KnowBe4 Research Shows Eighty-Two Percent of Email Servers are Misconfigured

KnowBe4, provider of the world’s most popular integrated new-school security awareness training and simulated phishing platform, analyzed more than 10,000 email servers and identified that eighty-two percent of them are misconfigured, allowing spoofed emails to enter an organization disguised as coming from a company’s own domain.

KnowBe4 reviewed thousands of domains that have been through its no-cost domain spoof test to uncover the results. This examination revealed that protection against one of the most common security issues – spoofing – is frequently set up incorrectly, allowing a cybercriminal to impersonate an employee, or worse, a key executive. As part of its no-cost domain spoof test, KnowBe4 has worked with thousands of IT managers to determine whether they are open to such an attack, finding that in more than 80 percent of the cases their email servers are misconfigured and allow phishing attacks in, making them an easy target.

According to KnowBe4 CEO Stu Sjouwerman, “A typical scenario is a spoofed email that looks like it comes from the IT administrator or ‘IT’ asking an employee to update their email account credentials. The uneducated employee fills out their username and password credentials thinking they are complying with a request, missing the telltale signs of a phishing attack with a spoofed email address. This can lead to any number of nefarious scenarios, including a ransomware attack where all computers on the company network are hijacked.”

Ransomware has nearly doubled in the first half of 2016, and phishing emails are the top vehicle used to spread the rapidly evolving threat. Many IT managers and executives are realizing that outdated security techniques will not combat today’s more sophisticated cybercriminal. It is vital that businesses deploy a defense-in-depth strategy with effective security awareness training for all employees from the mail room to the board room included as part of the outer layer, along with policies and procedures.

“Adding security awareness training as part of a defense-in-depth program creates a ‘human firewall’ that is a highly effective part of defending against social engineering attacks. When spoofed phishing attacks make it through the filters, your users are a critical part of your defense,” continued Sjouwerman. “Training employees to make better security decisions helps mitigate the risk of social engineering.”

KnowBe4 uses a number of customizable email templates for simulated phishing, and a gallery of community templates created and shared by IT managers. Out of more than three million simulated phishing attacks sent out by KnowBe4 over the course of Q3 2016, the company identified the top phishing subject lines that employees are most likely to click on, which include:

  • Email Account Updates
  • Re: Your Vacation Request
  • Internet Capacity Warning
  • Email Server Migration Failure
  • Your Amazon Order Receipt
  • Join my network on LinkedIn
  • All Employees: Update your Healthcare Info
  • 50% off iPhone 7, no matter your provider!
  • Alert: Dallas Shooters Identified
  • New Java Version Rollout

KnowBe4 believes that safe security practices need to take place all year long, not just during Cyber Security Month, and encourages both SMBs and large enterprises to include proactive security awareness training and simulated phishing programs to help strengthen their human firewall.

About KnowBe4
KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform, is used by more than 6,000 organizations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO Fraud and other social engineering tactics through a new school approach to security awareness training. Kevin Mitnick, internationally recognized computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s trainings based on his well-documented social engineering tactics. Thousands of organizations trust KnowBe4 to mobilize their end-users as a first line of corporate IT defense.
Number 139 on the 2016 Inc 500 list, KnowBe4 is based in Tampa Bay, Florida. For more information, visit and follow Stu on Twitter at @StuAllard.

