Example 1: Olusegun's AP Invoice Fraud ($280K)
The vendor email impersonation in Olusegun's casebook is representative of a well-documented category. The attacker used a lookalike domain (one hyphen difference from the real vendor) to send a professional email to the AP department announcing a routine banking detail change. AP updated the payment details in their system. Three months of invoices β $280,000 total β were paid to the attacker's account before the real vendor called asking about the outstanding balance.
Detection came from outside the organization: the legitimate vendor contacting AP directly via phone. Internal controls β email filtering, payment processing software β saw nothing unusual because the invoice content, amounts, and communication style were consistent with the established relationship. Only the banking details had changed.
Root cause analysis: no out-of-band verification policy existed. The AP team had no process requiring a callback to a known vendor phone number when banking details changed. After the incident, the firm implemented a policy requiring all banking detail changes to be verified by phone to a number from the original contract, plus dual manager approval for changes to any payment account above $10K in monthly volume.
Example 2: Stuxnet USB Drop (2010)
The Stuxnet worm is the most consequential known USB drop attack in history. Infected USB drives were placed near the Natanz nuclear enrichment facility in Iran. Workers found the drives and plugged them into control system computers that were specifically air-gapped β disconnected from any external network β as a security measure. The USB drop bypassed the air gap entirely.
Stuxnet exploited four zero-day vulnerabilities and specifically targeted Siemens S7-315 and S7-417 PLCs (Programmable Logic Controllers) that controlled the centrifuges used for uranium enrichment. The malware caused the centrifuges to spin at incorrect speeds while reporting normal operations to the monitoring systems β operators saw normal readings while the centrifuges were physically destroying themselves. An estimated 1,000 centrifuges were damaged or destroyed.
Attribution: the attack is widely attributed to a joint US-Israeli intelligence operation codenamed Olympic Games. It represents the first known cyberweapon to cause physical destruction in the real world. The means of delivery was a $5 USB drive and human curiosity.
Example 3: RSA SecurID Breach via Social Engineering (2011)
RSA Security β the maker of SecurID two-factor authentication tokens used by defense contractors and government agencies worldwide β was breached when an employee opened a spear phishing email with an Excel spreadsheet attached, titled "2011 Recruitment Plan.xls." The attachment exploited a zero-day Adobe Flash vulnerability embedded in the file.
While not a hoax in the traditional sense, this incident demonstrates the importance of context in making social engineering attacks credible. The email arrived during hiring season, in a subject matter (recruitment planning) that was entirely plausible for the recipient's role, from what appeared to be a known industry context. The action β opening an Excel file from a seemingly relevant source β was completely routine.
The breach compromised seed values used to generate SecurID tokens. Attackers subsequently used this information in targeted attacks against Lockheed Martin and other defense contractors whose employees used RSA SecurID for VPN access. A single phishing email against one RSA employee ultimately threatened the authentication security of major US defense contractors.
Example 4: Twitter Bot Farms β Influence Operations
During the 2016 US election and subsequent years, Twitter identified and removed millions of coordinated bot accounts attributed to the Internet Research Agency (IRA), a Russian state-linked organization. The accounts operated under fake American personas β built over months to appear authentic, with profile photos, activity histories, and social connections β and posted divisive political content while amplifying each other's posts to create the appearance of widespread organic opinion.
Similar documented operations targeted the UK Brexit referendum, the 2017 French presidential election, and corporate reputations. In the corporate context: attacker-controlled accounts have been used to spread false product safety claims, fabricate regulatory investigation news, and amplify real controversies out of proportion.
Key techniques: fake personas built patiently over months to appear authentic before activation; coordinated amplification (bots retweeting each other to boost visibility); emotionally charged content that spreads virally because it provokes engagement; seeding to real journalists through DMs with fabricated "tips."
Example 5: DEF CON Social Engineering Competition
The annual DEF CON Social Engineering Capture the Flag (SECTF) competition demonstrates elicitation in a legal, consent-based research framework. Participants attempt to elicit information from company employees via phone calls to a live audience of conference attendees, using a structured flag system. The information sought is not classified or sensitive in isolation β but combined, it builds a reconnaissance profile for a targeted attack.
