The MGM Resorts breach started with a single phone call to the IT helpdesk. The warning signs were there—unusual access requests, credential resets, suspicious network activity. Yet no one connected the dots until $100 million in damage was done.
This isn’t unusual. A shocking 85% of cyber attack victims admit they noticed red flags before disaster struck but dismissed them as probably nothing.
In cybersecurity, what you ignore will cost you. The difference between breached companies and secure ones isn’t just better technology—it’s recognizing and acting on warning signs everyone sees but few heed.
Let’s uncover what these warning signs are and why we miss them.
When 241 days becomes $4.4 million: The real price of missed red flags

When organizations miss the warning signs of a cyber attack, the bill comes due—and it’s shocking. According to the latest IBM Cost of Data Breach Report, the global average cost of a data breach has reached $4.44 million in 2025.
That’s not a typo. Millions of dollars lost because someone ignored suspicious login attempts or dismissed unusual system behavior as “just a glitch.” The price tag gets even steeper in certain industries.
Healthcare organizations face average costs of $7.42 million per breach, while financial institutions aren’t far behind at $6.08 million.
These aren’t hypothetical numbers—they represent real businesses forced to rebuild after devastating attacks that showed warning signs before striking.
Consider the Change Healthcare catastrophe of 2024. Attackers gained access to their systems and had 9 full days to move through the network before deploying ransomware. Those were 9 days of detectable warning signs, all ignored.
The result? Personal data of 190 million Americans exposed (nearly two-thirds of the U.S. population), a staggering $2.4 billion in losses, and healthcare providers nationwide thrown into chaos.
The most painful part? Many organizations continue bleeding money long after the initial breach. 75% of affected businesses are still dealing with breach-related costs more than 100 days after discovery—paying for forensic investigations, legal support, regulatory fines, and rebuilding customer trust.
The delay between breach and discovery makes these costs multiply. The current average detection time is 241 days—that’s over 8 months of attackers having free access to systems and data.
While this represents a slight improvement from 258 days previously, it’s still an eternity in cybersecurity terms.
Organizations that invest in modern detection capabilities see dramatic improvements. Those using AI and automation in their security stack save an average of $2.2 million per breach and detect intrusions 108 days faster. That’s the difference between a survivable incident and an existential threat.
The human element remains the critical factor, with the Verizon Data Breach Investigations Report confirming that 68% of breaches involve human mistakes or manipulation.
As cybersecurity expert Bruce Schneier puts it: “People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
There’s also a shifting attitude toward ransom payments. Today, 64% of ransomware victims refuse to pay attackers—up significantly from 50% in previous years. Organizations are realizing that prevention and early detection deliver better outcomes than negotiating with criminals.
Recognizing warning signs early saves millions. The question isn’t whether you can afford better detection—it’s whether you can afford to miss what’s already happening in your systems right now.
The warning signs hiding in plain sight: What attackers hope you’ll ignore

Before any cyber attack succeeds, there are warning signs. The problem isn’t that these red flags don’t exist—it’s that most people and organizations miss them. Hackers count on this blindness. They know we’re busy, distracted, or simply don’t know what to look for.
Here are the seven warning sign categories that appear in almost every successful attack. Learning to spot these signals could save your organization millions.
1. Phishing Red Flags
Phishing remains the number one entry point for attackers because it works. These emails and messages slip past technical defenses by exploiting human trust.
- Generic greetings instead of personalization – “Dear Customer” or “Account Holder” rather than your actual name
- Urgency language creating false pressure – “Act now,” “expires in 4 hours,” or “immediate action required”
- Mismatched URLs – The text says “PayPal.com” but hovering shows a completely different destination
- Slight domain misspellings – Easy to miss: netfl1x.com (using number “1”), amaz0n.com, or g00gle.com
- Requests that bypass normal procedures – “Don’t tell accounting” or “keep this confidential from the team”
Business Email Compromise (BEC) attacks have exploded by 1,760% since AI adoption made them easier to create. The average loss? A staggering $137,132 per successful attack.
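The mismatched-URL and misspelled-domain checks from the list above can be automated on an email's HTML body. This is an added example, not code from the article; the allow-list, the digit-swap table and the sample message are constructed assumptions.

```python
import itertools
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains this organization really does business with.
KNOWN_DOMAINS = {"paypal.com", "netflix.com", "amazon.com", "google.com"}
# Digit-for-letter swaps like the article's netfl1x / amaz0n / g00gle examples.
SWAPS = {"0": "o", "1": "il", "3": "e", "5": "s"}
# Constructed email body, not a real message.
SAMPLE_HTML = (
    '<a href="http://login.example.net/verify">PayPal.com</a>'
    '<a href="https://www.netfl1x.com/billing">Update billing</a>'
    '<a href="https://www.amazon.com/orders">amazon.com</a>'
)

def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain):
    """Return the known domain that `domain` imitates through digit swaps, else None."""
    variants = {"".join(p) for p in itertools.product(*(SWAPS.get(c, c) for c in domain))}
    return min((variants & KNOWN_DOMAINS) - {domain}, default=None)

def host_of(value):
    """Hostname of a URL or bare domain; '' if the text is not one host-like token."""
    if not value or any(c.isspace() for c in value):
        return ""
    try:
        return urlparse(value if "://" in value else "//" + value).hostname or ""
    except ValueError:
        return ""

class LinkCollector(HTMLParser):  # gathers (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Flag visible-domain/target mismatches and digit-swap lookalike targets."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target, shown = registrable(host_of(href)), host_of(text)
        if target and "." in shown and registrable(shown) != target:
            findings.append(("mismatched-url", text, target))
        if target and lookalike_of(target):
            findings.append(("lookalike-domain", target, lookalike_of(target)))
    return findings
```

On the constructed sample, the first link is flagged because its text names PayPal while the target is another domain, the second because its target folds to netflix.com, and the genuine amazon.com link passes.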
2. Account Compromise Indicators
When someone breaks into your account, they leave footprints. These signs often get dismissed as glitches or technical problems.
- Logins from unusual geographic locations – Your account accessed from Russia when you’re in Chicago should trigger alarms
- Multiple failed login attempts followed by a successful login (sign of password guessing)
- Changed authentication settings – Different recovery email, new security questions, or disabled two-factor authentication
- Password reset emails you didn’t request suddenly appearing in your inbox
- Friends or colleagues saying they got strange messages from your email or social accounts
The Verizon Data Breach Investigations Report shows that 22% of breaches start with stolen credentials. Someone using your username and password opens the door to everything else.
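Two of the indicators above, a run of failed logins ending in a success and a login from an unfamiliar location, are straightforward to check over authentication logs. This is an added example, not code from the article; the log format, the 10-minute window, the threshold of 5 and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window for failed attempts
THRESHOLD = 5                   # assumed: this many failures before a success is suspicious

# Constructed authentication events: timestamp, user, source country, outcome.
SAMPLE_LOG = """\
2025-03-03T08:58:10 alice US success
2025-03-03T09:02:41 bob US failure
2025-03-03T09:03:05 bob US success
2025-03-04T02:11:00 alice RU failure
2025-03-04T02:11:08 alice RU failure
2025-03-04T02:11:15 alice RU failure
2025-03-04T02:11:23 alice RU failure
2025-03-04T02:11:31 alice RU failure
2025-03-04T02:12:05 alice RU success
"""


def detect(log_text):
    """Return alerts for failures-then-success and for logins from a new country."""
    failures = defaultdict(deque)  # user -> timestamps of failures inside WINDOW
    seen = defaultdict(set)        # user -> countries of earlier successful logins
    alerts = []
    for line in log_text.strip().splitlines():
        stamp, user, country, outcome = line.split()
        when = datetime.fromisoformat(stamp)
        recent = failures[user]
        while recent and when - recent[0] > WINDOW:
            recent.popleft()           # forget failures older than the window
        if outcome == "failure":
            recent.append(when)
            continue
        if len(recent) >= THRESHOLD:   # a guessing run that finally worked
            alerts.append((stamp, user, "failures-then-success", len(recent)))
        if seen[user] and country not in seen[user]:
            alerts.append((stamp, user, "new-country", country))
        seen[user].add(country)
        recent.clear()                 # a success resets the failure streak
    return alerts
```

In the sample, bob's single mistyped password raises nothing, while alice's account produces both alerts on the same successful login.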
3. Ransomware Early Warnings
Ransomware attacks don’t just happen instantly. Attackers spend days or weeks inside your systems before they encrypt your files. During this time, they leave clues.
- Unusual file extensions appearing (.locked, .encrypted, .crypt) on your documents
- Antivirus suddenly disabled or showing it’s been turned off without your knowledge
- Slow network performance as encryption quietly begins in the background
- Remote access tools (AnyDesk, TeamViewer) installed without IT approval
- Reconnaissance tools detected on your network (BloodHound, Mimikatz)
MGM Resorts lost $100 million in a 2023 attack that showed multiple warning signs: MFA fatigue attacks (repeated login attempts), prior breach history they ignored, and industry warnings about the exact technique used against them—all dismissed until it was too late.
4. Social Engineering Tactics
When technical defenses are strong, attackers target human psychology instead. These tactics work because they trigger emotional responses that override logical thinking.
- FUDGE indicators: Fear, Urgency, Desire to please, Greed, and Emotions are the buttons attackers press
- Authority exploitation – “This is the CEO” or “IT Department here” to make you comply without question
- Refusal to provide callback verification – “I’m in a meeting” or “This is too urgent for a callback”
- Requests for gift cards or wire transfers with unusual urgency or secrecy
- Communication during off-hours or busy periods when you’re less likely to verify properly
A startling 57.9% of phishing emails now come from compromised accounts—meaning they’re sent from real people you know and trust, making them much harder to spot.
5. Malware Symptoms
Malicious software reveals itself through changes in how your computer or network behaves.
- Dramatic performance slowdown without clear reason
- Unknown processes running in task manager with odd names or high resource usage
- Browser homepage changes or redirects to websites you didn’t set
- New toolbars or extensions appearing in your browser that you don’t remember installing
- Pop-ups appearing even when your browser is closed
Most people write these off as “computer problems” when they should be treated as potential security incidents.
6. Business Email Compromise (BEC) Signals
BEC attacks target financial transactions by pretending to be trusted contacts. The warning signs are subtle but consistent.
- Payment requests with artificial urgency – “Vendor will cut service if not paid today”
- Banking detail changes via email only without phone confirmation or secondary verification
- Slightly altered display names – “John.Smith@company.com” becomes “John.Smiith@company.com” (note the double ‘i’)
- Missing standard email signatures or signatures that don’t match previous communications
- Requests for unusual confidentiality – “Don’t discuss this with accounting” or “Handle this personally”
BEC fraud cost victims $16.6 billion in 2024 alone, making it the most expensive form of cybercrime. Most of these attacks succeed because nobody picked up the phone to verify the request.
7. System-Level Anomalies
For IT teams, these technical warning signs often appear days or weeks before an attack becomes obvious.
- Unusual outbound data transfers – Large amounts of data leaving your network at odd hours
- After-hours access by non-IT staff to systems or servers they normally don’t use
- Security logs being cleared or showing gaps in the timeline
- Backup systems accessed unexpectedly or backup jobs failing without explanation
- VPN connections from foreign countries where your organization has no employees or operations
These technical warnings often get buried among thousands of other alerts, causing “alert fatigue” that lets critical signals slip through.
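Two items from this list, large outbound transfers at odd hours and gaps in a log timeline, can be pulled out of the noise by comparing each record with the source's own normal behavior. This is an added example, not code from the article; the record format, working hours, both factors and the sample data are constructed assumptions.

```python
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(8, 19)  # assumed working hours, 08:00-18:59 local time
VOLUME_FACTOR = 10             # assumed: off-hours transfer this many times the host median
GAP_FACTOR = 10                # assumed: silence this many times the median interval

# Constructed egress records from one always-on log source: timestamp, host, bytes out.
SAMPLE = """\
2025-06-02T18:40:00 db-02 1000000
2025-06-02T18:45:00 db-02 52000000
2025-06-02T18:50:00 db-02 900000
2025-06-02T18:55:00 db-02 1100000
2025-06-02T19:00:00 db-02 1000000
2025-06-02T20:40:00 db-02 4800000000
2025-06-02T20:45:00 db-02 1000000
2025-06-02T20:50:00 db-02 950000
"""


def parse(text):
    """Turn 'timestamp host bytes' lines into (datetime, host, int) tuples, time-ordered."""
    rows = (line.split() for line in text.strip().splitlines())
    return sorted((datetime.fromisoformat(t), host, int(size)) for t, host, size in rows)


def off_hours_spikes(records):
    """Off-hours transfers far above the sending host's own median transfer size."""
    sizes = {}
    for _, host, size in records:
        sizes.setdefault(host, []).append(size)
    return [
        (when.isoformat(), host, size)
        for when, host, size in records
        if when.hour not in BUSINESS_HOURS and size > VOLUME_FACTOR * median(sizes[host])
    ]


def timeline_gaps(records):
    """Silences in the log far longer than its usual interval between records."""
    times = [when for when, _, _ in records]
    deltas = [later - earlier for earlier, later in zip(times, times[1:])]
    if not deltas:
        return []
    typical = median(deltas)
    return [
        (earlier.isoformat(), later.isoformat())
        for earlier, later in zip(times, times[1:])
        if later - earlier > GAP_FACTOR * typical
    ]
```

The sample yields one spike (the 4.8 GB transfer at 20:40) and one gap (19:00 to 20:40); the larger-than-usual 18:45 transfer is inside working hours and is not flagged.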
The warning signs of an attack are rarely subtle in hindsight. But in the moment, we’re wired to normalize strange activity and find innocent explanations for concerning behavior.
Attackers count on this psychology. They know most people will see the warnings but choose to ignore them because addressing them feels inconvenient or alarmist.
The key is creating a culture where spotting and reporting these warning signs is rewarded, not dismissed. Because your best defense isn’t your firewall—it’s the person who says, “This doesn’t look right to me.”
Why brilliant people make terrible security decisions: The cognitive biases that blind us

The most puzzling aspect of cybersecurity isn’t the technology—it’s the people. Why do smart, capable professionals repeatedly miss warning signs that seem obvious in hindsight? The answer lies not in technical knowledge but in how our brains are wired.
1. Alert Fatigue: When Warnings Become Wallpaper
Imagine your phone buzzed with an alert every time someone walked past your house. At first, you’d check each one. By day three, you’d turn them off. This is exactly what happens in security.
- 49% of security analysts admit to turning off high-volume alert sources completely
- Security teams face hundreds or thousands of alerts daily, with over half being false positives
- The infamous Target breach had multiple warnings that were buried among routine alerts, resulting in 70 million customer records stolen
Security systems are often designed by engineers focused on catching everything—but the human mind can only process so much. As Andrew Morris, founder of GreyNoise, puts it: “Alert fatigue creates a negative mindset leading to rushing, frustration, mind not on the task, or complacency.”
The more warnings your security tools generate, the less likely your team is to notice the ones that matter.
2. Cognitive Biases: Your Brain Is Working Against You
Our brains evolved to make quick decisions based on limited information—a useful skill when running from predators, but dangerous when assessing security risks.
- Optimism bias: We consistently underestimate our personal risk. Dr. Tali Sharot’s research shows people estimate their cancer risk at 10% when the actual rate is 30%—and even when told the real numbers, barely adjust their beliefs. This same bias makes us think, “Sure, attacks happen, but not to me.”
- Normalcy bias: Nearly 80% of people freeze or deny evidence during disasters, assuming things will continue as normal. This leads security teams to rationalize warning signs: “That’s probably just a glitch” instead of “We might be under attack.”
- Confirmation bias: We see what we expect to see. Security pros who believe their systems are secure interpret ambiguous signals as confirming that belief, filtering out contradictory evidence.
- Availability bias: Risks that are easy to recall (like recent news) seem more likely than those that aren’t. If ransomware is in the news, that’s what teams focus on—potentially missing other attack types.
Dr. Margaret Cunningham of Forcepoint explains why even experts fall victim: “Security professionals are as vulnerable as laypeople to cognitive biases. Security experience, training, and education do not show an observable significant effect on circumventing these biases.”
3. Organizational Culture Failures: When Security Is Just Paperwork
Even with the right tools, organizations create environments where security warnings are systematically ignored.
- 67% of organizations report their employees lack basic security awareness
- 25.7% provide no IT security training whatsoever to their staff
- Executives show 100% confidence in security while 68% of breaches involve human mistakes—a massive perception gap
- Many companies treat security as a checkbox exercise rather than a culture
As Perry Carpenter, Chief Evangelist at KnowBe4, puts it: “Awareness is critical, but it is just one piece of the puzzle. Being aware is not the same as caring. Knowing about security doesn’t guarantee anything other than head knowledge.”
When security is seen as the IT department’s problem rather than everyone’s responsibility, warning signs get ignored by those best positioned to spot them.
4. The Busy Professional Trap: When You’re Too Rushed to Notice
Our capacity for good decision-making isn’t constant—it depletes under specific conditions that attackers exploit.
- Decision fatigue peaks during end-of-quarter pushes, holidays, or major deadlines
- Cognitive overload impairs judgment when we’re juggling too many tasks
- Authority bias makes us less likely to question requests that seem to come from executives
- Time pressure activates System 1 thinking (fast, automatic, emotion-driven) rather than the slower, more analytical System 2 thinking needed for security
These factors combine to create perfect attack windows. It’s no coincidence that ransomware attacks often strike on Friday afternoons or holiday weekends—attackers know you’re mentally exhausted and rushing to finish work.
5. Why Training Fails: The Knowledge-Behavior Gap
Perhaps most frustrating is that traditional security training doesn’t solve the problem. Knowledge rarely translates to behavior change.
- 85% of employees understand what phishing is, yet 34% still click on simulated phishing links
- The average organization sees only a 7% reporting rate with quarterly security training
- Adaptive, continuous training programs can boost reporting to 60% (a 9x improvement)
- The Ebbinghaus forgetting curve shows people forget 70% of what they learn within 24 hours without reinforcement
Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance, identifies the core problem: “Security awareness training is increasingly surrounded by characterless instruction, preventing meaningful behavior change.”
Traditional training focuses on transferring facts rather than changing habits. It’s the difference between knowing smoking is bad for you and actually quitting.
When 10 minutes costs $100 million: Recent attacks that could have been stopped

Cyber attacks often seem inevitable only after they happen. The truth? Most major breaches show clear warning signs that were simply ignored.
Let’s look at four recent disasters that might sound familiar—because your organization may be missing these exact same warnings right now.
1. MGM Resorts (September 2023)
It started with a single phone call. In September 2023, an attacker called MGM’s IT helpdesk claiming to be an employee who needed password help. This 10-minute social engineering call ultimately cost the company $100 million.
Timeline of Disaster:
- Day 1: Attacker calls helpdesk, convinces staff to reset credentials
- Days 2-4: Attacker explores network, discovers unprotected systems
- Days 5-7: Ransomware deployed across all systems
- Days 7-17: MGM properties offline, hotel room keys disabled, slot machines down, restaurants taking cash only
But the warning signs were everywhere:
- MFA fatigue attacks were already well-known across the industry months earlier
- No MFA protection on critical Okta Sync servers
- Previous 2019 breach exposing 10.6 million guest records apparently taught them nothing
- MGM’s own security team had flagged their helpdesk training as inadequate
The result? Ten days of crippled operations across Las Vegas properties, $100 million in damages, and a class-action lawsuit from affected customers and employees.
2. Change Healthcare (February 2024)
The Change Healthcare breach is now the largest healthcare data breach in U.S. history, affecting an estimated 190 million Americans (that’s 2 out of every 3 U.S. citizens).
Timeline of Catastrophe:
- Day 1: Attackers gain access through unprotected Citrix portal
- Days 2-8: Attackers move through network, stealing credentials and data
- Day 9: Ransomware deployed, bringing down healthcare payment systems nationwide
- Week 2: Company pays $22 million ransom
- Month 6: Still recovering, with $2.4 billion in damages
The ignored warnings were basic and preventable:
- No multi-factor authentication on their Citrix portal, violating HIPAA security standards
- 9 full days of suspicious activity in the network before encryption
- Compromised credentials used to access critical systems
- Medical clinics reporting issues days before the full attack
The result? Doctors’ offices unable to process insurance, patients facing delayed care, and sensitive medical data of 190 million Americans exposed.
3. BEC Epidemic (2023-2024)
While ransomware grabs headlines, Business Email Compromise (BEC) quietly steals more money than any other cyber attack method.
Recent Devastating Examples:
- Orion S.A. lost $60 million in a single fraudulent wire transfer
- Johnson County Schools had $3.36 million stolen via fake invoice payment
- BEC attacks are up an astounding 1,760% since AI tools made creating convincing fake emails easier
In each case, the same warning signs were ignored:
- Unusual payment urgency (“must process today”)
- Banking details changed with minimal verification
- Communication limited to email only (no phone confirmation)
- Normal approval processes bypassed (“the CEO said this is urgent”)
These attacks resulted in $16.6 billion lost in 2024 alone, with most victims never recovering the stolen funds.
4. Caesars vs. MGM – A Tale of Two Responses
Perhaps the most interesting case is what happened when the same hacking group targeted two Las Vegas casino giants in the same week of September 2023.
Caesars Entertainment:
- Detected attack early
- Paid $15 million ransom quickly
- Limited operational disruption
- Recovered most systems within days
MGM Resorts:
- Detected attack late
- Refused to pay ransom
- 10-day operational shutdown
- $100 million in damages
Both companies faced nearly identical initial attacks. Both had similar security vulnerabilities. But their different response approaches led to dramatically different outcomes.
This isn’t about whether paying ransoms is right—it’s about how prepared each organization was to detect and respond to the warning signs.
Every organization in these case studies would have answered “yes” to some of these questions. The real test isn’t what you believe your security can handle—it’s what happens when real attackers test those beliefs.
The common thread across all these disasters wasn’t sophisticated hacking. It was that human psychology and organizational culture created blind spots to warnings that, in hindsight, were screaming for attention.