In September 2024, a security researcher discovered a stored cross-site scripting vulnerability in a major email platform that allowed attackers to execute arbitrary JavaScript the moment a victim opened a crafted message. No clicks required beyond reading the email. The vulnerability sat unpatched for weeks. If you think XSS is
In 2023, MGM Resorts lost an estimated $100 million after a single social engineering phone call tricked an IT help desk employee into resetting credentials. One employee. One question they got wrong in real life — not on a cybersecurity awareness quiz, but in a live attack. The attacker found a
In 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered a help desk employee with a ten-minute phone call. The attacker didn't exploit a zero-day vulnerability. They exploited a person — someone who hadn't been trained to recognize what was happening. That single
In January 2024, a finance employee at a multinational firm in Hong Kong joined what appeared to be a routine video call with the company's CFO. Everything looked normal — the CFO's face, voice, and mannerisms were all spot-on. The employee followed instructions and wired $25 million
In January 2024, a finance employee at a multinational engineering firm in Hong Kong wired $25.6 million to threat actors after a video call with what appeared to be the company's CFO and several colleagues. Every person on that call was a deepfake. The attack started with
A $100,000 Ransom Demand Starts With One Email In early 2024, the FBI and CISA issued a joint advisory warning that the Medusa ransomware gang had compromised over 300 organizations across critical infrastructure sectors since June 2021. The attack chain almost always starts the same way: phishing campaigns targeting
In January 2024, a finance employee at engineering firm Arup received an email inviting them to a video call with the company's CFO. Everything looked legitimate — the email, the meeting link, even the faces on the screen. It was all a deepfake-powered phish. That single interaction cost Arup
That Gmail Alert Isn't Always What You Think In September 2023, the FBI's Internet Crime Complaint Center warned that business email compromise — much of it involving compromised Gmail and Google Workspace accounts — resulted in over $2.9 billion in reported losses during 2023 alone. A single
In January 2024, a finance worker at British engineering firm Arup was tricked into wiring $25 million to criminals after a video call — a call that started with a single fake email. The message looked like it came from the company's CFO. Everything about it — the sender name,
$4.88 Million Per Breach — and Phishing Opens the Door In January 2024, a finance worker at multinational firm Arup sent $25 million to threat actors after a deepfake video call that impersonated company executives. The attack started with a single phishing email. One message. Twenty-five million dollars gone. That
