Hacker News

qsera, yesterday at 2:12 PM

> I meant that humans are vulnerable to malicious input too.

No, they are not. Social engineering won't work on a human security expert who knows and understands the implications of the information they are giving away. Your analogy is pointless.


Replies

jcalx, yesterday at 5:34 PM

> Social engineering won't work on a human security expert who knows and understands the implications of the information they are giving away

Social engineering, like prompt injection, is a context attack — easy to spot if you're ready for it, but harder in different circumstances (rushed, panicked, tired, having a bad day, etc.).

Troy Hunt (security consultant, creator of HaveIBeenPwned) and Cory Doctorow have both been successfully phished [0][1]. They're both tech- and security-savvy people who "should have known better" but it happened to them anyway. But maybe you're different... you'd never fall for an online scam, right? [2]

[0] https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mail...

[1] https://doctorow.medium.com/https-pluralistic-net-2025-04-05...

[2] https://news.harvard.edu/gazette/story/2024/09/youd-never-fa...

maybe_pablo, yesterday at 3:40 PM

Sure they are, if the human expert follows instructions from a manager or a client, if they are of utility to anybody, then they are vulnerable to social engineering and malicious input. An attack may be easy or hard depending on the expert's training, but nobody is flawless.