Human In[Security]
Human In[Security] — Week of 2026-05-18
This week: fake Microsoft logins stealing accounts, a shady streaming app accused of stealing access codes, and the giant scam-app problem living on our phones.
Three quick stories, why they matter, and what to do about them.
1) Fake Microsoft login pages are being used to steal email accounts
What happened: Researchers say scammers are using a tool called Tycoon2FA to hijack Microsoft 365 accounts. Instead of only asking for your password on a fake page, the scam can push people into a real Microsoft sign-in step that still gives the attacker access. The whole point is to get into your inbox without triggering the usual suspicion.
Why it matters: If someone gets your email, they can try password resets on shopping, social media, and other accounts tied to that inbox. They can also send messages as you and trick family, friends, or coworkers into trusting a fake request for money, codes, or files.
How to protect yourself: Slow down and look hard at the sender and the web address before you do anything. Do not click login links in email or chat. Open Outlook or Microsoft yourself by typing the site address, using the app, or using a bookmark, and be careful with search ads that put fake login pages at the top. If a code or approval pop-up appears and you did not start the login, do not approve it. Turn on 2FA and sign-in alerts, and check your connected devices and apps for anything you do not recognize.
2) Italian police say a piracy app was stealing streaming access codes
What happened: Italian police say they broke up a piracy network built around an app called CINEMAGOAL. Investigators say the app did more than offer illegal streams. It also stole authentication codes used to access streaming services. Police say they seized servers and disrupted the system behind it.
Why it matters: Unofficial streaming apps are not just a copyright problem. They can also steal the codes and logins that unlock your paid accounts. If you reuse passwords, one stolen streaming login can become a doorway into your email, shopping accounts, or even banking apps.
How to protect yourself: Delete unofficial TV, movie, and sports apps, and stick to official app stores and official service apps. Check the app maker name and the website carefully before installing anything. Never click a random login link that claims your streaming account needs attention. Open the real app or type the real site yourself, and watch out for fake search ads that lead to lookalike pages. Use a different password for every service, turn on 2FA where you can, and if you ever used a shady streaming app, change your password now and sign out of other devices.
3) Apple says scam apps and fake accounts are still a huge problem
What happened: Apple says it blocked more than $11 billion in fraudulent App Store transactions over the last six years. For 2025 alone, the company says it stopped more than $2.2 billion in suspicious purchases and blocked huge numbers of fake accounts and bad app submissions. The simple takeaway is that scam apps, fake reviews, and sneaky subscriptions are still all over the place.
Why it matters: A bad app can look harmless while it pushes hidden charges, fake subscriptions, or tricks you into handing over personal information. Kids and older adults are easy targets when pop-ups, free trials, and payment screens are confusing on purpose.
How to protect yourself: Before installing an app, check who made it, check the developer website, and read the newest reviews instead of trusting the star rating. Do not tap app-related login links from email, texts, or search ads. Open the app store or the company app yourself and search carefully. Be extra cautious with free trials that quietly turn into paid plans, turn on 2FA on important accounts tied to your phone, and review your subscriptions list for anything you do not recognize.
Grandma’s Firewall

This week’s simple rule:
If you did not start the login, do not tap the link, type the code, or approve the pop-up.
Two scripts you can steal:
1. I did not request this sign-in, so I am not using that link or code.
2. I will open the app myself and check there instead.
Human In[Security] explains the scams, tricks, and shady tech moves that hit regular people every week.