Axios Future of Cybersecurity

June 24, 2025
Happy Tuesday! Welcome back to Future of Cybersecurity.
✈️ I'm heading to D.C. this week to interview Rep. Eric Swalwell (D-Calif.) and former Rep. Will Hurd (R-Texas) at our evening reception about AI-enabled fraud and cyber crime.
- 🗓️ RSVP here to join us — and please send good vibes so my bangs survive the swamp-like heat wave 🥵.
📬 Have other thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,840 words, a 7-minute read.
1 big thing: How fraudsters are duping job applicants
When Sally (not her real name) thought she'd landed a job at ID verification company Socure after months of searching, she was thrilled.
- The only problem: The job wasn't real, and she had just lost nearly $8,000 to fraudsters.
Why it matters: Sally's case isn't unusual. Last year, the Federal Trade Commission received about 105,000 reports of job scams and employment agency impersonations — nearly triple the 38,000 reports in 2020.
- Victims reported losing a combined $501 million in 2024 to these scams, up from $90 million in 2020.
Driving the news: Today, Socure is publicly sharing details of the weeks-long impersonation scam that Sally reported earlier this year. The blog post was first shared with Axios.
How it works: Sally was strung along through emails, phone calls and video interviews into believing she'd been hired as an executive assistant.
- She found the role on a legitimate job board, and it was a real position Socure was hiring for. But scammers had posted their own duplicate listing to ensnare victims like her.
- Once Sally applied, she was contacted via Microsoft Teams under the name of a real Socure HR employee. The email came from a convincing @socure.team domain.
- After a video call with a fake hiring manager, Sally received a job offer, including a forged appointment memo.
The big picture: Hindsight is 20-20 when it comes to scams, but they're easy to fall for when a victim is overextended or desperate to find employment, Rivka Gewirtz Little, Socure's chief growth officer, told Axios.
- The prime targets are typically fresh college grads or mid-career applicants returning to the workforce after a few years away.
- But now, that pool of potential targets is growing as U.S. workers continue to navigate a tense job market.
What they're saying: "Really smart people become victims of these attacks," Little said. "We fool ourselves into thinking that it wouldn't happen to me."
- "This victim was really smart, really capable and had a really good, amazing employment background," she added.
The intrigue: The scammers also asked Sally to purchase an Apple gift card — another tell of a scam — and sent her a digitally manipulated check to make the purchase.
- At first, the check appeared to have been successfully deposited in Sally's account, so she went to her closest Apple Store and purchased roughly $5,000 worth of gift cards. She then sent the gift card codes to the scammers so they could use them.
- The next day, the scammers sent another check and asked her to go back to the Apple Store. But an employee who remembered her intervened and warned she might be getting scammed.
- Soon after, Sally's credit union confirmed both checks had been returned.
- That's when she reached out to Socure's actual HR team about the scheme, as well as the FBI, the Consumer Financial Protection Bureau, the Federal Trade Commission, and the Nevada Secretary of State, since the checks originated in Nevada.
Yes, but: Some of the messages Sally received included classic signs of a scam, including poor grammar and awkward conversations.
- At one point, the purported HR representative asked Sally if she had slept well the night before.
- During the Teams call about the position, the fake hiring manager who interviewed Sally kept his camera off and asked several questions that didn't appear relevant to the position.
Between the lines: While investigating the case, Little tested popular job boards and found she could post fake listings with little to no verification.
- "It's just way too easy to get in," Little said. "These folks really need controls."
The bottom line: After investigating this report, Socure received a similar report from someone else who had experienced the same scam.
- Since then, the company has published its actual hiring practices on its website and is listing jobs only on sites that verify the employers' identities.
- The company has also set up alerts for any new job listing that purports to come from Socure.
2. Cyber threats loom after U.S. strikes on Iran
In the wake of U.S. strikes on Iranian nuclear facilities, the Department of Homeland Security is warning that Iran and pro-Iranian hacktivist groups are likely to retaliate in cyberspace.
Why it matters: Even outside of active conflict, Iran and its affiliates have repeatedly targeted U.S. critical infrastructure — including water systems and oil and gas operators — with disruptive cyberattacks.
Driving the news: DHS issued an alert Sunday warning that both state-backed hackers and hacktivists "routinely target poorly secured U.S. networks and Internet-connected devices for disruptive cyberattacks."
- U.S. cybersecurity officials have been urging critical infrastructure operators to bolster their defenses amid a week of escalating regional tensions.
- At a Sunday press briefing, Pentagon officials confirmed that U.S. Cyber Command had supported the weekend's military operations.
The big picture: Cyberattacks have become a key front in Israel's shadow war with Iran over the past 10 days.
- Last week, pro-Israel hackers claimed credit for shutting down a major Iranian bank and stealing millions from an Iranian cryptocurrency exchange.
- Israel has also been on the receiving end of some cyber aggression, including disinformation campaigns and distributed denial-of-service (DDoS) attacks, according to Gil Messing, chief of staff at Israeli cybersecurity firm Check Point Software.
Yes, but: Iranian hackers, while capable, are also known to inflate their impact, said John Hultquist, chief analyst at Google's Threat Intelligence Group.
- "We should be careful not to overestimate these incidents and inadvertently assist the actors," he said. "The impacts may still be very serious for individual enterprises, which can prepare by taking many of the same steps they would to prevent ransomware."