Typical successful elicitations in competition and research contexts include: current technology stack (OS, browser, email client, VPN product), number of employees in specific departments, whether specific security tools are deployed, upcoming office moves or product launches, names of IT staff, and internal terminology and project names.
Each piece is benign individually. Combined, they enable crafting highly credible spear phishing emails, vishing scripts, and targeted pretexts. The competition consistently demonstrates that employees at major, security-conscious organizations freely share this information when approached professionally and conversationally.
Exam Scenario 1
"An employee receives a warning in a company chat channel that says: 'URGENT: Microsoft just released an emergency update that requires you to disable your antivirus for 30 minutes to install properly. Share this with all your colleagues immediately.'"
This is a classic security hoax β false information crafted to cause employees to take harmful actions (disabling antivirus) and spread the hoax further (forwarding the message). Indicators: extreme urgency ("URGENT"), instruction to disable a security tool, instruction to share with colleagues immediately, and the technical claim itself is false (legitimate Microsoft updates never require disabling AV).
Correct response: Do not follow the instructions. Do not forward the message. Report to IT security immediately through official channels (email to the security team, use the "Report" function if available). Verify any claimed urgent security actions with IT before taking them.
Why this is a hoax and not disinformation: Disinformation targets public opinion or organizational reputation at scale. This hoax targets security behaviors of internal employees β disabling security controls to create a vulnerability window. It spreads through internal channels and relies on well-meaning employees forwarding a "helpful warning."
Key principle: Any message that instructs you to disable security software, forward urgently to colleagues, or act immediately without verification is a manipulation signal β regardless of how authoritative it appears.
Exam Scenario 2
"A security researcher found 50 USB drives labeled 'Executive Compensation Data β Confidential' scattered in a financial firm's parking lot."
The label "Executive Compensation Data β Confidential" is crafted to trigger two powerful psychological responses simultaneously: curiosity about executive salaries, and self-interest in determining whether the information affects the finder. The "Confidential" label adds a sense that this might be something important to return to HR β creating a rationale for picking it up and checking the contents.
Correct employee response: Pick up the drive (so others cannot find it). Do NOT plug it into any device β not a work device, not a personal device, not in airplane mode. Report found drives immediately to IT security. The IT security team examines them in a forensically isolated environment.
Why "airplane mode" is not safe: A HID device types commands on plug-in regardless of network state. Disconnecting from the network does not prevent the device from opening PowerShell, creating a new admin account, or installing malware that activates when network access is restored.
Implementation: Implement USB device control policy; disable USB storage ports via Group Policy; post awareness reminders in parking areas and building entry points; train staff specifically that compelling labels are the attack vector, not an indication the drive is legitimate.
Exam Scenario 3
"A junior employee at a security conference freely told a 'fellow developer' about an unpatched vulnerability in the company's internal systems and the team's upcoming patch schedule."
No false identity was necessarily used. No phishing email was sent. No technical attack occurred. The attacker used friendly, professional conversation to draw out sensitive information β specifically, the existence of an unpatched vulnerability and the timeline before it would be fixed. This creates an actionable attack window: the attacker now knows what vulnerability exists and roughly how long they have to exploit it before it is patched.
Why this is dangerous: A vulnerability disclosure combined with a patch timeline is essentially an invitation. The attacker can focus resources on that specific vulnerability with confidence that the window is limited β creating urgency to exploit before patching occurs.
Defense:
1. Need-to-know training: vulnerability information is classified by default. Only employees who need to know for remediation purposes should know a specific vulnerability exists or its status.
2. Pre-conference briefings: explicitly cover what categories of information should never be discussed at external events β current vulnerabilities, upcoming patches, system details, personnel information, acquisition discussions.
3. Security culture: employees should feel comfortable saying "I can't discuss internal system details" without social awkwardness.
4. Information classification: ensure employees have a clear mental model of what constitutes sensitive information in a conversational context, not just in document classification schemes.