Tag

security awareness training

Resources and best practices for designing and delivering effective security awareness training programs. Covers phishing simulations, compliance requirements, behavior change techniques, measuring training effectiveness, and fostering a culture of vigilance across organizations.

posts

computer security advice

Computer Security Advice That Actually Works in 2026

The Breach That Started With a Single Browser Extension

In early 2024, a data breach at a mid-size healthcare firm started not with some sophisticated zero-day exploit, but with a Chrome extension an employee installed to manage their tabs. That extension harvested saved passwords, session cookies, and browser history. Within

Carl B. Johnson · May 15, 2026 · 5 min read

cyber security

Cyber Security in 2026: What Actually Works Now

The Breach That Changed How I Think About Cyber Security

In February 2024, Change Healthcare suffered a ransomware attack that disrupted insurance claims processing for nearly every hospital and pharmacy in the United States. UnitedHealth Group later confirmed the breach affected approximately 100 million individuals — making it the largest healthcare

Carl B. Johnson · Apr 23, 2026 · 5 min read

computer security software

Computer Security Software: What Actually Stops Breaches

In 2023, MGM Resorts lost roughly $100 million after a social engineering attack bypassed every piece of computer security software they had deployed. The attackers didn't exploit a zero-day vulnerability. They didn't brute-force a firewall. They called the help desk, impersonated an employee, and walked right

Carl B. Johnson · Apr 18, 2026 · 5 min read

FBI Gmail

FBI Gmail Warning: What Every Organization Must Do Now

The FBI Gmail Alert That Changed the Threat Landscape

In late 2024, the FBI issued a stark public service announcement: sophisticated phishing campaigns were actively targeting Gmail's 1.8 billion users, and the attacks were so convincing that even security-savvy professionals were falling for them. By 2025, the

Carl B. Johnson · Apr 11, 2026 · 5 min read

phish

How One Phish Can Cost Your Company Millions

A Single Phish Email Took Down a $13 Billion Pipeline

In May 2021, a single compromised password — likely harvested through a phish — shut down Colonial Pipeline and triggered fuel shortages across the U.S. East Coast. The company paid a $4.4 million ransom within hours. That's the

Carl B. Johnson · Jan 26, 2026 · 7 min read

phishing email

Phishing Email Attacks in 2025: What Actually Works

One Phishing Email Cost MGM Resorts $100 Million

In September 2023, a single social engineering phone call — preceded by a carefully crafted phishing email reconnaissance campaign — led to the breach that shut down MGM Resorts' operations across Las Vegas. Slot machines went dark. Hotel room keys stopped working. The

Carl B. Johnson · Dec 27, 2025 · 7 min read

computer security

Computer Security in 2025: What Actually Works Now

In February 2025, the FBI's Internet Crime Complaint Center reported that cybercrime losses in 2024 exceeded $16 billion — a staggering jump from the $12.5 billion reported the year before. That number landed like a gut punch across the security community, but honestly, none of us were surprised.

Carl B. Johnson · Nov 06, 2025 · 7 min read

phishing training for employees

Phishing Training for Employees: What Actually Works

A Single Click Cost MGM Resorts $100 Million

In September 2023, a threat actor called Scattered Spider social-engineered an MGM Resorts help desk employee with a phone call. That single interaction — not a sophisticated zero-day exploit, not a nation-state supply chain attack — led to a ransomware incident that cost the

Carl B. Johnson · Sep 25, 2025 · 7 min read

phishing meaning

Phishing Meaning: What It Really Is and Why It Works

In January 2024, a finance employee at a multinational firm in Hong Kong transferred $25.6 million to criminals after a video call with what appeared to be the company's CFO. Every person on that call was a deepfake. That's where phishing lives now — far beyond

Carl B. Johnson · Sep 18, 2024 · 7 min read

computer security

Computer Security in 2024: What Actually Works Now

In February 2024, Change Healthcare — one of the largest health payment processors in the United States — was hit by a ransomware attack that disrupted pharmacy operations, delayed patient care, and potentially exposed the protected health information of tens of millions of Americans. The root cause? Compromised credentials on a remote

Carl B. Johnson · Jul 10, 2024 · 7 min read