The phone rings.
Someone introduces themselves as IT support. They sound calm, informed and slightly urgent. They explain there may be an issue with your account and ask you to log in to resolve it. You are between meetings, your inbox is overflowing, and the request sounds entirely routine.
You comply, not because you are careless, but because you are doing exactly what modern workplaces reward: being responsive, efficient and helpful.
For years, organisations have approached cybersecurity primarily as a technical challenge. Better filters, stronger passwords, more sophisticated software and more awareness training have all formed part of the response. Running alongside this has been a familiar assumption: that employees remain the weakest link.
But recent events suggest something more interesting and perhaps more uncomfortable.
Increasingly, attackers appear less interested in breaking systems and more interested in understanding people.
Recent warnings from the FBI and reporting from cybersecurity researchers have highlighted campaigns in which attackers reportedly impersonated internal IT teams, targeted help desks, used voice-based social engineering and, in some cases, escalated to appearing physically at office locations when remote approaches proved unsuccessful. The objective was not necessarily to bypass sophisticated security controls; instead, it was to persuade trusted employees to grant access voluntarily.
That distinction matters because it changes how we think about risk.
These attacks often do not begin with malware or technical compromise. They begin with something far more ordinary: a conversation, a request for help, an appeal to urgency or a familiar workplace interaction.
What makes these attacks effective is not necessarily technical sophistication but social sophistication. They exploit behaviours that organisations actively encourage.
Think about what many workplaces reward: responsiveness, pace, trust and a willingness to solve problems quickly. Help desks are expected to help, managers value people who remove obstacles, and employees are recognised for being available and keeping work moving. Under normal circumstances, these are characteristics of healthy and effective organisations. Yet in different circumstances, those same behaviours can create opportunities for exploitation.
This creates an uncomfortable tension.
When an employee follows instructions from someone they believe to be internal IT, are they making a poor decision or are they behaving exactly as their environment has taught them to behave? When a help desk accelerates support for someone presenting a plausible and urgent request, is that human error, or good service being manipulated?
These questions matter because the language organisations use influences the solutions they choose.
If incidents are framed primarily as awareness failures, the response becomes more training. If they are understood as behavioural and organisational challenges, a different set of questions emerges.
How much decision-making capacity do employees realistically have left after a day of meetings, messages and competing priorities? Do employees feel able to question requests that appear to come from authority figures? Does urgency routinely override verification? Are organisations rewarding speed in ways that unintentionally discourage reflection?
Research across behavioural science and organisational psychology has repeatedly shown that decision-making changes under pressure. As cognitive demands increase, people are more likely to rely on familiar patterns, trust established signals and default to accepted norms. None of this reflects poor judgement; it reflects how people adapt when operating under constraints.
Attackers do not need to create these conditions. They simply need to recognise them.
Modern working environments may make that easier than many organisations realise. Hybrid working has blurred boundaries, collaboration platforms have accelerated communication and expectations of responsiveness continue to rise. Employees increasingly move between channels, devices and competing demands throughout the day.
Against that backdrop, the distinction between being helpful and being manipulated can become surprisingly thin.
This may explain why newer forms of social engineering feel different from traditional phishing attempts. Rather than relying on obvious warning signs such as suspicious links or implausible stories, interactive attacks rely on trust, conversation and real-time adaptation. In some cases, attackers appear to succeed not by asking employees to do unusual things, but by asking them to do things they would ordinarily do anyway.
That observation suggests a shift in thinking.
The answer is unlikely to be teaching employees to trust nobody. Organisations cannot function without trust, nor should they try to.
Instead, the challenge may be to create environments in which trust and verification coexist, where questioning is culturally acceptable, where friction is deliberately introduced into high-risk processes, and where employees feel permitted to pause and verify requests even when doing so feels inconvenient.
The phrase “human firewall” is often used to describe employees as the final line of defence against cyber threats. Yet the metaphor may be misleading.
A firewall does not experience interruptions, manage competing priorities or make decisions while cognitively overloaded.
People do.
If organisations want employees to make better security decisions, they may need to stop treating those decisions as isolated moments of judgement and start paying closer attention to the environments in which those decisions are made.
The human firewall may not be broken. It may simply be overloaded.
If you would like to explore how organisational culture, human behaviour and practical security measures can work together to reduce phishing and social engineering risk, please get in touch with vXtream.