
Why Social Engineering Attacks Still Work in Mature Security Environments

Vince Kuchar, CEO of RMC, & RMC’s Commercial Security Division

Social engineering remains one of the most reliable ways adversaries gain initial access to secure environments, not because people are careless, but because attackers exploit trust and urgency, targeting staff operating under tight deadlines and routine business pressures.

Despite widespread security awareness training and increased adoption of defensive controls, attackers continue to bypass safeguards by targeting human behavior. Phishing emails are no longer generic messages riddled with typos. Vishing calls sound like legitimate IT requests. Smishing messages arrive at exactly the wrong moment, demanding quick action.

For organizations operating in high-consequence environments such as healthcare, utilities, and other critical infrastructure sectors, the question is no longer whether employees have completed phishing training or how many users clicked a simulated email, but what the potential business impact would be if a targeted, high-privilege user were successfully socially engineered and how systems, controls, and people respond under pressure.

What Modern Social Engineering Campaigns Actually Test

Recent social engineering campaigns conducted by RMC’s commercial team were designed to reflect real-world threat activity, not artificial “gotcha” scenarios or exercises focused solely on click rates. While user interaction is documented, the primary objective is to understand potential business impact, including what could occur if a successful social engineering attempt enables initial access, privilege escalation, or lateral movement toward a specific attacker objective. These campaigns assess how existing security controls perform under realistic conditions and how far an attacker could progress once access is gained.

To achieve these objectives, the campaigns incorporated a mix of phishing, vishing, and smishing techniques commonly used by sophisticated threat actors such as Scattered Spider. Rather than relying on obvious malicious links, scenarios were built around legitimate business context and urgent requests that mirrored daily workflows – often posing as a trusted IT service desk. Attempts to bypass Multi-Factor Authentication (MFA) included Adversary-in-the-Middle (AiTM) techniques, where attackers proxy the authentication flow to intercept credentials and MFA responses, capture valid session tokens, and reuse those tokens to access cloud services without requiring the victim’s credentials or second factor, while also exploiting push fatigue and social pressure.

The goal was to understand how an attack could progress using realistic APT techniques, where friction slowed an attacker down, how a successful campaign can impact the business, and where gaps in security controls or personnel training remained.

What the Results Revealed

One consistent finding across campaigns was that users are increasingly effective at identifying obvious phishing attempts. Basic awareness efforts are working.

Challenges emerged when attackers introduced urgency, authority, or routine business context. When users believed they were assisting IT, approving access, or resolving an operational issue, hesitation dropped. In some cases, MFA push notifications were approved simply to stop repeated prompts – a behavior known as MFA fatigue that attackers actively exploit.

MFA significantly reduced risk, but it did not eliminate it. Like any control, its effectiveness depends on how it is implemented, monitored, and reinforced through process and training.
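As an added example (not code from the original post or from RMC): two checks a security operations team could run over sign-in telemetry to surface the MFA fatigue pattern described above and the session-token reuse step of an AiTM attack from the earlier section. The event format and the sample events are constructed for illustration and are not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs).
# Fields: timestamp, user, event type, source IP, session id (if any).
EVENTS = [
    ("2024-05-01T09:00:05", "alice", "mfa_push_denied",   "203.0.113.10", None),
    ("2024-05-01T09:00:40", "alice", "mfa_push_timeout",  "203.0.113.10", None),
    ("2024-05-01T09:01:20", "alice", "mfa_push_denied",   "203.0.113.10", None),
    ("2024-05-01T09:02:10", "alice", "mfa_push_approved", "203.0.113.10", "sess-A"),
    ("2024-05-01T09:10:00", "alice", "session_used",      "203.0.113.10", "sess-A"),
    ("2024-05-01T10:15:00", "bob",   "mfa_push_approved", "198.51.100.7", "sess-B"),
    ("2024-05-01T10:16:00", "bob",   "session_used",      "192.0.2.44",   "sess-B"),
]

def detect_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=10)):
    """Flag an approval that follows >= min_prompts denied or timed-out
    push prompts for the same user inside the window (MFA fatigue)."""
    hits = []
    pending = defaultdict(list)  # user -> timestamps of unapproved prompts
    for ts, user, ev, ip, sess in events:
        t = datetime.fromisoformat(ts)
        if ev in ("mfa_push_denied", "mfa_push_timeout"):
            pending[user].append(t)
        elif ev == "mfa_push_approved":
            prior = [p for p in pending[user] if t - p <= window]
            if len(prior) >= min_prompts:
                hits.append((user, len(prior), ts))
            pending[user].clear()  # a new prompt sequence starts after approval
    return hits

def detect_session_reuse(events):
    """Flag a session token used from an IP other than the one that completed
    MFA. This is a triage signal, not proof: legitimate IP changes happen
    (mobile networks, VPN), so pair it with ASN or device context."""
    origin = {}  # session id -> IP that completed MFA
    hits = []
    for ts, user, ev, ip, sess in events:
        if ev == "mfa_push_approved" and sess:
            origin[sess] = ip
        elif ev == "session_used" and sess in origin and origin[sess] != ip:
            hits.append((user, sess, origin[sess], ip, ts))
    return hits

if __name__ == "__main__":
    print("MFA fatigue:", detect_mfa_fatigue(EVENTS))
    print("Session reuse:", detect_session_reuse(EVENTS))
```

Both thresholds are assumptions to tune against the organization's own prompt volume and baseline of legitimate IP changes.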

Reporting rates on phishing emails were generally strong, but delays and uncertainty around what to report or when to escalate created windows of opportunity for further compromise within the environment.

Why Live Visibility Changes the Conversation

A key differentiator in these engagements was close collaboration between RMC and client security teams during active campaigns.

Rather than delivering results only after completion, RMC provided live insight as social engineering activity occurred. Security operations teams were able to observe detection timing, user response patterns, and how technical controls performed as events unfolded.

This real-time visibility transformed assumptions into evidence. Instead of debating theoretical risk, organizations could see exactly how an attack might unfold – and where investments would have the greatest impact.

Turning Insight Into Practical Risk Reduction

The value of a social engineering assessment is not found in a failure rate or scorecard, but in understanding how people, processes, and controls interact during a realistic attack and using that insight to reduce exposure.

In these engagements, RMC worked closely with client teams to translate observed behavior into practical improvements – refining awareness around real decision points, implementing controls to limit the impact of a successful campaign, and clarifying reporting and response pathways so uncertainty did not slow action.

The focus remained on reducing real-world risk in ways that aligned with operational reality, rather than introducing unnecessary friction or reacting to isolated outcomes.

Social Engineering as an Ongoing Risk Discipline

Social engineering is not a one-time test, and it is not a problem that can be fully trained away. Attackers continue to evolve their tactics, blending technical methods with psychological pressure and legitimate business context.

For organizations operating in high-trust, high-impact environments, resilience depends on regularly validating how systems and people respond under realistic conditions. That validation requires more than awareness exercises – it requires visibility into the full lifecycle of a realistic social engineering campaign, how employees may be targeted, and what a successful attack could enable once access is gained. RMC’s assessments help organizations validate whether security controls and monitoring capabilities can effectively detect and mitigate these campaigns, while clearly demonstrating where gaps remain and the business impact those gaps could create if exploited.

RMC regularly supports organizations seeking to validate social engineering risk within complex operational environments.
