Top 3 Cybersecurity Trends We Uncovered from GrrCON 2025


Editor’s note: In recognition of National Cybersecurity Awareness Month this October, we are publishing a series of blog posts dedicated to educating and informing you about cybersecurity practices. This is the seventh in a series of posts. Below, you can find a list of links to the rest of the series:


Cybersecurity at GrrCON 2025 wasn’t just about firewalls and passwords; it was about people. The conference’s main takeaway was that the strongest defense still comes down to the relationships between users, companies and the security team.

Last year, we told you all about the top three cybersecurity threats that we discovered at GrrCON, an information security and hacking conference held in Grand Rapids, Michigan.

This year, the presentations focused on how security impacts you, the end user, and how security-focused companies can improve their security experience by looking at it from the end users’ perspectives.

Here are three of the top themes we noticed at GrrCON 2025.

Passkeys are the Future

Passwords are insecure and outdated. Yet, we still heavily rely on passwords in both the business world and our personal lives.

Passwords are an easy concept for nontechnical people to understand, so why mess with it?

Well, it’s because passwords can be easily guessed or stolen. In fact, 81% of data breaches involve stolen or weak passwords, according to the presentation.

So, what’s the solution? It’s passkeys, which use biometric data to log in to devices or applications.

We discussed passkeys earlier this year, noting they are phishing resistant, more secure than passwords and easier for users, as there is no username/password combination to remember or that can be stolen.

The holdup? A lot of legacy applications and systems don’t support passkeys yet.

If you have a computer with Windows 11, then you can use Microsoft’s passkeys solution without using a biometric scanner or a YubiKey, which is a physical device that plugs into your computer and is tied to you and your device.

Top tech companies like Microsoft, Google and Apple have introduced passkeys so users no longer have to remember their passwords. But there’s been pushback on passkeys that utilize biometric data, as people are worried about tech companies having access to it.

Rest assured, any passkey that uses biometric data stays on the device. Just remember to factory reset your phone/computer when you get a new one so the data is erased.

Your organization should start exploring passkeys now — especially for critical applications — so that you’re ready when passwords become obsolete.

Focus Phishing Simulations on Educating, Not Tricking Users

Some companies use phishing simulations to embarrass employees, and it’s having a negative effect.

The goal of phishing simulations (when companies send fake phishing emails to their own employees) is to educate users to look for the telltale signs of a phishing email.


Dogs — if they could talk — would be the first to tell you that positive reinforcement is much more effective than negative reinforcement.

Too much negative reinforcement, and you’ll find your employees will be hesitant to click on any email, as they’re afraid they’ll be fooled by a simulated email.

The presenters also questioned how much phishing simulations actually work, citing figures of roughly 10%-20% of users falling for simulated phishing emails regardless of whether they have had training.

That’s not to say all phishing simulations need to be abandoned (something is better than nothing), but don’t overspend on it just to check a box on compliance.

Simulations, of course, are not the only part of phishing training. Quarterly teaching of new and emerging threats (as well as reminders of the basics) goes a long way toward establishing a culture where security is top of mind and taken seriously.

But phishing training alone will not protect your organization. It needs to be paired with managed detection and response, spam filters, and other security tools so obvious phishing emails never even reach your employees’ inboxes.

Cautionary Tales of Cybersecurity

The last theme we uncovered concerned ransomware trends, phishing trends and things to consider when choosing a managed service provider.

One presentation dissected red flags that are emerging with successful phishing and ransomware attacks around the world.

Emails alerting partners of direct deposit changes topped the list, followed by fake invoices and fake requests for quote.

Direct deposit changes: An attacker will target a specific company, pretending to be one of its vendors. The email will note a new bank account where future payments should be made. Of course, the bank account belongs to the attacker, who collects as much money as possible before either side realizes what’s happening.

Fake invoices: An attacker, again posing as a specific company’s vendor, sends a fake invoice to trick people into providing personal information or making payments for services they never ordered. What makes this one extra sneaky is that the company legitimately does business with that vendor, so receiving an invoice from it is entirely plausible.

Fake requests for quote: Similar idea as the fake invoices, except the attacker is hoping to get high-value goods with no intention of actually paying. Leveraging the trust between the two companies, the attacker creates a sense of urgency, sends a fake purchase order with shipping instructions and sells the goods to a third party.
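The three patterns above share two signals a mail gateway or accounts-payable team can check for mechanically: the sender only resembles a real vendor, and the message asks for money or goods to move. As an added example (not code from this post or from the GrrCON presenters), here is a Node.js triage rule that flags those signals over a few constructed messages. The vendor list, the sample emails, the keyword lists and the hold/review/pass verdicts are all assumptions made for illustration; the one design rule worth keeping is that any bank-detail change is held for a phone call to the number already on file, even when it comes from the genuine vendor domain, because that mailbox may itself be compromised.

```javascript
// Added example: triage rule for vendor-impersonation emails (direct deposit
// changes, fake invoices, fake requests for quote). All data is constructed.

// Vendors this hypothetical company actually does business with: domain -> name.
const KNOWN_VENDORS = new Map([
  ['acme-supplies.example', 'Acme Supplies'],
  ['northwind-freight.example', 'Northwind Freight'],
]);

const PAYMENT_CHANGE = /\b(direct deposit|bank account|routing number|wire instructions|remit(?:tance)? (?:to|address))\b/i;
const INVOICE = /\b(invoice|payment due|past due|overdue)\b/i;
const RFQ = /\b(request for quote|rfq|purchase order|ship(?:ping)? (?:to|instructions|address))\b/i;
const URGENCY = /\b(urgent|immediately|asap|today|within 24 hours|before end of day)\b/i;

// Levenshtein distance, used to spot lookalike sender domains.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

function senderDomain(address) {
  return address.slice(address.lastIndexOf('@') + 1).toLowerCase();
}

// Which known vendor, if any, the sender appears to impersonate: a lookalike
// domain, or a known vendor's name in the display name from some other domain.
function impersonatedVendor(mail) {
  const domain = senderDomain(mail.from);
  if (KNOWN_VENDORS.has(domain)) return null; // genuine vendor domain
  for (const [vendorDomain, vendorName] of KNOWN_VENDORS) {
    if (editDistance(domain, vendorDomain) <= 2) return vendorDomain;
    if (mail.displayName.toLowerCase().includes(vendorName.toLowerCase())) return vendorDomain;
  }
  return null;
}

function triageEmail(mail) {
  const text = `${mail.subject} ${mail.body}`;
  const reasons = [];
  const lookalike = impersonatedVendor(mail);
  if (lookalike) reasons.push(`sender looks like known vendor ${lookalike}`);
  if (PAYMENT_CHANGE.test(text)) reasons.push('payment or bank-account change');
  if (INVOICE.test(text)) reasons.push('invoice or payment demand');
  if (RFQ.test(text)) reasons.push('quote or purchase order with shipping details');
  if (URGENCY.test(text)) reasons.push('urgency pressure');

  // Bank-detail changes are always held for out-of-band verification, even
  // from the real vendor domain; lookalike senders are held outright.
  let verdict = 'pass';
  if (lookalike || PAYMENT_CHANGE.test(text)) verdict = 'hold';
  else if (reasons.length >= 2) verdict = 'review';
  return { verdict, reasons };
}

// Constructed sample messages (not real traffic).
const SAMPLE_EMAILS = [
  { from: 'ap@acme-supplies.example', displayName: 'Acme Supplies AP',
    subject: 'Updated direct deposit information',
    body: 'Please update the bank account on file before your next payment run.' },
  { from: 'billing@acme-supplles.example', displayName: 'Acme Supplies',
    subject: 'Invoice #4471 past due',
    body: 'Remit payment immediately to avoid service interruption.' },
  { from: 'purchasing@acme-supplies-inc.example', displayName: 'Acme Supplies Purchasing',
    subject: 'Request for quote: 40 laptops, urgent',
    body: 'Purchase order attached; ship to the address below, net-60 terms.' },
  { from: 'invoices@randomco.example', displayName: 'Accounts',
    subject: 'Overdue invoice',
    body: 'Pay today to keep your account in good standing.' },
  { from: 'news@tradeweekly.example', displayName: 'Trade Weekly',
    subject: 'This week in logistics',
    body: 'Industry news roundup.' },
];

function triageAll(mails = SAMPLE_EMAILS) {
  return mails.map((m) => ({ from: m.from, ...triageEmail(m) }));
}
```

triageAll() holds the first three samples (a bank change from the real vendor, a lookalike-domain invoice, and a display-name-only RFQ), sends the unknown-sender overdue invoice for review, and passes the newsletter. Keyword rules like these are coarse; in practice the lookalike check against your own vendor list, and the out-of-band call for any payment change, carry most of the value.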

Additionally, one MSP recounted the day in 2021 when attackers exploited a previously unknown vulnerability and installed ransomware on all of its clients’ servers. Luckily, it restored all client data, but the effects of that incident are still felt today.

The moral of the story? Before you sign with an MSP, know what its incident response plan is and what it will do when something like this happens. The increasing frequency and complexity of attacks today mean it’s no longer “if” your organization will experience one, it’s “when.”

Stay Safe with Cybersecurity Tools and Training

Cybersecurity is no longer just a tech issue; it’s a people issue. No security tool is 100% effective, and phishing training alone isn’t enough to protect your organization. You need the proper tools and training to safeguard your sensitive data.

Let’s discuss ways to defend against today’s cybersecurity threats before you fall victim to a phishing or ransomware attack.
