After I posted about the limits of AI in detecting phishing links on LinkedIn, a security provider replied with a familiar example. They pointed to a product feature called Click Time Protection and claimed it can stop phishing by rewriting links and inspecting them at the moment a person clicks.
After hundreds of billions spent on cybersecurity and the arrival of AI promising to transform it, this article explains why people will still be told the same thing. “Stay vigilant.” “Check suspicious links.” “Don’t trust unexpected messages.” We’ve built an entire industry around technology that tells people to be careful
Phishing has shaped the internet more than any other online threat. It began with simple impersonation on AOL and has since adapted to every new communication platform, from email to mobile messaging. Yet, despite decades of technological progress, the technique itself has barely changed. What’s different today is not how
Palo Alto Networks recently described a “sophisticated global smishing operation” built on a complex ecosystem of brokers, developers, and spammers. The language is familiar. Every major vendor publishes similar reports each year, filled with technical diagrams and claims of evolution and complexity. Yet the outcome never changes. People are still
Picture this. You manage security for a government agency or large corporation and you need a reliable way to protect employees from phishing on mobile devices. You will learn what Zero Trust means for web links, how it differs from threat detection, what a Cloudflare and iVerify announcement really does,
Imagine buying a smoke alarm and being told by the company, “We’ll protect you from fires, but stay vigilant in case one we haven’t seen before engulfs your home.” You’d think they’d lost their minds. Nobody buys a safety device that shifts responsibility back to the user the moment it’s
OpenAI’s new browser, Atlas, feels like a glimpse of the future. It’s fast, elegant, and powered by an AI that can explain, summarise, and search across everything you see online. But beneath the excitement lies a quiet omission that repeats one of the web’s oldest mistakes. Atlas launched without support
Paul Walsh
MetaCert CEO & Founder
This is blog is authored by Paul Walsh, one of the first people impersonated online while at AOL in 1996. His work focuses on the psychology of cybercrime. Former FBI profiler Jim Clemente put it best: “Paul, what you do is similar to an FBI profiler.” It’s an investigation into human deception - powered by technology built to stop it.
This is a post to explain why PornHub’s extortion story matters far beyond adult content. This is the same phishing led analytics failure that exposed OpenAI customer data and impacted other Mixpanel customers who still haven’t come forward. Different brands. Same entry point. Same security failure.
This is an account takeover attack that bypasses phishing detection, malware controls, and authentication safeguards. It exploits legitimate authorisation workflows exactly as designed. There is currently no technical control that reliably prevents it. Awareness is the only effective defence. Some referring to this as “device code
Here’s a good example of a security vendor claiming to offer a Zero Trust firewall that’s fundamentally different from everything else on the market. Technically, it isn’t. The same claim is made about their browser software. For the same reason, that isn’t zero trust either. It’s
This article sits in the middle of an important exchange between Paul Rohan, Aidan Herbert, and my earlier post on PSD3, instant payments, and upstream fraud prevention. Paul challenged the casual use of the phrase “new paradigm” in security, arguing correctly that most so called innovations
By the end of this article you’ll understand why fraud, account takeovers, and data theft keep rising, why all of today’s conventional security systems are failing to protect everyone from new phishing scams, and why Zero Trust for web links is now the only way for
The Gist Reuters reported on the new PSD3 agreement and the increased pressure it will place on banks to prevent fraud even as instant payments remove their ability to pause suspicious transactions. Banks are about to face higher liability under PSD3 at the same time instant
There’s a widespread belief that criminals using AI changes something about phishing detection. It doesn’t. And the reason it doesn’t is so simple that most people overlook it. Let’s start with the structure of a phishing attack. A phishing attack exists only when the final object
90% of cybercrime begins with phishing and it usually comes down to one moment. A person interacts with a link they can’t assess after it slips past the security tools they rely on. This is why the link isn’t just the starting point for most attacks.
I came across a LinkedIn article about an OAuth phishing attack, and I want to explain why it’s far simpler than the security industry makes it sound. The article is full of technical language, reactive controls, and long descriptions of Microsoft audit logs, but once you
Think about how you move through your digital life. Every time a text arrives, you pause. Every time an email lands, you hesitate. Every time you see an offer on social media, you wonder if it’s genuine. Every time someone sends you an app, you check
Paul Walsh
MetaCert CEO & Founder
This blog is authored by Paul Walsh, one of the first people impersonated online while helping to launch new Internet technology at AOL in 1996. His work focuses on the psychology of cybercrime. Former FBI profiler Jim Clemente put it best: “Paul, what you do is similar to an FBI profiler.” It’s an investigation into human deception - powered by technology built to stop it.