The Future of Social Engineering
CISOs from NTT DATA North America, Zscaler, and Paychex on how generative AI has stripped phishing of its old red flags, why attacks have expanded to voice, WhatsApp, and deepfakes, and what effective cyber defense requires.
David DellaPelle: Welcome everyone to the second webinar in Dune Security's series. This one is titled The Future of Social Engineering. Super excited to have Dan Glass, Brad Schaufenbuel, and Ben Corll join us. Why don't we start with Ben for a quick intro, then go to Brad and Dan.
Ben Corll: Good afternoon, or good morning depending on where you are joining from. My name is Ben Corll. I am serving as CISO in Residence at Zscaler. I have been in cybersecurity for over a decade and operate in an advisory capacity, so I essentially get to be a CISO to other CISOs. I have been with Zscaler for a couple of years now.
Bradley Schaufenbuel: Thank you, Ben. I am Brad Schaufenbuel. I am Vice President and Chief Information Security Officer at Paychex. I have been in that role for about five years, but I have been in security for 28 years.
Dan Glass: My name is Dan Glass. I am the Chief Information Security Officer and Vice President at NTT DATA North America. I have been with the company for about five years, have been a CISO for about 13, and have been in security for about 25 years overall.
David DellaPelle: Thank you all for joining. I know your schedules are incredibly busy, so we really appreciate the time today. Let us jump right in. My first question is directed towards Ben, but we will open it up for conversation. Ben, in today's rapidly evolving threat landscape, what social engineering attacks are you seeing as the most prevalent? What do you hear the most in your role advising other CISOs?
Ben Corll: The landscape is constantly evolving, but old is new and new is old. We still see emails — it is so cheap and so easy to send them that email-based attacks remain very prevalent. Business email compromise is still a significant threat out there. What we are seeing evolve is that there used to be seven or nine red flags you could look for: spotty language, poor English, poorly written content. We are not seeing that as much anymore.
We are seeing an uptick in smishing — SMS phishing — but the more interesting thing we are picking up on is the number of employees getting the same types of messages on their personal applications, on WhatsApp or Signal. Fraudsters are purporting to be the CFO or CEO, saying things like: I am locked out of my corporate account, we have an M&A situation and we are trying to keep it off corporate communications, but they are stealing photos from the company website to add a degree of legitimacy to these messages. And they are asking employees to release a $250,000 purchase order, but the message comes from a Gmail address because, again, they claim to be keeping it out of corporate communications. So both the sophistication and the modality of social engineering continue to increase.
David DellaPelle: Absolutely. Any additional thoughts on that one?
Bradley Schaufenbuel: From my perspective, the most prevalent types are phishing and smishing. That has been the case for years, but we have definitely seen a big increase in smishing and AI-generated voice messages or AI-generated voicemails. We have seen an uptick in those modalities recently. And obviously the major change is generative AI being used by attackers to improve the efficacy of those attacks — they are getting substantially better and harder to spot.
Dan Glass: We are seeing similar things. I will now challenge myself to use the word "modality" at some point during the rest of this day. But what we have also seen is attacks targeting the service desk and IT help desks — going after those folks through old-school social engineering and subterfuge, or in some cases even outright bullying: change the password on this account or else. Social engineering, both old and new, is very much alive.
David DellaPelle: Just to follow up on Brad's point — with generative AI, is it more about sophistication, the deepfakes, the effectiveness of the attack, or is it more about scale? More attacks?
Bradley Schaufenbuel: The answer is yes to both. The volume is higher and the quality is higher.
Dan Glass: Quality has gone sky-high. For a while, our phishing training simulations were almost too good and we had to dumb them down. Now we are finding that real attacker phishing messages are as good as our best training simulations were. And they are trying novel attacks as well — QR codes, for example, are something we are seeing come through.
David DellaPelle: The traditional approach to educating employees and increasing security awareness is to train them and make them a kind of frontline defense. KnowBe4 was a pioneer of this space, 12 to 14 years ago. Fast-forwarding to today — Brad, how effective do you think current training programs are, and do you think there needs to be innovation in how we increase security awareness within the employee base?
