Security Awareness Training Blog

Keeping You Informed. Keeping You Aware.
Stay on top of the latest in security including social engineering, ransomware and phishing attacks.

Roger Grimes

Recent Posts

The Most Common Password Frustrations

We all know the well-worn adage to make our passwords long and complex. Sometimes trying to do so can be completely frustrating.
Continue Reading

6 Lessons I Learned from Hacking 130 MFA Solutions

I was fortunate enough to write Wiley’s Hacking Multifactor Authentication. It’s nearly 600-pages dedicated to showing attacks against various multi-factor authentication (MFA) solutions ...
Continue Reading

[NEW BOOK] Hacking Multi-Factor Authentication

I’m excited to announce the release of my 12th book, Hacking Multifactor Authentication.
Continue Reading

Beware of Fake Forwarded Phishes

There are many specific, heightened challenges of spear phishing emails coming from compromised, trusted third parties. Trusted third-party phishing emails usually come from the ...
Continue Reading

Check Your Email Rules for Maliciousness

Email rules have been used maliciously for decades. Learn about email rules and what you need to do to defend your organization against their malicious misuse.
Continue Reading

How to Defend Against Phishes Coming from Trusted Partners

One of the most frequent concerns I hear from IT security practitioners and CISOs is the rise of phishing attacks coming from compromised trusted partners and contractors. The attackers ...
Continue Reading

Watch Out for OAuth Phishing Attacks and How You Can Stay Safe

A steadily growing phishing trend involves phishing emails which attempt to modify your OAuth permissions. Simply clicking on one Allow button or hitting ENTER by mistake can ...
Continue Reading

Phishing Golden Hour

In emergency healthcare settings, the “golden hour” is the time between when a patient suffering a life threatening event (e.g., heart attack, stroke, aneurysm, etc.) is most likely to ...
Continue Reading

Like Twitter, MFA Will Not Save You!

I’m sure we are all interested in the latest Twitter hack. As the author of the soon to be released Wiley book called Hacking Multifactor Authentication, I have to laugh at the “experts” ...
Continue Reading

How You Can Increase Employee Engagement with Security Awareness Training

One of the most common questions I get asked working for a security awareness training company is, how do I make employees more engaged with and care about the training? I get it. Who ...
Continue Reading

Top 12 Most Common Rogue URL Tricks

It’s nearly impossible to find an Internet scam or phishing email that doesn’t involve a malicious Uniform Resource Locator (URL) link of some type. The link either directs the user to a ...
Continue Reading

Increase in BLM Domain Names Forecasts BLM Phishing Attacks

There has been a significant increase in DNS domain names containing blacklivesmatter or George Floyd’s name and there’s a good chance some of those are owned by people with malicious ...
Continue Reading

The Three Pillars of the Three Computer Security Pillars

Much of the world, or at least the United States, is coalescing around the NIST Cybersecurity Framework. It’s a pretty good one to follow out of the many dozens that have been proposed ...
Continue Reading

What is the Right Password Policy?

What is the right password policy? Conventional password policies say you must have a password at least 8-12 characters long…16 characters or longer if it belongs to an elevated ...
Continue Reading

Q&A With Data-Driven Evangelist Roger Grimes on the Great Password Debate

I get asked a lot about password policy during my travels around the globe giving presentations and from people who email after webinars. Many of the questions are the same and I’ve ...
Continue Reading

Is That COVID-19 Email Legitimate or a Phish?

It’s no surprise that phishers and scammers are using the avalanche of new information and events involving the global coronavirus pandemic as a way to successfully phish more victims. ...
Continue Reading

The Best and First Defenses You Should Implement

Every good defense has three pillars of controls: policy, technical, and education. People are always asking what they should do for each to minimize cybersecurity events the most and ...
Continue Reading

Third-Party Risk Management Questionnaire for Extended Emergencies

Here’s a questionnaire you can send to suppliers during extended work from home (WFH) periods.
Continue Reading

Share the Red Flags of Social Engineering Infographic With Your Employees

Social engineering and phishing are responsible for 70% to 90% of all malicious breaches , so it’s very important to keep your employees at a heightened state of alert against this type ...
Continue Reading

The Best Computer Security Solvers Look Beyond the Problem

Who doesn’t love a good computer security “cowboy”? That’s a man or a woman who is a recognized authority in their field of expertise, who groks their subject, who is truly a subject ...
Continue Reading

Get the latest about social engineering

Subscribe to CyberheistNews