
Security Leaders Cite AI-Driven Phishing Attacks as a Top Concern

A new report has found that nearly 40% of security leaders believe their organizations are least prepared for phishing and other social engineering attacks, Help Net Security reports. According to the report from VikingCloud, these concerns are driven by the increasing use of AI tools to assist in cyberattacks. “Generative or agentic AI-driven phishing attacks (51%) are leadership teams’ top concern when it comes to new cyberattack techniques,” the report says.

Report: Deepfake Attacks Have Targeted Nearly Two-Thirds of Organizations

A survey by Gartner found that 62% of organizations have been hit by a deepfake attack in the past twelve months, Infosecurity Magazine reports. Akif Khan, senior director at Gartner Research, told Infosecurity Magazine that deepfakes are currently being used in social engineering attacks to impersonate executives and trick employees into transferring money. “That’s trickier because social engineering is a perpetually reliable thing for attackers to use,” Khan said.

Going DEEP: A Simple Framework for a Complex Problem

In our previous blog post, we discussed the behavioral science behind why people click on malicious links. So far in this series, we’ve established that our old security playbooks are broken and that we’re dealing with the complex psychology of the human brain. Trying to tackle that all at once can feel like herding cats. What we need is a simple, memorable mental map to bring structure to the chaos. Let’s go DEEP.

Building Trust in AI: KnowBe4's Journey Toward ISO 42001 Certification

At KnowBe4, everything we do is built on a foundation of innovation and trust. As we bring more artificial intelligence (AI) into our human risk management platform, we believe it’s essential to be transparent and responsible every step of the way. That's why we're proud to announce that we are pursuing ISO 42001 certification, the world's first standard for managing AI systems.

The 3 Biggest Email Security Challenges Facing Legal Organizations

Law firms are under constant pressure to meet tight deadlines, maintain client confidentiality and protect privileged communications. And as in most aspects of life where technology is so deeply intertwined, the same tools that make work possible can also be significant sources of risk. Consider something as basic as email, likely the most commonly used tool in the profession.

The Behavioral Science Behind the Click

Welcome back. In our last blog post, we talked about the great divide between tech-focused and people-focused security. Now, let’s get nerdy and talk about the fascinating, complex, and occasionally infuriating operating system at the heart of the problem: the human brain. Ever wondered why that "Urgent Invoice" email from a brand-new supplier creates an immediate jolt of anxiety that makes you want to click? That’s not a logic failure; it’s a feature.

Attackers Use AI Development Tools to Craft Phony CAPTCHA Pages

Attackers are abusing AI-powered development platforms like Lovable, Netlify and Vercel to create and host captcha challenge websites as part of phishing campaigns, according to researchers at Trend Micro. “Since January, Trend Micro has observed a rise in fake captcha pages hosted on such platforms,” the researchers write.

New AI-Driven Phishing Platform Automates Attack Campaigns

Researchers at Varonis warn of a new phishing automation platform called “SpamGPT” that “combines the power of generative AI with a full suite of email campaign tools.” While previous phishing kits have automated parts of the attack chain, SpamGPT’s sophistication sets it apart from the rest. “SpamGPT’s interface and features imitate a professional email marketing service, but for illegal purposes,” Varonis writes.

Attackers Abuse Google's AppSheet to Send Phishing Emails

Hackread reports that attackers are abusing Google’s AppSheet platform to send phishing emails. The campaign was spotted by researchers at Raven, who warn that attackers are sending messages that impersonate AppSheet, informing users of phony trademark violations. Notably, the emails are sent from AppSheet’s legitimate infrastructure, making them more likely to bypass security controls and appear legitimate to human recipients.

Why Your Security Strategy Needs a Human Upgrade

Let’s be brutally honest. For years, our industry has been locked in a civil war. In one camp, the technologists have been building higher walls and smarter traps, arguing that the right AI-powered, next-gen firewall will solve all our problems. In the other camp, the behaviorists have been calling for more training and better awareness, convinced that if we just make people understand the risks, they’ll stop clicking on things.