The Breach That Started With a Single W-2 In early 2023, the IRS warned — again — about a surge in W-2 phishing scams targeting businesses. A threat actor sends one convincing email to someone in payroll. That person exports employee tax records. Within hours, fraudulent tax returns are filed under dozens
In March 2022, Lapsus$ breached Okta, Microsoft, and Nvidia — three companies with enormous security budgets — partly by exploiting weak or absent multi-factor authentication. The attackers used social engineering, SIM swapping, and MFA fatigue attacks to bypass single-layer defenses. Had stronger two-factor authentication been uniformly enforced, several of those breaches could
In February 2022, a teenage hacker tricked a T-Mobile employee into performing a SIM swap, then used that hijacked phone number to intercept SMS verification codes and breach Lapsus$ targets including Nvidia and Microsoft. The attack wasn't sophisticated. It didn't require zero-day exploits. The threat actor
A hospital employee clicked a link in what looked like a routine password reset email. Within 72 hours, CommonSpirit Health — one of the largest U.S. health systems — was battling a ransomware attack that disrupted operations at over 140 facilities. The investigation report cited "lack of basic security awareness&
In 2022, the FBI's Internet Crime Complaint Center received over 800,000 complaints totaling losses exceeding $10.3 billion — a 49% increase over 2021. When I talk to the people behind those numbers, a pattern emerges fast: they didn't understand what was happening to them because
In February 2023, the U.S. Marshals Service confirmed a major ransomware attack that compromised sensitive law enforcement data — including personally identifiable information and internal legal documents. A federal agency with dedicated security staff and government-grade infrastructure still got hit. If you're running a business without those resources,
In 2022, the FBI's Internet Crime Complaint Center (IC3) received over 800,000 complaints with losses exceeding $10.3 billion — and malware was the engine behind a staggering number of those incidents. I've spent years watching organizations get blindsided not because they lacked firewalls, but because
In February 2023, the FBI's Internet Crime Complaint Center reported that malware-related complaints had surged again, with losses running into the hundreds of millions. Buried in those numbers is a distinction most people get wrong: adware vs spyware. I've watched organizations treat adware as a minor
In September 2022, Uber disclosed a breach that started with a single employee accepting a multi-factor authentication push notification they shouldn't have. The threat actor behind it — linked to the Lapsus$ group — had already compromised the employee's credentials. But the initial foothold? Social engineering and malware
In March 2022, the FBI issued a Private Industry Notification warning that cybercriminals were using keyloggers embedded in fake business invoices to compromise corporate networks. The attackers harvested credentials for weeks before anyone noticed. By then, the damage was done — financial accounts drained, email systems hijacked, and sensitive client data
