Academy

Scams and Social Engineering experimental

Scams and Social Engineering Ontology, psychology, history and organisational defence against deception-based attacks. Prerequisite for VECTOR. Foundations: What Is a Scam? An Ontology of Deception. Builds the vocabulary the rest of the course reuses: scam, fraud, social engineering (SE), con, pretext, phishing, vishing, smishing, quishing, and business email compromise (BEC), placed on one taxonomy so later modules can be read as variations on a single deception grammar rather than unrelated incidents.. Explain the difference between a scam, a fraud, and a social engineering attack, and classify a given incident description onto the course taxonomy.. Draft a one-page ontology brief for a named organisation that maps its most likely deception channels (email, voice, SMS, in-person) onto the taxonomy.. Scam, fraud and social engineering: drawing the boundaries, The channel taxonomy: email, voice, SMS, physical, and hybrid, The actor taxonomy: opportunist, organised crime, and state-adjacent, Why an ontology matters operationally Module 0: Foundations: What Is a Scam? An Ontology of Deception Learning outcomes By the end of this module you will be able to explain the difference between a scam, a fraud, and a social engineering attack, and classify a given incident description onto this course's taxonomy. You will also be able to draft a one-page ontology brief for a named organisation that maps its most likely deception channels onto that same taxonomy. 1. Scam, fraud and social engineering: drawing the boundaries The three words scam, fraud, and social engineering (SE) are used almost interchangeably in everyday speech, and that looseness causes real problems once an organisation tries to build training, metrics, or incident reporting around them. This course fixes a precise grammar. Fraud is the legal wrong: an intentional deception made to secure an unfair or unlawful gain, a category that exists in statute and that a court can rule on. Scam is the colloquial umbrella for a deceptive scheme aimed at a victim, useful in everyday language but not a legal term of art. Social engineering is the technical umbrella that names the method: the manipulation of a person, rather than a machine, to obtain access, information, or funds. Under this grammar a single incident can be all three at once. A fraudulent wire transfer obtained by impersonating a chief executive officer (CEO) is a fraud in law, a scam in common usage, and a social engineering attack in technique. Keeping the three separate lets an organisation ask three different, useful questions about the same event: was it unlawful, was someone deceived, and what manipulation technique made the deception work. This course, and its Cyber Security Body of Knowledge (CyBOK) grounding, treats the third question, technique, as the analytical spine, because technique is what training and controls can actually change. CyBOK version 1.1 places this material primarily under two knowledge areas (KAs): Human Factors (HF), which covers usable security and the psychology of compliance, and Adversarial Behaviours (AB), which covers the taxonomy of attacker technique and criminal business models. This course sits at the intersection of the two, and later modules will draw explicitly on both. 2. The channel taxonomy: email, voice, SMS, physical and hybrid Once the scam, fraud, and social engineering distinction is fixed, the next useful cut is by channel: the medium through which the deception is delivered. Phishing denotes the email channel. Vishing, a portmanteau of voice and phishing, denotes the telephone channel, whether a live caller or, increasingly, a synthetic voice. Smishing denotes the short message service (SMS) or text-message channel. Quishing denotes deception delivered through a scanned Quick Response (QR) code, a channel that has grown rapidly since 2022 as QR codes became a normal part of restaurant menus, parking payments, and delivery notices. Pretexting is not itself a channel but a technique, the construction of a fabricated scenario or identity, that can be delivered over any of the channels above, or in person. This course cross-references the MITRE ATT&CK knowledge base, an industry-standard catalogue of adversary techniques already used elsewhere in the CCICCS curriculum by the SENTINEL course on cyber threat intelligence, so that a social engineering incident can be tagged with the same technique identifiers a threat intelligence analyst would use. The relevant top-level technique is T1566, Phishing, with sub-techniques including T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), and T1566.004 (Spearphishing Voice), the technical name for vishing. Learning this shared vocabulary now means that later modules, and the companion VECTOR course, can describe a detection or defence measure once and have it apply consistently regardless of which channel a given scam happened to use. 3. The actor taxonomy: opportunist, organised crime and state-adjacent A third useful cut classifies the actor rather than the technique or channel. Opportunist actors run high-volume, low-cost scams (mass phishing, romance scams, lottery scams) against whoever responds, with no specific victim in mind at the outset. Organised crime crews run targeted business email compromise (BEC) and vishing operations against specific companies, often after reconnaissance, because the expected payoff justifies the investment of time. State-adjacent access brokers use social engineering as one tool among several to gain an initial foothold for espionage or pre-positioning, and are typically the most patient and best resourced of the three categories. This actor taxonomy previews the Diamond Model style of analysis, covering adversary, infrastructure, capability, and victim, that Module 10 develops into a full analytical framework, and that the SENTINEL course teaches in depth for threat intelligence purposes generally. 4. Why an ontology matters operationally It would be reasonable to ask why a course on scams opens with definitions rather than a dramatic case study. The answer is that a shared vocabulary is a precondition for everything the rest of this course and its companion course, VECTOR, try to do. Without a fixed taxonomy, an organisation cannot compare this quarter's phishing click-rate to last quarter's, cannot say with confidence whether a rise in reported incidents reflects more attacks or better reporting, and cannot brief a board using consistent, defensible language. Cambridge Cyber International's Cyber Value at Risk (cVaR) concept, introduced properly in Module 10, depends on being able to classify an incident consistently before its financial impact can be quantified at all. The ontology built in this module, then, is not academic throat-clearing. It is the load-bearing wall the rest of the course, and any resulting board report, stands on. Related CCI capabilities Cambridge Cyber International's GCIDB 1834 dataset, whose mantra is "cyber incidents did not start with the internet," is the incident corpus this course draws its historical and modern case studies from in Modules 3 through 9, and is a natural next stop for a learner who wants to explore incidents beyond the ones covered here (Cambridge Cyber International 2026a). The One-Audit All-Frameworks Mapping concept, which underpins consistent evidence classification across regulatory frameworks, illustrates the same operational point this module closes on: a fixed taxonomy is what makes comparison and audit possible at all (Cambridge Cyber International 2026b). References Cambridge Cyber International (2026a). GCIDB 1834: Cyber incidents did not start with the internet. https://www.cambridgecyberinternational.com/en/products/gcidb-1834/ Cambridge Cyber International (2026b). One-Audit All-Frameworks Mapping. https://doi.org/10.5281/zenodo.20821217 MITRE ATT&CK (2026). Phishing, Technique T1566. https://attack.mitre.org/techniques/T1566/ Stajano, F. and Wilson, P. (2011). Understanding scam victims: seven principles for systems security. Communications of the ACM, 54(3), 70 to 75. https://doi.org/10.1145/1897852.1897872 The Psychology of Persuasion: Levers of Compliance. Introduces the compliance principles that make manipulation predictable rather than mysterious: authority, scarcity, social proof, liking, reciprocity, commitment and consistency, and unity, and connects each to a real scam mechanism used later in the case-study modules.. Describe each of Cialdini's principles of influence and give a scam example of each.. Analyse a transcript of a real or simulated social engineering attempt and tag every persuasion lever used, with justification.. Cialdini's six (plus one) principles of influence, Heuristics, biases and cognitive load, Emotional hijacking: fear, greed, romance and duty, Building a lever-tagging method for transcripts Module 1: The Psychology of Persuasion: Levers of Compliance Learning outcomes By the end of this module you will be able to describe each of Cialdini's principles of influence and give a scam example of each. You will also be able to analyse a transcript of a real or simulated social engineering attempt and tag every persuasion lever used, with justification. 