The Phone Call That Cost One Company $25 Million
In early 2024, an employee at engineering firm Arup joined a video call with what appeared to be the company's CFO and several colleagues. Every face on screen was a deepfake. The employee transferred $25 million across multiple transactions before anyone realized the entire meeting was fabricated by threat actors. That's not science fiction — that's the current state of social engineering attacks.
If you think your organization is too smart to fall for this, I've got bad news. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involved a human element — social engineering, errors, or misuse of credentials. The technical sophistication of your firewall is irrelevant when an attacker convinces your accounts payable clerk to wire funds to a new bank account.
This post breaks down exactly how social engineering attacks work in practice, the specific techniques I've watched evolve over two decades in security, and the concrete steps that actually reduce your risk. No theory. No hand-waving. Just what works.
What Are Social Engineering Attacks?
Social engineering attacks are deliberate manipulation of human psychology to gain unauthorized access to systems, data, or money. Instead of exploiting a software vulnerability, the attacker exploits trust, urgency, fear, or helpfulness — emotions every one of your employees carries to work every day.
The attacker's goal is almost always the same: get someone to take an action they shouldn't. Click a link. Share a password. Approve a transfer. Open a door. The delivery mechanism changes constantly, but the underlying psychology hasn't shifted in decades.
The 6 Techniques I See Threat Actors Use Most
1. Phishing — Still the Undisputed Champion
Phishing is the most common delivery mechanism for social engineering. The attacker sends an email, text, or message that impersonates a trusted entity (your bank, your boss, Microsoft, the IRS) with the goal of stealing credentials, installing malware, or extracting a payment directly.
I've reviewed phishing emails that were indistinguishable from legitimate Microsoft 365 notifications. The days of spotting phishing by broken English and Nigerian prince stories are long gone. Modern phishing kits clone login pages pixel-for-pixel, and adversary-in-the-middle kits go further: they proxy the real login page and relay the victim's password, one-time code and resulting session cookie to the attacker in real time, so a code from SMS or an authenticator app offers no protection against them.
2. Pretexting — The Long Con
Pretexting involves creating a fabricated scenario to extract information. The attacker might call your help desk pretending to be a new employee locked out of their account. They've already scraped LinkedIn for the employee's name, manager, and start date.
In my experience, pretexting calls succeed most often on Monday mornings and Friday afternoons — when help desk staff are rushed and less likely to follow verification procedures.
3. Business Email Compromise (BEC)
BEC is the most financially devastating form of social engineering. The FBI's Internet Crime Complaint Center (IC3) has consistently ranked BEC as the costliest cybercrime category, with billions in reported losses annually. Attackers compromise or spoof an executive's email and instruct a subordinate to make a wire transfer or change payment details.
What makes BEC hard to catch is that there is usually nothing for a gateway to scan: no malware, no attachment, no link. The payload is the request itself, an email that says "Please process this payment" from what looks like the CEO's account. The signals that do exist live in the headers (a Reply-To that differs from the From address, a lookalike domain, an external sender using an executive's display name) and in the business context of the request, such as a sudden change to a vendor's bank details.
4. Vishing and Smishing — Voice and Text Attacks
Voice phishing (vishing) and SMS phishing (smishing) have exploded. Attackers use spoofed caller IDs and AI-generated voice clones to impersonate executives, IT support, or bank representatives. The MGM Resorts breach in September 2023 reportedly started with a social engineering call to the help desk that lasted roughly 10 minutes. That single call led to a ransomware attack that reportedly cost the company roughly $100 million.
5. Baiting and Quid Pro Quo
Baiting uses the promise of something enticing — a USB drive labeled "Salary Data Q4" left in a parking lot, a link to a "leaked" document. Quid pro quo attacks offer a service in exchange for information: "I'm from IT support, I can fix your slow computer if you give me your login."
Both techniques exploit curiosity and the human desire to reciprocate. They work disturbingly well in environments without regular security awareness training.
6. Deepfake and AI-Powered Attacks
The Arup incident I mentioned isn't an outlier anymore. Generative AI has given threat actors the ability to clone voices from short audio samples and create convincing video in near real-time. I've seen demonstrations where a 30-second voicemail clip was enough to generate a full synthetic phone call.
This changes the threat model fundamentally. "I recognized their voice" is no longer a valid authentication method.
Why Technical Controls Alone Can't Stop Social Engineering
Here's what actually happens when an organization relies only on technology: the email gateway catches 95% of phishing. The remaining 5% hits inboxes. Of the phishing emails that reach a user, baseline simulation click rates commonly land somewhere between 10% and 30%. And it only takes one.
Spam filters don't stop a phone call to your front desk. Firewalls don't prevent an employee from reading a fake invoice and changing vendor payment details in your ERP system. Endpoint detection doesn't trigger when someone holds a door open for a "delivery driver" carrying a Raspberry Pi in a package.
Technical controls are necessary. They are not sufficient. The human layer is the attack surface, and it requires its own defense strategy.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report found the global average breach cost hit $4.88 million. Breaches involving social engineering and stolen credentials consistently rank among the most expensive because they take longer to detect. The longer an attacker has access, the more damage they do.
Organizations that invested in security awareness training and incident response planning saw significantly lower breach costs. This isn't a soft metric — it's a measurable financial difference.
If your organization hasn't implemented structured cybersecurity awareness training, you're leaving your most critical defense layer completely untrained.
How to Defend Against Social Engineering Attacks: Practical Steps
Build a Human Firewall Through Training
Awareness training works — but only when it's ongoing, realistic, and specific to the threats your employees actually face. Annual checkbox training doesn't change behavior. Monthly phishing simulations with immediate feedback do.
I recommend starting with a baseline phishing simulation to measure your organization's current click rate. Then implement regular training that covers the exact techniques I described above. Rotate scenarios. Include vishing. Test every department, including the C-suite.
If you need a structured program to get started, phishing awareness training designed for organizations can give you the framework and simulation tools to build real resilience.
Implement Verification Procedures That Can't Be Socially Engineered
Every financial transaction above a threshold should require out-of-band verification. If you get an email requesting a wire transfer, you call the requester at a known phone number, not the number in the email. Treat a change to a vendor's bank details the same way: confirm it with the vendor at the contact on file before the first payment goes to the new account. No exceptions. No urgency overrides this.
For help desk operations, implement callback verification and challenge questions that aren't available on social media. The MGM breach could likely have been prevented by a single callback to a verified number.
Deploy Multi-Factor Authentication Everywhere
Multi-factor authentication (MFA) remains one of the strongest defenses against credential theft from phishing. But not all MFA is equal. SMS-based codes can be intercepted through SIM swapping, and any one-time code, whether from SMS or an authenticator app, can be relayed through a phishing proxy because nothing in the code records where the user typed it. Push notification MFA is vulnerable to fatigue attacks where the attacker triggers dozens of prompts until the victim approves one; number matching (the user types a code shown on the login screen into the prompt) blunts push bombing but does nothing against a proxy that relays the whole session.
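A push-fatigue attack leaves a recognisable trace in the identity provider's logs: a burst of prompts to one user, a run of denials, and then an approval. The following is an added example, not code from the original post; it runs a sliding-window check over a constructed sample log in an assumed format (one push event per line: timestamp, `user=`, `result=`, `ip=`), with the window and threshold chosen as assumptions.

```python
"""Detect MFA push-fatigue ("push bombing") bursts in authentication logs.

Added illustrative example; not code from the original post. The log
format, window and threshold below are assumptions, as is the sample log.
Each line is assumed to be one push event:
    <ISO-8601 UTC timestamp> user=<name> result=<sent|denied|approved> ip=<addr>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 'bob' logs in normally; 'alice' is bombed with five
# prompts in two minutes, denies three, and finally approves one.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z user=bob result=sent ip=203.0.113.5
2024-03-04T08:01:15Z user=bob result=approved ip=203.0.113.5
2024-03-04T23:12:01Z user=alice result=sent ip=198.51.100.9
2024-03-04T23:12:08Z user=alice result=denied ip=198.51.100.9
2024-03-04T23:12:30Z user=alice result=sent ip=198.51.100.9
2024-03-04T23:12:35Z user=alice result=denied ip=198.51.100.9
2024-03-04T23:13:02Z user=alice result=sent ip=198.51.100.9
2024-03-04T23:13:09Z user=alice result=denied ip=198.51.100.9
2024-03-04T23:13:40Z user=alice result=sent ip=198.51.100.9
2024-03-04T23:14:05Z user=alice result=sent ip=198.51.100.9
2024-03-04T23:14:11Z user=alice result=approved ip=198.51.100.9
"""

WINDOW = timedelta(minutes=10)  # assumed burst window
MAX_PUSHES = 3                  # assumed: more prompts than this per window is abnormal


def parse_line(line: str) -> dict:
    """Parse one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text: str, window=WINDOW, max_pushes=MAX_PUSHES) -> dict:
    """Return {user: finding} for users with more than `max_pushes` prompts
    inside `window`. The finding records how many prompts and denials were in
    the burst and whether an approval followed a denial, which is the sequence
    that means the attacker now holds a session."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)

    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()  # events within `window` of the current one
        for rec in recs:
            recent.append(rec)
            while rec["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            pushes = sum(r["result"] == "sent" for r in recent)
            denials = sum(r["result"] == "denied" for r in recent)
            if pushes > max_pushes:
                # Keep overwriting so the final state of the burst is reported.
                findings[user] = {
                    "pushes": pushes,
                    "denials": denials,
                    "approved_after_denial": rec["result"] == "approved" and denials > 0,
                    "source_ips": sorted({r["ip"] for r in recent}),
                    "window_start": recent[0]["ts"].isoformat(),
                    "last_event": rec["ts"].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for user, f in detect_push_fatigue(SAMPLE_LOG).items():
        verdict = "COMPROMISED" if f["approved_after_denial"] else "ATTACK IN PROGRESS"
        print(f"{user}: {verdict} {f}")
```

The useful property of the denied-then-approved signal is that it separates a user who is merely being bombed (revoke the password, still time to act) from one who has given in (revoke sessions and tokens as well). In a real deployment the threshold should be tuned against the identity provider's normal prompt rate, and the alert should carry the source IPs so the analyst can block the login attempts at the edge.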
Phishing-resistant MFA using FIDO2/WebAuthn, whether a hardware security key or a platform passkey, is the gold standard. It resists phishing for a structural reason: the credential is scoped to the site's domain and the browser writes the real origin into the signed data, so a lookalike domain cannot obtain an assertion the genuine site will accept, and there is no code for the user to type into the wrong page. If your organization handles sensitive data, this isn't optional anymore. CISA's guidance on multi-factor authentication provides clear implementation recommendations.
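The difference between "a code the user types" and "an assertion bound to the origin" is easier to see in code than in prose. The following added example (not code from the original post or from any vendor) computes a TOTP code per RFC 6238 and shows that the server accepts it no matter which page the user typed it into, then models the WebAuthn side: the browser's rpId check and the relying party's challenge, origin and rpIdHash verification. The relying party's final public-key signature check is omitted here and noted as an assumption; the domains, secret and challenge are constructed.

```python
"""Why a relayed one-time code is accepted but a relayed WebAuthn assertion
is not. Added illustrative example, not code from the original post or any
vendor. The relying-party (RP) check implements the challenge, origin and
rpIdHash steps of WebAuthn assertion verification; the public-key signature
check that follows in a real RP is omitted here (assumption, noted below).
Domains, secret and challenge are constructed.
"""
import hashlib
import hmac
import json
import struct


# --- Side 1: TOTP (RFC 6238). The code depends only on (secret, time). ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_server_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Nothing in the digits records where the user typed them, so a proxy on
    a lookalike domain forwards them unchanged and the server accepts."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# --- Side 2: WebAuthn. The browser, not the page, writes the real origin
# into clientDataJSON, and it refuses to request a credential whose rpId
# does not match the page it is on. ---
def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Simplified browser rule: rpId must equal the origin's host or be a
    parent domain of it (real browsers also reject public suffixes)."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)


def browser_builds_assertion(origin: str, rp_id: str, challenge: str):
    if not browser_allows_rp_id(origin, rp_id):
        return None  # navigator.credentials.get() rejects the request
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def rp_verifies(assertion, expected_origin, expected_rp_id, expected_challenge):
    """Relying-party side: returns (accepted, reason)."""
    if assertion is None:
        return False, "no assertion produced"
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    # A real RP now verifies the signature over
    # authenticatorData || sha256(clientDataJSON) with the stored public key.
    return True, "ok"


def demo() -> dict:
    """Run the legitimate and the proxied flow for both factors."""
    secret, now = b"12345678901234567890", 1_700_000_000   # constructed
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"             # constructed, base64url
    real, phish = "https://bank.example", "https://bank-example.com"
    rp_id = "bank.example"
    code = totp(secret, now)  # the victim reads this off their phone
    return {
        # victim types the code into the phishing page; the proxy forwards it
        "totp_via_proxy": totp_server_accepts(secret, code, now),
        "webauthn_legit": rp_verifies(
            browser_builds_assertion(real, rp_id, challenge), real, rp_id, challenge),
        # phishing page asks the browser for bank.example's credential
        "webauthn_phish_request": rp_verifies(
            browser_builds_assertion(phish, rp_id, challenge), real, rp_id, challenge),
        # phishing page uses its own rpId and forwards the result
        "webauthn_phish_forward": rp_verifies(
            browser_builds_assertion(phish, "bank-example.com", challenge), real, rp_id, challenge),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The proxy wins on the TOTP side because the server's only question is "is this the right code for this secret right now?". On the WebAuthn side the browser never hands the phishing page a credential for `bank.example`, and even a forwarded assertion carries the attacker's origin in data the authenticator signed, so the relying party rejects it before the signature is ever checked.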
Adopt Zero Trust Architecture
Zero trust operates on a simple principle: never trust, always verify. Every access request is authenticated, authorized, and encrypted regardless of where it originates. If an attacker compromises one employee's credentials through a social engineering attack, zero trust limits what they can reach.
This means network segmentation, least-privilege access, continuous monitoring, and identity verification at every layer. It's not a product you buy — it's an architecture you build.
Create a No-Blame Reporting Culture
Here's something I've seen kill security programs faster than any threat actor: punishing employees who report mistakes. If someone clicks a phishing link and fears they'll be fired, they won't report it. The attacker then has hours or days of undetected access.
You want employees racing to report suspicious activity. Reward reporting. Celebrate catches. Make the security team approachable. The faster you detect a social engineering attempt, the less damage it causes.
How Do You Know If You're Being Socially Engineered?
Watch for these red flags in any communication:
- Unusual urgency: "This must be done in the next 30 minutes or we lose the deal."
- Authority pressure: "The CEO personally asked me to handle this quietly."
- Requests to bypass procedure: "Skip the usual approval process just this once."
- Emotional manipulation: Fear, excitement, curiosity, or sympathy designed to override critical thinking.
- Unusual communication channel: Your CFO suddenly texting you from a new number about a wire transfer.
- Requests for credentials or sensitive data: No legitimate IT department asks for your password. Ever.
If something feels off, it probably is. Verify through a separate, trusted channel before taking action.
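Several of the red flags above, and the BEC pattern described earlier, are visible in the message itself before anyone has to trust their gut. The following added example (not code from the original post) triages a raw email with Python's standard `email` module for the header-level tells of BEC: an executive's display name on a different address, a lookalike sender domain, a Reply-To that routes elsewhere, and urgency or payment-change language in the text. The organisation domain, executive roster, keyword lists and both sample messages are constructed assumptions.

```python
"""Header- and content-level triage for BEC-style messages.

Added illustrative example; not code from the original post. The organisation
domain, executive roster, keyword lists and the two sample messages are
constructed for illustration. The checks are deliberately header-based
because a BEC message usually carries no attachment or link to scan.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "acme-corp.example"                          # assumed
EXECUTIVES = {"jane doe": "jane.doe@acme-corp.example"}   # assumed roster
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today|quietly|"
                     r"confidential|before (?:noon|eod|close of business))\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|bank details|new account|account number|"
                     r"payment details|gift cards?)\b", re.I)

# Constructed sample messages.
BEC_SAMPLE = """\
From: "Jane Doe" <jane.doe@acme-c0rp.example>
Reply-To: <jane.doe.ceo@freemail.example>
To: accounts-payable@acme-corp.example
Subject: Quick favour

I need a wire of $48,500 sent to a new account today. I am in back-to-back
meetings, so handle this quietly and confirm once done.
"""

BENIGN_SAMPLE = """\
From: "Accounts Team" <ap@acme-corp.example>
To: all-staff@acme-corp.example
Subject: Expense reports

Reminder that monthly expense reports are due by Friday.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain: str, target: str) -> bool:
    """True if `domain` is a near-copy of `target`: identical after undoing
    common confusable swaps (0/o, 1/l, rn/m) or within one edit of it."""
    def norm(s):
        return s.lower().replace("0", "o").replace("1", "l").replace("rn", "m")
    return domain != target and (norm(domain) == norm(target)
                                 or edit_distance(domain, target) <= 1)


def triage(raw_message: str) -> list:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else None

    known = EXECUTIVES.get(display_name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append("display name of an executive on a different address")
    if from_domain != ORG_DOMAIN and looks_alike(from_domain, ORG_DOMAIN):
        flags.append(f"lookalike sender domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to routes to {reply_domain}")

    body = msg.get_payload() if not msg.is_multipart() else " ".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')} {body}"
    if URGENCY.search(text):
        flags.append("urgency or secrecy language")
    if PAYMENT.search(text):
        flags.append("payment or banking-change request")
    return flags


if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample) or ["no indicators"])
```

None of these indicators is proof on its own; a real executive does occasionally email from a phone, and "urgent" appears in plenty of honest mail. The point is that when three or four of them stack up on a message asking finance to move money, the message should be routed to the out-of-band verification step rather than to the person who can approve the payment.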
Social Engineering Is Evolving — Your Defenses Must Too
Threat actors don't stand still. The attacks I responded to five years ago look primitive compared to what I see today. AI-generated phishing emails have near-perfect grammar and personalization. Deepfake video calls are commercially viable for criminal groups. Voice cloning requires minimal source material.
Your defense strategy needs to evolve at the same pace. That means regular training refreshes, updated phishing simulations that incorporate new techniques, and continuous evaluation of your verification procedures.
The organizations that treat social engineering defense as a one-time project get breached. The ones that treat it as an ongoing program build genuine resilience.
Your Next Move
Start with an honest assessment. When was the last time your organization ran a phishing simulation? Do your employees know what vishing is? Does your help desk have a verified callback procedure? Can your finance team spot a BEC attack?
If you hesitated on any of those questions, you have work to do. The good news is that effective defense against social engineering attacks doesn't require a massive budget — it requires consistent effort and the right training foundation.
Build your baseline with cybersecurity awareness training that covers the full spectrum of social engineering techniques. Then layer in targeted phishing simulations for your organization to measure and improve real-world resilience.
The threat actors are already studying your employees. Make sure your employees are studying them back.