This is a post to explain why PornHub’s extortion story matters far beyond adult content. This is the same phishing led analytics failure that exposed OpenAI customer data and impacted other Mixpanel customers who still haven’t come forward. Different brands. Same entry point. Same security failure. The problem isn’t who

This is an account takeover attack that bypasses phishing detection, malware controls, and authentication safeguards. It exploits legitimate authorisation workflows exactly as designed. There is currently no technical control that reliably prevents it. Awareness is the only effective defence. Some referring to this as “device code phishing” but I don’t

Here’s a good example of a security vendor claiming to offer a Zero Trust firewall that’s fundamentally different from everything else on the market. Technically, it isn’t. The same claim is made about their browser software. For the same reason, that isn’t zero trust either. It’s a threat detection firewall

This article sits in the middle of an important exchange between Paul Rohan, Aidan Herbert, and my earlier post on PSD3, instant payments, and upstream fraud prevention. Paul challenged the casual use of the phrase “new paradigm” in security, arguing correctly that most so called innovations are just faster versions

By the end of this article you’ll understand why fraud, account takeovers, and data theft keep rising, why all of today’s conventional security systems are failing to protect everyone from new phishing scams, and why Zero Trust for web links is now the only way for EU banks and payment

The Gist Reuters reported on the new PSD3 agreement and the increased pressure it will place on banks to prevent fraud even as instant payments remove their ability to pause suspicious transactions. Banks are about to face higher liability under PSD3 at the same time instant payments remove their last

There’s a widespread belief that criminals using AI changes something about phishing detection. It doesn’t. And the reason it doesn’t is so simple that most people overlook it. Let’s start with the structure of a phishing attack. A phishing attack exists only when the final object exists. Everything before that

90% of cybercrime begins with phishing and it usually comes down to one moment. A person interacts with a link they can’t assess after it slips past the security tools they rely on. This is why the link isn’t just the starting point for most attacks. It’s the single place

I came across a LinkedIn article about an OAuth phishing attack, and I want to explain why it’s far simpler than the security industry makes it sound. The article is full of technical language, reactive controls, and long descriptions of Microsoft audit logs, but once you strip away the jargon

Think about how you move through your digital life. Every time a text arrives, you pause. Every time an email lands, you hesitate. Every time you see an offer on social media, you wonder if it’s genuine. Every time someone sends you an app, you check it twice. We’ve all