This morning, I got a text from my VP. It just said: “available?” It came from an unsaved mobile number and used his full name, “Michael”, instead of “Mike”. Red flag. I took a screenshot and forwarded it to my VP’s actual number. Sure enough, it wasn’t him. Scammer.

Now here’s the scary part: if I hadn’t noticed the odd language or number, how far could this have gone?

- A video call using AI to deepfake his voice or face?
- A fake purchase request like "we need 100K in SSDs pushed through, urgent!!"?
- A phishing attempt to gather intel about others in the org?
- Or worse, access to sensitive systems through social engineering?

I'm trained to spot this stuff. But what if I wasn't? What if this hit someone who trusts and acts without pausing?

That’s how real the human layer of cybersecurity is. It’s not always about firewalls or EDR. Sometimes it’s a split-second gut check that keeps your company safe.

If your team isn’t regularly tested or trained on how to handle this kind of thing, they should be. Awareness isn’t a checkbox. It’s a frontline defense.

Companies like KnowBe4, Cofense, Proofpoint, and Mimecast offer excellent solutions for training users to recognize and respond to social engineering attacks. If you’re not already using security awareness training as a first line of defense, you’re leaving your organization exposed.

#CyberSecurity #SocialEngineering #SecurityAwareness #ITLeadership #Phishing #BusinessEmailCompromise #AIImpersonation #HumanFirewall
If you fall for this... you should not even be able to transfer any amount in this scenario. "A fake purchase request like 'we need 100K in SSDs pushed through, urgent!!'?" Nope. That's not following procedure; if there are too many red flags, fail closed.
I mean, not to be too cynical, but that's three red flags right there. You really have to work hard to fall for that. Also, curious how you came to the conclusion it was from your VP if it was an unknown number and the wrong name?
Completely agree. Phishing and social engineering are so common. Nowadays, everyone should be trained in the basics of cybersecurity while they’re growing up in school. It should be part of our lives. Comically speaking, of course: should have responded with “nohello.net”?? Maybe the follow-up line would have been gift cards, ha!
I mean, isn't an unknown number already enough of a red flag?
Well said, Tim. Scary stuff.
I wish training platforms would take the time to be scientific. When looking at education for schools, there are studies that demonstrate why a method works or doesn’t work. Every vendor just pushes out training and tells you to do it. I see people trying different things, but no one using research to find better methods. Two decades in, and I still have to hope people don’t believe the CEO is going to contact them directly to buy gift cards.
This is such a powerful real-world example — and a critical reminder that no matter how advanced our tech stack is, the human element remains both our greatest vulnerability and our strongest defense. It’s easy to assume phishing or impersonation scams are obvious, but as this example shows, attackers are getting more nuanced — exploiting familiarity, urgency, and trust. Your point about "split-second gut checks" really resonates. Even seasoned professionals can be caught off guard without continuous exposure and training. Security awareness isn't a "one and done" — it needs to be embedded into the culture. Regular phishing simulations, scenario-based drills, and leadership buy-in are key to staying ahead. Thanks for sharing this. Every organization should treat moments like this not just as red flags, but as teachable moments.
I'm suspicious of anything that comes from a number I don't know.