Explore the Rise of Social Engineering Attacks and the Strategies to Stop Them
Technical defenses keep evolving, but attackers have learned that people are often the weakest link. Social engineering has quietly outpaced many technical intrusions because it reliably targets human behavior rather than firewalls or intrusion detection systems. The 2025 Verizon Data Breach Investigations Report highlights that social engineering remains one of the top three breach patterns, with phishing and pretexting consistently leading incident categories. Meanwhile, the FBI’s Internet Crime Complaint Center reported phishing and spoofing as the top cybercrime complaints in 2024, driving billions in losses.
This article explains what social engineering is, how attacks typically unfold, the most common and emerging techniques and the protections that organizations need today.
What is Social Engineering?
Social engineering is a technique that uses psychological manipulation to trick people into giving up access, data, or money. Instead of hacking systems, attackers exploit cognitive biases such as authority, urgency, scarcity, reciprocity, liking, and consistency. These shortcuts help people make decisions quickly, but in the wrong hands, they create vulnerabilities.
In 2025, Verizon DBIR data placed social engineering among the three dominant breach categories. The FBI IC3 reported that cybercrime losses reached $16.6 billion in 2024, with business email compromise (BEC) schemes alone accounting for a large share of financial fraud.
What’s new is how technology amplifies these tactics. In 2025, deepfake voice and video fraud cases increased dramatically, convincing finance departments and executives to authorize fraudulent payments. Attackers are also embedding QR codes in emails that redirect users to credential-theft portals, which traditional email security misses.
How Social Engineering Works
Attackers rarely improvise. Most social engineering campaigns follow a structured playbook designed to maximize credibility and minimize detection.
Reconnaissance and Targeting
Open-source intelligence (OSINT) provides the foundation. Attackers scrape LinkedIn for job titles, scan organization charts for finance contacts, analyze vendor relationships, and even observe team jargon or meeting schedules. The goal is to understand who controls payments, credentials, or sensitive access.
Pretext and Setup
Armed with this intelligence, attackers develop plausible situations: a CEO traveling overseas who asks for an urgent transfer, a follow-up on an invoice from a trusted supplier, or a benefits update from the human resources department. The pretext is designed to feel ordinary enough to pass without scrutiny yet urgent enough to discourage delay.
Initial Contact Channels
Email remains dominant, but not alone. SMS (smishing), phone calls (vishing), Slack/Teams messages, LinkedIn DMs and even QR codes in posters or PDFs expand the attack surface. The Anti-Phishing Working Group (APWG) reported that QR-based phishing campaigns are now launched at scale with millions of QR emails observed per quarter.
Manipulation Tactics
Classic psychological triggers drive action:
- Authority – spoofing executives or regulators.
- Urgency – fake payment cut-offs or contract deadlines.
- Empathy – HR or benefits scams targeting concern for coworkers.
- Curiosity – shared document links or project invites.
Bypassing Technical Controls
Modern attackers also know how to bypass technical defenses:
- Adversary-in-the-middle (AiTM) phishing kits steal session cookies to hijack accounts even with MFA enabled.
- MFA fatigue/push bombing floods users with login prompts until they approve one.
- Callback phishing tricks employees into calling attackers who then extract one-time passcodes.
- OAuth consent phishing persuades users to grant malicious app permissions, giving attackers access to mailboxes without passwords.
- AI deepfakes simulate voices or video feeds of executives. The 2024 Hong Kong case, where scammers faked an entire video conference to authorize a HK$200M transfer, is now a cautionary tale.
Monetization
The campaign ends in monetization: fraudulent wire transfers (BEC), cryptocurrency theft, or stolen data resold on dark markets.
Types of Social Engineering Attacks
Social engineering takes many forms, each exploiting trust differently. The most common and emerging attacks are listed below.
Phishing via Email
Attackers lure victims with links or attachments; what has changed is the sophistication. Many campaigns are now multi-stage: the first step is a PDF whose QR code links to a credential-harvesting page. Attackers increasingly host phishing payloads on legitimate services such as Dropbox, Google Docs, or project-management boards, which improves both delivery and perceived trustworthiness.
Spear Phishing and Whaling
Unlike bulk phishing, spear phishing targets individuals with tailored messages, often CFOs or finance managers. Whaling goes after executives or board members. Recent trends show vendor and payroll redirection schemes dominating, with attackers intercepting invoice chains and swapping in fraudulent banking details. Abnormal Security notes that BEC continues to drive the largest financial losses across industries.
Smishing via SMS
Text-message lures have surged with mobile-first workforces. Fake delivery notices, bank alerts, and MFA code requests trick users into clicking shortened links or responding to fraudulent prompts. The bring-your-own-device (BYOD) model expands exposure, as personal devices may lack enterprise security controls.
Vishing and Deepfake-Assisted Vishing
Traditional phone scams are evolving. In 2025, AI-cloned executive voices are increasingly used to “approve” urgent wire transfers. For example, a finance clerk receiving a late-night call from what sounds like their CFO is unlikely to challenge authority. The American Bar Association has flagged deepfake-enabled fraud as one of the fastest-growing legal and compliance risks.
Quishing (QR-Code Phishing)
Attackers embed malicious QR codes in emails, invoices, or even printed posters. Employees scan them on mobile devices, where controls are weaker, and land directly on credential-theft pages. APWG recorded millions of QR phishing emails per quarter in 2025, marking quishing as a mainstream threat.
Adversary-in-the-Middle (AiTM) MFA Bypass
Reverse-proxy kits capture both credentials and session tokens in real time. Microsoft reported a 146% increase in AiTM phishing activity in 2024, with many campaigns specifically targeting Microsoft 365 logins. These kits effectively neutralize traditional multi-factor authentication, forcing organizations to adopt phishing-resistant alternatives.
OAuth Consent Phishing
Instead of stealing passwords, attackers ask victims to grant permissions to a malicious third-party app, such as “read and send mail” scopes. Once consent is granted, attackers maintain persistent access without needing credentials.
SIM Swapping and Account Recovery Abuse
SIM swapping hijacks a victim’s mobile number. Attackers can then intercept SMS-based MFA codes or exploit password reset processes. These tactics remain highly effective, particularly against individuals with crypto wallets or financial accounts.
Pretexting, Tailgating, and Physical Baiting
Physical social engineering hasn’t disappeared. Attackers still gain facility access by flashing fake badges, posing as delivery staff, or dropping infected USB drives in office spaces. In industries with sensitive infrastructure such as healthcare, manufacturing, or energy, these methods remain surprisingly successful.
Social Media Impersonation and Support Scams
Attackers impersonate brand accounts or fake “support reps,” luring victims into private chats or phone calls. This tactic often targets consumers but is increasing in B2B, where fraudsters impersonate SaaS vendors or IT helpdesks.
Social Engineering Prevention Techniques for Organizations
Defending against social engineering requires a layered strategy across people, process and technology.
People
- Role-based training – Move beyond generic phishing tests. Simulate BEC, invoice fraud, QR-based phishing and MFA-bypass scenarios that employees might actually face.
- Verification rules – Any request to change vendor payment details or execute an urgent wire transfer must be verified through an out-of-band channel. Dual approval for payments should be non-negotiable.
- Call-back code words – Use shared secrets to validate executives or vendors during voice or video calls, especially when urgent requests are made.
- Communication hygiene – Discourage scanning arbitrary QR codes and train staff to validate meeting invites, sender domains, and OAuth consent prompts.
Process
- Payment and vendor SOPs – Establish mandatory second-channel verification before updating financial details.
- App consent governance – Limit who can authorize third-party OAuth apps. Regularly review and revoke high-risk consents.
- Incident playbooks – Assume an AiTM phishing campaign may have stolen session tokens, and have a rapid-response process ready to force sign-outs, revoke refresh tokens, reset passwords, and invalidate app-specific credentials.
- Executive protection – Reduce public exposure of executive travel or contact details. Provide PR/HR teams with guidelines to avoid oversharing exploitable information.
Technology
- Phishing-resistant MFA – Adopt FIDO2/WebAuthn hardware keys or passkeys for high-risk apps. Avoid SMS and push-only authentication, which are vulnerable to AiTM and push bombing.
- Token binding and continuous access evaluation – Make sure session tokens are tied to specific devices and locations, which limits their reuse if stolen.
- Email authentication and anomaly detection – Enforce DMARC, SPF and DKIM. Deploy computer vision and QR-scanning controls to detect malicious QR codes and sandbox PDF attachments.
- Brand and lookalike monitoring – Identify and take down spoofed domains, fake social media profiles, and fraudulent support pages.
- User and Entity Behavior Analytics – Monitor for anomalies such as unusual wire transfers, impossible travel logins, or abnormal OAuth grants.
- Browser isolation – Use isolated environments for high-risk categories of links to minimize exposure.
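Enforcing DMARC means more than publishing a record: a policy of p=none only monitors, and a partial pct or relaxed subdomain policy still lets spoofed executive mail through. The checker below is an added example, not code from the original article; it parses constructed _dmarc TXT records (the domains are invented) and reports the settings that would still allow spoofing.

```python
# Constructed DNS TXT answers for _dmarc.<domain>; these are not real records.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "strong.example": "v=DMARC1; p=reject; sp=reject; pct=100; "
                      "rua=mailto:agg@strong.example; adkim=s; aspf=s",
    "broken.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if this is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(record):
    """Return findings that explain why spoofed mail could still be delivered."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record: spoofed mail is not policed at all"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is delivered (monitor) or only junked")
    pct = int(tags.get("pct", "100"))          # RFC 7489 default is 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub = tags.get("sp", policy).lower()        # subdomain policy defaults to p
    if sub != "reject":
        findings.append(f"sp={sub}: subdomains (e.g. hr.<domain>) can be spoofed")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse goes unnoticed")
    for tag in ("adkim", "aspf"):               # relaxed alignment is the default
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r: any subdomain of the org domain aligns")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, "->", assess_dmarc(record) or ["OK: enforcing reject"])
```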
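The behavior-analytics bullet above calls for flagging impossible-travel logins (a sign of a stolen AiTM session) and abnormal OAuth grants. The added example below is not code from the original article: it runs that logic over a few constructed audit events. The event format is an assumption; the scope names follow Microsoft Graph naming to match the “read and send mail” consent the article describes.

```python
import json
import math
from datetime import datetime

# Constructed sample audit events (no real tenant): sign-ins with geolocation and OAuth consents.
SAMPLE_EVENTS = [
    '{"ts":"2025-03-01T09:00:00Z","user":"alice","type":"signin","lat":51.5,"lon":-0.12}',
    '{"ts":"2025-03-01T09:40:00Z","user":"alice","type":"signin","lat":40.7,"lon":-74.0}',
    '{"ts":"2025-03-01T10:00:00Z","user":"bob","type":"signin","lat":48.85,"lon":2.35}',
    '{"ts":"2025-03-01T10:05:00Z","user":"bob","type":"consent","app":"Invoice Helper",'
    '"scopes":["Mail.ReadWrite","Mail.Send"]}',
    '{"ts":"2025-03-01T10:30:00Z","user":"carol","type":"consent","app":"Calendar Sync",'
    '"scopes":["Calendars.Read"]}',
]

# Mailbox scopes are what consent phishing asks for; offline_access yields a refresh token.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"}
MAX_SPEED_KMH = 900.0  # faster than a commercial flight means the user did not travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def analyze(lines):
    """Return (kind, user, ...) alerts for impossible travel and risky OAuth consents."""
    alerts, last_signin = [], {}
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ev["type"] == "signin":
            prev = last_signin.get(ev["user"])
            if prev is not None:
                hours = (ts - prev[0]).total_seconds() / 3600
                dist = haversine_km(prev[1], prev[2], ev["lat"], ev["lon"])
                if hours > 0 and dist / hours > MAX_SPEED_KMH:
                    alerts.append(("impossible_travel", ev["user"], round(dist)))
            last_signin[ev["user"]] = (ts, ev["lat"], ev["lon"])
        elif ev["type"] == "consent":
            risky = sorted(set(ev["scopes"]) & HIGH_RISK_SCOPES)
            if risky:
                alerts.append(("risky_oauth_consent", ev["user"], ev["app"], risky))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

In production the same checks would run against the identity provider's sign-in and consent audit logs, and a hit should trigger the incident playbook above (force sign-out, revoke refresh tokens, revoke the app consent).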
Metrics to Track
- Percentage of privileged accounts enrolled in phishing-resistant MFA.
- Phish report rates and false-negative detection rates.
- Average time-to-verify vendor banking changes.
- Number of OAuth app consents granted and revoked monthly.
- Detection and block counts for QR-phishing attempts.
Final Thoughts
Social engineering is no longer just about spam emails and fake invoices. Attackers now combine AI-generated voices and videos, AiTM phishing kits, and QR campaigns to bypass both technical and human defenses. The key to resilience is human-centric security. Codified verification processes, phishing-resistant MFA, consent governance, and executive safeguards create the safety nets needed to blunt these attacks. Organizations that treat social engineering as a core business risk rather than a mere IT problem will be best positioned to prevent tomorrow’s multimillion-dollar frauds.