A Lesson in Social Engineering: How a “Security-aware” Organization Was Completely Duped