Authority & Obedience
When technical defenses are too strong, attackers don't target the software. They target people. The most powerful tool they use is authority. We are wired to follow those above us: bosses, officials, experts, institutions. Attackers don't need to break your password when they can simply claim the right title.
The Teams Call from the CEO
Sarah was a senior HR and accounting coordinator at a fast-growing tech startup.
It was the final Friday of the fiscal quarter. Her desk was buried under high-priority forms. She was exhausted.
A Microsoft Teams notification appeared on her screen. Vikram Singhania, CEO, was calling.

She accepted. Vikram's face filled the screen. His office background, his shirt, his face. It was him.
"Sarah, I have about a minute. We are closing a deal with our European vendor right now and I need you to move fast. Buy five Amazon gift cards, ten thousand each, and send the codes to this number. I will explain everything once we sign."
"Do not loop in Finance on this. It is commercially sensitive and I do not want it circulating before we sign. I am counting on you."
Sarah charged Rs 50,000 to her personal credit card, bought the gift cards, and sent the codes.
Two hours later, she mentioned it to the actual Vikram in the office breakroom.
He had no idea what she was talking about. He had been in internal budget meetings all morning.
The face Sarah saw was not Vikram. It was a video deepfake: an AI-generated likeness built from his public appearances and company videos, run live over the call. The Teams account had been spoofed to show his name and profile.
She looked at his face and was still deceived. That is how convincing this technology has become.
What Is Actually Happening: Authority Exploits the Hierarchy We Trust
Authority bias means we comply with instructions from perceived superiors before stopping to verify who they actually are.
$2.77B Lost to BEC
$2.77B lost to Business Email Compromise in 2024, the top cybercrime category by financial loss for the sixth year running.
Every one of these attacks impersonated someone with authority. No technical break-in required.
Source: FBI Internet Crime Complaint Center (IC3) Annual Report, 2025
85% Bypass Approval
85% of employees bypass standard approval processes when a message appears to come from their CEO, without verifying through a separate channel.
3,000% Rise in 2024
AI-powered deepfake fraud attempts increased 3,000% in 2024, including live video calls impersonating executives. The Hong Kong case where a worker transferred $25 million to a deepfake CFO was not an outlier.
78% Include Silence Instruction
An instruction to "keep this secret" or "don't check with anyone" appears in over 78% of executive impersonation attacks. Verification is the one thing that would expose the scam, so attackers eliminate it first.
92% Don't Verify Officials
Over 92% of people do not challenge or verify the identity of someone who appears to represent a government or law enforcement body, even over a video call.
How Authority Signals Work
Titles, logos, uniforms, and profile photos are props, not proof. The brain processes them as evidence of legitimacy before logic has a chance to question the claim.
Attackers impersonate CEOs, IT staff, HR, government officials, and law enforcement by copying exactly these signals: a spoofed display name, an official-looking email header, a badge visible in a video background. None require technical access. They only require that you trust the signal before questioning it.
Real authority figures do not need to manufacture urgency or bypass their own organisation's approval process. When a request does either of those things, the authority claim itself is the red flag.
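The same props described above (an executive's display name on an address that is not theirs, a Reply-To that quietly diverts the conversation, and the "keep it secret" wording from the silence statistic) can be surfaced by a mail filter before the message reaches a person. This is an added example, not code from the module or any real product; the executive directory, domain and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed executive directory; name and domain are placeholders, not a real org.
EXECUTIVES = {"vikram singhania": "vikram.singhania@example.com"}
# Wording that tells the recipient to bypass internal checks (constructed patterns).
ISOLATION_PATTERNS = [
    r"\bdo not (loop in|involve|tell|discuss (this )?with)\b",
    r"\bkeep (this|it) (secret|confidential|between us)\b",
]

def normalise(name: str) -> str:
    return re.sub(r"\s+", " ", name.strip().lower())

def assess_message(raw: str) -> dict:
    # Return the authority-impersonation signals found in one RFC 5322 message.
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    # A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(normalise(display))
    if expected and addr != expected:
        findings.append("exec_display_name_mismatch")
    # Replies silently diverted to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append("reply_to_differs")
    # The "keep it secret" instruction that removes the check that would expose the scam.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    if any(re.search(p, body, re.IGNORECASE) for p in ISOLATION_PATTERNS):
        findings.append("isolation_instruction")
    return {"from": addr, "display": display, "findings": findings}

# Constructed samples: the story's request as an email, and a routine legitimate one.
SPOOFED = """From: Vikram Singhania <ceo.vikram.urgent@gmail.com>
Reply-To: vsinghania.deals@outlook.com
To: sarah@example.com
Subject: Quick favour - time sensitive

Sarah, buy five gift cards and send me the codes now.
Do not loop in Finance on this. It is commercially sensitive.
"""
LEGIT = """From: Vikram Singhania <vikram.singhania@example.com>
To: sarah@example.com
Subject: Q3 headcount plan

Please add the attached plan to Monday's Finance review.
"""
```

Each finding is a signal for review rather than a verdict; the check that actually settles identity is still the callback through a channel you already trust.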
The Milgram Effect in Digital Workplaces
Psychologist Stanley Milgram found that ordinary people would follow instructions from an authority figure even when those instructions caused clear harm, simply because someone in charge told them to. The discomfort of questioning authority is greater than the discomfort of complying.
In a workplace context, this plays out constantly. A request appearing to come from a senior figure shifts responsibility: "The CEO asked me to do this" stops feeling like a personal decision. Attackers design requests specifically to trigger this shift, using seniority, brevity, and urgency to block the moment of questioning before it starts.
Authority Stacking: When Signals Combine
Look at what the fake Vikram did. He did not just claim to be the CEO. He added a high-stakes context, a time constraint, an isolation instruction, and a reason why normal channels were unavailable. Each layer made the authority feel more real.
This is authority stacking: combining multiple power signals so that questioning any single one feels like risking everything. The more elaborate the setup, the more suspicious the request should make you. Real requests from real people rarely need that much scaffolding.
Try It: The Milgram Desk
You are a new IT administrator. Director Marsh is your supervisor. Four directives will arrive - each one asks you to cross a line. You have a single choice: comply or refuse. If you refuse, Marsh will push back up to three times.
What That Just Showed You
1. Titles are props, not proof. The display name, the badge, the logo in the email header - none of these prove identity. Verification requires a separate channel you already trust, not any contact detail supplied by the message.
2. Isolation from internal checks is always the red flag. No real manager or official will ever ask you to skip your organisation's own finance or compliance approval. That instruction exists for one reason: to remove the check that would instantly expose the scam.
3. The Milgram effect is predictable - and interruptible. Questioning a senior figure feels uncomfortable. That discomfort is the mechanism. Naming it out loud - "this request is making me feel like I can't question it" - breaks the automatic response.
4. Real emergencies can survive 10 minutes of verification. If a request cannot wait for a callback through a number already saved in your contacts, it is not a real emergency.
Three Things Worth Doing
1. Confirm through a channel you already have. When a high-stakes instruction arrives, call back using a number saved in your own contacts or printed on official documentation - not any number in the message.
2. The "keep it secret" instruction is an automatic refusal. No legitimate authority inside your organisation needs you to hide a transaction from finance or compliance. That instruction is the scam revealing itself.
3. No government body will threaten you over a video call and demand an immediate transfer. Legitimate agencies send written notices through official channels. If this happens, end the call and contact your local police station directly.
One Question Before You Continue
In the story, the fake CEO told Sarah: 'Do not discuss this with anyone in HR or Finance.' What does this instruction actually reveal about the request?