- The Rising Threat of Business Email Compromise
Cybercrime is evolving faster than ever, and Business Email Compromise (BEC) stands out as one of the most insidious threats. Unlike flashy malware attacks, BEC is a subtle, social engineering scam where fraudsters impersonate trusted figures like CEOs, vendors, or partners to trick employees into wiring funds, sharing data, or authorizing bogus transactions. The result? Massive financial losses, data breaches, and shattered reputations.

According to the FBI's Internet Crime Complaint Center (IC3), BEC scams racked up a staggering $2.9 billion in losses in 2023 alone, with an average hit of $137,000 per incident. Fast-forward to 2024, and BEC accounted for 73% of all reported cyber incidents, with losses soaring past $55 billion over the decade. What's more alarming? A 13% spike in attacks in early 2025, fueled by AI-generated emails that are now 40% of BEC phishing attempts—making them eerily polished and undetectable. In addition, nearly 40% of ransomware attacks begin with a compromised email. These attacks exploit poor habits like credential reuse across personal and work accounts.

Real-world examples paint a grim picture. In 2023, Children's Healthcare of Atlanta lost $3.6 million to fake invoices from a spoofed CFO. The School District of Philadelphia saw $700,000 diverted in a vendor impersonation scheme in 2024. Even charities aren't safe: Treasure Island in San Francisco was fleeced of $625,000 in a month-long BEC ploy. These aren't isolated incidents—they highlight how BEC preys on trust and rushed decisions, turning everyday emails into financial nightmares.

Don't let BEC blindside your organization. Dive into myNetWatchman's special report, "The Rising Threat of Business Email Compromise (BEC) Fraud," for in-depth insights, more case studies, and actionable strategies.
- Evolving Landscape of Cyber Threats Necessitates Advanced Risk Assessment for Cyber Insurers
Cyber insurance is a critical tool for businesses to mitigate financial losses from cyberattacks. However, insurers' traditional approach of using questionnaires to assess cyber risk is inadequate in today’s rapidly evolving threat landscape. Unless insurance companies stop relying primarily on questionnaires for risk assessment, they will continue to experience increased financial losses due to cyber fraud and crime.

Questionnaires have long been a staple for insurers to evaluate a company’s cybersecurity posture. They typically ask about basic security measures, such as whether a company uses firewalls, antivirus software, or Multi-Factor Authentication (MFA). However, these static, self-reported assessments fail to capture the dynamic and sophisticated nature of modern cyber identity threats. Avoiding real-world catastrophes like 23andMe and Marks & Spencer requires insurers to update risk assessment protocols to meet the ever-evolving threat today’s criminals present.

This new Special Report outlines what is needed to protect Cyber Insurance Carriers and reduce losses for both insurers and policy holders.
- Webinar Recording – Using Live Data to Stop ATO
According to the 2025 Verizon Data Breach Incident Report, credential abuse (i.e., credential stuffing, account takeover attacks, etc.) is the leading initial attack vector and is up over 22%. Credential screening – evaluating credentials for potential compromise at various points, including login, signup, and account reset – is a best practice for enhancing security measures to fight these types of attacks.

Many organizations use breach data to screen against compromised credentials. However, using breach data alone for credential screening can result in higher false-positive rates, poor user experiences, and increased fraud remediation costs. Why? Here’s a breakdown of breach data compared to live data.

| Breach Data | Live Data |
| --- | --- |
| Can be months or even years old – Data breaches are not always known right away nor is the data available immediately. This means the data accessed by criminals could have been in use for weeks, months, or years before it is available for credential screening. | Provides recent activity – Data gathered through live channels is actively being used by criminals and can be used for credential screening immediately, demonstrating a clear threat in real time. |
| Known to criminals & corporations – Data from breaches is known to both criminals and corporations which diminishes the effectiveness of credential screening. | Known only to mNW – Live data is known only to myNetWatchman which makes it more accurate and more actionable when conducting credential screening. 100% of the live data presented by myNetWatchman is criminal activity and shows a higher risk of account compromise. |
| Everyone’s data has been breached – With more than 12,000 data breaches in 2024 alone, it is a safe bet that everyone’s data has been breached in the past few years and is available on the dark web. So, credential screening with breach data alone can be lacking in actionable information and in determining where the highest risk is. | Not everyone’s data is being used – Knowing whose data is actively being tested and used by criminals is far more predictive of risk and account compromise. Credential screening with live data results in zero false positives and a better customer experience. |
| Comes in batches – Breach data generally comes in batches and needs to be constantly updated to get the latest data available. | Seen in real-time – Live data is delivered in real time via an API with the most recent activity on over 38 billion credential pairs highlighting risk immediately. No updating necessary. |
| Doesn’t require monitoring – Breach data is not real time, so monitoring is not a factor. | Monitoring for compromised credentials – myNetWatchman constantly monitors for criminal activity to ensure the latest data is available and delivered in real time. |

mNW improves breach data by adding “live data”, enhancing detection of compromised credentials linked to criminal activity. This helps companies prevent account takeovers and other fraud events. The difference between using typical breach data and live data for your credential screening can make a significant difference.

