
The Insider Betrayal: Why MFA No Longer Protects Jamaica’s Digital

By Aneika Gunning, Lead Cybersecurity Consultant, MSC



For years, cybersecurity relied on the idea that using both a password and a code protected our assets. But as we enter 2026, that assumption is under serious strain. The real threat isn't expert hackers breaking in; it's insiders, colleagues who grant access and undermine defenses from within.

Public reporting suggests that a new threat is transforming attacks: the Scattered Lapsus$ Hunters (SLH). This isn't merely hackers using technical tricks. SLH is recruiting employees, exposing that Multi-Factor Authentication (MFA) is vulnerable when the danger comes from insiders, not advanced technology.


The $1,000 USD Phone Call

The shift in tactics is alarming. While defenses focus on firewalls, groups like ShinyHunters and LAPSUS$ now invest in exploiting human greed. Their operations occur openly on encrypted Telegram channels and public forums, posting "help wanted" ads for corporate insiders.

The process is deceptively simple. A disgruntled or opportunistic employee at a major firm, whether a local BPO or a global tech provider, is offered a "reward" that can dwarf their monthly salary. In exchange for a few thousand dollars in Bitcoin, these insiders provide their login credentials or, more critically, "push" an MFA notification through to a hacker’s device.

In some cases, recruitment is even more specialized. Recent intelligence suggests these groups are actively seeking out female "vishing" (voice phishing) agents, betting on the psychological fact that a feminine voice is often more trusted by IT help-desk staff when "resetting" a blocked account. By the time the real employee realizes their account has been hijacked, the data, millions of customer records, is already being held for ransom on the group’s extortion portals.


The Fall of the 'Trusted' Gatekeepers

The recent timeline of attacks reads like a post-mortem for traditional security. Between October and December 2025, a breach of the Salesloft "Drift" platform exposed vulnerabilities in interconnected cloud systems, allegedly resulting in the leak of massive volumes of . But the real blow came in early 2026, with reports of compromises involving Okta and Microsoft’s Single Sign-On (SSO) systems.

When the systems we use to verify trust are themselves compromised, the traditional "something you have, something you know" security model becomes obsolete. We are no longer fighting software; we are fighting a social engineering engine that utilizes AI to clone voices and scripts, thereby manipulating human psychology.


A New Rulebook: Defending the 'Overthrown' Perimeter

As JaCIRT (Jamaica Cyber Incident Response Team) recently noted, cyber threats in Jamaica are increasingly "people-centered." To survive this era, our organizations must move beyond the "Three Pillars" of security and adopt a posture of continuous suspicion.


  1. Patch the "Human Hack": Your help desk is your weakest point. Organizations must implement strict verification for all internal requests. A persuasive caller asking for an MFA reset isn't just a support ticket; they are a primary threat vector.


  2. Audit the Gatekeepers: The Okta/Microsoft compromises prove that identity providers are now targets. Security teams must monitor the health of the sign-on infrastructure itself, not just individual user logins.


  3. Weaponize Against AI-Enhanced Phishing: Training must evolve to include "Deepfake Voice" simulations. If your team isn't prepared for a call that sounds exactly like their CEO or a government official, they aren't prepared for 2026.


  4. The "Zero-Day" Contingency: When your primary authentication is "overthrown" by a zero-day exploit, what is your Plan B? Companies must maintain offline or secondary verification methods for administrative access.


  5. Shift to Phishing-Resistant Hardware: The scramble for the "next keys" is on. Jamaican firms should prioritize physical security keys (FIDO2) that require a physical touch, making them impossible to intercept via a WhatsApp scam or a bribed phone call.


A Crossroads for Jamaican Business

For Jamaica, this isn't a distant problem. As a hub for international BPOs and a growing fintech sector, our economy relies on being a "trusted" partner. If our local infrastructure can be bypassed by a bribed employee or a clever phone call, that trust evaporates.

The "scramble" is now on. Organizations must move beyond the "comfort" of basic MFA. The future of security lies in "phishing-resistant" hardware: physical keys that must be touched and cannot be intercepted by a hacker in another country.

The era of the "unhackable" password is over. The era of the "human firewall" has begun, and right now, hackers are winning the recruitment war.


Glossary for the General Reader

• Multi-Factor Authentication (MFA): The digital equivalent of requiring both a key and a fingerprint to open a door.

• JaCIRT: The Jamaica Cyber Incident Response Team, the government's primary body for handling national cyber threats.

• Vishing: "Voice Phishing", using deceptive phone calls to trick people into giving up secrets.

• BPO (Business Process Outsourcing): Local centers that handle customer service or tech support for global brands; a prime target for hackers seeking "insider" access.

• Single Sign-On (SSO): A "Master Key" system (like Okta) that lets you log into all your work apps with one account.

• Phishing-Resistant MFA: Security that requires a physical USB key (like a YubiKey) instead of a code sent to your phone, making it much harder to steal.

 
 
 