1. Cialdini's six (plus one) principles of influence Robert Cialdini's research programme, summarised across four decades in Influence: Science and Practice and its expanded 2021 edition, identifies a small set of principles that reliably shift human decisions toward compliance, independent of the specific request being made (Cialdini 2021). Authority is the tendency to comply with instructions from a perceived expert or office holder, exploited whenever a scam impersonates a tax official, a police officer, or a chief executive officer (CEO). Scarcity is the tendency to value what appears limited or about to disappear, exploited by fake countdown timers and "last chance" framing. Social proof is the tendency to look to others' behaviour as a guide, exploited by fabricated reviews, fake queues, and claims that "everyone in your department has already done this." Liking is the tendency to comply more readily with people we find likeable or similar to ourselves, exploited by romance scams and by scammers who mirror a victim's own language and interests. Reciprocity is the tendency to feel obliged to return a favour, exploited by unsolicited small gifts or favours that precede a large request. Commitment and consistency is the tendency to honour a small prior commitment even as the stakes escalate, exploited by scams that start with a trivial request and grow it step by step. Unity, added in Cialdini's later work, is the tendency to comply more readily with those who share an identity we hold, exploited by scams that invoke shared nationality, religion, employer, or cause. None of these principles is exotic. Each is a generally adaptive shortcut for navigating everyday social life, which is exactly what makes it exploitable: a scam does not need to invent a new psychological weakness, only to stage a plausible trigger for an existing one. 2. Heuristics, biases and cognitive load Daniel Kahneman's distinction between System 1 and System 2 thinking, developed across a career in behavioural economics and popularised in Thinking, Fast and Slow, gives this module its second analytical tool (Kahneman 2011). System 1 is fast, automatic, and intuitive; System 2 is slow, effortful, and deliberate. Verification behaviour, checking a phone number against a directory, reading an email header carefully, pausing before a wire transfer, is System 2 work. Every one of Cialdini's levers, when deployed skilfully, functions in part by keeping a target operating in System 1: urgency compresses the time available for System 2 checking, authority discourages System 2 questioning of a superior, and social proof substitutes System 1 pattern-matching ("this looks like what everyone else is doing") for independent System 2 evaluation. Cognitive load matters here too. A target who is already busy, distracted, or emotionally activated has less System 2 capacity available even before a scam begins, which is why scams are disproportionately timed around quarter-end closes, public holidays, and known periods of organisational stress. 3. Emotional hijacking: fear, greed, romance and duty Four emotional registers recur across the case studies this course examines. Fear and duty to authority dominate CEO fraud and tax-authority impersonation, where the victim is made to feel that non-compliance carries immediate personal or professional consequence. Greed dominates lottery and investment scams, including the Ponzi scheme examined in Module 3, where the victim is offered a return that should trigger scepticism but instead triggers hope. Romance dominates long-running relationship scams, where liking and reciprocity compound over weeks or months of manufactured intimacy before a financial request is ever made. Duty, distinct from fear, dominates cases where a target complies not because they are afraid but because they believe complying is the responsible, helpful thing to do, which is precisely the register most help-desk vishing pretexts, examined in Module 8, are built to exploit. 4. Building a lever-tagging method for transcripts The competency outcome for this module asks you to tag every persuasion lever present in a transcript, with justification. The method taught here is deliberately minimal: for each sentence in the transcript, record the lever invoked, the exact sentence, and the mechanism, in one clause, by which that sentence exploits the lever. This three-part unit, lever, sentence, mechanism, is reused without modification in Module 10's full analytical framework, where it becomes one input alongside the ontology from Module 0 and the actor profile it introduces. Building the habit now, on short transcripts, is what makes the Module 10 synthesis tractable rather than overwhelming. Related CCI capabilities Cambridge Cyber International's GCIDB 1834 incident dataset supplies the primary-source transcripts and incident writeups this module's lab draws its lever-tagging exercises from, keeping the exercise grounded in documented incidents rather than invented dialogue (Cambridge Cyber International 2026). References Cambridge Cyber International (2026). GCIDB 1834: Cyber incidents did not start with the internet. https://www.cambridgecyberinternational.com/en/products/gcidb-1834/ Cialdini, R.B. (2021). Influence, New and Expanded: The Psychology of Persuasion. Harper Business. https://www.harpercollins.com/products/influence-new-and-expanded-robert-b-cialdini Kahneman, D. (2011). Thinking, Fast and Slow. Farrar, Straus and Giroux. https://us.macmillan.com/books/9780374533557/thinkingfastandslow The Psychology of the Victim: Why Competent People Comply. Uses Stajano and Wilson's seven principles of scam victimisation to explain why intelligence and expertise do not protect against scams, and separates victim-blaming framing from an evidence-based account of situational compliance.. Explain Stajano and Wilson's seven principles (distraction, social compliance, herd, dishonesty, deception, need and greed, time) and give a scam example of each.. Assess a training programme's framing for victim-blaming language and rewrite one passage to be situational rather than dispositional.. The seven principles of scam victimisation, Why expertise does not immunise, From blame to design: situational versus dispositional framing, Measuring susceptibility without shaming Module 2: The Psychology of the Victim: Why Competent People Comply Learning outcomes By the end of this module you will be able to explain Stajano and Wilson's seven principles of scam victimisation and give a scam example of each. You will also be able to assess a training programme's framing for victim-blaming language and rewrite one passage to be situational rather than dispositional. 1. The seven principles of scam victimisation Frank Stajano and Paul Wilson's 2011 paper in Communications of the ACM, "Understanding Scam Victims: Seven Principles for Systems Security," remains the single most cited academic treatment of why scams work on their victims, and this module builds directly on it (Stajano and Wilson 2011). The distraction principle holds that while a target's attention is deliberately diverted, their other senses become inattentive, exploited whenever a con involves two people, one engaging the mark while the other acts. The social compliance principle holds that society trains people not to challenge authority or perceived legitimacy, the same mechanism Module 1 calls the authority lever. The herd principle holds that a scheme appears safer when other people, real or apparently real, seem to be involved or to approve of it, exploited by fake customer testimonials and by scams staged to look like several independent people are vouching for the same claim. The dishonesty principle holds that victims who are themselves induced to act dishonestly, for example by agreeing to conceal a transaction, become less willing to report the scam once it unravels. The deception principle holds that things and people are not always what they seem, a general statement of the con artist's craft. The need and greed principle, sometimes rendered as the kindness principle, holds that a genuine desire or need, financial, romantic, or otherwise, is the lever a con artist locates and pulls. The time principle holds that when under time pressure to decide, people use a different decision strategy, one with much weaker verification, than when they have time to reflect. 