In this webinar we reviewed:

  - The problems of using breach data alone
  - What does “live data” add to enhance fraud detection?
  - Two case studies highlighting the increased levels of accuracy for preventing ATO
  - Audience Q&A

Presenters:

David Montague

David is the CEO of myNetWatchman and an experienced risk and security executive and GM with highly specialized skills in eCommerce, fintech, payments, fraud, risk and security. For more than 20 years, David has applied his skills in executive positions at leading technology companies like Amazon, Expedia, IBM and consulting firms like The Fraud Practice, Inc. A true technology leader, David blends business acumen, empathy and technical expertise to solve the toughest challenges facing enterprises today.
Jen Baldwin

Jen is the COO at myNetWatchman and a seasoned technology professional with a passion for fighting fraud. Experienced in management, data analysis, and investigations in cyber and identity fraud, specialty retail loss prevention, contract fraud, litigation support, and due diligence projects. Jen’s time at Cars.com and CareerBuilder managing Fraud Prevention and Site Security respectively gives her an insider's view of what really happens when criminals target your organization.

Watch the webinar by clicking here.
- Big Mac, Fries, and 64 million Records To Go Please
Seriously, McDonald's? A Wake-Up Call for Enterprise Security Leaders.

To all CISOs, cybersecurity managers, and fraud prevention experts out there, pull up a chair. We need to talk about something both utterly shocking and yet unbelievably common. It's about a recent data breach that affected a global powerhouse, a multi-billion dollar corporation, through a vulnerability so basic, it's almost a cartoon villain's password: "123456." Yes, you read that right.

The Golden Arches' Glaring Security Gap

Remember that news about McDonald's and its 64 million job applicants? The one where their personal information was exposed? This wasn't some sophisticated nation-state attack or a zero-day exploit requiring an army of highly specialized threat actors. This was, quite frankly, a facepalm moment brought to you by a third-party AI system, Paradox.ai, which provides the McHire platform for screening candidates.

Security researchers Ian Carroll and Sam Curry uncovered this gaping hole. While initially looking for prompt injection vulnerabilities in the AI chatbot, Olivia, they stumbled upon a login link for Paradox.ai staff. What happened next is almost unbelievable for a company of McDonald's stature: they tried common credentials, including "123456" for both username and password, and it worked. This simple password granted them administrator access to a test McDonald’s restaurant on McHire, without multi-factor authentication.

The compromised account, a test account, was the obvious weakness in the first layer of defense and had not even been logged into since 2019 and "should have been decommissioned." And with that oversight they had access to "virtually every application that's ever been made to McDonald’s going back years." This single, neglected, and woefully insecure credential exposed names, email addresses, phone numbers, and IP addresses of 64 million job applicants. Beyond the initial access, the researchers found they could also manipulate applicant ID numbers to view other candidates' chat logs and contact information. The implications? Massive phishing risks and potential payroll scams, as applicants are eager and waiting for communication from McDonald's.

McDonald's was, understandably, "disappointed by this unacceptable vulnerability from a third-party provider", but the truth is, this highlights a fundamental, yet often overlooked, vulnerability in today's interconnected digital landscape. Whether a first line of defense or the last, credentials like passwords should be secure at least as far as not being easily guessed, should not be a known-breached credential pair, and at best should be screened for recent criminal activity.

The Achilles' Heel: Reused and Compromised Credentials

The McDonald's breach is a stark reminder that your most sophisticated firewalls and cutting-edge threat detection systems can be utterly bypassed by the simplest weak link: a compromised credential. Why is this such a prevalent problem? Because users—whether your customers, employees, or third-party vendors—often reuse credentials across many sites and accounts. A staggering 52% of US adults reuse the same password across two or more accounts, and 13% admit to using the same password for ALL their accounts.

This habit is the fuel for devastating attacks like credential stuffing, where credential pairs obtained from one source (like a data breach) are used to attack other systems. Weak Active Directory (AD) credentials are a primary vector for both initial compromise and lateral movement within an organization, leading to ransomware, data breaches, and business email compromise (BEC). Even when multi-factor authentication (MFA) is enforced, gaps can exist, especially with third-party applications, making the security of the "first factor"—the password—paramount. In fact, employees using company credentials outside of work were tracked in 40% of data breaches.

The Easiest, Most Effective Defense: Proactive Credential Screening

Given the staggering statistics and the McDonald's debacle, it's clear: screening credentials for your corporation's customers, employees, and vendors is one of the easiest, most accurate, and highly effective ways to drastically reduce access to your corporate and customer data. This isn't about blaming users for their password habits; it's about putting robust systems in place that protect your organization despite those habits.

Enter myNetWatchman. We provide the tools to proactively detect and mitigate these risks before criminals can exploit them.

  - myNetWatchman's Active Directory (AD) Audit Tool: This powerful solution directly scans your Active Directory to identify compromised employee and vendor credentials. It screens your organization's internal credentials against our extensive repository of known compromised credentials, making it paramount for preventing account takeover. It's designed to secure your AD against modern threats and address weak credentials that can lead to initial compromise and lateral movement. Our secure API compares NT hashes from your AD against our vast password repository, leveraging K-Anonymity for enhanced privacy. This allows you to securely identify compromised accounts instantly and helps you get ahead of potential credential stuffing attacks against your employees.
  - myNetWatchman's AllCreds Compromised Credential Screening: This solution enables you to detect if compromised credentials are being used by your consumers and/or employees at key events like account creation, login, and password changes. AllCreds doesn't just screen for breached credentials; it identifies ones that are actively being used, focusing on credential pairs to significantly reduce false positives and unnecessary friction. It allows you to prevent account takeover (ATO) by directing users to choose secure passwords and can even trigger 2FA for high-risk accounts. AllCreds is your front-line defense against credential stuffing attacks, which are effective because so many consumers reuse passwords. We've built an ever-expanding database of 35+ billion unique compromised credential pairs, with 15 million new pairs added daily.

