What is Smishing in Cybersecurity and How to Prevent it?

Cybercriminals are increasingly using sophisticated techniques such as smishing to exploit mobile users. Smishing is a type of scam conducted through SMS (Short Message Service). Attackers use this method to get people to give up private information or click on harmful links. This fraudulent method exploits the speed and trust people place in text messages by pretending to be a trusted organization, such as a bank or the government.

Introducing Persona's candidate verification solution: Stop AI-powered candidate fraud before it reaches your workforce

Hiring has never been easy. But in the last year, it’s taken on an entirely new level of complexity. Fake candidates have become one of the most urgent problems facing HR, talent, and InfoSec teams alike. Today’s recruiters are flooded with AI-generated resumes that are nearly impossible to distinguish from legitimate candidates. When fake candidates make it to interviews, the tactics escalate with deepfakes used to impersonate people and proxy stand-ins for technical assessments.

How to Detect Account Takeover Attempts in the First 5 Minutes

Most ATO detection tools are watching the wrong moment. Attackers don’t start at your login page – they start days earlier, registering lookalike domains, cloning your site, and harvesting credentials before your stack sees a single signal. Knowing how to detect account takeover means moving detection upstream: to the reconnaissance stage, the cloning event, and the live harvesting window. That’s where the attack is stoppable.

Fake Calendar Invitations Move to Microsoft Outlook

Fake calendar invites have been a problem on Gmail for years. Even though they could appear on other calendar services, I hadn’t seen or read about a lot of it. Gmail had been taking the brunt of the fake calendar invites. However, I got a scam Microsoft Outlook calendar invite recently, and other Outlook users are complaining more as well. So, what was previously happening mostly in Gmail has now moved over to Outlook, too. I am a busy guy.

Effective Account Takeover Mitigation Playbook: Real-Time ATO Response Framework

Account takeover mitigation is the process of detecting, containing, and preventing unauthorized access to user accounts before financial or reputational damage occurs. Effective mitigation depends on real-time detection, rapid response, and automated playbooks. Modern account takeover attacks execute in minutes. Credentials are harvested in real time through phishing, reverse proxy phishing, and man-in-the-middle techniques. Attackers often attempt login seconds after a user submits credentials.

How to avoid the fake buyers flooding Facebook Marketplace

Avoid fake buyers on Facebook Marketplace. Discover common scam tactics, warning signs, and expert tips to stay safe when selling online. You just sold a stack of old books for $100 on Facebook Marketplace. The buyer seemed eager, messaged instantly, and offered to pay extra. Sounds too good to be true? It probably is. Learn how to spot fake buyers before you lose both your money and your stuff. The buyer seems interested, perhaps too interested.

How LAPSUS$ Bypassed MFA and How to Prevent Similar Identity Attacks

LAPSUS$-linked breaches did not break multi-factor authentication (MFA) cryptographically. Attackers obtained valid authentication outcomes through techniques commonly described as MFA fatigue attacks or MFA bypass attacks, including push-prompt abuse, SIM swapping, social engineering, and session token replay. Understanding how these attacks succeed helps explain where modern identity defenses must evolve.

TurboTax SMS Scam

It is tax season in the United States and that means plenty of tax scams. I recently received these SMS messages. I am a TurboTax user, so hey, these might be legit, even though they look scammy. I first looked up the ttax.us domain using GoDaddy’s Whois service. The ttax.us domain is not valid. Fact is, scammers would not have sent out a scam message using a non-existent domain, so it probably means that it was taken down. Well, that’s good!