Bradley Schaufenbuel: Most organizations assign a mandatory cybersecurity training course once a year and conduct maybe quarterly phishing simulations. Those programs may decrease susceptibility to social engineering in the short term, but efficacy tends to drop off between training sessions. Furthermore, a one-size-fits-all methodology is being used — people who are already security-conscious get the same training as those who are highly susceptible to social engineering. What we have found is that adaptive, risk-based security awareness training is far more effective. Training that is uniquely tailored to each person based on their role and indicators of their individual susceptibility to social engineering — that is really the way of the future.
Dan Glass: We have also moved from once-a-year monolithic security training to what we call nano learnings — small five-to-ten-minute trainings once a month or so. They add up to the same total time you would get from an annual training, but they are delivered much more frequently. Even though the subjects rotate, we hit social engineering and phishing awareness on basically every module. It does not matter if the main topic is password management — we remind people that they need to stay vigilant.
The other thing I will add is that our examples try to be locally relevant. Not what happened somewhere else in the world, but what we have actually seen happen here at our organization. That resonates far more with people. When something happened here and you tell that story, it lands. No one can say "well, that will never happen here."
David DellaPelle: What about just-in-time intervention? We at Dune Security do replace legacy security awareness training for enterprises, but there is also a lot of innovation happening in that space right now — quality UX on just-in-time intervention, whether it is something that pops up within the email client and alerts a user in real time or a separate page. Any thoughts on that?
Ben Corll: It is the future. Just-in-time training, as Brad mentioned, is important — but so is the intervention piece. If we detect that someone clicked on a link, being able to proactively and automatically lock their account, reset their credentials, or take some other action without requiring human intervention is going to become more and more critical. The bad guys have gone from dwell time measured in days to hours and now minutes, so time is of the essence.
David DellaPelle: Dan, as the quality of phishing and social engineering increases, how do you actually track metrics? A click-through rate on a phishing simulation is kind of our starting premise, but as attacks become more sophisticated, it seems increasingly difficult to use that as the primary measure.
Dan Glass: We depend on lots of things, and there is a little bit of art to this because there is no black-and-white answer. We look at phishing simulation scores and identify the repeat problem users — the ones who click on every single test — and we target them for more training, or even note it in their file. We monitor incident response times very closely: how quickly do we react once we detect something, and does the automation work? And we track the efficacy of our anti-phishing platforms — how well do they work, how often does a phish get through.
The QR code issue is a perfect example of a gap. If an attacker can get someone to pull out their personal phone, I do not have the same level of visibility I would have on a corporate endpoint. They may not be behind my SASE product, and even if we manage the device, it does not have the same level of protection and monitoring.
Ben Corll: Just-in-time intervention also lets you engage with context, and context is everything. When something relevant to your current situation is surfaced in the moment, it makes sense. People say, "this actually happened to me right now, now I understand what this means." I love just-in-time with context.
David DellaPelle: That is actually a key reason why Michael and I founded Dune Security — there seemed to be a lack of technology that could help CISOs, GRC leads, and security awareness leads actually hold employees accountable. The old process was: send someone an email saying you failed a phishing test, go do your training. What we provide is complete transparency — here is your risk profile based on comprehensive input data, communicated directly and specifically. That seems to be pretty effective with our early enterprise customers.
Ben, looking ahead — with AI and social engineering, what are you most afraid of? What scares you most as a security leader?
Ben Corll: Bad things are going to happen. People are going to misuse technology to take advantage of other people. We are going to continue to see AI being misused in ways that are already becoming apparent.
Voice manipulation is one I am watching closely. You can go on social media, find recordings of someone's voice, and now construct a convincing message that even their mother would not be able to identify as fake. Deepfakes are only going to get worse. We are already seeing them show up in films and television — The Fall Guy, for example — and we are going to start seeing a world where someone who was recorded doing or saying something will claim it was a deepfake because they do not want to be held accountable.
The natural language processing improvements are also significant. Early AI systems could only write very basic sentences. Now look at how well they craft phishing messages. Add context — things you have said, things you have posted — and you have an even more effective, highly personalized attack vector.
What is the solution? I have gone back and forth with peers who say "do not bother training people, they are going to fail anyway — just buy better tools." But the tools fail too. They are built by people, configured by people, monitored by people. If you are saying people are the weakest link, then do not eliminate education — make people your best sensors instead. Use real-world examples, including things like that Fall Guy deepfake, to show people what is actually possible. Explain what was sensationalized and what is real. Educate them in context.
