Most people picture social engineering as a clumsy phishing email: a bank warning with a misspelled URL, a sender nobody has heard of. The model is: send enough, and someone will click.
That describes the bottom of the market. The attacks that produce the largest losses are different: they are built on research, and they are launched at a specific moment.
The patience problem
A threat actor who has identified a high-value target (a CFO with wire-transfer authority, a legal partner with client trust accounts, a family office principal with significant liquid assets) does not attack on day one. They have assembled a picture: your name, role, employer, direct reports, the names of your accounts team. They know your assistant's name and the language you use in professional communications.
Even a complete picture is not enough to act on. What is missing is a moment.
A cold approach carries friction. The target is in normal operating mode, alert, routined, sceptical of the unusual. The attacker needs to find them at the point when their analytical, verification-capable cognition is occupied with something else.
Those moments are predictable. A 2025 longitudinal study examining over 13,000 simulated phishing events found susceptibility directly correlated with self-regulation capacity, which degrades under workload and emotional pressure. Tsauri's 2025 systematic review of 39 peer-reviewed studies found cognitive fatigue and emotional state among the five dominant patterns of victimisation: under high workload, people make errors they would not otherwise make. The attacker does not need to be more sophisticated; they need to arrive when those conditions apply. In most cases, what tells them when is public data.
What the footprint reveals
LinkedIn is the most extensively documented reconnaissance surface for social engineering, but its value extends beyond mapping organisational structure. Posting cadence and timing reveal working hours. A gap in activity following a company announcement signals disruption. A burst after a leadership change signals stress and adjustment.
Position changes carry particular weight. A departure or new appointment marks a transition period: trust has not yet been established, verification paths are uncertain, and the person involved is operating under elevated cognitive load. They are still learning who calls them with what kind of request, and they are not yet embedded in the informal security norms of the organisation. A pretext targeting this period finds the target at their most receptive.
A 2023 Mandiant advisory on UNC3944 (the group behind the MGM Resorts breach and the 2025 M&S attack) documented a specific tactic: out-of-office reply harvesting. The group sent emails to employees across target organisations not to deliver a payload, but to trigger auto-replies. An out-of-office message confirms the absence window, names the covering contact, and often provides a mobile number and the reason for absence. The absent employee cannot be easily reached to verify a credential reset request. The covering contact has less context. The attacker now has a confirmed timing window and a ready-made pretext. UNC3944's broader source list, from the same advisory: LinkedIn, SEC filings, investor relations pages, conference schedules, and speaker bios. An impersonation profile assembled from those sources takes under fifteen minutes to build.
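The out-of-office harvesting tactic described above leaves a footprint of its own: one external address collecting auto-replies from many different mailboxes within minutes. The block below is an added detection example, not code from the advisory or from the original article; the log line format, the corp.example internal domain, the sample traffic and the thresholds are all constructed assumptions.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain
AUTO_REPLY_MARKERS = ("automatic reply", "out of office", "autoreply")

# Constructed message-tracking log (not real data): timestamp direction sender recipient "subject".
# One external address probes three mailboxes seconds apart; the other is ordinary traffic.
SAMPLE_LOG = """\
2025-04-17T08:01:10Z in  vendor-ops@ext-example.net a.lee@corp.example "Invoice query"
2025-04-17T08:01:10Z out a.lee@corp.example vendor-ops@ext-example.net "Automatic reply: Invoice query"
2025-04-17T08:01:12Z in  vendor-ops@ext-example.net b.shah@corp.example "Invoice query"
2025-04-17T08:01:12Z out b.shah@corp.example vendor-ops@ext-example.net "Automatic reply: Invoice query"
2025-04-17T08:01:15Z in  vendor-ops@ext-example.net c.ruiz@corp.example "Invoice query"
2025-04-17T08:01:15Z out c.ruiz@corp.example vendor-ops@ext-example.net "Automatic reply: Invoice query"
2025-04-17T09:30:00Z in  partner@law-example.com e.kim@corp.example "Re: contract"
2025-04-17T09:30:01Z out e.kim@corp.example partner@law-example.com "Automatic reply: Re: contract"
"""

def parse_log(text):
    # Subjects are quoted, so shlex keeps them as one token despite spaces.
    records = []
    for line in filter(str.strip, text.splitlines()):
        ts, direction, sender, recipient, subject = shlex.split(line)
        records.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "direction": direction, "sender": sender.lower(),
                        "recipient": recipient.lower(), "subject": subject})
    return records

def is_auto_reply(subject):
    return any(m in subject.lower() for m in AUTO_REPLY_MARKERS)

def find_oof_harvesting(records, min_mailboxes=3, window=timedelta(hours=1)):
    """Map each external address to the internal mailboxes whose auto-replies it
    collected, if at least min_mailboxes distinct ones fall inside one window."""
    by_external = defaultdict(list)
    for r in records:
        if (r["direction"] == "out" and is_auto_reply(r["subject"])
                and not r["recipient"].endswith("@" + INTERNAL_DOMAIN)):
            by_external[r["recipient"]].append((r["ts"], r["sender"]))
    alerts = {}
    for ext, hits in sorted(by_external.items()):
        hits.sort()
        for start, _ in hits:  # sliding window anchored at each auto-reply
            boxes = {s for t, s in hits if start <= t <= start + window}
            if len(boxes) >= min_mailboxes:
                alerts[ext] = sorted(boxes)
                break
    return alerts
```

A hit is a reason to review the external address and to check what the triggered auto-replies disclosed (covering contact, mobile number, absence window), since that is the material the pretext is built from.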
The timing choices in those two incidents were not incidental. The MGM breach unfolded over a weekend in September 2023. The M&S breach was activated over Easter weekend 2025. Both represent a documented, deliberate choice of when to move, periods when staffing is reduced, oversight is lighter, and a help-desk call is least likely to be challenged.
Quarter-end and earnings windows operate on the same logic. Finance teams under deadline pressure process payment requests differently than they do mid-cycle. An M&A announcement creates a period of internal uncertainty, changed authorisation structures, and new payment instructions, each of which maps to a pretext an attacker can use. The FBI's IC3 2025 Annual Report recorded $3.046 billion in BEC losses from 24,768 complaints, an average of $123,000 per case, with incident data from that period pointing to business events and executive travel as primary timing vectors.
The life event layer
Professional signals follow a calendar. Life events are less structured but carry greater psychological weight.
A bereavement announcement, on LinkedIn or in a local newspaper that remains digitally indexed, positions the target precisely. The grieving person is managing high emotional load alongside normal responsibilities, dealing with institutions in ways that fall outside their routine, and receiving a volume of unfamiliar communications. A fake debt collection call, a bank account verification request, or an estate administration notice carries credibility in that context it would not have in a normal week.
AARP and the Identity Management Institute have documented the consumer-facing version of this extensively: criminals harvest death notices for survivor names, relationships, addresses, and associated financial institutions, then make contact while the family is still in the immediate aftermath of loss. At the corporate level, an executive who has publicly announced a bereavement has also announced a period of reduced cognitive capacity. The real situation provides the pretext.
Birth announcements and new parent out-of-office replies mark a different window: disrupted sleep, fragmented attention, the cognitive pattern of someone managing competing urgent demands. A relocation post signals transition, new home, unfamiliar services, changed bank details, administrative backlog. A job departure post signals the specific period when access is being revoked and credentials handed over. Each event type carries its own susceptibility profile, and in most cases the event is publicly announced.
Trusona's analysis of Scattered Spider's target selection found that 95% of executive profiles on data broker sites contain information about family members and colleagues. The professional and life event layers draw from the same pool.
If you want to see what a reconnaissance effort like this returns about you — the work rhythm signals, the life event records, the absence data — a Mirror investigation maps the exposure before someone else does.
Why training reaches its limit here
The standard organisational response to social engineering is training: teach people to recognise manipulation, run phishing simulations, build awareness. Those measures have real value against generic, untimed, mass-delivery attacks. Against the timed, contextual approach described here, they reach a structural limit.
Security training works when people have the cognitive capacity to apply it. A CFO at quarter-close, processing a payment request that references correct account details, arrives with a plausible pretext, and comes from what appears to be a known counterparty, is not failing because they lack training. They are failing because the attacker chose the moment when that training cannot fire. Tsauri's review found that social engineering attacks “do not occur randomly, but rather often follow a systematic and planned manipulative scheme.” The reconnaissance is what makes that planning possible.
What a timing model looks like
A patient threat actor building a timing profile draws from the following:
Work rhythm signals: LinkedIn post cadence and active hours; conference speaker listings and schedules; earnings announcement dates; board meeting calendars disclosed in governance documents; NIS2 and SEC reporting windows; audit cycle disclosures.
Absence signals: Out-of-office autoreplies triggered by reconnaissance emails; conference check-ins; LinkedIn geographic updates; travel posts on personal social accounts; hotel rewards programme data, which has appeared repeatedly in breach corpora and contains granular travel history.
Transition signals: Job changes and leadership announcements; organisational restructuring disclosures; management change entries in company filings; new board appointments.
Life event signals: Bereavement announcements in LinkedIn posts and local news; birth and family announcements; relocation posts; property transfer records, which are public in many jurisdictions; court records including financial proceedings.
Each category comes from open-source collection.
The reduction argument
If the attacker cannot determine that you are travelling, the travelling-executive pretext loses its credibility signal. If your life events are not publicly indexed, the grief window is not legible. If your professional stress periods are not visible from public signals, the timing advantage goes with them.
The intervention is footprint reduction, limiting the data available to construct a timing model. An attacker without access to your work rhythm, your absence calendar, and your life event signals is working without the instrument that converts a generic social engineering attempt into a precisely timed attack. The data that makes you findable is the same data that makes you schedulable.