Social Engineering in 2025: Modern Tactics, Old Tricks
Cyberattacks have evolved, but one element remains unchanged: humans are still the weakest link. Even as organisations deploy firewalls, AI-based monitoring and zero-trust controls, attackers bypass all of it by targeting people, not systems. Social engineering now combines age-old psychological manipulation with modern tools such as AI-generated phishing, deepfake impersonation and multi-channel deception. This breakdown looks at how the attacks are evolving and how organisations, especially SMEs and startups, can protect themselves.
Srinivasan Mahalingam
November 26, 2025

In 2025, attackers don't break in; they log in, using human weakness, deepfakes and deception.
1. Why Social Engineering Is Rising in 2025
According to the latest Unit 42 Incident Response Report, 36% of the incidents it investigated between May 2024 and May 2025 began with social engineering.
What changed:
✅ Attackers are scaling with generative AI and LLMs
✅ Deepfake audio, video and text impersonation is becoming mainstream
✅ Traditional awareness training is no longer enough
Reference: Unit 42, CrowdStrike, KPMG, arXiv
2. Latest Phishing Methods
Phishing still accounts for nearly 65% of all social engineering attacks in 2025.
Key trends:
✅ Legitimate platforms used as delivery vectors (links to cloud-hosted files rather than attachments, because users and filters trust the host)
✅ Brand impersonation and targeted C-suite spear phishing
✅ AI-crafted emails with none of the spelling and grammar errors that filters and users were trained to spot
Reference: KnowBe4, Hoxhunt, ZeroThreat
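To show what the trends above look like at triage time, here is an added example, not code from the original article: a small Python routine that flags brand impersonation (including look-alike spellings of a brand in the sending domain), a Reply-To that steers replies to another domain, links into legitimate cloud-sharing hosts, and the pressure language the old-tricks section describes. The brand-to-domain map, the cloud-share host list and the three sample messages are constructed for the example; a real deployment would take the brand map from the organisation's own vendor records and feed the findings into a scoring pipeline or analyst queue rather than blocking mail on them alone.

```python
"""Heuristic phishing triage for the delivery trends listed above.

Added example for this article, not the page's own code. BRAND_DOMAINS,
CLOUD_SHARE_HOSTS and SAMPLES are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Brands the organisation receives mail from, with the domains they really
# send from. Constructed for the example; take this from vendor records.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "paypal": {"paypal.com"},
}

# Legitimate sharing platforms abused as delivery vectors because users and
# filters trust them. Constructed list.
CLOUD_SHARE_HOSTS = {"sharepoint.com", "onedrive.live.com", "drive.google.com",
                     "dropbox.com", "box.com", "1drv.ms"}

URL_RE = re.compile(r'https?://([^/\s<>"]+)', re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(urgent|immediately|within \d+ hours?|final notice)\b",
                        re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike spellings (paypa1, micros0ft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def belongs_to(domain: str, real_domains: set) -> bool:
    """True if domain equals, or is a subdomain of, one of real_domains."""
    return any(domain == r or domain.endswith("." + r) for r in real_domains)


def triage(msg: dict) -> list:
    """Return indicator strings for one message (keys: from, reply_to, subject, body)."""
    findings = []
    display, addr = parseaddr(msg["from"])
    sender_domain = domain_of(addr)
    # Host labels minus the TLD, split on hyphens: paypa1-billing.example -> paypa1, billing
    tokens = [t for label in sender_domain.split(".")[:-1] for t in label.split("-") if t]
    claimed_text = f"{display} {addr}".lower()

    # 1. Brand impersonation: the message claims a brand, by name or by a
    #    look-alike spelling, but does not come from that brand's domains.
    for brand, real in BRAND_DOMAINS.items():
        look_alike = any(len(t) >= len(brand) - 2 and 0 < levenshtein(t, brand) <= 2
                         for t in tokens)
        if (brand in claimed_text or look_alike) and not belongs_to(sender_domain, real):
            findings.append(f"brand-impersonation:{brand}:{sender_domain}")

    # 2. Reply-To steering replies to a different domain: a BEC / spear-phishing tell.
    _, reply = parseaddr(msg.get("reply_to") or "")
    if reply and domain_of(reply) != sender_domain:
        findings.append(f"reply-to-mismatch:{domain_of(reply)}")

    # 3. Links into legitimate cloud-sharing platforms: delivery by link, not
    #    attachment. Context for the analyst, not proof of malice by itself.
    for host in URL_RE.findall(msg["body"]):
        host = host.lower().split(":")[0]
        if belongs_to(host, CLOUD_SHARE_HOSTS):
            findings.append(f"cloud-share-link:{host}")

    # 4. Pressure language (the urgency trick).
    if URGENCY_RE.search(msg["subject"] + " " + msg["body"]):
        findings.append("urgency-language")
    return findings


# Constructed sample messages, not real mail.
SAMPLES = [
    {"from": "Microsoft account team <account-security-noreply@accountprotection.microsoft.com>",
     "subject": "Your monthly activity summary",
     "body": "Here is your monthly activity summary: https://account.microsoft.com/activity"},
    {"from": "DocuSign <no-reply@docusign-secure-mail.example>",
     "reply_to": "Finance Desk <finance.desk@outlook.com>",
     "subject": "URGENT: Contract awaiting your signature",
     "body": "Review and sign within 24 hours: https://acme-corp.sharepoint.com/:b:/s/Shared/abc"},
    {"from": "Billing Support <service@paypa1-billing.example>",
     "subject": "Final notice: your account will be limited",
     "body": "Confirm your identity: https://paypa1-billing.example/verify"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m) or "no indicators")
```

The look-alike check only runs on labels of the sending domain, so a legitimate "microsoft.com" sender never trips it, while the third sample is flagged even though the word "PayPal" appears nowhere in the display name or address. Note that this is deliberately signature-free: none of the checks depend on a known-bad URL or template, which is exactly what AI-generated phishing defeats.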
3. Rise of Vishing, Smishing and Voice Impersonation
Vishing attacks grew by 449% in 2025. Attackers phone employees posing as IT support, vendors or leadership and ask for credentials, one-time codes or remote access.
Example:
✅ Fake IT support asking the employee to install a remote-desktop tool or read back a one-time code.
Reference: KnowBe4
4. Pretexting & Impersonation
Attackers build a believable scenario, such as a CEO request, a vendor bank-detail update or a payroll change, to manipulate employees into acting on it.
Reference: Verizon DBIR
5. Deepfake-Driven Attacks: The New Frontier
Deepfake audio, video and live impersonation now make social engineering nearly indistinguishable from legitimate communication.
Examples:
✅ A deepfaked CTO instructing staff to change access rights
✅ AI-generated video calls impersonating executives
✅ Fake social-media profiles populated with GenAI content
Reference: Reality Defender, CrowdStrike, KPMG
6. Old Tricks Still Work, and Here's Why
Attackers continue to exploit core human biases:
✅ Authority ("This is the CFO. Approve this now.")
✅ Urgency ("You must act immediately.")
✅ Familiarity ("We spoke last week; please confirm.")
✅ Social proof ("Others have already approved this.")
Despite advances in technology, people remain the primary vulnerability.
7. Prevention Strategies: Technical Controls
✅ Enforce MFA on every account, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) for privileged and finance users: one-time codes and push prompts can be relayed through a real-time phishing proxy or worn down by repeated prompts
✅ Use behaviour-based anomaly detection for phishing (unusual sender, Reply-To, link-host and login patterns rather than signatures alone)
✅ Implement Zero Trust and least privilege, so a phished account cannot reach everything
✅ Deploy deepfake detection and voice biometrics, but treat them as signals rather than authenticators: cloned voices are the very thing being defended against, so a callback to a number already on file remains the decisive check
✅ Run regular simulations (phishing, vishing and deepfake scenarios)
8. Governance & Process Controls
✅ Mandatory out-of-band verification for financial approvals and bank-detail changes, using contact details already on file and never those supplied in the request
✅ Incident response playbooks for social engineering
✅ Vendor risk management & supply chain checks
✅ Regular cybersecurity assessments aligned with transformation projects
9. People & Culture
✅ Replace annual training with ongoing awareness
✅ Encourage reporting of suspicious calls and emails
✅ Run red-team or tabletop simulations
✅ Provide SME/startup-specific training modules
10. Tailored Controls for SMEs & Startups
SMEs are increasingly targeted because they have weaker controls and smaller teams.
Recommendations:
✅ Use cost-effective managed security services
✅ Adopt a vCISO for governance & gap analysis
✅ Prepare for deepfake call scenarios
✅ Implement basic but strong verification workflows
11. Mapping Key Services to Social Engineering Risks
✅ Managed Security Services → Detect human-layer threats
✅ Cybersecurity Assessment → Identify weak points in processes
✅ vCISO → Strategic oversight for SMEs/startups
✅ Data Privacy & Protection → Prevent unauthorised access to personal data
✅ GRC & ISO Audits → Strengthen governance & compliance
✅ Incident Response → Reduce the impact of social engineering breaches
✅ Cloud Security → Prevent misconfigurations exploited through human vectors
✅ Security Awareness Training → Build resilience
12. Your 90-Day Action Plan
✅ Conduct a social engineering risk assessment
✅ Roll out verification procedures for key actions
✅ Train employees on vishing, smishing & deepfake scenarios
✅ Run phone, video & email simulations
✅ Review cloud access, MFA & vendor controls
✅ Conduct IR drills for impersonation events
✅ Engage a vCISO or MSSP if you're an SME/startup
✅ Align risk assessments with ISO 27001 & GDPR
✅ Track KPIs: simulation click rate, report rate (and time to first report), detection rate
Conclusion
In 2025, attackers use sophisticated AI tools to exploit timeless human weaknesses. Organisations cannot rely solely on firewalls or compliance documents. A modern defence must combine technology, governance, culture and verification.
Strengthening social engineering resilience requires a human-centric approach, and partnering with experts like Habilesec can accelerate that journey.
