Tag: phishing

  • 16 Billion Passwords Discovered on the Dark Web: What You Need to Know and Do Now

    In a chilling reminder of how fragile digital security can be, cybersecurity researchers recently uncovered a staggering 16 billion unique passwords circulating on the dark web—the largest known cache of stolen credentials to date. This massive breach highlights the growing threat posed by infostealer malware, and it underscores the urgent need for every organization and individual to take cybersecurity hygiene seriously.

    How Did 16 Billion Passwords End Up on the Dark Web?

    These leaked credentials weren’t the result of a single hack. Instead, they’re the result of years of breaches, data leaks, and infostealer malware infections. Infostealers—such as RedLine, Raccoon, and Vidar—silently infect computers, often through phishing emails or malicious downloads. Once installed, they harvest login credentials, browser cookies, crypto wallets, and other sensitive data and send it back to cybercriminals.

    The recently discovered cache, known as “rockyou2024.txt,” is believed to be a compilation of older leaked passwords combined with new, freshly stolen ones. It’s a hacker’s goldmine—and your worst nightmare if you’re not prepared.

    Why Cybersecurity Hygiene Matters More Than Ever

    With this many credentials in criminal hands, password reuse and weak passwords become catastrophic risks. Strong cybersecurity hygiene—including complex, unique passwords and multifactor authentication—isn’t optional anymore. It’s the baseline.

    But even the best passwords can be stolen. That’s why proactive monitoring and training are essential.

    Protect Your Business with Credential Monitoring

    When credentials are compromised, time is critical. A solution like Dark Web ID continuously monitors the dark web for your company’s stolen or leaked credentials. Early detection means you can change passwords, lock accounts, and take action before attackers do.

    Think of it as a burglar alarm for your digital identity.

    Train Your Team to Recognize the Threat

    Technology is only part of the solution. People are the first line of defense—and also the biggest vulnerability. That’s why ongoing security awareness training is critical.

    Solutions like BullPhish ID offer regular phishing simulations and training modules tailored to real-world threats. These help employees recognize suspicious emails, avoid malicious links, and respond correctly if they suspect something’s wrong.

    The more your team knows, the safer your business is.

    Best Practices for Better Security

    Here’s what you can do right now to protect your organization:

    • Implement strong password policies – Use long, complex, and unique passwords. Consider a password manager.
    • Enable multifactor authentication (MFA) – MFA blocks over 90% of account takeover attempts.
    • Deploy Dark Web ID – Get alerts when your credentials are exposed so you can act fast.
    • Use BullPhish ID to train staff – Regular phishing simulations keep your team sharp.
    • Patch systems and software regularly – Infostealers exploit outdated software.
    • Segment networks and enforce least privilege – Limit what users and attackers can access.

    Don’t wait until it’s too late. The 16 billion password leak is a wake-up call—and your opportunity to take action. Cybersecurity is not just an IT problem. It’s a business risk, a reputational risk, and a leadership responsibility.

    Need help getting started? Let us show you how Dark Web ID and BullPhish ID can strengthen your cybersecurity posture and give you peace of mind. Contact us today!
  • Social Engineering Attacks: The Secret Behind Why They Work

    Cybercriminals don’t need to use brute force or write malicious code to break into your systems. All they need to do is target your people. That’s what social engineering is all about. It’s a method that relies on psychological manipulation to bypass technical safeguards, get inside your business and take harmful action.

    These attacks come in many forms. You might recognize terms like phishing, baiting and tailgating. Each one uses a slightly different approach, but the objective is the same: to manipulate someone’s response.

    The goal of this blog is to help you understand the psychology behind these attacks and show you how to protect your team before they become the next target.

    The psychology behind social engineering

    Social engineering succeeds because it targets human instincts. Humans are built to trust when nothing appears to be clearly suspicious. Attackers know this, and they use that knowledge to influence our behavior.

    Once that trust is triggered, they rely on a set of psychological techniques to push you to act:

    Authority: The attacker pretends to be someone in a position of power, such as your manager or finance head, and sends a request that feels urgent and non-negotiable. For example, a message might say, “Please transfer this amount before noon and confirm when complete.”

    Urgency: The message demands immediate action, making you feel that a delay will cause serious problems. You might see alerts like “Your account will be deactivated in 15 minutes” or “We need this approved right now.”

    Fear: A fear-inducing communication creates anxiety by threatening consequences. A typical message might claim your data has been breached and ask you to click a link to prevent further exposure.

    Greed: You are tempted by something that appears beneficial, such as a refund or a free incentive. A simple example would be an email that says, “Click here to claim your $50 cashback.”

    These techniques are not used at random. They’re tailored to seem like ordinary business communication. That’s what makes them difficult to spot—unless you know what to look for.

