
Modern cybersecurity threats don't always begin with malware or a suspicious link. Sometimes they start with a conversation that seems completely legitimate. Here's what one recent social engineering assessment can teach small businesses about protecting themselves.
When most people think about phishing attacks, they picture an email filled with spelling mistakes, suspicious links, and obvious red flags.
Unfortunately, that's not how many modern attacks work. "Don't click on a suspicious link" doesn't cut it anymore for security awareness training.
A recent social engineering assessment conducted by security researchers at NetSPI demonstrated just how sophisticated today's attackers have become. Instead of sending a traditional phishing email, the researchers spent time building trust before ever introducing a malicious link.
The scenario they created was simple - and highly believable. Too many people think they'll never fall for a scam, and what's fascinating about this report is it goes into depth and shows just how tricky these things are. ANYONE could fall for this.
The target organization had recently announced plans to build a new facility. The researchers posed as a local journalist investigating an anonymous tip about possible hazardous waste disposal at the construction site. Rather than including a suspicious link in the first email, they simply asked executives whether they would be willing to comment.
At first glance, nothing seemed unusual.
In fact, the executives involved were responding exactly as many responsible leaders would. A potential reputational issue had been raised, and they were trying to address it.
That's what makes this example so important.
The Real Threat Wasn't Carelessness
One of the biggest misconceptions about cybersecurity is that successful attacks happen because someone was reckless or ignored obvious warning signs.
In this case, the executive wasn't being careless.
He was responding to what appeared to be a legitimate inquiry involving a sensitive business matter. The attackers established credibility first, engaged in conversation, and only later introduced a malicious link.
This approach is becoming increasingly common because it bypasses many of the warning signs employees have been trained to look for.
Email security tools are often very effective at detecting malicious links and attachments. They are much less effective at identifying a believable conversation between two people.
By the time the phishing link appeared, trust had already been established.
At Ekaru, we've seen similar situations affect small businesses throughout Massachusetts. The details vary, but the pattern is often the same. An employee receives what appears to be a legitimate message related to a current project, a vendor relationship, a customer issue, an invoice, or an urgent business matter. Because the request fits naturally into ongoing work, it doesn't immediately raise suspicion. We've seen diligent employees fall for a fake negative review from the Better Business Bureau. We've seen salespeople open fake Requests for Proposals (RFPs). It's not carelessness; it's someone trying to do their job.
What makes these attacks effective is that they don't feel like cyberattacks at all. They feel like business conversations.
That's why cybersecurity awareness training can no longer focus only on obvious phishing emails. Employees need to learn how attackers build trust, create urgency, and use real-world business situations to lower a target's guard.
How Third-Party Risk Entered the Picture
One of the most interesting findings from the assessment wasn't the initial interaction - it was what happened next.
The executive forwarded information to external contractors involved in the construction project. Fortunately, because this was a controlled security assessment, the researchers immediately stopped the exercise before any contractor credentials could be captured.
But the lesson is important.
Cybersecurity risk doesn't stop at your organization's boundaries.
When employees communicate regularly with vendors, contractors, accountants, attorneys, and other trusted partners, a successful social engineering attack can quickly spread beyond the original target.
For small businesses, these trusted relationships are often critical to daily operations. That makes them attractive pathways for attackers looking to expand access. Another common thing we see is an employee forwarding a questionable email to co-workers and asking "Is this legit?" This increases the reach of the malicious email internally as well.
This is one reason cybersecurity has become a shared responsibility. Your organization's security can be affected by the security practices of vendors and partners, just as their security can be affected by yours.
What Small Businesses Can Learn
Most organizations spend time teaching employees not to click suspicious links.
That's still important.
However, this assessment highlights another challenge: employees also need guidance on how to handle unusual requests, sensitive allegations, media inquiries, vendor communications, and other situations that fall outside normal business processes.
The executive in this assessment wasn't responding to a fake package notification or a password reset request. He believed he was helping address a potentially serious business issue.
We've seen attackers use similar tactics involving vendor payment changes, urgent requests from executives, customer disputes, legal matters, and other situations designed to trigger an immediate response.
The common thread is almost always the same:
Someone feels they need to act quickly. With AI, it's so easy for cybercriminals to harvest information online - from websites, press releases, and social media. Take a moment to think about how much of your information is "out there."
Creating a culture where employees are encouraged to pause, verify, and escalate unusual situations can dramatically reduce risk.
Practical Steps to Reduce Social Engineering Risk
While no organization can eliminate risk entirely, several steps can make these attacks significantly harder to execute:
- Slow down when a request feels urgent. Why the urgency?
- Verify journalists, vendors, and other external contacts through independent channels.
- Be cautious when external parties ask you to access internal company systems.
- Avoid using links sent by unknown parties to continue conversations.
- Establish clear procedures for handling media inquiries and sensitive allegations.
- Conduct security awareness training that goes beyond traditional phishing examples. This doesn't make an organization bulletproof, but it sure helps!
- Review email security controls and impersonation protections.
- Implement strong identity security measures such as multifactor authentication and conditional access policies.
Most importantly, employees should know exactly who to contact when something doesn't feel right.
Cybersecurity Is About Process, Not Just Technology
One of the biggest takeaways from this assessment is that technology alone isn't enough.
The vulnerability wasn't simply a malicious email. It was the absence of a clearly defined process for handling an unusual business situation.
The organizations that handle these attacks best are often the ones that have established procedures, clear communication channels, and employees who feel comfortable asking questions before taking action.
That's why cybersecurity isn't just an IT issue. It's a business process issue.
For small businesses, that's actually good news. Improving security doesn't always require buying new technology. Sometimes the biggest gains come from creating clear procedures, providing practical employee training, and helping your team know what to do when something unexpected happens. Run a tabletop exercise with your team to talk through "what if?" scenarios.
If you're wondering how your organization would respond to a sophisticated social engineering attempt like this, we'd be happy to have a conversation. We regularly help small businesses throughout Massachusetts evaluate their security awareness programs, review their processes, and identify practical ways to reduce risk without making day-to-day work more difficult.
A quick discussion can often uncover opportunities to strengthen security that don't require a major investment - just a thoughtful approach and the right guidance.
Source: This article is based on research published by NetSPI in "Asking the Wrong Questions: Social Engineering as a Reporter." The original article provides additional details about how the assessment was conducted and the lessons learned.
About the author:
Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area. Ann is an accomplished technology innovator and leader with three engineering degrees from MIT. She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.
