CyberheistNews Vol 15 #29 [Jawdropper] AI Is Luring Travelers to Places That Don’t Even Exist!



CyberheistNews Vol 15 #29  |   July 22nd, 2025


[Jawdropper] AI Is Luring Travelers to Places That Don’t Even Exist!

We’ve seen AI generate art, write code and even compose music. But now it’s crafting a new kind of scam: fake travel destinations.

According to TechRadar, cybercriminals are using generative AI tools to create websites, videos and itineraries for vacation spots that don’t exist. The scam is surprisingly effective. AI can conjure up hyper-realistic photos, convincing reviews and professional-looking booking sites. For victims dreaming of a getaway, it’s easy to be fooled.

These travel scams usually start with targeted social media ads or email promotions offering luxury getaways at rock-bottom prices. Once users click through, they’re shown photorealistic images of luxurious resorts or scenic towns, some even backed by “customer testimonials” generated by AI. Victims pay deposits or full fees for the trip, only to discover the destination is a fiction.

This isn’t just about lost money. These scams erode trust in online bookings and digital content. And as generative AI improves, spotting fakes becomes harder.

So how can you protect yourself and your family?

Start with skepticism. Verify destinations on independent sources like Google Maps or travel forums. Don’t rely solely on beautiful images or glowing reviews, especially from new websites with no established credibility. If the deal feels too good to be true, it probably is.

And finally, this is another reminder that AI is a double-edged sword. While it’s transforming industries, it’s also arming cybercriminals with powerful tools for deception. Stay alert. Stay skeptical. And always double-check before you book that dream vacation.

[VIDEO!] An Article at TechRadar. Show this Jawdropper to your family. I did.
https://www.techradar.com/computing/artificial-intelligence/ai-is-tricking-people-into-traveling-to-places-that-dont-exist-and-we-all-need-to-learn-to-avoid-these-scams?

[Live Demo] Stop Misdirected Emails and Data Loss Before They Happen with KnowBe4 Prevent

With 376 billion emails sent daily, your organization faces unprecedented risks from human error and misdirected communications. The human element, involved in 68% of data breaches, creates outbound-based threats costing millions in penalties and reputation damage annually.

KnowBe4’s data reveals a shocking reality: organizations detect only 10% of outbound email security incidents, leaving your business dangerously vulnerable.

Join our live demo to see how KnowBe4 Prevent seamlessly integrates into M365 to identify risky communications before they lead to breaches.

See KnowBe4 Prevent in action as we show you how to:

  • Prevent costly mistakes with real-time alerts that stop misdirected emails and unauthorized file sharing
  • Detect and block data exfiltration attempts before sensitive information leaves your organization
  • Engage users with an unobtrusive, real-time risk assessment as they compose an email
  • Gain comprehensive visibility into outbound email risk across your organization
  • Enforce information barriers that keep you compliant with industry regulations

Strengthen your security posture with AI-native intelligent email security that identifies and stops risky communications before damage occurs, closing the critical security gap traditional solutions miss.

Date/Time: Wednesday, July 23 @ 1:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/prevent-live-demo?partnerref=CHN

[Heads Up] Watch for New Attacks on Your Browser-Based AI Agents

By Roger Grimes

We are working tirelessly on our AI First strategy to better protect both humans and their AI tools.

KnowBe4 and its advocates spend a lot of time talking to audiences about AI-enabled threats, and rightly so, as recently covered in dozens of previous posts. And then OpenAI released their Browser Agent…

This year and next promise to be an explosion of cyber threats better enabled by AI. After years of saying AI attacks would be coming, they are here and will be the way that most cybercrime is committed forevermore. AI will enable cyberattacks to be faster, more successful, more pervasive and hyper personalized.

As the leading Human Risk Management (HRM) platform provider, a lot of our attention focuses on decreasing human risk. We do this through a highly dynamic platform that pushes technical defenses, security awareness training, and AI-enabled defenses.

We are also working to protect the AI you use to protect yourself and increase your productivity. Attackers are crafting new ways to exploit AI in ways that are likely to be more successful than if humans were more involved.

We have previously covered how attacks against your AI productivity tools can lead to increased disinformation, data leaks and poor results. There is a new worry…attacks against your browser-based AI agents.

Browser-Based AI Agents

Browser-based AI agents are a more modern version of browser extensions and add-ins, which have been around for decades…only with AI thrown in. Browser extensions have always been a huge security threat to people’s browsers. A badly coded, weakly threat-modeled browser extension can easily undermine an otherwise very secure browser experience.

