Social engineering represents the most dangerous attack vector facing organizations today. Unlike traditional hacking, which targets computer systems directly, social engineering exploits human psychology. It uses psychological manipulation, carefully crafted stories, and manufactured urgency to trick people into revealing sensitive information or granting unauthorized access to secure systems. The statistics are alarming: Social engineering shows up in a huge share of real-world attacks, and plenty of industry writeups cite figures as high as 98%—but that number is often repeated through secondary sources, so I treat it as directionally true rather than gospel.
The landscape of social engineering has transformed dramatically throughout 2025. Artificial intelligence now generates deepfake videos and voice clones so convincing that even security experts cannot distinguish them from reality. One finance employee at the global engineering firm Arup received what appeared to be a videoconference call from the company’s CFO and other executives in early 2024. In reality, every person except the victim was artificially generated. The worker transferred $25.6 million in what has been called the largest known deepfake fraud in history.
Organizations are finally recognizing this existential threat. According to the Verizon 2025 Data Breach Investigations Report, social engineering attacks were responsible for 22% of data breaches involving external threat actors. More critically, 36% of all incidents in professional incident response caseloads began with a social engineering tactic—making it the single most common initial access vector for attackers. This is not a technical problem that firewalls can solve. This is a human problem that requires human solutions.
Understanding Social Engineering: How It Actually Works
The Psychology Behind Social Engineering Attacks
Social engineering relies on six fundamental psychological principles that attackers exploit relentlessly. Authority makes people comply when they believe someone in power is asking. A fraudulent email purporting to come from your CEO requesting an urgent wire transfer elicits immediate compliance without verification. Intimidation uses threats or fear to force action. Attackers claim they will release compromising information unless you pay immediately. Scarcity capitalizes on limited availability. Consensus exploits social proof. Urgency forces hasty decisions without thinking. The attacker claims the security threat exists right now and action must happen immediately.
The final principle is pretexting—creating a compelling, believable story that causes people to help or reveal information. A caller claiming to be from your bank’s fraud department asks you to verify your account number. You believe the story is real, so you comply without questioning.
Understanding these principles is critical because attackers spend weeks researching their targets. They study social media profiles, monitor LinkedIn for job changes, observe office layouts via Google Street View, and track online behavioral patterns. Armed with this information, they craft attacks so personalized and specific that generic security awareness training fails to stop them.
The Six Types of Social Engineering Attacks
- Phishing remains the dominant attack type, accounting for 65% of social engineering attacks. Attackers send emails that appear to originate from trusted sources. Between May 2024 and May 2025, 1,003,924 phishing attacks were reported. In Japan alone, a sophisticated phishing kit called CoGUI unleashed over 580 million scam emails impersonating Amazon, PayPal, Apple, and government tax agencies.
- Pretexting has explosively surged to become the most common social engineering method overall. Pretexting now accounts for 50% of all social engineering attacks—almost twice the previous year’s proportion. In pretexting attacks, the attacker creates a false scenario with a fabricated identity.
- Business Email Compromise (BEC) targets executive-level employees and finance departments. In 2024, BEC attack volume soared by 103%. The average CEO receives 57 targeted attacks every year. In 2024 alone, more than $6.3 billion was transferred through BEC attacks.
- Vishing (voice phishing) uses phone calls rather than emails, with AI-generated voice clones impersonating executives. Vishing attacks skyrocketed 442% between the first and second halves of 2024.
- Smishing (SMS phishing) attacks mobile phones through text messages. These attacks have grown explosively, affecting 76% of businesses in 2024.
- Deepfakes represent the terrifying new frontier of social engineering. AI now generates videos and audio so convincing that visual and audio verification no longer protects you. The Arup deepfake case proved that seeing or hearing someone no longer means believing them.
Real-Life Social Engineering Incidents: When Trust Becomes a Weapon
The $25.6 Million Deepfake Heist: Arup Engineering (February 2024)
In early February 2024, a finance worker at global engineering firm Arup received a phishing email claiming to be from the UK office CFO requesting a “secret transaction.” The employee initially suspected phishing. Within hours, he received an invitation to a video conference call with multiple participants. The call included what appeared to be the company’s CFO, other senior executives, and a known client. The video quality was perfect. The executives discussed details only real leadership would know. The employee felt confident and authorized the $25.6 million transfer immediately through 15 separate transactions.
Only after the transaction did colleagues realize something was wrong. Every person on the call, except the victim, was an artificial intelligence deepfake. This represents the single largest known deepfake fraud in history. The investigation is still ongoing.
The Marks & Spencer £300 Million Disaster: Social Engineering Meets Ransomware (April 2025)
In February 2025, attackers began reconnaissance on Marks & Spencer, the iconic British retailer with 300+ stores. The initial attack didn’t involve malware or technical exploits. Instead, an attacker made a phone call to M&S’s IT help desk, claiming to be an employee who had forgotten their password. The help desk employee asked security questions. The attacker provided plausible answers and requested a password reset. The help desk obliged, granting the attacker legitimate access to M&S’s corporate network.
With valid employee credentials, the attacker quietly moved through the network for two months, mapping systems and escalating privileges. By late April, when the Easter weekend arrived and security staff were minimal, the attack went live. Ransomware deployed across hundreds of systems simultaneously on April 22, 2025. Within hours, M&S customers could not make contactless payments. By April 25, the company suspended all online clothing and home orders. The damage was catastrophic—M&S lost approximately £300 million and took 46 days to resume online ordering.
The attack was attributed to Scattered Spider, a loose network of sophisticated social engineering attackers who exploit help desk procedures and management trust. What makes this attack remarkable is that a simple phone call to the help desk—using only social engineering, no malware—gave attackers the keys to the kingdom.
Coinbase Insider Bribery: May 2025
On May 15, 2025, cryptocurrency exchange Coinbase disclosed a data breach affecting nearly 70,000 customers—approximately 1% of their user base. However, this was not a technical breach. Cybercriminals had bribed overseas customer support agents working for TaskUs, a third-party vendor contracted by Coinbase. These agents exfiltrated sensitive personal data, including names, dates of birth, Social Security numbers, financial data, and government-issued IDs.
The attackers then used this stolen data to conduct highly targeted social engineering attacks against Coinbase customers. One victim lost over $2 million. The attacker demanded $20 million in ransom from Coinbase itself. Coinbase refused to pay and instead offered a $20 million bounty for information identifying the perpetrators. The SEC launched investigations into Coinbase’s internal controls. This incident demonstrates that social engineering doesn’t always target employees—it targets contractors and third-party vendors who may have weaker security awareness.
LexisNexis GitHub Breach: December 2024 (Discovered April 2025)
On December 25, 2024, an unauthorized actor accessed LexisNexis Risk Solutions’ GitHub repositories through social engineering tactics targeting developers. The attacker compromised a developer’s GitHub account, gaining access to third-party development platforms tied to LexisNexis. The breach exposed personal data belonging to approximately 364,000 individuals.
What makes this incident notable is that it wasn’t discovered until April 1, 2025—more than three months after the initial compromise. This demonstrates that sophisticated social engineering attacks can remain undetected for extended periods.
Philip Murray: When a Security Expert Falls Victim
Philip Murray worked in cybersecurity for years. He understood the dangers. Yet in summer 2019, an email arrived claiming to be from his boss requesting an urgent favor. The boss was onsite with a customer and needed Amazon vouchers purchased immediately. Philip didn’t hesitate. He walked to the shops, purchased £800 in gift cards, and emailed them to the attacker.
Only the next morning did doubt creep in. Philip realized he had fallen for the attack. “If that can happen to me,” Philip wrote, “then it can happen to anyone who isn’t thinking about this all day, every day.” Philip’s story proves that knowledge is not immunity. Fatigue, distraction, and the human capacity for trust can defeat even an expert’s defenses.
How Social Engineering Attacks Succeed Against Modern Defenses
Why Technical Controls Cannot Stop Social Engineering
Organizations invest billions in firewalls, intrusion detection systems, and advanced endpoint protection. Yet 36% of all incident response cases begin with social engineering. This reveals a fundamental truth: technical controls protect the network, but social engineering bypasses them by turning human trust into the real perimeter. A firewall cannot stop someone authorized to access the system if that authorization was obtained through deception.
The Marks & Spencer attack illustrated this perfectly. No malware was needed for the initial breach. No zero-day exploits were used. A single phone call to the help desk—exploiting normal business procedures—granted legitimate access to the entire corporate network. Traditional security controls were completely irrelevant because the attacker was already inside, authenticated as a legitimate employee.
The median time to click on phishing simulation links is just 21 seconds, with credentials being entered after only 28 seconds. Decisions made at that speed are reflexive; the click happens before deliberate scrutiny has a chance to engage.
The AI Amplification: How Artificial Intelligence Made Social Engineering Exponentially More Dangerous
In 2025, artificial intelligence has transformed social engineering from an art requiring human skill into an industrial-scale operation. AI-generated phishing emails now have a 42% higher success rate than conventional email-only scams. AI voice clones can sound exactly like your CEO. AI video deepfakes can show executives in situations they never appeared in.
The Arup deepfake case demonstrated what happens when AI removes the verification mechanisms humans traditionally relied upon. For decades, a video call with your CEO was considered sufficient proof of identity. That security assumption no longer holds.
Social Engineering Prevention: A Multi-Layer Defense Strategy
Layer 1: Security Awareness Training That Actually Works
Effective training teaches judgment: how to verify suspicious requests through independent channels, how to recognize that urgency is an attacker’s tool, and why normal verification procedures should never be bypassed.
Layer 2: Verify Everything Through Independent Channels
If you receive an urgent email from your CEO requesting a wire transfer, do not reply asking for verification. Instead, call your CEO’s direct line using a number you know is real. This single practice—verification through independent channels—defeats most social engineering attacks because attackers cannot intercept a phone call to a number not provided by them.
Layer 3: Implement Rigorous Help Desk Identity Verification
The Marks & Spencer attack proved that help desk procedures are critical attack vectors. Organizations should implement multi-factor verification for help desk requests. A simple password reset should never occur based solely on a phone call. Organizations should require physical ID verification, callback procedures using verified contact information, multiple verification questions not publicly available on social media, manager approval for privileged access changes, and notification to the affected employee when account changes are made.
Layer 4: Contract and Vendor Risk Management
The Coinbase incident demonstrated that attackers will target third-party vendors with weaker security practices. Organizations should implement strict background checks for vendors with access to sensitive data, require regular security training for all third-party staff, monitor vendor access logs for unusual activity, and conduct surprise audits of vendor compliance.
Layer 5: Executive Communication Channel Security
Executives and finance employees should use communication channels for sensitive requests that are separate from those used for routine communication. The cost of implementing separate channels for financial authorization is negligible compared to the cost of a single $25 million fraud.
Layer 6: Rapid Detection and Response
Organizations should implement systems to detect unusual behavior immediately. If an employee who typically accesses systems during business hours suddenly connects at 3 AM from a different country, this should trigger immediate verification. The speed of detection determines whether an attack stops at one compromised account or propagates through the organization.
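An added example (not from the article) of the Layer 6 check in Python: it reads constructed authentication log lines, uses each user's previously observed countries as a baseline, and flags successful logins that are off-hours or from a country that user has never logged in from, rating the combination high. The log format, the business-hours window and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log, assumed to be in chronological order.
SAMPLE_LOG = """\
2025-04-18T09:12:03Z user=jdoe src=203.0.113.10 country=GB result=success
2025-04-18T13:45:11Z user=jdoe src=203.0.113.10 country=GB result=success
2025-04-21T10:02:54Z user=jdoe src=203.0.113.12 country=GB result=success
2025-04-22T03:07:41Z user=jdoe src=198.51.100.7 country=RU result=success
2025-04-22T08:30:00Z user=asmith src=203.0.113.20 country=GB result=success
2025-04-22T23:55:10Z user=asmith src=203.0.113.20 country=GB result=failure
"""

# Assumed line layout; adapt the pattern to the real identity provider's export.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, an assumption for this example


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def detect_anomalies(log_text):
    """Return alerts for successful logins that are off-hours and/or from a new country."""
    seen_countries = defaultdict(set)  # per-user baseline built from earlier successes
    alerts = []
    for rec in parse(log_text):
        if rec["result"] != "success":
            continue  # failed attempts do not extend the baseline
        user, country, ts = rec["user"], rec["country"], rec["ts"]
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        # A user's very first login has no baseline, so it is not treated as a new country.
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append("new-country")
        if reasons:
            alerts.append({"user": user, "ts": ts.isoformat(), "country": country,
                           "reasons": reasons,
                           "severity": "high" if len(reasons) == 2 else "medium",
                           "action": "verify with the user via a known-good channel"})
        seen_countries[user].add(country)
    return alerts
```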
Conclusion: Social Engineering as the Permanent Security Reality
Social engineering is not a problem that will be solved by technology. It is a permanent feature of modern security because it exploits human nature itself. The incidents in 2025 have demonstrated that even large, well-resourced organizations (Arup, Marks & Spencer, Coinbase, LexisNexis) cannot eliminate social engineering risk—they can only manage it through rigorous procedures and rapid response.
The only effective defense is human vigilance, organizational processes that verify before acting, and a culture that celebrates the person who says, “wait, let me double-check.” Every person in your organization is a potential target. Every interaction could be an attack. The difference between survival and catastrophe is whether people verify requests through independent channels and whether the organization responds with speed and determination.