Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Phone scams are nothing new, but a recent report from National Trading Standards highlights a shift in how they work.

Most ATO detection tools are watching the wrong moment. Attackers don’t start at your login page – they start days earlier, registering lookalike domains, cloning your site, and harvesting credentials before your stack sees a single signal. Knowing how to detect account takeover means moving detection upstream: to the reconnaissance stage, the cloning event, and the live harvesting window. That’s where the attack is stoppable.

Account takeover mitigation is the process of detecting, containing, and preventing unauthorized access to user accounts before financial or reputational damage occurs. Effective mitigation depends on real-time detection, rapid response, and automated playbooks. Modern account takeover attacks execute in minutes. Credentials are harvested in real time through phishing, reverse proxy phishing, and man-in-the-middle techniques. Attackers often attempt login seconds after a user submits credentials.

Fake calendar invites have been a problem on Gmail for years. Even though they could appear on other calendar services, I hadn’t seen or read about a lot of it. Gmail had been taking the brunt of the fake calendar invites. However, I got a scam Microsoft Outlook calendar invite recently, and other Outlook users are complaining more as well. So, what was previously happening mostly in Gmail has now moved over to Outlook, too. I am a busy guy.

Avoid fake buyers on Facebook Marketplace. Discover common scam tactics, warning signs, and expert tips to stay safe when selling online. You just sold a stack of old books for $100 on Facebook Marketplace. The buyer seemed eager, messaged instantly, and offered to pay extra. Sounds too good to be true? It probably is. Learn how to spot fake buyers before you lose both your money and your stuff. The buyer seems interested, perhaps too interested.

LAPSUS$-linked breaches did not break multi-factor authentication (MFA) cryptographically. Attackers obtained valid authentication outcomes through techniques commonly described as MFA fatigue attacks or MFA bypass attacks, including push-prompt abuse, SIM swapping, social engineering, and session token replay. Understanding how these attacks succeed helps explain where modern identity defenses must evolve.

It is tax season in the United States and that means plenty of tax scams. I recently received these SMS messages. I am a TurboTax user, so hey, these might be legit, even though they look scammy. I first looked up the ttax.us domain using GoDaddy’s Whois service. The ttax.us domain is not valid. Fact is, scammers would not have sent out a scam message using a non-existent domain, so it probably means that it was taken down. Well, that’s good!

Trust is the most expensive vulnerability in modern security architecture. In recent years, the security industry has pivoted toward a zero trust model for networks — assuming breach and verifying every request. Yet when it comes to the people behind those requests, we often default back to implicit trust. We trust that the person on the Zoom call is who they say they are. We trust that the documents uploaded to an HR portal are genuine. That trust is now being weaponized at an unprecedented scale.

A friend posted this on Facebook and it came up on my feed. I know this person and I was so sorry to read. How horrific! I had no idea who was killed in the accident, so I clicked on the news story. It took me to a site that posted this: This is a real reCAPTCHA posted to filter out anti-malware and content filtering services. When I saw this I knew that this was a fake news story and that my friend’s Facebook account had been taken over by a scammer.

Physical discs have given way to streaming. You can make a purchase with a tap of your phone. But relying on documents to verify business and individual identities isn't going anywhere. In fact, the opposite is true. Some regulations require document checks during identity verification. Even when that’s not the case, documents are becoming popular and valuable components of identity checks because they provide information that isn’t available elsewhere.