Poker players and other human lie detectors look for “tells,” that is, a sign by which someone might unwittingly or involuntarily reveal what they know, or what they intend to do. A cardplayer yawns when he’s about to bluff, for example, or someone’s pupils dilate when they’ve successfully drawn to an insider straight.

Researchers at Group-IB have found an extensive campaign in which criminal operators have created a large number of fake Facebook profiles that repost messages in which the scammers misrepresent themselves as tech support personnel from Meta (Facebook’s corporate parent). Researchers discovered some 3200 bogus profiles in twenty-three languages. By far most of the profiles were created in English, more than 90%, followed by Mongolian (2.5%), Arabic (2.3%), Italian (0.8%), and Khmer (0.6%).

We’ve had occasion to write about ChatGPT’s potential for malign use in social engineering, both in the generation of phishbait at scale and as a topical theme that can appear in lures. We continue to track concerns about the new technology as they surface in the literature.

You may not have heard of this service planned for July 2023, but it promises a massive new social engineering attack surface. This is from their website: "About the FedNowSM Service. The FedNow Service is a new instant payment infrastructure developed by the Federal Reserve that allows financial institutions of every size across the U.S. to provide safe and efficient instant payment services.

Social media is designed of course to connect, but legitimate modes of doing so can be abused. One such case of abuse that’s currently running involves Linktree, a kind of meta-medium for social media users with many accounts. If you’re unfamiliar with Linktree, which, we stress, is a legitimate service, here’s how the company describes what it will let you do.

A FBI bulletin highlights a new twist in the sextortion game: companies claiming to assist with addressing sextortion who use deceptive social engineering tactics to coerce victims into paying huge fees.

New data shows that cybercriminals started this year off with a massive effort using new techniques and increased levels of attack sophistication. According to cybersecurity vendor Vade’s Q1 2023 Phishing and Malware Report, the number of phishing attacks in Q1 this year reached the highest total since 2018. While January represented the lion’s share of Q1 phishing volume (approximately 87%), Vade detected over 562 million phishing emails.

At a time when cyber attacks are achieving success in varying degrees and IT pros are keeping quiet about resulting breaches, there is one specific type of attack that has them most worried. Despite us all working in IT at a time where the sharing of threat data is at its highest, there is still the notion that organizations don’t want the public finding out about data breaches for fear of the repercussions to the company’s revenue and reputation.

The nature of an advanced artificial intelligence (AI) engine such as ChatGPT provides its users with an ability to use and misuse, potentially empowering both security teams and threat actors alike. I’ve previously covered examples of how ChatGPT and other AI engines like it can be used to craft believable business-related phishing emails, malicious code, and more for the threat actor.

In an interesting twist, new data hints that organizations with cyber insurance may be relying on it too much, instead of shoring up security to ensure attacks never succeed. Cyber insurance should be seen as an absolute last resort and shouldn’t be seen as a sure thing (in terms of a claim payout).