Social engineering and invoice fraud: what security teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Social engineering still underpins modern invoice fraud, vishing, and impersonation attacks because attackers exploit human trust rather than technical flaws, according to Abnormal AI’s Vision 2023 session with Rachel Tobac and James Linton. The governance problem is that awareness alone does not close the gap between human decision-making and adversary deception.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams reduce social engineering risk in identity workflows?

A: Start by identifying where a message, call, or chat can trigger a privileged action without a second verification step.

Q: Why do social engineering attacks still succeed in mature security programmes?

A: They succeed because many controls verify systems and identities, but not intent.

Practitioner guidance

  • Harden approval paths for sensitive requests: require a second verifier for bank detail changes, payment exceptions, password resets, and privileged access requests.
  • Treat support and recovery as privileged access: apply step-up verification, call-back rules, and tighter logging to help desk resets, identity recovery, and account unlocks.
  • Train staff on manipulation patterns, not slogans: use scenario-based exercises that cover urgency, authority, pretexting, and supplier impersonation.

What to expect at the briefing

Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:

  • Live discussion of how Rachel Tobac and James Linton executed their most notable social engineering attacks and what made them work.
  • Practical examples of what information attackers can gather from the impersonated victim and the target before they strike.
  • A deeper look at how the social engineering landscape is changing as employees become more alert to common pretexts.
  • Recorded webinar format with the original session context from Vision 2023 and CPE eligibility details.

👉 Watch Abnormal AI's Vision 2023 session on social engineering and fraud →

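The dual-control rule in the practitioner guidance above (second verifier, independent call-back channel, logged decision) expressed as a small policy check. This is an added example, not code from the post or from Abnormal AI; the action names, channel names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Actions the post treats as privileged: each needs a second, distinct
# verifier who confirms over a channel independent of the request itself.
SENSITIVE_ACTIONS = {
    "bank_detail_change", "payment_exception",
    "password_reset", "privileged_access", "account_unlock",
}
# Channels accepted as out-of-band confirmation (assumed names).
OUT_OF_BAND = {"callback_known_number", "in_person", "mfa_push"}

@dataclass
class Request:
    action: str
    requester: str                       # identity asking for the change
    request_channel: str                 # email, chat, phone, ...
    verifier: Optional[str] = None       # second person who confirmed
    verify_channel: Optional[str] = None # how they confirmed

def evaluate(req: Request, audit: list) -> bool:
    """Return True if the request may proceed; always append an audit line."""
    if req.action not in SENSITIVE_ACTIONS:
        ok, why = True, "not a sensitive action"
    elif not req.verifier:
        ok, why = False, "second verifier required"
    elif req.verifier == req.requester:
        ok, why = False, "verifier must differ from requester"
    elif req.verify_channel not in OUT_OF_BAND:
        ok, why = False, "confirmation must use an independent channel"
    else:
        ok, why = True, "dual control satisfied"
    audit.append(f"{'ALLOW' if ok else 'DENY'} {req.action} by={req.requester} "
                 f"via={req.request_channel} verifier={req.verifier} "
                 f"verify_via={req.verify_channel}: {why}")
    return ok

def demo() -> list:
    """Constructed sample requests mirroring common invoice-fraud pretexts."""
    audit: list = []
    # "Supplier" emails new bank details; nobody called back -> denied.
    evaluate(Request("bank_detail_change", "ap.clerk", "email"), audit)
    # The same clerk confirms their own change -> still denied.
    evaluate(Request("bank_detail_change", "ap.clerk", "email", "ap.clerk",
                     "callback_known_number"), audit)
    # Help-desk reset confirmed by a colleague via call-back -> allowed.
    evaluate(Request("password_reset", "helpdesk.1", "phone", "helpdesk.2",
                     "callback_known_number"), audit)
    return audit

if __name__ == "__main__":
    print("\n".join(demo()))
```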
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Human trust is the first control boundary, and attackers know it. This session reinforces that social engineering succeeds when organisations treat the human as the least predictable part of the identity chain. Technical authentication can be intact while the person still authorises the wrong action. The implication is that fraud and identity programmes must be measured against decision quality, not just authentication strength.

A few things that frame the scale:

  • Average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who should own social engineering defence across the organisation?

A: Ownership should be shared across IAM, security awareness, fraud prevention, finance, and help desk operations. Social engineering crosses these domains, so controls fail when each team assumes another one is responsible for the final verification step.

👉 Read our full editorial: Social engineering remains the present and future fraud threat
