Over the last several months, “social engineering” has been making headlines more and more frequently. But, before we dive into real-world examples of social engineering attacks, let’s define exactly what social engineering is.
Social engineering attacks are a type of cybercrime in which the attacker fools the target through impersonation. They might pretend to be your boss, your supplier, someone from your IT team, or your delivery company. Regardless of who they’re impersonating, their motivation is always the same — extracting money or data.
So, what’s the biggest threat vector for social engineering attacks? Email. Why do hackers do it? According to Verizon’s 2020 data breach report, money. In fact, the rates of financially-motivated social engineering attacks doubled between 2018 and 2019 and continued to increase after the outbreak of COVID-19.
In this article, we’ll look at six social engineering examples — some big and some recent — all using different techniques. We’ll also tell you how to avoid falling victim to these sorts of attacks.
The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook.
Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company’s name.
The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided — but directing them to deposit money into their fraudulent accounts.
Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.
The Rimasauskas case is a classic example of a spear phishing scam. The attacker hacks or impersonates a trusted person and then “spears” specific individuals.
Spear phishing is more convincing than regular, “spray and pray” phishing because it is highly targeted.
An attacker might also be impersonating someone with whom the target communicates regularly. They may have a near-identical email address, with a very subtle change in the domain name (for example, [email protected] becomes [email protected]–name.com).
You can read more about email impersonation on our blog.
Unfortunately, humans — even those working at the world’s most powerful tech firms — sometimes don’t spot small changes. It could be because they’re distracted or over-worked, or it could simply be because the email was a convincing fake. Whatever the reason, it’s important people aren’t left as the last line of defense.
The best thing you can do to prevent spear phishing scams, then, is to implement technology that protects against advanced impersonation attacks like spear phishing.
In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer.
This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.”
To learn more about how hackers use AI to mimic speech patterns, listen to Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI, at the Tessian Human Layer Security Summit.
Deepfakes are an emerging threat that could soon become a widespread problem. 74% of IT leaders think deepfakes threaten their organizations’ and their employees’ security.
But there are some steps you can take to protect your business from this new type of fraud.
For more information about deepfakes, read this article: Deepfakes: What are They and Why are They a Threat?
After the incident, FACC spent more money suing its CEO and finance chief, alleging that they had failed to implement adequate internal security controls.
While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.
It’s easy to see why CEO fraud is a successful type of social engineering attack.
Imagine working late at the office one day. You get an email from the CEO herself, asking you to make some last-minute amendments to an invoice. The tone is urgent, the email looks genuine, and you have a chance to impress the top boss — why wouldn’t you go ahead and do it?
CEO fraud is a common form of Business Email Compromise (BEC). Using impersonation techniques, scammers can send emails using your CEO’s display name, or email addresses that are nearly indistinguishable. Alternatively, hackers can hijack your CEO’s email account.
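As an added example (not part of the original post, and not Tessian’s technology), here is a small Python check that flags the two impersonation patterns described above: a sender domain that is a near-copy of the corporate domain, and an executive’s display name on an address outside that domain. The corporate domain, executive names and From: headers are all constructed for the example.

```python
# Added example: flag From: headers whose domain imitates a trusted domain, or
# whose display name matches a known executive while the address is external.
# All names, domains and headers below are constructed, not real.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme-corp.com"}            # assumed corporate domain
EXECUTIVES = {"jane doe", "sam patel"}          # assumed CEO / CFO display names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resembles(domain: str, trusted: str) -> bool:
    """True if 'domain' is a look-alike of 'trusted' rather than 'trusted' itself."""
    if domain == trusted or domain.endswith("." + trusted):
        return False                               # real domain or its subdomain
    if edit_distance(domain, trusted) <= 2:        # e.g. acme-c0rp.com, acme-corp.co
        return True
    return trusted.rpartition(".")[0] in domain    # e.g. acme-corp-name.com


def check_sender(from_header: str) -> list[str]:
    """Return impersonation indicators for one From: header (empty if none)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    name = " ".join(display.lower().split())
    if domain in TRUSTED_DOMAINS:
        return []      # internal sender; assumes SPF/DKIM/DMARC already passed
    indicators = []
    if any(resembles(domain, t) for t in TRUSTED_DOMAINS):
        indicators.append("lookalike-domain")
    if name in EXECUTIVES:
        indicators.append("executive-display-name")
    return indicators


if __name__ == "__main__":
    for hdr in ['"Jane Doe" <jane.doe@acme-c0rp.com>',
                '"Jane Doe" <jane.doe@acme-corp.com>',
                'Accounts Payable <ap@acme-corp-name.com>',
                '"Sam Patel" <sam.patel.cfo@gmail.com>']:
        print(f"{hdr:45} -> {check_sender(hdr) or 'ok'}")
```

A real deployment would also treat a hijacked but genuine executive mailbox as a separate case, since neither indicator fires when the domain is the trusted one.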
Tessian’s machine learning technology knows what your CEO’s emails should look like and can alert employees to tiny differences in email addresses and even subtle deviations from their “normal” tone.
Learn more about how Tessian prevents CEO Fraud at some of the world’s leading businesses. Read customer stories here.
Perhaps the most successful social engineering attack of all time was conducted against Belgian bank Crelan. While Crelan discovered its CEO had been “whaled” after conducting a routine internal audit, the perpetrators got away with $75 million and have never been brought to justice.
Crelan fell victim to “whaling” — a type of spear phishing in which the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds.
You can read more about whaling here: Whaling Email Attacks: Examples & Prevention Strategies.
In defending against whaling attacks, the same principles apply as when defending against spear phishing and CEO Fraud. In addition to making sure employees – including senior executives – are trained on how to spot impersonation attacks, you need to implement email security solutions to detect and prevent successful inbound attacks.
To learn more about how Tessian bolsters training, reinforces policies and procedures, and stops threats – all without disrupting employees’ workflow – book a demo.
In July 2020, Twitter lost control of 130 Twitter accounts, including those of some of the world’s most famous people — Barack Obama, Joe Biden, and Kanye West.
The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes — before Twitter could remove the tweets — the perpetrator had earned around $110,000 in Bitcoin across more than 320 transactions.
Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but somehow Twitter employees were tricked into revealing account credentials that allowed access to the compromised accounts.
Vishing attacks typically utilize “Voice over Internet Protocol” (VoIP) technology in order to fake their caller ID. Attackers can also use “war diallers” to contact many people in a short period. The attack may start with a recorded message directing the target to call back.
The key to protecting your business from vishing attacks is staff training. Ensure your employees understand what a vishing attack might sound like (the caller has an urgent tone or offers unexpected benefits), and make it clear that they should never respond to such a call.
Nearly everyone gets the occasional text message that looks like a scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it.
Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx. The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details.
The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission.
While 96% of phishing occurs via email, smishing is an increasingly serious threat to individuals and businesses. Consumer Reports claims that the Federal Trade Commission (FTC) received 93,331 complaints about fraudulent text messages in 2018 — a 30% increase from 2017.
Smishing scams follow the same patterns as other social engineering attacks. Smishing text messages are typically urgent in tone, claiming that the target is in danger of a fine or has been the victim of credit card fraud. Or they may claim that the target has won a prize, or is owed a tax refund.
So, how do you avoid falling victim to a scam? In the workplace, security teams should ensure employees exercise the same caution when responding to text messages as they do with emails.
Top tip: Never respond to a suspicious message, click links within SMS messages, or reveal personal or company information via SMS.
While we’ve included three tips to help you detect social engineering attacks in this blog: What is Social Engineering? 4 Types of Attacks, it’s important to remember that these scams – whether delivered by email, text, or voicemail – are genuinely hard to spot.
That’s why technology is essential and where Tessian comes in.
Powered by machine learning, Tessian Defender analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO Fraud, BEC, spear phishing, and other targeted social engineering attacks.
Best of all, it does all of this silently in the background in real time, and in-the-moment warnings help bolster training and reinforce policies. That means employee productivity isn’t affected and security reflexes improve over time.
To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today.