CyberheistNews Vol 12 #06 [Heads Up] Beware of New QuickBooks Payment Scams

CyberheistNews Vol 12 #06  |   Feb. 8, 2022
[Heads Up] Beware of New QuickBooks Payment Scams

Many small and mid-sized companies use Intuit’s popular QuickBooks program. They usually start out with its easy-to-use base accounting package, and QuickBooks then aggressively pushes complementary add-on features. One of those add-ons is the ability to email invoices to customers.

The payee can click a “Review and pay” button in the email to pay the invoice. Years ago this was a free, but less mature, feature; these days it costs extra. Still, if you already use QuickBooks for your accounting, being able to generate, send, receive and electronically track invoices in one place is an easy sell.

Unfortunately, phishing criminals are exploiting QuickBooks’ popularity to run business email compromise (BEC) scams. The emails appear to come from a legitimate vendor that uses QuickBooks, but if the potential victim takes the bait, the invoice they pay goes to the scammer.

Worse, the payment request can require the payee to use the ACH (automated clearing house) method, which means entering their bank account details. So if the victim falls for the scam, the criminal now has their bank account information as well. Not good.

Note: Some other QuickBooks scam warnings tell you that QuickBooks will never ask for your ACH or banking details. This is not completely true. QuickBooks the company, and its support staff, never will, but legitimate QuickBooks email payment requests often do, so an ACH form by itself is not a tell. Warn your users in Accounting.

CONTINUED at the KnowBe4 blog with both legit and malicious example screenshots:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, February 9 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at TWO NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Security Culture Benchmarking feature lets you compare your organization’s security culture with your peers’
  • NEW! AI-Driven training recommendations for your end users in their own UI
  • Brandable Content feature gives you the option to add branded custom content to select training modules
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, February 9 @ 2:00 PM (ET)

Save My Spot!

The 4 Things You Should Be Doing Right Now To Best Improve Your Cybersecurity

The key to really good cybersecurity is to concentrate on just four things. Master them first before you begin to try to do the other hundreds of things that everyone else is going to tell you that you need to do.

Here are the four things all computer security people should do to lower cybersecurity risk most significantly and effectively:

  • Mitigate social engineering
  • Patch exploited software
  • Practice good password hygiene
  • Use multi-factor authentication (MFA)

There it is. Those four things, if concentrated on and done well, will make you and your organization significantly less likely to experience a negative cybersecurity event. If not done well, as is the case with most people and organizations, it will mean you are at higher risk for negative cybersecurity events.

No other defense recommendations (e.g., antivirus, firewalls, least privilege, etc.) will do as much to significantly reduce cybersecurity risk as the four things mentioned above.

I am not staking my 34-year cybersecurity career on saying that these four things will do more to decrease cybersecurity risk than anything else, because for the entirety of the computer age, these four defenses would have put down 99% of all cybersecurity attacks.

It is people’s and organizations’ inability to correctly focus on these four things that allows cybercriminals and their malware to be as successful as they are. I am not saying they are the only four things you should be doing, or that doing these four things very well will absolutely mean you will not get hacked. But what I am saying is that the odds of you or your organization getting hacked go up significantly if you do not do these four things well, and vice versa.

I have written white papers, books and hundreds of cybersecurity articles on this topic. If you want the basis for my recommendations, please read my magnum opus on the topic: A Data-Driven Computer Defense.

Or read any of the free articles I post on LinkedIn every week. I am a broken record about this topic. When I die, if I get this one point across to more people and help to better secure people’s computers, organizations and the Internet, I will die a happy man. – Roger Grimes.

CONTINUED at the KnowBe4 blog:

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, February 9 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4’s KCM GRC platform. Plus, get a look at new compliance management features we’ve added to make managing your compliance projects even easier!

  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
  • Vet, manage and monitor your third-party vendors’ security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST SP 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due

Date/Time: TOMORROW, Wednesday, February 9 @ 1:00 PM (ET)

Save My Spot!

Web Trackers Collect Much More Info About Your Users’ Browsing Activity Than Previously Believed

Researchers at Norton LifeLock have found that web trackers are collecting much more information about users’ browsing activity than had previously been believed. Such trackers can follow users around much of the internet in order to build a profile about them. The profiles are usually compiled for advertising purposes.

“It’s common knowledge that web trackers know an astonishing amount of info about you,” the researchers write. “Our new research discovered that sometimes they know as much as twice what was previously found. And even if you delete your browser’s data history, they can reconstruct your ‘data identity’ within hours.”

While web trackers aren’t inherently malicious, users should be aware of how much of their information is being collected. If a company that holds this information is breached, attackers can easily use the data to launch large-scale social engineering attacks.

Norton LifeLock offers the following findings:

  • “Top Trackers: Our study reveals that top trackers can see 73% of an average user’s browsing history despite appearing on a smaller number of unique domains.
  • “The power of sharing: We also estimate how much additional knowledge organizations can gain if they cooperate. Two organizations would see a 5% bump if they shared data; more than two organizations cooperating could push that number up to 50%.
  • “Getting to know you — quickly: Consumers encounter, on average, 177 tracking organizations in one week; they will encounter half of those trackers in the first two hours of browsing. In other words, if the user were to start over with a fresh browser, it would only take two hours on average to re-encounter 50% of all trackers.”

People need to know that much of their online information is public, that scammers and spies can use this information in targeted phishing attacks, and that phishing and other forms of social engineering are threats to organizations as well as individuals. New-school security awareness training can give your employees a healthy sense of skepticism so they can avoid falling for social engineering attacks.

Blog post with links:

Incredible Email Hacks You’d Never Expect and How You Can Stop Them

If you think the only way your network and devices can be compromised via email is phishing, think again!

A majority of data breaches are caused by attacks on the human layer, but email hacking is much more than phishing and launching malware. From code execution and clickjacking to password theft and rogue forms, cybercriminals have more than enough email-based tricks that mean trouble for your InfoSec team.

In this webinar Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist and security expert with over 30 years of experience, explores many ways hackers use social engineering and phishing to trick your users into revealing sensitive data or enabling malicious code to run.

Roger will show you how hackers compromise your network. You’ll also see incredible demos including a (pre-filmed) hacking demo by Kevin Mitnick, the World’s Most Famous Hacker and KnowBe4’s Chief Hacking Officer.

Roger will teach you:

  • How remote password hash capture, silent malware launches and rogue rules work
  • Why rogue documents, establishing fake relationships and tricking you into compromising your ethics are so effective
  • The ins and outs of clickjacking
  • Actionable steps on how to defend against them all

Email is still a top attack vector cybercriminals use. Don’t leave your network vulnerable to these attacks, and earn CPE credit for attending.

Date/Time: Wednesday, February 16 @ 2:00 PM (ET)

Save My Spot!

Phone Number Only Phishing on the Rise. Roger Calls Back the Scammers.

I do not have the data to support my conclusion, but I and others have noticed a sharp increase in email phishing attempts that include only a phishing message and a phone number to call. There are no embedded links or file attachments, and the subjects are just plausible enough that I can see them slipping by normal phishing filters and tricking some very small percentage of people.

If the potential victim is tricked into calling the included phone number, they will usually be directed to a scammer who will attempt to get them to pay a fraudulent bill using some method of payment. The involved phone number is often a VoIP phone number that connects to the scammer’s cell phone somewhere around the world.

Two Examples

Most of the phishing scams involve supposed pending payments for things the victim did not order. They are intended to induce a panicked response in the recipient who then calls to stop an order and bill they did not incur. The phishing scams range from very simple text to more elaborate, branded forms. Here are two examples.

CONTINUED in this KnowBe4 blog post:
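A worked example of the filtering gap Roger describes, added here and not part of his post or the KnowBe4 blog: a small Python scanner that flags the "phone number only" pattern, meaning payment or order language plus a callable phone number and no URLs or attachments, which is exactly the combination that URL- and attachment-centric filters miss. The two sample messages, the keyword list, the phone-number regex (North American formats only) and the threshold are constructed for illustration and would need tuning against real mail flow.

```python
import email
import re
from email import policy

# Constructed sample messages (not taken from the newsletter): a callback-
# phishing "pending payment" lure that carries only a phone number, and an
# ordinary receipt that carries a link instead.
PHISH_RAW = """From: "Billing Dept" <billing@example-invoices.test>
To: victim@example.org
Subject: Your order #48213 has been processed - $499.99
Content-Type: text/plain; charset="utf-8"

Thank you for your purchase. Your annual subscription has been renewed
and $499.99 will be charged to your account within 24 hours.
If you did not authorize this order, call our support team immediately
at +1 (888) 555-0142 to cancel.
"""

LEGIT_RAW = """From: "Acme Store" <orders@acme.test>
To: victim@example.org
Subject: Receipt for order 1001
Content-Type: text/plain; charset="utf-8"

Hi, here is your receipt. You can view the order at
https://acme.test/orders/1001 or reply to this email with questions.
"""

# Illustrative pressure/payment vocabulary; tune against your own mail flow.
URGENCY_WORDS = (
    "charged", "renewed", "payment", "invoice", "subscription", "order",
    "authorize", "cancel", "refund", "immediately", "call",
)
# NANP-style numbers only (assumption for the example): 555-0142, (888) 555-0142, +1 888 555 0142 ...
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def body_text(msg):
    """Concatenate the text/plain parts (a non-multipart message walks as itself)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            parts.append(part.get_content())
    return "\n".join(parts)


def has_attachments(msg):
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def score_callback_phish(raw):
    """Return the evidence gathered and a verdict for the phone-number-only pattern."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    lowered = text.lower()
    phones = PHONE_RE.findall(text)
    keywords = [w for w in URGENCY_WORDS if w in lowered]
    links = bool(URL_RE.search(text))
    attachments = has_attachments(msg)
    # The lure needs a number to call and some pressure to call it; the absence
    # of links and attachments is what lets it past URL and file filters.
    verdict = bool(phones) and not links and not attachments and len(keywords) >= 2
    return {
        "phones": phones,
        "keywords": keywords,
        "links": links,
        "attachments": attachments,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        print(label, score_callback_phish(raw))
```

The point of the rule is the conjunction: plenty of legitimate mail contains phone numbers, and plenty contains words like "order", so neither alone is worth an alert. Mail that has nothing clickable and nothing to detonate but still wants you to pick up the phone is the signal; on a real gateway this would feed a score alongside sender reputation rather than block outright.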

Let’s stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from January 2022. Check out The Inside Man Season 4 Trailer!:

PPS: [New Feature] Give Your Users Additional AI-Driven Learning Opportunities with NEW Recommended Optional Learning:

Quotes of the Week

“For true love is inexhaustible; the more you give, the more you have.”
– Antoine de Saint-Exupery – Novelist (1900 – 1944)

“No legacy is so rich as honesty.”
– William Shakespeare (1564 – 1616)


Thanks for reading CyberheistNews


Security News

New Phishing Campaign Is Impersonating Zoom To Steal Credentials

A phishing campaign is impersonating Zoom in order to steal users’ Microsoft credentials, according to Lauryn Cash at Armorblox. The emails landed in about 10,000 inboxes, and targeted “a major online mortgage brokerage company located in North America.”

“The email took advantage of the end users’ natural instinct (in any Zoom call) to start the meeting,” Cash writes. “When the user clicked on the link to start the meeting they fell into the trap of the malicious attack and were navigated to a landing page that mimics a Microsoft Outlook login screen.”

The emails also contained the users’ real names, which increased the legitimacy of the attack. “The email title, sender name, and content aimed to induce trust and urgency in the victims – trust because the email claimed to come from a legitimate company, Zoom, and a sense of urgency because it claimed the victim was late to starting a meeting,” Cash writes.

“The email included the victim’s name in the title as well, further adding a sophisticated nature to the targeted attack.” Cash recommends that users be cautious when clicking on links in emails, especially if the email is unexpected.

“Since we receive an abundance of emails from service providers, our brains have been trained to quickly execute on the requested actions,” Cash says. “It’s best to engage with these emails in a rational and methodical manner whenever possible – easier said than done, we know! A best practice is to perform an ‘eye test’ on the email received that includes inspecting the sender name, email address, language within the email, and any logical inconsistencies within the email.”

Cash adds that you should also enable multi-factor authentication and use a password manager to make it more difficult for attackers to gain access to your account.

We all have a tendency to drop our guard when we encounter the familiar. New-school security awareness training can teach your employees to follow security best practices so they can thwart phishing attacks.

Blog Post with links:
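Part of Cash’s “eye test” (sender name, email address, logical inconsistencies) can be automated before the mail ever reaches a human. The following is an added example, not Armorblox’s or KnowBe4’s code, that runs three of those checks over a message constructed to resemble the campaign described above: does the display name claim a brand whose sending domains (a constructed allowlist) do not include the From domain; does Reply-To divert replies elsewhere; and does the “start the meeting” link lead to a host that belongs to neither the sender’s domain nor the claimed brand. The sample messages, the allowlist and the crude registrable-domain helper are assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (illustrative only): which sending domains a brand named
# in the display name may legitimately use. A real deployment would be broader.
BRAND_DOMAINS = {
    "zoom": {"zoom.us"},
    "microsoft": {"microsoft.com"},
    "outlook": {"microsoft.com", "outlook.com"},
}

# Constructed samples (not real campaign mail): an impersonation modelled on the
# "you are late to your meeting" lure, and a benign invite from the brand's own domain.
PHISH_RAW = """From: "Zoom" <no-reply@zoom-meeting-alerts.test>
Reply-To: support@mailer-relay.test
To: jane.doe@example.org
Subject: Jane Doe, your meeting started 11 minutes ago
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Jane, the team is waiting for you.</p>
<p><a href="https://outlook-login-verify.test/session?u=jane.doe">Start Meeting</a></p>
</body></html>
"""

LEGIT_RAW = """From: "Zoom" <no-reply@zoom.us>
To: jane.doe@example.org
Subject: Weekly sync
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://zoom.us/j/1234567890">Join Meeting</a></p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host):
    """Last-two-labels approximation of the registrable domain (assumption; use a
    public-suffix list in production)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def eye_test(raw):
    """Return human-readable findings; an empty list means nothing odd was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    claimed = set()
    # 1. Display name claims a brand the sender domain is not allowed to use.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower():
            claimed |= allowed
            if registrable(from_dom) not in allowed:
                findings.append(f"display name claims {brand!r} but sender domain is {from_dom}")
    # 2. Reply-To routes replies somewhere other than the sender's domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and registrable(domain_of(reply)) != registrable(from_dom):
        findings.append(f"Reply-To goes to {domain_of(reply)}, not {from_dom}")
    # 3. Links whose host is neither the sender's domain nor the claimed brand's.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        allowed_hosts = claimed | {registrable(from_dom)}
        for text, href in collector.links:
            host = (urlparse(href).hostname or "").lower()
            if registrable(host) not in allowed_hosts:
                findings.append(f"link {text!r} goes to {host}, outside {sorted(allowed_hosts)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        print(label, eye_test(raw) or ["no findings"])
```

The third check is the one that catches this particular campaign: a Zoom-branded mail whose only call to action lands on a host impersonating a Microsoft login page is a logical inconsistency no matter how good the lure text is. None of this replaces MFA and a password manager, which Cash also recommends; it only shortens the list of mail a human has to eyeball.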

Increased “Shipping Delays” Now Served as Phishbait

Attackers are exploiting pandemic-related supply-chain disruptions to launch phishing campaigns, according to Troy Gill, senior manager of threat intel at Zix. In an article for Threatpost, Gill describes a phishing attack that impersonated a major shipping company.

“[R]ecently the Zix Threat Research team uncovered a spoofing attack where the threat actors posed as one of the largest container-shipping lines in the world,” Gill says. “The email encouraged the recipient to download a shipping document confirmation by clicking on a malicious link. If the user complied, they would be directed to a very convincing phishing page that cycled through different realistic-looking company backgrounds, with a sign-in screen overlay meant to steal the user’s email credentials.”

Gill points out that these phishing emails, like many social engineering attacks, instill a sense of urgency to compel users to click the link.

“Another continuing trend involves generating a feeling of pressure and urgency to keep recipients from giving it too much thought before responding or following the link,” Gill writes. “Of late, this tactic has become more convincing and subtle, such as stating individuals will lose access to a valuable account if they do not respond immediately.”

Gill concludes that organizations need to use a combination of employee training and security technologies to defend against phishing attacks.

“Although spoofing attacks are continuing to evolve, the burden on organizations can be lessened by implementing the right training and adopting the most effective technology solutions to keep email, employees and the company as a whole protected,” Gill writes.

“Shipping and logistics companies are dealing with a lot of uncertainty right now, and so are their customers. The strength of companies’ cybersecurity posture doesn’t need to be another question mark.”

External stressors like the COVID pandemic can have important implications for the threats a business faces. New-school security awareness training can give your organization an essential layer of defense by enabling your employees to spot phishing attacks.

Blog Post with Links:

What KnowBe4 Customers Say

“Hello Mr. Sjouwerman, Thank you for reaching out. I am very happy with the whole platform, but to tell you the truth, I also very much like the whole approach, onboarding and follow-up that is done by the account manager who is assigned to us. I think this adds a lot to the platform itself. It shows that you do not only care about the training and online services but it shows how you care about enhancing the experience for us to better utilize the services.

Not all companies are like this and to me, this is a real game changer in terms of approach. Again, thank you very much for reaching out, it is very appreciated. Best regards!”

– B.M., President & IT Infrastructure Specialist

The 10 Interesting News Items This Week

  1. The five most popular cognitive biases that result in phishing attacks:

  2. North Korea Hacked Him. So He Took Down Its Internet:

  3. WSJ: Cyberattack on News Corp, Believed Linked to China, Targeted Emails of Journalists, Others:

  4. FBI urges athletes to keep personal devices at home, use burners during Beijing Winter Olympics:

  5. WSJ Opinion: “Going After the Kremlin Mafia”:

  6. Iranian state-sponsored group APT35 linked to Memento ransomware:

  7. String of cyberattacks on European oil and chemical sectors likely not coordinated, officials say:

  8. FBI says more IP Cyber Theft comes from China than everywhere else:

  9. Microsoft: Russian FSB hackers hitting Ukraine since October:

  10. Ukrainian cyberdefense in need of upgrades as tensions rise:

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff