ClickFix attacks trick employees into running malware themselves, without any exploit needed. Learn how this fast-growing threat works, who it targets, and how Arsen's new ClickFix simulations help you stay ahead of it.
Google Safe Browsing protects billions of users from malicious websites and phishing threats. But for organizations running internal phishing simulations, it creates real technical hurdles....
Smishing has moved well beyond a fraudulent text. From MitM OTP hijacking to cross-channel escalation, here's how sophisticated SMS-based attacks work, and what it takes to stop them.
ClickFix is one of the fastest-growing social engineering attack techniques. It needs no exploit, no malicious attachment, just a fake error message and a willing user. Here is what happened, why...
AI voice cloning has turned vishing into a scalable, high-precision weapon against financial institutions. A Canadian insurer lost $12M after an AI-cloned executive voice authorized fraudulent...
Your perimeter controls mean nothing if an attacker compromises a trusted vendor first. The SitusAMC breach in November 2025 exposed data across 100+ financial institutions without touching a...
Deepfake video impersonation has crossed from theoretical risk to documented loss. The 2024 Arup attack cost $25 million after a finance employee was deceived by a live AI-generated video call....
AI regulation is accelerating fast. From DORA to the EU AI Act, financial services CISOs face a tightening compliance landscape in 2026. Arsen breaks down what may change, what is at stake, and...
AI-powered social engineering is reshaping the threat landscape for banks, insurers, and fintechs. This guide gives financial services CISOs the frameworks, checklists, and strategic intelligence...
ShinyHunters are exploiting a legitimate Microsoft OAuth feature to compromise Entra accounts. No fake login page, no stolen password. One convincing vishing phone call is all it takes to hand...
Blockchain lending firm Figure confirmed a significant data breach resulting from a social engineering attack on an employee, leading to the leak of customer data and highlighting the persistent...
The AI revolution of the 2020s has positioned Large Language Models (LLMs) as the new foundation for digital transformation. With unparalleled data processing power and text comprehension, LLMs...
The ShinyHunters group is currently orchestrating vishing attacks and exploiting SSO to bypass multi-factor authentication. These sophisticated campaigns have led to breaches of cloud platforms...
Identity attacks are evolving into hybrid vishing operations. New phishing kits allow attackers to manipulate a victim’s browser in real-time, syncing web visuals with phone scripts to perfectly...
Our latest release note: Building effective cybersecurity training takes time. Arsen’s new AI-assisted builder combines hyper-realistic simulations with customizable learning paths that blue teams...
The FBI warns that North Korean group Kimsuky is using quishing to target organizations. Discover how bad actors exploit QR codes to bypass security controls and how to test your defense against...
AI and LLMs are creating a paradigm shift in cyberattacks. Attackers now use AI-powered kits to automate the entire attack lifecycle with unprecedented speed and precision. CISOs must adapt...
Phishing has evolved. Zscaler ThreatLabz recently revealed BlackForce, a toolkit hijacking active sessions and bypassing MFA, using the "Man-in-the-Middle" (MITM ) attack tactic. CISOs must update...
Call centers are prime targets for voice phishing due to high-pressure environments and shared access. Discover why specialized vishing training platforms are essential for BPOs to defend against...
Protect your financial institution from voice phishing. Learn why vishing targets banking and fintech teams, the limitations of traditional defenses, and how to implement scalable, compliant...
A new vishing campaign weaponizing Microsoft Teams and Quick Assist for fileless malware execution was recently revealed. Learn how this hybrid attack bypasses defenses and why AI-driven vishing...
A recent massive phishing campaign targeted financial institutions by weaponizing trusted services like Mimecast and DocuSign. Discover how these attacks bypass filters and learn how to protect...
Email phishing is still the #1 entry point for social engineering, but attackers no longer stop at the inbox. They follow up with phone calls, pressure employees in real time, and stitch channels...
Vishing simulations are a powerful awareness tool — but without legal guardrails, they can put your organization at risk. Here’s how to approach them safely.
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records in the United States. While FERPA places legal obligations on schools, universities, and...
The NIST Cybersecurity Framework (CSF) is a widely adopted set of best practices for managing cybersecurity risks across all sectors — from critical infrastructure to cloud-native startups. It...
