
The attack was already inside. Training bought 30 seconds. Those 30 seconds bought everything.
Have you ever wondered why the smartest people in the room are the ones getting fooled?
Not the new hire who skipped onboarding. Not the distracted intern. The managing partner. The senior attorney. The executive who built the company from scratch. The person whose judgment everyone trusts. That person. Clicking. Falling. Losing.
And here is what nobody is saying about that: it is not a stupidity problem. It is a systems problem. And right now, most organizations are treating it like it is someone else's problem entirely.
Let me tell you what is actually happening out there.
Enjoy the full discussion here and let us know your feedback.
Social engineering is the art of manipulating people into doing things they would not otherwise do. It is not a technical hack. There is no sophisticated code. No elaborate zero-day exploit. Zero-day means a vulnerability nobody knows about yet. Social engineering skips all of that. It just talks to a human being. It creates urgency. It creates trust. And then it takes what it wants. And according to every major breach report covering the last several years, it is the number one way attackers get inside organizations. Not through the firewall. Through the inbox.
Dr. John Just with KnowBe4 has spent his career at the intersection of learning and security. Doctorate in Instructional Technology. Former Chief Information Officer for Pinellas County Schools, one of the largest school districts in Florida. Former senior executive at a healthcare software company. Now Chief Learning Officer at KnowBe4, the premier security awareness training and email security platform serving around 70,000 organizations across the globe. Millions of learners. Thirty-five languages. A mission driven directly from the top by a CEO who spent his career in the Secret Service protecting people before pivoting to protecting organizations.
When John talks about why training works, he does not reach for abstract theory. He reaches for stories. Real ones. With dollar amounts.
A True Crime Story
Here is one.
A law firm is in the middle of a settlement negotiation. The settlement is roughly a million dollars. Standard legal work. Emails going back and forth. Attorneys on both sides. Nobody panicking. Just business. What nobody in that firm knew was that an attacker had already gotten inside. Into the email system. Quietly. Watching every message. Reading every thread. Waiting for exactly the right moment to step in and redirect that money somewhere it was never supposed to go.
This is called a business email compromise attack. Business email compromise, or BEC, is when an attacker gets access to a legitimate email account or impersonates one so convincingly that the people on the other end believe they are talking to who they think they are talking to. The FBI has tracked billions of dollars in losses to BEC attacks annually. Not millions. Billions. And the reason it works so consistently is because it exploits the one thing no firewall can filter: human trust.
The attacker inside this law firm was patient. That is the detail people miss. These are not impulsive criminals. They are organized. Methodical. They operate with the patience and structure of any professional operation. They have roles. There are people who get in, people who monitor, people who execute the financial transfer, people who launder the proceeds. This is not one person in a hoodie. This is an organization. A criminal one. But an organization.
So the attacker waited. And then, when the settlement conversation was nearing completion, they introduced urgency. The tone of the emails shifted. The pressure went up. Move now. Transfer now. This needs to happen today. Classic playbook. Create a deadline. Shorten the decision window. Reduce the chance that anyone slows down to think.
Here is where this story starts to feel like it might be fine. The attorney on this side of the conversation had done security awareness training about thirty days earlier. KnowBefore training, specifically. And something in the back of her mind flagged. Not an alarm. A nudge. A few small things in those emails that felt slightly off. The urgency. The phrasing. The timing. She could not name exactly what was wrong. She just knew enough to pause.
So she picked up the phone.
That is all she did. She called the attorney on the other side instead of clicking or transferring or responding. One phone call.
The attorney on the other end of that call had been locked out of his own email all day. Could not get in. Had spent hours on the phone with his IT department trying to regain access. Somebody had changed his password. The attacker had been sending those urgent emails from inside his compromised account the whole time. He had no idea what was being sent in his name.
IT enabled MFA. Multi-factor authentication, which means that even if someone has your password, they need a second confirmation, usually a code sent to your phone, to actually get in. The attackers were locked out. The transfer never happened. One million dollars stayed where it was supposed to stay.
One phone call. Thirty days after training.
