Episode #10

Email security filters have never been better… and yet attackers are still getting through.

In this episode, host Eliot is joined by Petri Kuivala
(CISO advisor) and David Badanes (Human Risk Management advisor) to break down what actually makes it past modern defenses, based on analysis of 400,000 real attacks reported by users – not simulations, not theory.

They unpack how generative AI didn’t invent new attack types, but dramatically scaled social engineering, why perfect grammar is now a warning sign, how MFA is being bypassed via session hijacking, and why humans remain one of the most effective detection layers when systems fall short.

What you’ll learn in this episode:

• Why phishing emails still get through secure email gateways and which attacks filters miss most often

• How AI is scaling social engineering through volume, personalization, and speed (not magic)

• Why “better language” and polished branding can now be stronger phishing signals

• How attackers bypass MFA using attacker-in-the-middle tooling and stolen session tokens

• Why QR codes, voicemail (vishing), and non-email channels are becoming more effective

• Real-world examples of deepfake voice and impersonation attacks — and where the risk is heading

• What 400,000 real attacks reveal about human detection versus automated controls

• Why good training works — and how reporting behavior changes the economics of attacks

• What security teams should focus on when filters, MFA, and signatures aren’t enough

Timestamps:

(00:00) Why do phishing emails still get through secure email filters?

(03:20) What do real-world phishing attacks actually look like today?

(06:40) How is AI changing phishing and social engineering attacks?

(10:10) How can you spot AI-written phishing emails?

(13:30) How do attackers bypass MFA and steal session tokens?

(17:40) What is quishing, and why do QR code attacks work?

(19:20) How does vishing work and why are voice phishing attacks increasing?

(21:10) How are deepfakes used in real cyber attacks?

(25:40) Can humans really detect phishing better than security tools?

(29:10) Does security awareness training actually work against modern phishing?

(33:00) What does the future of AI-driven spear phishing look like?

Resources:

• Threat Intelligence Report 2025: Tactics, Trends & Risks: https://hoxhunt.com/guide/threat-intelligence-report

Host links:

• Eliot Baker: ⁠https://fi.linkedin.com/in/eliotebaker⁠
• David Badanes: ⁠https://www.linkedin.com/in/dbadanes
• Petri Kuivala: https://www.linkedin.com/in/petrikuivala

****

All Things Human Risk Management is a Hoxhunt Original Podcast.

⁠⁠⁠⁠⁠⁠⁠Hoxhunt⁠⁠⁠⁠⁠⁠⁠⁠ is the Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk.

Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love.

Hoxhunt works with leading global companies such as Airbus, IGT, DocuSign, Nokia, AES, Avanade, and Kärcher and partners with leading global cybersecurity companies such as Microsoft and Deloitte.