
Social Engineering: Real-World Attacks That Worked

Writer:
Regina El Ahmadieh

Social engineering has been dominating the headlines lately, and the term covers a wide range of attacks and tactics. After defining social engineering, we will look at some notable cases.

What is Social Engineering?

Social engineering attacks are a category of cybercrime that works through human interaction rather than through a technical flaw. They cover a wide range of malicious activity, all of it relying on psychological manipulation to trick people into making security mistakes or revealing sensitive information. Attackers may pose as a manager, a supplier, a member of the victim's own IT team, or simply someone asking for help.

According to Verizon’s 2020 Data Breach Investigations Report, the primary goals and motivations of social engineering are financial gain or data theft. Financially motivated social engineering attacks doubled between 2018 and 2019 and continued to rise after the COVID-19 outbreak.

Below are six examples of social engineering attacks, each using different techniques:

1. Phishing Attack on Google and Facebook

Lithuanian citizen Evaldas Rimasauskas carried out one of the largest social engineering attacks on record against Google and Facebook, defrauding the two companies of more than $100 million combined. Rimasauskas and his accomplices registered a company under the name of a real computer hardware manufacturer that supplied both tech giants, opened bank accounts in that name, and sent targeted phishing emails carrying invoices for goods and services the legitimate manufacturer had actually delivered. Because the invoices matched real orders, employees paid them, wiring the money to the attackers' accounts. This is the classic business email compromise (BEC) pattern: it needs no technical exploit, only a plausible invoice and payment details that nobody verifies out of band against the supplier's record on file.

2. UK Energy Company, March 2019

The CEO of a UK energy company received a phone call from someone posing as the chief executive of its German parent company. The caller, reportedly using voice-synthesis software to mimic the executive's accent and manner of speaking, was convincing enough that the CEO transferred $243,000 to what he believed was a Hungarian supplier. The account belonged to the scammers.

3. FACC, Austrian Aircraft Parts Manufacturer

FACC, an Austrian aerospace supplier, lost around €50 million (roughly $55 million at the time) in what is known as a CEO fraud scheme: scammers impersonating senior executives persuaded employees to transfer funds. FACC then sued its former CEO and CFO for failing to put adequate internal controls in place. The suit failed, but it underlines that cybersecurity is business-critical and everyone's responsibility; Gartner has predicted that by 2024 CEOs may be held personally liable for cyber incidents.

4. Crelan Bank, Belgium

Crelan Bank suffered one of the costliest CEO-fraud losses on record. During a routine internal audit, the bank discovered that staff had been tricked by attackers impersonating its executives into transferring roughly €70 million. The perpetrators were never brought to justice.

5. Twitter Breach, July 2020

Attackers targeted 130 Twitter accounts, including those of high-profile figures such as Barack Obama, Joe Biden, and Kanye West. They read direct messages on some of the accounts and, within minutes, posted tweets asking followers to send Bitcoin. Before Twitter could remove the tweets, the attackers had collected approximately $110,000 in Bitcoin from over 320 transactions.
Twitter described the incident as a phone-based spear phishing attack (also called vishing). Details of the calls have not been made public, but employees were tricked into handing over credentials that gave the attackers access to Twitter's internal account-support tools. The FBI investigated, and the scandal sent Twitter's stock down 7% in pre-market trading the next day.

6. SMS Scam, September 2020

A widespread SMS phishing (smishing) campaign prompted the Texas Attorney General to issue a public warning. Victims received fraudulent texts claiming to come from delivery companies such as DHL, UPS, or FedEx and asking them to click a link to "claim ownership" of an undelivered package. The link led to a page that asked for personal information and credit card details. The Attorney General warned that delivery companies do not contact customers this way, and that anyone receiving such a message should report it to the Attorney General's office or the Federal Trade Commission (FTC).

Social engineering attacks route around technical controls by targeting people, and they rely on pretexts convincing enough that victims rarely notice anything is wrong until the money is gone. Preventing them takes awareness, vigilance, and continuous education, backed by simple procedures such as verifying any payment or credential request through a second, independent channel.

To learn how to prevent these attacks, read the full guide here: /post/5
