
The phishing email is no longer the only threat your team needs to worry about. The reality is that social engineering threats to UK businesses are rapidly evolving. Social engineering attacks in 2026 are multi-channel: they start with a Teams message, follow up with a phone call from a spoofed number, and close with an email that references both previous contacts. The grammar is flawless. The caller sounds like someone your team recognises. The request feels urgent but reasonable.
Vishing (voice phishing) volumes surged over 440% between 2024 and 2025. IT helpdesks are the primary target in 42% of attacks. Finance departments account for over 30% of successful breaches. These are not mass-blast campaigns. They are targeted, researched and designed to exploit the way your team naturally responds to authority and urgency. Technical controls help, but they cannot catch a convincing phone call. What your team needs is a simple, repeatable process they can follow when something feels off. That process is three words: Stop, Verify, Escalate.
The 30-Second Script
This script works for reception staff, finance teams, office managers, anyone who handles incoming requests by phone, email or Teams.
Stop. Pause before acting on any request that involves money, credentials, access changes or sensitive information. Urgency is the attacker’s primary tool. A legitimate request can wait 60 seconds.
Verify. Contact the person who supposedly made the request using a known, trusted channel. Do not reply to the email, return the call to the number displayed, or respond to the Teams message. Instead, look up the person’s number independently and call them directly. If they confirm the request, proceed. If they do not, you have just prevented an attack.
Escalate. If you cannot verify the request, or if the caller pressures you not to check, escalate to your line manager or IT team immediately. No legitimate colleague or supplier will object to a verification step. Resistance to verification is itself a red flag.
Print this script. Pin it next to every phone. Include it in your onboarding pack. The value is in its simplicity: three steps that any member of staff can follow without needing technical knowledge.
What Multi-Channel Attacks Look Like
Understanding the pattern helps your team recognise it. Here is how a typical multi-channel social engineering attack unfolds in 2026.
Stage one: the setup. Your finance officer receives a Teams message from what appears to be the managing director’s account. The message says: “I need you to process a payment urgently. I will call you in five minutes to explain.” The message references a real project or client name, which the attacker found on LinkedIn or the company website.
Stage two: the call. Five minutes later, a phone call arrives. The caller ID shows the managing director’s mobile number (spoofed). The voice sounds plausible. The caller explains that a supplier payment needs processing today to avoid a penalty. They provide bank details and ask for immediate action.
Stage three: the follow-up. An email arrives from a slightly misspelled domain confirming the bank details “for your records.” The email includes a PDF invoice that looks legitimate. At every stage, the attack builds credibility by referencing the previous contact. Each touchpoint makes the next one harder to question. The entire sequence takes under 15 minutes.
The Stop, Verify, Escalate script breaks this chain at stage one. The finance officer pauses, calls the managing director on their known mobile number, and discovers they never sent the Teams message.
Where to Apply the Script
The script applies to any request that involves transferring money or changing bank details, resetting passwords or MFA, granting system access or sharing login credentials, sending sensitive files or client data externally, and making urgent changes to payroll or supplier records.
For payment and bank detail changes specifically, add a standing rule: no bank detail change is processed without a verbal confirmation from a known contact at the requesting organisation. This single control blocks the majority of business email compromise attacks.
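The standing rule and the Verify step can also be enforced as a gate in a payment or helpdesk workflow, so a request cannot be marked as verified by calling back a number that arrived with the request. The sketch below is an added example, not part of the original article; the request-type labels, the contact directory and the phone numbers are constructed, and escalating when the known contact does not confirm is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Request types in scope of the script (labels are constructed).
IN_SCOPE = {"payment", "bank_detail_change", "password_or_mfa_reset",
            "access_grant", "external_data_share", "payroll_or_supplier_change"}

# Constructed directory of known contacts. In practice this is supplier master
# data or the HR directory, never contact details taken from the request.
KNOWN_CONTACTS = {"md@example.co.uk": "+44 7700 900123"}

@dataclass
class Request:
    kind: str
    claimed_sender: str
    pressured_not_to_check: bool = False
    callback_number: Optional[str] = None  # number staff actually dialled
    confirmed_verbally: bool = False       # outcome of that call

def normalise(number: str) -> str:
    """Reduce a UK number to digits in international form (07700 -> 447700)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "44" + digits[1:] if digits.startswith("0") else digits

def decide(req: Request) -> str:
    """Return 'proceed', 'verify' or 'escalate' for an incoming request."""
    if req.kind not in IN_SCOPE:
        return "proceed"
    if req.pressured_not_to_check:
        return "escalate"  # resistance to verification is a red flag
    known = KNOWN_CONTACTS.get(req.claimed_sender)
    if known is None:
        return "escalate"  # no trusted channel exists, so it cannot be verified
    if req.callback_number is None:
        return "verify"    # Stop: nothing has been checked yet
    if normalise(req.callback_number) != normalise(known):
        return "verify"    # calling a number from the request does not count
    # Assumption: a known contact who does not confirm triggers escalation.
    return "proceed" if req.confirmed_verbally else "escalate"
```

A request only reaches "proceed" when the number dialled matches the directory entry and the contact confirmed on that call.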
Building a No-Blame Culture
The script only works if staff feel safe using it. If someone verifies a request and it turns out to be legitimate, they should never be criticised for checking. If someone escalates a suspicious call that turns out to be genuine, they should be thanked.
Attackers exploit hierarchy. A junior staff member is less likely to question a request that appears to come from a director. Make it explicit: everyone in the business has permission to verify any request, regardless of who it appears to come from. Include this in your security awareness training and reinforce it in team meetings.
Make It Part of Your Security Programme
The script is a starting point. For ongoing protection, pair it with regular security awareness training that includes simulated phishing and vishing exercises. Test your team with realistic scenarios so that Stop, Verify, Escalate becomes a reflex rather than something they have to remember under pressure.
If you want help rolling out the script, training your team, or setting up simulated exercises, contact The Unite Group. We deliver managed cyber security services across the North East, and staff training is a core part of how we protect your business.