The California Consumer Privacy Act (CCPA) and its expanded version, the California Privacy Rights Act (CPRA), have redefined how businesses must handle personal data in the U.S. These laws...
The Payment Card Industry Data Security Standard (PCI-DSS) is a mandatory framework for any organization that stores, processes, or transmits cardholder data. While most PCI compliance efforts...
The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of Protected Health Information (PHI) across healthcare providers, insurers, and business associates. While...
The NIS2 Directive (Directive (EU) 2022/2555) represents a significant expansion of the EU’s cybersecurity legislation, aimed at strengthening resilience across critical infrastructure and digital...
The Digital Operational Resilience Act (DORA) is the European Union’s new regulatory framework aimed at strengthening the operational resilience of financial services — including banks, fintechs,...
ISO/IEC 27001 is one of the most widely recognized standards for Information Security Management Systems (ISMS). Whether you're pursuing certification or maintaining compliance, one thing is...
SOC 2 Type II has become the gold standard for demonstrating security and trustworthiness in the SaaS and technology sectors. Unlike Type I, which evaluates controls at a point in time, Type II...
Since the introduction of the General Data Protection Regulation (GDPR) in 2018, organizations operating in or serving the EU have faced strict requirements for how they handle personal data....
Modern phishing detection is notoriously difficult. As technology evolves, so do attack patterns. What was once a simple scam exploiting an emotional lapse has become a sophisticated,...
Multi-factor authentication (MFA) was supposed to be the silver bullet. By requiring a second step—typically a push notification or a one-time code—organizations could drastically reduce the risk...
Quishing — short for QR code phishing — is a rapidly growing threat vector that blends physical simplicity with digital deception. While many organizations have matured their defenses against...
QR code phishing, sometimes called “quishing,” is a rising threat that cleverly blends the digital and physical worlds. Attackers embed malicious URLs inside QR codes, hoping victims will scan...
"The voice sounds real. The request seems urgent. But the person on the line doesn’t exist." AI is transforming vishing into something faster, more convincing—and terrifyingly scalable. With...
"Your employees might know about vishing—but will they recognize it when it strikes?" Awareness isn’t enough. In today’s threat landscape, attackers exploit emotion, pressure, and live...
"Think you're safe because you made the call? Think again." Callback vishing flips the script—literally. Instead of the hacker calling you, you unknowingly call them. Blending the deceptive power...
"Can you trust the voice on the other end of the line?" With AI-powered voice cloning now accessible to anyone with an internet connection, this chilling question is no longer theoretical. From...
In 2023, Slovakia became a cautionary tale when a fake audio recording targeting a prominent candidate in its national election sparked widespread outrage and concerns about electoral fraud....
Social engineering, the art of manipulating individuals to divulge confidential information or perform actions that compromise security, has evolved dramatically in recent years. But before...
In this article we’ll explore how people’s emotions become business vulnerabilities, why social engineering is so effective, and three powerful principles to secure and protect your environment.
How can you protect your organization from social engineering attacks and their adverse impacts? This article explores different attack strategies, real-world examples, and prevention methods.
"How would your team respond to a voice phishing attack—right now?" In today’s threat landscape, knowing isn’t enough. Simulated vishing attacks are the safest way to uncover how employees...
Call bots, a kind of vishing automation can be used to trick victims and defeat MFA. Here's how.
Cybersecurity threats continue to evolve, and one of the rising concerns for businesses is the domain doppelganger. These deceptive domains are crafted to mimic legitimate websites, luring...
The AIDS Trojan, also known as the AIDS Information Diskette Trojan, is widely recognized as one of the earliest examples of ransomware* Its appearance in 1989 shocked the nascent world of...
Remote Access Trojans (RATs) are a dangerous form of malware that allows cybercriminals to gain unauthorized access and control over an infected computer or network. Understanding the risks posed...
In today's cybersecurity landscape, ransomware remains a top threat to organizations of all sizes. A ransomware attack can lock down your systems, encrypt your data, and demand a hefty ransom for...
Locky ransomware is a notorious form of malware that emerged in 2016, targeting businesses and individuals alike. This sophisticated ransomware spreads primarily through malicious email...
In the world of cybersecurity, Bad Rabbit ransomware has made headlines as one of the more sophisticated and dangerous ransomware attacks. This malware first surfaced in 2017, targeting companies...
