Socially engineered attacks are becoming the go-to method for sophisticated threat groups. In June, UNC3944, also known as Scattered Spider, pivoted from attacking major retailers to targeting insurance providers. And recent alerts from Check Point and the FBI confirm the group is extending its social engineering campaigns into aviation and enterprise sectors.
Shared indicators include phishing domain names mimicking login portals (e.g. victimname-sso.com) and voice phishing via caller impersonation. These tactics signal the group’s increasing sophistication and opportunistic scope. The group is using fake email threads, MFA fatigue, and helpdesk impersonation to gain access.
These tactics work because they exploit how people and teams operate. A missed verification, a delayed escalation, or a moment of trust can open the door.
When attackers count on speed and confusion, response plans that look good on paper often fall apart in practice. The question isn’t whether your team has a plan. It’s whether your plan can hold up to socially engineered attacks.
What If You’re the Last to Know?
An employee at a company received an email that looked like it came from their president. She replied. That reply triggered an automatic withdrawal. The attackers were in.
But it wasn’t the company that noticed. It was their bank.
Carson & SAINT was brought in as part of the incident response. Our team was tasked with identifying how the attacker got in, understanding how far the breach went, and determining what went undetected.
It was a socially engineered attack. One that blended in with normal communications until real money was on the move. The attackers had been inside for a while, learning about the president’s email habits and tone. That is how they gained enough of the employee’s trust to get a response.
A moment of trust is how all socially engineered attacks start. A missed verification. A routine response. And a response plan that hasn’t been tested recently or doesn’t spell out how communication should happen when every second counts.
If your team is caught off guard, the damage can happen fast.
When Plans Aren’t Practiced, They Don’t Work
A documented response plan is only the beginning. Without practice, teams often hesitate, lines of responsibility blur, and communication breaks down when a breach happens.
Socially engineered attacks, like those initiated by UNC3944, thrive on uncertainty. One confused response or a handoff that never happens can expand the opening that the attacker has already found.
Check Point researchers have identified hundreds of active phishing domains tied to Scattered Spider targeting login portals across technology, aviation, retail, financial services, manufacturing, medical technology, and more. This infrastructure is actively used to bypass authentication and exploit trusting workflows.
According to the 2025 Verizon Data Breach Investigations Report, 60 percent of breaches involve a human element such as error, miscommunication, or manipulation. IBM’s 2024 Cost of a Data Breach Report confirms the impact. Organizations with weak cross-functional coordination face higher breach costs and longer recoveries.
Unless your plan has been tested in the last year, it may not reflect how your team actually works today.
Testing your response plan at least once a year gives your team the practice to perform well when a breach occurs.
When plans are untested, teams are unprepared. And when a socially engineered attack hits, hesitation is the enemy. You can’t afford to guess or be confused about who’s supposed to act next or what the next step should be.
A well-tested incident response plan is your best defense when attackers strike.
Don’t Wait for a Wake-Up Call
It doesn’t take a complex attack to create chaos. One reply to a fake email, one missed check, or one unclear handoff can be enough.
That’s why Carson & SAINT helps organizations test their incident response plans. With experience supporting insurance providers, financial institutions, retailers, and federal agencies, we know what it takes to move fast across roles and departments in the heat of an incident.
We offer:
- Incident Response Plan Testing
Annual reviews and simulation-based testing verify that your plans, responsibilities, and escalation paths actually work when it counts.
- Penetration Testing
Our pentests go beyond technical exploits to include socially engineered attack scenarios, like phishing and spoofed email threads. These can be delivered through our VRM platform or as part of a broader engagement.
- Risk-Driven Advisory
We connect system vulnerabilities to business risk so your leadership can make faster, smarter security decisions.
- Email Social Engineering Testing
With SAINT VRM, you can simulate targeted email attacks to uncover user vulnerabilities and test response procedures.
Don’t wait until a breach forces the test. Let’s make sure your plan holds up before attackers put it to the test.