July

NIST PR.AT-2

“Preparing for the Inevitable”

Social Engineering

Artificial Intelligence has made it unsafe to trust your eyes and ears online. For a consulting firm, this means documented Standard Operating Procedures (SOPs) for verifying payment requests are what stands between a legitimate instruction and a multi-million dollar fraud.

Cautionary tale: The Deepfake CFO $25 Million Call

A finance worker at a multinational firm in Hong Kong was invited to a video conference with the company’s CFO and several colleagues. The “CFO” ordered a confidential transfer for a new acquisition, and the worker sent roughly US$25 million across a series of payments. It was later revealed that every person on that call, except the victim, was an AI-generated deepfake built from publicly available footage of the real executives.

The Lesson: AI can now convincingly mimic human voices and faces in real time. 'Visual proof' is no longer a valid security control. Verification must rest on 'what you know' (a pre-agreed secret) and on a channel you choose, not on 'what you see' or 'what you hear' in the call itself.

Understanding Social Engineering

Attackers exploit human psychology rather than technical vulnerabilities.

  • Vishing (Voice Phishing): Using phone calls, increasingly with AI voice cloning, to impersonate trusted authority figures.

  • Urgency & Secrecy: Scammers pressure you to act fast and keep the request quiet so you don’t have time to verify the facts.

  • Authority Bias: We are naturally inclined to obey requests from “executives” or “legal counsel” without questioning them.

Spotting the Signs

  • The “Confidential” Pivot: A request for money that requires you to bypass normal accounting or approval channels.

  • Technical Glitches: On video calls, deepfakes may show lip-sync errors, unnatural blinking, or “glitch” when the person turns their head or something passes in front of their face. Treat these as a reason to verify, not as your detection method: a clean-looking call proves nothing, as the Hong Kong case shows.

  • Strange Requests: A high-level executive asking a junior employee to handle a massive, secret financial transaction.

July Checklist

  • Establish a Challenge Word: Agree on an internal “safe word” for high-stakes requests, shared in person and never written anywhere it could be found on social media. The requester must supply it; never read it out to someone who asks you to confirm it, and rotate it if it is ever used on a suspicious call.

  • Verify Out-of-Band: If a boss asks for money on Zoom or by email, leave the call or thread and contact them on a number from the internal directory, or message them on Slack, to confirm. Never use a phone number, link or meeting invite supplied in the request itself, since the attacker controls those.

  • Challenge the Urgency: If a request demands that you “skip the process”, that is your cue to slow down and follow the process strictly. A genuine executive will accept a short delay for verification; a scammer cannot afford one.

Symbol Security

Ready to Implement This Month's Security Focus?

Deploy automated security awareness training with Symbol Security. Schedule simulations, track progress, and measure improvement across your organization.