
Let’s Play Cybersecurity Fact or Fake

November 05, 2021

Explore the Mythology of Cybercrime Risk


Cybersecurity is a fast-moving world that requires extensive technical knowledge to master and there are myriad sources to get that knowledge from. In order to defend organizations from cybercrime, IT professionals need to have solid facts about today’s cybercrime landscape at their fingertips, enabling them to make smart defensive choices. However, for every fact about cybersecurity that is published by a reliable source, there are a dozen myths about the same subject being bandied about. Separating the facts from the fakes can dispel those myths to bring new clarity that empowers everyone to make the right decisions and stay out of trouble.


This post is excerpted in part from our scary good eBook Monsters of Cybersecurity.




Is That Cybersecurity Claim a Fact or a Fake?


Chilling tales of hacks and breaches are always floating around. Are these cybersecurity legends true stories or the fancies of an unquiet mind? Knowing how to separate the real facts from fake news when it comes to cybersecurity can spell the difference between life and death for an organization.

CLAIM: Security awareness training doesn’t work, it’s wasted money. 

FAKE. Security awareness training works, and it is a highly effective way to reduce an organization’s chance of a cybercrime disaster. Security awareness training reduces an organization’s chance of a data breach by up to 70% – and a data breach has never been more expensive. As an added bonus, it also reduces phishing expenses by more than 50% on average. 

How do you get that awesome result? By conducting security awareness training at the right cadence – at least 11 times per year. Repetition and reinforcement are crucial for building good security habits. In a UK study of companies running phishing simulations, researchers discovered that 40% to 60% of their employees were likely to open malicious links or attachments. In follow-up testing, after about 6 months of training, the percentage of employees who took the bait dropped 20% to 25%. Further training produced a steeper drop. After 3 to 6 months more training, the percentage of employees who opened phishing messages dropped to only 10% to 18%.

CLAIM: An email from a big company like Microsoft is always safe. 

FAKE. Spoofing and brand impersonation are popular cyberattack tactics because people believe that emails from major companies are safe, but it’s a dangerous misconception. In fact, Microsoft is the most widely impersonated brand. An estimated 45% of all brand impersonation phishing attacks were related to Microsoft in Q2 2021, up six points from Q1 2021. Amazon landed in second place, and shipping giant DHL followed closely behind in the number three position. Most businesses have employees interacting with those brands every day, ramping up the danger.   

Email spoofing is also an ascendant risk that every business needs to be alert to – spoofing ballooned by more than 220% in 2020. One major category of spoofing that has become especially prevalent in the pandemic era is the spoofing of government messages. The US IRS (Internal Revenue Service) released an official warning in early April to alert tax professionals about spoofing emails supposedly sent from “IRS Tax E-Filing” with the subject line “Verifying your EFIN before e-filing.” The U.S. Financial Industry Regulatory Authority (FINRA) was also forced to issue a regulatory notice in March 2021 warning brokers of an ongoing phishing campaign. Attackers using carefully faked messages based on FINRA templates with bogus but believable URLs were sending out fake compliance audit notices, spurring companies to react – and get their credentials stolen.   

CLAIM: It’s ok to keep using an old password and use the same passwords at work and at home.  

FAKE. Reusing and recycling passwords is a fast road to ruin. Huge lists of passwords stolen in previous cyberattacks around the world are available on the dark web for cybercriminals to use in attacks. An estimated 60% of passwords that appeared in one or more breaches in 2020 were recycled or reused. Businesses are in even greater danger if an employee reuses a password at work that they’ve used at home. At least 60% of people reuse their favorite passwords across multiple sites regularly, driving up the chance that it’s already compromised. 

This year’s giant influx of fresh passwords from events like the RockYou 2021 leak just keeps priming the pump for new cybercrimes, especially password-fueled schemes like credential stuffing, the gateway to all sorts of bad outcomes like ransomware, and business email compromise, the most expensive cybercrime of 2020.  Earlier this summer, the personally identifying data and user records data of 700M LinkedIn users appeared on a popular dark web forum – more than 92% of LinkedIn’s estimated total of 756M users. That created an enormous splash that will ultimately ripple out into a whole new world of opportunity for cybercrime.    

CLAIM: A cyberattack will only come from outside the company. 

FAKE. Insider risk is up by more than 40% in 2021. IBM Security Intelligence says that more than 60% of cyberattacks can be attributed to insiders. That category includes non-malicious blunders by accidental actors and deliberate actions taken by malicious insiders. About 25% of data breaches in 2020 were caused by malicious insiders. It can also be hard for companies to spot a malicious insider at work. The unfortunate result of that problem is that slow detection gives those malicious insiders more time to do damage. An insider incident takes more than twice the time to detect as other intrusions that can lead to ransomware or a data breach. 

Malicious insiders can have a host of reasons for turning on their employers, but the perennial top reason doesn’t really change. According to the Verizon Data Breach Investigations Report 2021, an estimated 70% of malicious insider breaches are financially motivated, chiefly through employees selling credentials or access to systems and data on the dark web. Another 25% of malicious insider incidents are motivated by espionage or theft of intellectual property, like selling formulas, stealing sensitive data or disclosing company secrets on the dark web. However, some employees are simply out for vengeance. Around 4% of malicious insider incidents are caused by angry employees who want to damage the company.

CLAIM: We’re too small to need fancy things like multifactor authentication.

FAKE. Just under 45% of all cyberattacks are aimed at small to medium businesses every year. Even more disturbing is the fact that over 50% of ransomware attacks are aimed at SMBs with fewer than 100 employees. It’s essential to realize that every business of every size is at risk of a cyberattack, and that number won’t be going down anytime soon. As we continue to see record-breaking numbers for data breaches, intrusions and other types of cybercrime, secure identity and access management, including multifactor authentication (MFA), is a key component of a good defensive strategy. MFA is also a requirement for compliance in many industries, and it is becoming a must-have for US federal contractors as the US federal government moves toward zero trust architecture.

Unquestionably, one of the fastest ways for the bad guys to slip inside a company’s environment and wreak havoc is to obtain a legitimate company password. It doesn’t make a difference if they buy it from an unscrupulous employee or harvest it from a dark web data dump; that password could spell doom for an organization. In fact,  70% of SMBs had employee passwords compromised in the last year. A small security upgrade like multifactor authentication stops more than 99% of password-related cyberattacks. 




Are You Ready to Face the Monsters of Cybersecurity?  


FACT: ID Agent helps businesses and MSPs develop and maintain strong defenses against horrifying attacks from monsters of cybersecurity while also boosting cyber resilience with affordable solutions and common-sense strategies that will help you sleep at night. 

Dark Web ID – Don’t let cybercriminals sneak into your network to snatch your data with a compromised credential. Get the power of 24/7/365 human and machine-powered monitoring on your side for employee passwords, business and personal credentials, domains, IP addresses and email addresses.

Passly – Multifactor authentication alone stops 99% of password-based cybercrime. In addition to MFA, Passly also includes single sign-on, automated password resets, multiple options for identifier delivery and seamless integration with more than 1,000 apps, making it one amazing value.

BullPhish ID – Protecting a business from cybercrime starts with protecting it from phishing. Educate staffers on how to spot and stop the latest threats including phishing, ransomware, compliance, password safety and more using done-for-you kits or customized lessons.

Contact us today to get started. ID Agent’s solutions experts are ready to help you protect your business and your clients with strong solutions that are both effective and cost-effective, giving you peace of mind about cybercrime.  

