Overview
Social Engineering, also known as human hacking, has been a common theme of TADSummit’s cybersecurity sessions in 2025.
Social engineering in cyber security refers to the psychological manipulation of individuals to perform actions or divulge confidential information that compromises security.
Instead of exploiting technical vulnerabilities, it relies on human error and trust to gain access to systems, networks, or sensitive data. Attackers use various techniques to deceive and trick victims into revealing information, installing malware, or granting access.
Here’s Enrico and Matt’s book, “Social Engineering 2030” on Amazon: https://www.amazon.co.uk/dp/B0FJY5W16N?&linkCode=sl1&tag=vishr-21&linkId=954da2e10a7ce59178b8bb03734f0c34&language=en_GB&ref_=as_li_ss_tl. The important shift is the quality and scale AI now enables.
BTW, Bohdan is seeking a new employment opportunity. We’ve discussed the importance of culture in cybersecurity; check out the SKT Hack Debrief. Bohdan’s cybersecurity expertise, in addition to his years in messaging, makes him an impressive asset. Here is Bohdan’s LinkedIn post about his search.
The Book: Social Engineering 2030
Matt Holland is the CTO & Co-founder of Vishr.ai (we did a podcast on them here), which uses AI to train employees against vishing (voice phishing). He is also CTO/CISO & Co-founder of seedata.io, co-founded with Enrico, brings over 30 years of cybersecurity expertise from large corporations to start-ups, and is now an author.
Vishr has been a driver for the creation of the book: talking to customers highlighted that they fear social engineering and the impact AI is having. The changes are happening much faster than they expected. Scattered Spider is a prolific criminal group responsible for many recent attacks, e.g. M&S. The BBC did a good report on what happened to M&S at the hands of Scattered Spider. Voice in social engineering is part of their skill set. They tend to target the IT helpdesk and convince an employee to allow access.
SCATTERED SPIDER typically pivots from compromised Entra ID (Azure Active Directory (Azure AD), a cloud-based identity and access management service), SSO, and VDI (Virtual Desktop Infrastructure) accounts to integrated software-as-a-service (SaaS) applications. They use access to these platforms to search for data that enables lateral movement (such as network architecture diagrams, VPN instructions, or text files containing credentials), extortion, or other monetization activity.
The number of criminals using social engineering has risen dramatically; as mentioned in the Vishr.ai session, voice AI attacks have risen 442%. AND the sophistication behind the ‘cons’ has also risen. AI has not only raised the quality and scale, it now tunes the quality to the channel. Spelling is often correct, but common grammar errors and verbal inflections are introduced to make it appear ‘more’ real.
Voices can be cloned today in 60 seconds, whereas 1 year ago it was a rare specialized skill. Convincing people is an old skill; in Matt and Enrico’s book, they share how the Eiffel Tower was sold five times over by a crook pretending to be a government official.
I reframed it as: social engineering is the art of the con.
Instead of hacking systems or using software vulnerabilities, attackers exploit human psychology to gain access to sensitive data such as passwords, bank details, or personal information.
Some common social engineering tactics include:
- Phishing: Sending emails or messages that appear to be from a legitimate source (e.g., a bank or employer) to deceive individuals into sharing sensitive information.
- Pretexting: Creating a fabricated scenario to obtain sensitive information. For example, pretending to be a company representative or authority figure to gain trust.
- Baiting: Luring victims with promises of something enticing (like free software, gifts, or movie downloads) to get them to click on malicious links or hand over personal details.
- Tailgating: Physically following someone into a secure area without proper credentials or permission, often by exploiting common courtesies like holding the door open for someone.
- Impersonation: Pretending to be someone else to gain access to restricted information or systems, often by mimicking authority figures or trusted individuals.
The goal of social engineering is to bypass security measures by exploiting human vulnerabilities, making it a dangerous and effective tool for cybercriminals.
Dr Cialdini’s Compliance Professionals
There are several references made to Dr. Cialdini’s book on “compliance professionals” – people engaged in hardcore door-to-door selling such as second-hand car salesmen, multi-level marketing (read Amway) professionals, etc. He talks about the following 6 techniques adopted by these professionals:
- Reciprocation: We are hard-wired to respond to a favor, often not in direct proportion to the size of the favor done to us. One such example given by Cialdini is the aid given in 1985 by Ethiopian Red Cross to earthquake victims in Mexico as repayment of aid given by Mexico when Ethiopia was invaded by Italy, way back in 1935!