What to watch: In a LinkedIn post, former CISA director Jen Easterly urged U.S. critical infrastructure owners and operators to remain "vigilant" for potential cyber retaliation.
- "While it's unclear whether its cyber capabilities were at all impacted by recent Israeli strikes, Iran has a track record of retaliatory cyber operations targeting civilian infrastructure, including: water systems; financial institutions; energy pipelines; government networks; and more," she wrote.
3. Negotiating with ransomware gangs is working
Approximately half of the companies that paid a ransom to hackers last year ended up paying less than the criminals originally asked for, according to new Sophos data.
Why it matters: That's good news for companies worried about devastating losses from data-encrypting ransomware attacks.
The big picture: Even if hackers are getting paid less, they're still getting paid.
- Half of the 3,400 IT and cybersecurity leaders surveyed — all of whom faced ransomware attacks in the last year — said their companies paid hackers a ransom.
Yes, but: Law enforcement and security experts warn that paying hackers could further embolden them.
- It's also not a guarantee that hackers will follow through with their promises to decrypt systems or delete stolen data.
By the numbers: 53% of ransomware victims said their companies ultimately ended up paying less than the initial asking price.
- The median ransom demand dropped by one-third to about $1.3 million last year, down from $2 million the previous year.
- Meanwhile, the median ransom payment was cut in half in the last year, according to the data. Companies paid a median of $1 million, down from $2 million.
- Organizations bringing in more than $5 billion in annual revenue faced steeper price tags: Their average ransom demand was about $5.5 million.
Between the lines: Of the companies that paid less, 47% said they did so by actively negotiating with the hackers.
- Another 45% said the attackers also reduced their demands due to external pressures, such as law enforcement actions and bad press.
The intrigue: The percentage of companies that recovered from a ransomware attack after just one week grew to 53%, up from 35% in the previous year's data.
4. John Deere invites students to hack tractors
Twenty-five students from around the world spent last week breaking into John Deere's tractors — with the company's full blessing.
Why it matters: Few companies open up their devices to this kind of global hackathon. But John Deere's bet is that doing so will help the entire agriculture industry stay ahead of malicious hackers.
Zoom in: The fourth annual Cybersecurity Challenge, held at Iowa State University, brought together students to break into John Deere's equipment and look for vulnerabilities.
- The event — which is now run through a nonprofit John Deere helped establish in 2023 — covers students' travel, lodging and meals.
- But the hacking didn't start right away: For the first two days, John Deere engineers and Iowa State professors led technical workshops on various protocols and hacking tactics.
- The rest of the week was hands-on as students tested exploits on live machinery from John Deere and industry partner CNH Industrial.
Reality check: DEF CON presented what they called a "tractorload" of vulnerabilities across agriculture tech — including John Deere's products.
- Historically, the company has aggressively fought against the right for U.S. customers to repair their own equipment and has been slow to embrace security researchers' findings.
- The company did launch its own bug bounty program in 2022 and worked in good faith with DEF CON presenters.
The big picture: The challenge is now also about talent development for the broader agricultural sector, James Johnson, chief information security officer at John Deere, told Axios.
- "Security is part of the quality equation," Johnson said. "Our customers can't afford downtime during planting or harvest."
What's next: After final presentations, John Deere's and CNH Industrial's security teams will review the students' findings. The organizers declined to share the findings with Axios.
- If anything critical surfaces, the company will prioritize a patch and push it to affected machines.
- Students are also encouraged to stay engaged through John Deere's bug bounty program.
Editor's note: This story was updated to reflect that John Deere did not launch its bug bounty program in response to research presented at DEF CON.
5. Catch up quick
@ D.C.
❌ The White House has rejected the Pentagon's pick to lead the U.S. Cyber Command and National Security Agency. (Politico)
🔍 The FCC is investigating the Cyber Trust Mark program over chairman Brendan Carr's concerns that the company contracted to manage the program has "potentially concerning ties to the government of China." (PCMag)
🇨🇳 A U.S. official says DeepSeek has been sharing user data with the Chinese government and helping Beijing create shell companies in Southeast Asia to evade American chip sanctions. (Reuters)
@ Industry
🧐 New research from Anthropic finds that large language models are increasingly willing to evade safeguards, deceive users, and try to steal corporate secrets. (Axios)
🤫 Cloudflare, CrowdStrike and Ping Identity have quietly ended a program that started at the beginning of the Russian invasion of Ukraine and offered free services to vulnerable critical infrastructure sectors. (Nextgov)
🤖 Xbow — a year-old startup that operates an AI hacking tool that's topped the HackerOne leaderboard for weeks — has raised $75 million in new funding led by Altimeter Capital. (Bloomberg)
@ Hackers and hacks
🪿 Aflac is investigating a recent cyberattack that bears the trademarks of cybercriminal group Scattered Spider. (Axios)
☎️ Hackers are increasingly targeting outsourced call centers that U.S. companies rely on for tech support and other needs. (Wall Street Journal)
💡 So, about that viral report that 16 billion passwords were leaked on the dark web? It's likely just a database of previously leaked, possibly old passwords. (Axios)
6. 1 fun thing
🏝️ If you're following along (and caught up) with "Love Island USA" this year, I have thoughts and I need to talk about them. Hit reply and let's chat!
☀️ See y'all next week!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.





