Frameworks

Over the course of sending more than 150 lookalike emails to world leaders, CEOs, and intelligence officials, I developed three frameworks to explain why social engineering works and how organisations can defend against it. These aren’t abstract theories — they come directly from watching real people fall for real attacks, and from the conversations I had with security teams trying to understand what went wrong.

Inbox Hypnotism

Inbox Hypnotism describes the trance-like state people enter when processing email. When you’re working through your inbox, you’re not thinking critically about each message — you’re pattern-matching, skimming, and responding on autopilot. Attackers exploit this by crafting messages that fit seamlessly into the flow of normal communication. The email looks right, the tone feels right, and the request seems reasonable, so you comply without stopping to question it. Traditional security awareness training tells people to “think before you click,” but Inbox Hypnotism explains why that advice fails: the whole point of the trance is that you don’t realise you’re in it. The framework maps the specific environmental and psychological triggers that create this state, and identifies intervention points where organisations can break the cycle before damage is done.

Ask&Do

Ask&Do is a model for understanding the behavioural mechanics of social engineering. Every successful attack follows the same basic structure: the attacker asks the target to do something, and the target does it. But what makes the “ask” effective isn’t the technical sophistication of the email — it’s the behavioural triggers embedded in the request. Authority, urgency, social proof, reciprocity, and contextual fit all work together to make the target feel that compliance is the natural, expected response. Ask&Do breaks down these triggers into a practical taxonomy that security teams can use to analyse real attacks, design better training, and build detection systems that look for behavioural patterns rather than just technical indicators.
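One way to turn the Ask&Do taxonomy into detection logic, combined with the lookalike-sender pattern described in the introduction. This is an added example written for this page, not the author's own tooling; the cue phrases, the trusted domain and the two sample messages are constructed for the demonstration, and a real deployment would tune the cue lists and thresholds to its own mail flow.

```python
import re

# Ask&Do trigger taxonomy from the page; the cue phrases under each
# category are constructed for this example, not a published lexicon.
TRIGGER_CUES = {
    "authority": [r"\bceo\b", r"\bchairman\b", r"\bdirect instruction\b"],
    "urgency": [r"\burgent\b", r"\bimmediately\b", r"\bright now\b"],
    "social_proof": [r"\bthe rest of the board\b", r"\balready signed off\b"],
    "reciprocity": [r"\bas a (?:thank you|favou?r)\b", r"\bi covered (?:it|yours)\b"],
    "contextual_fit": [r"\bboard (?:meeting|pack)\b", r"\bquarterly\b", r"\bacquisition\b"],
}
# The "do" half of Ask&Do: verbs asking the reader to act.
ASK_CUES = [r"\bwire\b", r"\btransfer\b", r"\bsend (?:me|over|the)\b",
            r"\bconfirm\b", r"\bclick\b", r"\bapprove\b", r"\bshare\b"]

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender, trusted_domains):
    """Return the trusted domain the sender imitates (distance 1-2, not equal), else None."""
    domain = sender.rsplit("@", 1)[-1].lower()
    for t in trusted_domains:
        if domain != t and edit_distance(domain, t) <= 2:
            return t
    return None

def triggers_in(text):
    low = text.lower()
    return sorted(c for c, cues in TRIGGER_CUES.items() if any(re.search(p, low) for p in cues))

def assess(sender, body, trusted_domains):
    """Flag for review when an ask is paired with two or more triggers or a lookalike sender."""
    has_ask = any(re.search(p, body.lower()) for p in ASK_CUES)
    trig = triggers_in(body)
    imitated = lookalike_of(sender, trusted_domains)
    flagged = has_ask and (len(trig) >= 2 or imitated is not None)
    return {"ask": has_ask, "triggers": trig, "lookalike_of": imitated, "flagged": flagged}

# Constructed sample messages, not real correspondence.
TRUSTED = ["example-corp.com"]
SAMPLES = [
    ("ceo@examp1e-corp.com", "As CEO I need this handled immediately. Wire the acquisition "
     "deposit before the board meeting ends; the rest of the board has already signed off."),
    ("it-helpdesk@example-corp.com", "Reminder: the quarterly patch window is Saturday. No action is needed."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, assess(sender, body, TRUSTED))
```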

BattlePhish

BattlePhish is a live social engineering exercise I run at conferences and corporate events. Instead of lecturing an audience about phishing, I show them one happening in real time. The audience watches as I construct and send a social engineering attack during the session, and they see exactly how the techniques work — the domain registration, the reconnaissance, the message crafting, the psychological triggers. Then we dissect it together. BattlePhish turns passive listeners into active participants who leave the room with a visceral understanding of how these attacks work and, more importantly, how to recognise the patterns before they fall for them. It’s the most effective security awareness format I’ve found, because it replaces abstract warnings with lived experience.