David DellaPelle: It is a mix of the technology — the castle walls and system-centric approaches — and also dealing with the human layer. Microsoft recently funded a company called Clarity for deepfake detection. There was that attack in Hong Kong where 10 executives were on a Zoom call and nine of them were deepfakes, which led to a $25 million wire transfer. That could potentially have been prevented with deepfake detection embedded in the call — but also the person authorizing the transfer could have been more aware of that risk. You have to approach it from all angles.
Ben Corll: There were actually two or three separate calls involved in getting to that $25 million.
David DellaPelle: What we did the next day after that story broke was build a completely customized, high-quality training module within two hours and ship it to all of our end users. As attacks increase in sophistication, immediately alerting people and getting their attention matters.
Let us go to the next question. How can AI be used as a defensive mechanism? Dan and Brad, what are you seeing, and how do you think AI can best be used to prevent social engineering attacks?
Bradley Schaufenbuel: One way to fight sophisticated AI-generated attacks is to leverage sophisticated AI to detect them. You can implement technology that detects AI-generated text, video, and audio. The problem is that it is a cat-and-mouse game — attackers will eventually find ways to fool AI-based detection mechanisms, then defenders will find ways to detect that, and the cycle repeats.
I have found that the most effective mechanisms for foiling social engineering are often the most old-fashioned and unsexy. Things like dual control and callback verification for transactions.
Dan Glass: We have done the same — adding friction back in. We spent a decade removing friction from our processes and our technology, and unfortunately I think we are having to put some of it back. I was actually saying to someone the other day that the return-to-office trend for a lot of companies may not ultimately be about real estate or productivity or camaraderie. It may be because that is the only way we can be sure that the person on the Zoom call with you is not a deepfake, and that someone has not automated their presence with an AI that nods occasionally and speaks for them.
I also tested this myself — I went to Gemini and ChatGPT, generated some articles and blog posts, then fed them through AI detection tools. The detection rate was around 30 to 40 percent. And the better my prompts were, the lower the detection percentage. So there are ways to manipulate current AI detection tools. And with GPT-5 reportedly representing as large a leap over GPT-4 as GPT-4 was over GPT-3, the pace of improvement is staggering.
David DellaPelle: Dan, NTT DATA has around 37,000 employees. Adding friction is something I hear from a lot of CISOs, but there is sometimes tension between the CISO and the COO or CFO when it comes to introducing friction at scale. How do you navigate that, and is there a way to increase friction only for higher-risk users?
Dan Glass: We are in a unique position as a service provider — security is our lifeblood. If our clients do not trust us, we lose business. So it does not take a lot of convincing internally. We see the attacks ourselves, we see where they were marginally successful, and we see where our technology stopped them but could have failed. As long as we communicate clearly to leadership what we are doing and why, they have been on board. I know I am lucky in that respect — a lot of other leaders struggle with that messaging.
That said, I think this is going to become table stakes. Someone at RSA called AI a double-edged sword, and I said: it is a double-edged sword without a handle. We are all going to get cut regardless of how we try to grip it. I do not think AI alone is going to be the answer. Going back to what Brad said, older processes like manual callbacks to a number already on file — not a new number provided by the caller — are going to become more and more important. Getting CIOs, COOs, and even CEOs used to that added friction and framing it in terms of the productivity gains AI has already provided elsewhere is how you make that case.
David DellaPelle: Board-level reporting is also part of this — having quantifiably accurate metrics to report back on. That is something we have focused on at Dune: quantifying risk based on all available input data without generating false positives, and then presenting it in a format that is easily communicable to the board. That is some of the coaching we have received from our CISO Advisory Council.
Brad, any thoughts before we go to the next question?
Bradley Schaufenbuel: No, let us move on.
David DellaPelle: Humans are obviously fallible, and social engineering exploits human vulnerabilities. How do we better understand those vulnerabilities and mitigate them? Ben, can you talk about the psychology of social engineering — what attackers do to manipulate people and get inside companies?
