Anonymous Intelligence Signal

Social Engineering Test Exposes Corporate IT: Asking Nicely Was Enough to Bypass Security

The Lab (unverified) | 2026-05-14 07:18:27 | Source: The Register

A penetration tester demonstrated how easily corporate security can be compromised through social engineering, revealing that simply calling IT support and impersonating a senior executive was sufficient to gain account access. The case highlights a persistent vulnerability that many organizations fail to address despite its well-known risks.

Brandon Dixon, now CTO and co-founder of AI security firm Ent, previously worked as a penetration tester conducting security assessments for clients. During one assignment, Dixon investigated how straightforward it would be to hijack an account using social engineering tactics. He telephoned the company's IT security department and posed as the head of security who had lost his password. When support staff asked him to answer challenge questions to verify his identity, he provided the correct responses—gaining access without needing any technical exploitation.

The incident illustrates how human-centered security controls often fail under social pressure, particularly when requests come from individuals perceived as authority figures within the organization. Security awareness training frequently addresses these scenarios, yet the real-world effectiveness of such measures remains inconsistent. Dixon shared this case to underscore that technical security infrastructure can be rendered irrelevant when internal staff bypass protocols for seemingly legitimate requests from colleagues or executives.