Social engineering attacks are one of the main ways bad actors scam companies. Here are 15 of the biggest attacks, and how they happened.
Social engineering attacks are a type of cybercrime in which the attacker fools the target through impersonation. They might pretend to be your boss, your supplier, someone from your IT team, or your delivery company. Regardless of who they’re impersonating, their motivation is always the same — extracting money or data.
The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company’s name.
The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.
In January 2022, Bleeping Computer described a sophisticated phishing attack designed to steal Office 365 credentials in which the attackers imitated the US Department of Labor (DoL). The scam is a noteworthy example of how convincing phishing attempts are becoming.
The attack used two methods to impersonate the DoL’s email address—spoofing the actual DoL email domain (reply@dol[.]gov) and buying up lookalike domains, including “dol-gov[.]com” and “dol-gov[.]us”. Using these domains, the phishing emails sailed through the target organizations’ security gateways.
The emails used official DoL branding, were professionally written, and invited recipients to bid on a government project. The supposed bidding instructions were included in a three-page PDF with a “Bid Now” button embedded.
On clicking the link, targets were redirected to a phishing site that looked identical to the actual DoL site, hosted at a URL such as bid-dolgov[.]us. The fake bidding site instructed users to enter their Office 365 credentials. The site even displayed an “error” message after the first input, ensuring the target would enter their credentials twice and thus reducing the possibility of mistyped credentials.
It’s easy to see how even a relatively scrupulous employee could fall for an attack like this—but the problem would not have arisen if the target organization had better email security measures in place.
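One of the gateway checks implied above is a lookalike-domain test on the sender. The following is an added example, not code from the original post or from Tessian, that flags the domains named in this case; the trusted list is a constructed assumption, and a message that claims the real dol.gov address must additionally pass SPF/DKIM/DMARC alignment, which this check does not cover.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Domains the organization legitimately receives mail from. Constructed list
# for this example; a deployment would load it from configuration.
TRUSTED_DOMAINS = ["dol.gov"]

def compact(domain: str) -> str:
    """Reduce a domain to lowercase alphanumerics, so that 'dol-gov.com',
    'dol-gov.us' and 'bid-dolgov.us' all contain the string 'dolgov'."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())

def sender_domain(from_header: str) -> str:
    """Domain part of a From: header value such as 'DoL <reply@dol-gov.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify(domain: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.8) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain.

    Accepts defanged input like 'dol-gov[.]com' as written in threat reports.
    A 'trusted' verdict only means the name matches; a spoofed header claiming
    the real domain still has to be caught by SPF/DKIM/DMARC alignment."""
    domain = domain.lower().replace("[.]", ".").rstrip(".")
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in trusted:
        g, d = compact(good), compact(domain)
        # Trusted name embedded in the candidate ('dolgov' in 'biddolgovus'),
        # or near-identical by edit similarity (homoglyph swaps), is a lookalike.
        if g in d or SequenceMatcher(None, g, d).ratio() >= threshold:
            return "lookalike"
    return "unrelated"
```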
As world leaders debate the best response to the increasingly tense situation between Russia and Ukraine, Microsoft warned in February 2022 of a new spear phishing campaign by a Russian hacking group targeting Ukrainian government agencies and NGOs.
The group—known as Gamaredon and tracked by Microsoft as ACTINIUM—has allegedly been targeting “organizations critical to emergency response and ensuring the security of Ukrainian territory” since 2021.
The initial phase of Gamaredon’s attack relies on spear phishing emails containing malware. The emails also contain a tracking pixel that informs the cybercriminals whether it has been opened.
The case is an important reminder of how cybersecurity plays an increasingly central role in international conflicts—and how all organizations should be taking steps to improve their security posture and protect against social engineering attacks.
In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer.
This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.”
To learn more about how hackers use AI to mimic speech patterns, watch Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI.
Chinese plane parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud scam” in which scammers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls.
While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.
In April 2021, security researchers discovered a Business Email Compromise (BEC) scam that tricks the recipient into installing malicious code on their device. Here’s how the attack works, and it’s actually pretty clever.
The target receives a blank email with a subject line about a “price revision.” The email contains an attachment that looks like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” is actually a .html file in disguise.
Upon opening the (disguised) .html file, the target is directed to a website containing malicious code. The code triggers a pop-up notification, telling the user they’ve been logged out of Microsoft 365, and inviting them to re-enter their login credentials.
You can guess what happens next—the fraudulent web form sends the user’s credentials off to the cybercriminals running the scam.
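Because the attachment’s name and its bytes disagree, the disguise described above is detectable before anyone opens it. Added example, not code from the original post or from Tessian: the sample attachment and the minimal workbook are constructed inline; the OOXML member names checked are standard, and a genuine spreadsheet carries far more members than the stand-in.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension -> container type the bytes should actually have.
EXPECTED_TYPE = {"xlsx": "xlsx", "xlsm": "xlsx", "html": "html", "htm": "html"}
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body")

def sniff(data: bytes) -> str:
    """Identify the real content type from the bytes, ignoring the filename."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # An OOXML workbook is a ZIP containing at least these two members.
        if "[Content_Types].xml" in names and "xl/workbook.xml" in names:
            return "xlsx"
        return "zip"
    head = data[:1024].lstrip().lower()
    if any(marker in head for marker in HTML_MARKERS):
        return "html"
    return "unknown"

def attachment_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one type but the bytes are another."""
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    expected = EXPECTED_TYPE.get(ext)
    if expected is None:
        return False  # extension not covered by this check
    return sniff(data) != expected

def make_minimal_xlsx() -> bytes:
    """Constructed stand-in for a genuine workbook: a ZIP holding the OOXML
    members sniff() looks for (placeholder contents, not a real sheet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

# Constructed sample: named like a spreadsheet, but the bytes are an HTML page.
DISGUISED = b"<html><body><script>/* redirect to fake login */</script></body></html>"
```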
This type of phishing—which relies on human error combined with weak defenses—has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data.
Customers of the Oversea-Chinese Banking Corporation (OCBC) were hit by a string of phishing attacks and malicious transactions in 2021, leading to around $8.5 million of losses across approximately 470 customers.
The bank’s CEO Helen Wong described her company’s battle against the phishing attacks and subsequent fraudulent transfers as like “fighting a war.”
OCBC customers were duped into giving up their account details after receiving phishing emails in December 2021. The situation escalated quickly despite the bank shutting down fraudulent domains and alerting customers of the scam.
Wong described how, once the phishing campaign had taken hold, the fraudsters had set up “mule” accounts to receive stolen funds. No matter how quickly the bank’s security team managed to shut down a mule account, the scammers would soon find another to take its place.
The CEO described her dilemma after getting the phishing campaign under control: reimbursing customers felt like the right thing to do, but Wong feared it could incentivize further attacks. So far over 200 customers have been compensated.
In April 2021, several employees of U.K. rail operator Merseyrail received an unusual email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from several newspapers and tech sites were also copied in.
The email—sent by a fraudster impersonating Merseyrail’s director—revealed that the company had been hacked and had tried to downplay the incident. The email also included an image of a Merseyrail employee’s personal data.
It’s not clear how Merseyrail’s email system got compromised (although security experts suspect a spear phishing attack)—but the “double extortion” involved makes this attack particularly brutal.
The “Lockbit” gang not only exfiltrated Merseyrail’s personal data and demanded a ransom to release it—the scammers used their access to the company’s systems to launch an embarrassing publicity campaign on behalf of its director.
Criminals are always looking for new ways to evade email security software. One BEC attack, discovered in April 2021, involves a particularly devious way of sneaking through traditional email security software like Secure Email Gateways (SEGs) and rule-based Data Loss Prevention (DLP).
BEC attacks often rely on impersonating official emails from respected companies. This means embedding the company’s logos and branding into the email as image files.
Some “rule-based” email security software automatically treats image files as suspicious. If a phishing email contains a .png file of the Microsoft Windows logo, the email is more likely to be detected—but without that distinctive branding, the email won’t look like it came from Microsoft.
But once again, cyber criminals have found a way to exploit the rule-based security approach.
To imitate Microsoft’s branding, this attack uses a table instead of an image file—simply a four-square grid, colored to look like the Windows logo. The average employee is unlikely to closely inspect the logo and will automatically trust the contents of the email.
This isn’t the first time fraudsters have used tables to evade rule-based DLP software. For example, some email security filters are set up to detect certain words, like “bitcoin.” One way around this is to create a borderless table and split the word across the columns: “bi | tc | oin.”
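The split-word trick above defeats a keyword rule because the rule sees “bi”, “tc” and “oin” as three unrelated fragments. Added example, not code from the original post or from Tessian: a small filter that re-joins the cells of each table row before matching, run over a constructed sample message; the watchlist is an assumption.

```python
import re
from html.parser import HTMLParser

WATCHLIST = ("bitcoin",)  # assumed DLP keyword list

class CellCollector(HTMLParser):
    """Collect visible text, plus the cell text of each table row separately."""
    def __init__(self):
        super().__init__()
        self.text = []   # every visible text fragment, in document order
        self.rows = []   # one list of cell strings per <tr>
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self.rows.append([])
        elif tag in ("td", "th"):
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            if self.rows:
                self.rows[-1].append("".join(self._cell).strip())
            self._cell = None

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())
        if self._cell is not None:
            self._cell.append(data)

def keyword_hits(html: str, watchlist=WATCHLIST) -> dict:
    """Map each matched keyword to 'plain' (visible as written) or 'split'
    (only visible once the cells of a table row are fused together)."""
    p = CellCollector()
    p.feed(html)
    plain = " ".join(p.text).lower()
    hits = {}
    for word in watchlist:
        if word in plain:
            hits[word] = "plain"
            continue
        for row in p.rows:
            fused = re.sub(r"[^a-z0-9]", "", "".join(row).lower())
            if word in fused:
                hits[word] = "split"
                break
    return hits

# Constructed sample mirroring the borderless-table evasion described above.
SPLIT_HTML = ('<p>Payment details below.</p><table border="0"><tr>'
              '<td>bi</td><td>tc</td><td>oin</td></tr></table>')
```

Row-level fusion also matches across genuinely separate short cells, so treat a “split” hit as a triage signal rather than a verdict.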
Five employees at Sacramento County revealed their login credentials to cybercriminals after receiving phishing emails on June 22, 2021.
The attack was discovered five months later, after an internal audit of workers’ email inboxes.
The breach occurred after employees received phishing emails containing a link to a malicious website. The targets entered their usernames and passwords into a fake login page which were then harvested by cybercriminals.
The attack resulted in a data breach exposing 2,096 records of health information and 816 records of “personal identification information.” The county notified the victims by email and offered free credit monitoring and identity theft services.
It remains to be seen whether this proposed resolution by the county will be enough. Protection of health information is particularly tightly regulated in the US, under the Health Insurance Portability and Accountability Act (HIPAA), and data breaches involving health data have led to some hefty lawsuits in the past.
In late 2020, a novel but simple social engineering scam emerged that exploited Google Drive’s notification system.
The fraud begins with the creation of a document containing malicious links to a phishing site. The scammer then tags their target in a comment on the document, asking the person to collaborate.
Once tagged, the target receives a legitimate email notification from Google containing the comment’s text and a link to the relevant document.
If the scam works, the victim will view the document, read the comments, and feel flattered that they’re being asked to collaborate. Then, the victim will click one of the malicious links, visit the phishing site, and enter their login credentials or other personal data.
This scam is particularly clever because it exploits Google’s email notification system for added legitimacy. Such notifications come straight from Google and are unlikely to trigger a spam filter.
But like all social engineering attacks, the Google Drive collaboration scam plays on the victim’s emotions: in this case, the pride and generosity we might feel when called upon for help.
Want to see a screenshot of a similar attack? We break down a spear phishing attack in which the attacker impersonates Microsoft Teams. Check it out here.
April 2021 saw yet another phishing attack emerge that appears specifically designed to target remote workers using cloud-based software.
The attack begins when the target receives an email—written in the urgent tone favored by phishing scammers—requesting their signature on a document hosted in Microsoft Sharepoint.
The email looks legitimate. It includes the Sharepoint logo and branding familiar to many office workers. But the link leads to a phishing site designed to siphon off users’ credentials.
Phishing attacks increasingly aim to exploit remote collaboration software—Microsoft research suggests nearly half of IT professionals cited the need for new collaboration tools as a major security vulnerability during the shift to working from home.
Perhaps the most successful social engineering attack of all time was conducted against Belgian bank Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice.
Crelan fell victim to “whaling” — a type of spear-phishing where the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds.
In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West.
The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions.
Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts.
Nearly everyone gets the occasional text message that looks like it could be a potential scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it.
Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details.
The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission.
Top tip: Never respond to any suspicious message, click links within SMS messages, or reveal personal or company information via SMS.
There’s one common thread through all of these attacks: they’re really, really hard to spot. That’s where Tessian comes in. Tessian is intelligent cloud email security that stops threats and builds smart security cultures in the modern enterprise.
Powered by machine learning, Tessian analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks.
To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today. Or, if you’d rather just stay up-to-date with the latest social engineering attacks, subscribe to our weekly blog digest. You’ll get news, threat intel, and insights from security leaders for security leaders straight to your inbox.