Last updated: July 5, 2026 at 9:01 AM UTC
Tag: social-engineering (30 articles)

Ransomware crews pose as Interpol to pressure small businesses into paying

Dark Reading reports a ransomware campaign that leans on impersonating Interpol to pressure small businesses, using straightforward social engineering rather than sophisticated tooling. By dressing up their demands as communications from the international police organization, the attackers try to intimidate owners and staff who may lack dedicated security teams into believing they are in legal trouble and paying up. The campaign spans several regions, including the United States, Europe, and the Middle East. It is a reminder that authority-themed impersonation remains effective against smaller organizations, where a convincing-looking notice can short-circuit normal caution and verification.

Check
Warn staff, especially at smaller organizations, that law-enforcement bodies like Interpol do not demand payment by email or pop-up, and that any such message should be verified through official channels before acting.
Affected
Small and mid-sized businesses without dedicated security teams, across the US, Europe, and the Middle East; attackers use Interpol-themed intimidation to rush victims into paying rather than verifying the demand's legitimacy.
Fix
Train employees to recognize authority-impersonation scams, verify any law-enforcement contact independently, maintain tested offline backups, and give staff a clear, judgment-free way to report suspicious demands before they act.

Attackers abuse OpenAI organization invites to phish data from security firms

Push Security reports that attackers are creating OpenAI organizations that impersonate legitimate companies and inviting employees, including at cybersecurity firms, to join them, aiming to trick people into entering sensitive company information into chats and projects under attacker control. The danger is that the invitations are sent by OpenAI's own infrastructure: they are genuine platform messages that authenticate as OpenAI mail, so the email security controls that would catch ordinary phishing have nothing to flag. It is a reminder that a trusted SaaS platform can be turned into a phishing channel through its normal invitation feature; the message is legitimate even though the inviting organization is fraudulent. Verifying unexpected invites through a separate channel is the key defense.

Check
Tell staff to treat unexpected invitations to join an organization on OpenAI or other SaaS platforms with suspicion, and monitor which external organizations employees' work accounts have joined.
Affected
Employees, including at security firms, who receive genuine-looking organization invitations from SaaS platforms; data typed into an attacker-controlled organization's chats or projects is exposed to the attacker.
Fix
Train staff to verify unexpected SaaS organization invitations through a separate channel, monitor SaaS organization memberships, and set policies on which platforms and tenants employees may join with work accounts.

FBI warns Russian hackers now steal Signal backup recovery keys to hijack accounts

The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key, an attacker can restore the account's backup, read its private and group message history, and take over the account; the key keeps working until it is regenerated, so a one-time lapse gives lasting access. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.

Check
High-risk users should review who could have prompted them to share a Signal backup or recovery key, and check Signal for unexpected linked devices or signs their account history was restored elsewhere.
Affected
Signal users targeted by Russian intelligence, especially officials, military personnel, journalists, and activists; a stolen backup recovery key exposes full message history and grants lasting account takeover.
Fix
Never share your Signal backup or recovery key, store it offline, regenerate it if you suspect exposure, verify linked devices, and distrust anyone guiding you through backup steps.

Scammers abuse Shopify's Shop app to plant fake receipts for callback phishing

Attackers are abusing Shop, the order-tracking app from Shopify, by getting fake purchase receipts to appear in users' order histories, then using them to lure victims into callback phishing. Because the bogus orders show up inside a legitimate, trusted app rather than in an easily spotted scam email, they look convincing. The fake receipts typically reference an unexpected charge and a phone number to call to dispute it; when the victim calls, the scammers pose as support staff and walk them into handing over sensitive information or account access. It is a twist on callback phishing that borrows credibility from a real shopping platform.

Check
Warn users that unexpected orders or receipts appearing in the Shop app may be fake, and that any phone number prompting them to call about a charge should be treated as suspicious.
Affected
Shop app users who see unfamiliar purchase receipts in their order history; the goal is to provoke a panicked phone call where scammers extract payment details, credentials, or remote access.
Fix
Verify charges only through official banking and merchant channels, never the phone number in an unexpected receipt, and report suspicious entries. Organizations should add callback phishing to security-awareness training.

WhatsApp malware spreads fake invoices that install remote-access admin tools

Kaspersky is tracking an active campaign that spreads through WhatsApp by hijacking real accounts and sending their contacts a script file disguised as a business or financial document, with no accompanying message. If a Windows user opens it, the script disables User Account Control protections and silently installs ManageEngine Endpoint Central, a legitimate IT remote-management tool, configured to connect to attacker servers and hand them remote control of the machine. Using trusted contacts and signed, legitimate software helps the attack slip past suspicion and many security tools. The campaign spans several countries, with most confirmed victims in Malaysia, and how the WhatsApp accounts are compromised is still unknown.

Check
Warn staff to treat unexpected document or invoice files sent over WhatsApp as suspect, even from known contacts, and watch for remote-management tools installed outside approved IT processes.
Affected
Windows users who receive and open script files sent through compromised WhatsApp contacts; the campaign is global, with most confirmed victims in Malaysia, and abuses legitimate remote-management software for access.
Fix
Verify unexpected files through a separate channel before opening, block script attachments, allowlist approved remote-management software and alert on unauthorized installs, and keep User Account Control enabled with endpoint protection active.

Cardiac monitoring firm iRhythm says patient health data stolen in attack

iRhythm, the US digital-health company behind the Zio wearable heart monitor, has told regulators that attackers stole patient data in a breach it considers material. In an SEC filing, the company said it detected unauthorized activity on June 8 in third-party-hosted business applications, accessed through a social-engineering attack, and received an extortion demand the next day from a threat actor claiming to hold proprietary data, protected health information, and other personal data. iRhythm says its clinical systems, medical devices, patient safety, and operations were not affected, with no payment-card or financial data involved. No ransomware group has publicly claimed the attack, and the number of affected people is not yet known.

Check
Healthcare and other organizations should review how third-party-hosted business applications are secured and monitored, and confirm that help desks and staff can resist social-engineering attempts to grant access.
Affected
iRhythm patients and others whose protected health information and personal data sat in the affected third-party business applications; clinical systems, devices, and financial data were reportedly not involved.
Fix
Enforce phishing-resistant MFA and strong identity verification on third-party SaaS, limit and log access to systems holding health data, and rehearse social-engineering scenarios with staff and help-desk teams.

Silent Ransom Group hits law firms with fake IT support calls

Mandiant has detailed how the extortion crew Silent Ransom Group (also tracked as Luna Moth and UNC3753) is breaking into US law firms and other professional-services companies through phone calls rather than malware. Attackers send a harmless-looking invoice or data-migration email, then call the target pretending to be internal IT support, talk them into starting a screen-share, and get them to install a remote management tool that hands over access. From there, Mandiant has seen data located, staged, and stolen in under an hour. The group skips encryption entirely, instead threatening to leak stolen files unless paid. A recent FBI alert added in-person office visits to the playbook.

Check
Review RMM and remote-access tool installs from the past month tied to inbound IT support calls, and flag invoice or data-migration emails sent from consumer addresses.
Affected
US law firms and financial and professional-services organizations whose staff can be phoned and talked into screen-sharing or installing remote management software.
Fix
Require staff to verify any IT support contact through a known internal channel before granting access, restrict who can install RMM tools, and enforce phishing-resistant MFA.
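The WhatsApp and Silent Ransom Group items above both turn on remote-management software appearing on endpoints outside approved IT processes, and the law-firm Check suggests reviewing RMM installs from the past month and flagging invoice or data-migration emails sent from consumer addresses. The Python script below is an added example, not code from Kaspersky, Mandiant, or this page: it runs those two checks over a constructed software-inventory export and a constructed list of inbound mail metadata. The export format, the RMM name list, the approved-tool table (TeamViewer Host deployed only by an svc-deploy account), and the consumer-domain set are all assumptions; swap in your own EDR or asset-inventory export and your own approved tools.

```python
"""Hunt for remote-management (RMM) tools installed outside approved IT processes
and for lure emails sent from consumer mailboxes.

Added example for illustration; the inventory format, product names, approved-tool
table, and email samples are assumptions, not data from the articles above.
"""
import re
from datetime import datetime, timedelta

# Constructed software-inventory export (e.g. from an EDR or asset tool), one record per line:
# timestamp | host | installing user | product name | path the installer ran from
INVENTORY = r"""
2026-06-20T09:12:44Z|WS-ACCT-07|jsmith|ManageEngine Endpoint Central Agent|C:\Users\jsmith\AppData\Local\Temp\agent.exe
2026-06-10T14:05:10Z|WS-LEGAL-12|mlee|AnyDesk|C:\Users\mlee\Downloads\AnyDesk.exe
2026-06-12T08:30:00Z|WS-IT-01|svc-deploy|TeamViewer Host|C:\Program Files\TeamViewer\TeamViewer.exe
2026-06-18T10:02:00Z|WS-LEGAL-09|tnguyen|TeamViewer Host|C:\Users\tnguyen\Downloads\TeamViewer_Setup.exe
2026-04-20T11:00:00Z|WS-LEGAL-03|pchan|ScreenConnect Client|C:\Users\pchan\Downloads\ScreenConnect.ClientSetup.exe
2026-06-15T16:45:31Z|WS-HR-04|rkim|Microsoft Office|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"""

# Product-name fragments that identify RMM / remote-access tooling (case-insensitive substring match).
RMM_PATTERNS = ("manageengine", "anydesk", "teamviewer", "screenconnect",
                "connectwise", "atera", "splashtop", "rustdesk")

# Approved RMM product -> the deployment account allowed to install it (assumption for this example).
APPROVED = {"teamviewer host": "svc-deploy"}

# Installers launched from a user-writable directory are a red flag even for approved products.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.IGNORECASE)


def parse_inventory(text):
    """Turn the pipe-delimited export into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, product, path = line.split("|", 4)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "product": product, "path": path,
        })
    return records


def find_unapproved_rmm(text, now, window_days=30):
    """Return RMM installs inside the review window that fall outside approved IT processes."""
    since = now - timedelta(days=window_days)
    hits = []
    for rec in parse_inventory(text):
        if rec["time"] < since:
            continue
        name = rec["product"].lower()
        if not any(p in name for p in RMM_PATTERNS):
            continue  # not remote-management tooling
        reasons = []
        allowed_account = APPROVED.get(name)
        if allowed_account is None:
            reasons.append("RMM product is not on the approved list")
        elif rec["user"] != allowed_account:
            reasons.append(f"approved product installed by {rec['user']} instead of {allowed_account}")
        if USER_WRITABLE.search(rec["path"]):
            reasons.append("installer ran from a user-writable directory")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def flagged_hosts(text, now_iso, window_days=30):
    """Convenience wrapper: hostnames with unapproved RMM installs, given 'now' as an ISO-8601 UTC string."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    return sorted(h["host"] for h in find_unapproved_rmm(text, now, window_days))


# Constructed inbound-mail metadata: (sender address, subject).
EMAILS = [
    ("billing.dept@gmail.com", "Invoice #48213 overdue - action required"),
    ("it.migration.team@outlook.com", "Your mailbox data migration is scheduled for tonight"),
    ("ap@vendor-corp.example", "Invoice #1001 for May services"),
    ("friend@gmail.com", "Lunch on Friday?"),
]
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
                    "icloud.com", "proton.me", "protonmail.com", "aol.com"}
LURE_SUBJECT = re.compile(r"\binvoice\b|data migration|subscription|renewal", re.IGNORECASE)


def flag_lure_emails(emails):
    """Return (sender, subject) pairs that combine a consumer mailbox with an invoice/migration lure."""
    return [(sender, subject) for sender, subject in emails
            if sender.rsplit("@", 1)[-1].lower() in CONSUMER_DOMAINS and LURE_SUBJECT.search(subject)]


if __name__ == "__main__":
    for h in find_unapproved_rmm(INVENTORY, datetime(2026, 7, 5)):
        print(f"{h['time']:%Y-%m-%d} {h['host']:<12} {h['product']}: {'; '.join(h['reasons'])}")
    for sender, subject in flag_lure_emails(EMAILS):
        print(f"LURE  {sender}: {subject}")
```

Run against the constructed data, the approved TeamViewer Host deployment on WS-IT-01 is left alone, while the ManageEngine agent dropped into a Temp folder, the AnyDesk download, and the copy of TeamViewer Host a user installed from Downloads are all reported; widening `window_days` also surfaces the older ScreenConnect install. The email check is deliberately narrow (consumer sender domain plus a lure subject) so it can be tuned without drowning the help desk in alerts.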

Five Eyes warns China is recruiting officials via fake job offers

The Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand) issued a joint bulletin, "Safeguarding Our Secrets," warning that Chinese military intelligence officers are posing as recruiters on sites like LinkedIn, Indeed, and Upwork. Fronting as think tanks, consultancies, or HR firms, they post fake jobs such as foreign-policy or defense-analyst roles, then use the interview process to pressure targets into handing over classified or non-public information. The agencies say current and former government, military, defense-contractor, research, and journalist personnel are all in scope, with extra focus on those tied to the Indo-Pacific. The goal is harvesting privileged military, political, and economic intelligence.

Check
Brief staff in sensitive government, defense, and research roles to scrutinize unsolicited recruiter and consulting approaches, and check whether anyone has shared non-public information during one.
Affected
Current and former Five Eyes government, military, defense-contractor, policy, research, and journalist personnel with access to classified or privileged information, especially those linked to the Indo-Pacific.
Fix
Verify recruiters and employers through official channels before engaging, never discuss sensitive work in interviews, and report suspected approaches to your security team or national agency.

HVAC distributor Baker breach exposes 102,000 accounts to ShinyHunters

Baker Distributing, one of the largest US wholesalers of heating, cooling, and refrigeration equipment, has been hit by the extortion group ShinyHunters, which stole company data and posted it after the company did not pay. Breach-tracking service Have I Been Pwned has now confirmed 102,935 affected accounts; the gang originally claimed more than 260,000 stolen records pulled from Salesforce and internal SharePoint sites, including HR documents. ShinyHunters has been on a tear this year, breaking into corporate SaaS accounts by tricking IT help desks into resetting credentials. Exposed personal and business data fuels follow-on phishing aimed at Baker's customers and staff.

Check
If you work with or for Baker Distributing, check whether your email appears in Have I Been Pwned and watch inboxes for HVAC or invoice-themed phishing referencing the breach.
Affected
Baker Distributing employees, contractors, and business customers whose personal and corporate data sat in the breached Salesforce and SharePoint systems; 102,935 accounts confirmed.
Fix
Reset passwords reused with Baker accounts and enable phishing-resistant MFA. For your own org, lock down help-desk identity resets with callback verification to blunt ShinyHunters-style social engineering.

FIFA World Cup 2026 fraud wave hits fans before June 11 kickoff

With the FIFA World Cup kicking off June 11 across the US, Canada, and Mexico, the FBI and researchers at Group-IB and Fortinet warn that a large fraud operation is already running. Group-IB tracked more than 4,300 fake FIFA websites and a Chinese-speaking crew, GHOST STADIUM, that cloned the official site pixel-for-pixel, fake login and all, across 300-plus domains. Scams include bogus ticket, merchandise, and hospitality sites, fake streaming apps that hide banking malware, and betting sites that harvest passport scans for identity theft. With tickets scarce and 150 million requests filed, scammers are exploiting fans' urgency to steal logins, money, and personal data.

Check
Warn staff and remind yourself to verify any World Cup ticket, merchandise, or streaming offer, and check security logs for employee visits to lookalike FIFA domains.
Affected
Anyone buying World Cup tickets, merchandise, hospitality, or streaming access, plus job seekers; employees using work devices or accounts to shop for the tournament.
Fix
Buy only via fifa.com typed directly into the browser, avoid sponsored search results and emailed links, and block known fraudulent FIFA domains at your web gateway.
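The FIFA item's Check asks for security logs to be reviewed for employee visits to lookalike FIFA domains, and its Fix for fraudulent domains to be blocked at the web gateway. The script below is an added example, not code from Group-IB, Fortinet, the FBI, or this page: it scans a constructed proxy log for three lookalike patterns, the brand name inside an unofficial domain (fifa-tickets2026.com, fifa.com.worldcup-login.net), one-character typosquats of the fifa label (fiifa.com, flfa.com), and homoglyph substitution (a Cyrillic і in fіfa.com). The log format, user names, and hosts are constructed, and treating the last two labels as the registrable domain is a simplification; a production version would use the Public Suffix List (for example via tldextract) instead of that shortcut.

```python
"""Scan a web-proxy log for lookalike domains of fifa.com.

Added example for illustration; the log lines, user names and hosts are constructed,
and treating the last two labels as the registrable domain is a simplification.
"""
import unicodedata

OFFICIAL = "fifa.com"   # the only domain fans should be typing in, per the article
BRAND = "fifa"

# Constructed proxy log: timestamp, user, destination host, path. The "і" in the
# fifth line is Cyrillic U+0456, a homoglyph of Latin i.
PROXY_LOG = """\
2026-06-09T10:14:02Z alice www.fifa.com /tickets
2026-06-09T10:15:40Z bob fifa-tickets2026.com /checkout
2026-06-09T10:16:05Z carol fifa.com.worldcup-login.net /login
2026-06-09T10:17:11Z dave fiifa.com /
2026-06-09T10:18:30Z erin fіfa.com /resale
2026-06-09T10:19:00Z frank news.example.org /sport/fifa-world-cup
2026-06-09T10:20:00Z grace tickets.fifa.com /account
2026-06-09T10:21:15Z hank flfa.com /buy
"""

# Non-Latin letters that render like Latin ones; extend as needed.
HOMOGLYPHS = str.maketrans({"а": "a", "е": "e", "о": "o", "і": "i", "ѕ": "s", "р": "p",
                            "с": "c", "у": "y", "х": "x", "ј": "j", "ӏ": "l", "ı": "i", "ɑ": "a"})


def normalize_label(label):
    """Decode punycode, strip accents, and fold homoglyphs so look-alike labels compare equal."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(HOMOGLYPHS).lower()


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return None for the official domain or an unrelated host, otherwise the lookalike reason."""
    raw_labels = host.lower().split(".")
    if ".".join(raw_labels[-2:]) == OFFICIAL:
        return None  # fifa.com or a genuine subdomain such as tickets.fifa.com
    labels = [normalize_label(label) for label in raw_labels]
    if ".".join(labels[-2:]) == OFFICIAL:
        return "homoglyph of the official domain"
    if any(BRAND in label for label in labels):
        return "brand name inside an unofficial domain"
    if len(labels) >= 2 and levenshtein(labels[-2], BRAND) == 1:
        return "one-character typosquat of the brand label"
    return None


def scan_proxy_log(text):
    """Return one hit per log line whose destination host looks like a FIFA lookalike."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, path = line.split()
        reason = classify_host(host)
        if reason:
            hits.append({"time": ts, "user": user, "host": host, "path": path, "reason": reason})
    return hits


def blocklist(hits):
    """Unique lookalike hosts, ready to feed a web-gateway block rule."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    results = scan_proxy_log(PROXY_LOG)
    for h in results:
        print(f"{h['time']} {h['user']:<6} {h['host']:<30} {h['reason']}")
    print("block:", ", ".join(blocklist(results)))
```

Note the ordering in `classify_host`: the raw registrable domain is compared first so genuine fifa.com subdomains are never flagged, and only then is the normalized form checked, which is what catches the Cyrillic host. The path is deliberately ignored, so a news article about the World Cup on an unrelated site is not a hit; the attacker controls the host, not the brand's appearance in a URL path.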