03
14 min read · 5 briefings

Phishing & Social Engineering

The oldest exploit in the book targets the one system you can't patch: a human under pressure.

01 Hacking the Human

Social engineering is manipulation dressed as a normal interaction. It bypasses firewalls entirely because it attacks judgment, not code. And it works on smart people — especially smart people, who trust their own instincts. To defend, you have to understand the psychological levers being pulled.

Most scams lean on the same handful of principles that the psychologist Robert Cialdini catalogued as the drivers of influence:

  • Authority. We comply with bosses, IT, police, banks. A message "from the CEO" or "from Microsoft security" short-circuits scrutiny.
  • Urgency. "Your account will be closed in 24 hours." Time pressure is the attacker's best friend because it stops you from thinking and checking.
  • Scarcity. "Only 3 left," "exclusive offer." Fear of missing out overrides caution.
  • Reciprocity and liking. A small favor, a friendly tone, a shared connection — we want to return goodwill and trust people we like.
Insight The common thread is emotion. Every effective lure tries to make you feel — afraid, excited, flattered, rushed — because emotion suppresses the slow, skeptical part of your brain. The single most protective habit is to notice the feeling and slow down before acting.

02 The Phishing Family Tree

Phishing is fraud that impersonates a trusted party to steal credentials, money, or access. The generic version is mass email. But it branches into a whole family, distinguished by targeting and channel.

TermWhat it isChannel
PhishingMass, generic lures sent to manyEmail
Spear phishingPersonalized to a specific person, using researched detailEmail
WhalingSpear phishing aimed at a 'big fish' — an executiveEmail
SmishingPhishing via SMS text messagesText
VishingVoice phishing — a phone call with a pretextPhone
QuishingMalicious QR codes leading to fake sitesQR code

The trend is toward targeting. Generic phishing has a low hit rate, so attackers invest in research — your job title, your colleagues' names, a recent company event scraped from LinkedIn — to craft a message that fits your world perfectly. A spear-phishing email referencing a real project you are working on is worlds more convincing than "Dear valued customer."

Pro tip Channel-switching is a red flag. An email that pushes you to a text thread, or a call that asks you to check your email for a code, is often an attacker trying to escape the controls of any single system. Verify through an independent channel you initiate.

03 Business Email Compromise: The Quiet Billions

Ransomware gets the headlines, but business email compromise (BEC) quietly steals more money. There is no malware and often no malicious link — just a convincing email that redirects a payment. The FBI's Internet Crime Complaint Center attributes tens of billions of dollars in cumulative losses to BEC, making it one of the costliest cybercrimes there is.

The mechanics are simple and human. An attacker impersonates a CEO ("wire this urgently, I'm in a meeting, keep it confidential"), or a vendor ("we've changed our bank details — please update our account"), or hijacks a real email thread to slip in fraudulent invoice details at exactly the right moment. Because it exploits trusted relationships and normal business processes, technical defenses often never trigger.

The classic case: between roughly 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas defrauded Google and Facebook of over 100 million dollars by impersonating a real hardware supplier (Quanta Computer) and sending fake invoices to accounts-payable departments. Two of the most sophisticated technology companies on Earth paid, because the paperwork looked exactly right.

Watch out A change to payment or banking details is the single highest-risk request in any organization. Treat every such request as suspect until you confirm it by calling a known, previously-verified phone number — never a number from the email itself.

04 Deepfakes and the Voice on the Phone

For decades, "call to confirm" was the gold-standard defense against email fraud. AI is eroding that. Cheap voice-cloning can now mimic a specific person from a short audio sample, and real-time video deepfakes have moved from theory to active use.

In 2019, criminals used AI to clone the voice of a German parent-company chief executive and phoned the head of a UK subsidiary, who — recognizing the voice and even its slight accent — wired roughly 243,000 dollars to a fraudulent account. It was one of the first publicly reported voice-deepfake heists.

Then it scaled. In early 2024, a finance employee at the engineering firm Arup in Hong Kong joined what appeared to be a routine video call with the company's CFO and several colleagues. Every participant except the victim was a deepfake. Convinced by the familiar faces and voices, the employee authorized transfers totaling about 25 million US dollars.

Seeing is no longer believing. Hearing a familiar voice is no longer proof. The face and voice on the screen are now things an attacker can manufacture.
Pro tip Agree on out-of-band verification for high-value actions: a code word, a callback to a known number, or a second approver. When a live video or voice pressures you to move money now, that urgency is itself the tell.

05 Spot It, Stop It, Report It

You do not need to catch every trick — you need a reliable habit that trips the alarm. Run any unexpected message through a quick mental checklist:

  • Emotion. Does it make you feel urgent, afraid, or excited? That is the pressure lever.
  • Sender. Look at the actual email address, not just the display name. Look-alike domains (micros0ft.com, paypa1.com) are common.
  • Links. Hover to preview the real destination before clicking. On mobile, long-press. Where does it truly go?
  • Request. Does it want credentials, payment, gift cards, or a "quick favor"? Legitimate organizations do not ask for your password.
  • Verify. When in doubt, contact the sender through a channel you look up independently.

Then report. At work, forward suspicious mail to your security team or use the built-in "report phishing" button — you may be the early warning that protects hundreds of colleagues. As an individual, report to the platform, forward suspected phishing to the Anti-Phishing Working Group at reportphishing@apwg.org, and file financial fraud with the relevant authority (in the US, the FBI's IC3).

Insight Falling for a scam is not stupidity — it is being human on a bad day. Cultures that punish reporting drive incidents underground; cultures that make reporting easy and blameless catch attacks early. Report fast, without shame.

Field Glossary

Social engineering
Manipulating people into revealing information or taking actions that compromise security, by exploiting trust, emotion, and authority rather than technical flaws.
Phishing
Fraud that impersonates a trusted party — usually by email — to steal credentials, money, or access.
Spear phishing
A phishing attack personalized to a specific target using researched details, making it far more convincing than mass phishing.
Whaling
Spear phishing aimed at high-value targets such as executives, who can authorize large payments or access sensitive systems.
Business email compromise (BEC)
A scam that uses a convincing email to redirect a legitimate payment or wire transfer, often without any malware, causing tens of billions in cumulative losses.
Vishing
Voice phishing: a phone-based social-engineering attack using a false pretext, increasingly aided by AI voice cloning.
Deepfake
AI-generated synthetic audio or video that convincingly imitates a real person, now used to defeat 'call to confirm' verification.

Knowledge Check

Field Assessment

0 / 3

01 Which psychological lever is an attacker using when an email says 'Your account will be suspended in 1 hour unless you act now'?

02 What is the defining feature of business email compromise (BEC)?

03 Why is a request to 'update our banking details' considered especially high-risk?

ESC
↑↓ navigate jack in