What is Social Engineering

Install a Report Phish button in Outlook, Gmail, and the mobile mail clients, plus a published phone-report number for vishing, an SMS-forward number for smishing, and a Slack or Teams shortcut for impersonation in chat. Publish the median triage time and the count of confirmed pretexts caught in the previous month, so reporting feels useful rather than ignored. Reporting rate is the leading indicator most strongly correlated with breach resilience; the gap between first contact and first report is the window an attacker uses to escalate. A program that climbs reporting rate from 18% to above 65% routinely cuts confirmed-incident dwell time by an order of magnitude.

Generic awareness content plateaus inside two quarters. Role-based exercises that mirror current attacker tradecraft keep the verification reflex live. Finance and AP get BEC, vendor-invoice, deepfake-wire, and gift-card pretexts. IT and help-desk staff get vishing and MFA-reset scenarios drawn from the MGM playbook. Engineering gets OAuth consent, supply-chain code commit, and AI assistant prompt-injection patterns. Executives and their assistants get whaling, deepfake video calls, and personal-device hardening. Customer success and partnerships get vendor-impersonation pretexts. The result is a verification reflex that transfers across every channel the workforce uses.

Write a one-page policy that requires a callback to a published internal number before any wire change, banking detail update, MFA reset, payroll edit, vendor onboarding, or executive request that arrives outside normal channels, regardless of the inbound channel. Adopt a code-word system for high-value finance requests so deepfake voice or video cannot complete the chain alone. Require dual authorization (two named approvers, with the second approver picked from a published rotation, not the requester) for any payment above a defined threshold. Rehearse the policy with finance, AP, HR, and the help desk every quarter. The 2024 Arup $25 million loss, the FACC $54 million loss, and the Toyota Boshoku $37 million loss were each preventable by this single control.

Public shaming kills the reporting culture you need. Coach repeat clickers privately with a 60-second microlesson tied to the exact pattern they missed, pair with a manager check-in only if the pattern recurs, and never publish individual click rates. Most breaches that involve a social-engineering click also involve a delayed report, and most delayed reports are produced by fear of consequence rather than failure of detection. The cultural posture of the program decides the time-to-report curve, which decides the blast radius of every successful pretext.

Hardware-bound keys (YubiKey, Titan) and platform passkeys on iOS and Android cannot be phished by adversary-in-the-middle proxies. The cryptographic challenge is bound to the legitimate domain, so a fake login page or a Modlishka-style proxy cannot complete the handshake even when the user enters real credentials. Move every employee from SMS, push, and TOTP to FIDO2 or passkeys, starting with finance, IT, executives, and developers. Cloudflare publicly credited mandatory hardware keys with stopping the 2022 0ktapus / Scatter Swine campaign at its perimeter while peer companies on push-based MFA were breached.

Brief reception, security, facilities, and warehouse staff on the same pretext patterns that hit the inbox. Common physical scripts: a delivery courier who needs the badge held open, a contractor with a laminated lanyard but no scheduled visit, a vendor field engineer arriving for an unscheduled audit, and the USB drop with a fake "annual safety audit" cover letter. Require photo-ID match and a directory callback for every unbadged entry, prohibit USB plug-in on facility computers, and run quarterly tailgating drills measured against a published baseline. The loading dock and the front desk are tier-one social-engineering targets that the SOC cannot see.

Voice cloning APIs need 30 seconds of source audio to produce a convincing pretext, and live-face video deepfakes ran in production during the 2024 Arup wire fraud and have since appeared in private-equity diligence calls and CFO authorization workflows. Train executives, finance teams, and assistants that visual identity on a live call is no longer evidence. Require a code-word challenge response for any high-value request placed through video or voice, never give the code word out on the same channel that requested it, and rotate the code word quarterly. Pair with synthetic-media detection tools where deployed, but do not rely on them as the sole control.

Whaling and CEO-fraud targets are researched through public profiles. Lock down executive LinkedIn (turn off followers, scrub speaking schedules, remove tenure and reporting lines), enroll personal phones in MDM if used for work mail, enforce passkeys on personal Apple and Google IDs that hold work data, and commission a quarterly OSINT pass to identify lookalike domain registrations, impersonating social accounts, and leaked credentials in breach dumps. The verification reflex matters most at the top of the org chart: one CFO who follows the callback policy prevents the eight-figure loss the rest of the program is designed to avoid.