Strengthening Defenses Against AI-Driven Social Engineering
Deepfakes and voice cloning have lowered the barrier to believable impersonation. Attackers now mimic executives, rush finance teams into authorizing payments, and pressure IT or developers to bypass multifactor authentication. The result: fewer obvious red flags and more high-confidence mistakes.
Rob Shapland, director and ethical hacker at Psionic, says the fix isn't more quizzes. It's training that sticks. "Storytelling is the best way to get people to remember things. If you show them how a criminal could actually pull off an attack using their badge or their info, that makes it real. They'll remember that far longer than a compliance quiz."
How AI Voice Clones Trick Staff Into Bypassing MFA
Voice clones make social proofs feel real: the right voice, right cadence, right urgency. Attackers lean on context pulled from LinkedIn, email signatures, and public posts to sound "inside." Then they push for a fast exception.
- "Approve the push-board call starts in 2 minutes."
- "I'm locked out-read me the one-time code the system just sent."
- "We're onboarding a new device-can you enroll it for me?"
- "Urgent vendor change-move payment today, I'll explain later."
Defenses work best when policy, process, and tech line up. That means strict identity checks for account recovery, phishing-resistant MFA, and clear rules on what never happens over chat, email, or phone.
Why Online-Only Training Falls Flat
Passive content doesn't change behavior under pressure. People revert to habit when a "CEO" calls with urgency. Without hands-on practice and emotional anchors, lessons evaporate within weeks.
Behavior shifts when people feel the risk, see the trick, and practice the response. That requires story-led sessions, safe simulations, and quick follow-ups that build muscle memory.
Turn Training Into Behavior: What Works
- Run live, story-driven sessions: show real-world attack paths that use a badge, a calendar screenshot, or public photos to gain trust.
- Use controlled hidden-camera or recorded simulations to make the threat concrete, then debrief what worked and what didn't.
- Publish "never do this" rules: no OTPs, backup codes, or authenticator changes over phone, chat, or email. No exceptions-ever.
- Lock down help desk flows: require ticket, manager confirmation via a separately verified channel, and step-up verification from known devices.
- Adopt phishing-resistant MFA (FIDO2/security keys or passkeys), enforce number matching for push, and remove SMS/voice as fallbacks.
- Dual-control for money movement and vendor banking changes, plus mandatory out-of-band callbacks to a verified number on file.
- Instrument the process: log all resets, add rate limits and anomaly alerts, and make unusual requests slow by design.
- Reinforce monthly: 10-15 minute refreshers with a single story, a single behavior, and a quick test.
Create a Report-Without-Fear Culture
People won't speak up if they expect blame. You need fast reporting and psychological safety, or silence wins and attackers keep probing.
- Make reporting easy: one-click button, short code, or Slack channel monitored by security.
- Reward reports-even false alarms-with quick thank-yous and visible shoutouts.
- Share "save stories" so teams see why reporting early matters.
90-Day Rollout Plan (IT, Security, Finance, Dev)
- Week 1-2: Publish "never do this" rules. Update help desk and payment playbooks. Remove SMS/voice MFA fallback where feasible.
- Week 3-4: Story-led training for high-risk roles (help desk, finance, exec assistants, on-call engineers). Launch fast-reporting channel.
- Week 5-8: Run controlled voice-clone and payment-change drills with consent and measurement. Fix gaps immediately.
- Week 9-12: Roll out security keys/passkeys for admins and finance approvers. Add dual approvals and enforced delays for high-value actions.
If your teams need role-specific upskilling on AI and security, explore courses by job at Complete AI Training.
Further Reading
About Rob Shapland
Rob Shapland is director and ethical hacker at Psionic with over 16 years of penetration testing and red team experience. He specializes in physical and social engineering intrusions for global clients and appears in the upcoming documentary "Midnight in the War Room."
Your membership also unlocks:
