1. The Fake CEO Emergency
At a large manufacturing company, the CFO received an urgent email that appeared to come from the CEO, who was allegedly traveling and needed an immediate wire transfer of $250,000 to close a confidential overseas deal. The email matched the CEO’s usual communication style and referenced recent internal discussions, making it highly convincing. Attackers had previously gained access to the CEO’s email through a phishing scheme and monitored conversations for weeks. They exploited the CFO’s sense of urgency and loyalty to the CEO. Without double-checking the request through another communication channel, the CFO authorized the wire transfer. Outcome: The funds were sent to a foreign bank account, and the scam was discovered only after the money was lost.

2. The Vendor Payment Auto-Renewal Scam
A mid-sized tech company received an email that appeared to come from a vendor they had used two years ago. The email claimed that the contract had auto-renewed and the company’s credit card had just been charged $12,000. An official-looking invoice and a customer service phone number were attached, with instructions to call if there were questions. The scammers played on the company’s fear of unauthorized charges and their need to resolve issues quickly. The financial department panicked and called the number. The scammer on the phone asked for the company’s credit card details to "reverse" the charge. Outcome: The scammers used the card information to make fraudulent purchases before the company realized the scheme.

3. The Gift Card Trick
At a marketing firm, several employees received an email from what seemed to be a senior executive asking them to purchase $5,000 worth of gift cards for a client campaign. They were instructed to scratch off the backs of the cards and send the codes via email. Because buying gift cards for clients was not unusual, employees assumed the request was valid. The attackers exploited the employees' trust in leadership and their desire to complete tasks quickly without raising suspicion. Outcome: Multiple employees sent gift card codes to the scammer, who drained the value of the cards within minutes. The company lost thousands of dollars.

4. The Payroll Support Call
At a large organization, a payroll clerk received a call from someone claiming to be from their payroll software provider. The caller insisted there was a critical issue that would prevent employees from receiving their paychecks unless immediate action was taken. The scammer exploited the clerk’s fear of payroll disruptions. Without verifying the call with the IT department or the provider, the clerk gave the attacker login credentials to "fix" the issue. Outcome: The attacker used the credentials to access the payroll system and reroute several employees' direct deposits to fraudulent accounts.

5. The Fake Vendor Payment Update
A Fortune 500 company received an email appearing to be from a long-standing vendor, notifying them of a change in bank account details for future payments. The email looked authentic, including the vendor’s logo and correct contact details, making it seem legitimate. The accounts payable department updated the bank account information and wired $500,000 to the new account without confirming the change by calling the vendor directly. By targeting the accounts payable department, the scammer exploited the associate's fear of late payment, which could result in additional fees, interest charges, and possibly the loss of a critical supplier. Outcome: The company realized too late that the vendor had never requested a bank account change, and the funds were unrecoverable.

6. The QR Code Scam
A large retailer received a wave of customer complaints about malicious software infecting their phones. It turned out that scammers had placed fraudulent QR code stickers on products sold at the store. These codes directed unsuspecting customers to a phishing website, which prompted them to download what they thought was a loyalty app but was actually malware that granted the attacker access to their personal information. The scammers targeted the curiosity and convenience associated with QR codes, knowing that many people would scan without verifying the source. Outcome: Customers’ devices were compromised, and attackers gained access to personal data and accounts. The retailer had to issue a public apology and assist customers in recovering their compromised accounts.

Do's and Don'ts for Employees to Prevent Social Engineering Scams
Do’s:
- Verify Financial Requests and Changes: Always confirm wire transfers, bank account changes, or payment requests by calling the vendor or executive directly using a known, trusted phone number—not the contact information provided in a suspicious email.
- Go Directly to the Vendor’s Website: If you receive an email from a vendor about payment issues or contract renewals, go directly to the vendor’s website by typing the URL into your browser manually. Log in to your account to check for any legitimate notices or messages. Never trust links in the email.
- Forward Suspicious Emails: Immediately forward any suspicious emails to your information security or IT department or the helpdesk for review—preferably before opening them. These teams can determine whether the email is a phishing attempt.
- Check the "From" Email Address: When you open any email, hover over the "From" address to reveal the full email address and look closely for subtle changes. Attackers often register look-alike addresses that differ from the legitimate one by only a character or two. For example, they might change accounting@vendor.com to accounting@vvendorr.com or accounting@vendor.co. Such a small change is easy to miss when you're in a hurry.
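The look-alike addresses above (vvendorr.com, vendor.co) are exactly what a mail-gateway or help-desk triage rule can catch automatically. The following script is an added illustration, not code from the original article: it parses a From: header, extracts the sender domain, and flags domains that are within a small edit distance of a trusted vendor domain or that reuse a trusted name under a different top-level domain. The trusted-domain list, the `max_distance` threshold and the sample headers are all constructed for the example.

```python
"""Flag look-alike sender domains against a list of known vendor domains.

Added example; the trusted domains and sample From: headers are constructed.
"""
from email.utils import parseaddr

# Constructed allowlist: domains the organisation actually does business with.
TRUSTED_DOMAINS = {"vendor.com", "example-bank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain from a From: header such as
    'Acme AP <ap@vendor.com>'; the display name is ignored on purpose,
    since it is trivially forged."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS,
                    max_distance: int = 2) -> str:
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the domain is NOT on the allowlist but is close enough
    to an allowlisted domain that a reader in a hurry would mistake it.
    """
    domain = sender_domain(header_value)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        # Same name, different TLD: vendor.com -> vendor.co
        if name == good_name and tld != good_tld:
            return "lookalike"
        # A couple of inserted/changed characters: vendor.com -> vvendorr.com
        if edit_distance(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


def triage(headers):
    """Return {header: verdict} for a batch of From: headers."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample headers mirroring the article's examples.
    samples = [
        "Accounting <accounting@vendor.com>",
        "Accounting <accounting@vvendorr.com>",
        "accounting@vendor.co",
        "Accounting <accounting@vend0r.com>",
        "newsletter@unrelated.org",
    ]
    for header, verdict in triage(samples).items():
        print(f"{verdict:10} {header}")
```

Anything that comes back as `lookalike` is worth routing to the security team before the recipient acts on it; `unknown` simply means the domain is not one the organisation recognises, which is the normal case for most mail and still deserves the manual checks listed above. The distance threshold is deliberately small: a larger one would start flagging unrelated domains that happen to be short.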
- Use Multi-Factor Authentication (MFA): Enabling MFA is critical for logging into sensitive platforms. Even if a hacker steals your password, MFA adds an extra layer of protection that can prevent unauthorized access.
- Scan QR Codes with Caution: Only scan QR codes that come from trusted sources, such as those provided in verified emails from your IT department or those that are part of a legitimate process you’ve prompted, like setting up an authenticator app. If a QR code is on packaging or in materials that you haven’t directly requested, avoid scanning it—it could lead you to a malicious website.
Don’ts:
- Don’t Call the Number or Click the Link in a Suspicious Email: Never call the number or click on the link provided in a suspicious email or message. Scammers often set up fake customer support numbers or websites designed to steal your information.
- Don’t Open Attachments from Unknown Senders: Attachments from suspicious or unknown sources can contain malware. Never open them unless you are certain the sender is legitimate and the attachment is safe.
- Don’t Act on Urgency Alone: Social engineering attacks often create a sense of urgency to pressure you into acting without thinking. Take a moment to verify the request through secure, independent channels.
- Never Enter a Website or Code You Don’t Recognize: Never enter a website address or code into your computer based on a verbal or written prompt that you don’t recognize. Attackers can use this method to install malware or gain remote access to your computer, potentially exposing sensitive company information.
- Never Scan Unknown QR Codes: Avoid scanning QR codes found on random packaging, posters, or flyers unless you are certain they are legitimate. Scanning a malicious QR code can lead to compromised personal data or allow malware to infect your device.
- Don’t Assume Familiarity Means Safety: Just because an email seems to come from a known contact or vendor, don’t automatically assume it’s safe. Attackers can easily spoof email addresses to make them look genuine with slight modifications to the name or domain.