Stop Playing Catch-Up, Start Leading

The McDonald's breach was a painful, public lesson in the critical importance of basic credential hygiene, and, of course, security-conscious configuration settings. It's mind-boggling that the combination of two such significant missteps, such a simple vulnerability, could open the floodgates to 64 million records. Don't let your organization be the next cautionary tale because of a "123456" moment. With myNetWatchman's AD Audit and AllCreds, protecting your organization from credential-based attacks is not just possible, it's remarkably easy and effective. Stop wishing you had fries with that breach and start putting a real defense in place.
- Pig Butchering Scams: A CISO’s Guide to Mitigating a Sophisticated Cyber Threat
According to the Global Anti-Scam Alliance (GASA) and Chainalysis Reports, "pig butchering" scams, which involve luring victims into investing in fraudulent financial schemes often involving cryptocurrency, represent a growing menace in the cybersecurity landscape, costing victims $75 billion globally from 2020 to 2024. Compromised credentials on dating sites, for example, provide scammers with a valuable toolset for executing pig butchering scams. By leveraging stolen information and impersonating real individuals, they can effectively target and manipulate victims, leading to significant financial losses and emotional distress. MyNetWatchman has seen ongoing credential testing at multiple dating sites, with 235 thousand compromised accounts accessed by miscreants in the past year.

These scams combine social engineering, romance fraud, and fraudulent investment schemes, often leveraging cryptocurrency to exploit customers and challenge enterprise security teams. For Chief Information Security Officers (CISOs), fraud prevention managers, and cybersecurity professionals, understanding and countering this threat is critical to protecting customers and organizational reputation.

The Anatomy of a Pig Butchering Scam

Pig butchering is a long-con fraud where scammers build trust with victims over weeks or months, often posing as romantic or friendly contacts, before luring them into fake investment platforms, typically cryptocurrency-based. The scam’s name reflects the process of “fattening” victims with trust before “slaughtering” them financially. Operated by sophisticated crime syndicates, these scams exploit human psychology and the anonymity of crypto transactions, posing unique challenges for cybersecurity teams.

Pig butchering isn’t just a scam—it’s a systemic threat that exploits customer trust and bypasses traditional security controls.

The Pig Butchering Playbook: A Step-by-Step Breakdown

Understanding the scam’s methodology is essential for developing effective countermeasures. The process unfolds as follows:

  1. Initial Contact (Social Engineering): Scammers initiate contact through unsolicited texts, social media, or dating apps, often using “wrong number” messages to engage victims. These messages exploit human curiosity and are tailored to appear personal. Example: “Hi, is this Sarah? It’s been ages!” CISO Challenge: Detecting these initial vectors requires monitoring unusual communication patterns across customer-facing channels.
  2. Trust-Building Phase: Over weeks or months, scammers cultivate relationships via frequent messaging, fake personas, and AI-generated content (e.g., deepfake images or videos). They pose as successful investors to establish credibility. CISO Challenge: Social engineering bypasses technical controls, requiring behavioral analytics to identify manipulative patterns.
  3. Investment Pitch: Scammers introduce fraudulent investment opportunities, often directing victims to malicious apps or websites mimicking legitimate platforms like Binance. These platforms display fake returns to build confidence. CISO Challenge: Identifying and blacklisting fraudulent domains and apps in real time is critical but complex due to their rapid proliferation.
  4. Escalation and Fake Gains: Victims are encouraged to invest small amounts, often seeing “returns” to build trust. Scammers then push for larger investments, sometimes pressuring victims to borrow funds. CISO Challenge: Monitoring for micro-transactions or unusual crypto wallet activity can signal early scam involvement.
  5. Financial Extraction and Disappearance: When victims attempt withdrawals, scammers cite fees or technical issues, eventually vanishing with the funds. CISO Challenge: Post-scam recovery is nearly impossible due to cryptocurrency’s anonymity, emphasizing the need for preemptive detection.

Real-World Impacts: Case Studies

Pig butchering scams have caused significant harm, illustrating the stakes for cybersecurity teams:

  - Connecticut Financial Institution (2020): A customer lost $180,000 after a scammer, initiating contact via WhatsApp, guided them to a fake crypto platform. The institution faced reputational damage and legal inquiries for failing to flag the transfers. Message Sample: “Sorry, wrong number! But you seem nice, what’s your story?”
  - Ohio Bank (2024): A regional bank reported $6 million in customer losses to pig butchering scams, with scammers using cloned apps to mimic legitimate trading platforms, overwhelming the bank’s fraud detection systems.
  - Illinois Credit Union (2024): A widower lost $1 million after months of communication with a scammer posing as a romantic partner. The credit union’s lack of real-time monitoring delayed detection, leading to regulatory scrutiny.

The FBI’s IC3 logged 4,300+ pig butchering complaints in 2021, with losses exceeding $429 million, underscoring the scale of the threat to financial institutions.

Enterprise Risks and Detection Challenges

For CISOs and fraud prevention managers, pig butchering presents unique hurdles:

  - Bypassing Traditional Controls: Scams rely on human manipulation, not malware, evading firewalls and antivirus solutions.
  - Cryptocurrency Anonymity: Blockchain transactions are hard to trace, complicating recovery efforts.
  - Scalability of Attacks: Crime syndicates operate at scale, using call centers and trafficked labor, overwhelming manual detection efforts.
  - Customer Education Gaps: Even sophisticated customers fall for well-crafted scams, requiring proactive monitoring to compensate for human error.

