Social engineering: how to recognise CEO fraud and vishing?
Not every attack arrives via email. Phone, SMS, LinkedIn message — modern social engineering uses every channel. Three patterns and how to counter them.
Phishing is email. Vishing is phone. Smishing is SMS. Social engineering is the umbrella term: manipulating people into doing something they normally wouldn't.

CEO fraud
"This is the CEO. Urgent — I need gift cards for a deal, €5,000, right now. Keep it quiet until tomorrow, PR moment." Always fake. Always.
Counter: process — vouchers/expenses above a threshold must go through approval via an official channel. No exceptions, no urgency.

Vishing CEO fraud
A phone call (which may use a deepfake voice by 2026). "This is [company]'s bank — we've spotted suspicious transactions, could you confirm your login details?" Banks never ask for this.
Counter: hang up, call back on the official number. Never give login credentials over the phone.

LinkedIn / help request
"I just joined [your company] — can you help me log in? My onboarding email never arrived." Could be a former employee or a competitor simply having a go.
Counter: verify through HR. Never help without verification.

Invoice fraud
"Your supplier has a new bank account number. Please transfer the outstanding invoice there." Usually sent from a spoofed address or, where the supplier itself has been compromised, from the supplier's actual mailbox.
Counter: always verify a change of bank account by phone, using a number you already have on file (not one taken from the email).

Training
See recognising phishing — but run simulations by phone and SMS too, not just email.

See also: security pillar.