2. Why expertise does not immunise A recurring and comfortable myth holds that security-literate, senior, or otherwise competent people do not fall for scams. The documented record contradicts this directly: finance directors, information technology (IT) security staff, and senior executives appear throughout the case studies in this course, including the business email compromise cases in Module 6 and the help-desk vishing cases in Module 8. This module argues that situational and workload factors, not raw intelligence or expertise, dominate individual susceptibility. A target under genuine time pressure, operating in an unfamiliar process, or facing a plausible authority figure will use the same fast, low-verification decision strategy Module 1 describes regardless of how much security training they have received, because the scam is engineered to suppress exactly the checking behaviour that training tries to install. 3. From blame to design: situational versus dispositional framing A dispositional explanation attributes an outcome to a stable trait of the person ("they were careless," "they should have known better"). A situational explanation attributes the same outcome to the pressures and design of the moment ("the request arrived during a genuinely busy period, through a channel that looked legitimate, with a time pressure that discouraged verification"). This module argues, following usable-security research published by the United States National Institute of Standards and Technology (NIST), that dispositional framing is not only less accurate but actively counterproductive: it discourages honest, prompt reporting of near-misses, which is precisely the data a security programme needs most, and it does nothing to change the situational factors that will produce the same compliance in the next employee facing the next scam (National Institute of Standards and Technology 2021). 4. Measuring susceptibility without shaming If dispositional blame is unproductive, an awareness programme still needs some way to know whether it is working. This module closes by introducing non-punitive metrics: reporting rate (the proportion of real or simulated phishing attempts that are reported, rather than simply not clicked), time-to-report, and near-miss capture, as alternatives to a simple click-rate that implicitly shames whoever clicked. These metrics preview Module 11's treatment of audience-differentiated teaching, where different roles will need different metrics to reflect their different exposure and time budget. Related CCI capabilities Cambridge Cyber International's Measurable Cyber Assurance concept, whose mantra is "computed, not opined," is the platform-level analogue of this module's argument: assurance, like susceptibility, should be measured by defensible, repeatable metrics rather than by impression or blame (Cambridge Cyber International 2026). References Cambridge Cyber International (2026). Measurable Cyber Assurance. https://www.cambridgecyberinternational.com/en/platform/ National Institute of Standards and Technology (2021). Phishing for User Context: Understanding the NIST Phish Scale. https://www.nist.gov/publications/phishing-user-context-understanding-nist-phish-scale Stajano, F. and Wilson, P. (2011). Understanding scam victims: seven principles for systems security. Communications of the ACM, 54(3), 70 to 75. https://doi.org/10.1145/1897852.1897872 A Brief History of the Con, Part I: Before the Wire. Traces confidence tricks from Victor Lustig's sale of the Eiffel Tower and the Ponzi scheme's namesake through to Frank Abagnale's cheque frauds, establishing that the psychological mechanics of Modules 1 and 2 long predate computers.. Describe at least three pre-digital confidence tricks and identify which persuasion levers each used.. Map a historical con onto the Module 0 ontology and Module 1 lever taxonomy in a short written brief.. Victor Lustig and the sale of the Eiffel Tower (1925), Charles Ponzi and the eponymous scheme (1920), Frank Abagnale and cheque fraud (1960s), What changed, and what did not, in the move to digital Module 3: A Brief History of the Con, Part I: Before the Wire Learning outcomes By the end of this module you will be able to describe at least three pre-digital confidence tricks and identify which persuasion levers each used. You will also be able to map a historical con onto the Module 0 ontology and Module 1 lever taxonomy in a short written brief. 1. Victor Lustig and the sale of the Eiffel Tower (1925) In 1925, the con artist Victor Lustig posed as a French government official and convinced a scrap-metal dealer that the Eiffel Tower had been condemned and was to be sold for scrap, with Lustig positioned as the official responsible for a discreet sale (Konnikova 2016). The scheme worked because Lustig combined the authority lever, a fabricated but plausible government office, with the scarcity lever, a one-time, confidential opportunity not open to competitors, and with a target selected for a specific vulnerability: a dealer eager to break into an elite circle of established industrial buyers. Remarkably, Lustig returned to Paris and ran the same scheme a second time on a different dealer, which illustrates a point this course returns to often: a working pretext is reused, not retired, once its mechanics are proven. 2. Charles Ponzi and the eponymous scheme (1920) Charles Ponzi's 1920 scheme promised investors a fifty per cent return within forty five days, ostensibly through arbitrage in international postal reply coupons, and paid early investors from the capital of later ones rather than from any genuine return (Zuckoff 2005). The scheme's persuasion mechanics combine social proof, early investors were paid promptly and became visible, vocal advocates, with greed, the promised return was implausible on reflection but attractive enough to suppress that reflection. The structural lesson, that a scheme paying old investors from new investors' capital must recruit exponentially or collapse, recurs under new branding roughly once a generation, most recently in cryptocurrency-denominated investment schemes, precisely because the underlying levers remain effective even when the specific asset class changes. 3. Frank Abagnale and cheque fraud (1960s) Frank Abagnale's cheque frauds and impersonations of an airline pilot, a physician, and a lawyer during the 1960s, later popularised in the memoir and film Catch Me If You Can, rested on a different mechanism: impersonation of high-authority professional roles that grant automatic deference and access without routine verification (Abagnale and Redding 1980). A uniformed pilot is waved through checks a member of the public would face; a physician's word is rarely challenged by administrative staff. This is the same social compliance principle Module 2 introduces through Stajano and Wilson's framework, applied here to institutional roles rather than individual authority figures, and it is the direct historical ancestor of the executive-impersonation pretexts examined in Module 6. 4. What changed, and what did not, in the move to digital Reading these three cases side by side against the ontology from Module 0 and the levers from Module 1 makes a claim available that is easy to state and easy to underestimate: the psychological core of a confidence trick, an authority or scarcity or social-proof trigger exploiting a genuine need, has not changed since Lustig, Ponzi, and Abagnale. What has changed is reach and speed. A pre-digital con required physical presence or a physical letter and could only ever target one victim, or a handful, per attempt. The digital channels catalogued in Module 0, email, voice, SMS, and QR code, let the same psychological mechanism be delivered to millions of targets simultaneously at near-zero marginal cost, which is the single most important fact this course asks you to carry from history into the modern case studies of Modules 5 through 9. Related CCI capabilities Cambridge Cyber International's GCIDB 1834 dataset extends its incident corpus back before the digital era specifically to support the kind of long-horizon historical comparison this module makes, rather than treating 2011 as the effective start of the record (Cambridge Cyber International 2026). References Abagnale, F.W. and Redding, S. (1980). Catch Me If You Can. Grosset and Dunlap. Cambridge Cyber International (2026). GCIDB 1834: Cyber incidents did not start with the internet. https://www.cambridgecyberinternational.com/en/products/gcidb-1834/ Konnikova, M. (2016). The Confidence Game: Why We Fall for It Every Time. Viking. https://www.penguinrandomhouse.com/books/219898/the-confidence-game-by-maria-konnikova/ Zuckoff, M. (2005). Ponzi's Scheme: The True Story of a Financial Legend. Random House. https://www.penguinrandomhouse.com/books/294630/ponzis-scheme-by-mitchell-zuckoff/ A Brief History of Social Engineering, Part II: Phreaking to Mitnick. Covers the computer-era origin of social engineering as a named discipline: phone phreaking, John Draper ('Captain Crunch'), and Kevin Mitnick's pretexting career, closing the historical arc that Module 3 opened.. Describe the transition from phone phreaking to computer-era social engineering and name at least two of Mitnick's documented pretexting techniques.. Distinguish, with justification, which of Mitnick's techniques would and would not succeed against a modern organisation with call-back verification in place.. Phone phreaking and the 2600 Hz tone, Kevin Mitnick's pretexting career, The Art of Deception as a teaching text, From Mitnick to the modern help desk Module 4: A Brief History of Social Engineering, Part II: Phreaking to Mitnick Learning outcomes By the end of this module you will be able to describe the transition from phone phreaking to computer-era social engineering and name at least two of Kevin Mitnick's documented pretexting techniques. You will also be able to distinguish, with justification, which of Mitnick's techniques would and would not succeed against a modern organisation with call-back verification in place. 