Tag

security awareness

Content dedicated to raising security awareness across organizations and among individuals. Covers threat recognition, safe online behavior, reporting protocols, and strategies for embedding a culture of vigilance that reduces human error and minimizes cyber risk exposure.

posts

CISA cybersecurity guidelines

CISA Cybersecurity Guidelines: What Actually Matters

In February 2024, CISA issued an emergency directive after a threat actor compromised Microsoft's corporate email systems and accessed correspondence from multiple federal agencies. The directive forced agencies to reset credentials, review logs, and report back within days. That single incident crystallized something I've been telling

Carl B. Johnson May 16, 2026 6 min read
phishing awareness training

Phishing Awareness Training: What Actually Works in 2026

A 3-Minute Email Cost One Company $37 Million

In 2024, a finance employee at a multinational firm joined a deepfake video call with what appeared to be the company's CFO and several colleagues. Every person on that call was AI-generated. The employee transferred $25.6 million (approximately HK$

Carl B. Johnson Apr 15, 2026 5 min read
cybersecurity training

How to Train Employees on Cybersecurity in 2026

The Breach That Started With a Single Click

In 2023, MGM Resorts lost an estimated $100 million after a threat actor called Scattered Spider social-engineered their way past help desk staff with a ten-minute phone call. The attackers didn't exploit some exotic zero-day. They exploited a human being

Carl B. Johnson Mar 30, 2026 5 min read
phishing meaning

Phishing Meaning: What It Really Is and Why It Works

In May 2025, the FBI's Internet Crime Complaint Center reported that phishing was — for the ninth consecutive year — the most-reported cybercrime in the United States. Not ransomware. Not cryptojacking. Phishing. The simplest attack in the playbook continues to cause the most damage, and the phishing meaning most people

Carl B. Johnson Jan 17, 2026 7 min read
cybersecurity tips

Cybersecurity Tips That Actually Work in 2025

The Breach That Started With a Single Password

In January 2024, Microsoft disclosed that a Russian threat actor group known as Midnight Blizzard accessed corporate email accounts — including those of senior leadership — using nothing more than a password spray attack against a legacy test account that lacked multi-factor authentication. No

Carl B. Johnson Nov 06, 2025 7 min read
cybersecurity awareness training

Cybersecurity Awareness Training: What Works in 2022

In January 2022, the Red Cross disclosed that a cyberattack compromised the personal data of over 515,000 vulnerable people — victims of conflict, missing persons, detainees. The attack vector? A threat actor exploiting an unpatched vulnerability, combined with social engineering techniques that went undetected for weeks. It's a

Carl B. Johnson Mar 21, 2022 7 min read
phishing meaning

Phishing Meaning: What It Really Is and Why It Works

In May 2021, Ireland's Health Service Executive got hit with a Conti ransomware attack that started with a single phishing email. One employee opened one malicious Excel attachment, and the entire national healthcare system went offline for weeks. That's the real-world weight behind the phishing meaning

Carl B. Johnson Aug 25, 2021 7 min read
phishing emails

How to Spot Phishing Emails Before They Cost You

In July 2021, a single phishing email led to a ransomware attack that shut down fuel deliveries across the entire U.S. East Coast. The Colonial Pipeline breach started — like most breaches do — with a compromised credential. If one employee had known how to spot phishing emails, $4.4 million

Carl B. Johnson Aug 18, 2021 7 min read
phishing meaning

Phishing Meaning: What It Really Is and Why It Works

In 2023, the FBI's Internet Crime Complaint Center received over 298,000 complaints about phishing — making it the most reported cybercrime in the United States for the fifth consecutive year. Yet when I ask employees during security assessments to explain what phishing actually is, most give me a

Carl B. Johnson Feb 27, 2020 6 min read