Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Researchers at Abnormal have discovered the latest evolution in call-back phishing campaigns.

A new BazarCall phishing campaign is using Google Forms to send phony invoices, according to researchers at Abnormal Security. “BazarCall/BazaCall attacks typically start with a phishing email designed to appear as a payment notification or subscription confirmation from a known brand,” Abnormal explains. “Within the email, recipients can find the amount to be charged—generally between $49.99 to $500 or more, depending on the subscription or service being impersonated.

Analysis of nearly a year’s worth of emails brings insight into exactly what kinds of malicious content are being used, who’s being impersonated, and who’s being targeted. I love data built on statistically relevant data samples, as the larger the data set, the more relevant and representative of an entire industry, country, or world it is. One such report is Hornetsecurity’s just released Cyber Security Report 2024.

Phishing, already a serious, ever-present threat, is getting even more pernicious thanks to ChatGPT, which enables threat actors to craft more realistic emails. Clearly, organizations need a way to fight back that recognizes the depth of the threat, including by employing managed detection and response services.

As the holiday season approaches, so does the annual surge in online shopping and holiday package tracking. Unfortunately, this joyous time has also become a prime hunting ground for cybercriminals. In a concerning development, cybersecurity experts are sounding the alarm about a new weapon in the phishing attackers' arsenal: generative artificial intelligence (AI).

First ever insight into those annoying spam calls provides enlightening detail into how many calls are there, where are they coming from, and how much time is wasted dealing with them. It’s sort of the new normal - never answer your phone if you don’t know the caller and let it go to voicemail. Why? Because of the proliferation of spam calls that nobody wants to receive. But just how bad is it? Global communications provider, Truecaller, released its’ first Monthly U.S.

Surveys, unfortunately, show that the vast majority of organizations do little to no security awareness training. The average organization, if it does security awareness training, does it once annually, likely as part of a compliance program. It is not enough We know from customer data collected, involving many tens of millions of records, over 10 years, that the more frequently an organization does training and simulated phishing, the better able their staff is able to spot phishing attacks.

QR code phishing, most commonly referred to as “quishing,” is a type of phishing attack that tricks users into scanning QR codes to steal personal information such as login credentials or credit card numbers. When a user scans a QR code created for a quishing attack, they are taken to a malicious website that either downloads malware on their phone or asks for their personal information.

You would be hard-pressed to find an author and organization (KnowBe4) that has pushed the use of phishing-resistant multi-factor authentication (MFA) harder. When the world was touting “MFA,” we were shouting “PHISHING-RESISTANT MFA” even louder, including here: Today, many of the world’s leading cybersecurity voices, including CISA, Microsoft and Google are pushing phishing-resistant MFA. Here is CISA’s take on it.

On July 26, the U.S. Security & Exchange Commission (SEC) announced several new cybersecurity rules, taking affect mid-December 2023, that will significantly impact all U.S. organizations (and foreign entities doing business in the U.S.) that must follow SEC regulations. Although the announcement did not generate a ton of fanfare off the normal business and cybersecurity sites, the rules will greatly increase resource requirements and actions.