1. Phone phreaking and the 2600 Hz tone Before social engineering had a name, it had a subculture. Phone phreaking, documented in detail in Phil Lapsley's Exploding the Phone, exploited the fact that the mid-twentieth-century American telephone network used in-band signalling: control tones travelled down the same line as the voice call itself (Lapsley 2013). A tone at 2600 hertz (Hz), the frequency of a toy whistle once famously given away in a breakfast cereal box, could tell a switch that a call had ended and free the line for a new, unbilled connection. John Draper, who took the nickname Captain Crunch from that cereal, became the most publicised figure of this subculture. Phreaking is included in this course's history not because it is social engineering in the strict sense, it exploited a technical signalling weakness more than a human one, but because its subculture, its ethos of understanding a system well enough to talk your way around its rules, fed directly into the earliest computer-intrusion culture from which modern social engineering as a named discipline emerged. 2. Kevin Mitnick's pretexting career Kevin Mitnick's activities through the 1980s and 1990s, against telecommunications carriers and technology companies, are the best documented pretexting career in the field, not least because Mitnick later wrote about his own methods at length. Two techniques recur across his own accounts. First, impersonating internal information technology (IT) staff, calling an employee, using the internal jargon and organisational chart details gathered from an earlier, apparently unrelated call, and requesting a password reset or remote access "to fix an urgent problem." Second, the incremental build of legitimacy across multiple calls to different people within the same organisation, each call gathering a small piece of information (an employee's name, a system's internal nickname, a manager's typical working hours) that made the next call more convincing, a technique that anticipates the reconnaissance-then-request pattern examined again in Module 8. 3. The Art of Deception as a teaching text Mitnick and William Simon's 2002 book, The Art of Deception: Controlling the Human Element of Security, deserves to be read in this course as the first mainstream, first-person social engineering training manual, not merely as a memoir (Mitnick and Simon 2002). Read across its case narratives, a single repeatable pattern emerges: pretext (establish a plausible reason for the contact), rapport (build trust quickly, often through shared jargon or a claimed shared acquaintance), request (make the actual ask, usually smaller than it could be, to avoid triggering suspicion), and exit (end the contact before the target has time to verify independently). This four-step pattern is a useful diagnostic: any transcript that can be cleanly segmented into pretext, rapport, request, and exit is very likely a social engineering attempt, regardless of channel or era. 4. From Mitnick to the modern help desk The pretext-rapport-request-exit pattern is not a historical curiosity. It reappears, essentially unchanged, in the 2022 and 2023 help-desk vishing cases examined in Module 8, where attackers call a support desk, establish rapport by referencing real internal details gathered from reconnaissance, request a password or multi-factor authentication (MFA) reset, and exit before the target organisation can complete verification. The single most important modern control against this pattern is one Mitnick himself has since advocated in his post-conviction consulting career: mandatory call-back verification, calling the requester back on a number drawn from a pre-registered directory rather than any number the caller supplies, before acting on any request involving credentials or access. Related CCI capabilities Cambridge Cyber International's GCIDB 1834 dataset includes documented pretexting-era incidents alongside its modern case load, letting a learner trace the pretext-rapport-request-exit pattern across six decades in primary-source material rather than in summary form alone (Cambridge Cyber International 2026). References Cambridge Cyber International (2026). GCIDB 1834: Cyber incidents did not start with the internet. https://www.cambridgecyberinternational.com/en/products/gcidb-1834/ Lapsley, P. (2013). Exploding the Phone: The Untold Story of the Teenagers and Outlaws who Hacked Ma Bell. Grove Press. https://groveatlantic.com/book/exploding-the-phone/ Mitnick, K.D. and Simon, W.L. (2002). The Art of Deception: Controlling the Human Element of Security. Wiley. https://www.wiley.com/en-us/The+Art+of+Deception:+Controlling+the+Human+Element+of+Security-p-9780471237129 Case Study: The 2011 RSA SecurID Breach. Dissects the spear-phishing email carrying an Excel attachment with an embedded Flash zero-day that led to the compromise of RSA's SecurID seed database, using the Module 10 framework in embryonic form.. Describe the sequence of events in the 2011 RSA breach from the phishing email to seed-database compromise.. Identify which single control point, had it existed, would most plausibly have broken the attack chain, with justification.. The pretext: '2011 Recruitment Plan', From macro to zero-day to backdoor, From foothold to SecurID seed exfiltration, Lessons for attachment handling and segmentation Module 5: Case Study: The 2011 RSA SecurID Breach Learning outcomes By the end of this module you will be able to describe the sequence of events in the 2011 RSA breach, from the phishing email to the compromise of the SecurID seed database. You will also be able to identify which single control point, had it existed, would most plausibly have broken the attack chain, with justification. 1. The pretext: "2011 Recruitment Plan" In March 2011, employees of RSA, the security division of EMC and the maker of the widely deployed SecurID two-factor authentication token, received an email with the subject line "2011 Recruitment Plan" carrying an attached spreadsheet (Threatpost 2011). The email was unremarkable enough, and targeted narrowly enough, that at least one recipient opened the attachment despite the message having been automatically routed to a junk folder. RSA's own public account of the breach, published by Uri Rivner under the title "Anatomy of an Attack," is unusually candid for a vendor describing its own compromise, and this module draws on it directly because first-person breach disclosures of this quality remain rare (Rivner 2011). 2. From macro to zero-day to backdoor The spreadsheet attachment carried an embedded Adobe Flash object exploiting a then-unknown, or zero-day, vulnerability. Opening the file triggered the exploit silently, installing a variant of a remote access tool that gave the attacker a persistent foothold on the employee's workstation with no further action, and critically no further suspicious email, required from the victim. This is a materially different attack shape from the courier-fraud or cheque-fraud pretexts examined in Modules 3 and 6: the human decision that mattered, opening one attachment, happened once, after which the rest of the intrusion proceeded through purely technical means. 