No systems were breached. No credentials were stolen. No malware was involved. The attack was a phone call.
A VP at a financial institution received what appeared to be a call from the bank president. The request was straightforward. A client needed a funds transfer completed before end of day. The president had the authority to request it. The urgency was clear. The details were specific. Everything about the call felt legitimate.
It nearly worked.
The only reason it stopped was a chance conversation in a hallway. The CFO happened to cross paths with the VP and mentioned the transfer in progress. The CFO knew immediately something was wrong. The president was on vacation and unreachable by phone. Two people talking face to face stopped a transaction that could have bankrupted the institution.
What made the attack so effective
This was not a rushed or sloppy attempt. The threat actors had done significant preparation before making a single call.
AI had been used to scan publicly available information about the bank president. TED Talks. A high school student’s interview. Casual conversations that had made their way online. From that research, they assembled a detailed profile including answers to the most common security verification questions. First car. Childhood pet. Favorite color. The kinds of details that are supposed to confirm someone’s identity.
They also researched the bank’s client roster and identified which client would make the most convincing pretext for a large transfer request.
By the time the phone rang, the groundwork was already done. The call itself just had to hold up long enough for the transfer to go through.
It had everything a well-executed fraud attempt needs. A believable pretext. Established trust through a familiar authority figure. A clear deadline pushing the target toward action before they had time to think carefully.
Why this is harder to defend against than a technical attack
Most security tools are built to detect intrusions. Unusual login activity. Unauthorized access attempts. Suspicious traffic patterns. Those tools have no visibility into a phone conversation.
This kind of attack does not touch your systems. It targets your people. The goal is to manipulate someone into taking an action they believe is legitimate. When that manipulation is built on accurate personal details and delivered with the right level of authority and urgency, it is genuinely difficult to recognize in the moment.
The defense is not a technical one. It is procedural. Clear verification requirements for financial transactions. Established out-of-band confirmation steps for requests that carry authority and urgency. A culture where employees feel supported in pausing and checking before acting, even when the pressure to move quickly is real.
In this case, the control that worked was simple. Two people talked to each other in person. That conversation was not in the attacker’s plan.
What this means for your organization
AI is making social engineering attacks more personalized and more convincing. The preparation that used to require significant manual research can now happen faster and at greater scale. That changes the risk profile for this kind of attack across every industry, not just financial services.
The answer is not panic. It is process. Know what your verification requirements are for sensitive requests. Make sure your people understand them. Build in confirmation steps that do not rely solely on the person making the request to be who they say they are.
The fundamentals of fraud prevention have not changed. The tools available to attackers have.
Talk with our team
If you want to take a closer look at where your organization stands on social engineering risk and employee preparedness, we are glad to have that conversation.
