Cyber Rebels

The Art of Human Hacking: Understanding Social Engineering Threats


An employee is working through a task that needs to be completed before the end of the day. It’s routine work, the kind that involves moving between emails, systems, and documents, keeping things progressing without delay. Messages are being processed, requests are being handled, and decisions are being made quickly enough to keep everything on track.

In the middle of that, something appears that fits exactly with what they are already doing.

The name is familiar. The request makes sense in the context of the task. The timing feels right, and responding to it now would keep things moving without interruption. There is no obvious reason to treat it differently from anything else they have already handled.

So they act.

From their perspective, the decision is straightforward. It aligns with the work in front of them, supports the outcome they are trying to achieve, and avoids unnecessary delay. Nothing about the situation signals risk strongly enough to interrupt that process or justify stepping outside of it.

What is not visible in that moment is that the situation has been constructed to produce exactly that response.

This is how most social engineering attacks begin.

Not with something that feels suspicious, but with something that feels entirely normal.

These situations don’t appear in just one form. They show up in different parts of the working day, shaped by the task in front of the person and the context around it. The detail changes, but the decision process remains the same.

When the Request Fits the Work

An accounts employee is midway through processing a batch of invoices. Several suppliers need to be paid before the end of the day, and they are working through them one by one, checking amounts, confirming details, and keeping everything moving so nothing is delayed.

One of the invoices matches a supplier they recognise. The amount is expected, the timing is right, and everything aligns with previous work. Alongside it is an email explaining that the supplier has recently changed their bank details and asking for the update to be applied before payment is processed.

Nothing about the request feels unusual. Updating payment details is a normal part of the role, and the message fits naturally into the task already in progress. Stopping to question it would interrupt the flow of work and potentially delay the payment, which is exactly what they are trying to avoid.

So they update the details and continue.

From their perspective, the decision is practical. It keeps the process moving, resolves the request, and aligns with what the situation appears to require. There is no clear signal that anything is wrong, and no obvious reason to treat it differently from any other routine change.

In reality, this is a phishing attack.

The effectiveness of the attack does not come from the message looking convincing in isolation. It comes from how closely it aligns with the work already being carried out. The request does not need to stand out if it already belongs.

When the Situation Explains the Request

A member of staff is in the middle of their day when a system they rely on starts behaving unexpectedly. Access is slow, something isn’t loading correctly, or a task they normally complete without thinking suddenly becomes difficult. It’s not unusual, just disruptive enough to notice.

They carry on working around it.

Shortly after, they receive a call from someone introducing themselves as part of the IT support team. The caller references the same issue, explains that it has been identified, and that they are working through affected accounts to resolve it.

The explanation fits immediately. The problem is already there, and this feels like the next step in fixing it.

The caller asks them to confirm their login details or approve a verification prompt so access can be restored properly.

At that point, the decision is straightforward. The request aligns with the issue, the person sounds like they know what they are talking about, and completing the step should resolve the disruption. Questioning it would feel unnecessary, and delaying it would mean continuing to work with a problem that already needs fixing.

So they comply.

From their perspective, the decision is practical. It helps resolve an issue, fits the situation they are experiencing, and comes from someone who appears to be responsible for fixing it. There is no obvious break in logic, and no clear reason to treat the request differently.

In reality, this is a pretexting attack.

The strength of the attack is not just in the role being impersonated, but in how well the situation explains the request. The problem exists first. The explanation follows. The action feels like the natural next step.

When Curiosity Feels Harmless

An employee is working through a project that requires pulling together information from multiple sources. They are switching between emails, shared folders, and documents, piecing things together as they go. It’s the kind of task where useful information can come from anywhere, and part of the job is knowing what’s worth opening and what can be ignored.

During that process, they come across a file that appears relevant. It might be an attachment forwarded as part of a longer email chain, a document sitting in a shared location, or a link presented as something useful to the task they are already working on.

The title suggests it contains something important. It fits closely enough with what they are doing that it doesn’t feel out of place.

Opening it feels like a sensible next step.

There is no urgency pushing the decision, and no authority figure applying pressure. If anything, the absence of pressure makes the action feel even safer. It’s just a quick check, a small step to see if the content is useful before moving on.

So they open it.

From their perspective, the decision is efficient. It takes seconds, it might help move the work forward, and there is no obvious downside. Nothing about the situation signals risk strongly enough to interrupt the flow of work or justify additional checks.

In reality, this is a baiting attack.

What happens next is not visible in that moment. The file may appear to open normally, or it may not open at all. But in the background, something else has already started.

Access to the device may be established quietly.
Credentials may begin to be captured as the person continues working.
The system may now be reachable in ways it wasn’t before.

Nothing changes immediately from the employee’s perspective. The task continues. The work moves on.