3. From foothold to SecurID seed exfiltration From the initial foothold, the attacker moved laterally through RSA's network, escalating privileges and locating systems associated with the SecurID product line, eventually exfiltrating data associated with the token seed values used to generate one-time codes for RSA's customers. Because SecurID tokens were deployed by defence contractors, financial institutions, and government agencies specifically to provide strong two-factor authentication, the compromise of seed material had a downstream blast radius far beyond RSA itself: several defence contractors were subsequently targeted using authentication material derived from the stolen seeds, and RSA ultimately replaced tokens for a large share of its customer base. 4. Lessons for attachment handling and segmentation Read against this course's emerging framework, the RSA case illustrates a lesson that recurs across nearly every technical case study: the human decision a social engineering pretext needs is often small, one click, one opened file, and does not need to be repeated for the resulting compromise to become severe, because everything after that single decision is a technical, not a human, problem. This argues for controls that do not depend on the human decision being perfect. Attachment sandboxing or detonation, opening a suspicious attachment automatically in an isolated environment before it reaches a user, would have identified the exploit without depending on any user's judgement. Network segmentation and least privilege would have limited how far a single compromised workstation could reach even after the exploit succeeded. Faster patching of the underlying Flash vulnerability, once it became known elsewhere, would have closed the same door pre-emptively. Module 10's analytical framework returns to this case explicitly as the clearest available example of why outcome-focused analysis, asking which control point would have interrupted the chain, is more useful than simply narrating what happened. Related CCI capabilities Cambridge Cyber International's GCIDB 1834 dataset includes the RSA case in its incident corpus with source citations matching those used in this lesson, and is the recommended next stop for a learner who wants the full technical writeup rather than this module's summary (Cambridge Cyber International 2026). References Cambridge Cyber International (2026). GCIDB 1834: Cyber incidents did not start with the internet. https://www.cambridgecyberinternational.com/en/products/gcidb-1834/ Rivner, U. (2011). Anatomy of an Attack. RSA Speaking of Security blog, April 1, 2011. https://community.rsa.com/t5/rsa-securid-blog/anatomy-of-an-attack/ba-p/542073 Threatpost (2011). RSA SecurID Attack Was Phishing Via an Excel Spreadsheet. https://threatpost.com/rsa-securid-attack-was-phishing-excel-spreadsheet-040111/75099/ Case Study: Business Email Compromise, Ubiquiti and Toyota Boshoku. Compares two large business email compromise (BEC) frauds, Ubiquiti Networks (2015, 46.7 million United States dollars) and Toyota Boshoku (2019, approximately 37 million United States dollars), to extract a repeatable BEC pattern targeting finance and treasury staff.. Describe the sequence of impersonation and urgency used in both the Ubiquiti and Toyota Boshoku frauds.. Design a payment-verification control (a callback or dual-approval step) that would have interrupted either fraud, and justify the design against operational friction.. The Ubiquiti Networks fraud (2015), The Toyota Boshoku fraud (2019), The repeatable BEC pattern, Why treasury and finance staff are the preferred target Module 6: Case Study: Business Email Compromise, Ubiquiti and Toyota Boshoku Learning outcomes By the end of this module you will be able to describe the sequence of impersonation and urgency used in both the Ubiquiti and Toyota Boshoku frauds. You will also be able to design a payment-verification control, a callback or dual-approval step, that would have interrupted either fraud, and justify the design against operational friction. 1. The Ubiquiti Networks fraud (2015) In 2015, the networking equipment manufacturer Ubiquiti Networks disclosed that it had lost approximately 46.7 million United States dollars to what it described as employee impersonation fraud, reported in detail by security journalist Brian Krebs (Krebs 2015). Attackers impersonated senior company executives and, in some accounts, outside legal counsel, instructing finance staff in a subsidiary to execute a series of wire transfers to accounts controlled by the attackers, framed as a confidential acquisition requiring unusual speed and discretion. The fraud was not detected until after multiple transfers had been completed, though the company later recovered a portion of the funds through law enforcement cooperation. 2. The Toyota Boshoku fraud (2019) In 2019, Toyota Boshoku Corporation, a supplier within the Toyota Group, disclosed a loss of approximately 37 million United States dollars to a business email compromise (BEC) fraud in which attackers impersonated a business partner to alter payment account details for a legitimate, expected transaction. This case matters alongside Ubiquiti precisely because the impersonated party was not an internal executive but an external supply-chain relationship, demonstrating that BEC's reach extends wherever a payment relationship and a plausible pretext for urgency can be constructed, not only within a single company's internal hierarchy. 3. The repeatable BEC pattern Read together, the two cases yield a pattern documented at scale by the United States Federal Bureau of Investigation's Internet Crime Complaint Center, whose most recent public service announcement puts cumulative global BEC losses at approximately 43 billion United States dollars since the technique was first tracked (Federal Bureau of Investigation, Internet Crime Complaint Center 2024). The pattern has four steps: impersonate a trusted party, whether an internal executive, outside counsel, or an external supplier; invoke urgency and confidentiality to discourage the target from raising the request with colleagues; request a change to payment instructions or an unscheduled transfer; and exploit the absence of a verified callback, so that the only checks performed are checks against information the attacker themselves supplied. 4. Why treasury and finance staff are the preferred target BEC targets treasury and finance staff specifically, and disproportionately, because these roles combine two properties no other role in an organisation combines: the authority to move money, and a professional culture that trains them to be responsive to executive urgency rather than to question it. A pretext that would fail against a receptionist, who has no ability to authorise a payment regardless of how convincing the caller is, succeeds against a treasury manager precisely because the treasury manager can act on the request, and is professionally conditioned to do so quickly when asked by someone who appears to hold authority. Module 11 returns to this observation directly when it designs training specifically for the treasury audience. Related CCI capabilities Cambridge Cyber International's Cyber Value at Risk (cVaR) concept, whose mantra is "risk registers rank; cVaR prices," is the natural tool for stating the exposure a BEC-style fraud represents in the same currency terms a treasury manager already thinks in, rather than as a qualitative risk rating (Cambridge Cyber International 2026). References Cambridge Cyber International (2026). Cyber Value at Risk (cVaR). https://www.cambridgecyberinternational.com/en/products/cvar/ Federal Bureau of Investigation, Internet Crime Complaint Center (2024). Business Email Compromise: The 43 Billion Dollar Scam. Public Service Announcement. https://www.ic3.gov/PSA/2024/PSA240911 Krebs, B. (2015). Tech Firm Ubiquiti Suffers $46M Cyberheist. Krebs on Security, August 6, 2015. https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/ Case Study: The 2020 Twitter Bitcoin Hijack and the Rise of Vishing. Examines the July 2020 Twitter (now X) account hijacking, in which attackers vished Twitter employees to obtain internal tool access and hijacked high-profile verified accounts to run a Bitcoin scam, as documented in the New York State Department of Financial Services report.. Describe how vishing was used to obtain credentials and internal tool access in the 2020 Twitter hijacking.. Assess the New York Department of Financial Services report's recommended controls against this course's lever taxonomy from Module 1.. The attack sequence, The Bitcoin scam payload, The regulator's findings, Vishing as a 2020s inflection point Module 7: Case Study: The 2020 Twitter Bitcoin Hijack and the Rise of Vishing Learning outcomes By the end of this module you will be able to describe how vishing was used to obtain credentials and internal tool access in the 2020 Twitter hijacking. You will also be able to assess the New York State Department of Financial Services report's recommended controls against this course's lever taxonomy from Module 1. 1. The attack sequence In July 2020, attackers gained access to Twitter's internal administrative tools by telephoning employees and posing as internal information technology (IT) staff experiencing a technical problem, a vishing (voice phishing) pretext catalogued in Module 0 under MITRE ATT&CK sub-technique T1566.004, Spearphishing Voice. The New York State Department of Financial Services subsequently published a formal investigation report, an unusually detailed regulatory account of a social engineering incident, which forms the primary source for this module (New York State Department of Financial Services 2020). Having obtained employee credentials through the vishing pretext, the attackers used Twitter's internal account-management tooling to take over a large number of high-profile, verified accounts. 