Tag

Credential Theft

Posts exploring how attackers steal usernames, passwords, and authentication tokens through phishing, keylogging, brute force attacks, and credential stuffing. Includes actionable guidance on multi-factor authentication, password managers, and monitoring for compromised credentials.

posts

Fake Identity Website

Fake Identity Website Threats: How to Spot and Stop Them

The Fake Identity Website That Fooled an Entire HR Department Earlier this year, an HR team at a mid-size logistics company received a job application that checked every box. The resume was polished, the LinkedIn profile looked legitimate, and the applicant's personal website — showcasing a portfolio and professional

Carl B. Johnson Jul 16, 2024 7 min read
Fake Mailer

Fake Mailer Attacks: How Threat Actors Spoof Emails

In January 2024, a finance director at a mid-sized logistics company wired $740,000 to a bank account in Hong Kong. The email requesting the transfer appeared to come from the CEO's exact email address — correct display name, correct domain, correct signature block. It wasn't the

Carl B. Johnson Jul 13, 2024 7 min read
Cloud Computing Security

Cloud Computing Security: 7 Mistakes That Cause Breaches

In January 2024, Microsoft disclosed that a Russian threat actor group known as Midnight Blizzard had breached its corporate email systems — not through some exotic zero-day exploit, but through a password spray attack on a legacy test account that lacked multi-factor authentication. If Microsoft, a company that literally sells cloud

Carl B. Johnson May 13, 2024 7 min read
Phishing Attack Examples

Phishing Attack Examples: 7 Real Breaches That Cost Millions

One Email Cost This Company $100 Million In 2019, Toyota Boshoku Corporation — a major Toyota parts supplier — lost $37 million after an employee wired funds to a fraudster posing as a legitimate business partner. That same year, Nikkei's American subsidiary lost $29 million to a nearly identical scheme.

Carl B. Johnson May 03, 2024 7 min read
Phishing Prevention Tips

Phishing Prevention Tips That Actually Stop Breaches

In January 2024, a finance employee at a multinational firm in Hong Kong wired $25 million to threat actors after a deepfake video call convinced him his CFO had authorized the transfer. It started with a phishing email. Every catastrophic breach I've investigated over the past decade traces

Carl B. Johnson May 02, 2024 7 min read
Phishing Prevention

How to Avoid Phishing Attacks: A Practical Guide

In January 2024, a finance employee at a multinational firm in Hong Kong wired $25.6 million to threat actors after joining a video call where every other participant — including the company's CFO — was a deepfake. The attackers had spent weeks studying publicly available video of those executives,

Carl B. Johnson May 02, 2024 7 min read
Business Email Compromise

Business Email Compromise: The $2.9B Threat in 2024

In 2023, the FBI's Internet Crime Complaint Center reported that business email compromise accounted for $2.9 billion in adjusted losses — making it the single costliest category of cybercrime they track. Not ransomware. Not credit card fraud. Email scams where someone pretends to be your CEO, your vendor,

Carl B. Johnson May 02, 2024 7 min read
Spear Phishing

What Is Spear Phishing? The Targeted Attack Behind Major Breaches

In January 2023, Reddit disclosed that an attacker had used a carefully crafted phishing email — targeting a specific employee with internal details about the company — to steal credentials and access internal systems. It wasn't a mass-blast scam. It was a precision strike. That's spear phishing in

Carl B. Johnson May 02, 2024 7 min read
Smishing Attacks

Smishing Attack Examples: Real Texts That Stole Millions

In February 2024, the FBI warned that threat actors stole over $10 billion through internet-enabled fraud in 2023 — and SMS-based phishing, commonly called smishing, was one of the fastest-growing attack vectors cited in the FBI IC3 annual report. If you think smishing is just a nuisance text from a fake

Carl B. Johnson Apr 08, 2024 7 min read
Vishing Scam Awareness

Vishing Scam Awareness: Stop Voice Phishing Attacks

The Phone Call That Cost One Company $25 Million In early 2024, a finance worker at engineering firm Arup was tricked into transferring $25 million after receiving a video call that appeared to include the company's CFO and other colleagues — all deepfake recreations. The attack started with a

Carl B. Johnson Apr 08, 2024 7 min read