Fraudology

Social engineering attacks: How millions can be stolen in one phone call

Guest: Robert Kerbeck

Today I’m talking about social engineering attacks, and honestly, this is one of those topics that keeps proving how dangerous human manipulation can be when it gets paired with weak verification and a little urgency. If you have been watching the headlines around major breaches and ransomware incidents, this episode will sound very familiar. And that is exactly why it matters.

I sat down with Robert Kerbeck, former corporate spy and author of Ruse, to talk about how phone-based social engineering actually works, why smart employees still fall for it, and how a short conversation can open the door to massive financial and operational damage. At first glance, this can sound like a cybersecurity story. But when you look closer, it is also a fraud story, a training story, and a process story.

Robert has a perspective very few people can offer because he used to be the one running the ruse. He understands how attackers build trust, how they choose targets, and how they turn small disclosures into bigger access. That is the part I really wanted Fraudology listeners to hear. Because social engineering fraud does not usually start with something that looks obviously criminal. It starts with a voice, a reason, and a request that feels just plausible enough.

And when that request reaches the wrong person at the wrong time, the consequences can get very expensive very quickly.

Here is what that means in practice:

  • Social engineering attacks often succeed by exploiting routine, trust, and urgency rather than technical weaknesses
  • Phone-based social engineering can bypass strong systems when employees are not trained to verify unusual requests
  • Employee verification procedures matter most in the moments when someone sounds credible and confident
  • Corporate fraud prevention depends on making it harder for attackers to talk their way into access or information

What you’ll hear in this episode:

  • How social engineering fraud can escalate from one short phone call into major business loss
  • Why vishing attacks and suspicious phone requests still work on well-intentioned employees
  • How corporate social engineering often targets the people most likely to help, not the people with the most technical knowledge
  • Why ransomware attacks become even more dangerous when social engineering is used to gain access first
  • What companies can do to improve employee security training and reduce avoidable mistakes

You should listen to this episode if you:

  • Lead fraud, risk, InfoSec, support, or operations and want to understand how social engineering attacks really unfold
  • Need stronger employee security training or cybersecurity training that reflects how attacks happen in real conversations
  • Are reviewing employee verification procedures, callback processes, or escalation paths
  • Want better corporate fraud prevention tied to real-world manipulation tactics, not generic awareness advice
  • Care about cybercrime prevention, identity theft prevention, and reducing the odds of a costly internal mistake

If you liked this episode, be sure to subscribe and review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts. It really helps with getting the word out.

Episode notes & key takeaways

Why social engineering attacks still work so well

Let’s break this down.

One of the biggest misconceptions about social engineering attacks is that they only work because someone made an obvious mistake. That is usually not what happens. More often, the attacker sounds prepared, calm, credible, and specific enough to lower the target’s guard. They do not need to sound perfect. They just need to sound believable long enough.

That is the real issue.

Robert explains how these conversations are built to feel ordinary. Not dramatic. Not suspicious right away. Just familiar enough that the employee starts cooperating before they fully stop to question the request. And that is exactly why social engineering fraud is so effective. It turns helpfulness into exposure.

This is where companies get into trouble. They assume employees will recognize a bad request if they see one. But a lot of suspicious phone requests do not feel suspicious in the moment. They feel urgent. Or routine. Or like something the caller should reasonably know.

What good teams should keep in mind:

  • Social engineering attacks often rely on confidence and context more than technical trickery
  • Phone-based social engineering works best when the target is rushed, distracted, or trying to be helpful
  • Information security awareness has to include real conversational manipulation, not just email red flags
  • Corporate social engineering thrives in environments where trust is assumed too quickly

Why a 10-minute phone call can lead to massive losses

Here’s what’s actually happening.

A short call can do a lot of damage because it does not need to solve the entire attack in one step. It only needs to move the attacker closer to access, information, or the next internal person. That is why the “10-minute phone call” framing matters so much. The speed is part of the lesson.

And that matters.

An attacker might use that call to confirm a detail, reset a process, gather internal language, learn who has authority, or create enough trust to make the next ask seem normal. Then those pieces get used in executive impersonation scams, follow-up vishing attacks, account access attempts, or even ransomware attacks when the attacker can pivot from information into systems.

We have seen this playbook before.

The social engineering piece is often what makes the technical attack possible. So if a company only focuses on infrastructure and ignores the verbal path into the business, it is leaving a pretty obvious gap.

A few practical takeaways:

  • Social engineering fraud often succeeds in stages, not all at once
  • Vishing attacks can be used to collect information that powers later compromise
  • Ransomware attacks become more dangerous when attackers use people to open the first door
  • Cybercrime prevention needs to include phone-based risk, not just digital channels

Why the best targets are usually the most helpful people

This is one of the most useful parts of the conversation.

Attackers do not always target the most senior or most technical employee first. They target the person most likely to engage. The person who answers the phone. The person who wants to solve a problem. The person who has enough access to be useful and enough trust to keep the interaction moving.

That usually does not end well.

Robert talks about who attackers look for and what they research ahead of time. And honestly, that is the part a lot of companies underestimate. Good social engineers do homework. They learn names. Roles. Internal terminology. Reporting lines. They build enough familiarity to sound like they belong.

So when teams hear “employee security training,” they should not think only about executives or engineers. Customer-facing teams, assistants, support staff, operations teams, and anyone who can validate information or route a request can become a target.

That is the part fraud teams should care about:

  • Corporate social engineering often starts with the most accessible employee, not the most privileged one
  • Suspicious phone requests should be treated seriously even when the ask seems small
  • Employee verification procedures need to apply to all roles, especially frontline teams
  • Corporate fraud prevention improves when support, security, and leadership all follow the same verification rules

Why training has to be memorable to change behavior

I say this a lot, and this episode reinforces it.

If training is forgettable, it will fail right when employees need it most. People do not rise to vague policy language in a high-pressure moment. They fall back on what they remember clearly. That is why the best fraud prevention training and employee security training is specific, practical, and memorable.

Robert is especially effective on this point because he can explain not just what happened, but how it felt from the attacker side. How the script was built. How the trust was developed. How the conversation stayed controlled. That makes the lesson stick in a very different way than a generic slide deck ever will.

Right.

Because the goal is not to make employees paranoid about everything. The goal is to help them recognize patterns, slow down unusual interactions, and know exactly what to do next. That means stronger scripts, better callback procedures, clearer approval paths, and more reinforcement for saying no when something does not line up.

What strong training should include:

  • Employee security training should use realistic scenarios tied to actual workflows
  • Fraud prevention training works better when it teaches employees what to do, not just what to fear
  • Cybersecurity training should cover executive impersonation scams and verbal pressure tactics
  • Information security awareness improves when teams practice escalation and verification in real terms

Why verification processes matter more than good instincts

This might sound simple. But it really is the foundation.

You cannot build a reliable defense around hoping every employee will have perfect instincts every time. That is not realistic. Good companies reduce risk by making verification part of the process, not part of personal judgment.

That is where employee verification procedures become so important.

If someone asks for account details, internal information, system access, or anything that could increase exposure, there should be a known process. A callback. A secondary approval. A documented escalation path. Something that breaks the momentum of the ruse and forces the request into a controlled workflow.

Because that is what social engineering attacks hate. Friction. Process. Delay. Independent verification. Those things are not exciting, but they work.
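The controlled workflow described above (callback to a number of record, secondary approval, documented escalation) can be made concrete. The following is an added example written for this page, not code from the episode, its guest, or Fraudology; the request kinds, sensitivity levels, directory entries and sample requests are all constructed, and the rule that every high-exposure request needs both a callback and an independent second approver is an assumed policy, not one the episode prescribes.

```python
"""Verification gate for inbound requests (added example; all data constructed)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Sensitivity(Enum):
    LOW = 1      # no exposure, e.g. public office hours
    MEDIUM = 2   # modest exposure, e.g. internal ticket status
    HIGH = 3     # account details, credentials, system access, payment changes


# Constructed catalogue: how much exposure each request kind carries.
REQUEST_SENSITIVITY = {
    "office_hours": Sensitivity.LOW,
    "ticket_status": Sensitivity.MEDIUM,
    "account_details": Sensitivity.HIGH,
    "password_reset": Sensitivity.HIGH,
    "system_access": Sensitivity.HIGH,
    "vendor_bank_change": Sensitivity.HIGH,
}

# Constructed directory of record: the only trusted source of callback numbers.
DIRECTORY_OF_RECORD = {
    "j.doe@example.com": "+1-555-0100",
    "a.smith@example.com": "+1-555-0101",
}


@dataclass
class Request:
    requester_id: str                            # identity the caller claims
    kind: str
    callback_supplied: Optional[str] = None      # number the caller offered
    callback_completed_to: Optional[str] = None  # number staff actually dialled
    approver_id: Optional[str] = None            # second approver who signed off


@dataclass
class Decision:
    allowed: bool
    escalate: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Decide whether a request may proceed. Anything the caller supplied
    (claimed identity, callback number) is treated as a claim until confirmed."""
    sens = REQUEST_SENSITIVITY.get(req.kind)
    if sens is None:
        return Decision(False, True, ["unknown request kind"])
    if sens is Sensitivity.LOW:
        return Decision(True, False, ["low sensitivity, no verification needed"])

    number_of_record = DIRECTORY_OF_RECORD.get(req.requester_id)
    if number_of_record is None:
        return Decision(False, True, ["requester not in directory of record"])

    problems: List[str] = []
    notes: List[str] = []
    # A callback only counts if it went to the number of record.
    if req.callback_completed_to != number_of_record:
        problems.append("callback to number of record not completed")
    if req.callback_supplied and req.callback_supplied != number_of_record:
        notes.append("caller-supplied callback number ignored (differs from record)")

    # High-exposure requests also need an independent second approver.
    if sens is Sensitivity.HIGH:
        if req.approver_id is None:
            problems.append("secondary approval missing")
        elif req.approver_id == req.requester_id:
            problems.append("approver must differ from requester")
        elif req.approver_id not in DIRECTORY_OF_RECORD:
            problems.append("approver not in directory of record")

    if problems:
        # Break the momentum: deny and route to the documented escalation path.
        return Decision(False, True, problems + notes)
    return Decision(True, False, ["verified"] + notes)


if __name__ == "__main__":
    # Constructed sample: the caller offers their own callback number and
    # presses for account details; staff must dial the directory number instead.
    pressure = Request("j.doe@example.com", "account_details",
                       callback_supplied="+1-555-0199")
    print(evaluate(pressure))
    verified = Request("j.doe@example.com", "account_details",
                       callback_completed_to="+1-555-0100",
                       approver_id="a.smith@example.com")
    print(evaluate(verified))
```

The design point is that the caller never gets to choose the verification channel: a number offered on the call is recorded but ignored, the callback has to reach the directory entry, and a denied request is escalated rather than silently dropped, so the momentum of the conversation is replaced by a logged process.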

The big takeaway from this episode is pretty straightforward. Social engineering attacks are still one of the fastest ways for criminals to get around strong infrastructure by going straight through people. That is why companies need better training, better verification, and better coordination across fraud, support, security, and leadership. The attack may start with a phone call, but the outcome depends on whether the organization has built a process strong enough to interrupt it.

That is the part that holds up.

Host
Karisse Hendrick
Ecommerce Fraud Prevention Consultant