Pig butchering exploits the human element, making it a blind spot for traditional cybersecurity. Advanced monitoring is our best defense.

Conclusion

Pig butchering scams pose a sophisticated threat to customers and enterprises alike, exploiting trust and evading traditional cybersecurity controls. For CISOs and fraud prevention managers, the stakes are high: financial losses, reputational damage, and regulatory scrutiny demand proactive measures. By combining customer education, behavioral analytics, and advanced tools like those provided by myNetWatchman, organizations can detect and disrupt these scams early, safeguarding customers and their bottom line. Explore myNetWatchman’s solutions at myNetWatchman.com to strengthen your defenses.
- The Achilles' Heel of Online Security: Why Passwords Leave Companies Vulnerable
In our digital-first world, passwords, combined with an email address or User ID, are the primary gatekeepers to vast amounts of sensitive data. However, for nearly every online company, this reliance on passwords as a verification and identity method presents a critical weakness. This leaves them vulnerable to a relentless barrage of criminal activities, including credential stuffing, account takeover, and ransomware attacks. The inherent flaws in how passwords are created, managed, and exposed have transformed them into the Achilles' heel of cybersecurity.

Pervasive Problems: Weak, Reused, and Leaked Passwords

Recent studies paint a bleak picture of password hygiene. A Cybernews study on billions of leaked passwords revealed that a staggering 94% are either reused or duplicated across multiple services. Many users opt for "lazy" patterns like "123456" or simple combinations of lowercase letters and digits, making them trivial targets for brute-force and dictionary attacks. Despite decades of cybersecurity education, there has been little to no progress in user behavior, underscoring the urgent need for more robust authentication methods.

Compounding the issue, massive databases of compromised credentials are routinely exposed. For example, consider two recent incidents of massive data leaks:

  - A recent Wired article revealed a mysterious, unsecured database containing 184 million login credentials, including those for major platforms like Google, Apple, Facebook, Microsoft, banks, and even government services. This trove, possibly collected via infostealer malware, offers cybercriminals direct access into accounts, serving as a dream working list for credential stuffing, phishing, and targeted attacks.
  - Cybernews reported a data leak of nearly 16 billion passwords and other credentials from over 30 databases. The article states in part, “This is not just a leak – it’s a blueprint for mass exploitation.”

Even if a company's systems remain unbreached, employees reusing passwords across personal and professional accounts can inadvertently create a critical threat vector, opening the gates for criminals to exploit vulnerabilities and introduce security problems like ransomware.

Employees: The Unintentional Weak Link

The human element remains a significant vulnerability. Employees unknowingly become the weakest link by reusing emails, passwords, and company credentials across various online services. This practice creates a pathway for criminals to infiltrate corporate networks if even one of those external accounts is compromised, leading to devastating consequences such as ransomware attacks that cripple operations.

Building a Protective Barrier: myNetWatchman's 1-2-3 Security Screening Solutions

To counteract these pervasive threats, companies must adopt a multi-layered security approach that proactively addresses credential vulnerabilities. myNetWatchman offers a comprehensive 1-2-3 security screening suite designed to create a protective barrier for companies, their customers, and their employees:

  1. Securing Company Active Directories with AD Audit: The myNetWatchman AD Credential Audit scans internal Active Directory accounts for compromised passwords and credential pairs. Leveraging a repository of over 35 billion compromised credentials, this tool identifies vulnerable accounts within your organization. By detecting and re-securing these exposed credentials, companies can significantly reduce the chances of infiltration by criminals looking to exploit weaknesses through ransomware and other attacks. This proactive auditing helps prevent breaches and strengthens your core network defenses.
  2. Screening Customer Credentials with AllCreds: myNetWatchman AllCreds Compromised Credential Screening proactively screens credentials at login, signup, or password reset against a live data surveillance system containing billions of exposed credential pairs. When a user attempts to authenticate, AllCreds checks if the entered username and password have been compromised. If detected, the system flags them, allowing companies to force password changes or implement step-up authentication. This significantly mitigates the risk of credential stuffing and account takeover attacks, directly reducing financial losses and protecting customer accounts.
  3. Screening Email Addresses with Email Reputation: Recognizing that email, never intended as a robust security channel, is frequently targeted by criminals, myNetWatchman Email Reputation provides critical screening for email addresses. This service checks email validity, synthetic nature, and whether it has been actively used by criminals to gain access to accounts. By making a simple API call, companies can determine if an email address is compromised, when it was accessed, and for what purpose. This enables organizations to head off criminal activity like fraud and account takeover, especially in scenarios involving password resets, sign-in links, or new account sign-ups, by enabling crucial decision points for step-up authentication or flagging high-risk transactions.

By implementing this strategic 1-2-3 security screening, companies can move beyond the inherent weaknesses of passwords, establishing a robust protective barrier that safeguards their operations, customers, and employees from the ever-present threat of cybercrime. The future of online security lies in proactive, intelligent credential management that assumes compromise and builds defenses accordingly.
- The Hidden Vulnerability: How Compromised Credentials Fuel Ransomware and Beyond
In today's interconnected digital landscape, the security of a company's sensitive data is only as strong as its weakest link. While organizations invest heavily in perimeter defenses, a critical vulnerability often lurks within: the exposed email addresses, passwords, and user IDs of employees and third-party vendors. These seemingly small exposures can provide an open door for cybercriminals to unleash devastating ransomware attacks, data breaches, and other malicious activities.

