In the cyberattack reported by Odido two weeks ago, personal data from more than 6 million accounts was stolen. The stolen information includes names, home and email addresses, phone numbers, dates of birth, bank account numbers, and ID numbers.
SLH is diversifying its social engineering pool by specifically recruiting women to conduct vishing attacks, likely to increase the success rate of help desk impersonation. The group is said to be offering anywhere between $500 and $1,000 upfront per call, in addition to providing them with the necessary pre-written scripts to carry out the attack.
Choice Hotels International disclosed a breach affecting franchisees and applicants. Its notification letter states that a "skilled person used social engineering" to gain access on January 14, 2026, to an application that contained records regarding franchisees and franchise applicants. The access occurred even though multifactor authentication (MFA) was required for access. The information involved included names and Social Security numbers. There is no indication that any guest data was involved. No gang has publicly claimed responsibility for the attack as yet.
"While many have been discussing the privacy risks of people following the ChatGPT caricature trend, the prompt reveals something else alarming - people are talking to their LLMs about work," said Josh Davies, principal market strategist at Fortra, in an email to eSecurityPlanet. He added, "If they are not using a sanctioned ChatGPT instance, they may be inputting sensitive work information into a public LLM. Those who publicly share these images may be putting a target on their back for social engineering attempts, and malicious actors have millions of entries to select attractive targets from."
Romance scams used to feel like a cliché. Everyone pictured an email from an overseas "prince" that was poorly written and full of typos and pleas for cash. Now, that cliché is dead. Today's romance scams are industrial-scale operations. Attackers use artificial intelligence to clone voices, create deepfake video calls, and write scripts with large language models (LLMs). In 2024 alone, the Federal Trade Commission reported that financial losses to romance scams skyrocketed, with victims losing $1.14 billion.
The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft. "The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim," Google Mandiant researchers Ross Inman and Adrian Hernandez said.
Betterment, which offers automated investment and financial planning services, first disclosed the breach in January after detecting unauthorized access to certain internal systems on January 9. Betterment said the hacker gained entry through a social engineering scheme that relied on impersonation to infiltrate third-party marketing and operations tools, then used that access to send customers a fraudulent cryptocurrency promotion disguised as an official company message.
The phone rings at 2:47 AM. Your heart pounds as you fumble for the receiver. "Grandma?" The voice is shaky, desperate. "I'm in trouble. I got arrested. Please don't tell Mom and Dad." The voice sounds just like your grandson. He uses the nickname only family knows. He remembers that trip you took together last summer. Everything about this call feels real because, in many ways, it is.
Picture this: Your phone rings. The caller ID shows your local hospital. The voice on the other end sounds professional, maybe a bit urgent. They're calling about Medicare coverage changes that could affect your upcoming procedures. They just need to verify some information to ensure your benefits continue uninterrupted. Sounds legitimate, right? Here's the thing - it probably isn't. And that's exactly what makes modern phone scams so dangerous.
Last month, I sat across from one of the brightest people I know as he explained how he'd lost nearly everything to a sophisticated scam. This wasn't some naive teenager or technophobe. This was my friend from university days, a retired executive who'd navigated corporate politics for decades and made shrewd investment decisions his whole life. Watching him piece together how it happened was like watching someone solve a puzzle in reverse.
"This took all of 20 minutes," Exempt, a member of the group that carried out the ploy, told WIRED. He claims that his group has been successful in extracting similar information from virtually every major US tech company, including Apple and Amazon, as well as more fringe platforms like video-sharing site Rumble, which is popular with far-right influencers. Exempt shared the information Charter Communications sent to the group with WIRED, and explained that the victim was a "gamer" from New York.
"The holiday season is filled with gifts, including the ones we unknowingly hand over to threat actors in the form of sharing personal information and other security mishaps that result in cyberattacks," says Nathan Wenzler, Field CISO at Optiv. "This year, consumers across the U.S. plan to spend nearly $80 billion online and in-store during Black Friday and Cyber Monday, an increase of about $20 billion compared to last year, according to a new survey conducted by Omnisend."
As Kent Halliburton stood in a bathroom at the Rosewood Hotel in central Amsterdam, thousands of miles from home, running his fingers through an envelope filled with 10,000 euros in crisp banknotes, he started to wonder what he had gotten himself into. Halliburton is the cofounder and CEO of Sazmining, a company that operates bitcoin mining hardware on behalf of clients, a model known as "mining-as-a-service."
The campaign spreads the Odyssey Stealer and AMOS (Atomic macOS Stealer) malware families. Both families focus on stealing system information, browser data, and crypto wallet login details. The attacks are carefully designed to exploit developers' trust. The fake Homebrew and TradingView sites display seemingly legitimate download portals with buttons such as Copy command. When a user clicks the button, a hidden, base64-encoded Terminal command is copied to the clipboard.
Organizations are heavily investing in zero trust, a security framework that requires strict verification and ongoing monitoring of every user, device, and application. As of 2025, the size of the zero trust market is estimated at $38.37 billion USD and is projected to grow to $86.57 billion USD by 2030. Investments include not only tools but also organizational transformation, policy overhaul, and long-term architectural changes. When combined with strong, phishing-resistant multi-factor authentication (MFA) and AI-powered threat detection, a move toward zero trust will significantly enhance cybersecurity. However, help desks often lack robust identity verification, creating a critical vulnerability.
Gladinet vulnerability exploited in the wild: A vulnerability affecting Gladinet's CentreStack and Triofox products has been exploited in the wild, Huntress warns. CentreStack is a mobile access and secure sharing solution while Triofox is a secure file access solution. Huntress earlier this year discovered exploitation of CVE-2025-30406, a hardcoded machine key issue affecting the products, and it has now detected exploitation of a new vulnerability, CVE-2025-11371, which allows unauthenticated local file inclusion. Gladinet is aware of the issue and is in the process of providing a workaround to customers until a patch is developed.
Cybersecurity researcher Jeremiah Fowler discovered a database that lacked password protection as well as encryption, exposing 85,361 files (158 GB in total). The records included invoices, claims, and emails that contained policy holder names, addresses, phone numbers, email addresses, and other personally identifiable information (PII). The personal information of pets was also exposed, including their names, ages, breeds, medical histories, microchip numbers, and more.
The attack chains, per the cybersecurity company, leverage ZIP archives containing decoy PDF documents along with malicious shortcut (LNK) or executable files that are masked as PDF to trick users into opening them. When launched, the LNK file runs an embedded PowerShell script that reaches out to an external server to download a lure document, a PDF for a marketing job at Marriott.