Tag

Security Awareness Training

Discover resources and strategies for building effective security awareness training programs. Posts cover curriculum design, engagement techniques, compliance requirements, and methods for measuring training impact to reduce human-related security incidents across organizations.

posts

Phishing

How to Spot a Phishing Email: 9 Red Flags That Matter

In March 2022, the Lapsus$ threat actor group breached Okta — a company literally in the business of identity security — by compromising a single employee through a social engineering campaign that started with phishing. If it can happen to an identity provider securing thousands of enterprises, it can happen to your

Carl B. Johnson Jan 09, 2023 8 min read
Phishing

What Is Phishing? A Security Pro's Real-World Guide

A Single Email Cost This Company $121 Million In 2017, a Lithuanian man orchestrated a phishing scheme that tricked both Google and Facebook into wiring him over $121 million combined. He sent fake invoices from a spoofed email address impersonating a legitimate hardware vendor. Employees at two of the most

Carl B. Johnson Dec 25, 2022 7 min read
Medusa Ransomware

Medusa Ransomware Gang Phishing Campaigns Explained

A Ransomware Gang That Starts With Your Inbox In 2022, the Medusa ransomware gang emerged as one of the most aggressive threat actors targeting organizations through phishing campaigns. They don't kick down the front door — they walk through it with stolen credentials, harvested from carefully crafted phishing emails

Carl B. Johnson Dec 25, 2022 6 min read
Phishing

Phish: Why Employees Still Take the Bait in 2022

A Single Phish Cost Twilio 163 Million User Records In August 2022, Twilio — a company that powers authentication for thousands of apps — confirmed that attackers used SMS-based phishing to compromise employee credentials. That single phish gave threat actors access to data from 163 customer accounts, which cascaded into a breach

Carl B. Johnson Dec 25, 2022 6 min read
Phishing

Phishing in 2022: What Actually Works to Stop It

Twilio disclosed in August that a phishing campaign tricked its employees into handing over credentials via SMS, exposing data tied to over 130 organizations — including Signal users. A few weeks later, Uber suffered a breach when an attacker used social engineering to fatigue an employee with multi-factor authentication push requests

Carl B. Johnson Dec 18, 2022 6 min read
Phishing Simulation

Phish Setlist for Security: Building Your Attack Plan

Why Every Security Team Needs a Phish Setlist In March 2022, Okta confirmed that the Lapsus$ threat actor group breached a third-party support engineer's account — and a big part of that attack chain started with social engineering. A single compromised credential. One phishing message that worked. That'

Carl B. Johnson Nov 21, 2022 7 min read
Phish Tour

Phish Tour: Simulated Attacks That Train Your Team

One Clicked Link Cost This Company Everything In September 2022, a single employee at Uber clicked a link in a social engineering attack. The threat actor, reportedly affiliated with Lapsus$, used that foothold to access internal systems, Slack channels, and cloud infrastructure. The breach made global headlines — not because Uber&

Carl B. Johnson Nov 21, 2022 7 min read
Phishing Definition

Definition of a Phishing Attack: What It Really Looks Like

In March 2022, the hacking group Lapsus$ breached Okta by phishing a single contractor's credentials. That one successful social engineering attack gave threat actors access to systems used by thousands of companies worldwide. If you're searching for the definition of a phishing attack, that incident is

Carl B. Johnson Oct 24, 2022 7 min read