Recent incidents at major retailers like Victoria's Secret and Adidas serve as stark reminders of the far-reaching consequences of security lapses. Victoria’s Secret’s internal corporate systems and customer website were shut down for several days, and Adidas’ customer data was stolen from a third-party vendor. Overlooking the security posture of internal personnel and external partners is a significant threat that many companies fail to adequately address.

The Ripple Effect of Compromised Credentials

Threat actors actively harvest employee credentials from various sources, including previous data breaches, phishing campaigns, and malware infections. myNetWatchman sees millions of attempts every year by bad actors targeting company systems. Once obtained, these credentials become a golden key, allowing attackers to:

  - Gain Initial Access: Compromised credentials provide a legitimate entry point into a company's network, bypassing traditional firewalls and intrusion detection systems. This enables attackers to operate undetected for extended periods.
  - Escalate Privileges: If the compromised account belongs to a privileged user (e.g., an administrator), attackers can rapidly escalate their access, moving deeper into the network and gaining control over critical systems.
  - Lateral Movement: With valid credentials, attackers can move horizontally across a network, accessing various systems and applications without triggering immediate alarms. This allows them to map out the network, identify valuable data, and prepare for their primary objective.
  - Deploy Ransomware: This is often the ultimate goal. Once inside, attackers can deploy ransomware, encrypting critical files and demanding a ransom for their release. The impact can halt operations, cripple productivity, and lead to significant financial losses.
  - Data Exfiltration: Beyond ransomware, compromised credentials can also lead to the theft of sensitive customer, employee, or proprietary business data, resulting in regulatory fines, reputational damage, and loss of competitive advantage.
  - Business Email Compromise (BEC) and Funds Transfer Fraud (FTF): Compromised email accounts, especially those of executives or financial personnel, can be leveraged for sophisticated BEC scams, tricking employees into making fraudulent wire transfers.

The Adidas breach, which originated from a compromise at a third-party customer service provider, highlights the insidious nature of vendor-related risks. Even if a company has robust internal security, its interconnectedness with third parties means that a vulnerability in a vendor's systems can directly impact the company's data and operations. The Victoria's Secret incident led to the company taking down its website and some in-store services. The "security incident" also reportedly locked employees out of email accounts, directly impacting internal operations and implying compromised employee access. These incidents are clear and forceful reminders that the human element and the supply chain are critical attack surfaces that demand constant vigilance.

Proactive Defense: Auditing Credentials for Stronger Security

The good news is that these risks can be significantly mitigated through proactive security measures, particularly a robust auditing strategy for internal employee and third-party vendor credentials. Key aspects of such an audit include:

  - Continuous Monitoring of Compromised Credentials: Regularly scanning for employee and vendor credentials that have appeared in public data breaches or on the dark web.
  - Strong Password Policies and Enforcement: Implementing and enforcing policies that require complex, unique passwords for all accounts, especially those with elevated privileges.
  - Multi-Factor Authentication (MFA): Mandating MFA for all access points, significantly increasing the difficulty for attackers even if they obtain a password.
  - Least Privilege Principle: Ensuring that employees and vendors only have the minimum necessary access rights required to perform their duties. Regular reviews of access permissions are crucial.
  - Regular User Access Reviews: Periodically reviewing and revoking access for inactive accounts or those where privileges are no longer needed.
  - Third-Party Risk Management: Establishing comprehensive vetting processes for all third-party vendors, including assessing their cybersecurity posture, contractual obligations for data security, and ongoing monitoring.
  - Security Awareness Training: Educating employees and vendors about phishing, social engineering tactics, and the importance of strong password hygiene.

Securing Your Digital Gates with myNetWatchman's AD Audit

Understanding the critical role of credential security in preventing ransomware and other attacks, myNetWatchman offers a specialized AD Credential Audit service. This service is designed to help organizations identify and address weaknesses in their Active Directory environment, which is often the central hub for managing user identities and access. myNetWatchman's AD Audit service provides:

  - Comprehensive Scanning: Proactively scans your Active Directory for compromised employee credentials, including emails, passwords, and user IDs that may have been exposed in breaches or are circulating on the dark web.
  - NIST Compliance Checks: Helps ensure your organization's password policies and practices align with the latest NIST (National Institute of Standards and Technology) guidelines for robust cybersecurity.
  - Elevated Privilege Account Monitoring: Identifies accounts with elevated privileges that may be vulnerable to compromise, allowing for targeted remediation efforts.
  - Policy Compliance Verification: Confirms adherence to company security policies regarding credential management, without requiring you to share any Personally Identifiable Information (PII) with myNetWatchman.
  - Real-time Threat Intelligence: Leverages a vast and continuously updated database of compromised credentials to provide real-time insights into potential threats targeting your organization.

By leveraging services like myNetWatchman's AD Audit, businesses can proactively identify and remediate credential-related vulnerabilities, significantly reducing their attack surface and bolstering their defenses against the ever-present threat of ransomware and other devastating cyberattacks. In an era where every credential is a potential entry point, diligent auditing is not just a best practice – it's a necessity for survival.
- Email: More Dangerous than Ever
Most businesses and people assume email is secure. It is not. Every year millions of compromised email accounts are used by fraudsters. Email compromise is an enormous problem that leads to a variety of fraud losses. Among many other things, consumers could have web accounts taken over, or lose travel or loyalty rewards, while businesses can have data stolen or fall prey to ransomware. The following report highlights that the tremendous success fraudsters are having at monetizing compromised emails is a growing concern in cyber insurance claims.

