A sophisticated deepfake operation may cost a criminal gang no more than $10,000, and often considerably less. Free tools, greater AI power, and a worldwide shortage of cybersecurity professionals raise the risk of an attack succeeding.
Cases such as the $35 million fraud targeting a Japanese company in 2020 or the $25 million theft from Arup in 2024 expose poor verification procedures and organisational preparedness. These conditions create vulnerabilities to social engineering attacks, for example phishing (where scammers send fraudulent communications, including attempts at ‘business email compromise’ or BEC).
FBI guidance on preventing BEC fraud warns that attacks are more likely when employees have not been trained in verification, organisations permit a weak anti-fraud culture, and there is an absence of escalation procedures. The FBI recommends organisations train staff to recognise a spoof email, verify payment requests, and use secondary confirmation channels.
Researchers at Carnegie Mellon (2009) found that anti-phishing training effectively cuts the chances of an attack succeeding. The study noted that “participants in the 18-25 age group were consistently more vulnerable to phishing attacks.”
Trainees are more likely to retain information through social learning – participating with a facilitator and other people in Q&A sessions, group exercises, and feedback and practice. This is active learning, which is a better bet than passive learning – for example e-learning or a lecture (without follow-up sessions), both of which might include a few questions at most, or none of the above.
When trainees have tuned out and are disengaged, they are unlikely to retain useful information, certainly not for any useful length of time.
Developing habits such as pausing before clicking, questioning the origin of an email, and challenging unusual requests involves more than passively sitting through a video. Learning a behavioural response requires developing new mental architecture. Two things help with this:
In 2018, cybersecurity experts at Michigan State University found that people were less likely to click on risky email links when given advice from an expert. Stories and personal examples (rather than facts) also led to lower click rates, especially when given by peers rather than experts.
Learning with other people succeeds for many reasons including the way we manage cognitive load – the demands imposed on working memory during learning. Well-structured group learning can help manage cognitive load, particularly when supported by techniques such as peer instruction.
Effective learning requires a dose of emotional impact. This helps to concentrate the mind, for example when hearing the consequences of mistakes, answering questions in front of peers, or practising under pressure. Engaged learning protects organisations from attack, particularly when later reinforced with additional sessions or messaging.
For information on training sessions specifically tackling cybercrime, talk to us about our Psychological Self-Defence programme. We’re Working Voices, and we’re ready to help: wvpsd.com