Eli Lilly Loses Billions in a Social Engineering Attack

Image of a man wearing a hoodie is hiding half of his face behind a white mask.
Social engineering attack costs Eli Lilly billions.
Source: Sander Sammy via Unsplash.com

Eli Lilly lost USD15 billion in market cap to a social engineering attack. The attack happened only days after Twitter announced a USD8 fee for the blue check mark verification last Wednesday. Following the social engineering attack, Twitter suspended the option.

Since Twitter first applied the option, parody accounts of known companies and individuals got the blue checkmark by paying the fee. But, few financial losses occurred during this short time, leading many to ignore the dangers fake accounts create. Now that Eli Lilly has lost billions, Twitter will have to take social engineering attacks (SEA) more seriously. 

Interestingly, the attackers only managed to devalue Eli Lilly’s market cap rather than stealing its money. 

Twitter must handle social engineering attacks to improve cybersecurity practices on the platform.

Over USD15 Billion in Market Cap Lost

On Thursday, November 10, a fake account @EliLillyandCo, displaying the blue checkmark, tweeted, “insulin is free now”. Eli Lilly is a major diabetes drug manufacturer in the United States.

The company responded to the tweet eight hours later. However, the original fake tweet was online for almost a day. During this time, Twitter users retweeted the fake tweet thousands of times, causing Eli Lilly (#LLY) to drop 10%, from USD368.36 to USD346.36, or a loss of over USD15 billion.

Over the weekend, the stock price adjusted. Yet, the growth has failed to recover to last month’s levels. In addition, this loss will reduce Eli Lilly’s 30% year-to-date growth.

Image of computer Pepe sending his backup seed phrase to a hooded hacker Pepe because his discord DM said so.
Memes are funny and almost always ridiculous, but we shouldn’t underestimate their social power.
Source: OxBEW Via Words.Yunt.Capital

Dawn of Meme Terrorism

Since 2016, tech and political experts have warned the public about online memes leading to misinformation.

Until recently, many separated social engineering attacks from cybersecurity. Few took them seriously in relation to cybersecurity.

For cybercriminals and political activists, social engineering attacks are a new attack vector. So, how can the public and companies defend against such attacks? 

So far, social engineering attacks have targeted individuals only. During such an attack, cybercriminals blackmail or scam a person to share their private information and access their finances. Now, cybercriminals also target companies or groups by exploiting their audience.

Moreover, normal defenses against such attacks will not work. For example, companies can’t control where their audiences get information. 

Twitter Blue Check Fails against Social Engineering Attacks

Social media platforms are ideal for social engineering attacks. Cybercriminals use social media messages and posts for malware propagation. Even certain groups, chats, and websites actively spread such attacks.

Mostly, cybercriminals manipulate internet users by appealing to their emotions to obtain valuable personal information.

Therefore, experts advise users to rely on verified sources. But, when anyone can buy the blue check for their Twitter handle, social engineering attacks will become easier.

Through verified checkmarks, anyone can pose as a celebrity, a company, or even Elon Musk, Twitter’s new CEO and owner. Before the social engineering attack on Eli Lilly, many experts denied that such attacks could be so damaging.

Now, future scams may use similar attacks to inflict losses on companies. Social media ransomware may also become an issue in 2023.

Image of a woman covering her face with a blanket.
Social engineering attacks (SEA) often play on fear and other human emotions.
Source: Alexandra Gorn via Unsplash.com

Social Media Brand Affirmation—the Only Solution Right Now

Currently, brand affirmation is the only solution against similar attacks. Companies will have to keep their clients and partners informed about their business. 

With brand affirmations, scammers will find it difficult to fool customers and investors. Transparency and direct communication are crucial for brand affirmation. 

Additionally, every brand’s social media handles must be provided to customers. With customers already subscribed and informed, companies could prevent misinformation.

Both marketing and cybersecurity experts will need to work on cyber threat intelligence. With their efforts combined, it’ll be possible to identify and prevent these threats.

Though online fraud is hard to eradicate completely, a combined effort can reduce its damage.

Unethical Business Practices and Vigilante Criminals

The company’s self-advertised perception made the fake Eli Lilly tweet seem credible to the public. People quickly believed the announcement because Eli Lilly markets itself as a socially conscious company.

But, insulin is 10 to 20 times more expensive in Mexico, Canada, and Europe than in the US. Since 2008, the US cost per capita has increased by over USD6,000.

Thus, few criticized the Twitter scammers openly. Many consider Eli Lilly’s business practices unethical. Businesses involved in similar practices will be the first targets of criminal vigilante justice.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top