2025 Cyber Claims Report

The 2025 Cyber Claims Report from Coalition sheds light on the evolving landscape of cyber threats, highlighting that business email compromise (BEC) and funds transfer fraud (FTF) have become the most frequent sources of cyber insurance claims. This shift underscores a critical vulnerability that businesses face, primarily through the exploitation of email as a key identifier and communication channel.

According to the Coalition report, a majority of 2024 cyber insurance claims (60%) originated from BEC and FTF incidents. Significantly, 29% of BEC events were found to result in FTF, demonstrating a direct pipeline from email compromise to financial theft. While ransomware claims stabilized and even saw a 3% decrease in frequency and a 7% decrease in severity year-over-year, and average ransom demands dropped by 22% to $1.1 million, BEC claims severity actually increased by 23%. This indicates that BEC, while perhaps less sensational than ransomware, is a highly effective and increasingly impactful method for cybercriminals to target businesses. Even though FTF claims frequency decreased by 2% and severity by 46% year-over-year after an all-time high in 2023, the sheer volume of claims originating from BEC and FTF makes them a primary concern.
While the Coalition report primarily focuses on BEC and FTF from a business insurance claims perspective, it's crucial to understand that consumers are not immune to email compromise, which can then fuel these same types of fraud. Email is widely used as a key unique identifier for customers and is often assumed to be secure, but it is explicitly NOT a secure verification or communication channel. Fraudsters actively target and compromise millions of personal email accounts, gaining access to sensitive information or the ability to impersonate individuals. When a consumer's email is compromised (CEC), it opens up avenues for criminals to initiate account takeover (ATO) fraud, as seen with the top U.S. brokerage that identified over $700,000 in ATO fraud attempts via a malicious actor's access to customers' email. This demonstrates how compromised consumer emails can directly lead to financial theft, exponentially increasing the pool of vulnerable targets and the complexity of the fraud landscape for both individuals and businesses.

See the Threat Before It Becomes a Problem

Addressing this pervasive threat, myNetWatchman offers solutions designed to secure email channels, which are frequently exploited in BEC and FTF scenarios. Our Email Reputation solution provides an easy-to-use API that reveals the likelihood of an email address being "created-for-fraud" or whether criminals have access to the email box, specifying when the access occurred and what they were seeking.

Companies can leverage myNetWatchman's Email Reputation at various critical points to prevent fraud:
  - At Account Creation: To verify if an email is legitimate, synthetic, or already compromised.
  - At Login with email 2FA or password changes: To confirm an email's integrity before allowing sensitive actions like password resets or new account sign-ups, protecting trusted accounts from malicious actors.
  - When a Sensitive Transaction is Initiated: To confirm end-user authentication on large transactions and validate high-risk accounts, which is vital during breach investigations.

myNetWatchman's effectiveness is underpinned by its vast proprietary data repository, which contains over 35 billion compromised credential pairs, including emails and passwords. We continuously update this database by monitoring live, bad actor traffic, adding 15 million new credentials and 150 thousand compromised email addresses daily that criminals are actively using. This allows mNW to proactively identify compromised accounts and prevent them from being used in fraudulent activities. By identifying and flagging compromised emails before they can be used to initiate CEC, BEC or FTF, myNetWatchman directly tackles the very vulnerabilities highlighted by the Coalition report, offering a vital preventative layer against these prevalent and costly cyber threats.

For more information on myNetWatchman’s Email Reputation service, click here.
- From Boasting to Breach: The Escalating Risk of Your Online Life
Imagine Johnny, an AI expert, famous for his globetrotting talks, boasting about racking up over a million Delta miles. Unbeknownst to him, in his audience sits Billy, a tech guru with a less-than-ethical focus – stealing travel loyalty points to sell discounted travel. Billy spots Johnny as a potentially "ripe target" for acquiring real points.

Billy's initial challenge is accessing Johnny's Delta account without knowing his email or password. At this stage, the odds of success are astronomically low, estimated at 1 in 100 billion. Billy, however, collects vast amounts of breach data, compiling a list of over a billion known breached credentials. He could try automating password guesses using this list, but Delta's systems would likely stop him before he got anywhere.

The first critical turn occurs when Billy simply approaches Johnny, expressing interest in a consulting gig and asking for his email. Johnny, unsuspecting, provides it. Now, with Johnny's email address, Billy's odds of taking over the account, even by trying random passwords, improve significantly to 1 in 100 million.

But Johnny is still relatively safe, right? "Not even close." Billy immediately checks Johnny's email on services like haveibeenpwned and finds it has been in breaches, which is common for addresses used over time. Knowing the email is in a breach instantly improves the odds to 1 in 10 million because a staggering 70% of people reuse passwords.

To zero in, Billy uses tools like Malwarebytes to list the specific breaches Johnny's email was involved in. He then ventures onto the dark web, trading data and scouring bulletin boards to acquire the datasets from those identified breaches. Within a day, Billy compiles a list of username and password combinations linked to Johnny's email from these dark web sources. Using this tailored list to try logging into Delta, the odds of compromise shoot up dramatically to 1 in 100.
The story reaches its inevitable conclusion when Billy discovers that one of the breach datasets was from American Airlines, dating back three years. Crucially, Johnny used the same password for all his airline accounts and never changed it. With Johnny's username (his email) and a known, reused password from a breach, the odds of Billy compromising the account become 100%. Billy successfully takes over Johnny's Delta account.