Ben Corll: People are relationship-oriented. We want to connect, we want to help, we want to feel needed, helpful, and relevant. Attackers take advantage of those emotions. They might say a family member was in an accident and you need to transfer money immediately for life-saving care. Or they will say: transfer this payment in the next 30 minutes or your credit card will be disabled. They toy with emotions and they use time pressure to get people to act before logic can kick in — before something starts to feel off.
That time manipulation is critical. They want immediate action before you have time to think. So how do you get around that? You put processes in place. You educate people on the common scams. Let them know: the CFO is never going to call you and ask you to go pick up gift cards. That is not legitimate. When people know what those patterns look like, they know how to handle it.
From a corporate perspective, I am a strong believer in process. At my last organization, before you could change a bank account or issue a purchase order over $25,000, you had to have two-person integrity — two people had to sign off. It was not just what one person thought. Processes slow things down deliberately, and in this context, slowing things down is often the right answer.
David DellaPelle: Slowing things down is critical. And one of the things we have found is that you need to figure out where the risk actually is, which is a big part of why we automatically spear phish our clients' users — simulations based on their role, their company, and their function. Ben, attackers are often not concerned with being politically correct. They will send things that are genuinely offensive — "you are fired, click here to get your severance." How do you manage that within a phishing simulation environment? How far do you go?
Ben Corll: Testing should mimic real life. People are going to receive those kinds of messages in the wild. So you have conversations with your executives, you have conversations with HR, you get sign-off and approval on the test scenarios, and you make clear: these are things that are seen in real life. We cannot hold back from realistic testing.
Dan Glass: From my perspective, the main difference between a human firewall and a hardware firewall is that the hardware firewall consistently responds the same way to threats. That consistency is what makes humans such a perfect target — their inconsistency. But that human weakness can be reduced with training. Training is essentially vulnerability remediation for the human firewall. If we change how people think, we can change their susceptibility to social engineering.
My background is actually in finance and economics, and a core tenet of economics is that people respond to incentives. You always want to look at what the incentives are and try to change them. Take the service desk — if their incentive is first-call resolution, and they are measured and paid by that, social engineering is going to work very effectively. But if you add in a second incentive — that security and following process is equally important, and that deviating from process is penalized more than it is rewarded by closing tickets quickly — you change the behavior. Understanding that incentive structure and adjusting it so people are not just incentivized to do the most expedient thing is critical.
David DellaPelle: Brad, touching on culture — training is critical, but at an organizational level, how do you think about improving security culture so that employees truly feel empowered to defend the company?
Bradley Schaufenbuel: The goal of most security awareness training programs is to drive a security-conscious culture. Humans are inherently social animals, and cultural norms significantly impact individual behavior. If you can make good security hygiene a cultural norm, individual employees will adopt good security behaviors. Cultural norms are typically driven from the top down, so you need your organization's most influential leaders to model the behaviors you want. One of the reasons we leverage company leaders to help spread the word is because everyone in the company knows who they are. We have found that using short micro-videos from key executives is incredibly effective.
David DellaPelle: Dan, let us go back to incentives and the carrot versus stick model. Do you think there is ever a place for the stick — restricting people's access if they are repeatedly failing tests or real phishing attacks?
Dan Glass: It is a tough one. My philosophy is that we should never put a security decision entirely in an end user's hands if we can avoid it. Take data classification — if the incentive is that clicking "confidential" prevents them from sending something to someone outside the company, but they need to send it, the incentive structure pushes them toward mislabeling it. Understanding that incentive and designing around it is important.
On training: I will raise my hand and admit that I have been guilty of sending out corporate communications saying "do not click on links" and then ending with "for more information click on this link." I see that as part of the problem. Better training technology and a different way of thinking about training is needed. We need to stop inadvertently training people toward bad behavior, continue improving technology to filter bad content before it reaches users, and train end users to spot anomalous situations — even though that is increasingly hard to do.
Going back to what Ben was saying: it is more about context. Why would the CFO suddenly email, text, or call someone who has never spoken to the CFO before? Having that idea percolate through people so they think: this is probably off — let me call you back, or let me loop in my manager — training people to push back or punt through the process is key.
Ben Corll: It is letting people know it is okay to say no. You will not get in trouble for pushing back, for challenging, or for asking for verification.
