Why Don’t We Demand This?

CyberheistNews Vol 15 #36  |   September 9th, 2025


One of the Biggest Mysteries in Cybersecurity: Why Don’t We Demand This?

By Roger Grimes

“The problem is much, much worse than most people acknowledge.”

One of the biggest enduring mysteries for me in cybersecurity is why most cybersecurity curricula don’t teach secure coding to programmers.

I have no real answers, only speculation.

Secure coding goes by other names, including secure by design and the security development lifecycle, but it means that the humans involved in developing software, services and firmware are trained in how to avoid inserting common security vulnerabilities.

Common vulnerability types include buffer overflows, insecure input handling, hard-coding authentication credentials, directory traversal errors, cross-site scripting, etc. The OWASP Top Ten list is a great list of some of the most common issues.

Some classes of bug, like buffer overflows, can largely be eliminated by using memory-safe programming languages where that is possible and practical. Memory-unsafe languages are involved in up to 70% of commonly exploited vulnerabilities.

Secure coding means giving programmers and others in the development stream, whether old or new to the profession, education about those common vulnerabilities and how to avoid them. Like any security challenge, it takes a combination of education, policies and tools. And as with most computer security challenges, education is the weakest link wherever the tools themselves do not prevent the mistake.
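As an added illustration (example code, not from Roger's article or any KnowBe4 material), here are two of the vulnerability classes listed above, directory traversal and hard-coded credentials, each shown as the insecure pattern a secure-coding course would flag next to the fixed version. The document root path and the ADMIN_TOKEN environment variable are assumed names for the illustration; the buffer-overflow class is not shown because choosing a memory-safe language, as the article suggests, removes it by construction.

```python
"""Added example (not from the article): two of the vulnerability classes
named above, each as the insecure pattern and the secure-coding fix.
The document root and the ADMIN_TOKEN environment variable are assumed
names used only for this illustration."""
import hmac
import os
import posixpath

# Assumed document root for a hypothetical file-download handler.
DOC_ROOT = "/srv/app/files"


def file_path_vulnerable(doc_root: str, user_path: str) -> str:
    """Directory traversal: untrusted input is joined into the path unchanged.
    '../' climbs out of doc_root, and an absolute path replaces it entirely,
    because posixpath.join discards everything before an absolute component."""
    return posixpath.normpath(posixpath.join(doc_root, user_path))


def file_path_hardened(doc_root: str, user_path: str) -> str:
    """Same operation with input validation: reject absolute paths and NUL
    bytes, normalise, then prove the result is still inside doc_root.
    posixpath is used so the check is deterministic offline; on a real server
    also resolve symlinks (os.path.realpath) before the containment test."""
    if user_path.startswith("/") or "\x00" in user_path:
        raise ValueError("absolute path or NUL byte in user input")
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    # commonpath is the right containment check; a string-prefix test is not,
    # because "/srv/app/files2/x" starts with "/srv/app/files".
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes document root: %s" % candidate)
    return candidate


def path_allowed(doc_root: str, user_path: str) -> bool:
    """True if the hardened handler would serve user_path, False if it rejects it."""
    try:
        file_path_hardened(doc_root, user_path)
        return True
    except ValueError:
        return False


# Hard-coded credential: the secret ships with the source and every copy of it.
ADMIN_TOKEN_VULNERABLE = "s3cr3t-admin-token"  # constructed example value


def token_ok_vulnerable(presented: str) -> bool:
    # '==' also stops at the first differing byte, a timing side channel.
    return presented == ADMIN_TOKEN_VULNERABLE


def token_ok_hardened(presented: str, env=os.environ) -> bool:
    """The secret comes from the deployment environment (or a secrets manager),
    never from the source tree, and the comparison is constant-time."""
    expected = env.get("ADMIN_TOKEN")
    if not expected:
        raise RuntimeError("ADMIN_TOKEN is not configured")
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    for p in ("reports/q3.pdf", "../../etc/passwd", "/etc/shadow"):
        print("vulnerable:", p, "->", file_path_vulnerable(DOC_ROOT, p))
        if path_allowed(DOC_ROOT, p):
            print("hardened:  ", p, "->", file_path_hardened(DOC_ROOT, p))
        else:
            print("hardened:  ", p, "-> rejected")
    print("token check:", token_ok_hardened("s3cr3t", {"ADMIN_TOKEN": "s3cr3t"}))
```

Run it and the vulnerable function resolves `../../etc/passwd` to `/srv/etc/passwd` and `/etc/shadow` to `/etc/shadow`, while the hardened one serves only paths that stay under the document root. The point a secure-coding class makes is that each fix is a few lines once the developer knows the bug class exists; the same containment check also catches the `files2` sibling-directory trick that a naive prefix comparison lets through.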

I’ve tried for years to get universities and college curricula to add secure coding instruction as a required part of their curriculum or as a separate required dedicated class. It seems like a no-brainer. And yet, almost no programming curriculum does. There are a few, but not many.

And let me say that I don’t teach programming for a living. I’m looking from the outside in.

[CONTINUED] At the KnowBe4 Blog:
https://blog.knowbe4.com/one-of-the-biggest-mysteries-in-cybersecurity-why-dont-we-teach-or-demand-secure

[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—this is precisely what our AI Defense Agents provide.

Join us for a demo showcasing KnowBe4’s leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.

See how easy it is to train and phish your users with KnowBe4’s HRM+ platform:

  • SmartRisk Agent™ – Generate actionable data and metrics to help you lower your organization’s human risk score
  • Template Generator Agent – Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
  • Automated Training Agent – Automatically identify high-risk users and assign personalized training
  • Knowledge Refresher Agent and Policy Quizzes Agent – Reinforce your security program and organizational policies
  • Enhanced Executive Reports – Track user activities, visualize trends, download widgets, and improve searching/sorting to provide deeper insights and streamline collaboration

See how these powerful AI-driven features work together to dramatically reduce your organization’s risk while saving your team valuable time.

Date/Time: THIS WEEK, Thursday, September 11 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/ksat-demo-3?partnerref=CHN3

Hospitals Need to Prepare for AI-Powered Phishing Attacks

Healthcare organizations need to be prepared for an increase in AI-assisted phishing attacks, according to Zack Martin, Senior Policy Advisor at Venable.

In an article for HIT Consultant, Martin explained that AI has made phishing attacks more convincing and easier to launch, posing a heightened risk to healthcare organizations.

“In the second half of 2024, phishing incidents surged by more than 700 percent – a spike that coincided with the mainstream adoption of generative AI tools,” Martin says. “These tools are now being used to create convincing emails, fake login pages and impersonation campaigns that target both patients and staff. And in healthcare, where digital literacy can vary widely and data is especially sensitive, the consequences can be severe, leading to data breaches, ransomware and system outages.”

Healthcare entities have a unique attack surface that makes them particularly vulnerable to social engineering attacks. Hospitals also face a heightened risk from ransomware attacks, since disruptions can affect patient care and put lives at risk.

“Hospitals and clinics serve a mix of internal users and external users – from employees logging into medical systems to patients and family members accessing portals,” Martin writes. “Many of these users may be unfamiliar with phishing tactics and could be more likely to trust realistic-looking login prompts or urgent alerts.

“The combination of accessible AI tools and a digitally inexperienced user base creates a perfect storm for credential theft.” Martin concludes that employee awareness training can give healthcare orgs a necessary layer of defense against these attacks.

“A truly effective identity-first security strategy also includes continuous user education,” Martin writes. “Phishing emails – especially those enhanced by generative AI – can fool even the most experienced professionals. Regular awareness campaigns and simulated phishing exercises can help staff develop a reflex for spotting fake emails, verifying URLs, and reporting suspicious activity quickly.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/hospitals-need-to-prepare-for-ai-powered-phishing-attacks

A New Era of Email Defense: The Power of KnowBe4 and Microsoft Defender for Office 365

Discover how KnowBe4 and Microsoft Defender for Office 365 are transforming email security and explore the power of the new integration.

Join our live demo with Murali Natarajan, Principal Product Manager at Microsoft, and Stuart Clark, Vice President of Product Strategy at KnowBe4, to see how KnowBe4’s advanced threat detection capabilities and Microsoft’s Integrated Cloud Email Security (ICES) ecosystem work together to create an unmatched defense against today’s most sophisticated email threats.

During this session, you’ll learn how to:

  • Seamlessly integrate KnowBe4 Defend with Microsoft’s security controls for unified quarantine, consistent policy enforcement and comprehensive visibility
  • Leverage the combined strengths of KnowBe4’s specialized AI detection and Microsoft Defender, ensuring the strongest verdict always wins for superior threat prevention
  • Simplify deployment, reduce complexity and eliminate separate quarantine systems through seamless integration with Microsoft tools
  • Adopt Microsoft’s newest framework early, ensuring compatibility with future developments and unlocking co-marketing opportunities
  • Enable your security teams to investigate, respond to and remediate threats through familiar Microsoft interfaces while harnessing KnowBe4’s advanced detection capabilities

Date/Time: Wednesday, September 10 @ 1:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/knowbe4-microsoft-defender?partnerref=CHNP2

A Warrant Is Out for Your Arrest

A very common voice phishing scam (vishing) is one where the scammer calls you and pretends to be a law enforcement official with a warrant for your arrest for failing to answer a jury duty summons.

Depending on the source you use and the legal jurisdiction involved (e.g., state, federal, county), as much as 20% – 40% of people who receive a summons to appear in court as part of a jury (or Grand Jury) ignore it. They see it and throw it away.

They knowingly throw it away, not wanting to disrupt their life or career to take a day, or potentially weeks, out of their life to sit on a jury. I get it. It can be unexpected and disruptive, and you can spend hours a day waiting to be called, only to not be selected.

Ignoring a jury summons and not showing up for jury selection is a violation of the law and can easily result in serious consequences. If you are a legal citizen, it’s your legal and ethical duty to serve on a jury when called (in countries with citizen juries). But most of the people who get them and ignore them, do so without ever being harassed by the courts or law enforcement.

It makes jury scofflaws good potential phishing victims.

The scammers (usually part of a large call center) have your phone number, name, address and know what county you are in. Then they call you, pretend to be the sheriff’s department or police department and tell you that you have an outstanding warrant and that you will be arrested and pay a big fine.

But…they will offer to let you pay the fine over the phone and avoid arrest, using credit cards or gift cards purchased from a store.

Who would ever believe that law enforcement would let them pay a fine using store-purchased gift cards? A lot of scared people who were always worried about throwing away that jury summons. The defense is easy.

If anyone calls claiming to be from law enforcement or the court system, ask for the case number (they will usually give one), then tell them you will look up the agency’s phone number from a reputable source and call back (never call the number they give you). Most of the time they will either threaten you once more with arrest or simply hang up. Most hang up as soon as they realize the potential victim is onto the scheme.

A lot of people reading this might think they would never fall for this scam. But people do. If it’s not you, it could be a family member or friend. I think we are all susceptible to the right scam at the right moment in our lives.

You can help people avoid this scam by letting them know it exists. And if you get a jury summons, don’t throw it away.

Blog post with links:
https://blog.knowbe4.com/a-warrant-is-out-for-your-arrest

Level Up Your Strategies for Cybersecurity Awareness Month

Cybersecurity Awareness Month is just around the corner, and it’s time to plan your October campaign! While it’s an exciting opportunity, it can also be challenging. How do you turn mandatory security awareness into a fun and engaging campaign that actually reduces human risk?

Join Erich Kron, CISO Advisor at KnowBe4, as he shows you exactly how to do it. You’ll discover how to leverage KnowBe4’s ready-to-use kit to run a complete themed campaign throughout October. We’ve done the heavy lifting so you can focus on what matters most: building a stronger security culture that lasts.

In this fun and practical session, you’ll learn:

  • How to explain cyber threats to users in ways they can relate to and understand in their daily work
  • Real examples and creative campaign ideas showing how admins have created wildly successful cybersecurity awareness campaigns
  • Simple gamification techniques that transform passive learning into competitive fun
  • How to select the right training modules that entertain while they educate and why it matters
  • How to maintain momentum and engagement long after Cybersecurity Awareness Month ends

Join us to get practical tools and creative ideas that will make your Cybersecurity Awareness Month campaign the talk of the organization while dramatically reducing your human risk. Register now and earn CPE credit for attending!

Date/Time: Wednesday, September 17 @ 2:00 PM (ET)

Can’t attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/level-up-your-strategies?partnerref=CHN

Report: AI Can Now Automate Entire Attack Chains

Threat actors can now use AI tools to automate entire attack operations, according to a new report from Anthropic.

The company says an attacker abused its Claude AI tool to create a hacking and extortion campaign that compromised at least seventeen organizations. The attacker used Claude to conduct reconnaissance, initial access, malware development, data exfiltration and extortion analysis.

“A cybercriminal used Claude Code to conduct a scaled data extortion operation across multiple international targets in a short timeframe,” the researchers write. “This threat actor leveraged Claude’s code execution environment to automate reconnaissance, credential harvesting, and network penetration at scale, potentially affecting at least 17 distinct organizations in just the last month across government, healthcare, emergency services, and religious institutions.”

The attacker was able to steal “healthcare data, financial information, government credentials, and other sensitive information, with direct ransom demands occasionally exceeding $500,000.”

Anthropic also observed a Chinese state-sponsored APT abusing Claude to assist in a successful espionage campaign targeting Vietnamese critical infrastructure.

“The actor integrated Claude as an assistant across 12 of 14 MITRE ATT&CK tactics, using it as a technical advisor, code developer, security analyst, and operational consultant throughout their campaign,” the researchers write. “The actor appears to have compromised major Vietnamese telecommunications providers, government databases, and agricultural management systems.”

Additionally, the researchers observed AI-assisted attacks launched by North Korean and Russian APTs, as well as ransomware gangs, romance scammers, and malware developers.

Anthropic has banned the accounts associated with this activity and is working on ways to prevent such abuse in the future. However, organizations should expect attackers to continue to leverage AI in their operations, and these attacks will only grow more sophisticated as the technology improves.

Blog post with links:
https://blog.knowbe4.com/report-ai-can-now-automate-entire-attack-chains

Let’s stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: Your KnowBe4 Compliance Plus Fresh Content Updates from August 2025
https://blog.knowbe4.com/your-knowbe4-compliance-plus-fresh-content-updates-from-august-2025

PPS: ChatGPT Glossary: 56 AI Terms Everyone Should Know:
https://www.cnet.com/tech/services-and-software/chatgpt-glossary-56-ai-terms-everyone-should-know/

Quotes of the Week  

“Constant kindness can accomplish much. As the sun makes ice melt, kindness causes misunderstanding, mistrust, and hostility to evaporate.”
– Albert Schweitzer – Humanitarian (1875 – 1965)


“The simplest acts of kindness are by far more powerful than a thousand heads bowing in prayer.”
– Mahatma Gandhi – Leader of India’s independence movement (1869 – 1948)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-36-one-of-the-biggest-mysteries-in-cybersecurity-why-dont-we-demand-this

Security News

Warning: New Spear Phishing Campaign Targets Executives

Researchers at Stripe warn of a wave of spear phishing attacks targeting C-suite employees and senior leadership across a wide range of industries.

The emails pose as OneDrive document-sharing notifications with subject lines like “Salary amendment” or “FIN_SALARY.” If a user clicks the link, they’ll be taken to a spoofed Microsoft Office/OneDrive login page designed to steal their credentials.

The researchers note that “[b]oth the email body and phishing page are customized with the recipient’s name and company details to enhance credibility.”

Interestingly, the phishing emails use obfuscated button text to avoid detection by security filters. For example, the word “Open” is surrounded by random characters that are invisible when the message is rendered in light mode but show up in dark mode.

“When the initial email is viewed in Light Mode, the buttons appear as ‘Open’ and ‘Share’,” the researchers explain. “In Dark Mode, concealed padding becomes visible, exposing randomized alphanumeric strings such as twPOpenHuxv and gQShareojxYI.

“This breaks up high-value trigger words like ‘Open’ and ‘Share,’ reducing the likelihood of detection by secure email gateways that apply string- or regex-based rules.”
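To make the bypass concrete, here is an added example (my own code, not Stripe’s or KnowBe4’s) that renders an HTML message twice, once the way a string or regex filter sees it and once the way a light-mode reader sees it, and flags any trigger word that exists only in the second view. The sample messages are constructed from the description above; the assumption that the padding is hidden with white-on-white (or zero-size/hidden) inline styles is mine, since the write-up only says the characters are invisible in Light Mode.

```python
"""Added example (not from Stripe's write-up): flag button text that a reader
sees but a string filter does not. The two sample messages are constructed
from the article's description; the hiding styles below are an assumption."""
import re
from html.parser import HTMLParser

TRIGGER_WORDS = ("open", "share", "review")

# Inline styles that hide text on a white background (assumption, see above).
# The lookbehind keeps "background-color:#ffffff" from matching as "color:".
HIDDEN_STYLE = re.compile(
    r"(?<![\w-])color\s*:\s*(#fff\b|#ffffff\b|white\b|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))"
    r"|font-size\s*:\s*0(?:px|pt|em|%)?\s*(;|$)"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden",
    re.IGNORECASE,
)
VOID_TAGS = frozenset({"area", "base", "br", "col", "embed", "hr", "img",
                       "input", "link", "meta", "source", "track", "wbr"})

# Constructed sample following the description above: padding strings around
# the button labels, invisible in light mode, visible in dark mode.
OBFUSCATED_EMAIL = """<html><body style="background:#ffffff">
<p>Alice Example shared "FIN_SALARY.xlsx" with you.</p>
<a href="https://login.example.invalid/"><span style="color:#ffffff">twP</span>Open<span style="color:#FFFFFF">Huxv</span></a>
<a href="https://login.example.invalid/"><span style="color:#ffffff">gQ</span>Share<span style="color:#ffffff">ojxYI</span></a>
</body></html>"""

# Constructed benign counterpart: an ordinary sharing notification.
PLAIN_EMAIL = """<html><body>
<p>Alice Example shared "Q3 roadmap.docx" with you.</p>
<a href="https://onedrive.example.invalid/">Open</a>
</body></html>"""


class _TwoViewParser(HTMLParser):
    """Collects raw text (every character) and shown text (characters not
    inside an element whose inline style hides it). Assumes balanced tags."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0  # > 0 while inside a hidden element
        self.raw, self.shown = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        if self.hidden_depth or HIDDEN_STYLE.search(style):
            self.hidden_depth += 1  # nested elements inherit hiddenness

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        self.raw.append(data)
        if not self.hidden_depth:
            self.shown.append(data)


def _normalise(parts) -> str:
    return " ".join("".join(parts).split()).lower()


def _views(html: str):
    """Return (text a filter sees, text a light-mode reader sees)."""
    p = _TwoViewParser()
    p.feed(html)
    p.close()
    return _normalise(p.raw), _normalise(p.shown)


def _has_word(word: str, text: str) -> bool:
    return re.search(r"\b%s\b" % re.escape(word), text) is not None


def naive_gateway_rule(html: str) -> bool:
    """The kind of string/regex rule the padding defeats: fire when a trigger
    word appears as a whole word in the extracted text."""
    raw, _ = _views(html)
    return any(_has_word(w, raw) for w in TRIGGER_WORDS)


def masked_trigger_words(html: str) -> list:
    """Trigger words the reader sees but the filter does not, i.e. words that
    have been broken up with hidden padding."""
    raw, shown = _views(html)
    return [w for w in TRIGGER_WORDS if _has_word(w, shown) and not _has_word(w, raw)]


if __name__ == "__main__":
    for name, msg in (("obfuscated", OBFUSCATED_EMAIL), ("plain", PLAIN_EMAIL)):
        print(name, "| naive rule fires:", naive_gateway_rule(msg),
              "| masked words:", masked_trigger_words(msg))
```

Against the constructed samples the naive rule fires on the ordinary notification and misses the obfuscated one, exactly the inversion the padding is designed to produce; comparing the two views turns that inversion into a detection, reporting `open` and `share` as masked. The rendered-text comparison is cheap to add in front of existing regex rules, but it depends on recognising the hiding technique, so a production filter would need to cover more CSS (colour close to the background, off-screen positioning, tiny fonts) than this example checks for.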

Stripe offers the following recommendations to help organizations protect themselves against these attacks:

  • “Awareness for executives and assistants – Ensure that those most likely to be targeted understand this campaign. The actor is using realistic ‘salary amendment’ subject lines and personalized company details to increase credibility.
  • Skepticism around unexpected documents – Remind staff to be cautious when receiving links or documents relating to HR, payroll, or salary matters, particularly when sent externally.
  • Reporting suspicious emails – Make it clear how to escalate suspicious messages quickly within your business. The faster these are reported to your security resource, the quicker they can take action to protect others.
  • Support staff training – Executive assistants and close colleagues are also high-value targets. Ensure they receive the same level of awareness training and support as C-suite members.”

Stripe has the story:
https://stripeolt.com/knowledge-hub/expert-intel/analysing-targeted-spearphishing/

Attackers Can Bypass AI Safety Measures to Carry Out Convincing Scams

Researchers at Rutgers University have demonstrated that AI agents can be used to carry out sophisticated scams from start to finish, Help Net Security reports.

The technique, dubbed “ScamAgent,” bypasses AI safety measures by breaking the scam into separate steps. “ScamAgent integrates natural language generation, contextual memory, goal-driven planning, and text-to-speech (TTS) synthesis to conduct full scam conversations without requiring continuous human input,” the researchers write.

“Unlike simple prompt injections, ScamAgent constructs persistent personas, maintains conversational context, and uses deception strategies that unfold over time. This design allows it to bypass existing safety guardrails by decomposing harmful tasks into benign subgoals and leveraging contextual carryover to avoid triggering filters.”

The researchers note that AI-generated voice attacks may bypass traditional defenses against scam calls.

“Research on scam call detection and defense primarily focuses on audio analysis, caller identification, and user behavior using acoustic and call metadata features,” the researchers explain. “However, these approaches generally assume human-generated calls rather than AI-synthesized dialogues.

“The rise of LLM-driven attacks represents a new class of threat that combines linguistic deception, multi-turn planning, and synthetic voice generation, demanding novel detection and mitigation techniques.”

While the researchers focused on voice-based scams, they note that similar techniques can be used to launch various types of social engineering attacks.

“Although ScamAgent was designed to simulate scam call generation, the methods employed generalize well to other misuse domains,” the researchers write. “These include phishing attacks, medical misinformation, impersonation of trusted institutions and manipulation of interactive systems such as customer support bots.

“The agent’s planning mechanism, which allows it to deconstruct goals and adjust its strategy mid-dialogue, poses a significant challenge to traditional static moderation techniques.”

Attackers will always find ways to abuse new technology for malicious purposes, and users need to be prepared for a surge in AI-assisted social engineering attacks. KnowBe4 enables your workforce to make smarter security decisions every day.

Help Net Security has the story:
https://www.helpnetsecurity.com/2025/08/28/scamagent-ai-threats-scam-calls/

 