Some of the biggest exploits in history have been tied to attacks against popular browser agents. Accordingly, many organizations, including KnowBe4, significantly limit which browser extensions can be added to co-workers’ browsers.

Browser extensions are naturally becoming more AI-enabled and increasing people’s productivity beyond previously imaginable levels. A lot of early commonly used browser-based AI agents involve increased productivity around email.

For example, some browser-based AI agents will cull your email inbox into more usable groupings, which allow more efficient handling. Other browser-based AI agents will gladly find free availability on your calendar to schedule meetings that were initiated from an email.

Using this type of agent gives me an hour or two of my life back each week. Other browser-based AI agents look for and prevent cyberattacks. I have seen a few AI agents that focus on protecting your SMS messages.

[And this week OpenAI opened Pandora’s box with their agent, warning that this could be the victim of phishing and prompt injection.]

[CONTINUED] At the KnowBe4 Blog:
https://blog.knowbe4.com/knowbe4-protecting-you-and-your-ai

Measure Your Security Culture. 5 Minutes. Free Assessment

Many organizations invest in security training with no clear metrics for success, struggle to demonstrate ROI to leadership, or miss critical gaps in their security culture. Sound familiar?

That’s why we’ve created our new free KnowBe4 Program Maturity Assessment. It will help evaluate your organization across ten key dimensions of human risk management.

In just five minutes, you’ll get:

  • A comprehensive evaluation across 10 critical security dimensions
  • Clear measurement of 40 Culture Maturity Indicators
  • Your organization’s specific maturity level (from Basic Compliance to Sustainable Security Culture)
  • Practical, actionable recommendations to strengthen your human defense layer
  • A strategic roadmap to advance your security culture

Unlike generic cybersecurity frameworks focused on technical controls, the Program Maturity Assessment zeroes in on what matters most—your people. The easy-to-understand results, not consultant jargon, give you immediate steps to transform checkbox compliance into a measurable security culture.

After completing the assessment, you’ll receive a comprehensive report showing your maturity level and tailored feedback discussing how KnowBe4’s HRM+ platform can accelerate your maturity journey.

Start measuring what truly matters today!

Start Free Assessment:
https://info.knowbe4.com/program-maturity-assessment-chn

Engineered To Evade: How Phishing Attacks Are Designed To Get Through Your Secure Email Gateway

By Bex Bailey

Getting through secure email gateways (SEGs) is simply the cost of doing business for a cybercriminal. Literally, detection at the perimeter by a SEG is the same as falling at the first hurdle.

SEGs have been adopted broadly, especially in larger organizations (although this picture has started to change in recent years – more on that below).

Even where organizations don’t use a SEG, many native controls in email platforms (like Microsoft Exchange) operate using the same principles. So a cybercriminal will be fairly confident they’ll need to get through at least a SEG or similar layer to reach a target’s inbox.

Cybercriminals can be incredibly clever and, like most of us, they need or want to get paid at the end of the day. If email security technology stands between them and whatever they’re planning, then they’ll do everything they can to evolve their attacks to bypass detection.

Here’s some proof. Below is a screenshot taken from the dark web. It shows details of a subscription-based phishing toolkit with access to 30+ brand impersonation templates. It’s advertised for sale at a monthly cost of $300 or lifetime access for $1,000, and comes with 24/7 support.

Crucially, the payloads are guaranteed to bypass named SEG vendors.

When you combine these details, they paint an interesting picture. The cybercriminal selling the kit is hoping to create renewing customers to generate ongoing business. Any failure to deliver on their guarantees will damage this business model — so we can anticipate they will look to uphold their promises.

Blog post with links and screenshots:
https://blog.knowbe4.com/engineered-to-evade-how-phishing-attacks-are-designed-to-get-through-your-secure-email-gateway

2025 Phishing Threat Trends Report

Our Phishing Threat Trends Reports bring you the latest insights into the hottest topics in the phishing attack landscape. In 2025, it’s been in with the old and in with the new, as cybercriminals use new techniques to “revive” the efficacy of existing attacks.

Download this latest edition to discover:

  • What’s driving a resurgence in ransomware delivered by phishing emails
  • How cybercriminals have achieved a 47% increase in attacks evading Microsoft’s native security and secure email gateways
  • Which jobs cybercriminals are most likely to apply for in your organization
  • How 92% of polymorphic attacks utilize AI to achieve unprecedented scale — and change the phishing landscape for good
  • Plus other top phishing stats for 2025

Download Now:
https://info.knowbe4.com/phishing-threat-trends-report-chn

Let’s stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and Exec Chair
KnowBe4, Inc.