Now. You are thinking something right now. You are thinking your employees are already careful. You are thinking your IT team monitors this. You are thinking this is the kind of thing that happens to other organizations, not yours. That is the exact thought pattern John Just describes as the greatest obstacle he faces in this work. He calls it the stigma of getting tricked. Nobody believes it will be them. And that belief is not based on evidence. It is based on ego. And ego does not block email.
Here is what the data actually shows. When KnowBefore rolls out its simulated phishing platform at a new organization, the first round of tests reveals that around 30 percent of employees click on the fake phishing email. Phishing is when an attacker sends a deceptive email designed to trick someone into clicking a link, entering credentials, or taking an action that benefits the attacker. Thirty percent. Nearly one in three. In organizations that consider themselves reasonably protected. In some cases higher. That is not a small number. That is a significant fraction of your workforce, right now, today, likely to hand over credentials, wire money, or open a door that was supposed to stay closed.
After consistent training over less than a year, that number drops to around five percent. The platform tracks it. The data is empirical. Not a feeling. Not anecdotal. Measurable organizational behavior change over time.
But here is the part that changes the conversation entirely. Lowering that click rate matters. But it is not the only goal. And this is the part nobody is talking about.
The most important number is not how many people click. It is how many people report.
KnowBefore built a tool called the Phish Alert Button. It sits directly inside email clients like Outlook, visible from desktop and mobile. When an employee sees something suspicious, they press it. One click. The suspicious email gets flagged, routed to the security team, triaged, pulled from other inboxes if necessary, and investigated. Every employee becomes a sensor in the network. Not the weakest link. An active part of the defense.
The UK Government Communications Headquarters did a case study on an attack that was stopped specifically because employees used a reporting tool to alert their IT team. The IT team pulled the malicious email from inboxes across the organization and identified everyone who had already interacted with it before further damage occurred. The attack was contained. Not because of a firewall. Because people reported.
That is a fundamentally different model. It accepts that some percentage of people will always click. Humans under pressure make mistakes. The managing partner on his phone, reading quickly between meetings, will occasionally miss a red flag. That is not a character flaw. That is being human. The model that works does not demand perfection from every human. It builds a system where imperfection gets caught.
The platform also tracks what KnowBefore calls super clickers. A super clicker is an employee who fails simulated phishing tests repeatedly. Common assumption is that these are low performers, disengaged workers, maybe people who should not be trusted with anything sensitive. The data says something different. At law firms, John has seen the managing partners be the super clickers. At healthcare organizations, it is often senior administrators. The people who are most distracted. Most overwhelmed. Moving fastest. They are not gullible. They are busy. And busy people, on phones, scanning quickly, are exactly who attackers design these attacks for. Training has to account for that reality, not pretend it does not exist.
One More Thing
AI has now entered this attack chain. Attackers are using artificial intelligence to write phishing emails that are grammatically clean, contextually appropriate, and tonally convincing. The old tell of the poorly written email is mostly gone. The grammar is fine. The tone is professional. In some cases, AI is being used to clone voices for phone-based attacks and to personalize emails at scale using information scraped from LinkedIn and company websites. KnowBefore responded by deploying AI agents on the defensive side, using the same class of technology to monitor, detect, and respond at a speed no human team can match alone. Because if attackers get to use it, defenders need it too.
Seventy thousand organizations use this platform right now. From household brands to small nonprofits running on thin margins and good intentions. The pricing scales down for smaller organizations. This is not enterprise-only protection. A small business with twenty employees that pays for this platform and runs it consistently will have measurable, documented evidence that its people are getting better at identifying attacks. That is not a promise. That is what the data shows.
The one thing you can do this week, if you run or manage any organization that handles money or data, is this: find out your current phish-prone percentage. KnowBefore offers free tools to run that baseline assessment. You will get a number. That number will probably be higher than you expected. And then you will know exactly what you are working with. Because you cannot fix what you refuse to measure.
The attack is already patient enough to wait for you.
David Dean Mauro | Cyber Crime Junkies YouTube | VP of Strategic Growth, NetGain Technologies, LLC | CyberCrimeJunkies.com | Author, Moving Target Trilogy Book Series (Audiobooks too)
Be a moving target.
