Social-Engineer

Voice phishing is no longer a fringe threat.

Mandiant now ranks highly interactive voice phishing as the second-most observed initial access vector.

That matters because voice phishing is different from email phishing.

It is live.
It is interactive.
It adapts in real time.
It targets trust, process, identity, and decision-making.

Organizations cannot rely only on automated controls or traditional awareness training to defend against it.

They need to understand how their people and processes respond when someone is on the phone, applying pressure, impersonating authority, or asking for access.

Realistic social engineering assessments help identify where verification workflows, help desk procedures, and identity processes break down before attackers find them.

Every security decision begins with a human.

AI is making social engineering more scalable.

But trust is still what makes attacks successful.

Voice cloning. Deepfakes. AI-generated conversations. Personalized phishing.

The technology is evolving fast—but attackers still rely on the same psychological triggers:
• Trust
• Urgency
• Familiarity
• Authority

That’s why organizations can’t treat AI-driven social engineering as only a technical problem.

Because the real target is still human decision-making.

Understanding how people respond under realistic AI-driven social engineering scenarios may reveal risks traditional metrics miss.

The next frontier of cybersecurity is human behavior.

Organizations are asking deeper questions about:
• Human behavior
• AI-driven manipulation
• Trust and influence
• Decision-making under pressure

Those conversations are now shaping:

• conferences
• law enforcement training seminars
• leadership discussions
• community security events like BSides

This month, SECOM speakers are contributing to those discussions across multiple audiences and events:
• Chris Hadnagy at WRITA
• Dr. Abbie Maroño speaking on behavioral science and leadership
• Rosa Rowles at BSides Tampa

Because every security decision still begins with a human.

The challenge with human risk isn’t awareness. It’s inconsistency.

An employee may respond securely in one situation…

…and make a completely different decision under a different set of operational pressures.

That’s what makes human risk difficult to measure.

Because behavior changes based on:
• Urgency
• Workload
• Environment
• Perceived authority
• Competing priorities

Completion rates and phishing scores may show progress…

…but they don’t always reflect how decisions change in real-world conditions.

That’s why human risk is often more dynamic and harder to quantify than organizations expect.