The WannaCry ransomware attack, which occurred in May 2017, stands as one of the most significant and destructive cyberattacks in recent history. It serves as a critical lesson for organizations...
Ransomware is one of the most prominent cyber threats today, targeting both individuals and organizations alike. In this article, we will dive into the ransomware definition, how it works, and the...
Ransomware attacks have rapidly become one of the most disruptive forms of cybercrime, targeting businesses of all sizes. By encrypting valuable data and demanding a ransom for its release, these...
In today's digital age, regulatory compliance is a critical aspect of running a successful business. Ensuring that your company adheres to applicable laws and regulations helps avoid legal...
In today's highly regulated business landscape, compliance risk is a critical concern for organizations across industries. Failing to comply with laws and regulations can result in severe...
Effective compliance monitoring is critical for ensuring that organizations consistently adhere to internal policies and regulatory requirements. As companies face increasing scrutiny from...
Effective compliance management is essential for organizations to meet legal obligations, protect their reputation, and maintain operational integrity. As regulations evolve, businesses must adopt...
The California Consumer Privacy Act (CCPA) is a pivotal data privacy law that grants consumers more control over their personal information. For businesses operating in or interacting with...
In today’s rapidly evolving tech landscape, **IT compliance** plays a critical role in ensuring organizations meet legal and regulatory requirements. Failure to comply can lead to severe...
In today's increasingly digital world, safeguarding online privacy has become more crucial than ever. One of the most effective ways to protect your personal information while browsing the web is...
In today’s interconnected world, ensuring your online privacy and security is more crucial than ever. One of the most effective tools for safeguarding your digital presence is a **VPN**. But what...
A VPN (Virtual Private Network) is a tool that enhances your online security by encrypting your internet connection and masking your IP address. This makes it an essential part of modern digital...
Data breaches have become a persistent threat to organizations of all sizes. By analyzing data breaches examples, we can uncover key lessons for safeguarding sensitive information. Below are some...
In today’s digital landscape, data breaches are a constant threat. Companies of all sizes are vulnerable to these attacks, making it crucial to adopt effective prevention and response strategies....
Doxxing, short for “document tracing,” refers to the act of publicly disclosing someone’s personal information, like their real name, home address, phone number, or even financial data, without...
Pretexting is a social engineering tactic that involves creating a fabricated scenario to deceive an individual into disclosing sensitive information. Unlike other forms of cyberattacks,...
Pretexting is a sophisticated social engineering technique used by cybercriminals to manipulate individuals into divulging sensitive information. But what is pretexting exactly, and how does it...
The Secure Socket Tunneling Protocol (SSTP) is an important player in ensuring secure and private communication over the internet. Often used in Virtual Private Networks (VPNs), SSTP provides a...
In today's digital landscape, DNS security is a crucial aspect of safeguarding any organization’s network. The Domain Name System (DNS) acts like the internet’s phonebook, translating domain names...
In the world of email communications, SMTP relay plays a critical role in ensuring that emails are delivered efficiently across networks. Whether you're a business sending newsletters or...
Sendmail is a widely-used mail transfer agent (MTA) that handles the delivery of email across networks. It’s been a cornerstone of email server infrastructure for decades, primarily on Unix-based...
Typosquatting, also known as URL hijacking, is a form of cyberattack that exploits common typing mistakes made by users when entering website addresses. A single misspelling can redirect users to...
Social engineering is a technique used by cybercriminals to manipulate individuals into revealing confidential information or performing actions that compromise security. Rather than hacking...
In today's digital world, the term "PII" (Personally Identifiable Information) has become central to discussions around cybersecurity and privacy. But what exactly is PII, and why is it so...
Watering hole attacks are an increasingly sophisticated cyber threat, targeting specific groups or organizations by compromising websites they frequently visit. In this article, we will break down...
When exploring the complex world of the internet, the term "DNS" frequently pops up. But what does DNS stand for, and why is it important? This article will break down the DNS meaning and explain...
In today’s digital age, personal information is more accessible than ever, and this has given rise to a dangerous practice known as doxxing. But what is doxing? Simply put, doxxing (also spelled...
In today’s digital age, Personal Identifiable Information (PII) is more vulnerable than ever. With cybercriminals targeting sensitive data to commit identity theft or fraud, safeguarding your PII...