    Protecting yourself against social engineering

    You can start to defend your business against these attacks with clarity, consistency and simple protections that every member of your team understands and follows.

    Awareness and education: Train your employees to recognize social engineering tactics. Show them how attackers use urgency, authority and fear to manipulate responses. Familiarity is the first step toward better decision-making.

    Best practices: Reinforce security basics in your day-to-day operations. Employees should avoid clicking suspicious links, opening unknown attachments or responding to unexpected requests for information.

    Verify requests: Never act on a request involving sensitive data, money or credentials unless it has been verified through an independent and trusted channel. This could be a phone call to a known number or a direct conversation with the requester.

    Slow down: Encourage your team to pause before responding to any message that feels urgent or out of the ordinary. A short delay often brings clarity and prevents a rushed mistake.

    Use multi-factor authentication (MFA): Add an extra layer of protection by requiring a second form of verification. Even if a password is stolen, MFA helps prevent unauthorized access to your systems.

    Report suspicious activity: Make it easy for employees to report anything unusual. Whether it’s a strange email or an unfamiliar caller, early alerts can stop an attack before it spreads.

    When applied together, these actions strengthen your business’s defenses. They take little time to implement and have a high impact on risk reduction.

    Take action before the next attempt

    Your next step is to put what you’ve learned into practice. Begin by applying the strategies above and stay alert to any unusual attempts.

    If you want support implementing these protections, an IT service provider like us can help. Contact us for a no-obligation consultation to review your current cybersecurity approach, strengthen your defenses and ensure that your business is prepared for the threats that are designed to look like business as usual.
  • Cybersecurity Starts With Your Team: Uncovering Threats and the Benefits of Training

    When you think about cybersecurity, your mind might jump to firewalls, antivirus software or the latest security tools. But let’s take a step back—what about your team? The reality is that even with the best technology, your business is only as secure as the people who use it every day.

    Here’s the thing: cybercriminals are intelligent. They know that targeting employees is often the easiest way into your business. And the consequences? They can range from data breaches to financial losses and a lot of sleepless nights.

    So, let’s break this down. What threats should you be worried about, and how can regular training protect your team and business?

    Common cyberthreats that specifically target employees

    These are some of the main ways attackers try to trick your team:

    • Social engineering
      This is a tactic in almost all cybercriminal playbooks. Attackers rely on manipulation, posing as trusted individuals or creating urgency to fool employees into sharing confidential data or granting access. It’s about exploiting trust and human behavior rather than technology.
    • Phishing
      A popular form of social engineering, phishing involves deceptive emails or messages that look official but aim to steal sensitive information or prompt clicks on harmful links.
    • Malware
      Malware refers to malicious software designed to infiltrate systems and steal data, corrupt files or disrupt operations. It often enters through unintentional downloads or unsafe websites, putting your data and functionality at risk.
    • Ransomware
      A specific kind of malware, ransomware encrypts files and demands payment to unlock them. It’s one of the most financially damaging attacks, holding businesses hostage until a hefty ransom is paid.

    Employee cyber awareness training and its benefits

    You wouldn’t let someone drive your car without knowing the rules of the road, right? The same logic applies here. Cyber awareness training equips your team with the knowledge to spot and stop threats before they escalate. It’s about turning your employees from potential targets into your first line of defense.

    The benefits of regular employee cyber awareness training are:

    • Fewer data breaches
      Well-trained employees are less likely to fall for phishing or other scams, which lowers the chance of a data breach.
    • Stronger compliance
      Many industries require security training to meet legal standards. By staying compliant, you avoid potential fines and build trust with partners.
    • Better reputation
      Showing a commitment to security through regular training shows clients and customers that you take data protection seriously.
    • Faster responses
      When employees know how to spot and report issues quickly, the response to any threat is faster and more effective, minimizing potential damage.
    • Reduced insider threats
      Educated employees understand the risks, minimizing both accidental and intentional insider threats.
    • Cost savings
      Data breaches come with huge costs, from legal fees to loss of customer trust. Training can lessen the chances of cyber incidents and save your company money in the long run.

    So, where do you start?

    Start with a solid cybersecurity program. This isn’t a one-and-done deal. It’s ongoing. Your team needs to stay updated on new threats and best practices. And it’s not just about sitting through a boring presentation. Make it engaging, practical and relevant to their daily roles.

    By investing in your team, you’re not just boosting their confidence—you’re safeguarding your business. And in a world where cyberthreats evolve faster than ever, that’s a win you can count on.

    Not sure how to do it alone? Send us a message. Our years of experience and expertise in cyber awareness training are exactly what you need.
  • Protect Your Employees Against Vishing

    Cybercriminals are always looking for new ways to scam users. Attacks continue to be more sophisticated and common. Organizations must remain vigilant and understand all the different avenues, including vishing (voice phishing), which uses the telephone as the channel for scamming.

