Prompt injection is social engineering for AI Agents

BY: Kevin Smith

We spent a day at Startupfest in Montreal this month, pitching on stage and working a booth. The exhibitor floor was wall-to-wall AI. Agents that book meetings, agents that reconcile invoices, agents that answer support tickets. And almost every conversation at our booth, whatever it started with, ended up at the same question: what happens when an AI agent gets tricked?

It’s the right question. And the honest answer is that we already know what happens, because we’ve watched the human version of this attack play out for decades.

The oldest con in the book

Long before anyone wrote a line of malware, criminals were stealing money by talking their way past people. The con artist doesn’t break the lock. He convinces the person holding the key to open the door for him.

Security people call this social engineering, and it has never gone out of style because it works. The fake urgent email from the CEO asking finance to wire funds before end of day. The call from “IT support” that needs your password to fix an issue. The invoice from a supplier whose banking details changed last week. Year after year, industry breach reports put stolen credentials at or near the top of the list of how attacks begin, and a good portion of those credentials are handed over willingly, by people who believed they were talking to someone they could trust.

The pattern underneath every one of these attacks is the same. Establish false identity. Create urgency. Extract an action the victim would never take if they knew who was really asking.

Keep that pattern in mind. You’re about to see it again.

The same con, a new mark

Prompt injection gets described as a technical vulnerability, something for the security team to patch. I think that framing undersells the problem. Prompt injection is social engineering. The mark just changed.

An AI agent takes instructions in natural language and acts on them. That’s the whole value proposition. But it also means anyone who can get text in front of the agent can attempt to instruct it. A hidden line in an email the agent was asked to summarize. A block of white-on-white text on a webpage it was sent to read. A calendar invite, a support ticket, a shared document. To the agent, it’s all input, and the attacker’s instructions arrive through the same channel as the owner’s.

Now run the classic con through this new channel. If I can message your agent, convince it that I’m its owner, and then convince it to transfer money from your account to mine, how is that different from talking a bank teller into wiring funds? The mechanics changed. The crime didn’t. Establish false identity, create urgency, extract the action. Same con. New mark.

Why agents are softer targets than people

Here’s the uncomfortable part. In some important ways, the new mark is easier to fool than the old one.

People hesitate. Agents execute.

A seasoned employee has instincts. Something about the email feels off, the request is unusual, the timing is strange. She pauses. She picks up the phone and calls the CEO to verify. Decades of security awareness training exist precisely to sharpen that hesitation.

An agent doesn’t hesitate. It parses the instruction, evaluates it against whatever guardrails it has, and executes. It doesn’t get a bad feeling. It doesn’t call to verify. The single most valuable defense in the history of social engineering, the human pause, is the exact thing agents are built to remove.

The con now scales

Human social engineering is retail crime. Each mark takes effort: research the target, craft the pretext, work the conversation. That effort was a natural ceiling on the damage.

Agents remove the ceiling. A working injection technique can be aimed at thousands of agents at machine speed and near-zero cost. And unlike a human victim, a compromised agent often holds live credentials to email, banking, CRM, and internal systems, with standing permission to act in all of them. The blast radius of one successful con just got much larger.

Trust is the whole attack surface

Companies spent the last two decades hardening networks and endpoints, so attackers moved to the softest remaining layer: people. Agents add a brand new soft layer, one that is always on, never suspicious, and connected to everything. Attackers don’t abandon a playbook that works. They point it at the new mark.

The practice that holds up: a verified human in the loop

So what actually helps? At the booth we kept coming back to the answer that has always held up when the stakes are high: keep a human in the loop for risky actions.

But “human in the loop” has to mean more than it usually does. A confirmation dialog that gets clicked on autopilot is not a control, and an approval email is just another channel the attacker can spoof. For the human in the loop to matter, two things have to be true.

The human must be verified

Before an agent executes a risky action, the approval has to come from a strongly authenticated human, not from whoever happens to be able to reply to a message. If the approval channel itself relies on passwords or codes that can be phished, the attacker simply cons the approval step the same way they conned the agent.

The consent must be explicit

The verified human needs to see the specific action: this payment, this amount, this destination, this permission change, and consciously approve it. Blanket pre-approvals recreate the original problem. Explicit consent per risky action is what turns the human pause from a training aspiration into an enforced step in the workflow.

This specific person, strongly authenticated, approving this specific action before it executes. That’s the standard.

Where BlokSec fits

This is the problem we’ve been working on for years, just with a human mark instead of a digital one. BlokSec’s passwordless authentication was built to stop credential-based attacks by removing the thing attackers steal and replacing it with verified identity and explicit user consent. There’s no password to phish and no code to intercept, which means the approval step can’t be conned the way the agent was.

We’re now adapting that same technology for agentic workflows. When an agent reaches a risky action, moving funds, changing permissions, touching sensitive records, it stops and gets a verified yes from the actual human before anything executes. The agent keeps its speed for the 95% of actions that carry little risk. The human keeps control of the few that could cause real financial damage.

We’re in the middle of that work now, and the conversations at Startupfest told us the fear is real and widely shared. Everyone wants agents doing more work. Almost nobody has an answer for the day one gets conned.

Nobody has taught the agents yet

We spent two decades teaching employees not to trust an urgent message claiming to be the CEO. We ran the phishing simulations, mandated the training, built the reporting buttons. It worked, imperfectly, because humans can learn suspicion.

Nobody has taught the agents yet, and it’s not clear anyone can. Until someone does, the safest agent is the one that has to ask you first.

Recent Posts