This tale perfectly illustrates a critical theme: compromises have different types, and the risk associated with each type varies significantly. As Johnny's story shows, the likelihood and severity of compromise escalate dramatically based on the information a bad actor possesses:
  - Being compromised randomly by bad actor activity is low risk.
  - Being in an old data breach (over 2 years) carries more risk.
  - Being in a recent data breach is riskier still.
  - Being targeted by a bad actor who knows your email increases risk.
  - Even higher risk is when a bad actor knows your email and has found your password in a known compromise list, especially if you reuse passwords.
  - Knowing your specific email and password combination represents a very high risk.
  - The highest risk described is when a bad actor knows your username and password and has compromised your email.

For businesses, understanding these different types and their inherent risks is paramount. Crucially, not all screening methods for credentials are equal, and security actions must match the type and risk level. Applying overly strict security measures designed for high-risk situations (like Billy knowing Johnny's reused password) to a low-risk situation (like someone being in an old breach) creates false positives and unnecessary friction for legitimate users. By tailoring authentication requirements to the risk level, businesses can ensure low-risk users have a smooth experience while applying strong security measures only when truly needed.
This balanced approach improves user satisfaction and effectively safeguards sensitive information, preventing your customers from becoming the next Johnny.
- myNetWatchman Welcomes Madhura Belani as Chief Product Officer
Belani to Drive Innovation in ATO Prevention and Enhanced Cybersecurity

myNetWatchman, a leader in real-time compromised credential monitoring and account takeover (ATO) prevention, is delighted to announce the appointment of Madhura Belani as Chief Product Officer. This strategic addition to the leadership team underscores myNetWatchman’s unwavering commitment to advancing cybersecurity solutions for digital businesses.

Madhura is a seasoned executive with extensive leadership experience in payments, fraud prevention, and identity management. She has a proven track record of launching and scaling category-defining products, implementing successful go-to-market strategies, and forging strategic partnerships to drive sustainable growth. Her career journey includes distinguished leadership roles at global giants such as PayPal and Visa, as well as dynamic startups like Speedpay, Offerpal, and Danal, providing her with the unique ability to thrive in organizations at various stages of product maturity.

During her tenure at Visa, Madhura led the development of Buy Now, Pay Later (BNPL) APIs, successfully launching a partner program across six countries and onboarding industry leaders. As the founding Chief Product Officer at Danal, she spearheaded the creation and scaling of a mobile identity product, a key achievement that paved the way for its acquisition by Boku. Prior to these roles, Belani held Product Management positions at Tapjoy and PayPal, further honing her expertise in product innovation.

“I’m thrilled to join myNetWatchman and contribute to its mission of enhancing cybersecurity and detecting and disrupting fraud,” Madhura said.

With Madhura's leadership, myNetWatchman aims to further strengthen its position as a trusted partner for industries facing high ATO risks, such as travel, e-commerce, and financial services, empowering clients to stay ahead of bad actors through real-time intelligence.

“The experience Madhura adds to our team will help us move faster and scale our efforts to protect businesses and their customers from ATO and other fraudulent events,” said David Montague, CEO of myNetWatchman. “I’m really excited to have her as part of our executive staff and leading myNetWatchman’s product development.”

Madhura holds an MBA from Duke University’s Fuqua School of Business and a Bachelor of Engineering in Electronics and Telecommunications from the College of Engineering Pune (COEP), Pune University, India.

About myNetWatchman

myNetWatchman provides real-time intelligence to help organizations detect cybersecurity threats, specializing in real-time monitoring of compromised credentials and bad actor behavior to prevent ATO and other fraudulent activities.
- From Inbox to Outbreak: The BEC and FTF Epidemic
According to cyber-insurance claims data from Coalition’s 2025 Cyber Claims Report, Business Email Compromise (BEC) attacks and Fund Transfer Fraud (FTF) accounted for a staggering 60% of all claims in 2024. These email-based attacks have been the bulk of claims for organizations over the past three years. The financial impact is significant: BEC incidents cost organizations, on average, $35,000. Furthermore, 29% of BEC attacks also led to FTF incidents, with an even higher average loss of $106,000. FTF events frequently occur through social engineering or directly result from a BEC event, where attackers impersonate trusted parties to trick employees into making unauthorized wire transfers.

Email is the lifeblood of modern business communication, but it can also be a significant vulnerability. BEC and FTF continue to pose major threats, costing businesses vast sums every year. While large-scale breaches often grab headlines, sometimes vigilance in a single transaction can prevent considerable loss.

Consider the story of a friend, a banker at a large regional bank. A customer, a landscaper, came in to finalize the purchase of a much-needed large truck for their growing business. The final step was a $50,000 wire transfer to the truck dealership. Wire transfers are a common, fast, and generally reliable method for moving large sums, often used for major purchases like vehicles.

As part of the standard procedure for wire transfers, the banker asked the customer how they received the dealership's bank details. The customer showed an email from their contact at the dealership. This raised a slight concern for the banker, leading to the crucial next question: "Did you call the dealership to confirm the banking details?" Fortunately, the customer was happy to make the call right then, putting the phone on speaker.

When they spoke to the truck dealer, the landscaper mentioned the $50,000 transfer and double-checking the bank account information from the email.
The dealer's response was immediate and distressed: "No, no. Oh, no. That’s not our information at all. I never sent you that email." It became clear that a bad actor had compromised the dealership's email account. They sent a legitimate-looking email with fake bank details, hoping the landscaper would unknowingly wire the $50,000 to the fraudster instead of the dealer.

Thanks to the banker's diligence, both the landscaper and the dealer were saved from losing $50,000. The grateful landscaper exclaimed, "You just saved me $50,000, AND a claim on my cyberfraud insurance."

