“Do you have UPI?” That’s all the email said. The sender name looked like my cofounder’s. The email landed in a teammate’s inbox at 1:48 PM. For a second, she almost replied. This is how scams actually start. Just four words that feel ordinary enough to make you click.

And it’s not just us. In 2024, over 36 lakh cyber-fraud complaints were filed in India and citizens reported losses of ₹22,845 crore. UPI fraud incidents nearly doubled year-on-year in FY24 to about 13.4 lakh cases.

The patterns repeat across email, SMS and WhatsApp:
- Fake emails that copy your boss’s or cofounder’s name.
- Urgent asks: “Do you have UPI?”, “KYC expiring today”, “Refund waiting.”
- One wrong click and money gone in seconds.

What saved us? Our teammate paused. She expanded the sender, and checked the “From” and “Reply-To”. The address was off by one letter. Spoofed.

Here’s what you should do the next time this lands in your inbox:
1. Expand the sender. Check the full address, the domain, and the Reply-To.
2. Never share an OTP anywhere. Never share your UPI PIN. Never approve unknown “collect” requests.
3. If money moves, call 1930 and file at cybercrime.gov.in, then alert your bank. The first hour is critical for freezing funds.

One careless “yes” can empty your account. But one careful pause can save a crore. The difference between the two is less than five seconds.
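A small check that automates step 1 of the post, added here as an example and not part of the post: it parses a constructed message, compares the From and Reply-To domains, and flags any sender domain that is one character away from a trusted domain (the trusted-domain set and the sample headers are assumptions).

```python
"""Added example (not from the post): flag From/Reply-To domain mismatches and lookalikes."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the "off by one letter" spoof described in the post.
RAW_EMAIL = b"""From: Cofounder <cofounder@examp1e.com>
Reply-To: cofounder@examp1e.com
To: teammate@example.com
Subject: Do you have UPI?

Do you have UPI?
"""

TRUSTED_DOMAINS = {"example.com"}  # assumption: replace with your organisation's own domains

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches single-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(raw: bytes, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom  # absent Reply-To means From
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in {from_dom, reply_dom}:
        for good in trusted:
            if dom != good and edit_distance(dom, good) <= 1:
                findings.append(f"{dom} is one edit away from trusted domain {good}")
    return findings

if __name__ == "__main__":
    for finding in check_sender(RAW_EMAIL):
        print("WARNING:", finding)
```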
How cyber attacks start via email and social media
Explore top LinkedIn content from expert professionals.
Summary
Cyber attacks often begin through deceptive emails or social media messages, which trick individuals into revealing sensitive information or clicking harmful links. These tactics, known as phishing and social engineering, exploit trust and familiarity to gain unauthorized access to accounts or company data.
- Pause and verify: Always double-check sender details and message authenticity before responding or clicking any links, especially if something feels urgent or unusual.
- Limit sharing: Be mindful about what personal or company information you post online, and avoid oversharing on social media to reduce your risk of being targeted.
- Stay suspicious: Never download attachments or approve requests from unknown contacts, even if they appear professional or familiar.
-
Over one-third of cyber incidents Unit 42 responded to last year began with social engineering tactics. It's now the top method attackers use to break in. Phishing still leads with roughly 65% of these cases. But newer tools like voice cloning, SEO poisoning, fake prompts, and even MFA bombing are on the rise. These attacks often aim at privileged accounts (about two-thirds of incidents) and half impersonate internal staff or support teams. When done right, ol' reliable deception gets you domain admin in under 40 minutes. One in three of these breaches exposed data - a 16-point jump over other tactics. Business email compromise (BEC) featured in many cases, with nearly 60% of BEC incidents leading to leaked info.

AI is powering this evolution. Gen‑AI and AI agents are helping craft believable lures, clone voices, and even automate recon and follow-up steps. That gives attackers scale and speed.

Here's what is critical now:
• Train beyond phishing. Simulate voice scams and deceptive prompts.
• Bridge identity signals - detect odd behavior, not just added credentials.
• Lock down privileged recovery paths and MFA logic.
• Treat identity theft as a top-tier business risk.

Trust your team, but verify every indicator. #cybersecurity #socialengineering #identitysecurity
-
A client once asked, “Do I really need social media security training for my team?” I didn’t say yes. I told him a story. A small agency founder. Just landed a dream client through LinkedIn. He was thrilled. Then the client sent over a contract. Via Google Drive. Looked normal. Wasn’t. One click. That’s all it took. The founder lost control of his company email. Then his LinkedIn. Then access to client data. Because the attacker wasn’t the client. It was a scammer.

And this isn’t rare. Checkpoint says 52% of phishing attacks started on LinkedIn in Q1 2025. Bad actors love platforms where business and personal lines blur.

So what should small businesses do?
➡️ Teach your team to check their privacy settings.
➡️ Encourage them to go private on social.
➡️ Train them to say no to unknown links and downloads.
➡️ Stop oversharing. Seriously.
➡️ Block tags unless they approve them first.

Social media is the new front door. Don’t leave it wide open.
-
𝐓𝐡𝐞 𝐢𝐧𝐢𝐭𝐢𝐚𝐥 𝐯𝐢𝐫𝐮𝐬 𝐬𝐜𝐚𝐧 𝐰𝐚𝐬 𝐜𝐥𝐞𝐚𝐧. 𝐓𝐡𝐞 𝐬𝐚𝐧𝐝𝐛𝐨𝐱 𝐭𝐨𝐥𝐝 𝐚 𝐝𝐢𝐟𝐟𝐞𝐫𝐞𝐧𝐭 𝐬𝐭𝐨𝐫𝐲: 𝐀𝐧 𝐚𝐭𝐭𝐚𝐜𝐤 𝐭𝐚𝐫𝐠𝐞𝐭𝐞𝐝 𝐚𝐭 ... 𝐦𝐞.

It started with a LinkedIn invite to connect, including an opportunity to be recognized as an industry leader... Followed by a LinkedIn message asking for contact details. Followed by an email. Followed by a message with an attachment. One might think: "Wow, this publication is really interested in me!" But you know better. That PDF attachment feels off, but hi, nothing else to look at here, right? You decide to take the extra step. You start with an upload to VirusTotal—0 detections. You’re still suspicious, so you fire up the sandbox—the one you haven't touched in a while as a #CISO. The answer lies right there in front of you. You weren't just looking at a file; you were looking at a sophisticated, multi-stage attack. Luckily, they were unsuccessful this time.

This story (based on real life events from last week) serves as a good reminder to all of us:
1. No one is too big or too small to be a target. Never open links or attachments from anyone you don't know, regardless of how professional they sound.
2. Your average user isn't going to go that far. Even if the email security tool stopped the email (it did), the user might still open the attachment via LinkedIn on their desktop, letting the hackers in.

Bottom line: Invest in defense in depth, ensure your EDR agents are checking in and don't forget about user awareness to help others avoid this trap (and that's what this post is for).
-
Let’s face it—despite next-gen firewalls and endpoint protection, most breaches still start the old-fashioned way: through email and web browsers. Why? Because they’re the tools we use every day, and that makes them the easiest to exploit.

The Problem
✔ Email is a hacker’s best friend—phishing, BEC scams, and weaponized attachments keep evolving. Even with filters, one cleverly disguised email can bypass defenses and trick even savvy users.
✔ Browsers are the wild west—malicious ads, drive-by downloads, and rogue extensions turn routine web browsing into a minefield. And with SaaS apps everywhere, employees are constantly logging into new (and sometimes risky) sites.

Basic spam filters and antivirus won’t cut it anymore. Attackers use AI-generated messages, zero-day exploits, and social engineering to slip past traditional defenses.

What Actually Works
✅ AI-powered email filtering that detects subtle phishing cues (not just obvious spam).
✅ Browser isolation or strict extension controls to stop malicious code before it executes.
✅ Zero Trust policies—because assuming "trusted" users or devices is a recipe for disaster.
✅ Ongoing security training—because human error is still the weakest link.

The Bottom Line
If your security strategy isn’t obsessed with locking down email and browsers, you’re leaving the front door wide open. #CyberSecurity #EmailSecurity #BrowserSecurity #ZeroTrust #Phishing
-
As many of you know, I believe we need to radically improve the terms we use in security and better formalize their definitions. While I typically shy away from terms designed to be clever, tonight I’m leaning toward the idea that if you can’t beat ’em, join ’em. 🤓

Take “phishing,” for example. The term has been stretched so broadly in conversations that it now seems to mean “all forms of social engineering other than pretending to be a flower delivery person.”

I propose two changes:
1️⃣ Start using the term “credential phishing” to clearly describe attacks aimed at stealing usernames, passwords, and MFA credentials.
2️⃣ Create a new term to describe attacks where users are tricked into running software at the behest of a malicious actor.

These are just rough thoughts, and I’d love to hear your feedback. What do you think?

𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴
Credential phishing is a form of social engineering in which an adversary uses deceptive messages, often delivered through email, social media, or other communication channels, to trick a victim into divulging login credentials—specifically usernames, passwords, and multi-factor authentication (MFA) codes or actions (such as approving push notification MFA requests).

𝗧𝗿𝗶𝗰𝗸𝗹𝗼𝗮𝗱𝗶𝗻𝗴
Trickloading is a form of social engineering in which an adversary deceives a victim into downloading and executing software. The software involved is often malicious, such as ransomware, and is typically disguised as a legitimate file, such as a software update, document, or media file. However, adversaries may also misuse legitimate tools, repurposing them for malicious purposes such as tools for remote access, diagnostics, file sharing, or technical support. In both legitimate and malicious cases, victims may be required to bypass security warnings from the downloading application or operating system to proceed. Attackers often guide victims through the process of dismissing or ignoring these warnings. The attack may originate from an imposter message (e.g., email, text, or pop-up) or through a telephone call, often initiated by the victim, as seen in tech support and related scams.
-
I wanted to take a moment to talk about a serious issue that we all need to be vigilant about: social engineering attacks. Social engineering is a form of cybercrime where attackers manipulate or trick targets into revealing information or performing actions that can lead to data exfiltration, theft of sensitive information, or financial fraud.

One of the most prevalent forms of social engineering is phishing scams. Shockingly, an estimated 3.4 billion phishing emails are sent every day! These scams often trick users into giving up confidential data, such as personally identifiable information (PII) or protected health information (PHI). Sometimes, phishing emails ask recipients to click a link or download a file, leading to an infected website or the installation of malware or ransomware on the recipient’s device.

Cybercriminals often impersonate individuals close to executives, such as friends, family members, coworkers, or bosses, to commit fraud or identity theft. These targeted attacks, known as spear phishing or whaling, are designed to deceive high-profile executives. The C-suite is especially at risk after a data breach or cybersecurity incident, as threat actors use stolen confidential data to make their communications appear more convincing.

Another type of social engineering attack is business email compromise (BEC). Unlike spear phishing, which targets high-level executives, BEC attacks aim to impersonate these executives. Lower-level employees may receive fake or spoofed emails from someone pretending to be an executive, leading them to disclose critical information. The financial damage caused by BEC is significant, with the FBI reporting that in 2021 alone, BEC resulted in $49.2 million in victim losses.

To combat these threats, it is essential to educate all our staff on how to spot fraudulent communications. Here are some critical measures we all can take to protect ourselves from social engineering attacks, phishing, and BEC:
1. Social engineering prevention training: Regularly educate employees on the tactics used by cybercriminals and how to recognize suspicious activities.
2. Multi-factor authentication (MFA): Implement MFA to add an additional layer of security, making it harder for attackers to gain unauthorized access.
3. Message sender verification: Always verify the sender's identity before acting on any email requests, especially those asking for sensitive information.
4. Never provide sensitive or personal information through email, phone, or text: Be cautious about sharing confidential data through unsecured channels.
5. Update antivirus, anti-malware, applications, and software: Ensure that all security solutions and software are up-to-date to protect against the latest threats.

By following these preventive measures, we can significantly reduce the risk of falling victim to social engineering attacks. Let's stay vigilant and protect our organizations from these ever-evolving threats.
-
So what do you actually monitor when the pre-attack phase happens on social media? Once you start looking at cyberattacks through the lens of information environments, a different question appears. Not how the attack starts, but what signals appear before it even begins.

1️⃣ Behavioral velocity
Accounts suddenly start publishing at abnormal rates. Not just volume—synchronized acceleration across multiple accounts. That velocity often appears days or weeks before the actual malicious payload.

2️⃣ Synchronized activity
Accounts created months apart begin behaving as if they are part of the same team. Same timing, narrative themes, amplification patterns. Individually they look organic. Together they reveal coordination.

3️⃣ Semantic alignment
Actors increasingly avoid obvious keywords. Instead they operate inside topic clusters and narrative framing. The signal is linguistic fingerprints across posts.

4️⃣ Account history anomalies
Pages that previously posted about completely unrelated topics suddenly pivot to:
• a new brand
• a new technology
• a political narrative
• a financial product
Those pivots often indicate compromised or repurposed accounts.

5️⃣ Paid amplification with no organic history
One pattern we see repeatedly: ads promoting content that has no organic audience history. No engagement build-up or credible audience. Just immediate paid reach. That’s often the moment where influence operations intersect with fraud infrastructure.

The uncomfortable part is that most organizations aren’t monitoring these signals at all. Security teams monitor malware infrastructure. Trust & Safety teams monitor abuse. Comms teams monitor reputation. But information-driven pre-attack activity sits between all of them. And threat actors know it.

Generative AI didn’t invent these tactics. It made them cheap, scalable, and accessible to much smaller actors. Which means the social layer of cyber operations is only going to grow.

The question is no longer whether these signals exist. The real question is: do you have tools in your stack that can actually detect them—and which team is actually responsible for monitoring that layer?
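Detection logic for the first two signals in the post (behavioral velocity and synchronized activity), added here as an example and not part of the post: it runs over a constructed activity log of account/timestamp pairs, flags days on which an account posts at more than three times its median daily rate (the threshold is an assumed tuning value), and then reports days on which several accounts spike together.

```python
"""Added example (not from the post): velocity spikes and synchronized spikes over a constructed log."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed log of (account, ISO timestamp). Three accounts post once a day for six days,
# then all accelerate together on 2025-03-07; the "organic" account keeps its normal pace.
LOG = [(acct, f"2025-03-0{d}T09:00:00")
       for d in range(1, 7) for acct in ("a1", "a2", "a3", "organic")]
LOG += [(acct, f"2025-03-07T{h:02d}:00:00")
        for acct in ("a1", "a2", "a3") for h in range(8, 20)]
LOG += [("organic", "2025-03-07T09:00:00")]

def daily_counts(log):
    """Map each account to a Counter of posts per calendar day."""
    out = defaultdict(Counter)
    for acct, ts in log:
        out[acct][datetime.fromisoformat(ts).date()] += 1
    return out

def velocity_spikes(log, factor=3.0):
    """Return {account: [dates]} where daily posts exceed factor x that account's median rate."""
    spikes = {}
    for acct, counts in daily_counts(log).items():
        baseline = max(median(counts.values()), 1)  # floor at 1 so quiet accounts still get a rate
        hot = [day for day, n in counts.items() if n > factor * baseline]
        if hot:
            spikes[acct] = sorted(hot)
    return spikes

def synchronized(spikes, min_accounts=2):
    """Return {date: [accounts]} for days on which at least min_accounts accounts spiked together."""
    by_date = defaultdict(set)
    for acct, dates in spikes.items():
        for day in dates:
            by_date[day].add(acct)
    return {day: sorted(accts) for day, accts in by_date.items() if len(accts) >= min_accounts}

if __name__ == "__main__":
    spikes = velocity_spikes(LOG)
    print("velocity spikes:", spikes)
    print("synchronized days:", synchronized(spikes))
```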
-
🔎 OSINT — What You Share Online Can Be Used Against You

🧩 Every post, profile update, or photo might feel harmless… but to an attacker, it’s a puzzle piece. Put enough of those pieces together, and they can launch phishing, social engineering, or business email compromise (BEC) attacks against your company.

🚨 That’s why I’ve built a simple Employee OSINT Awareness Guide 📄 to help everyone understand:
✅ What OSINT is (in plain language)
✅ Why it matters to all employees, not just executives
✅ What to share vs. what to avoid online
✅ Privacy checklist for LinkedIn & social media
✅ Real-world examples of how attackers exploit oversharing

💡 Key takeaway: Culture, values, and achievements are safe to share. Tools, processes, and travel schedules are not. By being intentional with what we share, we protect ourselves, our colleagues, and our company. 🛡️

👉 Check out the guide attached to this post, and let’s keep building a strong security culture together. #Cybersecurity #OSINT #SecurityAwareness #Phishing #SocialEngineering
-
𝐌𝐨𝐬𝐭 𝐩𝐞𝐨𝐩𝐥𝐞 𝐭𝐡𝐢𝐧𝐤 𝐩𝐡𝐢𝐬𝐡𝐢𝐧𝐠 = 𝐟𝐚𝐤𝐞 𝐞𝐦𝐚𝐢𝐥𝐬. 𝐓𝐡𝐚𝐭’𝐬 𝐨𝐮𝐭𝐝𝐚𝐭𝐞𝐝.

Today, attacks start in your DMs. LinkedIn. Instagram. Comments. I saw a founder get a message from a “recruiter.” Looked real. Felt normal. One click later… Account gone.

Here’s the shift: Attackers don’t guess. They study you. Your role. Your posts. Your network. Then they craft messages that feel personal.

Common traps:
➤ “Your account will be restricted”
➤ “Check this urgent request”
➤ “We used your content”

Looks real. Feels urgent. That’s enough. And once they’re in? They target your team. Payments. Data. Systems. 𝐎𝐧𝐞 𝐦𝐢𝐬𝐭𝐚𝐤𝐞 → 𝐛𝐢𝐠 𝐝𝐚𝐦𝐚𝐠𝐞.

Simple rule: Never trust DMs for
- logins
- money
- sensitive info
Move it to official channels. Always.

Key takeaway: Phishing didn’t change. Your attention did. 𝐖𝐡𝐢𝐜𝐡 𝐩𝐥𝐚𝐭𝐟𝐨𝐫𝐦 𝐜𝐨𝐮𝐥𝐝 𝐟𝐨𝐨𝐥 𝐲𝐨𝐮 𝐭𝐨𝐝𝐚𝐲?

-----
Hi, I’m Harris D. Schwartz, 𝐅𝐫𝐚𝐜𝐭𝐢𝐨𝐧𝐚𝐥 𝐂𝐈𝐒𝐎 & 𝐂𝐲𝐛𝐞𝐫𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐋𝐞𝐚𝐝𝐞𝐫. I help CEOs and executive teams strengthen their security posture and build resilient, compliant organizations. With deep expertise across 𝐍𝐈𝐒𝐓, 𝐈𝐒𝐎, 𝐏𝐂𝐈, 𝐚𝐧𝐝 𝐆𝐃𝐏𝐑, I focus on making security a business enabler, not just a control function. If you’re planning how your security program should evolve in 2026, this is the right time to start the conversation. #CyberSecurity #Phishing #SocialMediaSecurity #InfoSec #CyberAwareness #DataSecurity #DigitalSafety #SecurityTips #OnlineSecurity #CyberThreats