David DellaPelle: Ben, do you think Performance Management is ever warranted? If someone is the highest-risk employee in the company, would you sandbox them entirely, or do you think there is a role for Performance Management?
Ben Corll: Yes. You have to lower the risk somehow. Think about blast radius and risk mitigation. Grant only the access they actually need. If the organization is mature enough, use just-in-time access, just-in-time alerting, limit their exposure. But also keep having conversations. Help them understand the implications of what they are doing. If someone is clicking on everything, send them more convincing simulations and keep working through it with them.
Bradley Schaufenbuel: Security is part of everyone's responsibility, and in many companies we are making it an explicit part of their job description. If someone consistently fails to apply good security practices, they should be subject to Performance Management just as they would be for other parts of their job. That said, my first inclination is always to reduce the risk by increasing controls for that specific user before going to any job-related action. What the processes are there for is to protect not just the company, but also the employee. If somebody gets fooled on the phone once, that is not a warning letter — we send them through training. If it becomes a repeat pattern, then yes, it can become a performance management issue.
But protecting honest mistakes through process — and making it so that someone would have to actively go outside the process to do the wrong thing, such as resetting a password without going through the proper MFA mechanism — that is when Performance Management needs to step in, and it needs to step in quickly and firmly. Willingness to subvert controls is the behavior you really need to root out.
David DellaPelle: We differentiate between carelessness and ignorance, and I think they are very different things. And what this conversation affirms for us is that every organization has different policies, processes, and culture. What we try to do is provide the central repository and intelligence engine of employee risk so that security teams can deal with it however fits their environment and integrate it with their existing systems.
Let me raise a different question. There is often a balance between trust and security, between privacy and security. As AI increases the sophistication of attacks across all vectors, not just social engineering, the CISO's job becomes increasingly difficult. How do you manage that balance?
Dan Glass: It really comes down to communication — not just communicating with peers and employees on security matters, but having a clear policy that is human readable. You can have an extensive library of ISO-compliant policy documents, but what I have focused on is taking what people actually need to know out of those policies and putting it into something readable. A nanolearning format where people click through the top ten things they need to know. Not every employee needs to read the section on system administration — only the subset of the company who actually administers systems. Understanding what people need to know, making it clear, and making sure they know how to access it is how you start to build trust with employees.
Ben Corll: The biggest takeaway for me is transparency. Communicate openly. Be clear and concise. And publish policies in people's natural language — do not write an acceptable use policy only in English and expect everyone globally to understand it equally. Also let people know: we are putting guardrails in place not to frustrate you, but to protect you and to help the business operate better. If an attacker gets in, it can lead to a catastrophic loss that costs people their jobs.
Bradley Schaufenbuel: I would agree with that. There is a "trust but have a backup plan" element to this. You can reduce human vulnerability through training, but it is very difficult — if not impossible — to eliminate human error entirely. That is one of the reasons zero trust architectures are taking off: the recognition that inherent trust will often result in control failure. With social engineering, you always need a backup control, because no matter how much you train employees, that control will sometimes fail.
David DellaPelle: Music to Ben's ears — zero trust. That is actually where I started my career in cybersecurity, at a company called Perimeter 81. I am going to open it up now. If anyone has questions, now is the time to put them in the Q&A.
While we wait for questions — what drove you all toward Dune Security as a solution? We quantify risk, remediate it automatically at the user level where possible, and adaptively automate security controls around high-risk users. Which piece is most compelling? Ben, I will start with you.
Ben Corll: It really comes down to customization — not one-size-fits-all. We are all different, and our risk profiles should not be the same. When I started in security in 1999, there were no granular controls. It was all or nothing. I love the ability to take it down to the individual level and say: based on this risk profile for this user, apply these specific controls — isolated environments, cloud browser isolation, whatever is needed — to better protect the organization while still enabling that person to do their job. That was one of the first compelling things.
Bradley Schaufenbuel: It was similar for me. The contextualization of the training and the fact that it is targeted to a specific individual based on their individual behavior makes it so much more meaningful. That results in end users actually grasping the concepts rather than getting a one-size-fits-all experience.
Dan Glass: Having technology is not a panacea, but it sure can help. Being able to quickly and automatically do what I would call just-in-time provisioning — or deprovisioning — of access is powerful. When a user sees the consequence immediately and their manager says "you were offline for two hours because of this, what are we going to do to rectify it?" — that creates real accountability. It also makes the HR conversation easier because you can address it right then and there.
