Social Engineering Attacks: How Hackers Manipulate People

A woman in accounting at a Fortune 500 company wired .7 million to a bank account in Hong Kong because her CFO told her to on a Zoom call. Except it wasn’t her CFO. It was a deepfake — AI-generated video and voice cloned from public earnings calls. The attackers had spent weeks in her inbox first, building context, learning communication patterns, establishing what felt like trust. By the time the video call happened, the transfer felt routine. She found out it was fake three days later.

And that’s the part nobody wants to sit with. We spend billions on security infrastructure, and the weakest point is still the person sitting at the desk.

The Attacks That Actually Work

Kevin Mitnick, probably the most well-known social engineer ever, used to say he rarely touched a keyboard to break into systems. He’d call employees. Pretend to be a coworker, a vendor, someone from another department. Just talk his way in. His book The Art of Deception reads like a manual for manipulating people, and the scary part is how simple it all is. No sophisticated malware. A phone book and some confidence. That was his toolkit. He once called an employee at Digital Equipment Corporation, claimed to be a lead developer who’d forgotten his credentials, and the employee just… gave them to him. No pushback. No verification. That was the 1990s, and I’m here to tell you: the same trick works right now. I’ve seen it happen at organizations spending millions on security.

Why does it work? Probably because we default to trust. We’re social creatures. We want to help. Social engineers treat that instinct like a software vulnerability — because in a way, it is. But you can’t patch it. There’s no update that fixes curiosity, or fear, or the urge to comply with someone who sounds like they’re in charge. Those are baked into how we operate, and attackers have been pulling on those strings since long before computers existed.

Let’s talk about phishing, because it’s still the number one way in and it isn’t close. According to the FBI’s Internet Crime Complaint Center, phishing resulted in over $10 billion in losses in a single year. That number keeps climbing. Not because people are getting dumber — the attacks are getting sharper. The Nigerian prince emails with broken grammar? Mostly gone. What shows up now is polished, personalized, and almost impossible to tell apart from a real message.

I remember one that hit a client of ours back in 2019. Looked exactly like an internal HR email about updated health insurance benefits during open enrollment. Perfect formatting. Correct company logo. Even referenced the actual insurance provider the company used — the attacker had scraped that from LinkedIn profiles and the company’s public benefits page. Out of 400 employees, 67 clicked the link and entered their credentials. That’s roughly a 17% success rate, and the attacker only needed one.

Spear phishing is the targeted version. Instead of blasting thousands of generic messages, the attacker researches a specific person and builds a message just for them. They’ll mention recent projects, drop the names of actual coworkers, time their email to line up with real events. I investigated one where the attacker had been watching a company’s Twitter feed and sent a fake invoice the same day they announced a new partnership. An accounts payable clerk assumed it was related to the new deal and wired $43,000 overseas. Gone.

Business Email Compromise — BEC — is where the real money goes. The FBI put BEC losses at roughly $2.7 billion in 2022, and those are just the ones that got reported. Plenty of companies quietly eat the loss rather than admit what happened. The mechanics are almost embarrassingly simple: impersonate a senior exec, instruct someone to make an urgent wire transfer or hand over data. That’s it.

I dealt with one personally. The CFO was traveling overseas — information the attacker likely picked up from social media. While he was in transit and unreachable, the finance team got an email that appeared to come from his account. It told them to wire $128,000 to a new vendor for a “time-sensitive acquisition.” Used his actual signature block. Referenced a real project. Included a note: “I’m in meetings all day, don’t call, just handle this.” The finance coordinator processed the transfer. By the time anyone figured out what happened, the money was in the wind.

What made it work wasn’t technical skill. It was homework. The attacker knew the CFO’s travel schedule, the company’s projects, and who on the finance team would be most likely to comply without questioning things. That’s social engineering at its worst. Or its best, I guess, depending on which side of the table you’re sitting on.

Stats from the Anti-Phishing Working Group show BEC attacks went up over 80% between 2020 and 2023. Average loss per incident sits around $125,000, but some have gone way higher. Ubiquiti Networks lost $46.7 million to one. Crelan Bank in Belgium lost $75.8 million. These aren’t small shops with no budget. Major organizations. Dedicated security teams. Still got caught.

Pretexting works differently. Instead of sending you a link, someone constructs a believable scenario and engages you directly, usually over the phone or face to face. They build a fake identity and a story that gives them a plausible reason to ask for whatever they want.

A guy called our help desk once claiming to be a new employee at the satellite office. Said HR had given him his employee ID but the VPN wasn’t working and he had a presentation due by morning. Friendly. Slightly stressed. Dropped the hiring manager’s name — pulled straight off LinkedIn. Our help desk tech, trying to do the right thing, walked him through resetting his VPN credentials. There was no new employee. There was no satellite office presentation. Just a social engineer who’d spent twenty minutes on LinkedIn and made one phone call.

And that’s the part that sticks with me. The technician didn’t feel attacked. He felt like he was helping someone. Pretexting doesn’t feel like an attack. It feels like a normal conversation. The attacker builds rapport, establishes trust, gently steers things toward what they need. By the time they ask the question, it seems perfectly reasonable. Professional penetration testers have told me pretexting is their most reliable method. One guy I know claims a near-100% success rate when he calls pretending to be from IT conducting a security audit. People will literally read their passwords out loud to someone who says they’re from IT. They’ll plug in USB drives they found in the parking lot. They’ll hold the door open for someone carrying boxes, even in a secure facility.

Vishing — voice phishing — has been around forever but got more dangerous with VoIP technology that lets attackers spoof caller ID. You might get a call that appears to come from your bank’s actual number. It’s really some person in a call center reading from a script designed to make you panic and hand over your account details. Smishing uses text messages. You’ve probably gotten them — texts pretending to be from your bank, Amazon, FedEx, the IRS. “Your account has been locked. Click here to verify your identity.” Short, urgent, designed to bypass the thinking you might apply to a longer email. People tend to trust texts more than email because they feel more immediate and personal. Attackers know this.

I saw a smishing campaign that went after employees of one specific company by sending texts that looked like they came from the company’s two-factor authentication system. Something like “Your 2FA token has expired. Click to re-enroll.” The link led to a perfect copy of the company’s auth portal. Employees entered their credentials and their existing 2FA codes, which the attackers captured in real time and used to log in. A real-time man-in-the-middle attack, delivered by text message. It was, from a certain angle, impressive. From every other angle, it was a disaster.

Baiting is exactly what the name suggests. Leave something tempting where your target will find it, wait for curiosity to do the work. Researchers at the University of Illinois found that 48% of USB drives dropped in public places got plugged into computers. Nearly half. Some people said they wanted to find the owner. Some were just curious. End result was the same — code running on their machine. I ran a security awareness test once where we left branded USB drives in the break room labeled “Q4 Salary Review — Confidential.” Within two hours, eleven people had plugged them in. Our drives just had a harmless tracking payload, but they could’ve carried anything. Ransomware. Keyloggers. A full remote access toolkit. The desire to see confidential salary data beat whatever security training those people had gone through.

Quid pro quo attacks offer something in exchange for information. An attacker calls random extensions at a company claiming to be tech support, offering to help fix a slow machine or install an update. Eventually somebody with a real IT problem takes the bait and accepts the “help.” Then the attacker walks them through steps that actually install malware or grant remote access. It’s help desk social engineering in reverse.

Physical social engineering is its own category. Getting into buildings and restricted areas by manipulating people, not systems. Tailgating is the simplest version — you wait by a secure door and follow someone through when they badge in. Most people won’t stop you, especially if you’re dressed right, carrying stuff, or chatting them up. I’ve seen pen testers walk into server rooms wearing high-visibility vests and carrying clipboards. Nobody said a word. One tester told me he walked into a corporate headquarters, went straight to the executive floor, sat at an empty desk, and stayed for three hours before anyone asked who he was. By then he’d already accessed the network from an unattended workstation. The best physical social engineers don’t sneak around. They walk with confidence. Make eye contact. Say good morning. They act like they belong, and that’s usually enough.

Why It Keeps Working (And What Maybe Helps)

Robert Cialdini’s six principles of influence are basically the field manual for this stuff. Authority — people do what perceived authority figures ask. Urgency — time pressure short-circuits thinking. Social proof — if others seem to be doing something, it must be fine. Reciprocity — if someone does you a favor, you feel obligated. Commitment and consistency — once you’ve started going along with something, you tend to keep going. Liking — we say yes more often to people we find likable.

Social engineers use all six, often stacked together. A phishing email “from the CEO” uses authority. “Your account will be suspended in 24 hours” uses urgency. “All employees have already completed this form” uses social proof. A pretexting call that starts with the attacker doing something nice for you? Reciprocity. These aren’t random moves. They’re deliberate applications of psychological principles that have been studied for decades. And fear might be the strongest lever of all. When someone’s afraid — of losing an account, getting in trouble with their boss, being responsible for a breach — they don’t think clearly. They act fast. Social engineers manufacture fear and then hand you a solution. “Your computer has been compromised. Do these steps right now to fix it.” You’re so focused on the fear that you don’t question the person giving instructions.

Modern attacks rarely stick to one method. They chain techniques together. An attacker might start by scraping LinkedIn, Facebook, corporate websites, press releases — building a profile. Then they call the help desk with a pretext to get an employee’s email. Then they send that employee a spear phishing message using details from the earlier call. Each step feeds the next one.

The 2020 Twitter hack is maybe the best example. Attackers used phone-based social engineering to get Twitter employees to hand over access to internal tools. They didn’t break into servers. They broke into people. And with that access, they took over accounts belonging to Barack Obama, Elon Musk, Apple, and others, posting cryptocurrency scam messages. The attackers were teenagers. I think about that a lot. Teenagers brought one of the world’s biggest social media platforms to its knees with phone calls. The SolarWinds attack, while mostly a supply chain compromise, also had social engineering threaded through it — targeted communications, exploited trust relationships between organizations. The technical parts get the headlines, but the human manipulation was a big piece of it.

So what actually works for defense? Here’s the blunt version: annual security awareness training doesn’t. People sit through a slideshow, pass a quiz, forget everything within a month. I’ve watched companies run the same phishing simulation year after year and get the same click rates. Twenty percent of employees fail every time. Often the same twenty percent.

What seems to work better — and I’d hedge this by saying it’s hard to measure precisely — is building a culture where questioning suspicious requests is normal and encouraged. If someone calls the help desk to verify a weird email, that should be treated as a win, not a time-waster. If someone challenges a tailgater at the door, they should be thanked, not told they’re being rude. Security-conscious behavior has to become the default, not the exception.

Simulated phishing campaigns do more than classroom training, but only if you run them right. Monthly. With immediate, non-punitive feedback. When someone clicks a test phish, they should get instant education about what they missed — not a write-up from HR. Shaming people into security awareness backfires. It just makes them afraid to report real incidents.

On the technical side: multi-factor authentication stops most stolen credentials from being usable. Even if someone gets phished, they can’t log in without the second factor. Hardware security keys like YubiKeys are the strongest option for sensitive accounts. SMS-based 2FA is better than nothing, but it’s vulnerable to SIM swapping, which is itself a form of social engineering — kind of a depressing recursion there.

Email authentication protocols — SPF, DKIM, and DMARC — make it harder to spoof your domain. Set your DMARC policy to quarantine or reject. It won’t stop all phishing, but it raises the bar. Also, configure your email gateway to flag external messages with a visible banner. Something like “[EXTERNAL] This email originated outside the organization.” Simple. I’ve seen it prevent countless attacks at companies I’ve worked with.
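A quick way to check whether your published DMARC record is actually at the "quarantine or reject" level the paragraph above recommends. This is an added example, not the article's own code: the two records are constructed (a monitoring-only one beside the corrected one), and fetching the real `_dmarc.yourdomain` TXT record from DNS is left to whatever resolver you already use.

```python
# Constructed sample records (not from the article): a monitoring-only record
# and the corrected, enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")

def parse_dmarc(record):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Report whether the record really enforces, and every reason it does not.
    Defaults follow RFC 7489: sp falls back to p, pct defaults to 100."""
    tags = parse_dmarc(record)
    findings = []
    version_ok = tags.get("v") == "DMARC1"
    if not version_ok:
        findings.append("no v=DMARC1 tag: receivers will ignore the record")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '(absent)'}: spoofed mail is only reported, still delivered")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy or '(absent)'}: subdomains stay spoofable")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not numeric")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: you get no aggregate reports showing who spoofs you")
    enforcing = version_ok and policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "enforcing": enforcing, "findings": findings}

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("corrected", STRONG_RECORD)):
        result = assess_dmarc(record)
        print(f"{label}: p={result['policy']} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```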

For BEC and wire fraud, out-of-band verification is probably the single most effective policy you can implement. Any request to change payment details or send money to a new account must be confirmed by phone — to a number you already have on file, not one from the email. This one rule, consistently followed, would stop the majority of BEC losses. I’ve personally watched it catch attacks that would’ve cost hundreds of thousands.
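The external banner from the previous section and the out-of-band callback rule above, as an added example of the inbound-mail screening a gateway or SOC script can do (not the article's own code). The domain, the executive directory, and both sample messages are constructed; the check assumes single-part text messages.

```python
from email import message_from_string
from email.utils import parseaddr
import re

OUR_DOMAIN = "example.com"  # assumption: the organization's own mail domain
# Constructed executive directory: display name -> the only legitimate address.
EXECUTIVES = {"Pat Rivera": "pat.rivera@example.com"}
BANNER = "[EXTERNAL] This email originated outside the organization."
# Wording that should trigger the out-of-band callback rule for payment changes.
PAYMENT = re.compile(r"\b(wire|new vendor|bank details|payment details|account number)\b", re.I)
# Pressure tactics the article describes: urgency and a request not to verify.
PRESSURE = re.compile(r"\b(urgent|right away|immediately|don'?t call|do not call)\b", re.I)

def screen_message(raw):
    """Parse one RFC 5322 message (single-part, as built below) and return whether
    it is external, the flags an analyst should act on, and the body with the
    banner prepended when the sender is outside our domain."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    external = addr.rpartition("@")[2] != OUR_DOMAIN
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    flags = []
    if external and name in EXECUTIVES and addr != EXECUTIVES[name]:
        flags.append("executive display name on an external address")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        flags.append("Reply-To differs from From")
    if PAYMENT.search(text):
        flags.append("payment change: confirm by phone to a number already on file")
    if PRESSURE.search(text):
        flags.append("urgency or request not to verify")
    shown = (BANNER + "\n\n" + body) if external else body
    return {"external": external, "flags": flags, "body": shown}

# Constructed sample messages: a BEC-style lure modelled on the case above, and
# an ordinary internal note.
SAMPLE_BEC = """\
From: "Pat Rivera" <pat.rivera@exec-mail-example.net>
To: finance@example.com
Subject: Urgent wire for time-sensitive acquisition

I'm in meetings all day, don't call, just handle this wire to the new vendor.
"""

SAMPLE_INTERNAL = """\
From: Sam Lee <sam.lee@example.com>
To: finance@example.com
Subject: Team lunch Thursday

Booking the usual place, let me know if you're in.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BEC, SAMPLE_INTERNAL):
        result = screen_message(raw)
        print(result["external"], result["flags"])
```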

Building what people call a “human firewall” — I’m not crazy about the term but it’s the one that stuck — means ongoing education, not a yearly box-check. Share real attack examples with your team. Sanitized case studies from your own org work best. When someone reports a phishing email, share it company-wide (safely) so everyone learns. Bring it up in team meetings. Keep it visible.

Create short, clear policies for common scenarios. Someone calls claiming to be IT? Hang up, call IT at a number you already know. Email from the CEO asking for a wire transfer? Verify by phone or in person. Stranger asks you to hold a secure door? Politely ask them to badge in. These have to be simple enough to remember and practiced often enough to become reflexive.

And — this is the one I’d put in bold if this format allowed it — make it safe to fail. People will click phishing links. They’ll give information to pretexters. It’s going to happen. When it does, the response should be fast containment and support, not blame. If people are scared to report that they fell for something, you’ll hear about the breach weeks later instead of minutes later. Those minutes could be the difference between a contained incident and a catastrophe.

AI-generated voice cloning is already being used in vishing attacks these days. Deepfake video calls are coming next, from what I’ve seen in recent proof-of-concept demos. The tools for creating convincing impersonations are getting cheaper and more accessible, and I’m not sure our defenses are keeping pace. Maybe they can’t. Maybe the answer isn’t better detection but better processes — verification steps that work regardless of how convincing the deception is.

I don’t have a tidy ending for this. The honest answer is that I’m still working it out, and I think anyone who tells you they’ve “solved” social engineering is either selling something or hasn’t thought about it hard enough. The fundamental defense is still what it’s always been: skepticism, verification, and a culture that treats security as everyone’s job rather than the security team’s problem. But whether that’s enough going forward, with AI-powered attacks and deepfakes and who knows what else around the corner — I could be wrong, but I’m not confident it is. Build the culture anyway. It’s the best option we’ve got, and maybe, probably, it’ll be enough for most of what’s coming. I just can’t promise that.

TechoClip Editorial Team
TechoClip's editorial team covers AI, cybersecurity, smartphones, software, science, gaming, and startups — with a focus on clear, accurate, practical technology coverage.
