The US Cybersecurity and Infrastructure Security Agency (CISA) has found that compromise of valid accounts and spear phishing attacks were the two most common vectors of initial access in 2022, Decipher reports. Valid accounts were compromised in 54% of successful attacks. “Valid accounts can be former employee accounts that have not been removed from the active directory or default administrator accounts,” CISA said.

We've reported on several Amazon scams, but for once, there is positive news. Amazon sent an email Thursday morning highlighting the top scams your users should watch out for: Prime Membership Scams Per Amazon, "These are unexpected calls/texts/emails that refer to a costly membership fee or an issue with your membership and ask you to confirm or cancel the charge.

Researchers from Carnegie Mellon University and the Center for A.I. Safety have discovered a new prompt injection method to override the guardrails of large language models (LLMs). These guardrails are safety measures designed to prevent AI from generating harmful content. This discovery poses a significant risk to the deployment of LLMs in public-facing applications, as it could potentially allow these models to be used for malicious purposes.

What happened? The SEC (Securities and Exchange Commission) has introduced new rules that require public companies to be more transparent about their cybersecurity risks and any breaches they experience. This means companies will need to regularly share information about how they're managing cybersecurity risks and any significant cybersecurity incidents they've had. If a company experiences a significant cybersecurity incident, they'll need to report it within four business days.

Social engineering is involved in 70% to 90% of successful compromises. It is the number one way that hackers and malware successfully attack devices and networks. No other initial root cause comes close (unpatched software and firmware are a distant second, being involved in about 33% of attacks). A particular type of social engineering is responsible for more successful compromises than any other type of attack: spear phishing.

New data focused on the first half of the year shows some anomalies. Phishing attacks are slowing down… that is, until you dive into the details. I can’t remember the last time I posted a headline stating that phishing numbers were down; that’s because we haven’t seen this trend occur in a number of years. But new data from Vade Secure’s H1 2023 Phishing and Malware Report shows an interesting outlier that skews a high-level view of the data.

Amid potential concerns by governments, customers, and prospects about ties with the Russian government, the cybersecurity vendor Group-IB continues in its promise to separate itself from Russia. You can understand how an organization may look at a Russia-based company these days; it’s not the fault of the Russian company, but of the negative posture many feel towards the Russian government.

Fraudsters are spreading scams on Facebook that pose as ads for legitimate AI tools, according to researchers at Check Point. The Facebook pages impersonate ChatGPT, Google Bard, Midjourney, Jasper, and more.

Scammers are taking advantage of the popularity of the Barbie movie, according to researchers at McAfee. “In the last 3 weeks, we’ve seen 100 new instances of malware that have Barbie-related filenames,” the researchers write. “Once again, this shows how attackers have latched onto the movie’s hype, hoping the people will click the malicious files because the Barbie name is trending. The types of files varied but included typical types such as.html and.exe.

IBM Security has released its annual Cost of a Data Breach Report, revealing that the global average cost of a data breach reached $4.45 million in 2023. This marks a significant increase of 15% over the past 3 years, making it the highest recorded cost in the history of the report. Notably, detection and escalation costs have seen a substantial rise of 42% during the same period, indicating a shift towards more complex breach investigations.