David DellaPelle: Dan, I think a lot of the innovation and investment in security coming out of places like the NSA or Israel's Unit 8200 has been in identity, network, or endpoint security. We have not seen enough investment or innovation in the human layer. What we are ultimately trying to do is dynamically move the castle walls around employees based on more or less real-time risk profiles.
A question from the audience: what are the key components to effective remediation and continuous monitoring?
Dan Glass: It starts with understanding your environment — knowing what good looks like, having a solid asset management database, knowing what is supposed to be there versus what is not. Same goes for identity. You cannot spot an anomaly unless you know what normal looks like. I advise people: define what good looks like first, and then instead of putting sniffers on the network and trying to back into it, say this is the approved behavior and these are the approved systems — everything else is considered rogue.
Ben Corll: I will steal a good answer from someone who posted it in the chat: culture, and a combination of culture and effective business processes. Both of those are great ways to tackle effective remediation and continuous monitoring.
If you know what normal looks like, you can spot the abnormal. If you know what normal behavior and traffic patterns look like for Dan, and you suddenly see a large volume of unusual connections coming from Singapore, you want to alert on that and reach out: are you on holiday? Are you traveling? That contextual question — why are your connections coming from Singapore now? — is where the value is. Shout out to Abnormal Security, a great product and likely a good future partnership for us.
David DellaPelle: Great point. There is also a question from the audience about smishing — it is clearly on the rise, and there is obviously a phish report button in tools like KnowBe4 and Proofpoint for email. But for smishing, if people are getting attacks on their personal devices, how do you report that? What have you seen?
Dan Glass: We ask our people to screenshot on their phone and send it to our security inbox.
Bradley Schaufenbuel: Exactly the same procedure here.
Ben Corll: Not great, but it is what is available. People have reported false positives that way too — I once sent out a security newsletter and people reported it as phishing. But at some point, people are your best sensors. They have intuition, and they are going to take action and report things even if the process is imperfect.
David DellaPelle: The Vishing situation is wild too. And on the smishing testing question — if you have to test people across all attack vectors, how do you test via smishing if they do not have company-owned devices? Should we be sending smishing tests to people's personal cell phones?
Dan Glass: You would have to check privacy regulations, especially internationally. We are an international company, so that would be difficult. If the company is not paying for the phone, it is a personal number, and I do not think I could get that past our legal department. On the other hand, we know our employees get smished. We see the reports. For every one person who reports it, I probably have 50 who do not, because they think it was just a random bad text message.
Ben Corll: If it is a personal device and there is no corporate information on it, from a risk-based perspective testing that device is probably not high on the priority list. Do standard training and awareness, but if there is no corporate data there, the risk calculus is different.
Dan Glass: We actually try to preach holistic security — security at home. We encourage people to think about their home networks because we do have software on work computers that can see what else is on the network when they are working from home. We have seen malware coming from other machines on employees' home networks, and sometimes trying to do the right thing and alert someone that their spouse's or child's computer may have malware gets complicated very quickly. People do not always want to hear that we have that level of visibility.
David DellaPelle: We are almost at time. Any closing thoughts, or shall I wrap up?
Any advice for the group? No? All right. Dan, Ben, Brad, thank you so much for your time. I know you are all extremely busy protecting massive enterprise organizations, and Ben, advising other CISOs on top of that. Really appreciate your time today and it has been an excellent conversation. We will make the recording available to our panelists and the audience. Thank you everyone for attending today.
Dan Glass: Thanks for having us.
Bradley Schaufenbuel: Thank you.
Ben Corll: Appreciate it. Thanks, all.
Social engineering is evolving faster than any defensive playbook written in the last decade. Phishing remains the top attack vector, but out-of-bound impersonation across smishing, vishing, AI-generated voicemails, deepfaked video calls, and more is climbing fast – and generative AI has made every campaign higher volume and higher quality.
Dan Glass (CISO & VP, NTT DATA North America), Ben Corll (CISO in Residence, Zscaler), and Bradley Schaufenbuel (VP & CISO, Paychex) walk through how generative AI is reshaping attack sophistication across every channel, why IT service desks have become a primary target, and how just-in-time, user-specific interventions – including training, alerts, and controls – are replacing annual modules as the standard for reducing real-world social engineering risk.
