Find practical strategies for defending against social engineering attacks at both the individual and organizational level. Content covers awareness training techniques, verification protocols, policy development, and building a security-first culture that resists manipulation attempts.
posts
In 2024, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to a help desk employee. The threat actor impersonated an employee, convinced IT staff to reset credentials, and within hours had access to critical systems. One conversation. No malware.
93% of Breaches Start With a Person, Not a Firewall In 2023, Verizon's Data Breach Investigations Report confirmed what security professionals have been screaming about for years: the human element was involved in 74% of all breaches. By 2024, that figure remained stubbornly high. A cybersecurity awareness quiz
In March 2021, a mid-size law firm in Atlanta lost $2.3 million to a single wire fraud attack. The attacker spoofed the managing partner's email, requested an urgent transfer, and a paralegal complied without hesitation. When the firm investigated, they discovered their annual security awareness program consisted
Colonial Pipeline just shut down 5,500 miles of fuel infrastructure this week. One compromised password. That's all it took. While forensic details are still emerging, the early reporting points to a single set of stolen credentials — likely obtained through a social engineering attack on an employee. If
In July 2020, a 17-year-old from Florida convinced Twitter employees to hand over internal credentials. Within hours, the accounts of Barack Obama, Elon Musk, Joe Biden, and Apple were all posting Bitcoin scam messages. The attacker didn't exploit a software vulnerability. He exploited people. These social engineering examples
Most Security Quizzes Are a Waste of Everyone's Time I recently reviewed the cybersecurity training program at a mid-size financial services firm that had been breached through a credential theft phishing email. They had a training program. They had quizzes. Every employee passed with flying colors — 95% average
One Click Cost Them $100 Million In 2023, MGM Resorts was brought to its knees — not by a sophisticated zero-day exploit, but by a phone call. A threat actor called the help desk, impersonated an employee found on LinkedIn, and gained access to internal systems. The resulting ransomware attack cost
The Breach That Bankrupted a 40-Person Company In 2023, a small accounting firm in Sacramento lost every client record it had. A single employee clicked a phishing link disguised as a DocuSign notification. Within 72 hours, a threat actor had deployed ransomware across the entire network. The firm paid $350,
In 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered a help desk employee with a ten-minute phone call. The attacker didn't exploit a zero-day vulnerability. They didn't write custom malware. They called IT support, impersonated an employee found on LinkedIn, and
A 45-Minute Training Video Nobody Watched In 2023, a mid-size healthcare company I consulted for spent $60,000 on a compliance-focused security awareness program. It featured a 45-minute narrated slideshow, a 10-question quiz, and a certificate of completion. Their post-training phishing simulation results? A 31% click rate — virtually unchanged from
