
Social engineering trends and the impact of AI
AI-driven social engineering has reached industrial levels in 2026. Attackers use deepfakes and multi-channel tactics to bypass modern MFA setups.
The architecture of contemporary social engineering
The landscape of social engineering has shifted from primitive, isolated attempts to highly coordinated, multi-channel engineering projects. The integration of Artificial Intelligence (AI) into the attacker lifecycle has optimized the delivery and success rate of these campaigns. Data indicates that social engineering is no longer a peripheral threat but the central mechanism for breaching hardened perimeters. The technical barrier to entry has dropped while the precision of attacks has reached industrial levels.
The role of AI in offensive workflows
AI serves as a force multiplier for deception. Generative AI allows a single operator to execute hundreds of simultaneous, customized campaigns tailored to the specific digital footprints of individual targets. According to academic research published in 2024, AI-generated spear-phishing emails achieve a click-through rate of 54%, compared to just 12% for conventionally written messages - a performance gap that underscores how thoroughly AI has disrupted the economics of social engineering. This is largely due to the elimination of linguistic errors and the ability to maintain consistent, emotionally intelligent personas across long-form interactions.
Technical analysis of phishing traffic between September 2024 and February 2025 reveals that 82.6% of all analyzed phishing emails utilized AI in some capacity - a 53.5% year-on-year increase. These systems are used to build high-fidelity deepfake video calls and voice clones, targeting human trust rather than hardware vulnerabilities. Voice cloning is particularly efficient; attackers can replicate a specific individual's voice using as little as 10 seconds of captured audio. The danger is no longer theoretical. In 2020, a branch manager of a Japanese company received what he believed to be a voice call from his parent company's director; the audio had been cloned using AI, and the manager subsequently authorized a $35 million wire transfer. In early 2024, a separate Hong Kong incident demonstrated the next evolution of the threat: a finance employee was deceived during a deepfake video conference call featuring AI-generated likenesses of multiple colleagues, leading to a $25 million loss.
Multi-channel coordination and the decline of email dominance
Traditional defense strategies focused heavily on email security. However, empirical data from 2025 shows a significant shift in initial access methods. According to Mandiant's M-Trends 2026 report, email phishing dropped to 6% of confirmed intrusion cases, while voice phishing (vishing) rose to 11% overall and 23% in cloud-related compromises. Modern campaigns utilize a layered approach, weaving context across multiple platforms including SMS, Microsoft Teams, Slack, and direct voice calls.
Layered attack vectors
One documented tactic involves a high-volume email 'bombing' where a target's inbox is flooded with thousands of legitimate subscription confirmations. While the target is distracted by the noise, the attacker initiates a voice call posing as IT support to 'assist' with the issue. This creates a high-pressure environment where the victim is more likely to surrender credentials or grant remote access. In 2026, over one-third of social engineering incidents involve these non-email vectors.
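Defenders can correlate the two halves of this tactic. The Python below is an added example, not part of the original article: it flags a user whose inbox receives mail from many distinct sender domains in a short window and who is then contacted by external Teams chat or an inbound call. The event field names, event kinds, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; adjust to the environment's normal mail volume.
BURST_WINDOW = timedelta(minutes=10)      # sliding window for the mail flood
BURST_MIN_DOMAINS = 5                     # distinct sender domains in the window
FOLLOWUP_WINDOW = timedelta(minutes=60)   # how long after a flood a contact is suspect
CONTACT_KINDS = {"teams_external_chat", "inbound_call"}  # hypothetical event kinds

def detect_bomb_then_contact(events):
    """Return (user, kind, source, ts) for contacts that closely follow a mail flood."""
    recent_mail = defaultdict(deque)  # user -> (ts, sender domain) inside BURST_WINDOW
    last_flood = {}                   # user -> time the flood threshold was last met
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["kind"] == "mail":
            window = recent_mail[user]
            window.append((ts, ev["source"].rsplit("@", 1)[-1].lower()))
            while ts - window[0][0] > BURST_WINDOW:
                window.popleft()
            if len({domain for _, domain in window}) >= BURST_MIN_DOMAINS:
                last_flood[user] = ts
        elif ev["kind"] in CONTACT_KINDS and user in last_flood:
            if ts - last_flood[user] <= FOLLOWUP_WINDOW:
                alerts.append((user, ev["kind"], ev["source"], ts))
    return alerts

def sample_time(minute):
    return datetime(2026, 1, 15, 9, 0) + timedelta(minutes=minute)

def sample_flood(user):
    # Six confirmations from six different list domains within three minutes.
    return [{"ts": sample_time(i / 2), "user": user, "kind": "mail",
             "source": f"noreply@list{i}.example"} for i in range(6)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = sample_flood("alice") + sample_flood("carol") + [
    {"ts": sample_time(15), "user": "alice", "kind": "teams_external_chat",
     "source": "it-support@external.example"},
    {"ts": sample_time(1), "user": "bob", "kind": "mail", "source": "news@shop.example"},
    {"ts": sample_time(5), "user": "bob", "kind": "inbound_call", "source": "+10000000000"},
    {"ts": sample_time(240), "user": "carol", "kind": "inbound_call", "source": "+10000000000"},
]

if __name__ == "__main__":
    for alert in detect_bomb_then_contact(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Only alice is flagged: bob never crosses the distinct-domain threshold, and carol's call arrives hours after her flood, outside the follow-up window.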
Specific technical exploits have also seen rapid adoption:
- ClickFix attacks: These involve tricking users into copying and pasting malicious commands into their browsers via fake CAPTCHA or security prompts. According to ESET's H1 2025 Threat Report, this vector surged by 517% between the second half of 2024 and the first half of 2025, accounting for nearly 8% of all blocked attacks during that period.
- Swipe-up mobile exploits: Attackers use mobile UI behavior to hide address bars. A user clicks a trusted shortened link, but after scrolling, the malicious URL remains hidden, making the site appear legitimate.
- Tokenized access blocking: Phishing pages now use tokenization to identify and block security scanners and researchers, ensuring the malicious site remains active longer.
Targeting IT infrastructure and identity management
A primary objective in 2026 is the bypass of multi-factor authentication (MFA). Attackers have shifted focus toward IT helpdesk staff and system administrators. By impersonating internal support personnel, attackers convince employees to reset MFA tokens or share session cookies. The group Black Basta has been identified using legitimate Microsoft Teams sessions to establish rapport and impersonate internal agents. In Q1 2025, 60.7% of failed phishing simulations involved impersonation of internal teams, with 49.7% specifically targeting Human Resources (HR) departments.
The professionalization of the criminal ecosystem
The industrialization of social engineering is supported by a robust Phishing-as-a-Service (PhaaS) economy. Platforms such as SheByte provide subscription-based kits for approximately $200 per month. These services provide templates, fake website builders, and voice spoofing tools that were previously the domain of nation-state actors. This professionalization allows for surgical targeting of high-value individuals with privileged access, particularly in manufacturing, healthcare, and biotech. Manufacturing remains the most targeted sector, representing 26% of all incidents.
Statistical analysis of impact and behavior
The financial consequences of social engineering continue to escalate. The FBI's Internet Crime Complaint Center recorded $16.6 billion in losses in 2024, a 33% increase over the previous year. Business Email Compromise (BEC) remains one of the most lucrative vectors, generating $2.77 billion in reported losses in 2024 alone. At the breach level, IBM's 2024 Cost of a Data Breach Report found that phishing and BEC rank among the costliest initial attack vectors, with the global average cost of a data breach reaching $4.88 million - the largest year-on-year increase since the pandemic.
User behavior metrics suggest a persistent gap in defensive capabilities:
- Only 20% of users successfully recognize and report phishing attempts in simulation environments.
- The median time to click a malicious link is 21 seconds.
- 71% of users admit to engaging in risky security actions they know to be dangerous.
- 60% of successful social engineering attacks result in data leaks.
As of 2024, the global average cost of a data breach stands at $4.88 million, while the United States recorded an average of $9.36 million per breach - the highest of any country surveyed. These figures highlight the fiscal necessity of moving beyond human-centric trust models toward technical architectures that assume identity compromise as a baseline condition. The engineering challenge for the coming years lies in developing automated detection systems capable of matching the speed and sophistication of AI-driven deception.
Key takeaways
- Voice phishing surpassed email in 2025 as the primary initial access method for cloud-related compromises, accounting for 23% of cloud intrusions (Mandiant M-Trends 2026).
- AI-generated spear-phishing emails achieve a 54% click-through rate, compared to just 12% for human-written messages - more than four times the effectiveness (Harvard, 2024).
- 82.6% of analyzed phishing emails between September 2024 and February 2025 utilized generative AI components, a 53.5% year-on-year increase.
- ClickFix attacks, involving malicious command injection through fake CAPTCHA browser prompts, increased by 517% between H2 2024 and H1 2025 (ESET).
- Financial losses from reported cybercrime reached $16.6 billion in 2024, a 33% year-on-year increase (FBI IC3 Annual Report 2024).
- Voice cloning technology now requires as little as 10 seconds of source audio to produce a usable replica of a target's vocal profile.
- The global average cost of a data breach reached $4.88 million in 2024, the largest year-on-year increase since the pandemic; the US average stood at $9.36 million (IBM Cost of a Data Breach Report 2024).
Sources
- FBI Internet Crime Complaint Center – 2024 Annual Report: https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
- IBM Cost of a Data Breach Report 2024: https://www.ibm.com/think/insights/whats-new-2024-cost-of-a-data-breach-report
- Mandiant M-Trends 2026 (Google Cloud): https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/
- ESET H1 2025 Threat Report (via Infosecurity Magazine): https://www.infosecurity-magazine.com/news/clickfix-attacks-surge-2025/
- Zensec – Phishing Statistics 2025–2026: https://zensec.co.uk/blog/2025-phishing-statistics-the-alarming-rise-in-attacks/

