Social engineering news review

1
Security Awareness Training Reduces Phishing Clicks by 86% — KnowBe4 Report
According to a new report by KnowBe4, employee cybersecurity awareness training reduces global phishing susceptibility by 86% in just 12 months.
In its annual Phishing by Industry Benchmarking Report for 2025, KnowBe4 assessed the Phish-Prone Percentage (PPP) — the share of employees who clicked a phishing link during simulated tests. The average baseline PPP was 33.1%, indicating a high level of vulnerability: nearly one in three employees was ready to engage with potentially malicious content prior to training.

However, once the Security Awareness Training (SAT) program was implemented, the results improved dramatically:
- After 3 months, PPP dropped by 40%
- After 12 months — by 86%

This highlights the effectiveness of consistent, relevant training in changing employee behavior and building a strong cybersecurity culture.

The research analyzed 67.7 million phishing simulations, conducted among 14.5 million users from 62,400 organizations worldwide. The three industries with the highest baseline phishing susceptibility were:
- Healthcare and Pharmaceuticals — 41.9%
- Insurance — 39.2%
- Retail and Wholesale — 36.5%

Larger organizations were also more vulnerable:
- Companies with over 10,000 employees had a baseline PPP of 40.5%
- Smaller organizations (up to 250 employees) showed 24.6%

Geographically, the highest levels of vulnerability were recorded in:
- South America — 39.1%
- North America — 37.1%
- Australia and New Zealand — 36.8%

We often see even mature companies continue investing in technologies while ignoring the human factor. But the numbers don’t lie — over a third of employees fall for phishing before any training. That’s not a weakness — that’s the reality. That’s why a structured training approach — with simulations, hands-on practice, and relevant scenarios — is no longer optional. It’s a must.

2
Microsoft Dynamics 365 Under Attack: A Phishing Campaign That Bypasses Even MFA
Recently, researchers from Check Point uncovered a large-scale phishing campaign where attackers exploited a legitimate Microsoft service — Dynamics 365 Customer Voice. Normally used by businesses to collect customer feedback, this tool was turned into a weapon in the hands of cybercriminals.

The attack is cleverly constructed. Emails are sent from already compromised accounts, with subject lines that seem routine — payment details, reports, or documents. Inside, there’s a link supposedly leading to a Dynamics 365 survey or form. You click — first a CAPTCHA, then a login page. Everything looks legitimate. But it’s not Microsoft. It’s a replica, designed to harvest corporate credentials. Sometimes, even one-time MFA codes are intercepted.

Yes, even multi-factor authentication doesn’t always help. While researchers didn’t reveal the technical details, they confirmed such interception is possible. That’s serious.

What’s especially concerning is that this attack runs through Microsoft’s actual infrastructure. These emails pass spam filters, appear trustworthy, and often don’t raise suspicion — even among employees trained to recognize phishing. Everything looks too normal. Too credible. Too familiar. And that makes it even more dangerous.

This is why such incidents are no longer exceptions — they’re the new reality. In this world, it’s no longer enough to simply remind employees of digital hygiene. That still matters, of course, but phishing has evolved far beyond clumsy emails with spelling errors. Today, it integrates seamlessly into daily workflows, disguises itself as business-as-usual, and strikes quietly, precisely, professionally.

These attacks show us that technical security measures must align with the way people actually communicate at work. Otherwise, even well-informed employees might just do their job — and become the next victim.

3
Data Breach at Insight Partners: How Hackers Targeted Billion-Dollar Stakeholders
In early 2025, news broke of a major data breach at Insight Partners — one of the world’s largest venture capital firms, known for investing in companies like Twitter, SentinelOne, Wiz, Recorded Future, and many others. Although the incident occurred back in January, its consequences are only now becoming fully apparent. The leak affected not just employees and companies within the fund’s portfolio, but also investors — including individuals with billions of dollars under management.

Insight Partners officially confirmed that the breach was the result of a sophisticated social engineering attack. This means the hackers didn’t simply exploit a technical vulnerability; they infiltrated through human factors. It could have been phishing, account compromise, or even simple deception of staff. After detecting the breach, the firm brought in cybersecurity experts. Their analysis revealed that attackers may have accessed internal communications, banking information, fund and investor details, and personal data of current and former employees. Particularly valuable were the names and contact details of limited partners — or LPs — who hold large stakes in venture funds.

The hackers aren’t just stealing data — they’re using it for further attacks, especially BEC (Business Email Compromise) schemes. These attacks rely on trust and the mimicry of legitimate business communication. Imagine this: a CFO receives an email that appears to come from the CEO, urgently requesting a wire transfer to a new supplier. Everything looks authentic — the signature, writing style, even the subject line resembles past discussions. When attackers possess real documents, names, roles, and sample emails, the level of realism becomes dangerously high. That’s why BEC is considered one of the most financially damaging forms of cybercrime. According to the FBI, global losses from these attacks have already exceeded $55 billion.

Deepfake technology adds another layer of threat. This is not a theoretical concern — last year in Hong Kong, an employee was tricked into transferring $25 million after a video call with what appeared to be members of senior management. In reality, the visuals were deepfakes created by AI. The line between truth and fabrication is disappearing. A simple call or Zoom meeting is no longer enough to confirm someone’s identity.

The Insight Partners incident is not just an isolated problem. It’s a warning sign for the entire business community. Today, the target of an attack isn’t infrastructure — it’s trust. Hackers are hunting for information about people and processes: who reports to whom, how decisions are made, who has access to money. Even if a company doesn’t manage billions, it likely works with contractors, clients, and vendors — and a breach can become a gateway to compromising an entire network.

Source: SecurityLab