Learnings from 5 social engineering attacks that cost millions
- Last Updated: August 28, 2025
Launching threats through email has been going on for decades. Even though email users across the globe are aware of the different types of threats, they still fail to exercise caution when faced with a real-world one. Cybercriminals exploit this gap when they craft and distribute their attacks. They don't always rely on sophisticated malware or technical exploits; the most effective attacks focus on manipulating human psychology, otherwise known as social engineering.
When threat actors use social engineering tactics, even the most robust email security measures cannot fully stop the attack. Because humans are at once the weakest link and the first line of defense for a company, it is crucial that organizations train their employees to identify these attacks and take steps to mitigate them.
Over the past decade, some of the most common email attacks have come through conversations designed to manipulate people. This has hurt even high-profile companies, leading to millions of dollars in monetary losses, reputational damage, and public embarrassment. In this article, we'll examine five major social engineering attacks, on Google and Facebook, MGM Resorts, Ubiquiti, the Belgian bank Crelan, and RSA Security, and explore what organizations can learn from each case.
The Google and Facebook phishing scam
Between 2013 and 2015, two of the world's largest tech giants, Google and Facebook, fell prey to a social engineering attack by a Lithuanian national. A cybercriminal named Evaldas Rimasauskas orchestrated a scheme that exploited fake invoices and corporate impersonation.
The threat actor impersonated a Taiwan-based company called Quanta Computer, a hardware supplier that has ties with both Facebook and Google. Using Quanta's identity, he created legitimate-looking contracts, purchase orders, and invoices, all carrying Quanta's branding. Because Quanta Computer is a vendor both companies work with, and because the sending domain looked believable, the accounts payable departments of both companies processed the transactions.
Due to the negligence of the employees, Google and Facebook wired about $100 million to bank accounts in Latvia and Cyprus. The threat actor was later arrested and sentenced, but the incident remains a stark reminder that even the most tech-savvy organizations can be fooled by paperwork that seems routine.
Learnings
The Google and Facebook scam is a classic example of a vendor email compromise attack. Fraudsters often succeed by exploiting routine documents and paperwork. Invoices, contracts, and vendor details can all be manipulated. Organizations need strict vendor verification processes, multi-step payment approvals, and routine audits to ensure that even familiar requests are legitimate. This way, the onus of making the right decision isn't on a single person, and such mistakes are caught in at least one of the approval layers.
The MGM Resorts cyberattack
The 2023 MGM Resorts cyberattack led to days of operational disruption. This attack was launched by a cybercriminal group called Scattered Spider, allegedly a sub-group of the ALPHV ransomware group. While the exact details were not initially revealed, further investigation brought to light that the attack was initiated through a vishing attack in which the callers impersonated IT personnel and vendors over the phone. By tricking unsuspecting employees, the attackers obtained valid login credentials and then elevated their access to reach sensitive systems.
Later investigations revealed that Scattered Spider also relied on MFA fatigue. They bombarded targeted employees with repeated MFA prompts until one was eventually approved. With this foothold, the attackers moved deeper into MGM’s environment, stealing sensitive data and deploying ransomware that locked portions of its IT infrastructure, causing disruption across operations.
Due to this disruption, MGM faced about $84 million in losses. While the company chose not to pay the ransom, the losses came from cancelled bookings and a huge revenue hit in the financial quarter in which the attack occurred.
Learnings
Security awareness training must extend beyond phishing emails. Helpdesk staff and frontline employees need to be trained to verify identities through secure processes. Zero-trust practices and strong identity verification mechanisms are crucial. The use of MFA fatigue demonstrates that even strong security measures can be undermined if attackers exploit user behavior. Employees need to understand that repeated prompts are a red flag, and organizations should adopt resilient measures like number matching, biometric authentication, or adaptive MFA.
The attack also underscores the importance of incident response readiness. MGM faced prolonged downtime because attackers were able to escalate privileges and deploy ransomware once inside. A well-tested incident response plan, including rapid credential revocation and network isolation, can dramatically reduce the scale of damage.
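The MFA fatigue pattern described above is detectable in authentication logs: a burst of push prompts for one user in a short window, especially one that ends in an approval, is the red flag the text refers to. The following is an added example, not MGM's or any vendor's code, run over constructed sample log lines; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log lines (hypothetical format, not from any real
# system): ISO timestamp, user name, outcome of the push prompt.
SAMPLE_LOG = """\
2023-09-10T02:14:05 alice push_denied
2023-09-10T02:14:41 alice push_denied
2023-09-10T02:15:10 alice push_timeout
2023-09-10T02:15:48 alice push_denied
2023-09-10T02:16:30 alice push_approved
2023-09-10T08:00:02 bob push_approved
2023-09-10T09:30:11 bob push_denied
2023-09-10T12:45:00 bob push_approved
"""


def parse_log(text):
    """Turn the sample lines into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def find_mfa_fatigue(events, threshold=3, window_minutes=10):
    """Return {user: (first_ts, last_ts, prompt_count, approved)} for every
    user who received at least `threshold` push prompts inside a sliding
    window of `window_minutes`. `approved` is True when the burst contains an
    approval, meaning the prompt bombing likely succeeded and the session
    should be revoked, not just alerted on."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, items in by_user.items():
        start = 0
        for end in range(len(items)):
            # slide the window start forward until the span fits the window
            while items[end][0] - items[start][0] > window:
                start += 1
            burst = items[start:end + 1]
            if len(burst) >= threshold:
                approved = any(r == "push_approved" for _, r in burst)
                prev = alerts.get(user)
                if prev is None or len(burst) > prev[2]:  # keep widest burst
                    alerts[user] = (burst[0][0], burst[-1][0], len(burst), approved)
    return alerts
```

Bob's three prompts spread over hours never trip the window, while Alice's five prompts in under three minutes, ending in an approval, do.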
The Ubiquiti networks fraud
In 2015, the networking firm Ubiquiti Networks Inc. faced a cybersecurity incident in which threat actors impersonated the company's executives and tricked the finance department into transferring a huge sum to overseas bank accounts controlled by the attacker. The fraudulent request was made using employee impersonation techniques: by mimicking the email identity of an employee, the attacker sent genuine-looking requests to the finance department.
The finance department believed the request and proceeded to transfer funds worth $46.7 million to the threat actor's bank account. However, once the company became aware that the request was fraudulent, it contacted the bank officials and was able to reverse $8.1 million of the transferred money. This attack is particularly striking because Ubiquiti was a technology company familiar with cybersecurity risks. Yet even in a security-conscious environment, carefully crafted deception proved more effective than technical exploits.
Learnings
Unlike many other cyberattacks, the Ubiquiti attack was quickly recognized by the company, which highlights the importance of continuous monitoring. Having an incident response plan enabled the company to recover some of the lost funds.
However, this attack is a classic example of why financial controls must not rely solely on employee judgment under pressure. Multi-person approval workflows, mandatory callbacks, and independent confirmation processes should be in place for all high-value transfers. This attack also highlights the importance of building a security-first culture. Employees must feel safe questioning unusual instructions, even when they appear to come from the top and cite extreme urgency.
The Belgian bank heist
In 2016, Belgian bank Crelan fell prey to a CEO fraud scheme. Attackers impersonated senior executives and instructed employees to carry out transfers related to what they described as confidential, high-level operations.
The fraud remained undetected for months because the attackers blended their requests seamlessly into the company’s existing workflows. In an internal audit, the large-value transactions were spotted and investigated. During the investigation it was revealed that $75.8 million was transferred to the hacker's account.
The threat actors succeeded by preying on employees’ respect for hierarchy and reluctance to challenge directives from top management. By the time the deception was discovered, it was too late to reverse the damage that had already been caused.
Learnings
The bank stated that its underlying profitability remained intact. However, such a mishap causes serious reputational damage and brings down the public image of the institution. This attack is similar to many other executive impersonation attacks. Only when companies build a culture in which employees are given the space to question such large-value requests will these attacks be stopped.
Additionally, multi-step payment approvals are required. These ensure that the legitimacy of a request is verified at multiple layers before it is processed. Employees must also be taught to check the sender's username and domain name for correctness to verify that the email is legitimate.
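The domain check recommended above, and the believable-looking vendor domain in the Google and Facebook case, can be partly automated before a payment request ever reaches a person. The following is an added example, not code from this article or from any of the companies named; the verified vendor domains, the substitution table and the similarity threshold are assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list of vendor domains that accounts payable has verified out of
# band (hypothetical names, not any real vendor's domain).
KNOWN_VENDOR_DOMAINS = {"quanta-example.com", "otherco-example.net"}


def normalise(domain):
    """Fold common typosquat substitutions so that 'quanta-exarnp1e.com'
    compares equal to 'quanta-example.com'."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    d = d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))
    return d.replace("rn", "m").replace("vv", "w")


def check_sender(address):
    """Classify the domain of a From: address against the verified list.
    Returns (verdict, reason); verdict is 'verified', 'lookalike' or 'unknown'.
    Anything other than 'verified' should route a payment request to the
    manual callback procedure rather than to the approver's inbox."""
    local, _, domain = address.rpartition("@")
    if not local or "." not in domain:
        return "unknown", "malformed address"
    if domain.lower() in KNOWN_VENDOR_DOMAINS:
        return "verified", "exact match to a verified vendor domain"
    if any(ord(c) > 127 for c in domain):
        return "lookalike", "non-ASCII characters in domain (possible IDN homograph)"
    norm = normalise(domain)
    for known in KNOWN_VENDOR_DOMAINS:
        if norm == known:
            return "lookalike", f"character-substitution variant of {known}"
        label = known.split(".")[0]
        # vendor name reused inside an unrelated registrable domain
        if label in norm:
            return "lookalike", f"contains {label} but is not {known}"
        # transpositions and one-off edits of the vendor label
        if SequenceMatcher(None, norm.split(".")[0], label).ratio() >= 0.8:
            return "lookalike", f"closely resembles {known}"
    return "unknown", "domain not on the verified vendor list"
```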
The RSA breach
In 2011, one of the most trusted names in cybersecurity, RSA, found itself the victim of a highly sophisticated cyberattack. The breach began quietly, with a carefully crafted email disguised to look harmless, which slipped past defenses and landed in employee inboxes. A single click on the malicious attachment was all it took. Hidden inside was malicious code that exploited a then-unknown weakness in Adobe Flash.
From that moment, the attackers had a foothold. They installed a remote access tool, later identified as a strain of the “Poison Ivy” malware, that gave them visibility into RSA’s internal systems. They moved deeper, escalating their access step by step. Their ultimate target was RSA’s SecurID tokens, a technology used by major corporations and government agencies to secure logins with two-factor authentication.
The company spent about $66 million to repair the damages caused by the attack. The incident underscored the sobering truth that even the most sophisticated defenses can unravel when a single human action opens the door.
Learnings
The incident revealed the dangers of zero-day vulnerabilities. RSA’s attackers exploited an unpatched flaw in Adobe Flash, a reminder that software supply chains and third-party applications often provide attackers with indirect routes into critical systems. Rapid patch management, vulnerability monitoring, and layered defenses like sandboxing are vital in limiting exposure to such risks.
The use of Poison Ivy malware and lateral movement within the network showed the hallmarks of an advanced persistent threat (APT). Defending against this requires more than perimeter security. Organizations need segmentation, behavior-based monitoring, and strong incident response capabilities to detect subtle anomalies before attackers reach their target.
Finally, the consequences demonstrated that trust itself is at stake. RSA’s SecurID tokens were widely relied upon by governments, military departments, and Fortune 500 companies. The loss of confidence in a security vendor shook the industry and drove home the point that cybersecurity isn’t just about protecting assets, it’s about protecting reputation and credibility.
Common threads across these attacks
Though these five incidents differ in scope and sector, they share striking similarities:
- Humans were the entry point: In every case, attackers manipulated employees rather than directly hacking systems.
- Authority and urgency drove compliance: Whether it was executives "ordering" transfers or a caller pretending to be a colleague in crisis, attackers relied on pressure to override critical thinking.
- Processes were exploited: Fraudulent invoices, IT helpdesk resets, and confidential project requests all took advantage of normal business operations.
- The financial and reputational costs were massive: Losses weren't limited to stolen funds. Downtime, recovery, customer compensation, and long-term trust erosion all added to the damage.
Protection tips for organizations
All five of these attacks were similar in one respect: they manipulated an organization's employees into taking action without giving them much time to think about it. By psychologically manipulating the recipients, threat actors made them act in the attackers' favor.
Take a look at our article on protecting your organization from social engineering attacks to provide top-notch security for your company.
Wrapping up
All five of the cyberattacks explored here show that social engineering is both varied and devastating. From tech giants to banks, casinos, and even cybersecurity firms, no sector is immune. The costs run into millions, but the lessons are invaluable. Organizations must recognize that technology alone cannot stop deception. True resilience comes from combining strong technical defenses with a culture where security is at the forefront.
In addition to human defenses, it's also important for organizations to deploy an email security solution that spots and thwarts anomalies that are invisible to the human eye.
eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.