PornHub, OpenAI, and the Same SMS Phishing (Smishing) Failure

This post explains why PornHub’s extortion story matters far beyond adult content. It is the same phishing-led analytics failure that exposed OpenAI customer data and impacted other Mixpanel customers who still haven’t come forward. Different brands. Same entry point. Same security failure. The problem isn’t who was targeted. It’s that phishing […]
Authorisation Code Abuse Is a Major Account Takeover Vector

This is an account takeover attack that bypasses phishing detection, malware controls, and authentication safeguards. It exploits legitimate authorisation workflows exactly as designed. There is currently no technical control that reliably prevents it. Awareness is the only effective defence. Some are referring to this as “device code phishing”, but I don’t think that’s technically correct. Phishing […]
When a Zero Trust Firewall is Not a Zero Trust Firewall

Here’s a good example of a security vendor claiming to offer a Zero Trust firewall that’s fundamentally different from everything else on the market. Technically, it isn’t. The same claim is made about their browser software. For the same reason, that isn’t zero trust either. It’s a threat detection firewall with better marketing. The single […]
Zero Trust for Web Links, PSD3, and Why Upstream Fraud Prevention Matters

This article sits in the middle of an important exchange between Paul Rohan, Aidan Herbert, and my earlier post on PSD3, instant payments, and upstream fraud prevention. Paul challenged the casual use of the phrase “new paradigm” in security, arguing correctly that most so-called innovations are just faster versions of the same reactive model. […]
December phishing will show banks and payment companies why PSD3’s refund mandate will hurt and why their exposure is far bigger than they think

By the end of this article you’ll understand why fraud, account takeovers, and data theft keep rising, why all of today’s conventional security systems are failing to protect everyone from new phishing scams, and why Zero Trust for web links is now the only way for EU banks and payment companies to meet their PSD3 […]
Banks face new liability under PSD3. Phishing drives most fraud. Zero Trust for links is the missing control.

The Gist: Reuters reported on the new PSD3 agreement and the increased pressure it will place on banks to prevent fraud even as instant payments remove their ability to pause suspicious transactions. Banks are about to face higher liability under PSD3 at the same time instant payments remove their last opportunity to intervene. Traditional fraud […]
AI Makes No Difference to Detecting Phishing. The Logic Is Impossible to Dispute.

There’s a widespread belief that criminals using AI changes something about phishing detection. It doesn’t. And the reason it doesn’t is so simple that most people overlook it. Let’s start with the structure of a phishing attack. A phishing attack exists only when the final object exists. Everything before that moment is preparation, and preparation […]
The Real Mechanics of Phishing and the Behaviour That Makes It Possible

90% of cybercrime begins with phishing, and it usually comes down to one moment. A person interacts with a link they can’t assess after it slips past the security tools they rely on. This is why the link isn’t just the starting point for most attacks. It’s the single place where the entire chain can […]
Why OAuth Phishing Sounds Complicated but Is Really Just the Same Old Problem – Phishing

I came across a LinkedIn article about an OAuth phishing attack, and I want to explain why it’s far simpler than the security industry makes it sound. The article is full of technical language, reactive controls, and long descriptions of Microsoft audit logs, but once you strip away the jargon it becomes clear that the […]
Why do we still have to check links in 2025?

Think about how you move through your digital life. Every time a text arrives, you pause. Every time an email lands, you hesitate. Every time you see an offer on social media, you wonder if it’s genuine. Every time someone sends you an app, you check it twice. We’ve all learned to slow down because […]