Find practical strategies for defending against social engineering attacks at both the individual and organizational level. Content covers awareness training techniques, verification protocols, policy development, and building a security-first culture that resists manipulation attempts.
posts
Your Board Doesn't Care About Completion Rates I sat in a meeting last year where a CISO proudly reported a 97% training completion rate. The board nodded politely. Two months later, a single phishing email led to a credential theft incident that cost the organization $2.3 million
In 2024, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to the help desk. The threat actor didn't exploit a zero-day vulnerability or deploy some exotic malware. They impersonated an employee. That's it. And it
In 2024, MGM Resorts lost an estimated $100 million after a social engineering attack that started with a single phone call to a help desk employee. The threat actor impersonated an employee, convinced IT staff to reset credentials, and within hours had access to critical systems. One conversation. No malware.
93% of Breaches Start With a Person, Not a Firewall In 2023, Verizon's Data Breach Investigations Report confirmed what security professionals have been screaming about for years: the human element was involved in 74% of all breaches. By 2024, that figure remained stubbornly high. A cybersecurity awareness quiz
In March 2025, a mid-size healthcare provider in the Midwest lost 1.4 million patient records because one employee in accounts payable clicked a link in a fake DocuSign email. The organization had antivirus software, a firewall, and an email gateway. What they didn't have was a phishing
In May 2024, a single employee at a midsize healthcare company clicked a link in what looked like a routine Microsoft 365 password reset email. Within 72 hours, a threat actor had exfiltrated 1.4 million patient records, triggered a ransomware payload, and the organization was staring down an eight-figure
The Text Message That Cost One Company $40 Million In 2024, a sophisticated smishing campaign targeted employees at several major financial institutions. Threat actors sent SMS messages impersonating IT support, directing staff to fake login portals that harvested credentials and multi-factor authentication tokens. The attackers then used those stolen credentials
In 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered a help desk employee with a ten-minute phone call. The attacker didn't exploit a zero-day vulnerability. They exploited a person — someone who hadn't been trained to recognize what was happening. That single
In September 2023, a teenager used a phone call to trick an MGM Resorts employee into resetting credentials. That single social engineering attack cost MGM an estimated $100 million. No malware exploit. No zero-day vulnerability. Just a convincing voice on the other end of a help desk line. If you
MGM Resorts lost an estimated $100 million in September 2023 because a threat actor called an IT help desk, impersonated an employee, and talked their way into a privileged account. No zero-day exploit. No nation-state malware. Just a phone call and a human who hadn't been trained to
