Social engineering is the tactic behind some of the most famous hacker attacks. It's a method based on research and persuasion that is usually at the root of phishing and spear phishing scams spread by email.
The cases listed below will give you an idea of how these attacks work and how costly they can be for companies, people and governments. If you ever doubted that a mere fake Apple support email could do some real damage, this list is for you.
Check out these seven real cases of social engineering attacks:
1. Ethereum Classic, 2017
Several people lost thousands of dollars in cryptocurrency after the Ethereum Classic website was hacked, in 2017. Using social engineering, hackers impersonated the owner of Classic Ether Wallet, gained access to the domain registry, and then redirected the domain to their own server. Criminals extracted Ethereum cryptocurrency from the victims after entering a code on the website that allowed them to view private keys that are used for transactions.
2. Democratic Party, 2016
One of the most iconic cases of social engineering is the United States presidential election in 2016. Spear phishing attacks led to the leak of emails and information from the Democratic Party that may have influenced the result of the election, with Donald Trump's victory over Hillary Clinton. Hackers created a fake email from Gmail, inviting users, through a link, to change their passwords due to unusual activity. Fraudsters then had access to hundreds of emails containing sensitive information about the Clinton campaign.
3. Ubiquiti Networks, 2015
Ubiquiti Networks, a manufacturer of technology for networking, lost almost $40 million dollars, in 2015, after a phishing attack. It’s believed that an employee email account was compromised in Hong Kong. Then, hackers used the technique of employee impersonation to request fraudulent payments, which were made by the accounting department.
4. Sony Pictures, 2014
After an investigation, the FBI pointed out that the cyberattack on Sony Pictures, in 2014, was the responsibility of the North Korea government. Thousands of files, including business agreements, financial documents and employees’ information, were stolen. Sony Pictures was targeted by spear phishing attacks. It appears employees were lured by fake Apple emails.
5. Target, 2013
As a result of the Target data breach, in 2013, hackers gained access to 40 million customers’ payment information. Through a phishing email, criminals installed a malware on a Target partnering company, which allowed them, in a second moment, to access the network of the second-largest department store retailer in the United States. Hackers then installed another malware on Target's system to copy customers' credit and debit card information. What can we learn from this attack? Be very cautious with companies and partners that have access to your network.
6. South Carolina Department of Revenue, 2012
Hackers stole millions of Social Security numbers and thousands of credit and debit card information from the South Carolina Department Revenue, in 2012. Employees fell into phishing scams, sharing their usernames and passwords with criminals. After that, with credentials in hands, the hackers gained access to the state agency's network.
7. RSA, 2011
It’s estimated that the RSA, a security company, has spent about $66 million because of its data breach, in 2011. The attack started with an Excel document, sent to a small group of employees via email. The email subject said something like "Recruitment Plan”. The attachment contained a malicious file which opened a backdoor for the hackers.