Why social engineering is not just a problem for big tech firms

Published on July 16, 2020
Read time 5 mins

On Wednesday 15 July 2020, several high profile Twitter accounts, including those of Elon Musk, Barack Obama, Kanye West, Joe Biden and Bill Gates, were hijacked.

The visible aim was simple: a familiar bitcoin scam asking followers to send cryptocurrency in return for a promised larger payment. The implications were far more serious. Attackers proved they could impersonate influential figures on a global platform, raising questions about trust, political influence and the security of major social media services.

This incident is often framed as a big tech problem, but the underlying weakness it exposed affects every organisation that relies on digital systems and people.

How the Twitter hack happened

Details of the attack point to misuse of powerful internal access. Early reports suggested that attackers used high level employee privileges to access and control the targeted accounts. Twitter later described the incident as a coordinated social engineering attack against staff with access to internal tools.

The immediate impact included

  • Fraudulent posts from verified accounts
  • Temporary restrictions on verified users posting
  • A drop in Twitter’s share price and damage to trust

The key lesson is that social engineering can bypass sophisticated technical security by exploiting people who have legitimate access.

What social engineering is and why it matters

Social engineering is the practice of manipulating people into performing actions or revealing information that attackers can use. Instead of directly breaking systems, criminals focus on the human side of security.

Tech companies such as Facebook, Twitter and Snapchat have all suffered breaches linked to human factors. Even with strong technical defences, attackers regularly succeed by targeting employees and exploiting trust, urgency and authority.

This is often done through

  • Phishing emails
  • Fake login pages
  • Impersonated support contacts
  • Requests that appear to come from senior staff

The weakest point is often the so-called human firewall: the employees who interact with these messages and requests every day.
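The red flags listed above (an executive's name on an external address, a lookalike domain, a mismatched reply-to, urgency, a request for credentials or payment) can be checked mechanically before a message ever reaches a busy employee. The following is an added example written for this page, not code from the original post or from usecure. It assumes a hypothetical company domain (example.com), a hypothetical list of senior staff and three constructed sample messages; a real deployment would take these from your directory and mail gateway.

```python
"""Score an inbound email for common social engineering red flags.

Added example; not code from the original post or from usecure.
Assumptions: the company domain is example.com, the executive list is
hypothetical and the sample messages below are constructed for this demo.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"              # assumption: the organisation's own mail domain
EXECUTIVES = {"jane doe", "john smith"}     # assumption: display names attackers might borrow
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "confidential")
CREDENTIAL_WORDS = ("password", "login", "verify your account", "gift card", "wire")
# Visually similar character sequences used in typo-squatted domains
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("cl", "d"))


def _domain(address: str) -> str:
    """Mail domain of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _normalise(s: str) -> str:
    """Fold common homoglyph substitutions so exarnple.com compares equal to example.com."""
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain: str, legit: str) -> bool:
    """True if domain impersonates legit: homoglyphs, one-edit typos, or legit embedded in it."""
    if domain == legit or domain.endswith("." + legit):
        return False                       # the real domain or a genuine subdomain of it
    if _normalise(domain) == _normalise(legit):
        return True                        # exarnple.com, examp1e.com
    if legit in domain:
        return True                        # example.com.evil.org, example.com-login.net
    return _edit_distance(domain, legit) == 1


def red_flags(msg: dict) -> list:
    """Return the red flags found in a message given as a dict of headers plus 'Body'."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append("executive display name from external domain")
    if looks_alike(from_domain, COMPANY_DOMAIN):
        flags.append(f"lookalike sender domain {from_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        flags.append("reply-to domain differs from sender domain")
    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency language")
    if any(w in text for w in CREDENTIAL_WORDS):
        flags.append("asks for credentials, payment or gift cards")
    for host in re.findall(r"https?://([^/\s]+)", msg.get("Body", "")):
        if looks_alike(host.lower(), COMPANY_DOMAIN):
            flags.append(f"link to lookalike domain {host.lower()}")
    return flags


# Constructed sample messages for the demo; none of these are real mail.
SAMPLES = {
    "ceo_gift_card": {
        "From": '"Jane Doe" <jane.doe@gmail.com>',
        "Reply-To": "ceo.janedoe@outlook.com",
        "Subject": "Urgent request",
        "Body": "Are you at your desk? I need you to buy gift cards today, keep this confidential.",
    },
    "fake_it_reset": {
        "From": "IT Support <helpdesk@exarnple.com>",
        "Subject": "Password expiring",
        "Body": "Your password expires in 24 hours. Verify your account at https://exarnple.com/reset immediately.",
    },
    "legit_payroll": {
        "From": "Payroll <payroll@hr.example.com>",
        "Subject": "June payslips available",
        "Body": "Payslips are now on the HR portal at https://hr.example.com/payslips.",
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", red_flags(msg) or "no red flags")
```

The constructed "CEO gift card" message trips four checks and the fake IT reset trips four (lookalike sender domain, urgency, a request for a password and a link to the same lookalike domain), while the genuine payroll mail from a real subdomain trips none. Treat the score as a triage signal for reviewers and for the report button workflow, not as a blocking rule: word lists are easy to evade, and a genuine urgent request from an executive should be confirmed out of band rather than silently dropped.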

Common types of social engineering attacks

Social engineering tactics vary, but many share the same theme of pretending to be a legitimate person or resource. Common examples include

  • Baiting
  • Quid pro quo offers
  • Phishing
  • Spear phishing
  • Whaling that targets executives
  • Voice phishing (vishing) and SMS phishing (smishing)
  • Watering hole attacks that compromise trusted sites
  • Pretexting, where attackers create a detailed false identity
  • Fake password reset or password change requests
  • Fake IT support contacts
  • Fake professional profiles on platforms such as LinkedIn
  • Name dropping to create a false sense of trust
  • Insider threats where employees abuse their access

Understanding these patterns helps employees recognise when something feels wrong.

Social engineering is a risk for every business

Large platforms such as Twitter attract media attention when they are breached, but social engineering is not limited to big tech. Almost every organisation uses digital tools for payroll, finance, communication or customer data, and all of these systems can be targeted through people.

Small and medium sized businesses are often more exposed than global platforms. Research has found that a significant share of SMBs experience phishing and impersonation attempts, and many would struggle to survive the financial and reputational impact of a serious breach.

Unlike a global brand that can absorb reputational hits, an SMB may have to close its doors after a major incident.

How businesses can combat social engineering

The Twitter breach shows how a single compromised employee can lead to a serious incident. Reducing this risk requires a mix of training, process and technical checks.

Regular cyber security awareness training

Awareness is one of the most effective defences against social engineering. Employees who understand how attackers operate are less likely to fall for scams and more likely to report suspicious activity.

Ongoing cyber security awareness training helps staff recognise

  • Phishing and spear phishing emails
  • Unusual requests for credentials or data
  • Attempts to bypass normal processes
  • Red flags in voice and SMS messages

A culture of awareness reduces the success rate of social engineering attacks.

Good password hygiene

Strong, unique passwords and secure authentication processes make it harder for attackers to reuse stolen credentials. Employees should be encouraged to

  • Avoid simple or easily guessed passwords
  • Use a different password for every account, ideally generated and stored by a password manager
  • Change passwords immediately after a suspected compromise
  • Enable multi factor authentication wherever possible, preferring phishing resistant methods such as hardware security keys over SMS codes

Since many people still reuse passwords across multiple accounts, a single breach can have a cascading effect if hygiene is poor.

Simulated phishing to assess risk

Simulated phishing campaigns help organisations understand how vulnerable their employees are to realistic attacks. By sending controlled test emails and tracking responses, you can

  • Identify which users or departments are at higher risk
  • Highlight the need for further training
  • Keep secure email habits top of mind

Follow up education after a failed simulation helps staff learn from mistakes in a safe environment rather than during a real incident.
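Turning raw simulation results into the department-level view described above is a small aggregation job. The following is an added example written for this page, not usecure's product code or any tool named in the original post. It assumes a hypothetical one-record-per-user result format and uses a small constructed data set.

```python
"""Summarise a simulated phishing campaign by department and pick users for follow-up.

Added example; not code from the original post or from usecure's platform.
Assumptions: each user produces one Result record per campaign (hypothetical
format) and the RESULTS list below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Result:
    user: str
    department: str
    opened: bool      # opened the email
    clicked: bool     # followed the tracked link
    submitted: bool   # entered credentials on the landing page
    reported: bool    # reported the email through the report button


# Constructed sample results for the demo; not real campaign data.
RESULTS = [
    Result("alice", "finance", True, True, True, False),
    Result("bob", "finance", True, True, False, False),
    Result("carol", "finance", True, False, False, True),
    Result("dave", "finance", False, False, False, False),
    Result("erin", "engineering", True, False, False, True),
    Result("frank", "engineering", True, True, False, True),
    Result("grace", "engineering", False, False, False, False),
    Result("heidi", "engineering", True, False, False, True),
    Result("ivan", "sales", True, True, True, False),
    Result("judy", "sales", True, True, False, False),
]


def department_summary(results, click_threshold=0.3):
    """Return {department: metrics} with click, submit and report rates plus a training flag.

    A department is flagged when its click rate exceeds click_threshold or when
    more people clicked than reported, since reporting is the behaviour that
    actually shortens a real incident.
    """
    groups = defaultdict(list)
    for r in results:
        groups[r.department].append(r)
    summary = {}
    for dept, rows in groups.items():
        n = len(rows)
        clicked = sum(r.clicked for r in rows)
        submitted = sum(r.submitted for r in rows)
        reported = sum(r.reported for r in rows)
        summary[dept] = {
            "users": n,
            "click_rate": round(clicked / n, 2),
            "submit_rate": round(submitted / n, 2),
            "report_rate": round(reported / n, 2),
            "needs_training": clicked / n > click_threshold or clicked > reported,
        }
    return summary


def users_needing_followup(results):
    """Users who submitted credentials, or clicked and did not report, get targeted follow-up."""
    return sorted(r.user for r in results if r.submitted or (r.clicked and not r.reported))


if __name__ == "__main__":
    for dept, metrics in department_summary(RESULTS).items():
        print(dept, metrics)
    print("follow-up:", users_needing_followup(RESULTS))
```

On the constructed data, finance (50% click rate) and sales (100%) are flagged while engineering is not: one engineer clicked, but three of four reported the email, which is the outcome a programme should reward. Track the report rate alongside the click rate, and use the per-user list for supportive follow-up training rather than for disciplinary action, otherwise staff stop reporting real incidents too.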

usecure provides automated security awareness training, simulated phishing and policy management tools that help organisations build a comprehensive defence against social engineering.