Phishing comes in different shapes and forms. This means you have a lot of choices when it comes to creating a phishing simulation, and most companies get confused as to what type of simulation...
In this post, we'll explore the key steps to launch a phishing simulation that will help you protect your company from phishing attacks.
Phishing training for employees is essential in building defense skills against cyberattacks. By educating employees on how to recognize and respond to phishing attempts, businesses can reduce the...
Phishing training is essential for protecting your organization from cyberattacks. By educating employees on how to recognize and respond to phishing threats, you can reduce the risk of data...
Phishing awareness is essential to safeguarding your business from cyberattacks. Learn how to recognize phishing attempts, understand common tactics used by attackers, and implement strategies to...
Quishing is a new phishing tactic where attackers use malicious QR codes to deceive users into visiting fraudulent websites or downloading harmful software. Learn how quishing works, real-world...
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that helps prevent spoofing and phishing attacks. It allows domain owners to define how...
Ensure your email domain is protected from spoofing with Arsen's free DMARC Checker. Validate your DMARC setup, verify SPF and DKIM alignment, and safeguard your emails against cyber threats....
DKIM (DomainKeys Identified Mail) is an email authentication method that verifies the sender's identity and ensures message integrity. By adding a digital signature to emails, DKIM helps protect...
Ensure your emails are protected from spoofing and tampering with Arsen's free DKIM Checker. Easily verify your email's DKIM setup and secure your communications from potential cyber threats....
Identifying common indicators of a phishing attempt is crucial for staying secure online. Look out for suspicious sender addresses, generic greetings, urgent language, unusual links, and requests...
Phishing attacks come in various forms, from deceptive emails to fraudulent text messages. Understanding the types of phishing—including email phishing, spear phishing, smishing, vishing, and...
Spear phishing is a targeted cyberattack that uses tailored information to trick individuals or companies into revealing sensitive data. Learn what spear phishing is and discover key prevention...
Spear phishing is a targeted form of phishing that uses personalized tactics to deceive specific individuals or organizations. Unlike regular phishing, spear phishing exploits trust by mimicking...
Spam and phishing are common types of unwanted emails, but they serve different purposes and pose different risks. While spam typically promotes products or services, phishing aims to steal...
Smishing and phishing are cyber threats that use deception to steal personal information. While phishing typically targets victims through email, smishing uses text messages to trick individuals...
Phishing emails are crafted to deceive and steal sensitive information. Understanding various phishing email examples, such as fake security alerts, unexpected invoices, and prize notifications,...
Phishing emails use deceptive tactics to trick you into revealing sensitive information. Learning to identify phishing email techniques, such as manipulated sender addresses, urgency tactics, and...
Phishing detection is essential to prevent cyberattacks that trick individuals into revealing sensitive information. Combining advanced tools like email filters, web filtering, and anti-phishing...
Phishing emails are a favorite tool of cybercriminals, designed to steal sensitive information. Knowing how to spot a phishing email is key to staying protected. Look out for unusual email...
Facebook phishing is a common scam where attackers attempt to steal your login credentials and personal information. By recognizing tactics like fake login pages, malicious links, and...
Phishing emails often disguise themselves as legitimate communications to trick you into revealing sensitive information. Recognizing an example of phishing email is crucial for protecting your...
Phishing attempts are designed to trick you into revealing sensitive information. Recognizing the common indicators of a phishing attempt is essential for online security. From suspicious sender...
Clone phishing is a deceptive cyberattack where legitimate emails are replicated with malicious intent. Attackers use nearly identical copies of trusted communications but replace links or...
Phishing attacks often involve malicious links disguised as legitimate URLs. Knowing how to check phishing links is essential for your online security. Be cautious with suspicious URLs, hover over...
Vishing, or voice phishing, is a phone scam where attackers use various techniques, such as caller ID spoofing and urgency tactics, to trick victims into revealing sensitive information....
Vishing is a form of voice phishing where attackers use phone calls to trick individuals into revealing sensitive information. Unlike traditional email-based phishing, vishing exploits the trust...
Catfishing is a form of online deception where individuals create fake identities to manipulate others. Learning how to identify catfishing is essential to protect yourself from these scams. This...
