One in five American adults who have encountered online scams have ended up falling for one of them and losing money, according to a Consumer Reports survey out today.

Why it matters: Scams are now a normal part of nearly everyone's online experience — and new AI tools are already making them easier to believe and fall for.

By the numbers: Overall, 46% of American adults said they've encountered a scam or cyberattack, according to the report from Consumer Reports, Aspen Digital and the Global Cyber Alliance released today.

• Black and Hispanic Americans were more likely to lose money: one-third of Black respondents and 30% of Hispanics said they lost money to a scam, compared with 13% of white Americans.
• Consumer Reports fielded part of the report in a survey conducted in April among 2,042 U.S. adults.

Zoom in: About half of the scam attempts Americans experienced started via email (30%) or on social media (23%).

• One in five started through a text message or messaging apps like WhatsApp or iMessage.
• 22% of those who experienced a scam said their social media account was hacked, and 11% said a scammer hacked their email.
• 27% said a scammer impersonated their bank or credit card company; another 27% said the scammers pretended to be tech support.

The big picture: People are being bombarded by scammers looking to make a quick buck, especially on social media.

• 67% of people said they've received a friend request on social media from someone they don't know, and nearly half said they've received potentially scammy messages on social media.

The other side: A separate Consumer Reports survey conducted in May found that 80% of U.S. adults use some sort of multifactor authentication, up from 76% in last year's survey.

• 83% have used text-based login codes, although many security experts warn those can be easily intercepted.
• 54% use a separate app to get the code, like Google Authenticator.
• 25% have confirmed their identity using their voice over a phone call.

Between the lines: New AI tools can make it easier for even more Americans to be scammed.

• Hackers are using chatbots to perfect the language in their phishing emails so they're harder to detect.
• New AI tools can help scammers create a complete clone of someone's voice or likeliness.

Threat level: Consumers reported losing more than $10 billion to fraud in 2023, a 14% increase from the year before, according to the Federal Trade Commission.

• Someone needs to be distracted for only a brief moment to be tricked into falling for a phishing email, especially one that looks real or seems to come from a legitimate email address.

The bottom line: Consumer Reports recommended that people switch to app-based multifactor authentication tools or use a physical security key — which will add another layer of protection to their accounts.

• The organization also called on social media companies and email vendors to dedicate more staff to help people regain access to their accounts after they've been hacked.

Kevin Mandia is joining the board of managed security startup Expel, the company first tells Axios.

Why it matters: Mandia is a powerhouse name in cybersecurity, having founded now-Google-owned Mandiant.

• His support will help Expel stand out in the crowded cybersecurity startup market.

Zoom in: Mandia, who is also a general partner at Ballistic Ventures, is joining Expel's board as an independent director.

• Founded in 2016, Expel provides managed cybersecurity services to a range of companies, including in the aviation, entertainment, legal, health care and consumer brand markets.
• The company has roughly 450 employees and reached $100 million in annual recurring revenue last year, and Expel CEO David Merkel told Axios he tapped Mandia to come aboard to help them bring that metric to $500 million.

The big picture: Expel is up against an increasingly competitive market.

• Several startups and large cyber vendors are in the managed security space, which basically provides an outsourced cyber team that companies can rely on to monitor their security tools and threat alerts.
• Competitors include major players like SentinelOne and Sophos.

Between the lines: This competition is precisely why Merkel asked Mandia, a longtime friend of his, to join the board.

• Expel has "performed extremely well" with early adopters, or companies that have the resources to invest in advanced cybersecurity rather than the bare basics, Merkel said.
• "But not every company can be an early adopter; that's not their business and that's not their model," he said. "We need to meet them where they are and make sure we're relevant to their problems."

Flashback: Mandia and Merkel have known each other for roughly 30 years and first met when they were in the Air Force.

• Mandia also brought on Merkel to help build out Mandiant's managed cybersecurity service offering.

The intrigue: Customer satisfaction and referrals are how the best cybersecurity companies will survive, Mandia told Axios.

• "For security-aware buyers, best of breed probably wins a lot [of the time]," he said.

What's next: Merkel is keeping all options for the company on the table, including the possibility of going public.

A new set of critical security flaws in Linux operating systems may not be as critical as previously believed.

Why it matters: The new bugs, when taken together, could give an attacker the ability to remotely execute commands on vulnerable Linux systems.

• Linux is a popular open-source operating system used by everyone from software developers to major corporations.

State of play: Researcher Simone Margaritelli discovered a chain of flaws in Linux last week that could allow hackers to install a new printer and execute code whenever they successfully "print" something from the new device.

• At least one of those flaws was given a 9.9 out of 10 severity score.
• Several cybersecurity firms, including Censys and Aqua Security, have written their own analyses of the bugs.

Threat level: Some experts have called into question the rationale for such a high severity score.

• Not all Linux systems are vulnerable to the flaws.
• And an attack would require hackers to bypass a firewall, which would alert the organization and block any new remote connections like these.

Yes, but: These conditions haven't stopped hackers from scanning the internet for vulnerable devices to target, Risky Business reported yesterday.

• At least 75,000 systems are running the affected Linux printing system, according to the report.

The bottom line: Fixes are already available to solve the new set of flaws, and network administrators are advised to update any affected systems as soon as possible.

@ D.C.

🚔 The Justice Department has charged three men with carrying out Iran's hack-and-leak attack against former President Donald Trump's re-election campaign. (Washington Post)

🗳️ Senate Intelligence Chair Mark Warner (D-Va.) is urging the Cybersecurity and Infrastructure Security Agency to ramp up its efforts to help state and local governments detect and respond to online disinformation campaigns. (NBC News)

🚀 NASA has bought Clearview AI's controversial facial recognition tech, according to a government procurement contract. (404 Media)

@ Industry

👀 Proofpoint is considering potential strategic mergers and acquisitions and plotting a possible return to the public markets in the next 12 to 18 months. (CNBC)

💰 T-Mobile has agreed to pay a $15.75 million civil penalty to settle the Federal Communications Commission's investigation into data breaches at the company. (Reuters)

🍎 E-learning platform Udemy gave instructors only a small window to opt out of having their materials used to train AI models — and many of those instructors didn't even know it was happening. (404 Media)

@ Hackers and hacks

💔 Operations running pig-butchering scams (aka romance scams) are proliferating around the world, building beyond their Southeast Asian roots. (Wired)

🇮🇷 A deep dive into the ways Russia's Doppelganger network created and spread fake news stories, based on FBI affidavits and other research. (Foreign Affairs)

📕 The Codebook Book Club is officially kicking off this month! Yay!

• Our first pick is "Sandworm" by Wired reporter Andy Greenberg.

Why it matters: The book, released in 2019, details the NotPetya malware incident — in which Russian hackers ended up infecting hundreds of companies around the world with ransomware.

• It was one of the first major incidents to highlight how vulnerable the world's biggest companies are and was a turning point in our understanding of what cyber warfare can actually look like.
• Here's an excerpt in case you're curious or haven't read it yet.

What's next: Watch this space!

• If you're reading along with us, I'll share a few of my own thoughts and ask a few discussion questions throughout the month.
• Based on interest, we might even start an online discussion forum where we can all hang out and chat.

What we're watching: Your recommendations for the next book club pick!

• Just reply to this email with your thoughts.