Filter-then-Verify: A Multiphase GNN and ModernBERT Framework for Social Engineering Detection in Email Networks
Barsat Khadka, Prasant Koirala, Kshitiz Neupane, Nick Rahimi

TL;DR
This paper introduces a two-phase framework combining GNNs and ModernBERT to detect social engineering attacks in email networks, achieving high recall and precision.
Contribution
It presents a novel multiphase approach integrating structural anomaly detection with content verification for improved email attack detection.
Findings
Achieved 86% recall in structural filtering.
Over 92% precision after BERT content analysis.
Effective detection of external and insider threats.
Abstract
Social engineering attacks exploit human trust rather than software vulnerabilities, making them difficult to detect using conventional filters. We propose a two-stage filter-then-verify framework combining inductive Graph Neural Networks (GNNs) for structural anomaly detection with a co-attention ModernBERT model for content verification. The GNN identifies anomalous sender-receiver patterns, while BERT analyzes message context to reduce false positives. Using the Enron dataset augmented with realistic synthetic campaigns, we show that the framework achieves 86% recall in structural filtering and over 92% precision after BERT refinement, effectively detecting both external attacks and insider threats. Our results demonstrate that combining structural and content analysis allows practical, scalable detection of multi-stage social engineering attacks in email networks.
