Social Engineering Attacks: What You Need to Know

Cybercriminals have always targeted people, not just systems. Social engineering attacks use deception to manipulate individuals into handing over sensitive information, clicking on malicious links, or transferring money. These tactics often arrive by email or phone and appear to come from a trusted source.

Attackers are using generative AI to create fake messages and identities that look more convincing. They launch large-scale phishing campaigns, impersonate senior executives using deepfake audio, or combine email and phone scams to pressure their targets into making mistakes.

It’s working. According to Verizon’s 2025 Data Breach Investigations Report, the human element played a role in 60% of breaches last year. Fighting back requires security teams to understand how AI is reshaping these threats and take practical steps to strengthen defenses, train employees, and reduce the risk of compromise.

GenAI Raises the Stakes

Attackers increasingly use large language models to write convincing phishing emails, mimic writing styles, and adapt messages to specific roles or industries. That means attackers can launch high-quality, targeted campaigns with little effort or expertise.

The rise of phishing-as-a-service (PhaaS) platforms has made matters worse. These kits bundle everything a cybercriminal needs: prebuilt phishing sites, templates tailored to impersonate brands, and tools that bypass two-factor authentication. In early 2025, more than one million PhaaS attacks were detected in just two months. One platform, Tycoon 2FA, accounted for nearly 90% of those attempts and used advanced obfuscation to hide malicious code.

AI also helps attackers avoid detection. Some tools use encryption or uncommon language characters to evade filters. Others can generate thousands of variations of a phishing message to test which ones reach inboxes.

These capabilities don’t just increase the volume of attacks but also the success rate. Social engineering has always relied on urgency, authority and emotional triggers. AI makes those tactics more scalable, convincing and precise.

Real or Fake?

Many AI-driven social engineering attacks still start with a phishing email. But the tactics and payloads have evolved. Instead of sloppy messages filled with typos, employees now receive well-written emails referencing real people, projects, or business tools. Some even include voice or video components created using deepfake technology.

Some attacks now unfold in multiple stages. In one recent case, attackers first sent several employees a wave of spam emails, just enough to seem like background noise. A few days later, the same employees got phone calls from people claiming to be from IT. The callers spoke fluent English and may have used deepfake voice tools to sound more convincing. They said they could stop the spam if the employees granted access to their machines. The scam might have worked, but the employees spotted the red flags and shut it down, relying on the training they had received.

Barracuda’s 2025 Email Threats Report highlights two fast-growing tactics attackers use to bypass defenses. Nearly one in four HTML attachments are malicious, often leading users to spoofed login pages that steal credentials. QR codes embedded in Microsoft Office and PDF documents are another rising threat. The report found that 83% of malicious Microsoft documents and 68% of malicious PDFs contained QR codes that redirect users to phishing websites. Because people often scan these codes with personal devices, the attacks can bypass corporate security tools and are harder to detect.

Attackers also exploit trust by compromising legitimate accounts. Once inside a mailbox, they can monitor email conversations, learn internal language patterns, and launch convincing messages from a trusted address. According to the report, about 20% of organizations experience at least one attempted or successful account takeover each month.

These examples all have one thing in common: they target people, not technology. They focus on the human inbox to slip through even well-defended perimeters. That means defense starts with awareness, education, and simple, repeatable habits.

How to Defend Against AI-Driven Social Engineering Attacks

First, train employees to recognize the signs of phishing and impersonation. Use real-world examples in simulations. Focus on red flags like unexpected file types, QR codes, login requests, and urgent messages involving money or passwords. Ensure employees know how to report a suspicious message, and reinforce that it's always better to double-check than assume.

Just as important, give employees a clear, trusted way to verify unexpected outreach, especially messages that claim to come from IT or company leadership. Whether it’s confirming over Slack, calling IT directly, or using another approved channel, a second step for validation can stop impersonation attacks before they do damage.

Second, implement technical controls that reduce risk even when someone makes a mistake. For example, multifactor authentication (MFA) helps block account takeovers even if hackers manage to steal credentials. Email filtering that can detect malicious attachments, spoofed domains, and unusual behavior patterns adds another critical layer of protection.

Third, tighten your domain security. Too many organizations still haven’t configured DMARC, SPF and DKIM to prevent spoofing. Nearly half of all email domains still lack proper authentication settings like DMARC, which makes it easier for hackers to spoof legitimate senders and impersonate trusted brands or colleagues.

Finally, don’t let security awareness stop at a one-time training for new hires. Reinforce good habits regularly. Use bite-sized updates, internal newsletters, or quick-check exercises to keep people on the alert. Social engineering attacks thrive on distraction and pressure, so employees are prepared to pause, verify, and think critically when something feels off.

People Are Foundational to Cybersecurity

AI has given cybercriminals powerful new tools, but their end goal is still tricking people into helping them slip past your organization’s defenses. That’s why you must center your defenses around human behavior. While every employee is a potential target, with the proper education, safeguards, and support, they become a strong first line of defense.