Learn how attackers use psychological manipulation to trick people into revealing sensitive information or performing unsafe actions. Topics include pretexting, baiting, tailgating, vishing, and real-world social engineering case studies that expose common human vulnerabilities.
posts
The Fake Invoice That Cost a Hospital System $28 Million In 2024, Ascension Health — one of the largest healthcare systems in the United States — suffered a devastating ransomware attack that disrupted operations across 140 hospitals. The initial entry vector? A malicious file that an employee downloaded, believing it to be
In 2023, MGM Resorts lost an estimated $100 million after a threat actor called Scattered Spider social-engineered the company's IT help desk with a ten-minute phone call. The attacker didn't exploit a zero-day vulnerability. They didn't brute-force a password. They just talked their way
In May 2021, a single phishing email led to the shutdown of Colonial Pipeline — the largest fuel pipeline in the United States. One compromised credential. One employee who didn't catch the red flags. The result: fuel shortages across the East Coast, a $4.4 million ransom payment, and
In 2023, the FBI's Internet Crime Complaint Center received over 298,000 phishing complaints — making it the most reported cybercrime for the fifth consecutive year. Yet every week, I still talk to business owners who think phishing is just "those obvious Nigerian prince emails." It'
In March 2025, CISA and the FBI issued a joint advisory warning that the Medusa ransomware gang had compromised over 300 organizations across critical infrastructure sectors — healthcare, education, legal, insurance, and manufacturing. The attack vector wasn't some exotic zero-day exploit. It was phishing. Specifically, carefully crafted Medusa ransomware
A Single Phish Email Cost One Company $37 Million In 2024, Orion SA disclosed that a single employee fell for a business email compromise scheme and wired approximately $60 million to a threat actor's accounts. The company recovered some funds, but the net loss still exceeded $37 million.
That Gmail Notification Might Be Real — Or It Might Be the Attack Itself In January 2024, Google reported blocking over 99.9% of phishing emails from reaching Gmail inboxes. That sounds impressive until you realize that the remaining fraction still amounts to millions of malicious messages daily. Among the most
A Single Email Cost One Company $100 Million In 2019, Toyota Boshoku Corporation lost $37 million to a single business email compromise attack. Facebook and Google collectively lost over $100 million to a Lithuanian man who sent fake invoices via email over a two-year period. These weren't sophisticated
Your Organization Needs a Phish Setlist — Not Just One Test In 2023, the FBI's IC3 received over 298,000 phishing complaints — making it the most reported cybercrime category for the fifth consecutive year. Yet most organizations I work with still run the same single phishing simulation once a
In early 2024, researchers at Proofpoint documented a campaign where a single threat actor group rotated through at least six distinct phishing lure templates in under three weeks — targeting financial services, healthcare, and education sectors in sequence. Security teams that recognized the first lure missed the second. Those who caught
