Social Engineering Is Rewriting the Fraud Playbook
Training the Human Layer of Defense
📅 July 8 ,2026
📅 July 8 ,2026
In February 2024, an employee at British multinational design and engineering company Arup’s Hong Kong office logged into a video call with the firm’s UK-based CFO and a handful of familiar colleagues. The topic was a confidential transaction. He hesitated at first; something about it didn’t quite sit right. But everyone onscreen looked and sounded exactly like the people he worked with every day, so he went ahead. Over the next several days, he wired fifteen separate transfers to five local bank accounts. The total came to roughly $25.6 million.
Not one person on that call was real.
This case has become a cautionary tale and for good reason. It captures how far the ground has shifted. Fraud used to be a problem you solved with better systems. Increasingly, it’s a problem you solve with better-trained people.
For years, “social engineering” meant a poorly spelled email asking someone to verify their password. That’s not what institutions are up against anymore. Business email compromise attacks today often contain no malware and no malicious link at all, which means the email security tools institutions have invested millions in simply have nothing to flag. The attacker isn’t hacking a system, they’re impersonating a senior executive, and they’ve done their homework (e.g. the org chart, travel schedule, even identifying who’s new on the team and therefore less likely to question an unusual request).
Meanwhile, the person behind an “urgent” email has one objective: get the target to act before they think. Authority (“this is the CEO”), urgency (“the deal closes today”), and secrecy (“don’t mention this to anyone”) are deployed deliberately to short-circuit careful consideration that would typically be warranted with such a request.
Layer generative AI on top of that. Cloned voices, real-time deepfake video, chatbots that can hold a convincing conversation. The result is a class of attack that would have sounded like science fiction a decade ago. Deloitte estimates generative AI could push fraud losses in the US alone to $40 billion by 2027. That figure should be read as a floor, not a ceiling.
In case after case, the difference between a near-miss and a multi-million-dollar loss comes down to one variable: whether someone paused to verify. Not whether they were senior enough, technical enough, or naturally skeptical. Whether they paused. That is what effective training should be designed to produce: an automatic instinct to verify before acting, especially where money or sensitive data is involved.
While it’s best practice to ensure all employee training is updated regularly, it’s even more crucial for programs on the topic of fraud to ensure your staff are aware of the latest threats. To move beyond awareness, fraud training should be complemented by phishing tests, mock vishing calls, and scenarios tailored to the specific pressures different teams face. This needs to be underpinned by a no-blame reporting culture. The moment employees fear punishment for raising a false alarm, they stop raising alarms altogether, including the real ones.
These elements don’t replace technical controls, they complement them. Institutions that hold up best against emerging threats treat human judgment and automated detection as a single integrated system. And they continue investing in their human layer of defense year after year through training that incorporates real scenarios, regular practice, and a culture where people feel comfortable raising a hand when something looks off.
Fraud prevention isn’t just a control on paper. It depends on whether employees can recognize manipulation in the moment, whether it’s a deepfake video call, an urgent wire request, or a customer being coached through a scam.
IFI’s Foundations of Anti-Fraud course gives employees across the organization the practical knowledge to identify, escalate, and help prevent fraud before it causes harm. Through real-life case studies, red flag exercises, and emerging threat modules covering AI-enabled fraud, business email compromise, and authorized push payment schemes, the course builds the judgment that technology alone can’t provide. Paired with IFI’s broader library of role-based training across AML/CFT, sanctions, anti-bribery and corruption, and more, institutions can strengthen every line of defense, starting with their people.
This checklist explains why and shows what high-performing institutions are doing differently by connecting culture to behavior, modernizing training design, developing meaningful user experiences, and proving real effectiveness.
Inside the guide, you’ll find the key cultural shifts, design elements, and readiness questions every institution should review as they evaluate their training effectiveness.
✔ Actionable insights on cultural and strategic readiness
✔ Practical considerations for functional excellence in program design
✔ Built for CCOs and training leaders

The training industry has come a long way in terms of technology and tools available. However, employees report they suffer from training fatigue while organizations aren’t sure how to best measure results and ROI.
The reality is training requirements have risen over the years alongside an increasingly complex regulatory and threat landscape across global markets. Most compliance teams are overwhelmed and understaffed, resulting in the release of more training programs that check a box but don’t influence behavior. Rolled out broadly across organizations, they’re often off-the-shelf courses built for coverage and completion rates.
In this webinar, we walk through the best practices we follow to optimize training for effectiveness.










This site uses cookies. By continuing to browse the site, you are agreeing to our use of cookies.
Accept settingsHide notification onlySettingsWe may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.
If you do not want that we track your visit to our site you can disable tracking in your browser here:
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.
Google Webfont Settings:
Google Map Settings:
Google reCaptcha Settings:
Vimeo and Youtube video embeds:
You can read about our cookies and privacy settings in detail on our Privacy Policy Page.
Privacy Policy