Security Awareness Training

Discover resources and strategies for building effective security awareness training programs. Posts cover curriculum design, engagement techniques, compliance requirements, and methods for measuring training impact to reduce human-related security incidents across organizations.

Phishing

How to Spot a Phishing Email Before It Costs You

In May 2021, a single phishing email led to the shutdown of Colonial Pipeline — the largest fuel pipeline in the United States. One compromised credential. One employee who didn't catch the red flags. The result: fuel shortages across the East Coast, a $4.4 million ransom payment, and

Carl B. Johnson Jul 04, 2019 7 min read
Phishing

What Is Phishing? The Attack Behind 80% of Breaches

In 2023, the FBI's Internet Crime Complaint Center received over 298,000 phishing complaints — making it the most reported cybercrime for the fifth consecutive year. Yet every week, I still talk to business owners who think phishing is just "those obvious Nigerian prince emails." It'

Carl B. Johnson Jul 04, 2019 7 min read
Medusa Ransomware

Medusa Ransomware Gang Phishing Campaigns: What to Know

In March 2025, CISA and the FBI issued a joint advisory warning that the Medusa ransomware gang had compromised over 300 organizations across critical infrastructure sectors — healthcare, education, legal, insurance, and manufacturing. The attack vector wasn't some exotic zero-day exploit. It was phishing. Specifically, carefully crafted Medusa ransomware

Carl B. Johnson Jul 04, 2019 6 min read
Phish

How to Phish Your Own Employees Before Hackers Do

A Single Phish Email Cost One Company $37 Million
In 2024, Orion SA disclosed that a single employee fell for a business email compromise scheme and wired approximately $60 million to a threat actor's accounts. The company recovered some funds, but the net loss still exceeded $37 million.

Carl B. Johnson Jul 04, 2019 6 min read
Phishing

Phishing: Why It Still Works and How to Stop It

A Single Email Cost One Company $100 Million
In 2019, Toyota Boshoku Corporation lost $37 million to a single business email compromise attack. Facebook and Google collectively lost over $100 million to a Lithuanian man who sent fake invoices via email over a two-year period. These weren't sophisticated

Carl B. Johnson Jun 23, 2019 7 min read
Phish Setlist

Phish Setlist for Security: Building Your Attack Playlist

Your Organization Needs a Phish Setlist — Not Just One Test
In 2023, the FBI's IC3 received over 298,000 phishing complaints — making it the most reported cybercrime category for the fifth consecutive year. Yet most organizations I work with still run the same single phishing simulation once a

Carl B. Johnson Jun 23, 2019 6 min read
Phish Tour

Phish Tour: How Attackers Rotate Tactics to Hook You

In early 2024, researchers at Proofpoint documented a campaign where a single threat actor group rotated through at least six distinct phishing lure templates in under three weeks — targeting financial services, healthcare, and education sectors in sequence. Security teams that recognized the first lure missed the second. Those who caught

Carl B. Johnson Jun 23, 2019 6 min read