2. The Bitcoin scam payload The hijacked accounts, including those of prominent public figures, companies, and cryptocurrency exchanges, were used to post a cryptocurrency doubling scam: a message promising that any Bitcoin sent to a specified wallet address would be returned doubled, a scarcity and social-proof pretext made suddenly plausible by appearing to come from an account the victim already trusted. Public reporting indicates the scam netted attackers over 100,000 United States dollars in the roughly two hours before Twitter suspended the affected accounts and regained control. 3. The regulator's findings The Department of Financial Services report's most significant finding, for this course's purposes, is not the vishing pretext itself but what it exposed once it succeeded. The report identified excessive administrative tool privileges, insufficient segregation of duties, and inadequate monitoring of internal tool usage as contributing root causes, meaning that a single successful vishing call against a single employee was sufficient to take over accounts the employee in question had no ordinary business reason to touch. This is the same pattern already observed in the RSA case in Module 5: the human decision needed was small and singular, and everything that followed was enabled by technical permissiveness rather than by any further social engineering. 4. Vishing as a 2020s inflection point This incident is widely regarded, including within the regulatory report itself, as a turning point in how large technology platforms treat voice-channel social engineering: a risk that had previously been discussed mainly in relation to call centres and telecommunications carriers was, after mid-2020, treated as a top-tier risk to any organisation with internal administrative tooling reachable by a phone call. That reassessment set the stage directly for the help-desk vishing incidents examined in Module 8, which show the same fundamental pretext, succeeding again two and three years later against different organisations. Related CCI capabilities Cambridge Cyber International's VOLTAIC INTELLIGENCE dataset, whose mantra is "every shock the electron ever carried," profiles adversary infrastructure and behaviour patterns of the kind documented in the Department of Financial Services report, and is the relevant capability for an analyst who wants to extend this case study into infrastructure-level threat intelligence (Cambridge Cyber International 2026). References Cambridge Cyber International (2026). VOLTAIC INTELLIGENCE. https://www.cambridgecyberinternational.com/en/products/voltaic-intelligence/ MITRE ATT&CK (2026). Phishing: Spearphishing Voice, Sub-technique T1566.004. https://attack.mitre.org/techniques/T1566/004/ New York State Department of Financial Services (2020). Twitter Investigation Report. https://www.dfs.ny.gov/Twitter_Report Case Study: MFA Fatigue and Help-Desk Vishing, 2022 to 2023. Examines the 2022 Uber breach (multi-factor authentication (MFA) push-notification fatigue combined with a Slack-based social engineering follow-up, attributed to Lapsus$-linked actors) and the September 2023 MGM Resorts and Caesars Entertainment breaches (help-desk vishing attributed to the group tracked as Scattered Spider).. Describe how MFA fatigue and help-desk vishing were used as initial access techniques in the Uber, MGM Resorts and Caesars incidents.. Design a help-desk identity-verification procedure that would resist both pretext types, and justify each step.. MFA fatigue: the Uber breach (2022), Help-desk vishing: MGM Resorts and Caesars Entertainment (2023), The shared pattern: exhaust, then ask a human, Designing help-desk verification that resists both Module 8: Case Study: MFA Fatigue and Help-Desk Vishing, 2022 to 2023 Learning outcomes By the end of this module you will be able to describe how multi-factor authentication (MFA) fatigue and help-desk vishing were used as initial access techniques in the Uber, MGM Resorts and Caesars Entertainment incidents. You will also be able to design a help-desk identity-verification procedure that resists both pretext types, and justify each step. 1. MFA fatigue: the Uber breach (2022) In September 2022, Uber disclosed a breach that began when an external party, having obtained a contractor's corporate password, likely through a prior credential-theft campaign, repeatedly triggered MFA push notifications to the contractor's phone (Bleeping Computer 2022). MFA fatigue, sometimes called MFA bombing, exploits the fact that a push-based second factor asks a simple accept-or-deny question; enough repeated prompts, especially late at night or during a busy period, eventually produce one accidental or exasperated acceptance. Once one prompt was accepted, the attacker, subsequently linked by Uber to the Lapsus$ extortion group and operating under the alias TeaPots per Cambridge Cyber International's GCIDB 1834 incident record for this case, contacted the same contractor over the internal collaboration platform Slack, posing as Uber's information technology (IT) department, and used that fabricated authority to obtain further access, illustrating that MFA fatigue and vishing are frequently chained rather than used alone. 2. Help-desk vishing: MGM Resorts and Caesars Entertainment (2023) In September 2023, MGM Resorts International suffered an intrusion, widely attributed to the actor cluster tracked as Scattered Spider, that reportedly began when attackers, having identified a privileged information technology employee through reconnaissance on a professional networking site, called MGM's help desk impersonating that employee and talked a help-desk agent into resetting the employee's password and multi-factor authentication enrolment (Wikipedia contributors 2026). The ALPHV, also known as BlackCat, ransomware operation claimed responsibility for the resulting deployment, and the intrusion led to a multi-day operational outage affecting hotel and casino systems across MGM's properties, corroborated in Cambridge Cyber International's GCIDB 1834 incident record for this case. Caesars Entertainment disclosed a related intrusion around the same period, attributed by GCIDB 1834 and by multiple United States state attorney general breach notifications to the actor cluster tracked as Scattered Spider, also known as UNC3944 and 0ktapus, and reportedly paid a ransom rather than sustain a comparable operational outage; over a dozen independent state notifications confirm the Caesars breach specifically resulted from a social engineering attack on an outsourced information technology support vendor, matching this lesson's account exactly. Together, the two 2023 cases are among the most consequential help-desk vishing incidents on public record, precisely because the pretext used, a plausible employee identity plus a request that falls within a help-desk agent's normal job function, requires no technical exploit at all. 3. The shared pattern: exhaust, then ask a human Placed side by side, the Uber and MGM cases share a two-stage structure this module names exhaust, then ask a human. The first stage is either a technical nuisance, repeated MFA prompts, or an open-source reconnaissance step, identifying a specific privileged employee by name and role, that lowers the cost of the second stage. The second stage is a low-friction request to a human support function, a help-desk agent or a contractor, that is specifically trained and incentivised to be responsive and helpful under pressure, which is exactly the professional disposition the pretext weaponises. 