CyberheistNews Vol 15 #26 [My Clicking Time Bomb] What Do I Do About the Repeat Clickers?

Cyberheist News


CyberheistNews Vol 15 #26   |   July 1st, 2025


[My Clicking Time Bomb] What Do I Do About the Repeat Clickers?

By Bex Bailey

I recently had several conversations about repeat clickers. First with a Forrester analyst and then, shortly after, at KB4-CON Orlando following a presentation on the subject by Matthew Canham, Executive Director of the Cognitive Security Institute.

After that, my approach was a little less organic: intrigued by the topic, I spoke with several KnowBe4 customers to find out how they manage repeat clickers.

The term “repeat clickers” is pretty self-explanatory: they’re the individuals who continually click on suspicious links in emails – whether in phishing simulations or, more dangerously, in actual phishing attacks. This is more than the occasional error.

Here, we’re talking about the same names that keep coming up as having interacted with simulations or caused a security incident. Repeat clickers represent a significant cybersecurity risk to their organizations. At the same time, they’re often among the most valued employees.

The challenge, then, is how to reduce this risk in a fair and just way that keeps these individuals invested in their work.

The Disproportionate Risk and Return of Repeat Clickers

Canham’s research into this area is fascinating. In a pilot study, he defined repeat clickers as people who interacted with three or more phishing simulations.

He determined:

  • Only 0.83% of participants fell into this category
  • Yet they were nearly 10 times more likely to interact with a simulation than the wider group

Let’s just pause there. Repeat clickers are, typically, less than 1% of the employee base who represent 10 times the phishing risk of other employees. During his presentation at KB4-CON, Canham also highlighted that these individuals are often of significant value to their organizations, frequently holding high-ranking positions.

He cited one example of a known repeat clicker who interacted with a real phishing attack, leading to a cyber incident. This individual also happened to be a Nobel Prize-winning scientist.

Similarly, one of the customers I spoke to (anonymously) described a concerning repeat clicker they’d had in their organization: a senior employee, who is an incredible asset to the company and who, pretty much, used to click every link in every email – including phishing simulations on subjects totally unrelated to their role.

It’s not just the business value these people represent. The same research study from Canham (rather logically) states that mitigating this disproportionate risk can offer substantial return on investment (ROI). You’ve just got to get your repeat clickers to stop clicking.

There’s Something Different About Repeat Clickers

When anyone receives a phishing email (real or simulated), certain factors come into play. Some of these change on a case-by-case basis, such as context (e.g. someone might be more susceptible on a day when they’re rushing) or the social engineering techniques used.

Then there are stable factors (things that are less likely to change), which Canham lists in his research as cultural influences and individual traits – with the latter described as “the primary factor” in repeat clicking.

In a later study, Canham begins to unpack some of these traits – and shares what is possibly my favorite anecdote from his research. At the other end of the spectrum from repeat clickers are a group labeled “protective stewards”, who always identify phishing simulations and habitually report them.

Canham asked both groups to remember a code word of their choosing – such as a pet’s name. In later interviews, all protective stewards remembered their code words while all repeat clickers forgot theirs!

Tying into this, repeat clickers also struggled to recall the phishing simulations they interacted with, although, in part, this might be due to embarrassment.

The research begins to demonstrate the cognitive differences between the individuals who exhibit the most desirable cybersecurity behaviors (not interacting with simulations and reporting them) and those who repeatedly exhibit the least desirable ones (repeated interactions that go unreported).

In addition to forgetfulness, repeat clickers also seem to have:

  • A more internally oriented locus of control, meaning they feel more in control of their own destiny
  • High confidence (which I think we can safely call “overconfidence”) in their ability to detect phishing emails
  • A lack of distrust or skepticism (making them more susceptible to social engineering attacks)
  • Rigid, rather than adaptive, email habits – such as the individual mentioned earlier, who clicks on hyperlinks in all emails seemingly on autopilot

It’s easy to see how this explosive cocktail of traits interplays to cause someone to repeatedly interact with phishing emails. Ultimately, many of these factors are deeply ingrained – but they can be influenced with the right approaches.
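The cohort definition used above (three or more simulation interactions) and the “protective steward” category can be applied directly to a simulation platform’s results export. The script below is an added example, not code from the newsletter or from KnowBe4: it runs over constructed sample results, and the record layout and the steward rule (never clicked, reported every simulation received) are assumptions.

```python
"""Cohort analysis of phishing-simulation results using Canham's
repeat-clicker cutoff (three or more interactions). Added example with
constructed data; record format and steward rule are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

REPEAT_THRESHOLD = 3  # pilot-study definition: 3+ simulation interactions

# Constructed sample: four campaigns per user, one action per campaign.
SAMPLE_RESULTS = {
    "alice": ["clicked", "clicked", "clicked", "ignored"],
    "bob":   ["reported", "reported", "reported", "reported"],
    "carol": ["ignored"] * 4,
    "dave":  ["clicked", "ignored", "ignored", "ignored"],
    "erin":  ["reported", "reported", "ignored", "ignored"],
    "frank": ["ignored", "clicked", "clicked", "clicked"],
    "grace": ["reported"] * 4,
    "heidi": ["ignored"] * 4,
    "ivan":  ["ignored", "ignored", "clicked", "ignored"],
    "judy":  ["ignored"] * 4,
}

# Flatten into (user, campaign, action) records, the shape an export
# from a simulation platform is assumed to provide.
SAMPLE_EVENTS = [
    (user, f"campaign-{i}", action)
    for user, actions in SAMPLE_RESULTS.items()
    for i, action in enumerate(actions, start=1)
]


@dataclass
class UserStats:
    sent: int = 0
    clicked: int = 0
    reported: int = 0


def summarize(events):
    """Count simulations sent, clicked and reported per user."""
    stats = defaultdict(UserStats)
    for user, _campaign, action in events:
        s = stats[user]
        s.sent += 1
        if action == "clicked":
            s.clicked += 1
        elif action == "reported":
            s.reported += 1
    return dict(stats)


def repeat_clickers(stats, threshold=REPEAT_THRESHOLD):
    """Users who interacted with `threshold` or more simulations."""
    return sorted(u for u, s in stats.items() if s.clicked >= threshold)


def protective_stewards(stats):
    """Users who never clicked and reported every simulation (assumed rule)."""
    return sorted(u for u, s in stats.items()
                  if s.sent > 0 and s.clicked == 0 and s.reported == s.sent)


def click_rate(stats, users):
    sent = sum(stats[u].sent for u in users)
    return sum(stats[u].clicked for u in users) / sent if sent else 0.0


def cohort_report(stats, threshold=REPEAT_THRESHOLD):
    """Share of users who are repeat clickers and how many times more likely
    they are to click than everyone else (None if nobody else clicked)."""
    repeat = set(repeat_clickers(stats, threshold))
    others = set(stats) - repeat
    rate_repeat, rate_others = click_rate(stats, repeat), click_rate(stats, others)
    return {"share": len(repeat) / len(stats) if stats else 0.0,
            "repeat_click_rate": rate_repeat, "other_click_rate": rate_others,
            "relative_risk": rate_repeat / rate_others if rate_others else None}


if __name__ == "__main__":
    stats = summarize(SAMPLE_EVENTS)
    print("repeat clickers:", repeat_clickers(stats))
    print("protective stewards:", protective_stewards(stats))
    print(cohort_report(stats))
```

On the sample data the two repeat clickers are 20% of users but click at twelve times the rate of the rest, which is the kind of disproportion the study describes, and the same functions work unchanged on a real export once the record shape matches.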

[CONTINUED] at the KnowBe4 blog:
https://blog.knowbe4.com/a-clicking-time-bomb-what-to-do-about-repeat-clickers

[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—this is precisely what our AI Defense Agents provide.

Join us for a demo showcasing KnowBe4’s leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.

See how easy it is to train and phish your users with KnowBe4’s HRM+ platform:

  • SmartRisk Agent™ – Generate actionable data and metrics to help you lower your organization’s human risk score
  • Template Generator Agent – Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
  • Automated Training Agent – Automatically identify high-risk users and assign personalized training
  • Knowledge Refresher Agent and Policy Quizzes Agent – Reinforce your security program and organizational policies.
  • Enhanced Executive Reports – Track user activities, visualize trends, download widgets, and improve searching/sorting to provide deeper insights and streamline collaboration

See how these powerful AI-driven features work together to dramatically reduce your organization’s risk while saving your team valuable time.

Date/Time: Wednesday, July 9, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/kmsat-demo-1?partnerref=CHN2

Europol Warns of Social Engineering Attacks

Social engineering remains a primary initial access vector for cybercriminals, according to a new report from Europol.

“Social engineering, which exploits human error to gain access to systems or personal information, stands out as a prominent technique used by criminal actors in this context,” Europol says.

“Initial Access Brokers (IABs) have been increasingly focused on using such techniques for the acquisition of valid account credentials as an entry point to the victims’ systems.

“This initial access can then be leveraged in a multitude of ways by criminal actors. For example, access credentials for remote services are widely used by ransomware groups and their affiliates to compromise corporate networks, which can lead to data theft (exfiltration) and the deployment of ransomware.”

The report also warns of a surge in infostealer malware, allowing criminals to gather information that can be used in future attacks.

“Phishing techniques are the main vector for the distribution of infostealers,” Europol says. “Criminals use a variety of methods to achieve this, including sending emails, text messages, or messages on social media that contain malicious attachments or URLs which introduce malware into the victim’s system.

“Malicious websites are also propagated through search engine advertising tools and search engine optimization (SEO) poisoning. In the latter case, criminals manipulate web search results to lead users to websites containing malware.”

Europol also notes that AI tools have increased the effectiveness of social engineering attacks, enabling threat actors to easily generate convincing lures.

“The efficacy of many of the aforementioned social engineering techniques has been improved by the wider adoption of LLMs and other forms of generative artificial intelligence (genAI),” the researchers write. “Phishing texts and scripts, generated to incorporate the language and cultural nuances of the victims’ location, can improve the efficacy of campaigns.

“Recent research on the topic indicates that phishing messages generated by LLMs have a significantly higher click-through rate than those likely written by humans.”

KnowBe4’s Human Risk Management empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/europol-warns-of-social-engineering-attacks

2025 Ransomware Awareness Month Kit Now Available

We created this free resource kit to help your organization and your users defend against ransomware. Request your kit now to learn how ransomware has evolved, what new attack vectors you need to be prepared for and get advice from our experts on how to prevent an attack against your network.

Here is what you’ll get:

  • Access to our free on-demand Agentic AI Ransomware: What You Need to Know webinar featuring Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist
  • Our popular whitepapers: Ransomware Hostage Rescue Manual and How Real-Time Security Coaching Mitigates Spear Phishing, Malware and Ransomware
  • A 7-minute video that explains The Evolution and Future of Ransomware
  • Our blog The Ransomware Threat: Still Alive and Kicking
  • Posters and digital signage to remind users about what to watch out for

Get Your Kit Now:
https://www.knowbe4.com/ransomware-resource-kit-chn

FTC States That Scams Cost U.S. Consumers $158.3 Billion in One Year

By Roger Grimes

I am used to repeating some pretty big numbers when talking about the financial impact of cybercrimes. When you look into the data, it is pretty easy to start talking about tens of billions of dollars.

I occasionally come across figures that are in the hundreds of billions of dollars in damage across multiple years globally. So, imagine my surprise when I learned the U.S. Federal Trade Commission (FTC) said Americans lost $158.3B in 2023, one year, to scammers, and that annual figure is getting worse.

I learned this recently while watching Kathy Stokes, AARP’s Director of Fraud Prevention Program division, present at Casper College’s Rocky Mountain Cybersecurity Symposium in Casper, WY.

$158B is over $433M a day stolen…just from U.S. citizens.

At first, I thought Stokes had to have her figures wrong. She was obviously accidentally misstating a multi-year figure for a single year or talking about global figures instead of for only U.S. individuals.

Nope, she was not.

In fact, the figure of $158.3B in U.S. fraud a year was just repeated by Senator Chuck Grassley in the recent U.S. Senate Judiciary Committee meeting on June 17th. It was, in turn, taken from the FTC’s October 18, 2024, report, see pages 2 and 28. It is an estimated figure, and it involves scams of all types and not just cybersecurity crime (although the vast majority of scams now involve cyber in some way).

Of course, not everyone is successfully scammed each year. The FTC calculates that “only” 8% of Americans, or just under 21 million citizens, are successfully scammed each year. It equates to 57,000 Americans successfully scammed each day, and if the total amount of fraud was divided by those Americans, it would equate to over $17,000 per citizen per year. Ouch!

The FTC previously reported annual scams as costing “only” tens of billions of dollars each year, but after adjusting for “under-reporting” (only 2% of victims reported their loss to the FTC) last year, the new estimated figure of $158.3B is now the official figure. Prior years’ estimates were also updated. Each year it is worse than the last.

The number one scam overall was investment scams, where a victim was tricked by someone they gave too much trust into making a fraudulent investment. These scams often occur when a scammer sends what the recipient thinks is an errant SMS message intended for someone else. “Hey, are you there?” or something like that.

I get a few of these a week through SMS, and at least one a week on X and LinkedIn. Sometimes it is the only message I receive.

The recipient usually responds to the sender to tell them that they sent the message to the wrong person and the scammer uses the kind reply as a way to strike up a longer conversation. That conversation can lead to a false sense of a real relationship, romantic or otherwise.

The unearned trust is then used to trick the victim into sending money for some purported “sure thing”…usually a cryptocurrency scam…and the victim never sees their money again.

Fake jobs and fake employers are another growing area for scams. KnowBe4 has written a ton about both. It is getting tougher for people looking for work to find real employers and for companies looking for employees to find real employees. The scammers often advertise on legitimate employment sites, social media sites like LinkedIn, or place ads on official websites.

Scams included fake vendors, who claimed to be selling something, often for a “great price”, who then never delivered the goods. Tech support scams, where the scammer posed as Microsoft or some other recognizable brand-name technology vendor, were very common.

They call the victim, claiming to have proactively found a problem they want to help with. All the victim does is lose money.

Romance scams are rampant, especially with AI-enabled deepfakes allowing scammers to create new images and videos of fraudulent paramours, all while carrying on rich and vibrant conversations. Fake check scams, government imposters, business imposters, fraudulent vacation and travel schemes, and fake prizes and sweepstakes rounded out the top scam types.

Surprisingly, according to the FTC, younger people were more likely to be successfully scammed than older people. But older people (60 and older) were more likely to lose more money. Older people often have more money than younger people. Most people lost money due to online scams, but higher individual losses occurred from scams done over the phone.

Without a doubt, there are a lot of victims losing a lot of money.

What Can You Do?

[CONTINUED]
https://blog.knowbe4.com/ftc-states-that-scams-cost-u.s.-consumers-158.3b-in-one-year

Publix Federal Credit Union’s Secret to Zero Phishing Clicks & Weekly Time Savings

Your security team likely spends hours managing email threats targeting executives like your CFO and CEO.

Publix Employees Federal Credit Union was facing this exact challenge until they strengthened their approach to human risk management with KnowBe4. Now:

  • They’ve achieved zero clicks on phishing tests for two consecutive months
  • Their security team saves hours on phishing investigation and response
  • The employees are more aware and reporting more suspicious emails to the IT team, providing better protection for everyone

“KnowBe4 Defend is catching a lot of emails that were getting through before. It’s really been a game changer.” – Ricky Robertson, Director of Information Security.

Watch this story and more to learn how to better manage human risk at your organization.

[VIDEO] Watch Now (2 min)
https://www.knowbe4.com/products/customer-testimonials

[AWS CASE STUDY] KnowBe4 Seamlessly Scales to 22 Billion Events Using Amazon EventBridge

Learn how cybersecurity firm KnowBe4 created an event-driven architecture using Amazon EventBridge:

  • 22,000 events processed per second
  • 22B events managed in 2024
  • 99.99% uptime

KnowBe4, a leader in cybersecurity training and services, transitioned to an event-driven architecture that accelerated its product development. KnowBe4 is committed to advancing cybersecurity through technological innovation and has a culture of quickly adopting new Amazon Web Services (AWS) solutions to serve that goal.

Within 8 months in 2023, KnowBe4 built a serverless, event-driven architecture that lets the organization quickly get new features and services into the hands of its customers. KnowBe4’s adoption of event-driven architecture accelerated product development and reduced the time to market for new features.

Link to AWS:
https://aws.amazon.com/solutions/case-studies/knowbe4-case-study/

Let’s stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and Exec Chair
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from June 2025:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-june-2025

PPS: [LUNCH & LEARN] “I tried to hire a North Korean scammer”. Warmly Recommended 20-minute video:
https://www.youtube.com/watch?v=Y7x0gvfFa0Q

Quotes of the Week

“The reading of all good books is like a conversation with the finest minds of past centuries.”
– Rene Descartes – French Philosopher (1596 – 1650)


“Language is the archives of history.”
– Ralph Waldo Emerson – American essayist, poet, and philosopher (1803 – 1882)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-26-my-clicking-time-bomb-what-do-i-do-about-the-repeat-clickers

Security News

More Than Half of Spam Emails Are Now AI-Generated

A study from Barracuda has found that 51 percent of spam emails are created by generative AI tools, compared to almost zero before the public release of ChatGPT in 2022.

“Spam showed the most frequent use of AI-generated content in attacks, outpacing use in other attack types significantly over the past year,” the researchers write. “By April 2025, most spam emails (51%) were generated by AI rather than a human.

“The majority of the emails currently sitting in the average junk/spam folder are likely to have been written by a large language model (LLM).”

The study also observed an increase in the use of AI in targeted attacks such as business email compromise (BEC), though AI adoption is moving more slowly in these cases.

“BEC attacks involve precision: They typically target a senior person in the organization (e.g., the CFO) with a request for a wire transfer or a financial transaction,” the researchers write. “The analysis showed that by April 2025 14% of BEC attacks were generated by AI.”

Barracuda explains that attackers can abuse AI tools to craft phishing emails that are more convincing for their target audiences. “AI-generated emails typically showed higher levels of formality, fewer grammatical errors, and greater linguistic sophistication when compared to human-written emails,” the researchers write.

“These features likely help malicious emails bypass detection systems and make them appear more credible and professional to recipients. This helps in cases where the attackers’ native language may be different to that of their targets.

“In the Barracuda dataset, most recipients were in countries where English is widely spoken.” Barracuda concludes, “Education also remains a powerful and effective protection against these types of attack. Invest in security awareness training for employees to help them to understand the latest threats and how to spot them, and encourage employees to report suspicious emails.”

Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Barracuda has the story:
https://blog.barracuda.com/2025/06/18/half-spam-inbox-ai-generated

U.S. Tech Executives Cite Cyberattacks as Their Top Concern

A new survey has found that 64% of C-Suite executives in cybersecurity or data center roles view data breaches and ransomware attacks as the top threat to companies over the next decade.

The survey, conducted by Talker Research on behalf of Per Scholas, also found that “more than half (56%) of companies have already defended against a hacking attempt, 43% have experienced a data breach, and 14% have fallen victim to a successful hack.”

Additionally, less than half of employees think their company is well-equipped to defend itself against cyberattacks, while nearly all of them would be open to participating in more training.

“The survey also looked at the perspective of employees working in tech and found that of the 1,000 polled, only 48% believe that their company is ‘very prepared’ to prevent cybersecurity attacks,” the researchers write. “Moreover, only about half of the employees surveyed (51%) are ‘very aware’ of their company’s cybersecurity efforts.

“The good news? If given the opportunity, 88% said they would participate in additional training — with the average respondent willing to invest just under two hours per week, or 7.1 hours per month.”

Cybersecurity remains a top concern as organizations adopt AI-driven tech. Employee training can help organizations keep up with the evolving threat landscape. “AI is finding its way into everything from day-to-day workloads to big-picture strategy, yet cybersecurity concerns remain front and center in the AI economy,” said Brittany Murrey, Executive Vice President of Talent Solutions at Per Scholas.

“Our research suggests employees are ready and willing to upskill in order to protect sensitive data, which is a crucial step. By offering comprehensive training and staying ahead of evolving threats, businesses can embrace AI innovations without sacrificing security.”

Talker Research has the story:
https://talkerresearch.com/cyberattacks-top-list-of-concerns-for-u-s-tech-executive/

What KnowBe4 Customers Say

“Stu, We are a very happy customer. Our training completion rate has improved from an average of about 60% to near 90%. Training content has been very well received by our employees and our ability to provide content in all the languages where we operate has been a game changer.”

– N.A., Security Systems Architect


“Hi Stu, Yes we are happy with KnowBe4 so far. We really like it a lot, we feel it is providing great security awareness for our employees.”

– H.R., Manager Information Security
