Modern Phishing and Social Engineering: A Practical Awareness Session
Supporting Nickel Digital’s Team with Practical Phishing & OSINT Awareness
The Context
Nickel Digital operates in a high-trust, high-value digital environment, working closely with financial services and digital asset organisations where speed, professionalism, and discretion are part of everyday work. Staff handle sensitive information, client communications, and platform access in situations where requests often need to be dealt with quickly and confidently.
A message arrives that appears to come from a trusted contact. The tone is consistent with previous communication. The request fits the context of ongoing work. Responding quickly feels like the right thing to do, both professionally and practically, because that is often how good client-facing work is carried out.
At the same time, nothing appears obviously wrong. There is no dramatic warning sign and no clear reason to stop. In that moment, the decision is not experienced as a cybersecurity decision. It is a choice between acting on something that looks legitimate and pausing to question something that fits expectations.
That is what makes the environment significant. The pressure is not explicit. It comes from trust, from professional standards, and from the expectation to respond quickly and confidently in a fast-moving setting. This creates a very specific risk profile, because modern phishing and social-engineering attacks are designed to blend into normal business activity. They use research, impersonation, and increasingly sophisticated techniques to mirror real workflows closely enough that the interaction feels entirely appropriate while it is happening.
Nickel Digital wanted a session that reflected that reality properly. The aim was not to slow decision-making down with fear or suspicion, but to help staff recognise where risk can sit within everyday work when something still appears professionally sound.
The Challenge
In environments like this, cybersecurity rarely presents itself as an obvious problem. It appears in situations that feel routine, particularly where trust, speed, and polished communication are already expected. Requests arrive that are plausible, well-structured, and aligned with ongoing work. The language feels right. The timing makes sense. The action being asked for often feels like the next reasonable step.
That is what makes the challenge different. Attackers are no longer relying only on poor grammar, strange links, or messages that feel out of place. They invest time in understanding organisations, relationships, and workflows, which means malicious activity can be shaped to fit the surface of legitimate business communication. In practice, there is often no immediate reason to question what is in front of you. The request fits. The tone is right. Acting quickly feels efficient and professionally appropriate.
Within a team made up of both technical and non-technical roles, that creates a gap that traditional awareness often does not fully address. The issue is not simply recognising what phishing looks like in theory. It is understanding how modern attacks actually work in real environments and why they succeed even where people are experienced, capable, and aware that cyber threats exist.
Nickel Digital were therefore not looking for generic awareness or abstract advice. They needed an approach that would resonate across the team and feel directly relevant to the way decisions are made in their own environment, where access, trust, and timing all carry weight.
Our Approach
The session was designed around the reality that, in high-trust environments, risk rarely looks suspicious at first. Rather than centring the discussion on warning signs or generic reminders, the focus stayed on how modern phishing and social-engineering attacks are built to feel legitimate. This included how attackers use publicly available information, existing relationships, and professional context to make requests appear credible enough to act on.
A central part of the session focused on how information is gathered and then used. Through a live OSINT demonstration, participants could see how easily publicly available data can be used to build a convincing picture of an individual, a team, or an organisation. That mattered because it shifted the discussion away from abstract threat language and into something much more recognisable. It showed that the credibility of an attack is often built long before the message itself arrives.
From there, the session moved into how these techniques translate into real-world scenarios, particularly in financial and digital asset environments where trust, access, timing, and professional credibility all shape behaviour. The discussion stayed close to the kinds of situations staff could realistically encounter, so that the focus remained on how decisions are made in practice rather than on theory alone.
The emphasis throughout was on judgement rather than rules. The session explored how to recognise when something deserves a second look, how to verify requests without disrupting workflow, and how to question situations that do not quite align even when they still appear professionally sound. Because the session was conversational and example-led, both technical and non-technical staff could engage with the same core ideas from their own perspective. That helped build a shared understanding of how risk appears across the organisation rather than confining the issue to one type of role.
The Outcome
The most noticeable shift was in how legitimacy began to be assessed. Before the session, decisions were often shaped by whether something looked professionally sound. If the tone, context, and request aligned with expectations, that was often enough for the interaction to be accepted at face value.
Afterwards, there was a clearer awareness of how easily that sense of legitimacy can be constructed. The shift was not towards hunting for obvious threats or becoming suspicious of everything. It was towards recognising when a situation carried risk even when nothing appeared immediately wrong.
That change became most visible in the way participants described their thinking. What might previously have been reduced to “it looked fine” became something closer to “it looked right, but I wanted to verify it independently.” That is a meaningful difference because it shows a movement away from surface-level trust as the main basis for action and towards a more deliberate form of judgement that still fits professional work.
The OSINT demonstration gave the team a shared reference point for that shift. It made clear how much information is already available and how that information can be used to support convincing impersonation or phishing attempts. As a result, verification began to feel less like an interruption and more like part of professional responsibility, especially in situations involving access, financial activity, or subtle changes to normal process.
Importantly, this understanding did not sit only with technical staff. It helped align technical and non-technical roles around the same interpretation of risk, so cybersecurity no longer felt like something owned by a particular part of the business. Instead, it became more clearly embedded within everyday decision-making across the organisation.
What changed, then, was not simply awareness of phishing techniques. It was the quality and consistency of judgement in high-trust situations. The team left with greater confidence in questioning what felt legitimate, a clearer basis for independent verification, and a stronger understanding of how small decisions can have wider consequences in a fast-moving, client-facing environment.
Client Feedback
“Andy was engaging throughout the session, and the real-world examples were particularly powerful. The practical approach made the risks feel relevant and easy to understand, rather than theoretical.”
— James Walker, Nickel Digital
Project Information
Industry: Financial Services & Digital Assets
Audience: Mixed technical and non-technical staff
Delivery Method: On-site (London)