Think multi-factor authentication (MFA) and phishing training are enough to keep your company safe? Think again.
Attackers don’t need to ‘hack in’ anymore; they can simply log in to a compromised account. Between deepfake impersonations and rampant credential theft, cybercriminals now rely more on manipulation than malware, with 60% of recent breaches involving the human element.
We’ve spent our careers on opposite sides of the same problem: Rachel Tobac as the ethical hacker who breaks into companies by exploiting human behavior, and Shai Gabay as the security leader building technology to stop those exact attacks in real time.
Coming from offense and defense, we’ve reached the same conclusion: the most exploited vulnerabilities aren’t technical, they’re human.
Here are five steps every organization should take to protect its people, processes and payments from the modern era of impersonation and fraud.
Polite Paranoia
There’s a crucial mindset shift that everyone needs to make: don’t just trust, verify first.
An ethical hacker, like Rachel, or any cybercriminal, can impersonate a CFO using a $1 caller-ID spoofing app. Familiarity can no longer be treated as proof of authenticity, so employees must pause and double-check before taking sensitive actions, especially when money or credentials are involved.
If someone reaches out with a sensitive request, confirm it through a second, trusted channel before taking action. Hang up and call back using the number you have on file or send a message through your corporate chat system.
Yes, it may feel awkward to double-check your boss or vendor. But that brief moment of ‘polite paranoia’ can prevent a multimillion-dollar loss.
Fortify Logins
Many professionals believe they’ve solved the problem of securing logins. They haven’t. Most organizations still don’t use a password manager and continue to apply MFA inconsistently. And as Rachel often demonstrates in live hacks, dropping an email into a breach-search tool like Dehashed can reveal 10-15 breached passwords in milliseconds, making it all too easy for an attacker to slip in.
Here’s what we recommend:
- Use long, random, and unique passwords for every login
- Use a password manager or passkey system instead of attempting to memorize them
- Regularly check if credentials appear in known breach databases
- Extend MFA to every system with business value or involvement in sensitive activity
MFA and password managers are now baseline defenses, yet many companies still only secure email while leaving critical business systems – ERP, CRM, payroll, payment approval, and vendor creation – unprotected. As Shai sees daily, attackers deliberately target these secondary systems because they’re often overlooked, using them to gain footholds, move laterally or collect data for impersonation attacks.
Password management and MFA may not be glamorous, but they close one of the oldest doors attackers still exploit.
Risk, Not Role-Based Defenses
Most companies focus their strongest defenses on the C-suite or a single department, but attackers are targeting anyone in a position of trust. This includes finance, customer support, IT, procurement, and operations teams, all groups that handle sensitive requests and execute processes that can be manipulated.
For example:
- A ‘customer’ calls to change their phone number
- An ‘IT technician’ requests a password reset
- A ‘vendor’ asks to update payment details
Each of these seems routine, and that’s exactly what attackers exploit.
To defend against this, verification must be built into every high-risk workflow. That means implementing identity validation steps beyond simple security questions, using secondary channels or cross-team confirmations before changes are made.
Every team needs clear, codified protocols for verifying identity before acting on requests that could impact data or money. Protect based on risk, not role.
Connect the Dots
Seventy percent of attacks span multiple systems, which means many warning signs go unnoticed simply because they’re scattered. Shai routinely sees fraud quietly unfold this way: a new vendor profile may look harmless on its own, a slight bank account change may not trigger alarms, and other anomalous behavior may appear normal in a vacuum. But taken together, the pattern becomes unmistakable: something isn’t right.
Here’s the simple fix:
- Make sure teams share what they see. Small anomalies should be passed along, not handled alone
- Centralize key alerts. When signals land in one place, patterns stand out
- Look at sequences, not single actions. Fraud builds step by step
Attackers count on blind spots. When you connect the dots, you spot issues earlier, act faster, and stop fraud before it becomes a loss.
Detecting Behavior Is A Necessity
Strong passwords and MFA matter, but they’re not enough. Hackers are using AI to get in, and you need AI to keep them out.
That’s why Shai’s current work focuses on behavioral AI because the real signal isn’t who someone says they are, but what their actions reveal. Are they sending payments to new countries? Approving invoices outside normal workflows? Downloading data at odd hours? Behavioral detection catches these subtle deviations even when everything else looks normal.
Rachel has experienced that firsthand on the offensive side. Even after she’s successfully taken over an account during an ethical hack, behavioral AI has flagged her actions and stopped the attack cold. It’s one of the few defenses that consistently disrupts modern social engineering in real time.
Both the offensive and defensive sides of the equation agree: fraud today is behavioral, not technical. In an era where criminals are attacking with AI, arming your organization with the same isn’t simply a luxury; it’s a critical defense.
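To make the “look at sequences, not single actions” advice and the behavioral-deviation idea above concrete, here is an added Python example (our own illustration, not code from the authors or from any product they describe) that groups constructed events from three separate systems by vendor to catch the new-vendor, bank-change, payout chain, and checks each actor against a constructed baseline of usual countries and working hours. The event fields, system names, actor names and baseline values are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events from three systems; each is routine alone, suspicious together.
EVENTS = [
    {"ts": "2024-03-01T09:12:00", "system": "vendor_master", "action": "vendor_created",
     "vendor": "V-1042", "actor": "procurement.alice"},
    {"ts": "2024-03-02T10:00:00", "system": "payments", "action": "payment_approved",
     "vendor": "V-0007", "actor": "ap.bob", "amount": 1200, "country": "US"},
    {"ts": "2024-03-03T16:48:00", "system": "ap", "action": "bank_account_changed",
     "vendor": "V-1042", "actor": "ap.bob"},
    {"ts": "2024-03-04T22:05:00", "system": "payments", "action": "payment_approved",
     "vendor": "V-1042", "actor": "ap.bob", "amount": 48000, "country": "LT"},
]
# The ordered sequence that should never complete quietly within a short window.
PATTERN = ["vendor_created", "bank_account_changed", "payment_approved"]
# Assumed per-actor baseline: countries normally paid and usual working hours.
BASELINE = {"ap.bob": {"countries": {"US", "CA"}, "hours": range(8, 19)}}

def correlate_vendor_sequence(events, pattern=PATTERN, window_days=14):
    """Flag vendors whose cross-system history contains PATTERN in order within window_days."""
    by_vendor = defaultdict(list)
    for e in events:
        by_vendor[e["vendor"]].append(e)
    flagged = {}
    for vendor, evs in by_vendor.items():
        evs.sort(key=lambda ev: ev["ts"])  # ISO-8601 strings sort chronologically
        matched = []
        for e in evs:  # greedy in-order subsequence match against the pattern
            if len(matched) < len(pattern) and e["action"] == pattern[len(matched)]:
                matched.append(e)
        if len(matched) == len(pattern):
            span = datetime.fromisoformat(matched[-1]["ts"]) - datetime.fromisoformat(matched[0]["ts"])
            if span.days <= window_days:
                flagged[vendor] = [m["action"] for m in matched]
    return flagged

def behavioral_deviations(events, baseline=BASELINE):
    """Flag actions outside an actor's usual hours or payments to a never-before-paid country."""
    findings = defaultdict(list)
    for e in events:
        profile = baseline.get(e["actor"])
        if profile is None:  # no baseline yet; a real system would learn one first
            continue
        if datetime.fromisoformat(e["ts"]).hour not in profile["hours"]:
            findings[e["actor"]].append(("off_hours", e["action"], e["ts"]))
        if e.get("country") and e["country"] not in profile["countries"]:
            findings[e["actor"]].append(("new_country", e["country"], e["ts"]))
    return dict(findings)
```

Run alone, the sequence check flags only V-1042 (the chain completes in three days), and the baseline check flags only the late-night payment to a new country, while the routine daytime US payment stays silent.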
Conclusion
Coming at this problem from opposite sides, one of us testing how people can be deceived, the other building systems to stop that deception, we’ve both learned that modern fraud hinges on behavior as much as technology.
Attackers now use AI to mimic trusted people, exploit trusted processes, and slip into workflows that look legitimate on the surface. The most reliable response is pairing human judgment with defenses that understand context and notice when something doesn’t align with normal behavior.
Our advice, shaped by both offense and defense, is simple: Encourage polite paranoia. Equip teams with behavioral AI. And don’t rely on any single control to keep you safe.