Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Messaging platforms are now a major vector for phishing and other social engineering attacks, according to a new report from NCC Group’s Fox-IT. The researchers warn that legitimate messaging apps such as WhatsApp, Telegram, Discord, Signal, LinkedIn, and Gmail-integrated messaging serve as avenues through which attackers can target users while evading email security filters.

Email-based threats are evolving faster than traditional solutions can keep up. According to Verizon’s 2025 Data Breach Investigations Report, the use of synthetically generated text in malicious emails has doubled over the past two years. That makes it far more difficult to spot social engineering attacks like phishing, which trick users with deceptive messages.

The U.S. public sector faces unique challenges as it is tasked with safeguarding the most sensitive data of citizens, all while maintaining the critical infrastructure that keeps society functioning. Unfortunately, government and educational institutions are no longer just peripheral targets, they are on the frontline of cyberattacks.

It is tax season in the United States and that means plenty of tax scams. I recently received these SMS messages. I am a TurboTax user, so hey, these might be legit, even though they look scammy. I first looked up the ttax.us domain using GoDaddy’s Whois service. The ttax.us domain is not valid. Fact is, scammers would not have sent out a scam message using a non-existent domain, so it probably means that it was taken down. Well, that’s good!

Phishing isn’t just increasing. It’s outpacing the way many organizations test for it. Attacks have surged 400% year over year, and corporate users are now more likely to be targeted by phishing than by malware. As social engineering becomes a primary entry point into enterprise environments, how you assess phishing risk matters just as much as how often you train for it.

Our increasing dependence on the internet and, specifically, email for business and personal communication has produced the perfect environment for cybercriminals to launch phishing attacks. As organization’s technical controls have advanced, cybercriminals have evolved their attacks, making them more difficult for traditional email security solutions that use signature-based detection (such as Microsoft and secure email gateways (SEGs) to detect.

Sending a work email to the wrong person – it’s something all of us have done at least once in our working lives. For some people, it’s a regular occurrence. But just how risky is it? Thinking back over your recent emails, you can probably pick out the ones that would have been worse to misdirect than others. In the best case it’s a non-issue or only slightly embarrassing.

For legal organizations, the integrity of communication isn't just a business requirement, it’s a foundational pillar of the profession. Whether it’s a sensitive case strategy, a confidential merger agreement, or personal client data, the information contained within firm emails represents an immense amount of trust and significant liability. However, as law firms increasingly migrate to cloud environments like Microsoft 365, they face a double-edged sword.

By the end of 2026, over 90% of all credential compromise attacks are estimated to be enabled by modular Phishing-as-a-Service (PhaaS) kits like the sophisticated, global threat, Kratos. This aggressive platform has already begun reshaping the threat landscape. At its core, Phishing-as-a-Service (PhaaS) is a malicious cloud-based service that allows easier deployment of phishing attacks and faster updating of features as compared to traditional phishing and malware attacks.

A friend posted this on Facebook and it came up on my feed. I know this person and I was so sorry to read. How horrific! I had no idea who was killed in the accident, so I clicked on the news story. It took me to a site that posted this: This is a real reCAPTCHA posted to filter out anti-malware and content filtering services. When I saw this I knew that this was a fake news story and that my friend’s Facebook account had been taken over by a scammer.