In this article, we’ll look at 11 social engineering examples — some big and some recent — all using different techniques. We’ll also tell you how to avoid falling victim to these sorts of attacks.
Did you know? Social engineering was the most commonly seen pattern in last year’s breaches, according to Verizon’s 2021 DBIR.
Social engineering attacks are a type of cybercrime wherein the attacker fools the target through impersonation. They might pretend to be your boss, your supplier, someone from your IT team, or your delivery company. Regardless of who they’re impersonating, their motivation is always the same — extracting money or data.
The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook.
Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company’s name.
The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into the scammers’ fraudulent accounts.
Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.
In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer.
This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.”
To learn more about how hackers use AI to mimic speech patterns, listen to Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI, at Tessian’s Human Layer Security Summit.
After the incident, FACC spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls.
While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.
Here’s how the attack works. Pay attention—it’s actually pretty clever.
The target receives a blank email with a subject line about a “price revision.” The email contains an attachment that looks like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” is actually a .html file in disguise.
Upon opening the (disguised) .html file, the target is directed to a website containing malicious code. The code triggers a pop-up notification, telling the user they’ve been logged out of Microsoft 365, and inviting them to re-enter their login credentials.
You can guess what happens next—the fraudulent web form sends the user’s credentials off to the cybercriminals running the scam.
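The disguise described above relies on nobody checking whether the file behind the “.xlsx” name is really a spreadsheet. A mail gateway or mailbox script can do that check for the user by comparing the declared extension against the file’s leading bytes: a genuine .xlsx (like .docx and .pptx) is an OOXML package, which is a ZIP archive and always starts with `PK\x03\x04`, while an HTML page renamed to .xlsx starts with markup. The following is an added example, not Tessian’s code; the sample attachments are constructed inline and the `example.invalid` address is a placeholder.

```python
"""Flag e-mail attachments whose declared extension does not match their content.

Added example (not Tessian's code). OOXML documents (.xlsx/.docx/.pptx) are ZIP
packages and start with PK\\x03\\x04; legacy .xls/.doc/.ppt files are OLE2
compound files with their own signature. An HTML file renamed to .xlsx starts
with markup instead, so the mismatch is visible before anyone opens it.
"""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.xlsx/.docx/.pptx)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 (.xls/.doc/.ppt)

EXPECTED_MAGIC = {
    ".xlsx": ZIP_MAGIC, ".docx": ZIP_MAGIC, ".pptx": ZIP_MAGIC,
    ".xls": OLE_MAGIC, ".doc": OLE_MAGIC, ".ppt": OLE_MAGIC,
}

HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<script|<form|<meta", re.IGNORECASE)


def looks_like_html(data: bytes) -> bool:
    """True if the start of the file carries HTML markup (BOM and whitespace skipped)."""
    head = data[:2048].lstrip(b"\xef\xbb\xbf \t\r\n")
    return HTML_MARKERS.search(head) is not None


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'ok', 'html-in-disguise' or 'extension-mismatch' for one attachment."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return "ok"                   # not an Office extension: outside this check
    if data.startswith(expected):
        return "ok"                   # signature matches the declared type
    if looks_like_html(data):
        return "html-in-disguise"     # the case described in the article
    return "extension-mismatch"       # something else is hiding behind the name


def scan_attachments(attachments):
    """Return [(filename, verdict)] for every attachment that is not 'ok'."""
    findings = []
    for name, data in attachments:
        verdict = classify_attachment(name, data)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


def make_minimal_xlsx() -> bytes:
    """Constructed stand-in for a real workbook: a ZIP package with one part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


# Constructed sample attachments (not real captured files).
REAL_XLSX = make_minimal_xlsx()
FAKE_XLSX = (b"  \r\n<!DOCTYPE html><html><body>"
             b"<form action='https://example.invalid/login'></form>"   # placeholder URL
             b"</body></html>")

if __name__ == "__main__":
    samples = [("q2_figures.xlsx", REAL_XLSX), ("price_revision.xlsx", FAKE_XLSX)]
    for name, verdict in scan_attachments(samples):
        print(f"{name}: {verdict}")
```

Checking the signature is cheap enough to run on every inbound attachment, and the third verdict matters in practice: a file that is neither the declared format nor HTML still deserves a look, because it is not what the sender claims it is.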
This type of phishing—which relies on human error combined with weak defenses—has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data.
In April 2021, several employees of U.K. rail operator Merseyrail received an unusual email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from several newspapers and tech sites were also copied in.
The email—sent by a fraudster impersonating Merseyrail’s director—revealed that the company had been hacked and had tried to downplay the incident. The email also included an image of a Merseyrail employee’s personal data.
It’s not clear how Merseyrail’s email system got compromised (although security experts suspect a spear phishing attack)—but the “double extortion” involved makes this attack particularly brutal.
The “Lockbit” gang not only exfiltrated personal data from Merseyrail’s systems and demanded a ransom to release it—the scammers also used their access to the company’s systems to launch an embarrassing publicity campaign on behalf of its director.
Criminals are always looking for new ways to evade email security software. One BEC attack, discovered in April 2021, involves a particularly devious way of sneaking through traditional email security software like Secure Email Gateways (SEGs) and rule-based Data Loss Prevention (DLP).
BEC attacks often rely on impersonating official emails from respected companies. This means embedding the company’s logos and branding into the email as image files.
Some “rule-based” email security software automatically treats image files as suspicious. If a phishing email contains a .png file of the Microsoft Windows logo, the email is more likely to be detected—but without that distinctive branding, the email won’t look like it came from Microsoft.
But once again, cyber criminals have found a way to exploit the rule-based security approach.
To imitate Microsoft’s branding, this attack uses a table instead of an image file—simply a four-square grid, colored to look like the Windows logo. The average employee is unlikely to closely inspect the logo and will automatically trust the contents of the email.
This isn’t the first time fraudsters have used tables to evade rule-based DLP software. For example, some email security filters are set up to detect certain words, like “bitcoin.” One way around this is to create a borderless table and split the word across the columns: “bi | tc | oin.”
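A rule that searches the raw HTML for “bitcoin” never sees the word when it arrives as `<td>bi</td><td>tc</td><td>oin</td>`. The defence is to match on what the reader sees rather than on the markup: extract the visible text, drop cell boundaries and whitespace, and run the keyword rule on that collapsed string. A second, content-independent signal is the share of table cells that hold only a fragment of a word, which is exactly what the borderless-table trick produces. The following is an added example, not Tessian’s code; the two message bodies are constructed for the demonstration.

```python
"""Re-join text that a borderless table has split across cells before keyword matching.

Added example (not Tessian's code). normalized_match() applies a keyword rule to the
collapsed visible text so "bi | tc | oin" is seen as "bitcoin"; fragment_ratio()
measures how many table cells hold only a word fragment.
"""
import re
from html.parser import HTMLParser

# Whitespace plus zero-width/soft-hyphen characters that do not change what the reader sees.
INVISIBLE = re.compile(r"[\s\u200b\u200c\u200d\u2060\u00ad]+")


class BodyParser(HTMLParser):
    """Collect visible text and, separately, the text of every table cell."""

    def __init__(self):
        super().__init__()      # convert_charrefs=True: &nbsp; etc. become characters
        self.parts = []         # all visible text, in document order
        self.cells = []         # stripped text of each <td>/<th>
        self._cell = None
        self._skip = 0          # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("td", "th"):
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag in ("td", "th") and self._cell is not None:
            self.cells.append("".join(self._cell).strip())
            self._cell = None

    def handle_data(self, data):
        if self._skip:
            return
        self.parts.append(data)
        if self._cell is not None:
            self._cell.append(data)


def parse(html: str) -> BodyParser:
    p = BodyParser()
    p.feed(html)
    p.close()
    return p


def normalize(html: str) -> str:
    """Visible text with whitespace and invisible characters removed, lower-cased."""
    return INVISIBLE.sub("", "".join(parse(html).parts)).lower()


def naive_match(html: str, keyword: str) -> bool:
    """What a simple raw-HTML keyword rule does."""
    return keyword.lower() in html.lower()


def normalized_match(html: str, keyword: str) -> bool:
    """The same keyword rule applied to the collapsed visible text."""
    return INVISIBLE.sub("", keyword).lower() in normalize(html)


def fragment_ratio(html: str) -> float:
    """Share of table cells holding three or fewer visible characters."""
    cells = parse(html).cells
    if not cells:
        return 0.0
    return sum(1 for c in cells if len(c) <= 3) / len(cells)


# Constructed sample message bodies (not captured from a real attack).
SPLIT_WORD = """<html><body><p>Please settle the invoice in
<table style="border:0;display:inline"><tr><td>bi</td><td>tc</td><td>oin</td></tr></table>
by Friday.</p></body></html>"""

BENIGN = """<html><body><p>Q2 figures attached.</p>
<table><tr><th>Region</th><th>Revenue</th></tr><tr><td>EMEA</td><td>1,204,000</td></tr></table>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("split", SPLIT_WORD), ("benign", BENIGN)):
        print(label, naive_match(body, "bitcoin"), normalized_match(body, "bitcoin"),
              round(fragment_ratio(body), 2))
```

Collapsing all whitespace means “bit coin” matches too, which is what you want for this trick but can produce false positives in ordinary prose, so keep the collapsed match for a short list of high-risk terms and treat a high fragment ratio as a reason to route the message for review rather than to block it outright.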
In late 2020, a novel but simple social engineering scam emerged that exploited Google Drive’s notification system.
The fraud begins with the creation of a document containing malicious links to a phishing site. The scammer then tags their target in a comment on the document, asking the person to collaborate.
Once tagged, the target receives a legitimate email notification from Google containing the comment’s text and a link to the relevant document.
If the scam works, the victim will view the document, read the comments, and feel flattered that they’re being asked to collaborate. Then, the victim will click one of the malicious links, visit the phishing site, and enter their login credentials or other personal data.
This scam is particularly clever because it exploits Google’s email notification system for added legitimacy. Such notifications come straight from Google and are unlikely to trigger a spam filter.
But like all social engineering attacks, the Google Drive collaboration scam plays on the victim’s emotions: in this case, the pride and generosity we might feel when called upon for help.
Want to see a screenshot of a similar attack? We break down a spear phishing attack in which the attacker impersonates Microsoft Teams. Check it out here.
April 2021 saw yet another phishing attack emerge that appears specifically designed to target remote workers using cloud-based software.
The attack begins when the target receives an email—written in the urgent tone favored by phishing scammers—requesting their signature on a document hosted in Microsoft SharePoint.
The email looks legitimate. It includes the SharePoint logo and branding familiar to many office workers. But the link leads to a phishing site designed to siphon off users’ credentials.
Phishing attacks increasingly aim to exploit remote collaboration software—Microsoft research suggests nearly half of IT professionals cited the need for new collaboration tools as a major security vulnerability during the shift to working from home.
Perhaps the most successful social engineering attack of all time was conducted against Belgian bank Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice.
Crelan fell victim to “whaling” — a type of spear-phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds.
In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West.
The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions.
Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts.
Nearly everyone gets the occasional text message that looks like a scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it.
Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details.
The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission.
Top tip: Never respond to a suspicious message, click links within SMS messages, or reveal personal or company information via SMS.
There’s one common thread through all of these attacks, whether delivered by email, text, or voicemail: they’re really, really hard to spot.
That’s why technology is essential, and that’s where Tessian comes in.
Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks.
To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today.
Or, if you’d rather just stay up-to-date with the latest social engineering attacks, subscribe to our weekly blog digest. You’ll get news, threat intel, and insights from security leaders for security leaders straight to your inbox.