Social Engineering: Voice, Image, Context

What Has Changed

In the past, a blunt phishing link was enough. Today, attacks come in a business-like guise – including correctly spelled names, real signatures, and precise timing. AI generates voices, faces, and meeting invitations; deepfakes imitate managers, suppliers, or authorities. At the same time, adversary-in-the-middle (AitM) attacks bypass classic MFA flows by capturing sessions live. This is not science fiction; it’s everyday reality. The weak point is rarely the technology – it’s rushed approvals, missing call-backs, and a “you’ll manage it” mindset.

Tactics That Work Today

• Voice imitation + time pressure: A “boss call” shortly before the end of the day, paired with “approve urgently.” The content is trivial, but the context is perfect.
• Calendar injection: Real meeting invitation with a disguised link; participant list looks legitimate.
• AitM against MFA: Login via fake portals, tokens are stolen, sessions hijacked – despite “MFA in place.”
• Supplier spoofing: Change of bank account “due to a merger.” Supporting documents look real, attachments are neatly formatted.
• Post-compromise phishing: After initial access, attackers send real emails from real mailboxes – any “checks” appear positive.

Where Companies Fail (Honestly)

Two weaknesses are constant: missing process anchors and unclear responsibilities. Many policies are PDF decoration, not lived behavior. There are no mandatory out-of-band checks, no four-eyes principle for financial transactions, and helpdesk or departments are not obliged to report “strange calls” immediately. In addition, legacy flows are left open (Basic/IMAP), making MFA ineffective in reality.

How to Stop Social Engineering – In Practice

Focus on behavior first, then technology. The order is intentional.

1. Process over personality cult. No payment, account change, or privilege escalation without documented counter-check via a second, known channel. No exception bonus for “important” people – they are the ones imitated.
2. Mandatory out-of-band rituals. Predefined callback numbers (from internal directory), code words for sensitive approvals, callback only via centrally stored contacts – not the number from the email.
3. Phishing-resistant login. MFA with passkeys/FIDO2, disable weak protocols, session re-challenge on risk. Against AitM, technology plus context checks help (e.g., domain binding, device binding).
4. Take least privilege seriously. The fewer permanent rights, the smaller the impact of coerced approvals. Time-based admin rights (JIT) reduce pressure situations.
5. Realistic exercises. No slides. Simulate boss calls, supplier changes, calendar invites – including time pressure and “please do quickly.” Goal: make the stop-signal (“call back!”) reflexive.

Processes for Money & Identity Changes (Minimal Standard)

• Four-eyes principle for all payments over threshold X and for any bank data changes.
• Two-channel verification: Callback via internally maintained number plus written confirmation using a stored template.
• Blocking period: New bank data activated only after documented verification chain.
• Supplier whitelist: Changes only if the requesting person and channel match a stored record.
• Audit trail: Every approval generates a ticket with timestamp, verification steps, and participants. No ticket – no change.

Technology That Really Helps (Without Vendor Names)

• Email authentication & anomaly detection (SPF/DKIM/DMARC + heuristic checks) reduce noise – but never replace the process.
• Link/attachment policies with pre-execution checks, sandboxing for unknown files, and blocking known abuse flows.
• Browser isolation for high-risk targets (Finance, HR) when opening external links from emails or calendars.
• Session security: Token binding to device/browser, short validity, automatic logout on context change.
• Identity telemetry: Impossible travel, role deviations, unusual approvals → immediate query/step-up auth.

Metrics That Matter (And Apply Pressure)

• Verification rate for money/identity changes: proportion of cases with successful two-channel checks.
• Time-to-verify: Time from request to completed counter-check – goal is fast and strict.
• Reporting rate: Proportion of employees reporting suspicious contacts/calls.
• AitM block rate: Blocked/aborted attempts thanks to domain/device binding.
• Push-fatigue events: Thwarted MFA spam attempts and number of disabled “click-to-approve” flows.
• Exercise success: Rate of passed real-scenario simulations (boss call, supplier change) – without warning.

Common Objections – Answered Calmly

• “It slows down our business.” – Correct. It only slows down what moves money or changes identities. Everything else continues.
• “Our people would notice this.” – Until stress, vacation, or shift changes occur. Processes protect people – not the other way around.
• “We have MFA.” – If AitM captures sessions or legacy flows are open, that’s cosmetic. Harden or disable.

Conclusion

Social engineering is precise, polite, and credible. Relying on gut feeling loses. Enforcing processes, hardening MFA against AitM, and practicing realistic scenarios drastically reduces hit rates – measurable in verification and exercise metrics. This is not optional; it’s damage control in euros and hours. In short: train a counter-voice, mandate callback, keep rights minimal. Then “please approve quickly” becomes “wait, we’re checking this” – and that saves money, data, and nerves.

FAQ about blog post