Social engineering attacks are a tactic used in the most well-known hacking attacks. It’s a research-based and persuasion-based strategy frequently at the heart of email-based spam, phishing, and spear-phishing schemes. The goal of social engineering attacks is to earn the victim’s trust to steal information and money. Malware, such as ransomware and trojans, is frequently used in social engineering attacks.
The following examples of social engineering attacks will give you a sense of how they work and how damaging they can be for businesses, individuals, and governments. If you ever thought that a simple fake Apple support email might cause serious harm, this list is for you.
What if I told you that, according to Verizon’s 2021 DBIR, social engineering was the most common pattern in breaches last year? Given that, let’s now review some of the most well-known social engineering attacks.
Famous social engineering attacks
1. Shark Tank (2020)
In 2020, Shark Tank television judge Barbara Corcoran was tricked by a phishing and social engineering scheme worth almost USD 400,000. A cybercriminal impersonated her assistant and emailed the bookkeeper asking for a renewal payment for real estate investments, using a fake email account that looked identical to the real one.
2. Twitter Bitcoin scam (2020)
The Twitter Bitcoin scam, one of this year’s cyberattacks, demonstrated that even social media giants are vulnerable. Notable Twitter users with the trusted blue verification checkmark tweeted “double your Bitcoin” offers, informing their followers that donations made through a specific link would be matched.
Well-known leaders, celebrities, and big companies, such as former U.S. President Barack Obama, media billionaire Mike Bloomberg, Apple, and others, were among the Twitter accounts affected. According to The BBC, because the accounts targeted had millions of followers, the bad actors received hundreds of contributions in minutes, reportedly totaling more than $100,000 in Bitcoin.
But how did cybercriminals gain access to the accounts of so many high-profile users in one fell swoop? Through a series of specific social engineering attacks. Malicious actors manipulated Twitter employees to infect them with malware. They then worked their way through Twitter’s internal systems, gaining administrative access to many verified users’ passwords.
3. Toyota (2019)
In 2019, the auto parts supplier Toyota Boshoku Corporation was targeted by a social engineering and BEC (Business Email Compromise) attack.
The total amount of money lost was USD 37 million. Attackers persuaded a finance executive to update the recipient’s bank account information in a wire transfer.
4. Cabarrus County (2018)
Cabarrus County in the United States lost USD 1.7 million in 2018 as a result of a social engineering and BEC scam. Hackers impersonated county vendors and used malicious emails to request that payments be sent to a new bank account. According to the investigation, the money was redirected to several accounts after it was transferred.
5. Ethereum Classic (2017)
After the Ethereum Classic website was hacked in 2017, several people lost thousands of dollars in cryptocurrency. Hackers impersonated the owner of Classic Ether Wallet, gained access to the domain registry, and then redirected the domain to their own server using social engineering. After entering a code on the website that allowed them to view private keys used for transactions, criminals extracted Ethereum cryptocurrency from the victims.
6. Democratic Party (2016)
The 2016 presidential election in the United States is one of the most well-known examples of social engineering. The leak of emails and information from the Democratic Party due to spear-phishing attacks may have influenced the outcome of the election, with Donald Trump defeating Hillary Clinton. Hackers created a phony Gmail email with a link inviting users to change their passwords due to unusual activity. Hundreds of emails containing sensitive information about the Clinton campaign were then made available to fraudsters.
7. Ubiquiti Networks (2015)
Ubiquiti Networks, a networking technology manufacturer, lost nearly $40 million in 2015 due to a phishing attack. It is believed that an employee email account in Hong Kong was compromised. The hackers then used the employee impersonation technique to request fraudulent payments, which the accounting department processed.
8. Sony Pictures (2014)
Following an investigation, the FBI determined that the North Korean government was responsible for the cyberattack on Sony Pictures in 2014. Thousands of files were stolen, including business agreements, financial documents, and employee information. In addition, threat actors launched spear-phishing attacks against Sony Pictures. Employees appear to have been enticed by false Apple emails.
9. Target (2013)
In the 2013 Target data breach, hackers gained access to 40 million customers’ payment information. Criminals used a phishing email to install malware at a Target partner company, which quickly gave them access to the network of the second-largest department store retailer in the United States.
10. South Carolina Department of Revenue (2012)
In 2012, hackers stole millions of Social Security numbers and thousands of credit and debit card numbers from the South Carolina Department of Revenue. Employees fell victim to phishing scams, giving criminals their usernames and passwords. The hackers then gained access to the state agency’s network using the credentials they had obtained.
11. Yahoo Customer Account Breach (2013)
A few years ago, Yahoo had every single customer account compromised due to a social engineering attack. As a result, credentials for a remarkable three billion Yahoo users were exposed, with some of them being sold on the dark web to launch additional attacks on the compromised individuals. Because of its size and data exposure, this is widely regarded as one of the worst cyberattacks of the 2000s.
The attack occurred due to an error by a high-level engineer who clicked on a phishing email. Is there a common thread running through these top hacks of the decade? Phishing scams expand and cause some serious damage.
12. RSA (2011)
It is estimated that RSA, a security company, spent approximately $66 million due to its data breach in 2011. The attack began with an Excel document sent via email to a small group of employees. The subject of the email was something like “Recruitment Plan.” In addition, the attachment contained a malicious file that provided the hackers with a backdoor.
How to prevent social engineering attacks?
As demonstrated by the examples, social engineering is based on the attacker gaining the victim’s trust. As a result, it’s critical to pay attention to emails, double-check attachments and links, and be wary of urgent orders involving money!
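The checks above can be partly automated before a payment request reaches a person. The following is an added example, not part of the original article: it flags a sender domain that nearly matches a trusted one (as in the Shark Tank case), a Reply-To that differs from the sender, and payment language. The trusted domains, phrase list, and sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumptions for this example: the trusted domains and phrases are hypothetical.
TRUSTED_DOMAINS = ("example-realty.com", "example-county.gov")
PAYMENT_TERMS = ("wire transfer", "bank account", "invoice", "payment", "urgent")

# Constructed sample messages (not taken from any real incident).
SUSPICIOUS = """From: Assistant <assistant@examp1e-realty.com>
Reply-To: billing@freemail.example
Subject: Urgent: renewal payment

Please send the wire transfer to the new bank account today.
"""
BENIGN = """From: Clerk <clerk@example-county.gov>
Subject: Meeting notes

Agenda attached for Tuesday.
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return the reasons a message needs out-of-band verification."""
    msg = email.message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        if sender not in TRUSTED_DOMAINS and 0 < edit_distance(sender, trusted) <= 2:
            reasons.append(f"lookalike-domain:{sender}~{trusted}")
    if reply_to and reply_to != sender:
        reasons.append(f"reply-to-mismatch:{reply_to}")
    text = f"{msg['Subject'] or ''} {msg.get_payload()}".lower()
    hits = [term for term in PAYMENT_TERMS if term in text]
    if hits:
        reasons.append("payment-language:" + ",".join(hits))
    return reasons
```

A non-empty result from triage(SUSPICIOUS) means the request should be confirmed through a known phone number or other separate channel before any money moves; triage(BENIGN) returns an empty list.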