For a long time, email was the center of gravity for social engineering defense.
In fact, organizations built entire security programs around it. Phishing simulations, DMARC enforcement, link-scanning tools and layers of filtering that defined how risk was managed.
And for a while, that approach worked. Email was where attackers lived, and the industry responded accordingly.
But the threat terrain has shifted. Attackers have moved on, quietly and quickly.
And recent data makes this impossible to ignore.
Nearly 60% of breaches now involve a human element, yet fewer than a third start in email. The IBM Cost of a Data Breach Report 2025 found that the average breach has climbed to $4.4 million, with social engineering among the fastest-growing root causes. And according to Forbes Tech Council, impersonation-enabled scams have more than doubled year-over-year.
The threat has outpaced the defenses. And your inbox is no longer the only way in.
The modern attack surface has shifted
Today’s attackers understand how people work.
Teams are collaborating across Slack, Teams, Zoom, email, SMS, WhatsApp and internal ticketing systems – often simultaneously. Trust signals get stretched thin across all of them.
And attackers exploit exactly that.
Such as:
- A message in Teams that looks like a colleague asking for help.
- A Zoom call where someone says their camera “isn’t working today.”
- A Slack DM from a manager requesting a quick credential reset.
- A phone call claiming to be from IT, with a voice that sounds close enough.
None of these look like traditional phishing. There’s no suspicious link or malicious attachment. These interactions succeed because they feel normal.
The surface area has expanded far beyond email, and attackers have adapted their methods accordingly. DBIR highlights that third-party and supply-chain-related breaches now account for 30% of incidents and many of those initial points of contact occur in collaboration tools, not inboxes.
As organizations embrace hybrid work and digital collaboration, trust has become the new vulnerability. And it’s no longer a channel reserved for defenders in the SOC. Every employee, from finance to HR to the help desk becomes the first line of defense. Attackers don’t wait for the blue teams. They impersonate the people your teams already trust.
Why traditional defences don’t see it
Legacy defenses were built for a different era. They were designed to detect malicious content such as dangerous links, harmful code, unusual payloads or suspicious attachments.
But modern impersonation doesn’t rely on any of that.
Attackers no longer show up as suspicious strangers. They present themselves as real people inside your organisation, often sounding exactly like them. It doesn’t take sophisticated AI to make the impersonation believable. Just enough knowledge to feel familiar.
This is also why impersonation thrives in voice, video, and chat.
These channels exist outside traditional detection systems and don’t produce the kind of artifacts that filters can scan.
When attackers do choose to use AI, the barrier is low. A few seconds of speech can be enough to create a convincing mimic.
But the more important point is this: they don’t always need AI.
The impersonation already bypasses old defenses because there is nothing obviously malicious to flag.
Which means that the problem isn’t simply the message, but the identity behind it.
Trust is the real target
At its core, modern social engineering is a trust problem.
Attackers study how organizations communicate. They mimic tone, timing, emoji habits, message length, and informal language patterns. They align their requests with cultural norms, such as “quick question?”, “can you jump on a call?”, “are you at your desk?”
These micro-signals trigger familiarity. And familiarity opens doors. It’s a performance, designed to look and feel like a legitimate interaction.
The goal isn’t to prove someone is definitively who they say they are, as that’s an impossible standard in distributed digital work.
The real goal is to determine whether the person in this specific interaction shows signs of risk, concealment, inconsistency or impersonation.
If attackers are targeting trust, then defenders must protect trust – not just content.
From phishing detection to real-time risk analysis
Email-based phishing detection is built around the question of whether a message is dangerous.
But today’s environment means we need to be asking, is this conversation trustworthy?
This requires moving from content filtering to real-time identity assurance, an approach centered on the signals surrounding a live interaction.
imper.ai focuses on analyzing the digital and behavioral signals that are difficult for attackers to fully control, such as:
- Device fingerprint
Does the device match known patterns for this person, team, or environment? - Network diagnostics
Does the connection, network behaviour or location show signs of risk? - Behavioural metrics
Are there inconsistencies in how the person is communicating, interacting or presenting themselves?
Together, these signals form a real-time view of whether an interaction should be paused, escalated or allowed to continue.
Importantly, this is done in a privacy-first, frictionless way. Which means no intrusive scanning, biometrics or interruption to how people collaborate.
It comes down to clearer signals in the moments when trust is stretched thin. If trust is the target, then detecting impersonation risk in real time must be the defence.
Rethinking where the budget goes
Security budgets still reflect an older threat model, one where email is the dominant source of risk. But the data tells a different story.
DBIR shows that email now represents less than one-third of human-initiated breaches. Meanwhile, PhishingBox and other industry analyses have tracked a sharp rise in multi-channel impersonation, particularly through collaboration tools and voice-based attacks.
Which means that CISOs are facing unavoidable questions such as, are we defending the channels attackers are actually using?
And the truth is, most organizations aren’t. Investment still flows disproportionately toward email protections, while the actual risk has shifted to voice, video, chat and cross-channel interactions.
To stay ahead, organizations need to protect the conversations they’re having.
imper.ai’s positioning reflects this future with proactive, real-time identity assurance that spans the channels where work – and trust – now happen.
The bottom line?
Attackers have shifted their focus from inboxes to interactions.
They exploit human trust across every channel, blending into the steady flow of everyday communication.
Defending against this new reality requires recognizing that trust itself has become the new attack surface.
imper.ai brings prevention to the first moment of contact. By analyzing the digital and behavioral signals that reveal impersonation risk, we help organizations protect the conversations they’re having.
Because the question is no longer “Did the email look suspicious?”
It’s “Can I trust this conversation?”
And with imper.ai, organizations can answer that with clarity.