Key Takeaways
- AI has erased the old red flags. Generative AI removes the misspellings and clunky grammar defenders used to teach employees to look for. Volume is up, quality is up, and detection is harder across email and out-of-bound channels.
- The service desk is a structural vulnerability, not just a soft target. IT help desks are rewarded for speed: first-call resolution is the metric, so closing tickets fast is the incentive. When social engineers call and pressure staff to reset a password or bypass a process, that incentive structure works against security. Rebalancing it so process adherence matters as much as resolution time changes the attack surface.
- Just-in-time intervention has to be automatic. Threat actors have compressed dwell time from days to hours to minutes, which makes manual response too slow to matter. Automatically locking accounts, resetting credentials, or applying dynamic controls the moment suspicious behavior is detected, without waiting for a human to act, is where the industry is heading.
- Simulation programs have to match the actual attack surface. If your awareness program only tests phishing links in email, you are missing the fastest-growing share of threats your users now face. Realistic vishing, pretexting, and out-of-bound channel simulations reveal the specific gaps in your environment and surface which users need targeted intervention before a real social engineer calls.
- Culture, incentives, and accountability are part of the stack. Make security part of every job description, measure service desks on process adherence as well as resolution speed, model norms from senior leaders, and reduce risk for repeat-offender users before escalating to performance management.
Stay Updated
Get the latest threat intelligence, research, and product updates from Dune Security.
Photo Gallery
Step into the atmosphere of our past event — watch the recap and relive the moments where cybersecurity, innovation, and community came together.
Our Latest Insights


Stevens Institute of Technology modernizes security awareness and improves individual risk management with Dune Security
Stevens Institute of Technology modernizes security awareness and improves individual risk management with Dune Security




Hitachi Digital future-proofs security training for a global workforce with Dune Security
Hitachi Digital future-proofs security training for a global workforce with Dune Security




Phishing Didn't Leave the Inbox. It Expanded Around It.
Mobile-centric phishing carries a 40% higher success rate than email. Vishing is up 442%. Deepfake fraud is projected to hit $40 billion by 2027. The attack surface didn't shift, it expanded. Here's what that means for enterprise defense.


Social Engineering Is About to Be the Only Game in Town
AI is finding and patching zero‑days at machine speed. The traditional attack surface is collapsing. The only place attackers can still win consistently is the user. Learn what that means for CISOs trying to defend the enterprise, and why the operating model that worked for networks, endpoints, and identity has to come to the User Layer next.




The Top User-Driven Cyber Threats Targeting Law Firms
Law firms sit on some of the most sensitive and valuable data in the enterprise, and attackers have built an entire playbook around exploiting the users who handle it. Learn how four dominant threat vectors are targeting legal sector workflows in 2026 and what it takes to stop attacks at the User Layer.




The Future of Social Engineering
Dune Security CTO Michael Waite joins the Cyber Security Matters podcast to discuss how AI-driven social engineering is evolving, why legacy security awareness training no longer works, and how behavior-based risk quantification can better protect users from emerging threats.




The Future of Social Engineering
Dune Security CEO David DellaPelle joins Secure Insights to break down why user risk drives breaches, how AI is accelerating social engineering, and why legacy awareness models are no longer effective.




The Future of Social Engineering
Dune Security CEO David DellaPelle joins the Cyber Security America podcast to explain how AI-driven social engineering is outpacing traditional security awareness training and why organizations need a behavior-driven approach to identifying and reducing user risk.




Philadelphia Area Cyber Technology Showcase & Golf Outing
Dune Security sponsored GuidePoint Security's Philadelphia Area Cyber Technology Showcase and Golf Outing, a regional gathering of cybersecurity professionals and technology partners.
.avif)
.avif)


Controlled Chaos: Enabling Innovation While Ensuring Safety & Security
GRC and security leaders from UiPath, Yugabyte, and CXD Consulting on enabling rapid innovation without losing the controls that keep the business standing.





.avif)