4. Designing help-desk verification that resists both This module's competency outcome asks you to design a help-desk identity-verification procedure resisting both pretext types. The design taught here layers three independent checks, so that defeating any single one is insufficient: manager attestation, requiring a separate, out-of-band confirmation from the requester's manager before a privileged reset; callback verification, calling the requester back on a number drawn from a pre-registered directory rather than any number the caller supplies, directly reusing the control introduced in Module 4's discussion of Mitnick-era pretexting; and a mandatory cooling-off period for any reset request received outside standard working hours, when fatigue and reduced scrutiny are most likely on both sides of the call. This module's technical companion, VECTOR, develops detection engineering for the same failure mode, specifically rate-limiting and anomaly detection around MFA push notifications and help-desk reset volume, in its Module 7. Related CCI capabilities Cambridge Cyber International's CySSURANCE platform, whose mantra is "model it, compute it, govern it," is the natural home for codifying a help-desk verification procedure as a governed, auditable control rather than an informal practice that varies by shift (Cambridge Cyber International 2026). References Bleeping Computer (2022). Uber links breach to Lapsus$ group, blames contractor for hack. https://www.bleepingcomputer.com/news/security/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/ Cambridge Cyber International (2026). CySSURANCE. https://www.cambridgecyberinternational.com/en/platform/ Cambridge Cyber International (2026). GCIDB 1834: Cyber incidents did not start with the internet. https://www.cambridgecyberinternational.com/en/products/gcidb-1834/ Wikipedia contributors (2026). Scattered Spider. https://en.wikipedia.org/wiki/Scattered_Spider The Voice Channel in 2026: Robocalls, Predictive Dialers and AI Cold-Calling. Brings the historical arc into the present, examining how predictive dialing and AI voice-cloning cold-calling tools, built for legitimate sales and support use, are repurposed for scam calls at a scale and polish that outstrips 2011-to-2023 vishing, using the four sources supplied for this course's design brief.. Explain how predictive dialers and AI cold-calling platforms work and describe how each capability is repurposed offensively.. Assess a silent or unknown-number call pattern against the module's indicator checklist and recommend a response.. Silent calls are not random, Predictive dialing, then and now, AI cold-calling and voice cloning, The fake-recruiter vishing pattern Module 9: The Voice Channel in 2026: Robocalls, Predictive Dialers and AI Cold-Calling Learning outcomes By the end of this module you will be able to explain how predictive dialers and AI cold-calling platforms work and describe how each capability is repurposed offensively. You will also be able to assess a silent or unknown-number call pattern against this module's indicator checklist and recommend a response. 1. Silent calls are not random A call from an unknown number that connects and then immediately disconnects, with no voice on the line, is one of the most common and most misunderstood signals in modern telephone-based scam activity. As Bitdefender's consumer security research explains, this pattern is very rarely a genuine wrong number; it is far more often the signature of a predictive dialer confirming that a line is live before deciding whether to route it to a human agent at all (Bitdefender 2026). Recognising this pattern matters because it reframes what looks like a nuisance, a hang-up call, into a precursor signal worth logging, particularly for staff who will later receive a follow-up call built on the same reconnaissance. 2. Predictive dialing, then and now Predictive dialers are a legitimate call-centre technology, built to maximise the proportion of an agent's time spent talking to a live person rather than waiting through rings, voicemail greetings, and unanswered calls. As Retell AI's technical explainer describes, a predictive dialer achieves this by placing more outbound calls than there are available agents, on the statistical expectation that a predictable fraction will go unanswered, and dropping or silently disconnecting the calls that do connect once all agents are occupied (Retell AI 2026). This is precisely the mechanism that produces the silent-call signature described above: the call was real, the dialer was real, but no agent was free to take it at the moment a human answered. Legitimate telemarketing and debt-collection operations use predictive dialing under regulatory constraints on abandonment rates; scam operations use the identical technology with none of those constraints, at a scale a single scammer working a handset could never achieve alone. 3. AI cold-calling and voice cloning Where predictive dialing scales the number of calls, conversational artificial intelligence (AI) cold-calling platforms scale the quality and personalisation of each individual call. Synthflow's 2026 overview of the AI cold-calling market describes platforms built for legitimate sales outreach that can hold a fluent, context-aware conversation, adjust their script based on the callee's responses, and operate around the clock without agent fatigue (Synthflow 2026). Every one of these legitimate capabilities is directly repurposable for scam calls: a synthetic voice cloned from a short public sample of a real executive's or family member's speech can deliver a pretext with a familiarity that a generic scam script could never achieve, escalating the authority and unity levers from Module 1 from merely plausible to apparently verified by the victim's own ears. 4. The fake-recruiter vishing pattern A well-documented and currently active pattern, described in a French-language consumer advisory from Annuaire Inverse, involves fraudulent calls impersonating recruiters, often referencing a real job posting or a real professional networking profile, that request personal data, bank details for an ostensible background check fee, or an upfront payment for training materials, under the plausible cover of a hiring process (Annuaire Inverse 2026). This pattern is worth including alongside the technology-focused sources above because it illustrates that the same voice-channel scale technologies are being applied to an entirely ordinary, low-suspicion pretext, a recruiter call, that most people have no institutional training to be sceptical of at all. Related CCI capabilities Cambridge Cyber International's VOLTAIC INTELLIGENCE dataset tracks adversary infrastructure, including telephony and calling-platform abuse patterns, of direct relevance to an analyst extending this module's indicator checklist into a monitored detection programme, a task this course's technical companion, VECTOR, develops fully in its Module 6 (Cambridge Cyber International 2026). References Annuaire Inverse (2026). Appel d'un faux recruteur: reperer l'arnaque au telephone. https://annuaireinverse.net/appel-dun-faux-recruteur-reperer-larnaque-au-telephone/ Bitdefender (2026). Got a Silent Call From an Unknown Number? It's Not Random, It's a Scam. Bitdefender Hot for Security blog. https://www.bitdefender.com/en-us/blog/hotforsecurity/silent-call-unknown-number-its-a-scam Cambridge Cyber International (2026). VOLTAIC INTELLIGENCE. https://www.cambridgecyberinternational.com/en/products/voltaic-intelligence/ Retell AI (2026). What Is Predictive Dialing and Does It Still Work in 2026? https://www.retellai.com/blog/what-is-predictive-dialing Synthflow (2026). AI Cold Calling: What It Is and How It Works in 2026. https://synthflow.ai/blog/ai-in-cold-calling A Framework for Dissecting Scams: Levers, Channels, Outcomes. Synthesises Modules 0 through 9 into one reusable analytical framework combining the ontology (Module 0), the lever taxonomy (Module 1), a Diamond-Model-style actor and infrastructure lens, and outcome quantification, so any new scam can be dissected the same way rather than treated as a one-off story.. Explain each stage of the levers-channels-outcomes framework and how it draws on Modules 0, 1 and the case studies.. Apply the framework to dissect a scam not covered elsewhere in the course, producing a one-page structured analysis.. Why a framework, not a list of stories, Stage one: ontology and channel, Stage two: levers and actor profile, Stage three: outcome quantification Module 10: A Framework for Dissecting Scams: Levers, Channels, Outcomes Learning outcomes By the end of this module you will be able to explain each stage of the levers-channels-outcomes framework and how it draws on Modules 0, 1 and the case studies. You will also be able to apply the framework to dissect a scam not covered elsewhere in the course, producing a one-page structured analysis. 1. Why a framework, not a list of stories Modules 3 through 9 taught eight case studies in enough depth to remember individually. That depth is valuable, but it is not, by itself, the point of the course. A learner who can recite the RSA breach or the Ubiquiti fraud in detail has not yet demonstrated the ability to analyse the ninth case they will actually encounter in their own organisation, the one no course could have anticipated. This module exists to make that transfer explicit by assembling a single, reusable framework out of components already introduced separately: the ontology and channel taxonomy from Module 0, the persuasion-lever tagging method from Module 1, an actor and infrastructure lens borrowed from cyber threat intelligence practice, and an outcome-quantification step that turns the analysis into something a board can act on. 2. Stage one: ontology and channel The first stage of the framework applies Module 0's taxonomy directly: classify the scam type (phishing, vishing, smishing, quishing, or a hybrid), the channel or channels involved, and, where applicable, the corresponding MITRE ATT&CK technique identifier, the same identifier scheme the CCICCS course SENTINEL teaches in full for cyber threat intelligence purposes. This stage produces a short, consistent header for the analysis that follows, the same header format used in every case study module in this course, so that a learner who has worked through Modules 5 through 9 has already completed this stage eight times before reaching this module. 