Phishing awareness articles teach readers to identify and avoid phishing attacks across email, SMS, voice calls, and social media. Content includes real-world phishing examples, red flags to watch for, reporting procedures, and tips for running phishing simulation campaigns.
posts
A Single Misconfigured S3 Bucket Exposed 540 Million Facebook Records Back in 2019, researchers at UpGuard discovered that two third-party Facebook app developers had left hundreds of millions of user records sitting in publicly accessible Amazon S3 buckets. No hacking required. No sophisticated exploit. Just wide-open cloud storage that anyone
In 2023, a single employee's personal phone led to one of the most damaging casino breaches in history. Threat actors used social engineering to compromise MGM Resorts, and the attack vector started with a device the company didn't fully control. The resulting disruption cost MGM over
A Single Email Cost This Company $100 Million In 2015, Ubiquiti Networks disclosed that threat actors used carefully crafted emails impersonating company executives to trick finance employees into wiring $46.7 million to overseas accounts. The attackers didn't exploit a software vulnerability. They exploited people — with spear phishing.
The Email That Cost One Company $100 Million In 2024, the FBI's Internet Crime Complaint Center reported that business email compromise — a form of spear phishing — accounted for over $2.9 billion in adjusted losses. That wasn't a typo. Billions. And those are just the cases
In late 2024, the FBI issued a stark warning: AI-driven phishing attacks targeting Gmail users had reached a level of sophistication that made them nearly indistinguishable from legitimate communications. We're not talking about the laughably bad "Nigerian prince" emails anymore. These are pixel-perfect replicas of Google
In 2023, MGM Resorts lost roughly $100 million after a social engineering phone call — a single phone call — gave threat actors the foothold they needed to deploy ransomware across the company's entire infrastructure. If you Google "cybersecurity definition," you'll get a tidy textbook answer
In January 2024, a finance employee at a multinational engineering firm in Hong Kong wired $25 million to threat actors after a video call with what appeared to be the company's CFO. The call was a deepfake. But the attack started weeks earlier — with a single spear phishing
That Google Alert in Your Inbox Might Be Real — Or It Might Be the Attack Itself Last year, a finance director at a mid-size logistics company got a Gmail account access warning that looked completely legitimate. It warned of a sign-in from an unrecognized device in another country. She clicked
In November 2023, the international law firm Allen & Overy confirmed it was hit by a LockBit ransomware attack. Weeks earlier, a midsize firm in the southeastern U.S. paid a seven-figure ransom after a threat actor encrypted every client file on its network — and the firm never made headlines
Your Employees' Phones Are the Weakest Link In March 2024, MGM Resorts was still dealing with the fallout of a social engineering attack that started with a simple phone call. But here's what most people missed in the post-incident analysis: the reconnaissance that made that attack possible