PS: [VIDEO] Introduction to ChatGPT Agent. They warn against phishing and prompt injection:
https://www.youtube.com/live/1jn_RpbPbEc

Quotes of the Week  

“In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.”
– Theodore Roosevelt (1858 – 1919)


“Success usually comes to those who are too busy to be looking for it.”
– Henry David Thoreau (1817 – 1862)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-29-jawdropper-ai-is-luring-travelers-to-places-that-dont-even-exist

Security News

Job Seekers Beware: Many People Are Falling for Employment Scams

More than one in 10 people who were targeted by job scams this year fell victim, according to a report from Resume.org. Younger people, particularly young men, are more likely to fall victim.

“In total, 14% of those who received a job scam text fell victim,” the report says. “Younger workers are more likely to have fallen victim to the scam. Twenty percent of Gen Zers fell for a job scam, followed by 16% of millennials, 10% of Gen Xers, and just 4% of boomers.

“Men appear even more likely to become victims, with 24% of Gen Z men and 31% of millennial men interacting with the scam.” One in three victims of these scams lost money to the attackers, and 18 percent quit their jobs or delayed real interviews for a fake offer.

“Of the people who engaged with the job scam text, nearly half, 48%, say they shared personal information with the sender, and 30% had money stolen from their bank account or credit card,” the report says. “The amount stolen varied: 6% lost less than $100, 32% between $100 and $250, and 38% between $251 and $500.

“Additionally, 21% report losses of $501 to $1,000, while 3% say scammers took more than $1,000. Further, 22% of victims gave the scammers money directly. The most common reason was being asked to pay upfront fees, something 84% of victims report.”

Kara Dennison, head of career advising at Resume.org, stated, “There are several reasons younger people, especially young men, are more vulnerable to job scams. Many are early in their careers and haven’t yet developed the instincts to spot red flags.

“Financial pressure also plays a big role, as the promise of fast, remote income is incredibly appealing when facing student debt and rising living costs.”

Users can thwart these scams if they have a healthy sense of suspicion and are trained to recognize social engineering tactics. “When asked what made the message seem suspicious, most say the fact that it came through a text message instead of a traditional job platform,” the researchers write.

“Others say the job description or company details were vague, the offer seemed too good to be true, or the message included poor grammar and an unprofessional tone. Some say they were tipped off by the fact that they were pressured to respond quickly or promised unrealistic pay.”

KnowBe4 empowers your workforce to make smarter security decisions every day.

Resume.org has the story:
https://www.resume.org/3-in-10-young-men-targeted-by-job-scam-texts-fell-victim/

FTC Advisory: How to Protect Yourself Against Job Scams

The U.S. Federal Trade Commission (FTC) has issued an advisory warning of job scams that impersonate well-known companies with tempting employment opportunities. The scammers are trying to steal users’ personal and financial information in order to steal their money or launch further attacks.

“Scammy recruiters who claim to be recruiting for a big-name employer often reach out by email or text with a remote job offer — sometimes from a personal phone number or email account,” the FTC says. “You might get an email with an official-looking invitation for a virtual interview along with information about your job duties and job benefits.”

If you respond to a phony job offer, the scammers will attempt to rush through the process to prevent you from thinking clearly or asking others for advice.

“Before you even interview, you might get an official-looking job offer along with paperwork that requires your personal financial information (supposedly for direct deposit),” the advisory says. “The recruiter will push for that information before they answer your questions about the job.

“In reality, there is no job and the ‘recruiter’ is a scammer. Real employers won’t ask for that kind of information before they’ve actually interviewed and hired you.” The FTC offers the following advice to help users recognize these scams:

  • “Look at the sender’s email address. Is the email from a business or a personal email? Recruiters will generally email from a corporate email account, not from a personal email like @gmail.com or @yahoo.com.
  • They ask for your personal information before you interview. Scammers will ask for your driver’s license, Social Security, or bank account number to fill out ‘employment paperwork.’ Your sensitive information might be the focus of your ‘interview’ and they might ask to get that information before they’ll talk about job duties.
  • Check out the recruiter. Search online the name of the recruiter or their company to see what you find about them. Type the name with words like ‘scam’ or ‘complaint.’”

Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

The FTC has the story:
https://consumer.ftc.gov/consumer-alerts/2025/07/job-scammers-are-looking-hire-you