Catfishing is a form of online deception where someone creates a fake identity to lure others into fraudulent relationships. This practice can involve emotional manipulation, financial scams, or...
Spoofing is a deceptive cyberattack where criminals disguise themselves as trusted sources to steal sensitive information or spread malware. One of the most prevalent forms is email spoofing,...
Email spoofing is a deceptive cyberattack where hackers forge an email's sender address to appear as though it's from a trusted source. This tactic is often used in phishing schemes, business...
Email spoofing is a dangerous cyber threat that can compromise your organization’s security and reputation. Attackers disguise their emails to appear as though they come from a trusted source,...
Conference on the Impact of AI on Cyberattacks in 2024.
Aymeric from Klaxoon explains why they chose Arsen to train their employees and improve their reflexes against phishing attacks.
In this discussion with Benjamin Leroux from Advens, we explore the changes brought by generative AI to the attack landscape when it comes to phishing and social engineering.
Spreading malware or gaining initial access through email attachment is the third most common phishing tactic. Because of the scale of our phishing operations at Arsen, we wanted to explore the...
GenAI phishing is now a thing. You might want to deploy it for your clients or your company but you might also want some scenario suggestions to get your creative juices flowing. This article is...
With the rise of genAI phishing, you might be tempted to use it for your phishing operations. Using a third party, well trained LLM has obvious advantages, from infrastructure cost — this GPU...
If you’ve been reading our content, you’re probably itching to shoot some genAI phishing for your next simulation campaign. But one does not simply ask ChatGPT for a cool phishing email. Here...
A paradox has struck me for several years now. Everyone I speak to is convinced of the predominance of human risk. The internet is full of statistics linking initial access to employee behavior...
At Arsen, we love Gophish. It’s by far the most comprehensive open-source solution for deploying phishing, whether for evaluation, training, or research purposes. That being said, GoPhish has...
Phishing simulation tools have become the front line of defense in cybersecurity training. By mimicking real-life phishing attempts, these tools assess human vulnerability in digital landscapes....
From phishing to fake transfer scams, social engineering is rampant. User manipulation is responsible for a large number of cyberattacks, and the situation is not improving. Simultaneously, the...
A new feature has arrived on Arsen: multi-scenario campaigns. It allows you to use multiple phishing scenarios within a single campaign. The benefit? Stay realistic by not targeting all your...
An attack via USB drive, also known as USB Drop, is a danger that is still underestimated. USB drives are very effective in helping us store and transport small amounts of data. We use them...
At Arsen, we help businesses protect themselves against phishing. Part of this work involves simulating attacks on employees. We are therefore particularly attentive to real attacks that can be...
In this article, we will see how to customize a phishing test with Arsen. More specifically, what elements can be included in the email to have a realistic, personalized, and more or less...
Learn how to report a fraudulent email is a crucial step in the fight against phishing. In an ideal world, everyone facing a phishing attempt would report it, as it contributes to the fight...
After seeing how to secure your remote work at home, we will now talk about mobility situations: working remotely outside. Laptops are blossoming on café terraces and it is pleasant to answer a...
The use of teleworking has exploded and represents a major trend. This brings new challenges in terms of cybersecurity. Between the perceived improvement in quality of life for many employees and...
In this video, we explain [how to effectively raise awareness against phishing](https://arsen.co/blog/sensibiliser-efficacement-phishing). The objective of this awareness is to improve the...
Whether it's clicking on a malicious link or sending confidential data to a fake third party, if the threat is always external, 90% of effective cyber attacks involve an error resulting from human...
During a phishing simulation, you will retrieve behavioral data and be able to determine your level of resilience. But what are the results to observe following a false phishing campaign and how...
Often, when an individual needs to create a new password, they will rack their brains and choose personal information that relates to them, then modify it by changing elements or adding special...
Managing identification, and more specifically passwords, is a key lever in cybersecurity. This is part of [good cybersecurity practices](/blog/personal-cybersecurity): if you have a good...
Juice jacking is a type of cyber attack that exploits USB charging cables or chargers to compromise devices with USB ports, especially mobile phones. Charging cables don't just power your phone's...
Very often during discussions with our clients, we realize that some basics of cybersecurity are not necessarily mastered. It is both common and dangerous. Cybersecurity is everyone's business...
