Social engineering attacks have long been a critical concern for institutions, with email-based phishing dominating headlines and incident reports. However, as online collaboration tools and processes evolve, attackers are increasingly leveraging new channels to target users and compromise institutions. Recognizing and addressing social engineering threats beyond email—such as voice phishing, collaborative work tool exploits, and other emerging vectors—is essential to safeguarding institutional assets and reputation.
Voice phishing, commonly known as vishing, involves attackers using phone calls or voice messages to manipulate employees into revealing sensitive information or performing unauthorized actions. Modern vishing campaigns often employ the following:
to build trust and urgency. Attackers may impersonate IT staff, executives, or vendors, requesting password resets, wire transfers, or confidential data. Recent trends show an uptick in vishing incidents targeting remote workers, whose reliance on phone-based verification has increased.
With widespread adoption of platforms like Microsoft Teams, Slack, and Zoom, attackers have discovered new avenues for social engineering. Threat actors may infiltrate channels through:
to solicit confidential information. The collaborative nature of these tools can create a false sense of security, making employees more susceptible to manipulation.
SMS-based phishing (smishing) uses text messages to deliver malicious links or instructions, often exploiting urgent financial or security concerns. Social media platforms present additional risks, as attackers gather intelligence or contact employees directly under the guise of networking or support.
Combatting social engineering begins with empowering employees through targeted training and ongoing awareness campaigns. Effective programs use real-world scenarios, role-playing exercises, and regular simulated attacks to reinforce recognition of suspicious behaviors across all channels—not just email. This can be achieved through your regular campaigns and included in penetration testing exercises.
Encourage staff to verify unusual requests through secondary channels, report suspected incidents promptly and understand the broader context of social engineering risks. Training should be tailored to job roles and updated regularly to reflect emerging threats.
Technology plays a vital role in detecting and mitigating social engineering threats. Deploy caller authentication tools to verify inbound calls, integrate advanced threat protection into collaboration platforms, and monitor for anomalous activity across communication channels. Automated alerting and incident response systems can reduce the impact of incidents, while multi-factor authentication and endpoint protection safeguard against unauthorized access. Regular audits and penetration testing help identify gaps in existing defenses.
Administrative controls underpin a resilient security posture. Strong security culture is important to ensure all users understand that everyone plays a role in securing institution information and systems. Support from the Board of Directors and Executive Management is vital to setting this tone across the institution.
Additionally, establish clear policies governing acceptable communication practices, verification procedures, and escalation paths for suspicious requests. Review access regularly and remove unnecessary access as promptly as possible, maintain up-to-date contact lists and third-party directories to facilitate rapid verification.
Develop and test incident response plans specific to social engineering scenarios, ensuring all staff understand their roles in containment and reporting. Periodic plan reviews and cross-functional tabletop exercises keep defenses agile and effective.
While many of these mitigation measures are not new, to stay ahead of these emerging threats, we need to ensure that we are including these emerging channels in our security program. Add vishing, smishing, and collaboration tools into your training, monitoring, and testing programs so your users and systems are prepared to respond to these threats!
Sources:
Microsoft. (2025). Copilot [Large language model]. https://copilot.microsoft.com/