Fraudology

Social engineering attacks: How a 10-minute call led to millions lost

Today I want to talk about social engineering attacks and how a single phone call can compromise systems, expose sensitive information, and cost companies millions of dollars.

Because the uncomfortable truth is this.

Even organizations with world-class security infrastructure can still be vulnerable when a criminal successfully manipulates a human being.

In this episode of Fraudology, I’m joined by former corporate spy Robert Kerbeck to break down how social engineering actually works and why these attacks remain one of the most effective tools in the cybercriminal playbook.

This episode was originally recorded in September 2023 and later selected by Fraudology listeners as one of the best episodes of the year.

Robert and I revisit the high-profile MGM cyberattack and the broader lessons organizations should take from it. The attack demonstrated how quickly social engineering tactics can bypass expensive technical defenses when employees are not fully prepared to recognize manipulation attempts.

Robert shares insights from his career as a professional “ruser,” explaining how attackers research their targets, exploit trust, and persuade employees to reveal information or grant access that leads to devastating consequences.

And this matters.

Because ransomware attacks combined with social engineering can cripple organizations, disrupt operations, and expose sensitive data.

Understanding how these attacks work is one of the most effective ways companies can protect themselves.

What you’ll hear in this episode

  • How social engineering attacks exploit human behavior rather than technical vulnerabilities
  • What happened in the MGM ransomware attack and why it shocked the cybersecurity world
  • How attackers research and select employee targets before making a call
  • The tactics “rusers” use to manipulate employees into sharing sensitive information
  • Why ransomware and social engineering often work together in modern cybercrime

You should listen to this episode if you

  • Work in fraud, cybersecurity, or information security and want to better understand social engineering attacks
  • Lead customer support, IT, or security teams responsible for protecting company systems
  • Want practical insight into employee social engineering training and prevention strategies
  • Are responsible for corporate cybersecurity training or security awareness programs
  • Want to learn cybersecurity lessons from the MGM hack and similar incidents

If you liked this episode, be sure to subscribe and review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts. It really helps with getting the word out.

Episode notes & key takeaways

Social engineering attacks target people, not systems

Let’s start with the most important concept.

Social engineering attacks succeed because they exploit human behavior.

Hackers often do not need to break through firewalls or bypass sophisticated technical defenses. Instead, they convince someone inside the organization to hand over the access they need.

Robert explains that attackers carefully research employees before initiating contact. They study company structures, identify roles with access to sensitive systems, and craft believable scenarios that pressure employees to act quickly.

This might involve impersonating IT staff, executives, vendors, or customers.

Once the target believes the story, the attacker can gain credentials, system access, or other sensitive information.

  • Social engineering attacks exploit trust and authority rather than technical weaknesses
  • Attackers often conduct extensive research before contacting employees
  • Employees in support or administrative roles are frequent targets
  • Successful attacks often begin with a simple phone call or email

The MGM cyberattack showed how quickly things can unravel

The MGM ransomware attack became one of the most widely discussed cybersecurity incidents of 2023.

According to public reporting, attackers used social engineering to manipulate a help desk employee into resetting credentials that provided access to internal systems.

From there, the attackers escalated their access and ultimately launched a ransomware attack that disrupted MGM’s operations across multiple properties.

The incident demonstrated a difficult reality.

Even companies with large cybersecurity budgets can be vulnerable if employees are not trained to recognize manipulation attempts.

  • The MGM cybersecurity breach started with a social engineering attack
  • Help desk and customer service employees are common targets
  • Ransomware attacks often begin with stolen credentials
  • Security awareness training is a critical line of defense

How professional “rusers” manipulate employees

Robert Kerbeck spent years working as a corporate spy conducting authorized social engineering tests for companies.

His role involved calling employees and attempting to obtain sensitive information using persuasive tactics.

The techniques he describes are surprisingly simple.

Attackers may create a sense of urgency, pretend to be an authority figure, or frame the request as routine.

Employees often want to be helpful and responsive, which can make them vulnerable to these manipulation techniques.

Understanding these tactics is one of the best ways employees can learn to recognize and stop social engineering attempts.

  • Social engineers often rely on urgency and authority to manipulate targets
  • Attackers frequently impersonate IT staff, executives, or vendors
  • Employees may comply with requests because they want to be helpful
  • Awareness of these tactics can significantly reduce risk

Why employee verification processes matter

One of the most effective defenses against social engineering attacks is simple verification.

Employees should be trained to verify unusual requests through independent channels before taking action.

This might involve confirming a request through a known phone number, contacting a manager, or following established internal security procedures.

Robert emphasizes that companies should normalize verification.

Employees should feel empowered to slow down and confirm requests rather than feeling pressured to respond immediately.

  • Employee verification processes help prevent unauthorized access
  • Security procedures should encourage employees to pause and confirm requests
  • Organizations should make verification part of everyday workflows
  • Empowering employees to question requests strengthens security culture
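The verification process described above can be written down as an explicit decision rule so that it is applied the same way on every call, under pressure or not. The following is an added illustration, not code from the episode or from Fraudology: a small help-desk reset gate, with constructed sample directory data, that contrasts a weak check (trusting what the caller says) with a hardened one (only a callback the agent placed to the number already on record counts, privileged accounts need a second confirmation, and a claimed emergency is recorded but never changes the outcome). The directory entries, account names and phone numbers are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Constructed sample directory (hypothetical data, not from the episode).
# The phone numbers are those already on record in the identity system;
# the help desk never takes a callback number from the caller.
EMPLOYEE_DIRECTORY: Dict[str, dict] = {
    "jdoe":   {"phone_on_record": "+1-555-0100", "manager": "asmith", "privileged": False},
    "asmith": {"phone_on_record": "+1-555-0101", "manager": "cfo",    "privileged": True},
}


class Decision(Enum):
    ALLOW = "allow"          # reset may proceed
    DENY = "deny"            # refuse and record the attempt
    ESCALATE = "escalate"    # hold until a second person confirms


@dataclass
class ResetRequest:
    username: str
    caller_claimed_phone: str               # number the caller says they are on
    callback_completed_to: Optional[str]    # number the agent actually dialed back, if any
    manager_confirmed: bool                 # manager reached via the directory, not via the caller
    urgency_claimed: bool                   # "I'm locked out and the CEO is waiting"
    notes: List[str] = field(default_factory=list)


def evaluate_reset_weak(req: ResetRequest) -> Decision:
    """Weak control: trusts what the caller tells the agent.

    A caller who has researched the target can recite the phone number on
    record, so this check is defeated by exactly the research the episode
    describes attackers doing before they pick up the phone."""
    record = EMPLOYEE_DIRECTORY.get(req.username)
    if record and req.caller_claimed_phone == record["phone_on_record"]:
        return Decision.ALLOW
    return Decision.DENY


def evaluate_reset(req: ResetRequest) -> Decision:
    """Hardened control: only evidence the agent obtained independently counts."""
    record = EMPLOYEE_DIRECTORY.get(req.username)
    if record is None:
        req.notes.append("unknown account: deny and log")
        return Decision.DENY

    # Urgency is a pressure tactic, never evidence. It is recorded so the
    # pattern is visible in review, but it changes nothing below.
    if req.urgency_claimed:
        req.notes.append("caller claimed urgency; ignored for the decision")

    # Independent channel: the agent must have dialed the number on record
    # and reached the employee there. What the caller claims is irrelevant.
    if req.callback_completed_to != record["phone_on_record"]:
        req.notes.append("no completed callback to the number on record: deny")
        return Decision.DENY

    # Privileged accounts need a second, independent confirmation.
    if record["privileged"] and not req.manager_confirmed:
        req.notes.append(f"privileged account: hold for confirmation by {record['manager']}")
        return Decision.ESCALATE

    req.notes.append("callback verified on record number: allow")
    return Decision.ALLOW


if __name__ == "__main__":
    # A pressured call: caller knows the number on record, no callback was made.
    pressured = ResetRequest("jdoe", "+1-555-0100", callback_completed_to=None,
                             manager_confirmed=False, urgency_claimed=True)
    print("weak:", evaluate_reset_weak(pressured).value,
          "| hardened:", evaluate_reset(pressured).value)
    print("\n".join(pressured.notes))
```

The point of the split is that the hardened rule never consumes anything the caller supplied: the callback number comes from the directory, the manager is reached through the directory, and the request is held rather than rushed when a second confirmation is missing. The notes list gives reviewers a record of every call where urgency was claimed, which is the pattern a security team wants to see across tickets.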

Training employees to recognize social engineering attempts

Technology alone cannot stop social engineering attacks.

Organizations must also invest in effective training and awareness programs.

Robert recommends engaging training approaches that use real-world examples and storytelling to help employees remember key lessons.

When employees understand how social engineering works and see how easily attackers manipulate people, they become much more cautious when responding to unusual requests.

That awareness can prevent attacks before they ever gain a foothold.

  • Employee social engineering training is one of the most effective defenses
  • Real-world examples help employees recognize manipulation tactics
  • Security awareness programs should be engaging and memorable
  • Prepared employees can stop attacks before they escalate

Final thoughts

The biggest lesson from this conversation is simple.

Social engineering attacks do not succeed because systems are weak.

They succeed because attackers understand human behavior.

When organizations combine strong technical controls with effective employee training, they dramatically reduce the likelihood that a simple phone call can turn into a major cybersecurity incident.

For fraud teams, security leaders, and executives, the takeaway is clear.

Prepare employees.

Encourage verification.

And never underestimate the power of social engineering.

Host
Karisse Hendrick
Ecommerce Fraud Prevention Consultant