Social engineering has been part of the attacker’s toolkit since long before anyone coined the term. What has changed in recent years is the sophistication of the tools available, the quality of the pretexts attackers construct, and the speed at which campaigns can be deployed. In 2025, your employees are the target and the attacks are better than ever.
Technical controls stop technical attacks. They have limited impact on a well-crafted pretexting call that convinces a staff member to reset an account, transfer funds, or install software that ‘IT sent over.’ Understanding the current landscape helps security teams and employees recognise attacks before they succeed.
AI-Enhanced Phishing
The tell-tale signs of phishing (poor grammar, generic salutations, implausible scenarios) have largely disappeared from targeted campaigns. Large language models now produce fluent, contextually appropriate phishing content at scale. Attackers feed them LinkedIn profiles, company websites, and email chain samples to generate emails indistinguishable from legitimate business correspondence.
Voice cloning has raised the stakes further. Deepfake audio generated from a few seconds of source material can convincingly impersonate executives, suppliers, or IT staff. Vishing (voice phishing) calls using cloned voices have already been used in financial fraud cases. The technology is accessible and improving rapidly.
Business Email Compromise
Business email compromise (BEC) remains one of the highest-value attack categories. Attackers either compromise a legitimate email account or create convincing spoofs and use them to redirect payments, request gift card purchases, or manipulate internal processes.
The most effective BEC attacks involve a period of mailbox access during which the attacker monitors legitimate conversations, identifies payment requests, and times their intervention to match real business processes. By the time the fraud is discovered, the funds are gone.

Pretexting and Impersonation
Pretexting attacks create a fictional scenario (an IT support call, a vendor onboarding process, a compliance requirement) designed to extract information or gain access. The attacker researches their target thoroughly first, gathering names, job titles, and operational details from open sources.
Help desk attacks are particularly effective. Social engineers call as employees needing urgent account access: lost tokens, locked accounts, travel emergencies. Understaffed, time-pressured help desks are vulnerable to well-constructed urgency narratives.
Web application penetration testing often incorporates a social engineering element that tests how well your authentication reset and account management processes hold up under pressure. These findings are often as important as the technical vulnerabilities discovered.
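One way to make a help desk reset process hold up under the urgency narratives described above is to encode the verification rules rather than leave them to the analyst's judgement on the call. The following is an added example, not code from the article or from any product it mentions; the directory entries, step names and the `evaluate_reset` policy are constructed for illustration. The point it demonstrates is that inbound caller ID is never treated as proof of identity, that resetting MFA needs an independent approver, and that a claimed emergency adds review instead of removing it.

```python
from dataclasses import dataclass, field

# Constructed directory of what the help desk has on file; a real system would
# query the HR or identity directory instead.
DIRECTORY = {
    "j.smith": {"phone_on_file": "+44 20 0000 0001", "manager": "a.jones"},
    "a.jones": {"phone_on_file": "+44 20 0000 0002", "manager": "c.lee"},
}


@dataclass
class ResetRequest:
    username: str
    action: str            # "unlock", "password_reset" or "mfa_reset"
    caller_id: str         # number presented by the phone system; spoofable
    urgency_claimed: bool  # "I'm at the airport and locked out"


@dataclass
class Decision:
    proceed: bool
    required_steps: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def evaluate_reset(req: ResetRequest) -> Decision:
    """Return the verification steps the analyst must complete before acting.

    proceed=False means the request is refused outright; proceed=True means it
    may be actioned only once every step in required_steps is done.
    """
    record = DIRECTORY.get(req.username)
    if record is None:
        return Decision(False, notes=["username not in directory; do not reset anything"])
    if req.action not in ("unlock", "password_reset", "mfa_reset"):
        return Decision(False, notes=[f"unsupported action {req.action!r}"])

    # Inbound caller ID is never a verification factor: it can be spoofed.
    # The analyst ends the call and rings the number on file instead.
    steps = ["callback_to_number_on_file"]
    notes = []
    if req.caller_id == record["phone_on_file"]:
        notes.append("caller ID matches file but is not proof of identity")
    else:
        notes.append("caller ID does not match file")

    # Resetting MFA removes a control, so it needs a second, independent approver
    # and the new factor is issued through a channel the caller does not choose.
    if req.action == "mfa_reset":
        steps.append(f"manager_approval:{record['manager']}")
        steps.append("reissue_factor_in_person_or_via_registered_device")

    # Claimed urgency is the core of the pretext; it raises scrutiny, never lowers it.
    if req.urgency_claimed:
        steps.append("supervisor_review_before_action")
        notes.append("urgency claimed: do not shortcut verification")

    steps.append("ticket_with_verification_evidence")
    return Decision(True, steps, notes)


if __name__ == "__main__":
    # Constructed call: known user, MFA reset, caller ID matches, "travel emergency".
    d = evaluate_reset(ResetRequest("j.smith", "mfa_reset", "+44 20 0000 0001", True))
    print("proceed:", d.proceed)
    for step in d.required_steps:
        print("  step:", step)
    for note in d.notes:
        print("  note:", note)
```

The same function is what a social engineering test exercises: the tester's pretext succeeds only if an analyst skips a step the policy requires, which turns a vague "the help desk was talked into it" finding into a specific process gap.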
Building Effective Defences
Awareness training is necessary but not sufficient. Employees who understand social engineering tactics make better decisions. But training must reflect current attack patterns, not dated phishing templates, and must be reinforced regularly rather than delivered once a year.
Process controls reduce exposure. Payment authorisation processes that require out-of-band verification for new payees or changes to existing ones are one of the most effective controls against BEC. The verification call to a known number does not cost much; the fraud it prevents can run to hundreds of thousands.
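The out-of-band verification control above can be written down as a small gate in the payments workflow. The following is an added example, not code from the article or from any accounts-payable product; the verified-payee register, the request fields and the function names are constructed for illustration. It classifies each payment request against a register of payees whose bank details have already been confirmed by a call to a known number, holds anything that is a new payee or a change to existing details, and only updates the register after that call has happened.

```python
from dataclasses import dataclass

# Constructed register of payees whose bank details finance has already
# confirmed out of band. A real system would hold this in the ERP/AP platform.
VERIFIED_PAYEES = {
    "Acme Supplies Ltd": ("00-00-01", "11111111"),
    "Northwind Hosting": ("00-00-02", "22222222"),
}

HOLD = "hold_for_oob_verification"
RELEASE = "release"


@dataclass
class PaymentRequest:
    payee: str
    sort_code: str
    account: str
    amount: float
    source: str  # channel the request arrived on, e.g. "email" or "portal"


def check_payment(req: PaymentRequest, register=None):
    """Classify a request as releasable or needing an out-of-band check.

    Returns (status, reason). The only trusted input is the register;
    nothing in the request's own text, headers or attachments counts as
    verification, because a BEC request is built to look legitimate.
    """
    register = VERIFIED_PAYEES if register is None else register
    known = register.get(req.payee)
    if known is None:
        return HOLD, "new payee: confirm details by phone to a number obtained independently of the request"
    if known != (req.sort_code, req.account):
        return HOLD, "bank details differ from the verified record: treat as a change of details, not a payment"
    return RELEASE, "payee and bank details match the verified register"


def confirm_out_of_band(req: PaymentRequest, register=None):
    """Record that finance has spoken to the payee on a known number.

    Only this call, never the payment request itself, updates the register.
    """
    register = VERIFIED_PAYEES if register is None else register
    register[req.payee] = (req.sort_code, req.account)


def triage(requests, register=None):
    """Split a batch into releasable requests and those held for verification."""
    release, held = [], []
    for req in requests:
        status, reason = check_payment(req, register)
        (release if status == RELEASE else held).append((req, reason))
    return release, held


if __name__ == "__main__":
    # Constructed batch: one routine invoice, one "we have updated our bank
    # details" request of the kind BEC attackers send, and one brand-new payee.
    batch = [
        PaymentRequest("Acme Supplies Ltd", "00-00-01", "11111111", 4200.00, "portal"),
        PaymentRequest("Acme Supplies Ltd", "99-99-99", "88888888", 4200.00, "email"),
        PaymentRequest("Brand New Vendor", "00-00-09", "99999999", 150.00, "email"),
    ]
    release, held = triage(batch)
    for req, reason in held:
        print(f"HOLD    {req.payee:<20} {reason}")
    for req, reason in release:
        print(f"RELEASE {req.payee:<20} {reason}")
```

The second request in the batch is the one that matters: the payee name is familiar and the amount is routine, so a content-based review passes it, but the register comparison holds it because the details changed. That is the gap the verification call to a known number closes.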
Simulate to test. Running controlled phishing simulations and vishing exercises gives you data on where the vulnerabilities actually are. If you want to understand your human risk surface, getting a penetration test quote from a firm that includes social engineering testing provides that baseline.
The technical and human attack surfaces are not separate. Attackers move between them fluidly. The most resilient organisations defend both with the same rigour.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“Social engineering has become dramatically more convincing with AI tooling. We have seen vishing and phishing campaigns that fool experienced security professionals. Organisations cannot rely on employees ‘just knowing’ what an attack looks like.”

