Learn how attackers use psychological manipulation to trick people into revealing sensitive information or performing unsafe actions. Topics include pretexting, baiting, tailgating, vishing, and real-world social engineering case studies that expose common human vulnerabilities.
posts
In April 2022, researchers at Avast discovered that the GhostDNS botnet had compromised over 100,000 home routers across Brazil — silently redirecting banking customers to pixel-perfect phishing pages. Victims typed their real bank URLs into their browsers. The addresses looked correct. But every keystroke landed on a threat actor'
89% of Employees Think They'd Spot a Phish. The Data Says Otherwise. I ran a phishing simulation for a mid-size law firm last year. Before the test, we surveyed staff — 89% said they were confident they could identify a phishing email. Then we sent three simulated phishes over
The Email That Cost One Company $37 Million In 2024, the FBI's Internet Crime Complaint Center reported that business email compromise — a sophisticated form of phishing — accounted for over $2.9 billion in adjusted losses. That's not a typo. Billions. And it all starts with a
In 2023, the FBI's Internet Crime Complaint Center received over 298,000 phishing complaints — making it the most reported cybercrime for the fifth consecutive year. And those are just the ones people reported. I've spent years helping organizations respond to breaches, and the vast majority start
In March 2025, CISA and the FBI issued a joint advisory warning that the Medusa ransomware gang had compromised over 300 organizations across critical infrastructure sectors — healthcare, education, legal, insurance, and manufacturing. The attack vector in the vast majority of cases? Phishing. Not some exotic zero-day exploit. Not a nation-state
That Gmail Account Access Warning Might Be Real — Or It Might Be the Attack Itself In early 2024, a sophisticated phishing campaign targeted Gmail users with emails that looked exactly like legitimate Google security alerts. The messages warned of suspicious sign-in activity and directed users to a pixel-perfect fake login
In 2023, the FBI's Internet Crime Complaint Center reported that business email compromise — a sophisticated category of fake email — caused adjusted losses exceeding $2.9 billion in a single year. That wasn't from exotic zero-day exploits. It was from emails that looked real but weren'
In 2024, MGM Resorts lost an estimated $100 million after a threat actor called a help desk, impersonated an employee, and gained access to internal systems. The initial vector? A social engineering call informed by information harvested through phishing. One phone call. One convincing story. Nine figures in damages. If
10,000 Malicious Domains and Counting In early 2025, the FBI issued a stark public warning about a massive smishing campaign — fraudulent SMS text messages — targeting Americans across all 50 states. The FBI warning on smishing texts wasn't routine. It described a coordinated operation leveraging more than 10,
Your Search for a Phish Setlist Could Land You on a Hacker's Hook Last summer, a colleague of mine — a die-hard Phish fan — searched for a phish setlist from a recent show at Madison Square Garden. He clicked what looked like a legitimate fan site. Within seconds, his
