In January 2024, a finance employee in the Hong Kong office of the engineering firm Arup received an email from the company's UK-based chief financial officer asking him to arrange a confidential transaction. He was suspicious. The request had the shape of the fraud every employee is trained to spot, and he did not act on it.
Then the attackers put him on a video call. The CFO was there. So were several colleagues he recognised. They looked and sounded exactly as they should, because the faces and voices on the call were deepfakes built from the executives' own public conference footage. The suspicion dissolved. Over a single day he authorised fifteen transfers totalling about 25 million US dollars to five Hong Kong accounts. The fraud surfaced only when he later raised the “secret transaction” with headquarters and was told no such meeting had taken place.
The interesting part of that case is not the deepfake technology. It is the gap between the moment the employee was suspicious and the moment he complied. Something happened in that gap, and the frameworks most organisations use to model attacks have no name for it.
What MITRE ATT&CK leaves out of social engineering
MITRE ATT&CK is the reference map for adversary behaviour, and it is very good at what it covers: the technical techniques an attacker uses once code is running or credentials are in hand. The Lockheed Martin Cyber Kill Chain serves a similar purpose. Both acknowledge that social engineering happens, then move on.
A 2025 paper in IEEE Access by Wojciech Nowakowski of Poland's NASK National Research Institute put a number on the omission. Of roughly 200 techniques in the MITRE ATT&CK Enterprise matrix, about six refer directly to social engineering. The trust-building stage that defeated the Arup employee — the part where an attacker turns initial contact into compliance — is absent from the matrix entirely.
Nowakowski's response is a framework that treats social engineering as a process rather than a single event, with its own six phases and its own catalogue of techniques for each. It is built the way ATT&CK is built, from real incident decomposition and red-team work, and it is meant to sit alongside ATT&CK rather than replace it. The six phases are worth walking through, because each one is a place where an organisation either has visibility or does not.
Phase 1: Reconnaissance
Every social engineering attack starts with information about the target. The attacker's goal here is a profile — enough detail to know who reports to whom, what an internal request normally looks like, and which person can be reached with which pretext.
Nowakowski breaks the sources into open-source intelligence (the searchable web), social media intelligence (LinkedIn org charts, Instagram travel patterns), data leaks (credentials and personal records from prior breaches), public records (company registries, property and vehicle filings), dumpster diving, and the dark web — the same market where corporate access and stolen data are bought and sold. Each feeds the same picture from a different angle. The CFO whose face appeared on the Arup call had appeared in online conferences and company videos; that footage was the raw material.
This is the phase where most organisations have the least visibility, and it is the phase that decides how precise everything downstream can be. The paper names the defence for it plainly: limiting online presence and the scope of information available about the organisation and its people. That is the same surface a digital footprint audit measures and reduces. An attacker working from a thin profile has to guess; an attacker working from a rich one writes a message the recipient has no reason to question.
Reconnaissance is the only phase that happens entirely outside your perimeter, on infrastructure you don't control. A Corporate Audit maps what an attacker can assemble about your executives and staff before any contact is made.
Phase 2: Preparation and weaponisation
With a profile in hand, the attacker builds the apparatus. That can mean a fabricated identity, fake email and social accounts to make that identity look lived-in, or access to a genuine account obtained through leaked credentials so that messages arrive from a trusted sender. It includes impersonation of a real person or brand, lookalike domains and typosquatting, sender-number spoofing for calls and texts, and, in the physical world, props and uniforms.
For the Arup attack, preparation meant generating convincing video and audio of named executives. The technique is new; the phase is old. An attacker assembling a fake delivery uniform and a forged ID badge in 1995 was doing the same work — building the materials that make a cover story hold.
Phase 3: Initial contact
This is the first interaction with the target, and the first test of the preparation. Email remains the most common channel because it is cheap, scalable, and now easily personalised at volume by language models. Voice and video calls cost the attacker more effort and carry more risk, but they buy something email cannot: real-time pressure that denies the target time to think. Text messages, social media, and in-person approaches each carry their own trade-offs between reach and credibility.
The Arup email was phase three. On its own it failed — the employee was suspicious, which is exactly what awareness training intends. Had the attack consisted only of that email, it would be a training success story.
Phase 4: Establishing rapport
This is the phase ATT&CK does not model, and the phase that decides most attacks. Once contact is made, the attacker works to build enough trust or urgency that the target performs the requested action. It is where the psychology lives: authority, urgency, the reluctance to challenge a senior colleague, the instinct to be helpful. Which of those levers works, and on whom, is its own body of evidence — we cover it in why people fall for phishing.
The Arup video call was rapport. Seeing and hearing the CFO and known colleagues did what the email could not. A person can hold a suspicious email at arm's length; it is far harder to distrust a meeting where familiar people are looking back at you and asking for something routine-sounding. The control that would have stopped the fraud — verifying the request through a separate, known channel — is a phase-four control. An organisation that models attacks only through ATT&CK has no slot to put that control in, because it has no representation of the phase the control defends.
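As an added example (not from the article or from Nowakowski's paper), here is the phase-four control expressed as a gate a payments workflow could enforce: a request is approved only after the employee initiates contact to a pre-registered number, on a channel other than the one the request arrived on. The directory entry, requester address and limit are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: who may authorise a transfer and the contact
# details registered for them in advance (hypothetical values, not real ones).
DIRECTORY = {
    "cfo@example-firm.test": {"callback": "+44 20 0000 0001", "limit_usd": 5_000_000},
}

@dataclass
class Verification:
    channel: str        # "phone", "video", "email", "in_person"
    initiated_by: str   # "employee" (callback) or "requester" (they reached out)
    contact_used: str   # the number or address the employee actually dialled

@dataclass
class PaymentRequest:
    requester: str
    amount_usd: float
    request_channel: str            # channel the instruction arrived on
    verification: Optional[Verification] = None

def evaluate(req: PaymentRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Approval requires a verification the
    employee started, to the pre-registered contact, on a different channel
    from the one that carried the request. A call the requester arranged
    (the Arup pattern) fails on the first two checks."""
    reasons: list[str] = []
    entry = DIRECTORY.get(req.requester)
    if entry is None:
        return False, ["requester not in payment directory"]
    if req.amount_usd > entry["limit_usd"]:
        reasons.append("amount exceeds requester's limit")
    v = req.verification
    if v is None:
        reasons.append("no out-of-band verification recorded")
    else:
        if v.initiated_by != "employee":
            reasons.append("verification was initiated by the requester, not by the employee")
        if v.contact_used != entry["callback"]:
            reasons.append("verification did not use the pre-registered contact")
        if v.channel == req.request_channel:
            reasons.append("verification used the same channel as the request")
    return (not reasons), reasons
```

The point of the gate is that the requester never gets to choose the verification channel; the employee's callback to a contact held on file is what converts the request into an approval.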
Phase 5: Exploitation
This is the action the whole process was for: the wire transfer, the credential entered into a façade page, the attachment opened, the door held. By the time exploitation occurs, the decisive work is already done. The fifteen Arup transfers were the easy part for the attacker, because the hard part — converting a suspicious employee into a compliant one — had already succeeded on the call.
Treating the click or the transfer as the attack is what leads organisations to concentrate defences at this single moment, where the human is already committed and the room for intervention is smallest.
Phase 6: Post-exploitation
After the action, the attacker either ends contact cleanly or uses the access to go further — exfiltrating data, establishing a foothold, or pivoting toward the next target. The process can loop: information gathered in a successful attack becomes reconnaissance for the next one. A compromised mailbox is both a prize and a tool for impersonating its owner against the next victim down the chain.
How the Arup deepfake attack used all six phases
The case reads as a clean run through the framework. Reconnaissance harvested public video and audio of the CFO and colleagues and mapped enough of the reporting structure to make a confidential-transaction request plausible. Preparation turned that footage into deepfakes and assembled the impersonation. Initial contact was the email. Rapport was the video call that converted doubt into trust. Exploitation was fifteen transfers in one day. Post-exploitation was the dispersal of 25 million dollars across five accounts before anyone at the real headquarters knew a meeting had supposedly occurred.
Map the same incident through ATT&CK and the most consequential step — the call — has no technique to attach to. The employee's initial suspicion shows the email defences worked. The loss shows that the phase after the email is where the organisation was undefended.
Why reconnaissance is the phase to defend
Most security programmes work on the wall. Awareness training, email filtering, and endpoint tools all harden the target at the point of contact — they make the employee harder to fool and the payload harder to land. That work matters, and the Arup employee's initial suspicion shows it pays off. The wall is only half the problem, though, and it is the half defended at the worst possible moment: phase five, when the human is already engaged and the room to intervene is smallest.
The other half is the attacker's ammunition. Every later phase is loaded from phase one. The impersonation, the timed request, the named colleagues, the deepfaked face — all of it is assembled from material gathered during reconnaissance. An attacker working from a thin profile has to guess and improvise; one working from a rich profile writes a message the recipient has no reason to question. Reducing what reconnaissance can collect depletes the arsenal the attacker brings to every later phase, and it does that before they ever reach the wall.
That material is not inside the perimeter. It sits in public data brokers, breach corpora, social platforms, and registries — outside the reach of internal tooling, which is why it is the most neglected phase and the one that does most to weaken the rest. It is the same blind spot that separates an organisation's threat surface from its attack surface, and the same identity layer that attack-surface management tools were never built to see. The same exposure reaches past the organisation to the people around its executives, which is its own attack path — covered in why social engineers target the family. Measuring what an adversary can learn about your people, and cutting it down, is the one defence that acts before contact is ever made.
If your defences concentrate on training and filtering while your executives' details, relationships, and credentials sit exposed in public sources, you are defending one phase and leaving the first one open. A Corporate Audit maps your reconnaissance exposure the way an attacker would.
Sources
- Nowakowski, W. “Social Engineering Analysis Framework: A Comprehensive Playbook for Human Hacking.” IEEE Access, vol. 13, pp. 18827–18849, 23 January 2025. DOI 10.1109/ACCESS.2025.3532999. Licensed CC BY-NC-ND 4.0.
- CNN Business, “Arup revealed as victim of $25 million deepfake scam involving Hong Kong employee,” 16 May 2024.
- Hong Kong Police Force public statements on the Arup case, February 2024.
- Verizon, 2025 Data Breach Investigations Report — human element present in 60% of breaches.