Which is exactly why the decision never gets revisited.

The effectiveness of the attack comes from how little it demands. There is no need to convince or pressure. The situation only needs to feel plausible enough that opening the file becomes part of normal behaviour.

When Social Norms Override Security

An employee is arriving at the office or moving between areas of the building as part of their normal day. Access is controlled, but the environment itself feels routine. People are coming and going, conversations are happening, and movement through the space is constant.

As they reach a secured door, someone approaches behind them carrying equipment or a stack of boxes. The person looks like they belong there. They’re dressed appropriately, they move with purpose, and nothing about them stands out as unusual.

The door is already open.

Holding it for a second feels like the natural thing to do.

Refusing would mean stopping, questioning them, and creating a moment that feels unnecessary in what appears to be a normal situation. It would interrupt the flow, and potentially make the interaction awkward for no clear reason.

So they let them through.

From their perspective, the decision is reasonable. It keeps things moving, aligns with expected behaviour in a shared space, and avoids creating friction where none seems needed. There is no obvious signal that the situation requires anything different.

In reality, this is a tailgating attempt.

What follows is not immediately visible. The person does not need to act suspiciously or do anything that draws attention. They are now inside an environment they should not have access to, moving in the same spaces as everyone else.

Access points that should have been restricted are now reachable.
Workstations, documents, or unattended devices can be approached without challenge.
Information that would normally require credentials can be observed, photographed, or taken.

Nothing changes in the moment the decision is made. The interaction is brief, the door closes, and the day continues as normal.

Which is exactly why it is never reconsidered.

The effectiveness of the situation comes from how closely it aligns with expected behaviour. It is not framed as a security decision, but as a social one. The response feels appropriate, and that is what makes it reliable.

Why These Decisions Continue to Happen

Across all of these situations, the tactics may look different, but the decision process is remarkably consistent. The person is not identifying the interaction as a security event. They are responding to what appears to be a normal part of their role, using the same judgement they rely on throughout the rest of their work.

That judgement is rarely slow or deliberate. In most working environments, decisions are made while multiple things are happening at once. Emails are being processed, systems are being navigated, conversations are taking place, and tasks are being completed under time constraints. Stopping to analyse every interaction in detail would make the work unmanageable, so people rely on quicker forms of assessment.

In practice, this means matching what they are seeing to what they expect. If a message, request, or situation aligns closely enough with previous experience, it is accepted and acted on without further scrutiny. The process is efficient, and most of the time it works.

The difficulty is that this same process does not distinguish between something that is genuine and something that has been designed to appear genuine. If the situation fits, the decision follows.

This is why these moments rarely feel like mistakes. At the point of action, there is no clear signal that anything is wrong. The request makes sense, the timing feels right, and the response supports the task that is already underway. From the inside, the decision is coherent.

Because of that, these situations do not stand out once they have passed. The task continues, the outcome appears complete, and there is nothing obvious that would prompt the person to revisit what they have just done. The decision blends into the rest of the day’s activity.

This is also why the same patterns repeat.

A payment detail is updated because it fits the workflow.
Access is granted because the request aligns with a known issue.
A file is opened because it appears relevant.
A door is held because it feels appropriate.

Each decision is made for a reason that holds up in the moment. None of them feel significant enough to interrupt, and none of them are treated as exceptions.

Over time, these small, reasonable decisions accumulate. Not in a way that feels dramatic or obvious, but in a way that quietly increases exposure across different parts of the organisation. The risk is not created by a single event, but by the consistency of the pattern.

Nothing about these situations forces a change in behaviour, because nothing about them appears to require one.

How Social Engineering Has Changed

The way social engineering works has not fundamentally changed. What has changed is how closely it now aligns with the environments people operate in every day.

In the past, there were often small signals that something didn’t fully belong. A message might have felt slightly out of place, the wording might not have quite matched expectations, or the situation itself might have seemed unusual enough to question. Those signals were not always obvious, but they were often just enough to create hesitation.

That distinction has gradually disappeared.

Today, most work takes place across multiple systems at once. Emails sit alongside instant messages, shared documents, project platforms, and external communications, all moving at pace and often overlapping. Conversations are continuous rather than isolated, and tasks rarely exist in a single place. Information flows between people quickly, often without a clear pause point where something is formally checked or verified.

In that environment, messages do not need to stand out to be effective. They need to fit.

A request that continues an existing email thread does not feel new. It feels like part of the same conversation. A message that references a real project does not feel suspicious. It feels informed. A call that mentions a known issue does not feel intrusive. It feels helpful.

Consider a situation where an employee receives a message from a senior colleague about a piece of work already in progress. The timing is right, the request is reasonable, and the language matches how that person normally communicates. The tone, phrasing, and level of detail all feel consistent with previous interactions.

