04:00 PM
Sara Peters
Sara Peters
Connect Directly

The 7 Best Social Engineering Attacks Ever

Seven reminders of why technology alone isn't enough to keep you secure.

Image, via Wikipedia: Maquette Trojan Horse, used in the movie Troy, a gift from Brad Pitt to the Turkish town Canakkale
Image, via Wikipedia: Maquette Trojan Horse, used in the movie Troy, a gift from Brad Pitt to the Turkish town anakkale

Social engineering is nothing new.

In 1849, Samuel Williams, the original "confidence man," as the newspapers named him, engineered gullible strangers out of their valuables simply by asking "Have you confidence in me to trust me with your watch until tomorrow?" Through the late 19th and early 20th century Joseph "Yellow Kid" Weil ran a variety of scams, including conning Benito Mussollini out of $2 million by selling him phony rights to mining lands in Colorado. And of course in the 1960s, Frank Abagnale, subject of the movie Catch Me If You Can, made a living faking identities and passing bad checks.

While technology has made some kinds of fraud more difficult to commit, it's created all sorts of new opportunities for adaptable fraudsters. And even the very strongest security technology can be overcome by a clever social engineer. That's part of the reason security awareness training for end users is so essential.

"Executives 'get it' right away," says Wombat Security president and CEO Joe Ferrara, about awareness training. "The people who are harder to convince are...the die-hard technologists who don't want to leave [anything] in the hands of the user." 

So for you die-hard technologists out there who need convincing, here are a few examples of social engineering prevailing over security technology. A few are my own personal favorites, and a few are Ferrara's, who will be presenting a session on the topic at the Interop Las Vegas conference.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Megan is Always Wright
Megan is Always Wright,
User Rank: Apprentice
10/9/2017 | 11:15:58 AM
Re: What is Social Engineering really?
Social engineering is basically a technique that has long been used by humans even before the birth of the Internet. By using these techniques, the evildoers among us are able to win our trust, or more like fool us into sharing stuff that we shouldn't.

I also didnt understand what it was until i read this article ( which explained what it was and how to protect against it
User Rank: Apprentice
10/5/2017 | 8:03:33 AM
What is Social Engineering really?
I have been reading about the social engineering thing lately, I am getting lots of phishing emails lately and I wonder where I went wrong. May be someone has got a hold of my email. I have become more aware now and I literally check every link before even opening it.
User Rank: Apprentice
3/14/2017 | 6:00:19 AM
Forex security and vulnerabilities
Great post as always. Technology advances every day, new vulnerabilities arise all the time. Security is everyones main priority and rightly so. For any site owner nowadays you need a dedicated security team to make sure you and your customers are safe. Its a scary world out there.
User Rank: Strategist
10/2/2015 | 4:56:47 AM
thank's for post
system security in any country is the future !
User Rank: Apprentice
10/1/2015 | 3:18:11 PM
Re: name required
The post refers to "Ferrara" repeatedly, but never describes who he is or what he does. 
User Rank: Apprentice
5/9/2015 | 9:41:21 AM
Social Engineering examples
Here's another example:

It's not one of 'the best social engineering attacks' ever, but shows that anyone can be a target.


User Rank: Apprentice
3/28/2015 | 2:37:41 AM
Re: name required
great post
User Rank: Apprentice
3/24/2015 | 7:21:23 AM
Confidence Man
The name of the "confidence man" was "William Thompson" and not "Samuel Williams". The article "Arrest of the Confidence Man" (New-York Herald, July 8, 1849) can be found online.
User Rank: Strategist
3/19/2015 | 4:24:22 AM
Good examples
Great article!  Periodic User awareness training to reduce social engineering is of paramount importance.  Some phishing emails are so good that high trained security people can fall for them.  The examples in the article effectively demonstrate the issue.

The rule I use for my own emails is not click links in emails, including unsubscribe, unless the email is expected, such as one as confirmation during new account setup. Of course, never click on attachments either unless they are expected.  I have within Spyshelter (anti-keylogger) where I can save an attachment, right click the file and on the pop-up menu click 'Spyshelter-> Check it on VirusTotal'; it uploads to .   It's then scanned by over 50 antivirus software products. 

I think this rule is probably the most important security measure I use for computers at my home.
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
3/18/2015 | 6:45:32 PM
name required
Can we all agree to ignore any email that isn't addressed by name?
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-20
PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
PUBLISHED: 2019-02-20
The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.
PUBLISHED: 2019-02-20
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image c...
PUBLISHED: 2019-02-20
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring...
PUBLISHED: 2019-02-20
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.