The Human Firewall: How Trained Employees Can Stop Phishing and Social Engineering Before It Starts

by Chetan Anand, Associate Vice President – Information Security and CISO, Profinch Solutions; ISACA Emerging Trends Working Group Member


Introduction to Social Engineering Threats

Social engineering has been described as one of the most inventive methods of gaining unauthorized access to information systems and obtaining sensitive information.
Attacks such as phishing, smishing, vishing, and whaling trick users into revealing their login credentials by posing as legitimate entities. In phishing, attackers send emails or create fake websites that closely resemble trustworthy services and trick users into entering their credentials, which the attackers capture the moment they are submitted. This form of social engineering is highly effective because it exploits weaknesses in people rather than technical vulnerabilities, making it a persistent threat to both individuals and organizations.
The key themes of social engineering are creativity and deception. Successful social engineering schemes are well orchestrated, with the aim of establishing inviolable trust between the attacker and the target without generating any suspicion whatsoever during execution.


The Complexity of AI-powered Cybercrime

With the emergence of artificial intelligence (AI), the threat of social engineering is becoming more complex. We now live in the era of AI-powered cybercrime! Social engineers use a variety of tricks such as impersonation, voice cloning and video morphing to make employees believe that such malicious media is genuine.
As indicated in ISACA’s 2026 Tech Trends and Priorities Pulse Poll, we can expect cybersecurity risks to intensify: one of the most significant cyber threats organizations expect to face is AI-driven social engineering. 75% of India-based respondents expect AI-driven social engineering to be the most significant cyber threat that organizations face next year.


Common Manifestations of Social Engineering

Today, we are seeing social engineering manifest in different ways. Apart from traditional phishing emails, phishing calendar invites are sent that appear to be legitimate but are not. Phishing emails containing invoices to renew a Microsoft license are sent to the organization’s Microsoft 365 administrators. Another form of social engineering that has gained popularity is phishing that spoofs email and sends realistic-looking messages on work-related topics, such as changes in benefits, gift card rewards for jobs well done, or salary increments. Employees may click on such links because the emails look completely legitimate, but the result is that unauthorized outsiders gain access to the enterprise’s network.


Expanding Attack Surface: Smishing and Personal Devices

The social engineering attack surface has also grown. Employees report receiving smishing messages over WhatsApp on their personal devices, often impersonating their organization’s leader. Such deceptive messages create a sense of urgency and leave no room for doubt. If employees are not careful enough, this can land them in trouble.


Humans and The Human Firewall: The Weakest or Strongest Link in Cybersecurity?

A common belief states that “humans are the weakest link in cybersecurity” because people are susceptible to errors and manipulation, which attackers can exploit. Factors like human error, weak password practices, and susceptibility to social engineering attacks, such as phishing and deepfakes, are significant vulnerabilities. An employee may simply be trying to catch up with work, but prying eyes can observe the applications the employee accesses and use that information to craft an email that leads the busy employee to click on an embedded malicious link.

One of the human vulnerabilities that leads to successful social engineering is that some employees are not aware that their online behaviour or thought processes might be flawed; therefore, they take little to no precautions. The complacent mindset of ‘a cyberattack won’t happen to me’ adds to the risky behaviour. Threat actors can more easily exploit those who lack heightened awareness.


Building the Human Firewall Through Training

However, humans can also be the strongest layer if properly trained and made aware. This needs to be a continuous process of educating and training employees and keeping them aware of ongoing threats, emerging trends in cyber-attacks, newer variations of cybercrime, and how to avoid becoming a victim. A single annual security awareness session is not likely to correct employees’ risky behaviour.


The Best Firewall is an Aware Mind

A “human firewall” is the metaphorical concept of employees acting as a strong line of defence against cyber threats by being vigilant, educated, and following security best practices. Unlike a technical firewall, it relies on human awareness to identify and prevent attacks like social engineering and malware that bypass traditional security systems. Staff can be vigilant only if they are aware of the dangers that might arise from their own flawed behaviour in response to cyberthreats in the environment.
Trained employees can stop phishing and social engineering attacks by staying vigilant, verifying information, and following security protocols. This includes training on how to identify suspicious requests, being cautious with emails, messages and links, using strong and unique passwords with multi-factor authentication, and knowing how to report incidents to the appropriate function within the organization. Continuous and consistent training is crucial to keep employees aware of evolving threats.


Best Practices To Recognize and Resist Phishing

Providing employees with regular training on recognizing phishing tactics, social engineering methods, and malware can be very effective. As an example, teaching employees how to spot a phishing mail helps them understand its characteristic features. The sense of urgency the phishing email creates, the typographical errors, the too-good-to-believe offers and, in some cases, the spoofed sender address, misuse of a logo, the fake domain, or a link that redirects to a different website are all good ways to explain the intricacies of phishing.
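As an added illustration of those indicators (example code, not part of the article), the following Python heuristic checks a constructed sample message for a lookalike sender domain, a display name that claims the organisation while the address does not, link text that shows one site while the target is another, and urgency or reward wording. The organisation domain example-corp.com and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "example-corp.com"  # assumed organisation domain (constructed for this example)
# Urgency and too-good-to-be-true wording, two of the hallmarks described above.
RED_FLAGS = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|gift card|reward|salary increment)\b", re.I)
# Pairs each <a href="..."> with its visible text; a regex is enough for this heuristic.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(text):
    """Host part of a URL or e-mail address, lower-cased ('' if there is none)."""
    m = re.search(r"(?:https?://)?(?:[^@/\s]+@)?([a-z0-9.-]+)", text, re.I)
    return m.group(1).lower() if m else ""

def lookalike(domain):
    """Crude fake-domain test: not the trusted domain, but within one edit of it."""
    if domain == TRUSTED or abs(len(domain) - len(TRUSTED)) > 1:
        return False
    a, b = sorted((domain, TRUSTED), key=len)  # a is the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + (len(a) == len(b)):] == b[i + 1:]  # one substitution, insertion or deletion

def phishing_indicators(raw):
    """Returns the list of indicators found in one raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    sender, body, found = host(addr), msg.get_payload(), []
    if lookalike(sender):
        found.append(f"lookalike sender domain {sender}")
    if TRUSTED.split(".")[0] in display.lower() and sender != TRUSTED:
        found.append("display name claims the trusted organisation, address does not")
    for href, text in ANCHOR.findall(body):
        if re.match(r"https?://|www\.", text.strip(), re.I) and host(text) != host(href):
            found.append(f"link shows {host(text)} but points to {host(href)}")
    if RED_FLAGS.search((msg["Subject"] or "") + " " + body):
        found.append("urgency or too-good-to-be-true wording")
    return found

# Constructed sample: a fake Microsoft 365 renewal invoice from a lookalike domain.
SAMPLE = """From: Example-Corp IT Helpdesk <it-support@examp1e-corp.com>
Subject: URGENT: Microsoft 365 licence renewal invoice
Content-Type: text/html

<p>Your licence expires within 24 hours. Pay at
<a href="http://examp1e-corp.com/pay">https://portal.example-corp.com/billing</a></p>
"""

if __name__ == "__main__":
    print("\n".join(phishing_indicators(SAMPLE)))
```

The checks are deliberately simple training aids; a real mail gateway layers them with authentication results such as SPF, DKIM and DMARC.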


Continuous Awareness and Reporting

Making cybersecurity a continuous topic of conversation during daily standup meetings, through newsletters, regular emails with scenarios, and posters helps keep employees informed and alert. Encouraging employees to report suspicious behaviour, threats, events and incidents is useful both for analysis and for prevention. Cybersecurity professionals may pursue training and certifications in AI, such as ISACA’s Advanced in AI Security Management (AAISM), to better equip themselves to protect against specific AI threats.


Navigating AI-driven Misinformation in the Workplace

AI technology risks spreading both misinformation and disinformation when misused. It is hard to tell what is genuine and what is fake, what is real and what is not. Our present-day work environment requires all of us to verify the information we receive before we trust it.


Author Credentials and Disclaimer

Author: Chetan Anand, CDPSE, National Cyber Security Scholar, CAISP, CCIO, ICBIS, ICCP, ICOSA, CPISI, CPDPO, OneTrust Fellow of Privacy Technology, IRAM2, ISO 42001 LA, ISO 27001 LA, ISO 22301 LA, ISO 27701, ISO 31000, ISO 9001 LA, Lean Six Sigma Green Belt, NLSIU Privacy and Data Protection Laws, SQAM and Agile Scrum Master
Associate Vice President – Information Security and CISO, Profinch Solutions, ISACA Global Mentor and Emerging Trends Working Group Member.
Disclaimer: The views expressed by the author are solely the author’s and do not reflect the views and beliefs of Profinch Solutions or ISACA, their affiliates, or employees.