00:00 Josh
The FTC estimated that Americans lost 12.5 billion dollars to scams in 2024. This was a 25% increase from a year earlier. and in 2025 the attacks are growing in scope and scale, even taking advantage of trusted sites like LinkedIn. One company that is trying to protect consumers is Push security. Mark Orlando, Push’s chief technology officer joins me now. Mark, it’s great to see you. So maybe start here Mark, you know, as the year draws to a close, we’re going into 2026, Mark. What’s the big deal
00:36 Josh
cyber security themes, Mark, we should be aware of. What are the big trends? The scale, for example, seems to be one that is emphasizing.
00:51 Mark Orlando
Hi Josh, absolutely. The scale is really one of the biggest developments we’ve seen not only this year but in the last few years, as the infrastructure behind these types of attacks becomes easier and easier to get up and running. I think we can expect the scale of these attacks to continue to grow exponentially. We have also seen the sophistication of these attacks uh really increasing and higher. Uh you mentioned exploitation
01:23 Mark Orlando
legitimate sites and services like LinkedIn, um but we’re seeing that across the board, whether it’s social media networks or uh sponsored ads in Google results, attackers have come up with some very creative and sophisticated ways to deliver these scams and these attacks to unsuspecting users.
01:36 Josh
It seems like, Mark, you’re also highlighting how more attacks are happening inside the browser. Why is that, Mark? I mean, technically just technically, how does that help the attacker?
01:50 Mark Orlando
Sure, also the browser has really evolved from a tool that we use to view web pages to, you know, essentially a platform that runs software on demand. I mean, this is where, you know, the work really happens these days including, you know, where users are logging into accounts and all the various services that we use on a daily basis. So, the attackers realized that and moved away from different areas of the network like email uh or, you know, strictly web access that are pretty well defended in the browser, which is somewhat
02:29 Mark Orlando
less well defended, certainly an area where most organizations lack great visibility into what is going on and how users are interacting with websites. So, the attackers realized that, they changed the focus to do more in the browser where users can be tricked into doing a variety of different things, uh give up information that maybe they don’t have, enter websites that they don’t have, um and again, they do it in a place that is very difficult for security teams uh to observe.
03:00 Josh
You also highlight here, Mark, what these LinkedIn-based phishing attacks sound like. explain those, Mark, how they work?
03:13 Mark Orlando
Sure. So, I think historically when you talk about phishing or email scams, I mean it’s strictly like that. It’s something that comes via email. and I think that’s more or less what users have come to expect. if they’re going to get scammed, it’s going to be some, you know, kind of suspiciously worded email that comes with an attachment or a link. And really that’s uh always not the case anymore. So, uh you mentioned LinkedIn, we identified an attack campaign uh earlier this year where
03:44 Mark Orlando
uh an executive, CEO actually, uh of a company we work with was targeted through LinkedIn. He received a message from someone in his network, a first level connection uh about something that was very relevant to that company and to his work. And so uh click on the link, you know, along the lines of hey, check out this investment information, this opportunity, let me know what you think. Uh there was a lot of kind of sophisticated um
04:14 Mark Orlando
kind of hoops he had to jump through to validate that he was actually, uh accessing the attacker’s website. and ultimately the goal was uh to collect his login information. So, in fact, it was not the trusted contact who had sent this message through LinkedIn, but rather someone else who compromised his contact’s uh account. So, this is a situation where not only is the message very, very convincing, but it comes from a trusted source, in this case, you know, a known trusted contact.
04:47 Mark Orlando
So, very, very hard to choose. and again, it’s very difficult for an organization to see what’s going on inside those LinkedIn communications, much less do anything to stop it.