Inc.
PS: Your KnowBe4 Fresh Content Updates from June 2025:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-june-2025
PPS: [LUNCH & LEARN] "I tried to hire a North Korean scammer". Warmly Recommended 20-minute video:
https://www.youtube.com/watch?v=Y7x0gvfFa0Q
Quotes of the Week
"The reading of all good books is like a conversation with the finest minds of past centuries."
– Rene Descartes – French Philosopher (1596 – 1650)
“Language is the archives of historical past.”
– Ralph Waldo Emerson – American essayist, poet, and philosopher (1803 – 1882)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-26-my-clicking-time-bomb-what-do-i-do-about-the-repeat-clickers
Security News
More Than Half of Spam Emails Are Now AI-Generated
A study from Barracuda has found that 51 percent of spam emails are created by generative AI tools, compared to almost zero before the public launch of ChatGPT in 2022.
"Spam showed the most frequent use of AI-generated content in attacks, outpacing use in other attack types significantly over the past year," the researchers write. "By April 2025, most spam emails (51%) were generated by AI rather than a human.
"The majority of the emails currently sitting in the average junk/spam folder are likely to have been written by a large language model (LLM)."
The study also observed an increase in the use of AI in targeted attacks such as business email compromise (BEC), though AI adoption is moving more slowly in these cases.
"BEC attacks involve precision: They often target a senior person in the organization (e.g., the CFO) with a request for a wire transfer or a financial transaction," the researchers write. "The analysis showed that by April 2025 14% of BEC attacks were generated by AI."
Barracuda explains that attackers can abuse AI tools to craft phishing emails that are more convincing for their target audiences. "AI-generated emails often showed higher levels of formality, fewer grammatical errors, and greater linguistic sophistication when compared to human-written emails," the researchers write.
"These features likely help malicious emails bypass detection systems and make them appear more credible and professional to recipients. This helps in cases where the attackers' native language may be different to that of their targets.
"In the Barracuda dataset, most recipients were in countries where English is widely spoken." Barracuda concludes, "Education also remains a strong and effective defense against these types of attack. Invest in security awareness training for employees to help them to understand the latest threats and how to spot them, and encourage employees to report suspicious emails."
Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Barracuda has the story:
https://blog.barracuda.com/2025/06/18/half-spam-inbox-ai-generated
U.S. Tech Executives Cite Cyberattacks as Their Top Concern
A new survey has found that 64% of C-Suite executives in cybersecurity or data center roles view data breaches and ransomware attacks as the top threat to companies over the next decade.
The survey, conducted by Talker Research on behalf of Per Scholas, also found that "more than half (56%) of companies have already defended against a hacking attempt, 43% have experienced a data breach, and 14% have fallen victim to a successful hack."
Additionally, less than half of employees think their company is well-equipped to defend itself against cyberattacks, while nearly all of them would be open to participating in additional training.
"The survey also looked at the perspective of employees working in tech and found that of the 1,000 polled, only 48% believe that their company is 'very prepared' to prevent cybersecurity attacks," the researchers write. "Moreover, only about half of the employees surveyed (51%) are 'very aware' of their company's cybersecurity efforts.
"The good news? If given the opportunity, 88% said they would participate in additional training — with the average respondent willing to invest just under two hours per week, or 7.1 hours per month."
Cybersecurity remains a top concern as organizations adopt AI-driven tech. Employee training can help organizations keep up with the evolving threat landscape. "AI is finding its way into everything from day-to-day workloads to big-picture strategy, yet cybersecurity concerns remain front and center in the AI economy," said Brittany Murrey, Executive Vice President of Talent Solutions at Per Scholas.
"Our research suggests employees are ready and willing to upskill in order to protect sensitive data, which is a crucial step. By offering comprehensive training and staying ahead of evolving threats, businesses can embrace AI innovations without sacrificing security."
Talker Research has the story:
https://talkerresearch.com/cyberattacks-top-list-of-concerns-for-u-s-tech-executive/
What KnowBe4 Customers Say
"Stu, We are a very happy customer. Our training completion rate has improved from an average of about 60% to near 90%. Training content has been very well received by our employees and our ability to provide content in all the languages where we operate has been a game changer."
– N.A., Security Systems Architect
"Hi Stu, Yes we are happy with KnowBe4 so far. We really like it a lot, we feel it's providing great security awareness for our employees."
– H.R., Manager Information Security
The 10 Interesting News Items This Week
Cyberheist 'Fave' Links