Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Fake calendar invites have been a problem on Gmail for years. Even though they could appear on other calendar services, I hadn’t seen or read about a lot of it. Gmail had been taking the brunt of the fake calendar invites. However, I got a scam Microsoft Outlook calendar invite recently, and other Outlook users are complaining more as well. So, what was previously happening mostly in Gmail has now moved over to Outlook, too. I am a busy guy.

Avoid fake buyers on Facebook Marketplace. Discover common scam tactics, warning signs, and expert tips to stay safe when selling online. You just sold a stack of old books for $100 on Facebook Marketplace. The buyer seemed eager, messaged instantly, and offered to pay extra. Sounds too good to be true? It probably is. Learn how to spot fake buyers before you lose both your money and your stuff. The buyer seems interested, perhaps too interested.

LAPSUS$-linked breaches did not break multi-factor authentication (MFA) cryptographically. Attackers obtained valid authentication outcomes through techniques commonly described as MFA fatigue attacks or MFA bypass attacks, including push-prompt abuse, SIM swapping, social engineering, and session token replay. Understanding how these attacks succeed helps explain where modern identity defenses must evolve.

It is tax season in the United States and that means plenty of tax scams. I recently received these SMS messages. I am a TurboTax user, so hey, these might be legit, even though they look scammy. I first looked up the ttax.us domain using GoDaddy’s Whois service. The ttax.us domain is not valid. Fact is, scammers would not have sent out a scam message using a non-existent domain, so it probably means that it was taken down. Well, that’s good!

Trust is the most expensive vulnerability in modern security architecture. In recent years, the security industry has pivoted toward a zero trust model for networks — assuming breach and verifying every request. Yet when it comes to the people behind those requests, we often default back to implicit trust. We trust that the person on the Zoom call is who they say they are. We trust that the documents uploaded to an HR portal are genuine. That trust is now being weaponized at an unprecedented scale.

A friend posted this on Facebook and it came up on my feed. I know this person and I was so sorry to read. How horrific! I had no idea who was killed in the accident, so I clicked on the news story. It took me to a site that posted this: This is a real reCAPTCHA posted to filter out anti-malware and content filtering services. When I saw this I knew that this was a fake news story and that my friend’s Facebook account had been taken over by a scammer.

Physical discs have given way to streaming. You can make a purchase with a tap of your phone. But relying on documents to verify business and individual identities isn't going anywhere. In fact, the opposite is true. Some regulations require document checks during identity verification. Even when that’s not the case, documents are becoming popular and valuable components of identity checks because they provide information that isn’t available elsewhere.

Picture this: It’s 3pm on a busy Tuesday. Your phone rings, and the caller ID shows your company's main number. "Hi, this is Jake from IT," says a confident voice. "We're seeing some unusual activity on your account and need to verify your password to secure it. Can you help me out real quick?". Sound familiar? Well, this was the exact technique perfected by a teenager named Kevin Mitnick in 1983, long before the internet, smartphones, or even Windows or Linux existed.

Threat actors are using phony meeting invites for Zoom, Microsoft Teams, Google Meet, and other video conferencing applications to trick users into installing remote monitoring and management (RMM) tools, according to researchers at Netskope. The invites lead to convincingly spoofed landing pages for fake video meetings, complete with a list of coworkers who have supposedly already joined the call. The page instructs the user to install a software update in order to join the video meeting.

Typosquatting is a deceptive technique in which threat actors register misspelled or look-alike domains of legitimate organizations to trick users into visiting fraudulent sites. It remains one of the most effective and underestimated attack vectors in the modern cyber threat landscape. What appears to be a misspelled domain often conceals sophisticated campaigns designed to phish company employees or customers, harvest credentials, deliver malware, and damage organizational reputation.