Security Awareness Training

Discover resources and strategies for building effective security awareness training programs. Posts cover curriculum design, engagement techniques, compliance requirements, and methods for measuring training impact to reduce human-related security incidents across organizations.

Phishing Awareness Program

Phishing Awareness Program: Build One That Works

In March 2020, a single phishing email led to a credential theft incident at Magellan Health that exposed data on 365,000 patients. The attacker impersonated a Magellan executive, tricked one employee, and spent five days inside the network before anyone noticed. A functioning phishing awareness program might have stopped

Carl B. Johnson Apr 15, 2021 7 min read
Business Email Compromise

Business Email Compromise: The $1.8B Threat in 2021

In 2020, the FBI's Internet Crime Complaint Center received 19,369 business email compromise complaints. The adjusted losses? A staggering $1.8 billion — making BEC the single most financially devastating cybercrime category in the FBI IC3 2020 Internet Crime Report. That's more than ransomware, more than

Carl B. Johnson Apr 15, 2021 7 min read
Smishing Attacks

Smishing Attack Examples: Real Texts That Steal Data

In February 2021, the FBI warned that threat actors were sending fake text messages impersonating banks, delivery companies, and even state unemployment agencies — all designed to steal credentials and drain accounts. These weren't theoretical risks. The FBI's Internet Crime Complaint Center (IC3) reported over $54 million

Carl B. Johnson Apr 14, 2021 7 min read
Vishing Scam Awareness

Vishing Scam Awareness: Stop Voice Phishing Attacks

In January 2021, the FBI and CISA issued a joint advisory warning about a surge in vishing attacks targeting corporate employees working from home. Threat actors were calling employees directly, impersonating IT help desks, and convincing them to hand over VPN credentials. Within hours, attackers had access to internal networks,

Carl B. Johnson Apr 14, 2021 7 min read
Social Engineering Attacks

Social Engineering Attacks: What Actually Works in 2021

The Phone Call That Cost One Company $75 Million

In 2020, a teenager orchestrated one of the most high-profile social engineering attacks in history. He called Twitter employees, posed as IT staff, and convinced them to hand over credentials to internal tools. Within hours, he'd hijacked accounts belonging

Carl B. Johnson Apr 12, 2021 7 min read
Social Engineering Examples

Social Engineering Examples: Real Attacks That Worked

In July 2020, a 17-year-old from Florida convinced Twitter employees to hand over internal credentials. Within hours, the accounts of Barack Obama, Elon Musk, Joe Biden, and Apple were all posting Bitcoin scam messages. The attacker didn't exploit a software vulnerability. He exploited people. These social engineering examples

Carl B. Johnson Apr 12, 2021 6 min read
Social Engineering

How to Spot Social Engineering Before It Costs You

In July 2020, a teenager convinced Twitter employees to hand over internal credentials through a phone-based social engineering attack. The result: hijacked accounts belonging to Barack Obama, Elon Musk, Joe Biden, and Apple — broadcasting a Bitcoin scam to hundreds of millions of followers. The attacker didn't exploit a

Carl B. Johnson Apr 12, 2021 7 min read
Pretexting Attacks

Pretexting Attack Examples: Real Scams That Bypass Security

In 2020, a teenager and two accomplices convinced a Twitter employee they were from the company's IT department. That single phone call gave them access to internal tools, which they used to hijack 130 high-profile accounts — including those of Barack Obama, Elon Musk, and Apple — netting over $100,

Carl B. Johnson Apr 12, 2021 7 min read
Cybersecurity Awareness Month

Cybersecurity Awareness Month: What Actually Works

One Month Won't Save You — But It Can Start Something That Does

In October 2020, during Cybersecurity Awareness Month, a major hospital chain — Universal Health Services — was fighting off one of the largest ransomware attacks in U.S. healthcare history. The Ryuk ransomware hit over 400 facilities. Staff

Carl B. Johnson Apr 02, 2021 6 min read