They read it, recognise it, and act.

From their perspective, the decision is straightforward. The message sounds like the person they know, fits the work they are already doing, and aligns with how communication usually happens. There is no friction in the interaction, and no clear reason to question it.

What has changed is how easy it is to create that level of alignment.

Messages no longer need to be written by someone who understands the organisation in depth. They can be constructed to match tone, structure, and context with a high degree of accuracy. Access to real conversations, publicly available information, and increasingly, generated content that mirrors natural communication all contribute to making interactions feel complete.

Language, which once acted as a subtle signal of legitimacy, is no longer a reliable indicator. Consistency in communication can now be replicated closely enough that it reinforces trust rather than raising doubt.

As a result, the decision is no longer influenced by whether something looks slightly wrong. It is influenced by how completely it appears right.

This is a more difficult judgement to make.

When something appears unusual, there is a natural reason to pause. When something appears entirely consistent with expectation, that reason disappears. The interaction moves through the same mental process as any other routine communication and is handled in the same way.

This is where modern social engineering operates.

It does not rely on introducing something that feels out of place. It relies on removing anything that would normally create doubt. The closer an interaction mirrors real work, the less visible the decision becomes.

The behaviour has not changed. People are still responding to what is in front of them in a way that makes sense at the time. What has changed is the precision with which those situations can now be constructed, and the environments in which they appear.

That precision means the decision rarely feels like a risk decision at all.

What Changes in Practice

When people begin to recognise how these situations form, the work itself does not slow down and it does not become obstructive. The same tasks still need to be completed, the same systems still need to function, and the same expectations around responsiveness and efficiency remain in place.

What changes is much more specific than that.

The same accounts employee is still processing invoices at pace, but when a request to update payment details appears within that workflow, it no longer passes straight through. The task continues, but there is a brief pause where the request is treated separately from the process it arrived in. The details are checked through a known contact, rather than being accepted as part of the email itself.

Nothing about the workload changes, but the decision point becomes visible.

In a similar way, when a call comes through claiming to resolve an issue, the response is no longer driven solely by how well the situation is explained. The issue may still be real, and the request may still sound correct, but the action is no longer taken within the same interaction. The verification happens outside of it, using a channel that is already trusted rather than one that has just appeared.

The conversation continues, but the decision moves.

When a file or link appears during normal work, it is no longer opened purely because it feels relevant. The context is still recognised, but relevance alone is not enough to act. There is a moment where the source is considered before the content, and where opening it is treated as a decision rather than a continuation of the task.

Again, the work continues, but the behaviour shifts slightly at that point.

Even in physical spaces, the same pattern applies. Movement through the building remains the same, but when access depends on individual judgement, the response is no longer automatic. Holding a door or allowing someone through is no longer treated purely as a social interaction. There is a brief recognition that the situation carries a different kind of responsibility, even if nothing about the person or the request appears unusual.

Across all of these examples, the change is not about introducing new rules or adding friction to every action. It is about recognising the specific moments where decisions are being made inside normal work, and handling those moments differently.

The task does not stop. The systems do not change. The pace of work remains.

But the decision no longer passes unnoticed.

Seeing Social Engineering for What It Is

Social engineering is often described in terms of tactics, techniques, or types of attack. Those descriptions are useful, but they sit slightly outside of how these situations are actually experienced while they are happening.

In practice, these moments do not appear as clear threats. They appear as part of the work itself.

A message arrives that fits an ongoing task.
A request aligns with what needs to be done.
A situation makes sense within the flow of the day.

The decision to act is not made in isolation. It is made within that context, using the same judgement that is relied on to keep everything else moving.

That is why these situations are so difficult to recognise in the moment. There is no clear boundary between normal activity and something that should be treated differently. The interaction does not stand apart from the work. It sits inside it.

Because of that, the decision rarely feels like a security decision.

It feels like responding appropriately, staying efficient, and doing what the role requires.

This is where most explanations stop. They focus on identifying suspicious behaviour or recognising known patterns. But the difficulty is not only in spotting what looks wrong. It is in recognising when something looks entirely right, and understanding that this may be the point where a decision needs to be handled differently.

That shift is subtle, but it changes how these situations are approached.

The focus moves away from trying to identify every possible threat, and towards recognising the moments where a response feels automatic. Where something fits so well that it passes without question. Where the decision is made quickly because there is no reason, on the surface, to do anything else.

Those are the moments where social engineering succeeds.

Not because people are unaware, or careless, or untrained, but because the situation has been constructed to align with how work normally happens.

Seeing social engineering for what it is means recognising that it does not sit outside of day-to-day activity. It is built into it.

And once that becomes clear, the decision is no longer invisible.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