3. Stage two: levers and actor profile The second stage applies Module 1's lever-tagging method, lever, sentence, mechanism, to every persuasion attempt visible in the incident, then profiles the likely actor using a lens adapted from the Diamond Model of intrusion analysis, developed by Caltagirone, Pendergast, and Betz for the threat intelligence community and taught in full within SENTINEL (Caltagirone, Pendergast and Betz 2013). The Diamond Model examines four axes: the adversary (who), the infrastructure (what technical or logistical resources they used), the capability (what technique or tooling they deployed), and the victim (who was targeted and why). Applying this lens to a scam, rather than only to a technical intrusion, is a deliberate methodological choice this course makes: it treats social engineering as a first-class object of threat intelligence analysis rather than as a soft, unanalysable prelude to the "real" technical attack. 4. Stage three: outcome quantification The third and final stage quantifies the incident's outcome, not as a qualitative severity rating but in the same currency terms a board or a treasury function already uses for every other risk on its agenda, following the approach behind Cambridge Cyber International's Cyber Value at Risk (cVaR) concept (Cambridge Cyber International 2026). This means estimating direct financial loss where one occurred, operational downtime cost where an outage resulted, and regulatory exposure where a reportable breach was triggered, and expressing all three on a comparable scale. This stage is what makes the framework's output usable in the boardroom conversations Module 11 goes on to design training for: a one-page analysis that states, in currency terms, what a given scam pattern would cost this specific organisation if it succeeded, is a fundamentally more persuasive input to a resourcing decision than a narrative case study alone, however compelling that narrative might be. Related CCI capabilities Cambridge Cyber International's Cyber Value at Risk (cVaR) concept, whose mantra is "risk registers rank; cVaR prices," is the direct capability behind this module's third stage, and the CCICCS course SENTINEL is the direct source for the Diamond Model lens used in the second stage for any learner who wants the full threat intelligence treatment (Cambridge Cyber International 2026). References Caltagirone, S., Pendergast, A. and Betz, C. (2013). The Diamond Model of Intrusion Analysis. Center for Cyber Intelligence Analysis and Threat Research. https://www.threatintel.academy/wp-content/uploads/2020/07/diamond_paper.pdf Cambridge Cyber International (2026). Cyber Value at Risk (cVaR). https://www.cambridgecyberinternational.com/en/products/cvar/ MITRE ATT&CK (2026). Phishing, Technique T1566. https://attack.mitre.org/techniques/T1566/ Teaching Different Audiences: CEOs, Treasury, Engineers and Receptionists. Closes the course by treating audience-differentiated delivery as a design problem in its own right: the same underlying framework must be taught differently to a chief executive officer (CEO), a treasury manager, an engineer, and a receptionist, because each faces a different pretext, a different time budget, and a different relationship to organisational authority.. Distinguish the pretext, time budget, and authority relationship that differentiate CEO, treasury, engineering, and reception audiences.. Design a 20-minute training session outline for one named audience, selecting content from Modules 0 through 10 and justifying every inclusion and omission.. The chief executive officer: whaling and board-level urgency, The treasury manager: BEC and payment-instruction fraud, The engineer: help-desk vishing and MFA fatigue, The receptionist: physical pretexting and tailgating Module 11: Teaching Different Audiences: CEOs, Treasury, Engineers and Receptionists Learning outcomes By the end of this module you will be able to distinguish the pretext, time budget, and authority relationship that differentiate chief executive officer (CEO), treasury, engineering, and reception audiences. You will also be able to design a twenty-minute training session outline for one named audience, selecting content from Modules 0 through 10 and justifying every inclusion and omission. 1. The chief executive officer: whaling and board-level urgency A CEO occupies an unusual dual position in this course's audience analysis: they are both a prime target of highly tailored phishing, commonly called whaling in reference to the size of the target, and, as Module 6 showed in the Ubiquiti and Toyota Boshoku cases, the identity most frequently impersonated to defraud someone else. Effective training for this audience must cover both directions in a format that respects a severe time budget: a fifteen-minute session, at most, focused on two or three concrete indicators (an unexpected request framed as urgent and confidential, a request to bypass a normal approval step) rather than a comprehensive tour of the course's full case-study library. 2. The treasury manager: BEC and payment-instruction fraud Treasury and finance training builds directly on Module 6's business email compromise (BEC) pattern, but should be delivered as a checklist integrated into existing payment-approval procedure documentation, rather than as a standalone awareness session, because this audience already works from procedures and will retain a checklist item embedded in a familiar document far better than a separate training memory. The single highest-value piece of content for this audience is the callback-and-dual-approval control introduced in Module 6: it is concrete, procedural, and directly actionable within an existing workflow. 3. The engineer: help-desk vishing and MFA fatigue Engineers and system administrators, who typically hold privileged access, are the direct targets of the multi-factor authentication (MFA) fatigue and help-desk vishing pretexts examined in Module 8, and training for this audience can and should go deeper technically than for any other group covered in this module: explaining the mechanics of push-notification fatigue, the reconnaissance sources attackers use (professional networking sites, prior breach data), and the specific verification procedure Module 8 designs, rather than a simplified version of the same content. This audience is also the natural bridge to the companion VECTOR course, which teaches the detection-engineering side of the same problem. 4. The receptionist: physical pretexting and tailgating Receptionists and front-of-house staff face a different pretext family entirely: an ostensible courier, a claimed contractor requesting building access, or a caller asking to be transferred as though the receptionist were an internal directory service, exploiting the physical and hybrid channels this course's ontology in Module 0 explicitly includes alongside the digital ones. This module observes, based on the training-coverage patterns documented in the European Union Agency for Cybersecurity's threat landscape reporting, that this audience typically receives markedly less formal security training than treasury or engineering staff, despite facing meaningful and recurring exposure, and this module treats that gap as itself a finding worth reporting to a board (European Union Agency for Cybersecurity 2025). The recommended format for this audience is short, frequent, scenario-based refreshers, five minutes at a shift changeover, rather than an annual session, matched to a role defined by constant interruption and little discretionary time. Related CCI capabilities Cambridge Cyber International's CISO as a Service offering, whose mantra is "one of them has sat where you sit," is a natural resource for an organisation that wants an experienced practitioner to design and roll out the audience-differentiated programme this module outlines rather than building it entirely in-house; the companion CCICCS course VECTOR is the recommended next step for the engineering audience specifically (Cambridge Cyber International 2026). References Cambridge Cyber International (2026). CISO as a Service. https://www.cambridgecyberinternational.com/en/services/ciso-as-a-service/ European Union Agency for Cybersecurity (2025). ENISA Threat Landscape 2025: Social Engineering. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025 Federal Bureau of Investigation, Internet Crime Complaint Center (2024). Business Email Compromise: The 43 Billion Dollar Scam. Public Service Announcement. https://www.ic3.gov/PSA/2024/PSA240911