Stop asking “Would my team fall for phishing?” Start asking “What if every employee gets a bespoke pretext built from their public footprint — and it’s updated daily?”
AI is shifting initial access from generic blasts to high-conversion targeting:
– Role-specific lures that mirror real workflows (finance, HR, IT, legal)
– Language and tone matching pulled from public posts, bios, podcasts, press
– Business-context hooks based on vendors, tools, hiring, funding, org changes
– Synthetic voice/video for “quick calls” and realistic meeting invites
This means your controls have to assume that any message, call, or calendar event can be convincingly synthetic, and that the people receiving them cannot be expected to tell.
Practical controls founders and operators can implement now:
1) Move approvals out of inboxes: payments, bank changes, vendor onboarding require in-app workflows and enforced separation of duties.
2) Add a verification lane: a written callback policy using known-good numbers from your own records (never a number supplied in the message itself), plus “no exceptions” for urgency.
3) Lock down identity: phishing-resistant MFA (FIDO2/passkeys) for email, VPN, admin, finance systems.
4) Harden email and domains: DMARC at an enforcing policy (p=quarantine or p=reject, with SPF and DKIM aligned first), lookalike-domain monitoring, strict external sender labeling.
5) Reduce public exhaust: limit org charts, direct emails, tooling details; tighten who can post what.
6) Instrument detection: alert on new inbox rules (especially ones that forward externally, delete, or move mail into rarely-read folders), OAuth app grants with mail scopes, suspicious calendar invites, and mailbox-level forwarding.
7) Train for pretexts, not links: scenarios around vendor change requests, recruiter outreach, “CEO needs this now,” and calendar hijacks.
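For item 4, here is an added example (not from the original post) of what “DMARC enforcement” means in practice: a small checker that parses a DMARC TXT record and flags the settings that leave spoofed mail deliverable. The three records and their domains are constructed placeholders; the checks follow the DMARC tag semantics (p, sp, pct, rua, adkim/aspf defaults).

```python
"""Assess DMARC records for real enforcement.

Added example, not from the original post. RECORDS below are constructed
sample TXT records (as published at _dmarc.<domain>); the domains are
placeholders.
"""

# Constructed sample records: monitor-only, partially enforcing, fully enforcing.
RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strong.example": (
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc@strong.example; ruf=mailto:dmarc@strong.example"
    ),
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (enforcing, findings) for one DMARC TXT record.

    'enforcing' is True only when failing mail from the domain AND its
    subdomains gets quarantine/reject applied to 100% of messages.
    """
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        return False, ["not a DMARC record"]

    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: monitor-only, spoofed mail is still delivered")

    # pct defaults to 100; anything lower samples the policy onto a fraction of mail.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")

    # sp defaults to p; an explicit sp=none re-opens every subdomain to spoofing.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy or 'missing'}: subdomains are not enforced")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports (who is spoofing you) are discarded")

    # Alignment defaults to relaxed ('r'); informational, not counted against enforcement.
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment (default): any DKIM/SPF domain in the same org domain counts as aligned")

    enforcing = policy in ENFORCING and pct == 100 and sub_policy in ENFORCING
    return enforcing, findings


if __name__ == "__main__":
    for domain, record in RECORDS.items():
        ok, notes = assess_dmarc(record)
        print(f"{domain:18} enforcing={ok}")
        for note in notes:
            print(f"    - {note}")
```

Run it against the output of `dig TXT _dmarc.yourdomain` once you have confirmed your legitimate senders pass SPF or DKIM with alignment; moving to p=reject before that breaks your own mail, which is why the post says enforcement and not just “publish a record”.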
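For item 6, here is an added example (not from the original post) of the detection logic, run over a handful of constructed mailbox audit events: it flags inbox rules that forward externally, key on finance or credential words, or hide mail in rarely-read folders; mailbox-level forwarding to outside domains; and OAuth consent grants with mail scopes. The JSON event shape, the operation names, and the scope strings are simplified assumptions loosely modeled on cloud mailbox audit logs, not any vendor's exact schema, so adapt the field names to your tenant's export.

```python
"""Triage mailbox audit events for the tells listed in item 6.

Added example, not from the original post. SAMPLE_LOG is constructed; the
event format (operation/user/params) is an assumption, not a vendor schema.
"""
import json

# Constructed sample audit log, one JSON event per line.
SAMPLE_LOG = """
{"operation": "New-InboxRule", "user": "cfo@corp.example", "params": {"Name": ".", "SubjectContainsWords": ["invoice", "wire"], "MoveToFolder": "RSS Feeds", "MarkAsRead": true}}
{"operation": "Set-Mailbox", "user": "ap@corp.example", "params": {"ForwardingSmtpAddress": "smtp:billing.corp-example@gmail.example", "DeliverToMailboxAndForward": true}}
{"operation": "Consent to application.", "user": "hr@corp.example", "params": {"AppDisplayName": "Mail Sync Helper", "Scopes": "Mail.ReadWrite offline_access"}}
{"operation": "New-InboxRule", "user": "it@corp.example", "params": {"Name": "Newsletters", "FromAddressContainsWords": ["noreply"], "MoveToFolder": "Newsletters"}}
{"operation": "UserLoggedIn", "user": "cfo@corp.example", "params": {}}
"""

INTERNAL_DOMAINS = {"corp.example"}  # assumption: your own mail domains
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "remit", "password", "mfa"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
HIGH_RISK_SCOPES = {"mail.readwrite", "mail.send", "mailboxsettings.readwrite",
                    "files.readwrite.all", "offline_access"}


def _as_list(value):
    """Audit exports vary between a string and a list for the same field."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_external(address):
    """True when the address's domain is not one of ours ('smtp:' prefix tolerated)."""
    addr = address.lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def triage_event(event):
    """Return a list of (severity, reason) findings for one audit event."""
    op = event.get("operation", "")
    p = event.get("params", {})
    findings = []

    if op in ("New-InboxRule", "Set-InboxRule"):
        targets = [t for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
                   for t in _as_list(p.get(key))]
        if any(is_external(t) for t in targets):
            findings.append(("high", "inbox rule forwards mail to an external address"))
        words = {w.lower() for key in ("SubjectContainsWords", "BodyContainsWords")
                 for w in _as_list(p.get(key))}
        if words & FINANCE_WORDS:
            findings.append(("high", f"inbox rule keys on finance/credential words: {sorted(words & FINANCE_WORDS)}"))
        if p.get("DeleteMessage") or str(p.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
            findings.append(("medium", "inbox rule hides matching mail (delete or move to a rarely-read folder)"))
        if len(str(p.get("Name", ""))) <= 2:
            findings.append(("low", "inbox rule has a throwaway name"))

    elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
        if is_external(p["ForwardingSmtpAddress"]):
            findings.append(("high", "mailbox-level forwarding to an external address"))

    elif op == "Consent to application.":
        scopes = {s.lower() for s in str(p.get("Scopes", "")).split()}
        risky = scopes & HIGH_RISK_SCOPES
        if risky:
            findings.append(("high", f"user consented to OAuth app '{p.get('AppDisplayName')}' with {sorted(risky)}"))

    return findings


def triage_log(text):
    """Run triage_event over every JSON line and flatten the findings into alerts."""
    alerts = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        for severity, reason in triage_event(event):
            alerts.append({"user": event.get("user"), "operation": event.get("operation"),
                           "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in triage_log(SAMPLE_LOG):
        print(f"[{a['severity'].upper():6}] {a['user']:20} {a['operation']:24} {a['reason']}")
```

The fourth event (a benign “Newsletters” rule) produces nothing, which is the point: the rules key on behaviour that only makes sense to an attacker (hiding finance mail, exfiltrating to a personal domain, persistent mail scopes), not on rule creation itself.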
Initial access is becoming a precision sales funnel. Your defenses need the same level of intent.
#cybersecurity #security #AISecurity #socialengineering #phishing #CISO #founders