GSA-02, General Security Awareness Training
Estimated Time: 25 minutes
By the end of this module, you will be able to: recognize how attackers manipulate human psychology, identify modern phishing techniques including AI-generated lures, and know how to report suspicious communications.
Social engineering is the art of manipulating people into giving up information or taking actions that compromise security. It's the oldest trick in the book, predating computers entirely. Con artists have been exploiting trust, fear and authority for centuries. The only thing that's changed is the delivery mechanism.
Here's the critical thing to understand: social engineering doesn't exploit stupidity. It exploits psychology. Specifically, it exploits the mental shortcuts your brain uses to process information quickly. These shortcuts (cognitive scientists call them heuristics) are the same ones that help you navigate a busy day without analyzing every single decision from scratch. They're useful. They're necessary. And they're exactly what attackers target.
Think of it this way. If someone in your office walked up to you wearing an IT badge and said, "I need to check your laptop for a security update," most people would hand it over without a second thought. You wouldn't demand to see their employee ID, call the help desk, and verify the request. You'd use a mental shortcut: "They look like IT, they sound like IT, this seems reasonable." That shortcut is what social engineering exploits.
The difference between a social engineering attack and a random scam is targeting. Scams cast a wide net and hope somebody bites. Social engineering is researched, personalized, and crafted to exploit specific trust relationships, organizational structures, and individual behaviors. The attacker has done their homework on you, your company, or both.
In his 1984 book Influence, psychologist Robert Cialdini identified six principles of persuasion: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity. Those principles still form the backbone of virtually every social engineering attack, and the first six triggers below (urgency, authority, fear, reciprocity, social proof, and trust) are the forms they take in an attacker's hands. Modern security research adds two triggers, curiosity and greed, that operate independently and deserve their own spotlight. Together, these eight triggers make up the attacker's psychological toolkit. Understanding them is your most powerful defense, because once you can name what is happening to you, it loses most of its power.
Urgency
How it works: The attacker creates time pressure that forces you to act before you can think. Your brain shifts from analytical mode to reactive mode, and that's exactly where they want you.
What it sounds like:
Why it works: Under time pressure, humans default to fast, instinctive decision-making. We skip the steps we'd normally take (verifying the sender, questioning the request, checking with a colleague) because the perceived cost of delay feels higher than the perceived cost of acting.
Your defense: Urgency is the single most common trigger in phishing attacks. When you feel rushed by a message, treat that feeling itself as a red flag. Legitimate requests almost never require you to act within minutes. Take a breath, slow down, and verify through a separate channel.
Authority
How it works: The attacker impersonates someone with power over you or your organization. A message from "the CEO," "your bank," "the IRS," or "the IT security team" carries weight precisely because you're conditioned to comply with authority figures.
What it sounds like:
Why it works: Stanley Milgram's famous obedience experiments in the 1960s demonstrated that ordinary people will follow instructions from perceived authority figures even when those instructions conflict with their own judgment. Attackers exploit this same instinct. When a request appears to come from someone above you in the hierarchy, questioning it feels risky. Complying feels safe.
Your defense: The more authority a message claims, the more skeptically you should treat it. Executives don't typically email individual employees asking for urgent wire transfers. Banks don't ask for your password by email. IT doesn't need you to click a link to verify your identity. When authority and urgency appear together in the same message, that combination is the hallmark of social engineering.
Fear
How it works: The attacker threatens a negative consequence: account suspension, legal action, data loss, job consequences. Fear narrows your focus to the immediate threat and suppresses the critical thinking that would normally help you spot the deception.
What it sounds like:
Why it works: Fear activates your fight-or-flight response. In that state, your brain prioritizes survival over analysis. You're not evaluating whether the email is legitimate. You're reacting to the threat.
Your defense: Ask yourself: "Would a legitimate organization communicate this way?" Banks don't threaten account termination by email. Your company's legal team doesn't send demands through a random Gmail address. If a message makes you feel panicked, that panic is the attack working. Pause before you act.
Reciprocity
How it works: The attacker gives you something (information, a favor, a "free" tool) and then asks for something in return. The social obligation to reciprocate is deeply ingrained.
What it sounds like:
Why it works: Reciprocity is one of the strongest social norms across virtually every culture. When someone does something for you, refusing a return request feels rude, even if the original "favor" was unsolicited.
Your defense: Be skeptical of unsolicited gifts, especially digital ones. Free security scans, unexpected attachments, and surprise "tools" are common bait. If someone you don't know well asks for something after offering you something, that sequence is worth examining.
Social Proof
How it works: The attacker implies that others have already complied with the same request, making it seem normal and expected.
What it sounds like:
Why it works: Humans are social creatures. When we're uncertain about the right course of action, we look to what others are doing. If "everyone else" has already done it, the request must be legitimate. Attackers manufacture this social proof to reduce your resistance.
Your defense: You can't verify what other people did or didn't do based on a claim in an email. The fact that a message references other people's behavior should make you more skeptical, not less. If the request is legitimate, you can verify it through normal channels regardless of what "everyone else" has supposedly done.
Liking and Trust
How it works: The attacker builds rapport, finds common ground, or impersonates someone you already trust. People are far more likely to comply with requests from someone they like or believe they know.
What it sounds like:
Why it works: Trust is efficient. We extend it to people within our social and professional circles because constantly verifying everyone's identity would be exhausting and impractical. Attackers insert themselves into those trust relationships by impersonating people you already know or by demonstrating insider knowledge that makes them seem legitimate.
Your defense: If a request is unusual, verify it regardless of who appears to be sending it. Email addresses can be spoofed. Writing styles can be mimicked (especially by AI). Internal terminology can be learned from your company's website, job postings, and LinkedIn profiles. Judge the request, not the apparent sender, and verify through a different channel when something feels off.
Curiosity
How it works: The attacker dangles something intriguing, mysterious, or seemingly relevant and counts on your natural desire to find out more. Unlike urgency or fear, curiosity doesn't create stress. It creates interest, which makes it sneaky. You don't feel pressured. You feel pulled.
What it sounds like:
Why it works: Curiosity is one of the strongest human drives. Researchers have shown that an "information gap," the feeling of knowing that something exists but not knowing what it is, creates a psychological itch that people will go out of their way to scratch. Attackers exploit this by crafting subject lines, file names, and messages designed to make you feel like you need to know what's inside. The content doesn't even have to be threatening. It just has to be interesting enough to click.
Your defense: If a message exists purely to make you curious, with no clear business context for why you'd be receiving it, that's a signal worth pausing on. Ask yourself: "Was I expecting this? Does this fit into a workflow I'm actually part of?" Unsolicited attachments, mystery links, and "you have to see this" messages are classic curiosity bait. When in doubt, verify with the apparent sender before opening.
Greed
How it works: The attacker offers something valuable: money, a prize, an exclusive opportunity, a gift card, a bonus, or access to something you'd normally have to pay for. The offer is designed to override your skepticism by making the potential reward feel too good to pass up.
What it sounds like:
Why it works: The prospect of gaining something valuable activates the same reward circuits in the brain that drive impulse purchases. When something feels like a windfall, your critical evaluation drops because you want it to be real. Attackers exploit this by calibrating the offer to be enticing but plausible. They won't promise you a million dollars (too obvious). They'll promise you a $200 gift card (just believable enough to click).
Your defense: If something arrives unsolicited and offers you something of value, be suspicious. Legitimate bonuses, refunds, and rewards are processed through known internal systems, not through links in unexpected emails. Ask yourself: "Did I do anything to earn or expect this?" If the answer is no, the offer is almost certainly the bait.
In the real world, attackers rarely rely on a single trigger. The most effective social engineering attacks layer two or three triggers together, creating a psychological pressure that's much harder to resist than any one trigger alone.
Consider this email:
"Hi [Your Name], this is David Chen from the CEO's office. I need you to process an urgent vendor payment before our 5 PM deadline today. The CFO has already approved it (see attached). Please keep this confidential as it's related to a sensitive acquisition. I've included a $25 Starbucks gift card as a thank-you for handling this on short notice."
Count the triggers:
That single message hits six of the eight triggers simultaneously. Each one, individually, might not be enough to override your judgment. Together, they create a layered pressure where compliance feels like the path of least resistance and questioning the request feels socially risky.
This is why understanding the individual triggers matters so much. When you can identify them by name ("That's urgency. That's authority. That's a confidentiality request designed to isolate me from verification."), the spell breaks. The pressure doesn't disappear entirely, but it stops being invisible, and visible pressure is dramatically easier to resist.
"Phishing" is the umbrella term, but the family has grown considerably. Each variant targets a different channel and exploits slightly different behaviors. Here's how the whole family works.
The original and still the most common. The attacker sends an email that impersonates a trusted entity (your bank, a SaaS tool you use, a colleague, a shipping company) and tries to get you to click a link, download an attachment, or reply with sensitive information.
What a modern phishing email looks like: Forget the Nigerian prince. Modern phishing emails reference real services you use, replicate brand formatting pixel-for-pixel, and often come from domains that differ from the real one by a single character (amaz0n.com instead of amazon.com, or company-hr.com instead of company.com). Attackers also hide the real domain behind a familiar subdomain: in a hostname like okta.com.login-verify.net (a made-up example), the domain that matters is the one immediately before the top-level suffix, login-verify.net, not the okta.com at the front.
Example scenario: You receive an email that appears to be from your company's Okta administrator saying your MFA enrollment is expiring and you need to re-authenticate through the provided link. The email includes your company's logo, uses the same font as legitimate Okta emails, and references your actual username. The link goes to a page that looks exactly like Okta's login screen but is hosted on a domain registered 48 hours ago.
Phishing with research. Rather than sending the same email to 10,000 people, the attacker targets you specifically. They've studied your role, your projects, your colleagues, and your communication patterns. The email references real things in your work life, making it significantly harder to identify as fake.
Example scenario: You're a product manager who just posted on LinkedIn about launching a new feature. You receive an email from what appears to be a journalist at a tech publication asking if you'd be willing to do a quick interview. They include a link to "schedule a time" that leads to a credential-harvesting page disguised as a calendar booking tool.
The most financially devastating form of phishing. The attacker impersonates a senior executive (CEO, CFO, or general counsel) and instructs an employee to transfer funds, change payment details for a vendor, or share sensitive information. BEC attacks cost U.S. organizations over $2.7 billion in reported losses in 2024 alone, according to the FBI.
What makes BEC different: These emails often contain no links and no attachments. They're pure social engineering: a text-only email that looks like it came from your boss, asking you to do something that falls within your normal job responsibilities. Because there's no malicious payload, email security filters frequently miss them.
Example scenario: The controller receives an email from what appears to be the CEO's personal email address: "I need you to process a wire transfer for a confidential acquisition we're closing today. I'll send the details shortly. Please keep this between us for now. I'm in meetings all day so email is best." The confidentiality request is deliberate. It isolates the target from the very people who would say, "Wait, that's not right."
Phishing via text message. Smishing exploits the fact that people tend to trust text messages more than emails and respond to them faster.
Example scenario: You receive a text that says: "USPS: Your package cannot be delivered due to an incomplete address. Update your information here: [link]." The link leads to a convincing USPS-branded page that asks for your name, address, and credit card number to "reship" the package. Variations include fake toll notifications, bank fraud alerts, and two-factor authentication codes.
Phishing by phone. The attacker calls you, impersonating tech support, your bank, a government agency, or a colleague, and uses conversation to extract information or direct you to take an action.
What makes vishing dangerous: Phone calls feel personal and immediate. It's much harder to critically evaluate a request when someone is speaking to you in real time, especially if they sound confident and knowledgeable. The social pressure to be polite and helpful on a phone call works in the attacker's favor.
Example scenario: You receive a call from someone identifying themselves as your company's IT help desk. They say they've detected unusual login activity on your account and need to verify your identity. They already know your name, your email address, and your department (all available on LinkedIn). They ask you to "confirm" your password or read back a verification code that was just sent to your phone. That code is an MFA prompt the attacker triggered by logging in with your credentials; reading it back completes their login.
The newest member of the family. Attackers place malicious QR codes in emails, on physical flyers, over legitimate QR codes on parking meters or restaurant menus, or in PDF attachments. When you scan the code, it takes you to a phishing site or triggers a malicious download.
Why quishing is effective: QR codes are opaque. Unlike a URL, which you can at least glance at before clicking, a QR code reveals nothing about its destination until you scan it. Because the URL is embedded in an image rather than written in the message, email link scanners often miss it, and the scan opens in your phone's browser, frequently outside the filters that would block the same link on a managed laptop.
Example scenario: You receive an email from "IT Security" with a PDF attached saying your company is rolling out a new authentication system. The PDF contains a QR code to "enroll your device." Scanning the code takes you to a credential-harvesting page. This attack surged in late 2023, with some organizations reporting a 20x increase in QR code phishing attempts in a single six-month period.
Everything above existed before generative AI. But AI has fundamentally altered the phishing landscape in three ways that make every variant more dangerous.
For years, security training taught people to look for spelling errors, awkward grammar, and generic greetings as signs of phishing. That advice is now obsolete.
Large language models produce flawless, natural-sounding text in any language, any tone, and any style. An attacker can feed an AI tool a sample of your CEO's writing and generate emails that match their vocabulary, sentence structure, and communication patterns. The output won't have typos. It won't have awkward phrasing. It will read exactly like a message from someone you know.
In controlled experiments, AI-generated phishing emails have proven as effective as or more effective than those written by professional human red teams. One ongoing study by Hoxhunt found that by early 2025 its AI phishing agent was 24% more effective at tricking employees than its elite human social engineers. The AI didn't get tired, didn't have off days, and improved with every iteration.
Before AI, spear phishing was expensive. An attacker had to manually research each target, craft a custom email, and send them one at a time. This limited spear phishing to high-value targets.
AI removes that constraint. An attacker can now feed a model a list of employee names and LinkedIn profiles and generate hundreds of personalized spear phishing emails in minutes, each referencing the target's real job title, recent projects, and professional connections. What used to be a hand-crafted, one-at-a-time operation is now automated. IBM researchers demonstrated that an AI could construct a sophisticated phishing campaign in five minutes using five prompts. The same task took a team of human experts 16 hours.
This means the old assumption ("I'm not important enough to be specifically targeted") no longer holds. When targeting is cheap, everyone gets targeted.
This is the development that should worry you the most. Modern AI tools can clone a person's voice from as little as three seconds of sample audio. Three seconds. That's less than a voicemail greeting.
Where do attackers get these voice samples? From the same places anyone can access: conference talks on YouTube, podcast interviews, company webinar recordings, earnings calls, and social media videos. Once they have the sample, they can generate a phone call that sounds exactly like your CEO, your manager, or your CFO giving you instructions.
The Arup case (reported February 2024): A finance worker at Arup, the multinational engineering firm, joined what appeared to be a routine video conference with the company's CFO and several senior leaders. Every face on the screen looked real. Every voice matched. The employee transferred about $25 million (HK$200 million) based on instructions given during the call. Every participant other than the victim was an AI-generated deepfake.
This case shattered the assumption that video calls are inherently trustworthy. If you're using "I'll just get on a call to verify" as your security check, attackers have already accounted for that.
The voice cloning landscape in 2025: Deepfake-related fraud losses in the United States reached $1.1 billion in 2025, triple the figure from the previous year. The number of deepfake incidents in the first quarter of 2025 alone exceeded the total for all of 2024. And research shows that people can correctly identify AI-generated voices only about 60% of the time, which is barely better than a coin flip.
The old advice ("look for typos") is dead. Here's what actually works in 2026.
Stop evaluating whether an email looks legitimate. Modern phishing emails look perfect. Instead, evaluate whether the request makes sense:
If the answer to any of these is yes, verify through a separate channel before acting.
This is the single most effective defense against every form of social engineering. If you receive a suspicious request by email, don't reply to the email. Pick up the phone and call the person at a number you already have (not a number provided in the suspicious message). If you receive a suspicious phone call, hang up and call the person back at their known number.
The "separate channel" part is critical. If an attacker has compromised someone's email, replying to that email just sends your response to the attacker. You need to use a completely different communication path to verify.
Email display names are trivially easy to fake. An email that shows "Jane Smith, CFO" in your inbox might actually come from jane.smith8847@gmail.com. Always check the actual sender address, not just the display name. And look carefully: attackers register domains like yourcompany-hr.com or yourcompanny.com (note the double 'n') that pass a quick glance.
On desktop, hover your mouse over any link before clicking it. The actual URL will appear at the bottom of your browser or in a tooltip. If the displayed link says "Sign in to Microsoft 365" but the actual URL points to microsoft-365-verify.sketchy-domain.com, don't click it. On mobile, long-press a link to preview the URL before opening it. Two caveats: the visible text and the destination can differ, so judge only the destination, and URL shorteners or link-rewriting services hide the final destination entirely. When the domain is unfamiliar or obscured, don't click at all; open the service by typing its address yourself.
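The two checks above, sender address against display name and link text against link destination, can be scripted. The following Python is an added example written for this module, not a tool the module or the training vendor ships; the TRUSTED_DOMAINS allowlist, the CONFUSABLES table and the SAMPLE_EMAIL message are all constructed for illustration.

```python
"""Added example (illustrative, not shipped with the module): flag lookalike sender
domains, display names that outrank their address, and links whose text names a
brand the href does not go to. TRUSTED_DOMAINS, CONFUSABLES and SAMPLE_EMAIL are
assumptions made for this example."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains this organization and its vendors genuinely use.
TRUSTED_DOMAINS = ("yourcompany.com", "okta.com", "microsoft.com", "amazon.com")
# Single-character swaps seen in lookalike domains (amaz0n, paypa1, rnicrosoft).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(s: str) -> str:
    s = s.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches yourcompanny.com-style typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain `host` imitates, or None if trusted or unrelated.
    Assumes the registrable domain is the last two labels (example.com);
    production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in TRUSTED_DOMAINS:
        return None                                  # okta.com, login.okta.com
    norm_host = normalize(host)
    norm_base = normalize(labels[-2] if len(labels) >= 2 else host)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # brand anywhere in the hostname (amaz0n.com, yourcompany-hr.com,
        # microsoft-365-verify.sketchy-domain.com) or one edit away from it
        if brand in norm_host or edit_distance(norm_base, brand) <= 1:
            return trusted
    return None


def check_sender(from_header: str) -> list:
    display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if not domain:
        return [f"From header has no usable address: {from_header!r}"]
    imitated = lookalike_of(domain)
    if imitated:
        return [f"sender domain {domain} imitates {imitated}"]
    if display_name and ".".join(domain.split(".")[-2:]) not in TRUSTED_DOMAINS:
        # "Jane Smith, CFO" <jane.smith8847@gmail.com>: the name carries the
        # authority, the address does not back it up
        return [f"display name {display_name!r} but address {addr} is outside trusted domains"]
    return []


class _Links(HTMLParser):
    """Collects (href, visible text) pairs: the scripted equivalent of hovering."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link {text!r} -> {host} imitates {imitated}")
            continue
        for trusted in TRUSTED_DOMAINS:   # text names a brand the href does not go to
            if trusted.split(".")[0] in text.lower() and not (
                host == trusted or host.endswith("." + trusted)):
                findings.append(f"link {text!r} -> {host} does not go to {trusted}")
    return findings


def analyze(raw_email: str) -> list:
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    return check_sender(msg.get("From", "")) + check_links(body)


# Constructed sample: CFO display name on a webmail address, brand hidden in a subdomain.
SAMPLE_EMAIL = """\
From: "Jane Smith, CFO" <jane.smith8847@gmail.com>
Subject: Urgent: re-authenticate before 5 PM
Content-Type: text/html

<html><body><p>Your MFA enrollment expires today.</p>
<a href="https://microsoft-365-verify.sketchy-domain.com/login">Sign in to Microsoft 365</a>
<a href="https://yourcompany.com/it">IT portal</a></body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run as a script it prints two flags for the sample: the CFO display name on a gmail.com address, and the "Sign in to Microsoft 365" link whose hostname merely contains the brand while the registrable domain is sketchy-domain.com; the genuine yourcompany.com link passes. Treat the output as triage input, not a verdict: an unfamiliar but legitimate vendor domain will also be flagged, which is exactly the moment to verify through a separate channel.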
If a message makes you feel a strong emotion (fear, urgency, excitement, guilt, obligation), recognize that feeling as a potential indicator of social engineering. Legitimate business communications rarely need to trigger a stress response. If you feel pressured, that pressure is data. Use it as a signal to slow down and verify.
Don't open unexpected attachments, even from people you know. If your colleague sends you an unexpected attachment, especially a zip file, macro-enabled document, or PDF with a QR code, confirm with them through a separate channel that they actually sent it. Compromised accounts are frequently used to distribute malware to the victim's contacts.
You will eventually receive a phishing email, a suspicious text, or a questionable phone call. It's not a matter of if but when. What you do next matters enormously.
If you haven't yet interacted with the suspicious message, don't. Don't click links, don't open attachments, don't reply, and don't call phone numbers provided in the message. Leave it alone.
Use your company's designated reporting process. For most organizations, this means one or more of the following:
Report quickly. If you received this phishing email, your colleagues probably did too. The faster the security team knows about it, the faster they can warn others and block the attack.
Don't panic, and don't try to hide it. If you clicked a link, entered credentials, opened an attachment, or transferred funds, report it immediately. A fast report is worth far more to the security team than the mistake costs, because every minute of delay gives the attacker more time to use whatever they obtained.
Specifically:
The single worst thing you can do is stay silent. Every major breach that spiraled out of control has a moment where someone knew something was wrong and didn't report it quickly enough. Your security team would rather hear about 100 false alarms than miss one real attack.
These are the most common phishing scenarios targeting companies like yours in 2025 and 2026. Knowing the patterns makes them dramatically easier to spot.
The fake MFA reset: An email or text claiming your multi-factor authentication is expiring and needs to be reconfigured. The link leads to a fake login page that captures both your password and the MFA code you enter and relays them to the real service while the code is still valid. A code you can type can always be phished this way; only phishing-resistant methods such as FIDO2 security keys and passkeys, which are bound to the genuine site's domain, defeat it.
The CEO wire transfer: An email from the CEO or CFO requesting an urgent, confidential wire transfer. Always verify by phone, no matter how legitimate it looks.
The vendor invoice change: An email appearing to come from an existing vendor saying they've changed their bank account details. The next payment goes to the attacker's account instead. Verify all banking changes by calling the vendor at a number you have on file.
The shared document notification: A fake Google Drive, SharePoint, or Dropbox notification claiming someone shared a document with you. The link goes to a credential-harvesting page.
The IT support call: Someone calls claiming to be from IT, says they've detected a problem with your account, and asks you to install a remote access tool or read back a verification code.
The package delivery text: A text claiming a package couldn't be delivered and asking you to update your address or pay a small redelivery fee. The link leads to a phishing page.
The job applicant with a malicious resume: An email to HR or a hiring manager with an attached resume in .doc or .zip format that contains malware. Particularly dangerous because receiving resumes from strangers is a normal part of the job.
Next up: Module 3, Passwords & Authentication, where we'll show you exactly how passwords get cracked, why "P@ssw0rd123!" isn't as clever as it looks, and how multi-factor authentication works (including how attackers try to beat it).
Module Version: 1.0
Last Updated: March 2026
Framework References: NIST Cybersecurity Framework 2.0 (Protect, Detect), SOC 2 Trust Services Criteria (CC 2.2)
Data Sources: Verizon Data Breach Investigations Report 2025, FBI Internet Crime Complaint Center (IC3) 2024, IBM Security/Ponemon Cost of a Data Breach Report 2025, Hoxhunt 2025 Phishing Trends Report