In January 2024, a finance employee at a multinational firm in Hong Kong wired $25 million to threat actors after a deepfake video call convinced him his CFO had authorized the transfer. The employee had doubts. He hesitated. But the faces on screen looked real, the voices sounded right, and
The $4.88 Million Lesson Your Employees Haven't Learned Yet In January 2024, the SEC's own X (formerly Twitter) account was hijacked because someone fell for a SIM-swap attack. If the agency that regulates public companies can't keep its own accounts secure, what does
In January 2024, a finance employee at a multinational firm in Hong Kong transferred $25 million to threat actors after a deepfake video call convinced him his CFO had authorized the payment. No malware. No zero-day exploit. Just a well-trained employee who wasn't trained well enough. That incident
In January 2024, Microsoft disclosed that a Russian threat actor group — Midnight Blizzard — had breached executive email accounts using a simple password spray attack against a legacy test account that lacked multi-factor authentication. One of the most technically sophisticated companies on the planet, compromised by one of the oldest tricks
The Click That Cost MGM Resorts $100 Million In September 2023, a threat actor called Scattered Spider social-engineered an MGM Resorts help desk employee with a simple phone call. That one interaction led to a ransomware attack that shut down slot machines, hotel check-ins, and digital room keys across Las
October Ends. The Phishing Emails Don't. Every October, organizations plaster break rooms with cybersecurity posters, blast out a few reminder emails, and call it a win. Then November rolls around, and the same employees click the same malicious links. I've watched this cycle repeat for over
In 2023, the FBI's Internet Crime Complaint Center received over 880,000 complaints with potential losses exceeding $12.5 billion — a nearly 22% increase in losses over the previous year. A staggering share of those complaints came from small and midsize businesses. I've spent years helping
In 2023, a single employee at a 12-person accounting firm in Nevada clicked a link in what looked like a DocuSign email. Within four hours, every client file on the network was encrypted. The ransom demand was $250,000. The firm didn't have backups. They paid. That firm
MGM Resorts lost an estimated $100 million in September 2023 because a threat actor called an IT help desk, impersonated an employee, and talked their way into a privileged account. No zero-day exploit. No nation-state malware. Just a phone call and a human who hadn't been trained to
In January 2024, Microsoft disclosed that the Russian threat actor group Midnight Blizzard had breached corporate email accounts — not through some exotic zero-day exploit, but through a password spray attack on a legacy test account that lacked multi-factor authentication. One of the most well-resourced technology companies on the planet got