While the frequency of FTF claims dropped slightly, the severity of BEC claims saw a significant 23% increase, particularly in the latter half of 2024. This spike in BEC severity was partly due to increased costs associated with legal expenses, incident response, data mining, and other mitigation and recovery efforts.

This near-miss, thankfully averted by a vigilant banker, serves as a reminder that while email remains essential, it's also a prime target for malicious actors. The rising tide and severity of BEC and FTF attacks, accounting for a staggering 60% of cyber insurance claims, underscore the need for proactive defense.

So, what can organizations do to shield themselves from these costly threats? First, implement routine credential screening to ensure your employees and consumers aren't compromised. Furthermore, before processing significant financial transactions or allowing critical account changes, verify the legitimacy of the involved email accounts. While robust security measures like employee training and multi-factor authentication form a strong foundation, layering in checks specifically around large transactions and email compromise can provide an extra line of defense, potentially saving your organization from substantial financial losses and the headache of a cyber insurance claim.
Read more about our solutions for Email Reputation, ATO Threat Monitoring, and AD Credential Audit.
- Verizon Report: Proactive Credential Screening - Your First Line of Cyber Defense
The cybersecurity landscape is currently facing unprecedented challenges, marked by an alarming surge in sophisticated attacks. Businesses are falling behind in robust, proactive defense strategies and real-time intelligence to effectively combat these evolving threats, creating a perfect storm for criminals. As highlighted in the most recent Verizon report, a critical element in this increasingly challenging environment is the pervasive threat of compromised credentials.

Verizon's 2025 Data Breach Investigations Report (DBIR)

Credential abuse (22%) and exploitation of vulnerabilities (20%) continue to be the leading initial attack vectors. The report analyzed over 22,000 security incidents, including 12,195 confirmed data breaches, underscoring the critical need for enhanced security measures focused on these areas. The human element remains a significant factor, with a substantial overlap noted between social engineering and credential abuse.

Furthermore, the DBIR highlights concerning trends such as the doubling of third-party (like a vendor, supplier, etc.) involvement in breaches to 30%, emphasizing the risks associated with supply chains and partner ecosystems, and a 34% surge in the exploitation of vulnerabilities. Compromised credentials and exploited vulnerabilities serve as primary pathways for various malicious activities, including Account Takeover (ATO), ransomware, and other forms of online fraud.

Account Takeover (ATO) as a Major Threat

Account Takeover is repeatedly emphasized as a significant risk. Criminals leverage stolen email addresses, user IDs, and passwords to take control of legitimate user accounts, leading to fraud events.

Ransomware and Other Fraud Losses

Ransomware attacks have seen a significant rise of 37% since last year and are now present in 44% of breaches.
For small and medium-sized businesses (SMBs) that may lack proper IT and cybersecurity maturity, the impact is disproportionate, with ransomware appearing in 88% of their breaches. Compromised credentials often provide attackers with the initial access needed to deploy ransomware. Beyond ransomware and ATO, the use of stolen credentials facilitates various other online fraud activities.

What Can be Done? - The Power of Proactive Credential Screening

myNetWatchman (mNW) has a long history of tackling the risk of compromised credentials. Our proactive credential screening process involves evaluating credentials for potential compromise at various points, including login, signup, and account reset.

Proactive Screening Consists of Two Key Elements. First, by continuously collecting data on compromised credentials from sources like the darknet, phishing attacks, and malware-infected devices, we capture fraudsters' live use. This "inline real-time credential screening," or proactive screening, integrates directly into customer credential processes—signup, account reset, or login—to proactively prevent the use of credentials already known to be in criminal possession.

Second, a vast dataset is crucial for proactive credential screening. This dataset should extend beyond basic breach information and password lists to include userID/password and email/password combinations. Such comprehensive data provides deeper insights into potential account-related risks.

Such proactive screening and monitoring services offer a comprehensive approach to combating threats:
  - Stopping Account Takeover: By identifying and preventing the use of compromised credentials at login or signup, ATO attempts can be significantly reduced. Solutions can also monitor company domains and users to alert organizations to attack activity and compromised accounts.
  - Preventing Credential Stuffing: Proactive screening helps identify users attempting to log in using credential pairs known to be compromised, preventing credential stuffing attacks. Compromised Credential Pentests can also assess a site's vulnerability to credential stuffing.
  - Detecting Compromised Users and Employees: Solutions can detect if customers' email accounts, used for actions like account creation or reset, have been compromised. Scanning employee credentials for compromised passwords helps ensure compliance and identifies employees using credentials known to be compromised, uncovering threats in Active Directory.
  - Mitigating Ransomware and Fraud: By preventing initial access often gained via compromised credentials, proactive screening can help reduce the risk of ransomware and other online fraud.
  - Breach Response: When a breach is suspected, these services can help determine its extent and identify which credentials were used or previously exposed.

Part of a Multi-Layered Defense

Experts emphasize the need for a multi-layered defense strategy, including strong password policies, timely patching of vulnerabilities, and comprehensive security awareness training. Proactive credential screening is a crucial component of this strategy, complementing other security measures by directly addressing one of the leading initial attack vectors.

The findings from sources like the Verizon DBIR underscore that compromised credentials are a persistent and growing threat enabling ATO, ransomware, and widespread online fraud. myNetWatchman’s proactive approach to credential screening, leveraging real-time intelligence and comprehensive data, is no longer optional but a necessary investment for businesses seeking to safeguard their assets, protect customers, and ensure resilience in today's challenging digital world.