    This post defines vishing and outlines the critical steps to take to protect your employees from falling prey to it.

    What is Vishing?

    Vishing is a cybercrime that uses voice communication, most often VoIP (voice over IP) phone systems. Cybercriminals use social engineering tactics to attempt to defraud the person on the other end.

    In many cases, these scammers impersonate the government, the IRS, a bank agent, the police, or another trustworthy organization. The content of the call is typically a threat of arrest, bank account closure, or other serious consequences.

    Unfortunately, many fall victim to it, giving in to the demands of the scammer. They may release private information, such as bank account details, Social Security numbers, or other sensitive data.

    What’s the State of Vishing?

    Vishing grew tremendously in 2020, somewhat as a consequence of remote work. The FBI (Federal Bureau of Investigation) and CISA (Cybersecurity and Infrastructure Security Agency) released a joint advisory on the surge.

    They noted that in mid-July, a vishing campaign targeted various companies through VPN login pages. Actors created phishing pages that mimicked the companies’ internal VPN login page. They then built employee dossiers using social engineering tactics. The hackers often posed as another employee, using spoofed numbers. They told the targeted employee that a new VPN page was available and sent them a link to the fake one. When the victim used the fake VPN page, the hacker could gain access to the company’s networks.

    The combination of VPNs and the elimination of in-person verification made these attacks fruitful for many.

    One example was the Twitter breach in July 2020. Hackers were able to hijack 130 accounts of prominent figures. The company admitted that social engineering and phone spear-phishing were the cause.

    Vishing Techniques

    There are several ways that cybercriminals can execute vishing.

    • VoIP: Creating fake numbers is easy for hackers. These numbers can appear to be local or use the 1-800 prefix.
    • Wardialing: This approach uses software to call specific area codes and leave an urgent voicemail claiming that some security issue occurred. In the voicemail, they ask the victim to call back with account information.
    • Caller ID Spoofing: This is similar to VoIP vishing. Cybercriminals use a fake number or caller ID. It could appear as unknown or as a legitimate number, such as the phone number of a trusted government organization.

    These represent the more technologically forward tactics. However, there’s a low-tech way for hackers to get information—from your trash. They can collect vital information if documents aren’t shredded or properly destroyed.

    Now that we’ve covered the background of the topic, let’s discuss prevention.

    Ways to Protect Against Vishing Attacks

    There are many ways to protect against cybercriminals that use these tactics. They fall into a few buckets: awareness, technology, and best practices.

    Ensure Every Employee Is Aware and Trained

    Employees are often the weak link in a cyber breach. Vishing is just one more way to target them. The best thing you can do is to create a continuous campaign of awareness around cyberattacks. It should be part of your wide-ranging cybersecurity education. Here are some ideas for implementing and maintaining such a campaign:

    • Every new employee should undergo training.
    • All employees should have at least yearly training if not more.
    • IT teams should work with marketing or HR to deliver bite-sized security content. You could distribute this via internal newsletters, intranet sites, or visually with signs and posters.
    • If employees receive a suspicious call, they should have a process to report it to security leaders.
    • Companies should issue advisories to employees about specific scams going on right now, so they’ll be more alert (e.g., scams related to COVID-19 or the IRS around tax time).

    Use Technology to Prevent Calls

    Most organizations employ cloud-based phone systems. Often these platforms have built-in spam caller protection. That’s a good first defense. The technology can flag calls that are likely to come from fraudsters. You then have the chance to either block them or send them to voicemail, so they never get answered.

    Further, phone systems today are often part of a unified communications (UC) platform. There are various security features you’ll want the system to have to protect it from hackers. Having these features in place helps contain the damage if a hacker does succeed in getting information from an employee.

    • Advanced firewall systems that prevent intrusions and integrate with VPNs and traffic management
    • Intrusion prevention systems (IPS) for detecting suspicious traffic that made it through the firewall
    • DDoS (Distributed Denial of Service) protection
    • Commercial-grade edge routers, which are configured to resist IP-based network attacks
    • Regular vulnerability scans

    Other Best Practices to Protect Against Vishing

    There are several other practices to put into place to keep vishing attacks at bay. Using the mobile apps of your UC platform keeps calls routed through your company’s VoIP system, so they won’t come directly to an employee’s personal smartphone number.

    You can also let employees know, especially those working in contact centers, that it’s okay to hang up the phone. If an employee can quickly define the call as vishing, the best thing to do is end the call.

    Finally, be sure you have strict security protocols about exchanging information, especially around accounts or wire transfers. With this as part of your bedrock, employees are far less likely to fall for scams.