Not all phishing emails are equal. When I ask someone what they think of a "phishing email," the descriptions are very varied. Among these descriptions, the level of difficulty, that is to say,...
Click campaigns are now available on Arsen! When you schedule a phishing campaign, it is possible to do Credential Harvesting or a click campaign. If an employee clicks on the link during a...
Why conduct a fake phishing exercise? Phishing is the entry point for 91% of attacks*. The objective of phishing simulations is to prevent the hacking of your company in order to avoid financial...
We live in an increasingly connected world. Everyone has a phone with capabilities that surpass most computers available a few years ago, telecommuting is strengthening, most employees have a...
In this article, I will show you in a video how, from a simple phishing email, we can bypass multi-factor authentication, also known as MFA or 2FA."
Ransomwares are becoming increasingly present on our systems. Reveton, WannaCry, Cryptolocker, REvil: if you know these names, it's because they are all ransomwares that have caused significant...
Cryptolocker is a notorious type of ransomware that has become a major threat in the world of cybersecurity. This malicious software is designed to encrypt a victim's files and demand payment,...
When a company adopts a new phishing simulation solution, the question often arises: "How often should I conduct phishing simulations?" The frequency of phishing simulations is a crucial...
"I don't think we are at risk: we have a very technical and educated team on the subject, but I would like to be sure..." This is the first exchange we had with Jonathan Brossard, CTO of...
Originally, Emotet was a banking Trojan malware. Its role was to discreetly infiltrate computers in order to steal sensitive information such as banking details. The malware carried out malicious...
In March 2021, the top 10 dating sites in France recorded 46.4 million visits, according to a study conducted by [monpetitdate](https://www.monpetitdate.fr/etude-statistiques-sites-de-rencontre/)....
WannaCry is the ransomware behind one of the most significant ransomware attacks. In this article, we look back at the history of this particularly virulent ransomware.
The risks associated with phishing are often underestimated. Many still believe that the consequences are limited to having to change a few passwords, scan their network, or even have a...
The compromise of email addresses, or Business Email Compromise (BEC), is a popular attack aimed at compromising a company's mailbox for malicious purposes. The simplest monetization is generally...
Instagram is a highly popular social network, making phishing on the platform equally prevalent. According to the "Digital Report 2021" by Hootsuite and We Are Social, Instagram ranks fifth among...
Discover the evolution of phishing attacks over time, from the first phishing attack to the most advanced attacks occurring today.
In this article, we will focus on cybersecurity at home, or how to secure your telecommuting from home. The rules and best practices explained in this article apply to telecommuting of all kinds,...
In this article, we will discuss the limitations of different awareness solutions. The goal is not to criticize these types of solutions, but to present the missing parts so that you can either...
It is not always easy to know the steps that follow a [phishing test](https://arsen.co/test-phishing). Many of our clients contact us initially for a phishing test and ask us what they should do...
In this article, we will analyze the process of a phishing test, from its setup to reporting. We will discuss framing, technical deployment, execution, and post-mortem of the exercise.
Did you know that SMS has an average open rate of over 95%? The definition of smishing is a digital attack through SMS that can have serious consequences. SMS marketing has become a strategy that...
Managing numerous phishing campaigns takes time. That's why many of our clients share the various tasks related to phishing test management or scenario design. Our awareness platform allows you...
How to secure telecommuting? In recent months, we have published various articles on cybersecurity and telecommuting. Indeed, the context of the health crisis has led to an increase in...
A new variant of phishing has been observed lately, called Browser in the Browser (BitB). It is simply an attack aiming to deceive usual human detection techniques by generating a fake window...
Phishing is the entry point for 90% of cyberattacks today. This threat poses various risks to a company, including organizational, reputational, financial, and legal risks. It is therefore...
Instagram is a very popular social network, so it is logical that phishing on Instagram is just as popular. According to a study, "Digital Report 2021" published by Hootsuite and We Are Social,...
The aim of your phishing campaigns is to get as close as possible to real attacks threatening your company in order to improve your resilience against them. Some hackers are increasingly focusing...
"Vishing may be less known than phishing—but the damage it causes is just as real." From tech giants like Twitter to global banks and energy firms, voice phishing has quietly become one of the...
Discover how our phishing simulations can effectively reduce your human attack surface.
Request a Demo
