Your firewall is fine. Your antivirus is up to date. Your patches are current.
And then one of your employees picks up the phone.
That's the story behind the Charter Communications breach — and it's a story that should matter deeply to every small business owner who thinks they're too small, too obscure, or too well-defended to be a target.
One Employee. One Account. 4.9 Million Records.
The ShinyHunters hacking group didn't crack Charter Communications through a sophisticated zero-day exploit. They didn't brute-force their way through hardened infrastructure. They socially engineered a single employee's Microsoft account — and walked out with 4.9 million customer records.
That's the brutal efficiency of modern social engineering. Attackers don't need to beat your technology. They need to beat one person, once, on one bad day.
If you're thinking "that's a big company problem" — read on, because the threat has moved squarely into your neighborhood.
UNC3753: The Group Actively Targeting Small Professional Firms
According to The Hacker News, Google Mandiant has documented a threat actor called UNC3753 running an active vishing (voice phishing) and physical intrusion campaign specifically targeting professional, legal, and financial services firms in the United States. These aren't Fortune 500 companies — they're exactly the kind of small and mid-sized businesses that make up the bulk of the American economy.
The playbook is straightforward and devastating:
- Caller ID spoofing — The attacker calls an employee impersonating IT support, a vendor, or even a government agency.
- Urgency injection — "Your account has been compromised. We need to verify your credentials right now or you'll lose access."
- Credential harvest — The employee, trying to be helpful, hands over their login or approves an MFA push.
- Lateral movement — The attacker is now inside. From one account, they pivot to everything that account touches.
This is vishing industrialized. UNC3753 isn't running one-off scams — Mandiant's findings indicate a coordinated, financially motivated campaign. Your employees are receiving these calls today.
AI Support Channels: The New Social Engineering Frontier
The threat doesn't stop at phone calls. According to Schneier on Security, researchers demonstrated how Meta's AI support chatbot could be manipulated through social engineering to facilitate a full account takeover — no technical exploit required. The attacker simply convinced the AI assistant to take actions that cascaded into complete account compromise.
This matters for your business because Microsoft, Google, and virtually every major SaaS vendor now deploys AI-assisted support. If your employees — or your IT team — use these support channels to recover accounts or reset credentials, those channels are now attack surfaces. The social engineering playbook has expanded beyond human targets to include the AI systems designed to help them.
We've covered the broader risks of AI tools in your environment in our post on questions to ask before an AI tool accesses your business data. The answer isn't to avoid AI — it's to understand where it creates new exposure.
Your Technical Defenses Are Being Actively Bypassed
Here's the other half of the picture: even as attackers are going around your people, they're also going around your tools. Attackers are now using AI to automate endpoint detection and response (EDR) evasion testing — meaning your antivirus and endpoint security tools are being stress-tested by the same adversaries targeting your employees.
The implication is uncomfortable but important: you cannot out-tool this problem. If your entire security strategy is "we have antivirus and a firewall," you have a gap that social engineering walks right through. The human layer is the most exploitable attack surface in your organization, and sophisticated threat actors know it.
What Small Businesses Can Actually Do
The good news: the defenses that work aren't exotic or expensive. They're disciplined and consistent.
1. Implement phishing-resistant MFA — not SMS. SMS-based MFA can be defeated by SIM swapping and real-time phishing proxies, and a simple push prompt can be approved by a helpful employee on the phone with a fake "IT support" caller, exactly as in the playbook above. Hardware keys (YubiKey) or passkey-based authentication are significantly harder to social engineer: the credential is bound to the legitimate site's origin, so there is no code for an employee to read out over the phone and nothing a look-alike login page or relay proxy can capture and reuse. We've broken down the tradeoffs in our comparison of passkeys vs SMS MFA vs authenticator apps.
2. Establish a verbal verification protocol. Any request to reset credentials, grant access, or approve an unusual action — whether it comes by phone, email, or chat — should require a second verification through a known, pre-established channel. "Let me call you back on the number we have on file" is a complete sentence that stops most vishing attacks cold.
3. Limit what each account can reach. The Charter breach was catastrophic because one compromised account had access to millions of records. Least-privilege access means a compromised employee account reaches only what that employee needs — not your entire database. Audit this quarterly.
4. Train for the specific script, not just general awareness. Generic security awareness training doesn't move the needle. Employees need to hear the actual words attackers use: "This is urgent," "Your account will be locked," "I'm from IT support." Role-play the scenario. Make the recognition automatic.
5. Know your external attack surface. Social engineering often starts with reconnaissance. Attackers research your company, your employees, your vendors, and your exposed services before they ever pick up the phone. Knowing what's visible about your organization from the outside is the first step to reducing what attackers can use against you.
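Step 3's "audit this quarterly" can be made concrete. The following is an added example, not code from this post or from Oscar Six Security, that measures each account's blast radius (how many customer records a compromise of that one account would expose) and lists the grants its job function does not need; DATA_STORES, ROLE_GRANTS and the accounts are constructed sample values, and the 1,000,000-record threshold is an assumed policy limit.

```python
from dataclasses import dataclass, field

# Constructed sample data for illustration only (not from any real environment).
# Each data store is labelled with the number of customer records it holds.
DATA_STORES = {"billing_db": 4_900_000, "support_tickets": 120_000,
               "hr_files": 300, "marketing_leads": 25_000}

# Role -> data stores that role may read. "legacy_superuser" is the kind of
# stale, over-broad grant that turns one phished account into a mass breach.
ROLE_GRANTS = {
    "support_agent": {"support_tickets"},
    "billing_admin": {"billing_db", "support_tickets"},
    "hr": {"hr_files"},
    "marketing": {"marketing_leads"},
    "legacy_superuser": set(DATA_STORES),
}

@dataclass
class Account:
    user: str
    job_function: str                          # the one role the job actually requires
    roles: set = field(default_factory=set)    # roles currently granted

def reachable_stores(account):
    """Union of every store any granted role can read (the account's blast radius)."""
    return set().union(*(ROLE_GRANTS.get(r, set()) for r in account.roles))

def audit(accounts, max_records=1_000_000):
    """One finding per account: records reachable, stores the job does not need,
    and whether the blast radius exceeds the tolerated maximum."""
    findings = []
    for acct in accounts:
        reach = reachable_stores(acct)
        records = sum(DATA_STORES[s] for s in reach)
        findings.append({
            "user": acct.user,
            "records": records,
            "excess": reach - ROLE_GRANTS[acct.job_function],  # grants to revoke
            "over_threshold": records > max_records,
        })
    return sorted(findings, key=lambda f: f["records"], reverse=True)

def sample_accounts():
    """Constructed accounts: alice is clean; bob has a forgotten superuser role; carol kept a grant from an old job."""
    return [
        Account("alice", "support_agent", {"support_agent"}),
        Account("bob", "support_agent", {"support_agent", "legacy_superuser"}),
        Account("carol", "hr", {"hr", "marketing"}),
    ]
```

Run `audit(sample_accounts())` to get the findings sorted by blast radius; in a real environment the role map would be exported from your identity provider and the record counts from the data owners.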
We also cover the Microsoft 365-specific version of this threat in our post on Microsoft 365 breach prevention for small businesses — worth reading if your team runs on M365.
The Throughline
The Charter breach. UNC3753's vishing campaign. The Meta AI chatbot exploit. These aren't isolated incidents — they're data points in a trend. Attackers have learned that the fastest path through your defenses is the one that bypasses your technology entirely and goes straight to your people.
Your firewall didn't fail. Your employee did — because they weren't set up to succeed against a professional adversary running an industrialized attack.
The organizations that survive this threat aren't the ones with the best tools. They're the ones that treat the human layer as seriously as the technical one.
Take Action
Social engineering attacks often succeed because attackers know more about your external footprint than you do. They research your exposed services, your employee names, your vendors — and they use that intelligence to make their calls more convincing.
Proactive scanning catches the reconnaissance opportunities before attackers do. Oscar Six Security's Radar gives you a clear picture of your external attack surface for $99 per scan — so you know what's visible, what's exploitable, and what needs to be locked down before a phone call turns into a breach.
Focus Forward. We've Got Your Six.