
The Return of Identity Theft: In the Age of Phishing and BEC
Date: Apr 24, 2025
Author: Thomas Langthaler
Everyone’s talking about ransomware. Sure: encrypted data, ransom demands, PR disasters – that screams for attention. But while we stare at the skull on the front page, a once-familiar threat is quietly reclaiming center stage in the cyber threat landscape: identity theft.
Attackers now operate with surgical precision and a toolkit full of camouflage, and we are witnessing a renaissance of account compromise, business email compromise (BEC), and credential phishing. Particularly insidious: attackers are increasingly targeting High Net Worth Individuals (HNWIs) and prominent IT figures – such as Troy Hunt, the founder of “Have I Been Pwned.”
The Troy Hunt Incident – Hitting the Sheriff
Troy Hunt is no lightweight. As a security researcher, Microsoft Regional Director, and founder of “haveibeenpwned.com,” he’s one of the most internationally recognized experts in data breach and password security. Yet recently, he reported that his Mailchimp account had been compromised. The attackers gained access to his mailing lists – a valuable trove of email addresses belonging to individuals who trust his work. To his credit, Hunt proactively and transparently informed those affected – a textbook case in professional crisis communication.
Even someone of Hunt’s caliber falling victim to such a targeted attack reveals the deeper truth: this is no longer about technical exploits alone. It’s about social engineering – the psychology of deception.
(Source: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/)
Target: Email. Weapon: Trust.
The attackers’ preferred battlefield? The inbox. No surprise – with access to a compromised email account, doors open to financial transactions, sensitive data, and, in corporate settings, entire infrastructures.
The classic: Business Email Compromise (BEC). Legitimate accounts – often those of executives or finance departments – are hijacked to send fraudulent payment instructions. The damages are staggering. According to the FBI’s Internet Crime Report 2023, BEC alone caused over USD 2.7 billion in damages in the U.S. (Source: https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf)
The Invisible Threats
Why the comeback? Identity theft is quiet. And efficient. Multi-factor authentication (MFA) helps, but doesn’t eliminate the risk. These attacks scale – and they work.
Because when an email looks like it’s from the CEO, signs off like the CEO, and replies like the CEO – who questions it?
The Door Is Ajar: MFA Is Necessary, But Not Sufficient
MFA is no silver bullet. As shown in the April 2025 report from IKDOK, even accounts with active MFA can be compromised – like the official X account of the Czech Prime Minister.
Phishing, MFA fatigue, MFA bombing, SIM swapping – there are plenty of ways to undermine that second factor.[1] Anyone still relying solely on SMS or TOTP, without FIDO2, secure push notifications, and device binding, is leaving themselves exposed.
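MFA fatigue and MFA bombing leave a recognisable trace in sign-in logs: a burst of push prompts for one user, mostly denied, sometimes ending in a single approval. The following Python script is an added example written for this article; it is not code from the original post or from CERTAINITY. It assumes a simplified log format ("timestamp user event" with the constructed event names PUSH_SENT, PUSH_DENIED and PUSH_APPROVED) and an illustrative threshold of five prompts in ten minutes; a real identity provider exports different field names, and the threshold should be tuned to your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not taken from any real IdP). Assumed format:
# "<ISO-8601 UTC timestamp> <user> <event>", event in PUSH_SENT / PUSH_DENIED / PUSH_APPROVED.
# alice: seven prompts in six minutes, six denials, then one approval (fatigue succeeded).
# bob:   normal usage, two prompts hours apart.
# carol: five prompts in eight minutes, all denied (attempt in progress, user held out).
SAMPLE_LOG = """\
2025-04-24T02:14:01Z alice PUSH_SENT
2025-04-24T02:14:09Z alice PUSH_DENIED
2025-04-24T02:14:30Z alice PUSH_SENT
2025-04-24T02:14:41Z alice PUSH_DENIED
2025-04-24T02:15:02Z alice PUSH_SENT
2025-04-24T02:15:15Z alice PUSH_DENIED
2025-04-24T02:15:40Z alice PUSH_SENT
2025-04-24T02:15:52Z alice PUSH_DENIED
2025-04-24T02:16:20Z alice PUSH_SENT
2025-04-24T02:16:33Z alice PUSH_DENIED
2025-04-24T02:17:05Z alice PUSH_SENT
2025-04-24T02:17:20Z alice PUSH_DENIED
2025-04-24T02:19:48Z alice PUSH_SENT
2025-04-24T02:19:55Z alice PUSH_APPROVED
2025-04-24T08:30:10Z bob PUSH_SENT
2025-04-24T08:30:18Z bob PUSH_APPROVED
2025-04-24T13:05:00Z bob PUSH_SENT
2025-04-24T13:05:07Z bob PUSH_APPROVED
2025-04-24T22:40:00Z carol PUSH_SENT
2025-04-24T22:40:12Z carol PUSH_DENIED
2025-04-24T22:41:30Z carol PUSH_SENT
2025-04-24T22:41:40Z carol PUSH_DENIED
2025-04-24T22:43:05Z carol PUSH_SENT
2025-04-24T22:43:14Z carol PUSH_DENIED
2025-04-24T22:45:00Z carol PUSH_SENT
2025-04-24T22:45:09Z carol PUSH_DENIED
2025-04-24T22:47:30Z carol PUSH_SENT
2025-04-24T22:47:41Z carol PUSH_DENIED
"""


def parse_events(text):
    """Parse the assumed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: alert} for each user who received at least `threshold`
    push prompts within any period of length `window`.

    An approval at or after the start of that burst is the pattern the article's
    footnote describes (the user gave in), so it is rated higher than a burst
    that was denied throughout."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))

    alerts = {}
    for user, evs in by_user.items():
        sent = [ts for ts, e in evs if e == "PUSH_SENT"]
        best_count, best_start, best_end = 0, None, None
        start = 0
        # Sliding window over prompt timestamps: locate the densest burst.
        for end, ts_end in enumerate(sent):
            while ts_end - sent[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_start, best_end = count, sent[start], ts_end
        if best_count < threshold:
            continue
        approved = any(e == "PUSH_APPROVED" and ts >= best_start for ts, e in evs)
        alerts[user] = {
            "prompts": best_count,
            "window_start": best_start,
            "window_end": best_end,
            "approved": approved,
            "severity": "high" if approved else "medium",
        }
    return alerts


if __name__ == "__main__":
    for user, a in find_mfa_fatigue(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {a['prompts']} prompts {a['window_start']:%H:%M:%S}-"
              f"{a['window_end']:%H:%M:%S}, approved={a['approved']}, severity={a['severity']}")
```

On the constructed log the script flags alice (high: the burst ended in an approval, so the session should be treated as compromised and the token revoked) and carol (medium: the attacker holds valid credentials even though the prompts were denied, so a password reset and a look at the originating IP are warranted), while bob's normal usage stays below the threshold. Number-matching push or FIDO2, as the paragraph above recommends, removes the "approve by accident" path that this detection is looking for.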
A New Front: AI as an Attack Vector
The rise of AI has changed the game. Deepfakes enable real-time identity impersonation. Voice synthesis fools employees with perfectly imitated executive voices. LLMs are used to craft highly personalized phishing messages at scale. What once required hours of planning can now be generated in minutes – complete with context, tone, and formatting.
AI amplifies the effectiveness of BEC and social engineering. The deceptions are more convincing, the losses more severe.
Who Protects the Wealthy?
HNWIs are increasingly in the crosshairs. Why? Their digital footprint is massive – but their personal cybersecurity maturity often doesn’t match the sophistication of enterprise IAM systems. Yet even those enterprise solutions like Microsoft Entra ID, Okta, or AWS IAM aren’t invulnerable. Time and again, we see incidents where complex policies, conditional access, and RBAC models fail due to social engineering or misconfiguration. Whether it’s account takeovers, spear phishing, or deepfake-driven identity fraud – the arsenal is ready.
Conclusion: Old Threats, New Teeth
The Troy Hunt case, in its boldness, is reminiscent of the Kristi Noem handbag theft – an attacker going straight for something highly personal, right in public view. The difference? In cyberspace, it’s silent, efficient, and maximally damaging.
Identity theft is no longer a sideline concern – it’s a core risk. MFA via SMS or TOTP is no longer enough. Zero Trust isn’t a concept – it’s survival. And in cyberspace, trust isn’t a virtue – it’s a vulnerability.
What To Do If You Suspect Something
If you suspect something’s off – strange login activity, failed MFA prompts, or unexplained emails – don’t wait. Contact the experts at CERTAINITY.
CERTAINITY conducts forensic investigations to assess the real impact and identify other possibly compromised accounts. The team defines actionable, technically sound mitigation strategies and implements effective response measures. Backed by years of hands-on experience in comparable incidents, CERTAINITY works swiftly, discreetly, and with deep technical expertise.
CERTAINITY also provides preventive check-ups: have your digital identities, access controls, and IAM configurations (e.g. Azure AD/Microsoft Entra ID, Okta, or Keycloak) reviewed before trouble starts. These reviews go beyond obvious misconfigurations and uncover hidden weaknesses in role models, policy scope, and MFA setups.
Fast, confidential, and technically rigorous support. Better to ask once too often than once too late.
Hotline: AT: +43 664 888 44 686 || DE: +49 800 2378246
E-Mail: csirt@certainity.com
[1] MFA fatigue is when repeated authentication prompts wear down users, leading them to approve requests they shouldn’t. MFA bombing involves spamming MFA requests to pressure user approval. SIM swapping is a physical attack where an attacker takes over a victim’s phone number to intercept SMS-based authentication.