How To Avoid a Caesars-Like, Social Engineering Catastrophe

Could you spot a social engineering attack? Learn how hackers tricked Caesars into paying $15M and discover the protection strategies to keep your company safe.

Last Updated March 28, 2025

Category Cybersecurity

If you’re running a business or advising clients, it’s important to know what happened at Caesars Entertainment in the late summer of 2023.

The Caesars attack was a ransomware attack, but it was not typical. That’s because the attackers used a ploy that has proved quite effective—and popular—among hackers: social engineering.

What is a social engineering attack?

Social engineering means taking readily available information and using it to dupe an employee into thinking that they’re talking to a real person rather than an impersonator.

According to one report, social engineering accounts for as much as 74% of data breaches. Other data shows that this type of attack causes an average of $4.1 million in damage.

How do social engineers successfully manipulate people?

Social engineers exploit basic human psychology to manipulate their targets.

They’re successful because they:

  • Build false trust through familiarity and impersonation.
  • Create urgency that pressures victims to act quickly without verification.
  • Exploit authority by pretending to be executives or IT personnel.
  • Play on fear by suggesting negative consequences for non-compliance.
  • Use social proof by referencing mutual connections.

Caesars’ attackers were adept at these techniques.

They spoke English fluently and with little to no accent. They were familiar with common American phrases and conversational norms.

When they called the casino’s IT help desk, pretending to be employees, they got away with it. Not only was their conversation realistic, but they also had a lot of data at their disposal.

Using LinkedIn, Facebook, X, and other social sites, the attackers learned the names, locations, interests, colleagues, and other details of the person they were impersonating, so that they could convincingly pass as that employee.

They told the help desk that they had lost their username and password. The help desk, untrained in such tactics, warmed up to the conversation and ultimately reset and shared new passwords with the attackers.

“Although members of the group may be less experienced and younger than many of the established multifaceted extortion and ransomware groups, they are a serious threat to large companies in the United States,” a Google executive told CNBC. “Many members are native English speakers and are incredibly effective social engineers.”

Once the attackers received the new credentials, they could access the company’s network. They deployed malware across the system that encrypted key files and data.

They stole information. The casino would never be the same.

After suffering this massive disruption, Caesars’ executives ultimately relented and paid the attackers a $15M ransom to unlock their data. Caesars is still sorting out lawsuits and always faces the uncertainty that the hackers left something behind and could strike again.

A similar cyberattack on MGM’s casinos happened around the same time.

Executives there chose not to pay a ransom and instead rebuilt their systems.

Losses exceeded $100 million. Lawsuits also continue there.

How could these large companies with such well-recognized brands and seemingly all the resources in the world fall victim to such an attack?

The story is newsworthy. However, the media doesn’t cover the countless similar attacks on small and mid-sized businesses around the world that lack the same brand recognition.

Your business. My business. And it’s only going to get worse.

Types of social engineering scams, attacks, and tactics

The attack on Caesars Entertainment demonstrates how sophisticated these scams have become. As an employee—and certainly as a business owner—you must know how to recognize a social engineer’s tactics to avoid falling victim.

Let’s look at the common ways these attackers operate:

Pretexting

Pretexting is when a hacker creates a fabricated scenario to obtain information. Caesars’ attackers used pretexting when they called the help desk. They crafted a convincing story about forgetting their password, complete with personal details gleaned from social media. Once they had new credentials, they accessed the network and unleashed their attack.

Phishing

When an attacker sends an email or message that appears legitimate but actually contains malicious links or attachments, it’s phishing. The attacker often impersonates trusted entities like banks, vendors, or colleagues.

Phishing attacks are growing more sophisticated. Gone are the days of obvious spelling errors and strange email domains. Today’s phishing attempts can be nearly impossible to distinguish from legitimate communications.

Baiting

Baiting is when a hacker offers something enticing to swap for information or access.

Imagine finding a USB drive in your company parking lot labeled “Confidential: Salary Information.” Human curiosity makes many people plug it in without thinking, which is exactly what attackers want. Similarly, attackers might offer free downloads that secretly install malware.

They’re essentially digital fishermen—the bait looks appealing, but there’s a hook hidden inside.

Quid Pro Quo

Quid Pro Quo means promising a benefit in exchange for information. A common scenario is an attacker calling employees claiming to be from IT support, offering to help with a non-existent problem.

While “helping,” they’ll request login credentials or ask the employee to install software that’s actually malware. It works because it plays on our natural tendency to trust authority figures and our appreciation for unexpected assistance.

Tailgating

Tailgating is physically following someone into a restricted area. The attacker might pretend to be a colleague who forgot their access card, a delivery person with hands too full to badge in, or a maintenance worker responding to an urgent call.

Once inside, they can access physical systems and plant devices or steal sensitive information. It exploits our natural reluctance to appear rude or unhelpful to someone in apparent need.

AI-enhanced voice spoofing

Thanks to AI, attackers can now clone voices with frightening accuracy. Imagine getting a phone call from your CEO asking for emergency access to a system—except it’s not your CEO; it’s an AI replication.

Within a few years, businesses of every size will face these ultra-realistic impersonation attempts. Don’t believe me? Call any big company nowadays with customer service operations and see how long it takes before you realize you’re initially talking to a bot. Now, imagine that technology is in the hands of attackers. The line between real and fake is blurring rapidly.

How to protect your business from social engineering attacks

The good news is that you can take action to protect yourself and your company against socially engineered attacks.

Here’s a step-by-step approach:

Step 1: Implement comprehensive employee training

Training your employees is critical. People need to know how to spot these callers, what questions to ask, and what data to confirm.

Internal policies should be in place, such as requiring help desk people to call the caller back after validating the phone number.

Depending on the information requested, more than one sign-off may be required before sharing.

Step 2: Establish multifactor authentication systems

The second step is a multi-pronged approach to authentication:

  • Password resets should require confirmation via text message, authentication software, or hardware.
  • A passkey system—where PINs are locally stored on a device—should be required to access systems.
  • Biometric access—fingerprints, facial recognition, eye scans—should also be strongly considered.

Step 3: Partner with security experts

Finally, it’s important to outsource this security to companies that do it for a living:

  • Partner with a good cloud services provider to host your data and implement secure access controls.
  • Ask them, or their partners, for continuous training.
  • Confirm that they regularly update and patch your employees’ operating systems and require password changes.
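The following is an added example, not code from the original post or from Caesars, MGM or any vendor, showing how the Step 1 and Step 2 controls above can be enforced in a help-desk password-reset workflow rather than left to the judgment of whoever answers the phone: the desk never dials the number the caller gives, it calls back on the number of record; a one-time code goes to the registered device and is never read over the inbound call; sensitive accounts need a second sign-off; and the temporary password is delivered to the registered device instead of being shared with the caller. All account names, phone numbers and approver names are constructed, and `dial` and `deliver` are stand-in functions for telephony and messaging so the module runs offline.

```python
"""Help-desk password-reset workflow encoding the Step 1 and Step 2 controls.
Constructed illustration; `dial` and `deliver` are injected stand-ins for
telephony and messaging so the module runs offline."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

# Constructed directory of record (in practice the HR system or IdP), never
# anything the caller supplies.
DIRECTORY = {
    "jdoe":      {"phone": "+1-555-0100", "privileged": False},
    "admin.ops": {"phone": "+1-555-0199", "privileged": True},
}
OTP_DIGITS = 6


@dataclass
class ResetTicket:
    username: str
    caller_supplied_phone: str           # logged for the record, never dialled
    callback_number: str | None = None   # always taken from DIRECTORY
    otp: str | None = None
    otp_verified: bool = False
    approvals: set[str] = field(default_factory=set)


def open_ticket(username: str, caller_supplied_phone: str) -> ResetTicket:
    """Open a ticket only for an account the directory knows."""
    if username not in DIRECTORY:
        raise LookupError(f"unknown account {username!r}")
    return ResetTicket(username, caller_supplied_phone)


def place_callback(ticket: ResetTicket, dial) -> str:
    """Step 1: hang up and call back on the number of record, not the caller's."""
    number = DIRECTORY[ticket.username]["phone"]
    dial(number)
    ticket.callback_number = number
    return number


def send_otp(ticket: ResetTicket, deliver) -> None:
    """Step 2: push a one-time code to the registered device; never read it aloud."""
    if ticket.callback_number is None:
        raise PermissionError("callback must precede the confirmation code")
    ticket.otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    deliver(ticket.callback_number, ticket.otp)


def verify_otp(ticket: ResetTicket, code: str) -> bool:
    """Constant-time compare; the code is single-use whether or not it matched."""
    ok = ticket.otp is not None and hmac.compare_digest(ticket.otp.encode(), code.encode())
    ticket.otp_verified, ticket.otp = ok, None
    return ok


def required_approvals(username: str) -> int:
    """Privileged accounts need a second sign-off (Step 1)."""
    return 2 if DIRECTORY[username]["privileged"] else 1


def approve(ticket: ResetTicket, approver: str) -> None:
    if approver == ticket.username:
        raise PermissionError("requester cannot approve their own reset")
    ticket.approvals.add(approver)


def issue_reset(ticket: ResetTicket, deliver) -> dict:
    """Issue a temporary password only after every control passed, delivered to
    the registered device rather than handed to the caller."""
    missing = [name for name, done in (
        ("callback", ticket.callback_number is not None),
        ("otp", ticket.otp_verified),
        ("approvals", len(ticket.approvals) >= required_approvals(ticket.username)),
    ) if not done]
    if missing:
        raise PermissionError("reset blocked; missing: " + ", ".join(missing))
    deliver(ticket.callback_number, secrets.token_urlsafe(16))
    return {"username": ticket.username, "delivered_to": ticket.callback_number,
            "must_change_at_login": True}


def run_walkthrough() -> dict:
    """Drive a privileged-account reset end to end with stub telephony/messaging."""
    dialled, delivered = [], []

    def deliver(number, payload):
        delivered.append((number, payload))

    out = {}
    ticket = open_ticket("admin.ops", caller_supplied_phone="+1-555-9999")
    try:
        issue_reset(ticket, deliver)          # nothing verified yet: must be refused
    except PermissionError as exc:
        out["early_reset"] = str(exc)
    out["callback_number"] = place_callback(ticket, dialled.append)
    send_otp(ticket, deliver)
    out["wrong_code_accepted"] = verify_otp(ticket, "wrong")
    send_otp(ticket, deliver)                 # fresh code after a miss
    out["right_code_accepted"] = verify_otp(ticket, delivered[-1][1])
    approve(ticket, "supervisor.a")
    try:
        issue_reset(ticket, deliver)          # privileged account: one sign-off is not enough
    except PermissionError as exc:
        out["one_approval"] = str(exc)
    approve(ticket, "supervisor.b")
    out["result"] = issue_reset(ticket, deliver)
    out["caller_number_dialled"] = "+1-555-9999" in dialled
    return out


if __name__ == "__main__":
    print(run_walkthrough())
```

The walkthrough mirrors the Caesars call: the caller supplies a number and a story, but the desk only ever dials the directory number, the code and the temporary password only ever reach the registered device, and a privileged reset cannot be completed by a single agent acting alone. Swapping `dial` and `deliver` for real telephony and messaging integrations is the only change needed to use the same control flow in a ticketing system.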

Take action now

Don’t wait until your business becomes the next victim of a social engineering attack. Implement proper training, robust authentication systems, and partner with trusted security experts before it’s too late. Remember—prevention costs far less than a data breach.
