Spread of Social Engineering Threats and Corporate Risk
Global HR and ERP solution company Workday recently announced that it had been exposed to an attack campaign using social engineering techniques. While customer data remained safe, some employee and business contact information was confirmed leaked from an external CRM.

August 15, 2025: Workday officially confirmed a social engineering campaign targeting its employees. Attackers impersonating HR or IT departments contacted employees via text messages and phone calls, attempting to steal account access credentials or personal information.

Investigation results: some attackers gained access to the external CRM (customer relationship management) platform that Workday uses, obtaining general business contact information such as names, email addresses, and phone numbers. Workday emphasized "there is no access evidence to customer tenant data or major internal systems."

Workday blocked access immediately upon recognizing the breach and introduced additional security measures to prevent recurrence. The company stated that "all official communications only occur through Workday trusted support channels, and we never request passwords or sensitive information by phone."

Social engineering as the primary attack vector: unlike technical exploits that require finding system vulnerabilities, social engineering exploits human psychology: urgency ("account is being locked"), authority ("I am from IT security"), and helpfulness ("I am trying to help you"). The Workday case demonstrates that even sophisticated enterprise security can be bypassed when attackers successfully impersonate trusted organizational roles. Employee security awareness training and authentication procedures that verify caller identity before sharing sensitive information are the primary defenses.

