In-depth coverage of social engineering tactics used by attackers, including pretexting, baiting, tailgating, and spear phishing. Articles explain how these manipulation techniques exploit human psychology and provide actionable defenses organizations can deploy to protect their people and data.
posts
A $900,000 FTC Settlement Started with a Fake Identity Website In 2020, the FTC took action against operators running deceptive websites that harvested personal information under the guise of offering government services. Consumers thought they were applying for benefits or retrieving official documents. Instead, their Social Security numbers, dates
The FBI Keeps Warning About Gmail — And Most People Keep Ignoring It In 2020, the FBI's Internet Crime Complaint Center (IC3) received 791,790 complaints — a 69% increase from 2019. A staggering number of those complaints involved business email compromise, phishing, and credential theft targeting popular email platforms.
The Colonial Pipeline Attack Started with a Single Compromised Credential As I write this, Colonial Pipeline is still scrambling to restore fuel delivery to the southeastern United States after a ransomware attack that shut down 5,500 miles of pipeline. The FBI confirmed DarkSide as the threat actor. While the
In July 2020, a 17-year-old in Florida convinced a Twitter employee to hand over internal credentials. Within hours, the attacker hijacked accounts belonging to Barack Obama, Elon Musk, and Apple — tweeting a Bitcoin scam to millions. The breach didn't start with a sophisticated exploit or zero-day vulnerability. It
One Phish Email Took Down a $60 Billion Company's Defenses In 2023, MGM Resorts International lost roughly $100 million after a social engineering attack that started with a single phone call to their help desk. But most attacks don't even require that much effort. The average
In 2023, the FBI's Internet Crime Complaint Center received over 298,000 complaints about phishing — making it the most reported cybercrime in the United States for the fifth consecutive year. Yet when I ask employees during security assessments to explain what phishing actually is, most give me a
One Click Cost This Company $100 Million In 2023, MGM Resorts was brought to its knees — not by a sophisticated zero-day exploit, but by a phone call and a phishing email. Threat actors from the Scattered Spider group used social engineering to gain access, eventually deploying ransomware that disrupted operations
A Single Text Message Cost One Company $15 Million In 2022, Twilio disclosed that attackers used SMS phishing — smishing — to trick employees into surrendering their credentials. The threat actors sent text messages impersonating the company's IT department, directing staff to a fake login page. That single campaign compromised
A Single Email Cost This Company $100 Million In 2019, Toyota Boshoku Corporation wired $37 million to a threat actor who impersonated a business partner via email. Facebook and Google collectively lost over $100 million to a Lithuanian man who sent fake invoices over two years. These weren't
A Single Click That Cost $100 Million In 2023, MGM Resorts was brought to its knees — not by a sophisticated zero-day exploit, but by a phishing attack that started with a phone call to an IT help desk. Threat actors from the Scattered Spider group used social engineering to impersonate
