#NSBCS.092 - Security Fatigue: When Cyber Safety Becomes Exhausting
Source: NSB Cyber
“Another massive data breach? My credentials have been leaked again? Last time it was my provider, then my medical insurer, then my bank and now it’s something else? Ah, I’m used to it at this point. It’s always going to happen.”
“I always need to change my password every month. I’m tired of it, and now the system tells me I can’t reuse the same password I used 6 months ago. What’s the issue? Can’t they make it simpler?”
“This is probably another false positive, right? It’s the 500th alert I’ve triaged this week.”
“My MSSP sent me another threat escalation this week. I’ll get to it later, we already fixed three before.”
Most of us know the feeling: another email about a data breach, another password reset prompt, another multi-factor code texted at the worst possible moment. At some point it all feels like too much. If you are thinking this way, you may be experiencing security fatigue. It is neither unique nor rare; it is increasingly, and dangerously, common.
Security fatigue is the weariness or reluctance to deal with security that sets in after constant exposure to warnings and alerts, security news such as data breaches, forced password changes and other security demands. When people are bombarded with reminders and alerts, they eventually tune them out. When they tire of being constantly told what to do online, they stop following the instructions, even when that puts them or their organisation at risk.
This exhaustion, or worse, the complacency that follows it, has real consequences.
For the public, this may show up as reusing the same weak password across dozens of accounts (sometimes only changing a single character to ‘comply’), ignoring breach notifications, or putting off software updates.
Employees show similar symptoms, with more at stake: they start bypassing policies that feel inconvenient, lose attention (and retention) during cyber awareness training, connect to corporate servers over public Wi-Fi, and grow less vigilant against phishing.
For clients and organisations, the stakes rise further. A workforce that has tuned out of security practice means a higher likelihood of breaches, regulatory fines and loss of customer trust. The problem does not stop with employees; it extends to security teams as well. Alert fatigue desensitises analysts who face thousands of notifications a day, raising the chance that a critical alert is dismissed as one more false positive.
So how do we begin to address this?
The answer is not more rules. Research points instead to avoiding the overload altogether: making security simpler and smarter rather than adding to it.
For the public, that means helping them start small: a password manager to end reuse, MFA on the accounts that matter most (email, banking and identity), and prompt resets of any credential exposed in a breach. Just as importantly, breach communication needs to be clear and state directly what the exposure means for the affected person, not just offer free identity-theft coverage.
For employees, it means reducing noise: filtering out low-priority alerts so they can focus on what is truly relevant, replacing forced periodic password changes with password managers and single sign-on (NIST’s SP 800-63B guidance has, since 2017, advised against arbitrary periodic rotation in favour of changing a password only when compromise is suspected), and designing training that is short, relevant and engaging. Training also needs to shift from scare tactics toward positive reinforcement and practical tips people can actually use.
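The “reduce noise” point is easier to see in code than in prose. The following is an added example (not code from NSB Cyber or from any vendor product) of the three cheapest noise-reduction steps an alert pipeline can take before a human sees anything: drop alerts that match a known-benign suppression, collapse repeats of the same rule/host/user inside a time window into one incident with a count, and rank what is left by severity so the critical item is at the top. It also shows the flip side of fatigue: a burst of individually trivial failed logins is invisible alert-by-alert but becomes a meaningful signal once aggregated, so the aggregator promotes it. The alert line format, rule names, hosts, users and the suppression entry are all constructed for this example.

```python
"""Added example: collapse a noisy alert stream into a short, ranked incident list.

Constructed alert format (hypothetical, not a real SIEM export):
  <ISO timestamp> rule=<id> host=<name> user=<name> sev=<info|low|medium|high|critical>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    ts: datetime
    rule: str
    host: str
    user: str
    severity: str


@dataclass
class Incident:
    rule: str
    host: str
    user: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1


def parse_alert(line: str) -> Alert:
    """Parse one 'timestamp key=value ...' line into an Alert."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Alert(datetime.fromisoformat(ts_text), fields["rule"],
                 fields["host"], fields["user"], fields["sev"])


def reduce_alerts(alerts, window=timedelta(minutes=30),
                  suppressions=frozenset(), volume_threshold=20):
    """Suppress, deduplicate and rank alerts.

    - (rule, user) pairs in `suppressions` are dropped as known-benign.
    - Alerts sharing (rule, host, user) and arriving within `window` of the
      previous one are merged into a single Incident with a count; the
      incident keeps the highest severity seen.
    - A low/info incident that reaches `volume_threshold` repeats is promoted
      to medium: one failed login is noise, twenty in a row is a signal.
    Returns (incidents sorted by severity then count, number suppressed).
    """
    open_incidents = {}   # (rule, host, user) -> Incident still inside the window
    incidents = []
    suppressed = 0
    for a in sorted(alerts, key=lambda x: x.ts):
        if (a.rule, a.user) in suppressions:
            suppressed += 1
            continue
        key = (a.rule, a.host, a.user)
        inc = open_incidents.get(key)
        if inc is not None and a.ts - inc.last_seen <= window:
            inc.count += 1
            inc.last_seen = a.ts
            if SEVERITY_RANK[a.severity] > SEVERITY_RANK[inc.severity]:
                inc.severity = a.severity
        else:
            inc = Incident(a.rule, a.host, a.user, a.severity, a.ts, a.ts)
            open_incidents[key] = inc
            incidents.append(inc)
    for inc in incidents:
        if inc.count >= volume_threshold and SEVERITY_RANK[inc.severity] < SEVERITY_RANK["medium"]:
            inc.severity = "medium"
    incidents.sort(key=lambda i: (-SEVERITY_RANK[i.severity], -i.count, i.first_seen))
    return incidents, suppressed


# Constructed sample stream: a backup service account that legitimately runs
# encoded PowerShell (suppressed), a user running encoded PowerShell twice and
# then creating a masquerading scheduled task, and one stray failed login hours later.
SAMPLE_LINES = [
    "2025-09-18T08:05:00 rule=proc.powershell_encoded host=srv-bk1 user=svc_backup sev=medium",
    "2025-09-18T08:06:00 rule=proc.powershell_encoded host=ws-22 user=bob sev=high",
    "2025-09-18T08:07:00 rule=proc.powershell_encoded host=ws-22 user=bob sev=high",
    "2025-09-18T08:08:00 rule=task.created_masquerade host=ws-22 user=bob sev=critical",
    "2025-09-18T11:00:00 rule=auth.failed_login host=ws-17 user=alice sev=low",
]
# Plus a constructed burst: 40 failed logins for alice, one every 30 seconds from 08:00.
SAMPLE_LINES += [
    f"2025-09-18T08:{i // 2:02d}:{(i % 2) * 30:02d} rule=auth.failed_login host=ws-17 user=alice sev=low"
    for i in range(40)
]
# Hypothetical suppression: this service account is expected to run encoded PowerShell.
KNOWN_BENIGN = frozenset({("proc.powershell_encoded", "svc_backup")})


def triage_sample():
    """Run the pipeline over the constructed stream; returns (incidents, suppressed)."""
    return reduce_alerts([parse_alert(line) for line in SAMPLE_LINES], suppressions=KNOWN_BENIGN)


if __name__ == "__main__":
    incidents, suppressed = triage_sample()
    print(f"{len(SAMPLE_LINES)} raw alerts -> {len(incidents)} incidents ({suppressed} suppressed)")
    for inc in incidents:
        print(f"{inc.severity:8} x{inc.count:<3} {inc.rule:26} {inc.host}/{inc.user}")
```

On the constructed stream, 45 raw alerts become four incidents, with the critical task-masquerade event first and the 40-strong failed-login burst promoted from low to medium; an analyst reads four lines instead of forty-five. The suppression list is the part that needs the most discipline in practice: every entry should name the rule, the identity and the reason, and be reviewed on a schedule, because a stale suppression is exactly how a real compromise of that service account would hide.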
Organisations need to treat fatigue as a cyber risk in its own right. That requires leadership buy-in, investment in automation to cut manual workload, engaging and interactive training, and a culture where employees feel supported rather than blamed when mistakes happen.
From an analyst’s perspective, addressing security fatigue takes understanding as well as technical solutions. If you, your team or your customers are feeling the strain, it is time to step back and reshape security into something that protects without overwhelming.
Security fatigue is not a personal failing; it is a signal that systems and processes need to be smarter. By simplifying security, prioritising what matters, and supporting people instead of overwhelming them, organisations can turn fatigue into vigilance and ensure their teams stay alert when it really counts.
What we read this week
Microsoft and Cloudflare Disrupt Massive RaccoonO365 Phishing Service - Microsoft and Cloudflare dismantled the RaccoonO365 phishing-as-a-service network earlier this month by seizing 338 malicious websites and Cloudflare Worker accounts. Active since at least July 2024, the group (tracked as Storm-2246) stole more than 5,000 Microsoft 365 credentials from victims in 94 countries using phishing kits with CAPTCHA pages and anti-bot evasion. One large U.S. campaign in April 2025 targeted 2,300 organisations, including over 20 healthcare providers, whose stolen data was later abused for fraud, extortion and follow-on attacks such as ransomware. The service operated on a subscription model, advertised in a private Telegram channel of 840+ members and paid for in Tether or Bitcoin. Investigators linked the operation’s leadership to Nigerian programmer Joshua Ogundipe, aided by Russian-speaking cybercriminals, and have referred the case for international law-enforcement action.
Firebreaks for the Digital Age: Why Australia Needs its Cyber Coordinator - Australia’s Cyber Security Act 2024 has formally established the National Cyber Security Coordinator as a trusted crisis partner with legal protections for information shared during cyber incidents. The law ensures that sensitive details provided voluntarily by affected organisations can only be used for response, recovery and national situational awareness, not for regulatory or enforcement purposes, encouraging rapid, transparent reporting. Separate from ministers or regulators with coercive powers, the coordinator’s role is to unify government, industry and regulators during major cyberattacks, cutting through confusion when speed is critical. Beyond crisis response, the office leads national preparedness by running scenario exercises, stress-testing infrastructure, and fostering open discussions to strengthen resilience.
New FileFix Attack Uses Steganography to Drop StealC Malware - Acronis has uncovered a new FileFix campaign that pretends to be Meta account suspension alerts, luring victims into pasting hidden PowerShell commands that install the StealC infostealer. FileFix, researcher mr.d0x’s evolution of the ClickFix social engineering method, abuses the Windows File Explorer address bar instead of the Run dialog to execute the pasted command. The campaign hides a second-stage PowerShell script and an encrypted payload inside a seemingly innocent JPG image hosted on Bitbucket; the script extracts the payload and runs it in memory to avoid detection. StealC then harvests browser credentials and cookies, messaging app logins, cryptocurrency wallets, cloud access keys and VPN details, and can capture desktop screenshots.
AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto - Threat actors have abused legitimate ConnectWise ScreenConnect remote monitoring and management (RMM) deployments to gain hands-on-keyboard access and launch a layered VBScript/PowerShell loader that pulled obfuscated components from external URLs. Phishing emails carrying trojanised ScreenConnect installers were used to start the chain, after which the loader fetched encoded .NET assemblies that unpacked and executed the AsyncRAT payload. Persistence was achieved by writing a secondary VBScript to disk and creating a scheduled task masquerading as a “Skype Updater,” so the malicious code runs at each user login. AsyncRAT can log keystrokes, steal browser credentials, fingerprint the host, and hunt for desktop cryptocurrency wallets and browser wallet extensions across Chrome, Edge, Brave, Opera and Firefox.
Scattered Spider Resurfaces with Financial Sector Attacks Despite Retirement Claims - Cybersecurity researchers from ReliaQuest have linked new intrusions against financial institutions to Scattered Spider, contradicting the gang’s earlier claim of disbanding. In one case, attackers gained access by socially engineering a bank executive and abusing Azure Active Directory self-service password resets, then moved through Citrix and VPN systems to compromise VMware ESXi, escalate privileges and attempt data theft from Snowflake and AWS. Researchers observed a rise in financial-sector lookalike domains and tactics such as resetting Veeam service passwords, assigning Azure Global Administrator rights and relocating virtual machines to avoid detection. Experts note that Scattered Spider overlaps with groups like ShinyHunters and LAPSUS$, which often extort victims long after the initial breach.
References
https://www.bleepingcomputer.com/news/security/microsoft-and-cloudflare-disrupt-massive-raccoono365-phishing-service/
https://www.aspistrategist.org.au/firebreaks-for-the-digital-age-why-australia-needs-its-cyber-coordinator/
https://thehackernews.com/2025/09/asyncrat-exploits-connectwise.html
https://www.securityweek.com/samsung-patches-zero-day-exploited-against-android-users/
https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html