
Social Engineering Attacks


Social engineering is the manipulation of people to gain unauthorized access, steal information, or trick victims into performing harmful actions. Instead of exploiting technical flaws, it exploits human weaknesses such as trust, curiosity, fear, or urgency.

• Phishing

Mass fraudulent emails or messages designed to trick users into clicking malicious links or giving away credentials.

• Spear‑Phishing

Highly targeted phishing aimed at specific individuals, executives, or departments.

• Pretexting

Crafting a believable false identity or story to obtain information (e.g., pretending to be an IT technician).

• Baiting

Using something tempting (free downloads, USB drives, giveaways) to lure victims into a trap.

• Tailgating (Piggybacking)

Physically following authorized personnel into restricted areas without valid access.


🏆 Top 10 Biggest / Most Significant Social Engineering Incidents

A high‑level, historical summary, written from a defensive perspective.

1. Google & Facebook Invoice Scam (~$100M, 2013–2015)

Attackers impersonated a legitimate hardware supplier and tricked accounting departments into sending over $100M in payments.

2. RSA Security Breach (2011)

Phishing emails with a malicious Excel file compromised RSA’s SecurID system, impacting major corporations and government agencies.

3. Ubiquiti Networks BEC Fraud ($40M, 2015)

Attackers impersonated company executives to authorize fraudulent financial transfers.

4. Target Breach Entry Point (2013)

Attackers stole vendor credentials through phishing, enabling access to Target’s network and exposing over 40 million payment cards.

5. 2020 Twitter Admin Panel Breach

Teens social‑engineered Twitter employees, gaining control over internal tools and major verified accounts.

6. Sony Pictures Hack (2014)

The attack began with phishing emails that led to credential theft, allowing hackers to steal massive amounts of data.

7. Snapchat Payroll Scam (2016)

A fake request from the CEO tricked HR into sending employee payroll information.

8. FACC Aerospace CEO Fraud ($50M, 2016)

An email impersonating the CEO caused the company to transfer tens of millions to criminals.

9. Google Docs Worm (2017)

Millions received a fake Google Docs sharing message that attempted to gain access to their contacts and spread further.

10. Colonial Pipeline Initial Compromise (2021)

The ransomware event stemmed from a compromised user account—believed to have originated from prior phishing or password exposure.


Social Engineering “Must-Know” Techniques for Cybersecurity

Common Tactics

  • Urgency Pressure (“Your account will be closed in 24 hours!”)
  • Authority Impersonation (CEO, IT support, law enforcement, vendors)
  • Fear and Threats (“Your tax refund is frozen unless…”)
  • Curiosity Hooks (“Look at these photos of you!”)
  • Greed / Incentive Hooks (“You’ve won a free iPhone!”)

Major Social Engineering Channels

  • Email (phishing, spear‑phishing)
  • SMS (smishing)
  • Phone calls (vishing)
  • Social media impersonation
  • USB drop attacks
  • Physical access/social presence

Organizational-Level Threats

  • Business Email Compromise (BEC) – Executive impersonation to authorize fraudulent transfers.
  • Vendor/Third-Party Compromise – Attacking suppliers to bypass stronger internal defenses.
  • Insider Manipulation – Convincing employees to share credentials or system access.
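As an added example (not part of the original page), a small Python triage script that turns the Common Tactics list and the BEC item above into checks on a raw email: it flags an executive display name sent from a non-corporate domain and a redirected Reply-To as BEC indicators, and tallies which of the five lure categories appear in the subject and body. The executive list, corporate domain, cue phrases and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical org data: executive names a BEC lure would borrow, and the corporate domain.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}

# The page's five "Common Tactics", each mapped to constructed cue phrases.
LURE_CUES = {
    "urgency": [r"\bwithin 24 hours\b", r"\bimmediately\b", r"\burgent\b"],
    "authority": [r"\bceo\b", r"\bit support\b", r"\bhelp ?desk\b"],
    "fear": [r"\bsuspended\b", r"\bfrozen\b", r"\blegal action\b"],
    "curiosity": [r"\bphotos of you\b", r"\bdid you see\b"],
    "greed": [r"\byou'?ve won\b", r"\bfree (iphone|gift)\b"],
}

def analyze(raw: str) -> dict:
    """Score one raw RFC 822 message for social-engineering cues; returns flags, lures, score."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    flags = []
    # BEC indicator: the display name is an executive, but the address is off-domain.
    if name.lower() in EXECUTIVES and domain != CORP_DOMAIN:
        flags.append("exec_name_external_domain")
    # BEC indicator: replies are silently routed to a different mailbox.
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply_to_mismatch")
    lures = [cat for cat, pats in LURE_CUES.items()
             if any(re.search(p, text) for p in pats)]
    score = 2 * len(flags) + len(lures)  # header flags weigh more than wording cues
    return {"flags": flags, "lures": lures, "score": score}

# Constructed sample: a CEO-fraud wire request from a look-alike domain with redirected replies.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-relay.example.net
To: accounts@example.com
Subject: Urgent wire transfer

I need this vendor payment sent within 24 hours. Handle it immediately and keep it confidential.
-- Jane Doe, CEO
"""
```

Run `analyze(SAMPLE_BEC)` to see both header flags plus the urgency and authority lures fire; a routine internal note from the real corporate domain with no cue phrases scores 0.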

Phishing – Focuses & Variants

Major Phishing Types

  • Standard Phishing – Mass emails.
  • Spear‑Phishing – Targeted individuals.
  • Whaling – Targeting high-value executives.
  • Smishing – Fraudulent SMS messages.
  • Vishing – Phone call–based social engineering.
  • Clone Phishing – Re-sending legitimate emails with malicious payloads.

Well-Known Phishing Examples

  • Google & Facebook scam
  • RSA breach
  • Ubiquiti BEC
  • Google Docs worm
  • PayPal/banking phishing kits (ongoing)