How social engineering actually breaks a business
by Aaron Flack on Oct 14, 2025
European Cybersecurity Month highlights social engineering for good reason. Attacks now target people more than code. A cloned voice or a routine approval process can defeat an organisation that has good technical controls in place. Losses are avoided only when leadership treats social engineering as a business risk spanning people, processes and technology, rather than as an IT problem.
How an attacker really gets paid
Most incidents start with an ordinary moment. A calendar invite. A supplier email. A call from a familiar voice. Usually, the first click does not break the business. What happens next does.
-
The lure lands with the right context and timing. Finance receives a thread hijack about a live invoice. HR receives a fake payroll update. An exec’s PA sees a request that matches the diary.
-
The attacker builds trust by replying within an existing thread, spoofing a familiar domain, or using a convincing Teams or Zoom room. If questioned, they escalate to voice or video communication.
-
Inbox rules remove friction: they hide or delete the genuine counterpart's replies and forward or redirect the thread so that the attacker, not the victim, sees them. Where the attacker has a foothold in a shared mailbox, the conversation is moved there so nobody else in the team notices it.
-
Process gaps do the rest. The payment workflow allows an email confirmation instead of a call to a pre-approved number. The approver is travelling and accepts a calendar pop-up. The supplier bank change form is received without a verified callback.
-
Money moves. The controls functioned correctly, but their design assumed the request was authentic.
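The inbox-rule step above leaves a trace in the mailbox audit log, and that trace is one of the few technical detections available before money moves. As an added example (not part of the original post), the following Python flags rule creation or modification events that forward externally, delete mail, or park finance-related mail in folders users rarely open. The records are constructed for the example and follow the general Operation/Parameters shape of Exchange Online rule events; the field names, keyword list and hiding-folder list are assumptions to tune for your own tenant.

```python
"""Flag suspicious inbox rules in Exchange Online audit records (added example)."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Audit operations that create or change a mailbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Parameters that send a copy of matching mail elsewhere.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders users rarely open, so filing mail there effectively hides it (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
# Words that suggest the rule targets the payment conversation (assumed list).
FINANCE_KEYWORDS = ("invoice", "payment", "remittance", "bank", "wire",
                    "bacs", "iban", "sort code")


@dataclass
class Finding:
    user: str
    operation: str
    rule_name: str
    reasons: List[str] = field(default_factory=list)


def _params(record: dict) -> Dict[str, str]:
    """Flatten the record's [{"Name": ..., "Value": ...}] list into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "$true"}


def _addresses(value: str) -> List[str]:
    """Forwarding targets may be a ';' or ',' separated list."""
    return [a.strip().lower() for a in value.replace(",", ";").split(";") if a.strip()]


def _external(addresses: List[str], internal_domains: set) -> List[str]:
    return [a for a in addresses if "@" in a and a.rsplit("@", 1)[1] not in internal_domains]


def evaluate_rule(record: dict, internal_domains: set) -> Optional[Finding]:
    """Return a Finding for a rule event that hides or exfiltrates mail, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = _params(record)
    reasons: List[str] = []

    for key in FORWARD_PARAMS:
        ext = _external(_addresses(p.get(key, "")), internal_domains)
        if ext:
            reasons.append(f"{key} to external address(es): {', '.join(ext)}")

    if _truthy(p.get("DeleteMessage", "")):
        reasons.append("deletes matching messages")
    folder = p.get("MoveToFolder", "").strip().lower()
    if folder.split("\\")[-1] in HIDING_FOLDERS:   # value may carry a leading folder path
        reasons.append(f"moves matching messages to hidden folder '{p['MoveToFolder']}'")

    words = " ".join(p.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords",
                                            "SubjectOrBodyContainsWords")).lower()
    if any(k in words for k in FINANCE_KEYWORDS):
        reasons.append("matches finance keywords")
        if _truthy(p.get("MarkAsRead", "")):
            reasons.append("marks finance mail as read")

    # A keyword match alone is normal filing; report only when something hides or forwards mail.
    if all(r == "matches finance keywords" for r in reasons):
        return None
    name = p.get("Name") or p.get("Identity") or "(unnamed)"
    return Finding(record.get("UserId", "?"), record["Operation"], name, reasons)


def load_records(ndjson: str) -> List[dict]:
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def scan(records: List[dict], internal_domains: set) -> List[Finding]:
    return [f for f in (evaluate_rule(r, internal_domains) for r in records) if f]


# Constructed sample events (not real tenant data). Two model the thread-hijack pattern,
# one is a normal filing rule, and one is not a rule event at all.
CONSTRUCTED_AUDIT_LOG = """\
{"CreationTime": "2025-10-14T08:02:11", "Operation": "New-InboxRule", "UserId": "finance.lead@example.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank details"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}, {"Name": "StopProcessingRules", "Value": "True"}]}
{"CreationTime": "2025-10-14T08:03:40", "Operation": "Set-InboxRule", "UserId": "exec.pa@example.com", "Parameters": [{"Name": "Identity", "Value": "Travel"}, {"Name": "ForwardTo", "Value": "diary.exec@outlook.com; exec.pa@example.com"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2025-10-14T09:15:00", "Operation": "New-InboxRule", "UserId": "hr.partner@example.com", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "newsletter"}, {"Name": "MoveToFolder", "Value": "Reading"}]}
{"CreationTime": "2025-10-14T09:20:13", "Operation": "MailItemsAccessed", "UserId": "finance.lead@example.com", "Parameters": []}
"""

if __name__ == "__main__":
    for f in scan(load_records(CONSTRUCTED_AUDIT_LOG), {"example.com"}):
        print(f"{f.user} {f.operation} rule {f.rule_name!r}: {'; '.join(f.reasons)}")
```

The rule named "." with a finance keyword filter, "mark as read" and a move to RSS Feeds is the classic thread-hijack signature; the forwarding rule is caught because one target is outside the organisation's domains. A rule that only matches finance keywords is not reported on its own, which keeps the check quiet on ordinary filing rules.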
A short UK vignette
Social engineering does not happen in a vacuum; it can hit any business at any time. The following illustrates a pattern that has played out in the real world:
A professional services firm gets a Teams invite for a quick deadline project review. The finance lead joins and sees familiar faces. The chair asks for an urgent stage payment to secure the supplier’s capacity. The voice sounds familiar from previous calls. The screen shows the right contract reference. Three issues line up: no out-of-band verification, no segregation of duties for supplier bank changes, and no alerts for unusual payee risks.
Within an hour, five transfers go through. The bank spots the pattern later, not in time to stop it. Some funds are recovered; others are lost. There was no ransomware, no malware and no new exploit: just social proof, pressure and convincing detail, aided by AI-generated media and information lifted from compromised email accounts.
What changed this year
Phishing has moved from crude templates to tailored, convincing lures produced at scale. Artificial intelligence lets attackers write precise, idiomatic messages, generate realistic voice and video, and automate the research and follow-up that once limited targeted campaigns. UK guidance from the NCSC has been explicit about this progression. The result is more believable messages, sent in greater volume, harder to detect and quicker to deploy.
For leadership teams, this means traditional awareness tactics are no longer sufficient. Posters and annual training sessions fall short in countering synthetic voices or complex thread hijacking. The critical gap to bridge now lies in enhancing decision quality under intense time pressure. This responsibility primarily rests with finance approvers, executive assistants, budget holders, HR leaders, and IT service managers, who must work proactively to adapt to this evolving threat landscape.
Five controls that actually reduce loss
These are practical, budgetable measures that align to Cyber Essentials Plus and ISO 27001 Annex A, and they address people, process and technology together. The Annex A references below use the ISO/IEC 27001:2013 numbering; the 2022 edition regroups the same controls into A.5 organisational, A.6 people, A.7 physical and A.8 technological controls.
-
Payment verification that cannot be faked
Design the workflow so that no single channel can authorise a payment or bank change. Require a recorded callback to a number retrieved from a trusted system (the vendor master record), never from the request itself. Keep a pre-approved contact list for critical suppliers and review it monthly. Cyber Essentials does not assess payment processes; map this to ISO 27001 A.5 (information security policies) and A.15 (supplier relationships) in the 2013 numbering, A.5 organisational controls in the 2022 edition.
-
Risk-based authentication for finance and HR
Treat finance and HR like privileged access. Enforce phishing-resistant multi-factor authentication (FIDO2 or certificate-based) and conditional access tuned for role, device health and location. Alert on impossible travel and sudden changes in device posture. Map to the Cyber Essentials user access control requirement and ISO 27001 A.9 access control (2013 numbering; A.5.15 to A.5.18 and A.8.5 in the 2022 edition).
-
Just-in-time awareness for executives and PAs
Run short, scenario-led refreshers that focus on executive impersonation tells. Teach voice clone red flags, video lag cues, and how to pause a call without losing face. Provide a standard phrase that invokes the verification workflow. Measure attendance and behavioural change, not quiz scores. Map to ISO 27001 A.6 (organisation of information security) and A.7 (human resources security) in the 2013 numbering; A.6 people controls, including A.6.3 awareness and training, in the 2022 edition.
-
Phishing simulations tied to coaching, not blame
Simulate real executive impersonation, supplier fraud and calendar lures. Link results to targeted coaching within a week, not to the annual refresher. Capture evidence to support Cyber Essentials Plus assessment and board reporting. Track improvement by function, not only by click rate.
-
Board-level tabletop on executive impersonation
Run a 90-minute exercise that walks from a fake calendar invite to a contested payment. Include the CFO, COO, CISO, Head of Legal and the Payment Operations lead. Identify where to add friction without breaking delivery. Assign owners and deadlines. Repeat every six months.
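The first control above, and the three gaps named in the vignette (no out-of-band verification, no segregation of duties, no payee-risk alerts), can be written down as a gate that a payment system or finance bot must clear before a bank-detail change takes effect. The following Python is an added example, not the original post's or Conosco's code. Supplier records, staff names, the 020 7946 0xxx telephone numbers (Ofcom's reserved drama range) and the 90-day velocity window are constructed for the example; the digits-only phone comparison is a UK-only simplification.

```python
"""Gate a supplier bank-detail change behind checks the request itself cannot satisfy (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

CHANGE_VELOCITY_WINDOW = timedelta(days=90)   # a second change inside this window is a risk signal (assumed)


@dataclass(frozen=True)
class Supplier:
    """Vendor master record: the only trusted source for the callback number."""
    supplier_id: str
    verified_phone: str
    sort_code: str
    account_number: str
    last_bank_change: Optional[datetime] = None


@dataclass(frozen=True)
class BankChangeRequest:
    supplier_id: str
    new_sort_code: str
    new_account_number: str
    phone_in_request: str        # whatever the email or form claims; never dialled
    requested_by: str            # finance user who keyed the change
    approved_by: Optional[str]
    received: datetime


@dataclass(frozen=True)
class Callback:
    performed_by: str
    number_dialled: str
    recorded: bool
    confirmed: bool              # supplier confirmed the new details on the call


@dataclass
class Decision:
    status: str                  # "approved", "hold" or "rejected"
    reasons: List[str]


def normalise_phone(number: str) -> str:
    """Last ten digits, so '+44 20 7946 0123' equals '020 7946 0123' (UK-only simplification)."""
    return "".join(ch for ch in number if ch.isdigit())[-10:]


def verify_bank_change(req: BankChangeRequest, master: Dict[str, Supplier],
                       callback: Optional[Callback]) -> Decision:
    hard: List[str] = []   # any one of these rejects the change
    soft: List[str] = []   # these hold it for a second look
    supplier = master.get(req.supplier_id)
    if supplier is None:
        return Decision("rejected", ["supplier not in vendor master; onboard before changing details"])
    # 1. Out-of-band verification: a recorded call to the number held in the master record.
    if callback is None or not callback.recorded:
        hard.append("no recorded callback")
    else:
        if normalise_phone(callback.number_dialled) != normalise_phone(supplier.verified_phone):
            hard.append("callback was not made to the vendor-master number")
            if normalise_phone(callback.number_dialled) == normalise_phone(req.phone_in_request):
                hard.append("callback went to the number supplied in the request itself")
        if not callback.confirmed:
            hard.append("supplier did not confirm the change on the call")
        if callback.performed_by == req.requested_by:
            hard.append("requester performed their own callback")
    # 2. Segregation of duties: keying, verifying and approving are three different people.
    if not req.approved_by:
        hard.append("no approver")
    else:
        if req.approved_by == req.requested_by:
            hard.append("approver is the requester")
        if callback is not None and req.approved_by == callback.performed_by:
            hard.append("approver also performed the callback")
    # 3. Payee-risk signals: not a veto, but enough to pause and look again.
    if req.new_sort_code != supplier.sort_code:
        soft.append("bank changed (new sort code), treat as a new payee")
    if supplier.last_bank_change and req.received - supplier.last_bank_change < CHANGE_VELOCITY_WINDOW:
        soft.append("second bank change within 90 days")
    if hard:
        return Decision("rejected", hard + soft)
    return Decision("hold", soft) if soft else Decision("approved", [])


def run_scenarios() -> Dict[str, Decision]:
    """Constructed cases (not real data): the vignette as it happened, then two better-run variants."""
    master = {"SUP-042": Supplier("SUP-042", "+44 20 7946 0123", "12-34-56", "12345678")}
    now = datetime(2025, 10, 14, 11, 0)
    # The email says "call 020 7946 0999 to confirm"; that number belongs to the attacker.
    hijacked = BankChangeRequest("SUP-042", "65-43-21", "87654321", "020 7946 0999",
                                 "finance.lead", "finance.lead", now)
    clean = BankChangeRequest("SUP-042", "12-34-56", "87654321", "020 7946 0999",
                              "finance.lead", "head.of.finance", now)
    good_call = Callback("ap.clerk", "+44 20 7946 0123", recorded=True, confirmed=True)
    recently_changed = {"SUP-042": Supplier("SUP-042", "+44 20 7946 0123", "12-34-56", "12345678",
                                            last_bank_change=now - timedelta(days=20))}
    return {
        "vignette": verify_bank_change(hijacked, master, Callback("finance.lead", "020 7946 0999", True, True)),
        "clean": verify_bank_change(clean, master, good_call),
        "recent_change": verify_bank_change(clean, recently_changed, good_call),
    }
```

The vignette case is rejected for several independent reasons at once, which is the point of layering: the attacker only needs the callback to go to their own number, but the gate also notices that the same person keyed, verified and approved the change. The "hold" outcome for a recent second change is deliberately softer than a rejection, so the control adds friction where risk is elevated without blocking legitimate supplier churn.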
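The "impossible travel" and device-posture alerts in the second control are easy to describe and worth seeing as logic. The following Python is an added example (not from the original post) that walks each user's sign-ins in time order, computes great-circle distance and implied speed between consecutive events, and raises alerts for speeds no aircraft reaches, for a compliant-to-non-compliant device change, and for a device not seen earlier in the window. The sign-in events, the 900 km/h and 100 km thresholds and the field names are constructed assumptions; a real deployment would read these from the identity provider's sign-in log.

```python
"""Sign-in anomaly checks behind 'impossible travel' and device-posture alerts (added example)."""
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # about airliner cruise speed; faster than this is not travel (assumed)
MIN_DISTANCE_KM = 100.0           # ignore geolocation jitter between nearby IP ranges (assumed)


@dataclass(frozen=True)
class SignIn:
    """One successful sign-in with the geolocation and device posture the IdP attached to it."""
    user: str
    time: datetime
    lat: float
    lon: float
    city: str
    device_id: str
    compliant: bool


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str      # "impossible_travel", "posture_drop" or "new_device"
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(min(1.0, a)))


def detect(events: List[SignIn]) -> List[Alert]:
    """Walk each user's sign-ins in time order and compare every event with the previous one."""
    by_user: Dict[str, List[SignIn]] = {}
    for e in sorted(events, key=lambda e: (e.user, e.time)):
        by_user.setdefault(e.user, []).append(e)

    alerts: List[Alert] = []
    for user, seq in by_user.items():
        seen_devices = {seq[0].device_id}    # the first event in the window is the baseline
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.time - prev.time).total_seconds() / 3600.0
            if km >= MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                speed = "instant" if hours <= 0 else f"{km / hours:,.0f} km/h"
                alerts.append(Alert(user, "impossible_travel",
                                    f"{prev.city} -> {cur.city}, {km:,.0f} km in {hours:.2f} h ({speed})"))
            if prev.compliant and not cur.compliant:
                alerts.append(Alert(user, "posture_drop",
                                    f"compliant {prev.device_id} -> non-compliant {cur.device_id}"))
            if cur.device_id not in seen_devices:
                seen_devices.add(cur.device_id)
                alerts.append(Alert(user, "new_device", f"first sign-in from {cur.device_id} ({cur.city})"))
    return alerts


# Constructed sign-in events (not real telemetry). Coordinates are approximate city centres.
LONDON, LAGOS, MANCHESTER = (51.5074, -0.1278), (6.5244, 3.3792), (53.4808, -2.2426)
CONSTRUCTED_SIGNINS = [
    SignIn("finance.lead", datetime(2025, 10, 14, 9, 0), *LONDON, "London", "LAPTOP-FIN-01", True),
    SignIn("finance.lead", datetime(2025, 10, 14, 9, 40), *LAGOS, "Lagos", "UNKNOWN-ANDROID", False),
    SignIn("finance.lead", datetime(2025, 10, 14, 10, 0), *LONDON, "London", "LAPTOP-FIN-01", True),
    SignIn("hr.partner", datetime(2025, 10, 14, 8, 0), *LONDON, "London", "LAPTOP-HR-07", True),
    SignIn("hr.partner", datetime(2025, 10, 14, 11, 30), *MANCHESTER, "Manchester", "LAPTOP-HR-07", True),
]

if __name__ == "__main__":
    for a in detect(CONSTRUCTED_SIGNINS):
        print(f"{a.user} [{a.kind}] {a.detail}")
```

The finance lead's genuine London session and the attacker's Lagos session interleave, so the check fires twice on distance alone and once more each for the posture drop and the unknown device; the HR partner's London-to-Manchester trip at motorway speed produces nothing. In a conditional access policy the same signals would be the trigger for step-up authentication or a session block on finance and HR applications, not just an alert.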
Metrics that matter
Leaders should push for measures that reflect real exposure.
-
Percentage of supplier bank changes verified by recorded callback.
-
Time to challenge a high-risk payment request.
-
Adoption of phishing-resistant MFA on finance and HR systems.
-
Percentage of exec and PA cohort who have completed just-in-time training in the last 60 days.
-
Reduction in successful thread hijack-driven changes to payment details.
These metrics change behaviour because they sit where money moves and decisions are made.
Where Conosco helps
Conosco’s view is straightforward: controls, culture and choreography have to work together, because people, process and technology fail when treated separately. We tune conditional access and MFA to the roles criminals actually target. We deliver concise, respectful training that teaches people how to pause, verify and proceed with confidence. And we test the whole payment and approval path end to end, then adjust the controls so that no single point of failure remains.
Book a 30-minute social engineering risk review.
The session is designed for the CFO, COO, CISO and the IT manager who owns identity and access. It covers current exposure across finance, HR and executive workflows, Cyber Essentials Plus and ISO 27001 alignment gaps, a two-week stabilisation plan, and the three measures that cut risk fastest with the least friction. Choose a slot, bring one live supplier change example, and expect direct, practical guidance you can apply the same day.
Every October, European Cybersecurity Month drives a coordinated push across governments and industry to raise awareness of digital risk. Led by the European Union Agency for Cybersecurity (ENISA), the campaign’s 2025 focus is on social engineering and how attackers exploit trust, context and human behaviour rather than code. The aim is fluency: helping organisations recognise manipulation techniques, reinforce decision-making under pressure, and embed security thinking into everyday operations.