Here is how the new generation of social engineering is bypassing one of the world’s premier security awareness platforms. Terranova’s simulations excel at teaching users to scrutinize sender addresses, check for misspellings, and hover over links. Attackers have responded with compromised internal accounts .
Instead of sending a phishing email, they send a Teams message, a Slack DM, a LinkedIn InMail, or even a voicemail (vishing). They know that many organizations’ security awareness training is email-centric. By shifting to collaboration tools or phone calls, the attacker exploits a training gap. The user has been conditioned to suspect strange emails but has no framework for the urgent SMS from “IT Support” asking for their MFA code. This channel outflank renders the entire email simulation library irrelevant. A core tenet of Terranova training is: Don’t click links in unsolicited emails. Attackers now craft lures with no links at all . outflank terranova security
Instead, the email says: “Please reply to this message to confirm your approval for invoice #4421.” The user replies. The attacker then engages in a conversational, low-and-slow confidence scam, eventually extracting credentials or payment details via a clean, manually typed URL. Because there was no initial malicious link, the simulation never happened. The attacker didn’t need to trick the click; they tricked the conversation. Perhaps the most elegant outflank of Terranova’s desktop-focused training is the rise of QR code phishing . Here is how the new generation of social
In a positive-reinforcement environment, users are less afraid of making mistakes. They are encouraged to report, not to fear. Attackers exploit this by creating highly urgent, emotional lures (e.g., "Your payroll has been canceled—click here to fix"). The user, knowing that clicking a simulation won't get them fired, clicks without a second thought. In a high-trust, low-fear culture, the attacker’s job becomes easier, not harder. Outflanking is not defeat; it is a call to evolve. Terranova Security has begun integrating adaptive, AI-driven simulations that include voice, SMS, and QR code scenarios. But organizations relying solely on the legacy method are exposed. Instead of sending a phishing email, they send
When a C-suite executive’s legitimate email account is hijacked via token theft (not a password phish), the resulting malicious email comes from a known, trusted sender. It passes the "Terranova test." No spoofed domain, no odd grammar—just a real email from a real boss asking for an urgent gift card purchase or wire transfer. The training never triggers because the user did everything correctly. The flank succeeded because the trust was legitimate, not simulated. Terranova’s core metric is the email click rate. Attackers have simply moved the battlefield.