Social Engineering Surge: ClickFix, AI Phishing, Device Code Phishing, Payment Fraud Automation
Key Questions
How widespread has the ClickFix technique become?
It grew 500% and is now the second-most common social engineering vector. APT28, Kimsuky, and MuddyWater have adopted it alongside Chinese PhaaS operations.
What phishing trends involve AI and automation?
AI-generated lures cost $0.04 per email with 54% click-through rates. Device Code Phishing bypasses URL checks via Microsoft sites, while real-time token interception matures in PhaaS tools.
Why do financial institutions lag on MFA?
Only 28% of MFA deployments are phishing-resistant despite known threats. Reports highlight gaps between awareness and implementation amid rising account takeover and APP fraud.
ClickFix technique grows 500%, now second most common social engineering vector, adopted by APT28, Kimsuky, MuddyWater. Chinese PhaaS operations mature with real-time token interception, AI-generated lures, and MFA bypass. Carnival Corporation breach exposes 6M customer records. AI-powered bots blur human vs. automated attacker lines. AI phishing at $0.04/email with 54% click-through. Credential stuffing remains high-volume (19% of auth attempts). Payment fraud automation rising—63% of consumers prioritize security, account takeover and APP fraud rising. Device Code Phishing attack via Microsoft website bypasses URL checks. China-aligned APT targeting academic IP via Roundcube XSS and weak DMARC. New: Financial institutions report only 28% of MFA is phishing-resistant despite awareness of worsening phishing; 8Layers funding signals ISPM/ITDR convergence. New resource: comprehensive guide on human risk mitigation challenges critiques legacy awareness training and positions HRM as continuous, data-driven discipline addressing 62% human-related breach rate and AI-powered threats.