- Commitment and Consistency: Once we have made a choice or taken a stand, we will encounter personal and inter-personal pressures to behave consistently with that commitment.
Practical exploitation: During one such test, we posed as auditors and started interviewing the system administrators. After a couple of days of helping us out with information, they led us to the other departments in the organization and further facilitated our “audit”. It was only on the 5th day that someone raised an alarm, but during the first few days, once the personnel had hard-wired themselves into co-operating with us, they just went all the way, without even checking our credentials!
- Social Proof: One means we use to determine what is correct is to find out what other people think is correct. The principle applies especially to the way we decide what constitutes correct behavior.
Practical exploitation: This is most simply exploited during a social engineering test by leveraging the power of social networking sites such as LinkedIn and Facebook. An attractive enough profile with other members of your organization linked to it is highly likely to make you add it to your network as well, with no clue as to the profile’s veracity.
- Liking: Few people would be surprised to learn that, as a rule, we most prefer to say yes to the requests of someone we know and like.
Practical exploitation: Our most successful attempts have involved sending our more likeable people across asking for help or requesting information to complete a “college project”. These individuals are usually well-groomed, smart, personable, and possess decent levels of charm or naivete to get the other person to comply.
- Authority: The famous Milgram experiments show the power of authority in comparison to all the other factors listed here. The real culprit is our inability to resist the psychological power wielded by the person in authority.
Practical exploitation: We have seen this work in numerous ways by faking authority letters purporting to come from some government agency or from the managing director of the company. A lot of the time the recipient will simply comply with the request. The same effect is seen when, depending on which car one is in and how one is dressed, the security guard at the gate adjusts his level of obsequiousness.
- Scarcity: Collectors of everything from baseball cards to antiques are keenly aware of the influence of the scarcity principle in determining the worth of an item.
Practical exploitation: One of the most common tactics is to build time pressure. The scarcity of time often makes people comply with requests in violation of their policies and their own common sense. We have used this on numerous occasions be it with a security guard or with a system or network administrator.
For other interesting social engineering experiments, check out “The Real Hustle”, which shows how easily we as humans fall prey to the smart hustler who sweet-talks his or her way into social engineering us.
Awareness and Changing the Language of Criminal Behavior
Aaron brought up an important dilemma in social engineering: where’s the line? Is this just good sales, or is this a con?
Bohdan shared his study of voice ID used for service login at several banks, which is clearly a risk given the ease of voice cloning. This led on to a discussion about avoiding victim blaming, instead supporting the victim and helping them avoid future incidents – awareness is critical. A term used was “politely suspicious”. We all know such people; they’re the ones prepared for the world we’re entering.
Matt referenced a discussion with the NCA (National Crime Agency) on their Prepare, Prevent, and Protect awareness campaign, and the importance of the language used. People do not lose money, they have their money stolen; they are the victim of a crime. They did not fall for a con; they had a criminal use a con against them. It’s not victim blaming, rather victim supporting. We’re in a phase of awareness building, and encouraging people to share their experiences to benefit society.
It’s a 360-degree program, as the volume of thefts is rapidly growing, 442%!
Jack brought up an important counterintelligence view. You must assume an attack is likely and deny criminals room to operate in your domain. He referenced James Clear’s book, Atomic Habits. James Clear distils the basics of habit formation, so you can accomplish more by focusing on less. And similarly, deny criminals room to con you. Back to the politely suspicious phrase: politely asking for verification, and making that part of your identity.
Jack highlights it’s not about major shifts in behavior, just a few small ones. I asked whether we should stop using voice for identity. Jack countered that it could be as simple as a code word, so voice could still be used.
Bohdan highlighted the sophistication AI enables for social engineering, and the inevitable loss of trust that will build in society, which means more friction for transactions. I gave the example of my wife trying to use her driving license for travel within the US, given her license was not Real ID. In the end an agent who had access to previous travel records and the authority to decide helped my wife get on the flight. More friction. And my wife telling me I need to bring her passport to the airport now!
We had a discussion on whether governments are able to protect digital identity, including voice. The opinion is that criminals do not follow laws and regulations, so the role of governments is limited.
We finished on how Matt and Enrico protect themselves. Awareness and being politely suspicious are critical. If cybersecurity folks cannot protect themselves, what hope is there for the rest of society? Matt ended on the truism: we’ve been here before and survived, and will do again. I think this time awareness, training, and being politely suspicious are now essential for everyone, not just a few.