All posts by Jose Luis

It’s a statistic that sends a shiver down the backs of SME owners, managers and employees.  According to the FBI’s 2025 Internet Crime Report, business email compromise (BEC) cost US businesses more than $3 billion last year.This makes it one of the most financially damaging cybercrimes on record. AI has made these attacks harder to detect. The question for AP teams is no longer whether they can identify suspicious requests. It is whether the processes around payments make fraud difficult regardless of how convincing it looks.Why AP Teams Are in the CrosshairsAccounts payable sits at the intersection of trust and timing. AP teams process invoices, manage supplier details, and execute payments, often under pressure to keep operations running smoothly. For attackers, that combination is ideal.Most successful fraud does not involve breaking into systems. The FBI’s Internet Crime Complaint Center (IC3)  has consistently found that BEC attacks rely on impersonation. This involves posing as a

You click a link, sign in, approve the MFA prompt, and get on with your day. Completely unaware that someone else just logged into your account at the same moment.That scenario surprises many businesses, particularly those that rely on multi-factor authentication (MFA) to protect cloud accounts. But this is exactly how Adversary-in-the-Middle (AiTM) phishing attacks work. Rather than stealing passwords for later use, these attacks silently hijack an already-authenticated session in real time.MFA remains a core control, and getting it implemented correctly is still a critical first step for any business. But AiTM attacks exploit something MFA was never designed to protect: the trusted session that exists after authentication has already completed.Phishing Has Moved Beyond PasswordsPhishing remains the most common starting point for account compromise, but the objective has changed. Traditional phishing collected usernames and passwords. Modern phishing is after something more immediately useful: the authenticated session itself.Security researchers have documented a significant

MFA is a strong front-door lock. But it’s not the only thing that decides whether someone can get in.After you sign in, your browser keeps you logged in using a session token (often stored as a cookie). It’s the digital version of a wristband at an event: once you’ve been checked, the wristband proves you belong there. If an attacker steals that wristband, they may not need to beat your MFA prompt at all.That’s the core of session cookie hijacking. The attacker isn’t “cracking” MFA. They’re skipping it by replaying your already authenticated session.This isn’t a reason to stop using MFA. It’s a reason to stop treating MFA as the finish line. When sessions can be stolen, the practical defence shifts to layered controls: phishing-resistant sign-ins, device hygiene, tighter session policies, and detection that catches suspicious access early.Why MFA Isn’t a “Game Over” ControlMFA is still one of the best upgrades

Browser add-ons have a funny reputation. They feel “small”. A quick install. A tiny productivity boost. A harmless little helper that lives in your toolbar.But in practice, a browser extension is more like a micro-SaaS vendor sitting inside your browser session. It can see what you see, interact with the pages you open, and sometimes access the same cloud apps your business runs on all day.That’s why a browser extension security check matters. Not because every extension is bad, but because it only takes one over-permissioned add-on or one bad update to turn “helpful” into exposure.The good news is you don’t need a 40-page policy to reduce the risk. A simple five-minute check can prevent most extension problems before they start.Why Browser Extensions Are a High-Leverage RiskBrowser extensions sit in the most sensitive place in modern work: the browser tab where your staff live all day. That matters because extensions aren’t just