10 real and famous cases of social engineering attacks
Updated at: Jun 18, 2020
Social engineering is the tactic behind some of the most famous hacker attacks. It's a method based on research and persuasion that is usually at the root of spam, phishing and spear phishing scams, which are spread by email.
The purpose of social engineering attacks is, basically, to gain the victim's trust to steal data, information, and money. Social engineering incidents often also involve the use of malware, such as ransomware and trojans.
The cases of social engineering listed below will give you an idea of how these attacks work and how costly they can be for companies, people and governments. If you ever doubted that a mere fake Apple support email could do some real damage, this list is for you.
In this article, we'll show you the following examples of social engineering:
- Shark Tank.
- Cabarrus County.
- Ethereum Classic.
- Democratic Party
- Ubiquiti Networks.
- Sony Pictures.
- South Carolina Department of Revenue.
Check out 10 social engineering attacks
1. Shark Tank, 2020
Shark Tank television judge Barbara Corcoran was tricked in a nearly USD 400,000 phishing and social engineering scam in 2020. A cybercriminal impersonated her assistant and sent an email to the bookkeeper requesting a renewal payment related to real estate investments. He used an email address similar to the legitimate one. The fraud was only discovered after the bookkeeper sent an email to the assistant's correct address asking about the transaction.
2. Toyota, 2019
Toyota Boshoku Corporation, an auto parts supplier, was the victim of a social engineering and BEC (Business Email Compromise) attack in 2019. The money lost amounts to USD 37 million. Using persuasion, attackers persuaded a finance executive to change recipient's bank account information in a wire transfer.
3. Cabarrus County, 2018
Due to a social engineering and BEC scam, Cabarrus County, in the United States, suffered a loss of USD 1.7 million in 2018. Using malicious e-mails, hackers impersonated county suppliers and requested payments to a new bank account. According to the investigation, after the money was transferred, it was diverted to several accounts. In the emails, the scammers presented apparently legitimate documentation.
4. Ethereum Classic, 2017
Several people lost thousands of dollars in cryptocurrency after the Ethereum Classic website was hacked, in 2017. Using social engineering, hackers impersonated the owner of Classic Ether Wallet, gained access to the domain registry, and then redirected the domain to their own server. Criminals extracted Ethereum cryptocurrency from the victims after entering a code on the website that allowed them to view private keys that are used for transactions.
5. Democratic Party, 2016
One of the most iconic cases of social engineering is the United States presidential election in 2016. Spear phishing attacks led to the leak of emails and information from the Democratic Party that may have influenced the result of the election, with Donald Trump's victory over Hillary Clinton. Hackers created a fake email from Gmail, inviting users, through a link, to change their passwords due to unusual activity. Fraudsters then had access to hundreds of emails containing sensitive information about the Clinton campaign.
6. Ubiquiti Networks, 2015
Ubiquiti Networks, a manufacturer of technology for networking, lost almost $40 million dollars, in 2015, after a phishing attack. It’s believed that an employee email account was compromised in Hong Kong. Then, hackers used the technique of employee impersonation to request fraudulent payments, which were made by the accounting department.
7. Sony Pictures, 2014
After an investigation, the FBI pointed out that the cyberattack on Sony Pictures, in 2014, was the responsibility of the North Korea government. Thousands of files, including business agreements, financial documents and employees’ information, were stolen. Sony Pictures was targeted by spear phishing attacks. It appears employees were lured by fake Apple emails.
8. Target, 2013
As a result of the Target data breach, in 2013, hackers gained access to 40 million customers’ payment information. Through a phishing email, criminals installed a malware on a Target partnering company, which allowed them, in a second moment, to access the network of the second-largest department store retailer in the United States. Hackers then installed another malware on Target's system to copy customers' credit and debit card information. What can we learn from this attack? Be very cautious with companies and partners that have access to your network.
9. South Carolina Department of Revenue, 2012
Hackers stole millions of Social Security numbers and thousands of credit and debit card information from the South Carolina Department Revenue, in 2012. Employees fell into phishing scams, sharing their usernames and passwords with criminals. After that, with credentials in hands, the hackers gained access to the state agency's network.
10. RSA, 2011
It’s estimated that the RSA, a security company, has spent about $66 million because of its data breach, in 2011. The attack started with an Excel document, sent to a small group of employees via email. The email subject said something like "Recruitment Plan”. The attachment contained a malicious file which opened a backdoor for the hackers.
How to prevent social engineering incidents
As seen in the examples, social engineering is based on the fact that the attacker gains the victim's trust. For this reason, it's important to pay attention to emails, check attachments and links, and be suspicious of urgent orders that mainly involve money.
Technology is also in your favor. Gatefy provides different email protection solutions for companies. For example, we’ve a secure email gateway solution and an anti-fraud solution (based on DMARC) that will help your business to fight social engineering attacks, phishing, and other threats.