BeginnerSocial Engineering Defence

Require out-of-band identity verification before any MFA reset or privilege escalation

The MGM Resorts breach and the Caesars Entertainment breach both began the same way: a caller to the IT helpdesk provided an employee's name (found on LinkedIn) and convinced the operator to reset MFA credentials over a phone call. With MFA reset, the attacker had full account access. Any request to reset MFA, change recovery methods, or grant elevated privileges must require verification through a separate, independent channel — a video call where the employee displays their physical badge, a manager confirmation via internal ticketing, or a physical visit to the help desk. The single phone call channel is broken by design.

More in Social Engineering Defence

All guides

beginnerfeatured

Verify wire transfer requests by calling a pre-registered number — never one from the email

Business Email Compromise (BEC) caused more than $3 billion in losses in 2022 alone. Every BEC attack involving a wire transfer succeeded because the victim called back a phone number from the fraudulent email, or did not call back at all. The defence is simple and absolute: any wire transfer request arriving via email must be verified by calling the requestor at a number already in your company directory or phonebook — not a number provided in the email. FACC lost €50 million because no one picked up the phone. Ubiquiti lost $46.7 million for the same reason. A 60-second phone call to a known number prevents these attacks entirely.

See: Ubiquiti BEC FraudSocial Engineering Defence

beginner

Train employees that urgency plus unusual channel is a red flag, not a reason to act faster

Virtually every social engineering attack combines two elements: urgency ("this is time-sensitive, act now") and an unusual communication channel ("my CEO emailed me on WhatsApp"). The urgency is designed to short-circuit the instinct to pause and verify. The unusual channel is used because the legitimate channel would fail verification checks. Train employees to treat these two signals as reasons to slow down and verify, not to act faster. The LastPass employee who received AI-cloned audio of their CEO's voice via WhatsApp correctly identified it as suspicious because it came through an unofficial channel with unusual urgency — and reported it rather than complying.

See: LastPass Deepfake AudioSocial Engineering Defence

intermediate

Conduct quarterly phishing simulations with immediate personalised coaching

Phishing simulations that simply report click rates produce marginal improvement. The most effective programmes deliver immediate, personalised coaching at the moment of failure: when an employee clicks a simulated phishing link, they see an explanation of what they missed and why it was deceptive. Studies show that this just-in-time training reduces repeat click rates by 50–70% compared to annual awareness videos. Simulate a range of attack types: credential harvesting pages, malicious attachments, BEC requests, and SMS phishing. Include AI-generated phishing emails that are grammatically perfect, since poor spelling is no longer a reliable indicator.

See: WormGPTSocial Engineering Defence