Social-Engineer

Voice phishing is no longer a fringe threat.

Mandiant now ranks highly interactive voice phishing as the second-most observed initial access vector.

That matters because voice phishing is different from email phishing.

It is live.
It is interactive.
It adapts in real time.
It targets trust, process, identity, and decision-making.

Organizations cannot rely only on automated controls or traditional awareness training to defend against it.

They need to understand how their people and processes respond when someone is on the phone, applying pressure, impersonating authority, or asking for access.

Realistic social engineering assessments help identify where verification workflows, help desk procedures, and identity processes break down before attackers find them.

Every security decision begins with a human.

Social engineering is a human discipline, not just a security discipline.

In her conversation on Authentically Cyber with Kathy Chambers, Rosa Rowles shares how her journey from hospitality into social engineering shaped the way she approaches people, communication, confidence, and preparation.

She talks about:
• Navigating the field as an introvert
• Overcoming imposter syndrome
• Building confidence through experience
• Preparing for social engineering engagements
• Using communication skills in both professional and personal settings

What makes this conversation powerful is that it shows social engineering beyond the attack path.

It is about understanding people.
Building trust.
Reading context.
Preparing with intention.
And learning how to show up with confidence, even when the situation feels uncomfortable.

The episode is live on YouTube, and Kathy is encouraging people to join the conversation in the comments.

Watch the episode and leave Rosa a comment there.

Every security decision begins with a human.

The strongest defense against social engineering is not faster reactions.

It’s better habits.

Most attacks rely on people reacting before they pause.

A request feels urgent.
A name feels familiar.
A process feels routine.
A decision feels harmless.

That’s where risk shows up.

Stronger defense starts with simple habits:

• Pause before reacting
• Verify through a second channel
• Treat familiarity with caution
• Normalize slowing things down
• Focus on decision-making, not just detection

Awareness matters, but response habits are what help people make better decisions when the situation feels real.

People rarely make good decisions under attack conditions the same way they do during training.

Training environments are controlled.

Real-world attacks are not.

In reality, people are balancing:
• Deadlines
• Meetings
• Pressure
• Leadership requests
• Constant distractions

That’s what makes social engineering so effective.

Real-world attacks don’t just test awareness. They test judgment, trust, and decision-making under pressure.

AI is making social engineering more scalable.

But trust is still what makes attacks successful.

Voice cloning. Deepfakes. AI-generated conversations. Personalized phishing.

The technology is evolving fast—but attackers still rely on the same psychological triggers:
• Trust
• Urgency
• Familiarity
• Authority

That’s why organizations can’t treat AI-driven social engineering as only a technical problem.

Because the real target is still human decision-making.

Understanding how people respond under realistic AI-driven social engineering scenarios may reveal risks traditional metrics miss.

The next frontier of cybersecurity is human behavior.

Organizations are asking deeper questions about:
• Human behavior
• AI-driven manipulation
• Trust and influence
• Decision-making under pressure

Those conversations are now shaping:

• conferences
• law enforcement training seminars
• leadership discussions
• community security events like BSides

This month, SECOM speakers are contributing to those discussions across multiple audiences and events:
• Chris Hadnagy at WRITA
• Dr. Abbie Maroño speaking on behavioral science and leadership
• Rosa Rowles at BSides Tampa

Because every security decision still begins with a human.

The challenge with human risk isn’t awareness. It’s inconsistency.

An employee may respond securely in one situation…

…and make a completely different decision under a different set of operational pressures.

That’s what makes human risk difficult to measure.

Because behavior changes based on:
• Urgency
• Workload
• Environment
• Perceived authority
• Competing priorities

Completion rates and phishing scores may show progress…

…but they don’t always reflect how decisions change in real-world conditions.

That’s why human risk is often more dynamic and harder to quantify than organizations expect.

Why do social engineering attacks keep succeeding in Fortune 100 companies, even with mature security controls?

In our March blog, Shelby Dacko explains how process complexity, fragmented ownership, and urgency-driven workflows create exploitable gaps attackers routinely abuse. When employees trust handoffs, prior approvals, or familiar internal language, well-researched pretexts blend into normal operations, and traditional controls validate steps, not intent.

If you are ready to uncover where process friction and human behavior create risk in your organization, read the full article and see how Social-Engineer helps enterprises measure and reduce human-layer exposure before attackers do.

Read the March blog: How Process Complexity Enables Social Engineering in Fortune 100 Companies
👉 https://hubs.ly/Q0464rwb0

BSides Tampa is this Saturday!

Catch Rosa Rowles at 2:00 PM for her session:

The Voice of Deception: How Vishing Exploits Human Emotion

Vishing works because it targets trust, urgency, and emotion—not just technology.

Rosa will break down how attackers use voice-based manipulation to influence decisions and extract sensitive information.

Saturday, May 16
2:00 PM
BSides Tampa | Tampa, FL

Add this session to your schedule.