Introduction
For years, phishing emails drove most social engineering attacks. That has changed. According to Mandiant’s M-Trends 2026 report, based on over 500,000 hours of incident response work, voice phishing has overtaken email as the primary social engineering vector. Email phishing dropped to just 6% of confirmed initial access methods in 2025. Voice phishing rose to 11%, and in cloud-related compromises it reached 23%.
The shift matters. It means the attackers who succeed most often are not sending bulk emails. They are calling help desks, impersonating employees, and talking their way past identity checks in real time. Many of these intrusions leave no malware trace at all. They succeed because someone believed a request was legitimate.
Social engineering remains the attacker’s preferred starting point. Unit 42’s 2025 incident response data found that 36% of all cases began with a social engineering tactic. What makes it dangerous is not the technology behind it, but how easily it fits into everyday work. A password reset, a supplier payment update, a browser security prompt. Each looks routine. Each can be the start of a compromise.
This report covers how social engineering has changed in the past year, what the latest incident data reveals, and what leaders can do to reduce its impact. It includes real-world cases, process-level controls, detection metrics, and a 30-day action plan.
Behind almost every major breach, there is a human story. One decision, one call, or one moment of misplaced trust that changed everything.
How Social Engineering Works in 2026
Social engineering works because it does not look like an attack. It feels normal. A call from IT support, a supplier email, a browser prompt asking you to install a security update. Each seems routine. Each can be the start of a compromise.
Attackers use one clear advantage: human trust. They study how people work, the tools they use, and the habits they follow every day. Then they build stories that fit those patterns. The goal is to make a small request that seems harmless. Reset a password. Approve a login. Confirm a payment.
Once that trust is gained, everything else follows. Access is granted, credentials are harvested, and security alerts are often ignored because the activity looks legitimate. In many cases, no malware is deployed. The attackers use the same tools as the employees they impersonate: email, Teams, VPN portals, and identity platforms.
Three forms dominate in 2026:
High-touch manipulation. Attackers interact directly with staff, primarily by phone. They call IT help desks and finance teams, using real-time voice to reset MFA tokens, unlock accounts, or change payment details. Mandiant’s M-Trends 2026 report documents groups like Scattered Spider (UNC3944) escalating from a single help desk call to full domain admin access in under 40 minutes, using no malware at all.
Browser and search-based deception. Automated lures reach users through fake browser prompts, search engine poisoning, and fraudulent system messages. A growing category known as ClickFix attacks deserves particular attention. These campaigns present users with a fake error message or CAPTCHA page and instruct them to “fix” the problem by copying and running a command, often a PowerShell script. The user initiates the action themselves, which means endpoint controls and web filters may not catch it. The browser is replacing the inbox as the most exploited entry point.
Supply chain impersonation. Some groups now chain multiple tactics together. The ShinyHunters operation, documented extensively in Mandiant’s 2026 report, used voice phishing to compromise credentials at third-party SaaS vendors, then harvested OAuth tokens and session cookies to pivot into downstream customer environments. What began as a phone call to one organisation ended in data theft across many.
Each of these methods takes advantage of process, not code. They exploit how organisations manage identity, approve access, and respond to urgency. The weakness is not the system. It is the workflow itself.
Why Social Engineering Keeps Winning
Technical defences have never been stronger. Firewalls, endpoint protection, and advanced monitoring are now standard. Yet social engineering keeps breaking through. The reason is simple: technology can’t patch human behaviour.
Attackers don’t need to find software flaws when they can exploit trust, pressure, or routine. They focus on how people respond, not how systems work. That makes these attacks faster, cheaper, and often invisible to security tools.

Several factors explain why this tactic still dominates in 2026:
1. Alert fatigue and missed signals. Security teams face a flood of alerts every day. When thousands of notifications compete for attention, small anomalies get lost. Attackers know this. They mimic legitimate logins and user behaviour so their actions blend in. What looks like a normal access request can be a full compromise in progress. The window for response is shrinking fast. Mandiant’s M-Trends 2026 report found that the median time between initial access and hand-off to a second threat actor collapsed from over eight hours in 2022 to 22 seconds in 2025. By the time a SOC analyst reads the alert, the access may already have been passed to a ransomware operator.
2. Over-permitted accounts. Many employees have more access than they need. When one of those accounts is compromised, the attacker inherits all its privileges. That single mistake can give them control over email systems, shared drives, or cloud dashboards.
3. Inconsistent identity verification. Help desks and approval processes are often built for speed, not scrutiny. If a request sounds urgent or convincing, it is easy to bypass normal checks. Attackers exploit this by pretending to be executives, suppliers, or even auditors.
4. The pressure to respond quickly. Modern business moves fast. Messages marked as “urgent” get priority. Criminals use this to push employees into decisions before they have time to verify. A payment request, a password reset, or a new meeting link can all look routine under pressure.
5. AI-enhanced deception, but not in the way most people think. Artificial intelligence is now part of the attacker’s toolkit for social engineering. Criminals use AI tools to personalise phishing lures, clone voices, and build more convincing pretexts. Purpose-built criminal platforms, not consumer tools like ChatGPT, are being commercialised for this. Phishing-as-a-service kits with AI-generated templates now cost as little as $200 per month on criminal forums.
However, the picture is more nuanced than the headlines suggest. Mandiant’s assessment in M-Trends 2026 is clear: 2025 was not the year where breaches were the direct result of AI. The vast majority of successful intrusions still stem from human and systemic failures, things like weak identity verification, over-permitted accounts, and inconsistent MFA. AI makes social engineering faster and more convincing, but the underlying weaknesses it exploits are the same ones that existed before AI entered the picture.
This matters for how you invest. The answer is not to panic about AI-generated deepfakes. The answer is to fix the process gaps that attackers, with or without AI, continue to walk through.
The New Tactics and Trends of 2026
Social engineering is evolving. The channels are changing, the speed is increasing, and the line between criminal and state-sponsored activity is harder to draw. Below are the five clearest shifts we see heading into 2026, drawn from incident data rather than speculation.
1. Voice phishing overtakes email
For the first time, voice phishing has displaced email as the dominant social engineering method in confirmed incidents. Mandiant’s M-Trends 2026 report records email phishing at just 6% of initial access vectors, down from a much larger share in previous years. Voice phishing rose to 11% overall, and 23% in cloud-related compromises.
Separately, CrowdStrike recorded a 442% increase in vishing attacks in the second half of 2024 compared to the first half.
This is not a small shift. It means that organisations whose detection, training, and verification processes are built around email are increasingly misaligned with how attacks actually arrive. Phone calls bypass spam filters, email authentication, and most endpoint controls. They exploit trust in the moment, not through a link someone can inspect later.
What to watch: Unexpected calls requesting MFA resets, password changes, or device registrations. Callers who know your internal process language. Any helpdesk interaction that results in a privilege change.
2. ClickFix and browser-based attacks
A growing category of social engineering now targets users through their browser rather than their inbox. ClickFix campaigns present victims with a fake error message, CAPTCHA page, or “security update required” prompt. The page instructs the user to copy a command and paste it into a system dialog, typically PowerShell on Windows.
The user initiates the action themselves. Because there is no malicious attachment or link to scan, many web and endpoint controls do not flag it early. The user becomes the execution engine for the attacker’s payload.
Security researchers at Red Canary and elsewhere have identified the browser as overtaking email as phishing’s most exploited entry point in 2026. These campaigns use search engine poisoning, look-alike download pages, and social media distribution to reach targets.
What to watch: “Click to fix” browser popups, search results leading to unfamiliar download pages, and any prompt asking a user to run a command or script they did not initiate.
3. AI as a force multiplier, not a root cause
AI is now embedded in attacker workflows for social engineering. Criminals use large language models to write personalised lures, generate convincing pretexts, and shift from mass campaigns toward rapport-building conversations tailored to individual targets.
Purpose-built criminal AI tools are more concerning than misuse of consumer AI products. Platforms like SheByte, a phishing-as-a-service kit available on the criminal underground, automate the creation of phishing sites using AI-generated templates. Deepfake voice and video tools are increasingly woven across entire attack chains rather than used as standalone tricks.
That said, Mandiant’s frontline assessment in M-Trends 2026 provides an important corrective to the hype: AI is not yet the root cause of most breaches. The majority of successful intrusions in 2025 still stemmed from fundamental human and systemic failures. Weak identity verification, excessive permissions, and poor logging remain the primary reasons social engineering works.
AI raises the ceiling of what attackers can do. But the floor, the basic process gaps that most attacks exploit, has not changed.
What to watch: Highly personalised voice calls or messages that reference real internal details. Lures that adapt tone and context mid-conversation. Synthetic media used to impersonate executives or trusted contacts.
4. Industrialised access brokering
Social engineering incidents are no longer standalone events. In a growing number of cases, the group that gains initial access is not the same group that carries out the follow-on attack.
Mandiant’s M-Trends 2026 report documents a clear division-of-labour model: one cluster gains access through social engineering, then hands it to a separate cluster for data theft, ransomware, or fraud. This pattern appeared in 9% of 2025 investigations, up from 4% in 2022. The median hand-off time between initial access and transfer to a second group has collapsed from over eight hours to 22 seconds.
Groups like ShinyHunters exemplify this model. Using vishing campaigns, they compromise credentials at SaaS vendors, harvest OAuth tokens and session cookies, then use those secrets to pivot into downstream customer environments for large-scale data theft. Victims later receive extortion notes.
The practical implication is important: a social engineering incident at a single employee’s account is no longer contained to that account. It can be the entry point for a chain of compromises across connected systems and organisations.
What to watch: Any social engineering attempt, even one that appears to fail, should be treated as a potential precursor to a broader operation. Monitor for credential reuse, unusual OAuth consent grants, and lateral movement into connected platforms.
5. Recovery denial as the new endgame
Ransomware groups have moved beyond encrypting files and demanding payment. In 2025, Mandiant documented a systematic shift toward what analysts now call recovery denial: attackers deliberately destroy the infrastructure organisations need to recover before deploying ransomware.
This includes targeting backup systems, identity services, virtualisation management planes, and credential vaults. In documented cases, attackers wiped millions of backup objects from cloud storage, encrypted datastore files at the hypervisor level, and forced password changes on privileged accounts to lock defenders out of emergency access.
The connection to social engineering is direct. The initial foothold that enables these operations is often a vishing call to a help desk, a compromised set of credentials obtained through impersonation, or an OAuth token harvested after a social engineering campaign against a SaaS vendor.
When social engineering leads to credential compromise, and that compromise leads to the destruction of recovery capability, the business impact is no longer a data breach. It is an operational crisis.
What to watch: Any social engineering attempt targeting accounts with access to backup systems, identity infrastructure, or virtualisation management. Unusual activity on break-glass accounts or credential vaults.
What This Looks Like in Practice
The trends above are not theoretical. Below are three incidents from 2025 that illustrate how social engineering drives real compromise, and how the business impact extends far beyond the initial phone call or message.
Coinbase: bribed insiders, targeted social engineering
In May 2025, Coinbase confirmed that cybercriminals had bribed overseas support staff to leak sensitive customer data, including names, dates of birth, email addresses, and partial Social Security numbers. The attackers then used this data to run highly targeted social engineering campaigns against Coinbase customers.
When the attackers demanded a $20 million ransom, Coinbase refused and instead offered a bounty for information leading to their arrest. The estimated cost of customer reimbursements ran into hundreds of millions of dollars.
The lesson is uncomfortable but clear: the insider threat and the social engineering threat are not separate problems. One enables the other.
ShinyHunters: vishing into the SaaS supply chain
Throughout 2025, a cluster tracked by Mandiant used voice phishing to compromise credentials at third-party SaaS vendors. Once inside, the attackers harvested OAuth tokens, session cookies, and hard-coded access keys. They then used these secrets to pivot into downstream customer environments, including major enterprises.
No malware was deployed. No software vulnerability was exploited. The entire operation ran on phone calls, trust, and the persistent access that SaaS tokens provide. Victims received extortion notes branded under the ShinyHunters name.
This case illustrates why third-party risk assessments must account for social engineering, not just technical controls. The weakest link was not a firewall or an unpatched server. It was a person who answered the phone.
UK retailers: Scattered Spider and DragonForce
In 2025, the group known as Scattered Spider (tracked by Mandiant as UNC3944) compromised multiple well-known UK retailers. Initial access was gained through social engineering of help desk staff, a pattern this group has used consistently since its attacks on Las Vegas casinos in 2023.
Once inside, the group deployed DragonForce ransomware. The attacks caused significant operational disruption and attracted national media coverage.
The pattern is now well documented: social engineering of the help desk, followed by MFA bypass, lateral movement, and ransomware deployment. These are not sophisticated technical exploits. They are process failures that repeat because the underlying verification gaps have not been closed.
How Attackers Exploit Human Processes
Social engineering works best when it looks like business as usual. Attackers copy how your teams already work, then slip into the gaps. Here are the most common weak points, and why they fail.

1) Identity recovery and MFA resets
- The pretext: “I’m locked out. I’m travelling. Please add my new device.”
- Weak point: helpdesk flows built for speed, not proof.
- What happens: the caller passes basic checks, gets an MFA reset, and walks in with a clean session.
- Why it matters: once inside, they look like a normal user; alerts are easy to miss.
- Guidance: the UK NCSC stresses strong, phishing-resistant MFA and careful rollout for corporate services. Mandiant’s M-Trends 2026 report documents this pattern in detail: groups like UNC3944 (Scattered Spider) continue to target IT help desks specifically, impersonating employees to bypass MFA and gain access to SaaS environments. Once inside, they harvest OAuth tokens and session cookies that persist even after password changes.
2) Payment changes and fast approvals
- The pretext: “Supplier bank details have changed. Payment is urgent.”
- Weak point: no verified call-back, single approver, and no timed hold before release.
- What happens: funds move via authorised push payments (APP). It looks legitimate to the bank because it is the account holder pressing send.
- Why it matters: losses are large and fast, often cross-border. Evidence: UK Finance reports £629.3m stolen in H1 2025; APP fraud losses were £257.5m, up 12% year-on-year.
3) Inbox trust and executive impersonation
- The pretext: “From the CFO – approve the invoice. From the CEO – share the file.”
- Weak point: inbox authority and thread-hijack trust.
- What happens: criminals buy stolen credentials or whole mailboxes, then run payment, data, or gift-card fraud.
- Why it matters: it bypasses malware checks; the message is from a real account. Evidence: Microsoft notes the industrialisation of BEC – access brokers sell credentials and inboxes to fraud operators.
4) Browser prompts, ClickFix, and search “fixes”
- The pretext: “Security update required. Click to fix.” Or: “Verify you are human. Run this command.”
- Weak point: users trust familiar logos and urgent language in the browser, not only email. ClickFix campaigns exploit this by presenting fake error messages or CAPTCHA pages that instruct the user to paste a command into PowerShell or a system dialog.
- What happens: the user initiates the action, so web and endpoint controls often do not flag it. The attacker’s payload runs with the user’s own permissions.
- Why it matters: these lures work entirely outside the inbox. Security researchers have identified the browser as overtaking email as the most exploited social engineering entry point heading into 2026. Detection strategies built around email scanning and link analysis do not cover this attack path.
5) Supplier and recruiter impersonation
- The pretext: “We are your vendor / auditor / recruiter – please review and log in.”
- Weak point: third-party trust, indirect identity checks, off-platform messaging.
- What happens: attackers move conversations to private channels, collect just enough detail to pass future checks, then request access or payment.
- Why it matters: blends procurement, HR, and IT workflows; easy to miss. Context: EU agencies report rising use of AI for scalable impersonation and fraud across sectors.
6) “Exception” culture
- The pretext: “We have board pressure, a regulator deadline, a customer outage.”
- Weak point: exceptions bypass normal checks; no record of why risk was accepted.
- What happens: emergency approvals, ad-hoc access grants, or off-policy payments.
- Why it matters: attackers time pretexts to business peaks and regulatory cut-offs. Regulatory view: the FCA warns firms about weak controls around new fraud threats, including deepfake scams, and expects stronger oversight.
What this means for leaders
- These intrusions do not need malware. They rely on trust in people and process.
- Controls must prove who is asking, what is being requested, and why it must happen now.
- The fix is procedural: call-backs, dual control, time-boxed holds, and strict identity recovery checks – with evidence recorded every time.
Business Impact and Regulation
Why it hurts
- Money lost: In the first half of 2025, UK Finance reports losses of £629.3m to fraud. Authorised push payment fraud made up £257.5m, up 12% year-on-year.
- Operational disruption: Social engineering drives account takeovers and payment changes that stall services and drain teams. ENISA’s 2025 threat work highlights phishing and related social lures as leading initial vectors.
- Trust and reputation: The UK Financial Conduct Authority has warned firms about emerging fraud, including deepfake scams, and expects stronger governance and oversight.
What EU and UK regulators expect
NIS2: Clear governance over risk, identity, and incident handling. That includes access control, phishing-resistant MFA, monitoring, and rapid reporting. Social engineering that leads to a network or information system compromise falls squarely within scope.
DORA: Treat ICT and third-party providers as critical. Test controls, keep evidence, classify incidents, and report within set timelines. The SaaS supply chain compromises documented in 2025, where vishing at a vendor led to data theft across customer environments, are exactly the kind of scenario DORA is designed to address.
GDPR and sector rules: If social engineering leads to personal data exposure, you may face breach notification obligations and fines. Evidence of due diligence matters. Organisations that can demonstrate scripted verification processes, dual approval controls, and auditable identity recovery workflows are in a stronger position than those that cannot.
UK Government Counter Fraud Strategy: The UK Government’s Counter Fraud Functional Strategy 2025-2026 progress review, published in March 2026, reported £7.5 billion saved through fraud prevention and enforcement. The direction of travel is clear: regulators expect proactive, evidenced controls, not reactive responses.
Controls That Work
Keep it simple and procedural. Make fraud harder, slower, and visible.
Verify the person
- Call back using a number from the directory, not the message.
- Use multi-channel checks for high-risk requests.
- Add challenge-response questions that only the real user would know.
Control the action
- Dual approval for payments, bank detail changes, and privilege grants.
- Time-boxed payment holds with a second check before release.
- Use least privilege and just-in-time elevation for admin work.
Harden identity recovery
- Fixed scripts for MFA resets and unlocks. No ad-hoc steps.
- Restrict who can perform resets. Record every action.
- Sample and QA a percentage of resets weekly.
Reduce easy paths
- Remove standing admin rights. Rotate break-glass credentials.
- Block self-install of software. Allow-list installers and update sources.
- Require vendor change requests to use a known portal, not email.
Train for the real thing
- Run micro-drills for helpdesk, finance, and exec assistants.
- Use clear escalation trees and response prompts.
- Measure pass rates and feed lessons back into scripts.
Defend beyond the inbox
Most social engineering controls were designed for email-based attacks. That is no longer sufficient. Detection and verification processes must now extend to voice calls, messaging platforms, browser-based vectors, and collaboration tools like Teams and Slack.
For voice calls, this means enforcing callback verification using directory numbers, not numbers provided by the caller. For browser-based threats, it means restricting users’ ability to execute system commands from prompts and maintaining allow-lists for software installations. For collaboration platforms, it means treating messages from external contacts with the same scrutiny as external email.
The principle is simple: if an attacker can reach your staff through a channel, your verification controls must cover that channel.
What to implement this quarter
- Publish a one-page verification policy that covers phone, email, and messaging channels, not just email.
- Switch on dual approval and time-boxed holds for payments and bank detail changes.
- Enforce scripted MFA resets with full audit trails. No ad-hoc steps.
- Convert standing admin access to just-in-time elevation.
- Review whether your detection and alerting covers vishing indicators: helpdesk calls followed by MFA changes, privilege escalations after phone-based identity verification, and unusual OAuth consent grants.
5 Questions for the Board
Social engineering is not a technical problem that can be delegated to the security team alone. It is a business risk that depends on how your organisation verifies identity, approves changes, and responds to urgency. These are questions that leadership should be able to answer.
1. Can your helpdesk verify identity without relying on information an attacker could find online? If your verification process depends on name, date of birth, employee number, or email address, it is vulnerable. Attackers routinely gather this information from LinkedIn, corporate websites, and data breaches. A process that feels thorough but relies on publicly available facts is not verification. It is theatre.
2. When did you last test your team’s response to a voice call, not just a phishing email? Most phishing simulations test email. The data now shows that voice phishing is more likely to succeed, harder to detect, and growing faster. If you have never tested whether your help desk, finance team, or executive assistants can spot a convincing vishing attempt, you do not know your actual exposure.
3. Do you have dual approval and time-boxed holds for payment changes and bank detail updates? A single approver under time pressure is the most common point of failure in payment fraud. Dual approval with a mandatory hold period, even 24 hours, is one of the simplest and most effective controls available. If your process allows one person to change supplier bank details and release a payment on the same day, that gap is likely to be exploited.
4. How quickly would you detect a compromised identity being used across cloud platforms? Attackers who gain credentials through social engineering often move laterally into SaaS platforms, email, and collaboration tools within minutes. If your monitoring does not cover OAuth consent grants, session anomalies, and cross-platform access patterns, compromised accounts can operate undetected for days or weeks.
5. Do your incident response plans account for multi-channel social engineering? If your IR playbook assumes a phishing email as the starting point, it may not cover scenarios that begin with a phone call, a Teams message, or a browser-based lure. The attack surface for social engineering has widened. Response plans should reflect that.
If your leadership team cannot answer these questions with confidence, it is worth reviewing whether your current controls match your actual risk.
Detection and Metrics
Detection should focus on behaviour. You are looking for signs that a person or a process is being misused, especially after identity changes or helpdesk activity.
What to surface
- Identity events: new MFA factor added, multiple re-enrols, device joins from new locations.
- Session risk: rapid country hops, logins from hosting ASNs, sudden admin portal access.
- Consent and API use: high-scope OAuth approvals, directory or SharePoint enumeration after a reset.
- Mailbox signals: external forwarding rules, disabled safety prompts, mass replies.
- Finance triggers: supplier bank change followed by a first-time large payment.
- Helpdesk flags: repeat callers failing checks, deviations from the reset script.
Keep evidence. Log who approved what, when, and why. Store MFA changes, device joins, consent grants, role assignments and the start and end of any privileged session. In finance, record the callback, the verifier and the hold release time. For helpdesk activity, capture artefacts reviewed and challenge questions used. This gives incident responders and auditors a clear trail.
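To make the “what to surface” list concrete, here is an added example (not from the original report and not any vendor’s product) of correlation rules run over a handful of constructed identity, helpdesk and finance events. The field names, the 60-minute post-reset window, the 24-hour hold, the high-scope list and the sample users are all assumptions; real events would come from your identity provider, ticketing system and payment platform.

```python
"""Behavioural correlation for social engineering indicators (added example)."""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)       # identity changes this soon after a reset are suspicious
HOLD = timedelta(hours=24)           # time-boxed hold after a supplier bank detail change
BUSINESS_HOURS = range(7, 19)        # helpdesk resets expected between 07:00 and 18:59
LARGE_PAYMENT = 50_000               # assumed threshold for a "large" first-time payment
HIGH_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
# Countries each user normally signs in from (assumption; would come from your IdP history).
KNOWN_COUNTRIES = {"j.smith": {"GB"}, "a.lee": {"GB"}, "m.khan": {"GB"}}

# Constructed sample events, not real logs. One suspicious reset chain (j.smith),
# one benign reset (a.lee), one off-script night-time reset (m.khan), and a
# bank change followed by a payment released before the hold expired.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T08:55:00", "kind": "helpdesk_reset", "user": "j.smith", "channel": "phone", "script_followed": True},
    {"ts": "2025-11-03T09:02:00", "kind": "mfa_factor_added", "user": "j.smith", "country": "NL"},
    {"ts": "2025-11-03T09:10:00", "kind": "oauth_consent", "user": "j.smith", "app": "MailSync Pro",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All"]},
    {"ts": "2025-11-03T09:30:00", "kind": "device_join", "user": "j.smith", "country": "NL"},
    {"ts": "2025-11-03T10:00:00", "kind": "helpdesk_reset", "user": "a.lee", "channel": "ticket", "script_followed": True},
    {"ts": "2025-11-03T16:00:00", "kind": "mfa_factor_added", "user": "a.lee", "country": "GB"},
    {"ts": "2025-11-02T03:15:00", "kind": "helpdesk_reset", "user": "m.khan", "channel": "phone", "script_followed": False},
    {"ts": "2025-11-04T11:00:00", "kind": "supplier_bank_change", "supplier": "ACME Ltd", "approvers": ["p.jones"]},
    {"ts": "2025-11-04T11:40:00", "kind": "payment", "supplier": "ACME Ltd", "amount": 185_000, "first_time_payee": True},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, known_countries=KNOWN_COUNTRIES):
    """Return (rule, subject, timestamp) alerts for the patterns the report describes."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []

    # Helpdesk flags: out-of-hours resets and deviations from the reset script.
    for r in (e for e in events if e["kind"] == "helpdesk_reset"):
        t = parse(r["ts"])
        if t.hour not in BUSINESS_HOURS:
            alerts.append(("out_of_hours_reset", r["user"], r["ts"]))
        if not r.get("script_followed", False):
            alerts.append(("reset_script_deviation", r["user"], r["ts"]))
        # Identity and consent events for the same user shortly after the reset.
        for e in events:
            if e.get("user") != r["user"]:
                continue
            dt = parse(e["ts"]) - t
            if not (timedelta(0) < dt <= WINDOW):
                continue
            if e["kind"] == "oauth_consent" and HIGH_SCOPES & set(e["scopes"]):
                alerts.append(("post_reset_high_scope_consent", e["user"], e["ts"]))
            if e["kind"] in ("mfa_factor_added", "device_join") and \
                    e["country"] not in known_countries.get(e["user"], set()):
                alerts.append(("post_reset_new_location", e["user"], e["ts"]))

    # Finance triggers: single approver on a bank change, and a first-time or
    # large payment released to that supplier before the hold window elapsed.
    for c in (e for e in events if e["kind"] == "supplier_bank_change"):
        if len(c["approvers"]) < 2:
            alerts.append(("single_approver_bank_change", c["supplier"], c["ts"]))
        for p in events:
            if p["kind"] != "payment" or p["supplier"] != c["supplier"]:
                continue
            dt = parse(p["ts"]) - parse(c["ts"])
            if timedelta(0) < dt < HOLD and (p.get("first_time_payee") or p["amount"] >= LARGE_PAYMENT):
                alerts.append(("payment_inside_hold_window", c["supplier"], p["ts"]))
    return alerts


def summarise(alerts):
    """Count alerts per rule, the shape a weekly KPI dashboard would consume."""
    return dict(Counter(rule for rule, _, _ in alerts))


if __name__ == "__main__":
    for rule, subject, ts in correlate(SAMPLE_EVENTS):
        print(f"{ts}  {rule:32s}  {subject}")
    print(summarise(correlate(SAMPLE_EVENTS)))
```

The benign reset for a.lee produces nothing because the only follow-on change is hours later and from a known country; the j.smith chain fires three times, which is the signal a SOC should triage ahead of the hand-off window the report describes.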
Metrics to manage
- Callback adherence rate: percentage of high-risk requests verified by callback.
- Reset defect rate: percentage of MFA resets that fail post-audit.
- Time to validate: median minutes to confirm identity for high-risk requests.
- Privileged minutes per user: total elevated time, managed by just-in-time access.
- First-time payee hold pass rate: proportion that complete the full hold window.
Review these weekly. If any indicator drifts, adjust scripts, training and ownership before it becomes a pattern.
30-Day Action Plan
This is a short, practical plan to raise your defences quickly. Keep the scope tight. Prove the controls work. Capture evidence as you go.
Week 1: Set the rules
- Publish a one-page verification policy for high-risk requests.
- Turn on dual approval and a 24-hour hold for first-time or high-value payments.
- Freeze ad-hoc MFA resets. Use a scripted flow only.
Week 2: Tighten identity and access
- Remove standing admin rights. Enable just-in-time elevation for admins.
- Restrict who can perform resets. Add challenge-response questions.
- Start weekly sampling of 10 percent of all resets and approvals.
Week 3: Make detection useful
- Add alerts for new MFA factors, out-of-hours resets, and consent to high-scope apps.
- Add monitoring for vishing indicators: any helpdesk interaction that results in a privilege change, MFA reset requests following phone calls, and device registrations from unfamiliar locations.
- Link bank detail changes to a payment hold and report any attempt to bypass it.
- Create a simple dashboard for the five KPIs you track.
Week 4: Test and fix
- Run a 60-minute micro tabletop across helpdesk, finance and security.
- Review all exceptions made in the month and remove any that linger.
- Close gaps found in sampling. Update scripts and training where needed.
Finish line
Write a short memo to the leadership team with three items: the verification policy link, this month’s KPI snapshot, and the top three fixes you made. This builds trust and keeps the work funded.
Wrapping Up
Social engineering thrives because it looks like normal work. A call to the helpdesk. A supplier message. A browser prompt that seems routine.
What has changed is where these attacks arrive. Voice calls, messaging platforms, and browser-based lures now carry as much risk as email, and in some cases more. The controls that matter, verification, dual approval, time-boxed holds, and auditable evidence, are the same regardless of channel. But they must be applied consistently across every path an attacker can use to reach your staff.
The defence is not complicated. Verify the person using a number you already trust. Slow any high-risk change with a second approver and a short hold. Keep evidence of every reset, approval, and exception. When these habits are in place, most attempts fail quietly. The ones that slip through leave a clear trail you can act on.
Leaders set the tone. Publish one page of simple rules. Sample a small percentage of resets and payments every week. Track a handful of KPIs so everyone sees whether controls are working. When exceptions are needed, record them and close them quickly. This is the work that reduces loss, shortens investigations, and strengthens your position with regulators.
If you want to test whether your current controls match your actual risk, speak with our team. We can help you align policy and practice across identity recovery, approvals, and monitoring, with attention to measurable outcomes and regulatory expectations.
Curated with purpose, delivered with precision – The ThreatScene Team

References
- Fraud: Half-Year Update 2025 • UK Finance • 2025-10 • https://www.ukfinance.org.uk/news-and-insight/press-release/over-ps600-million-stolen-fraudsters-in-first-half-2025
- Fraud: Half-Year Update 2025 (Report, PDF) • UK Finance • 2025-10 • https://www.ukfinance.org.uk/system/files/2025-10/Half%20Year%20Fraud%20Report%202025_0.pdf
- Half Year Fraud Report 2025 • UK Finance • 2025 • https://www.ukfinance.org.uk/policy-and-guidance/reports-and-publications/half-year-fraud-report-2025 (£629.3m stolen in H1 2025; APP fraud £257.5m, up 12% year-on-year)
- ENISA Threat Landscape 2025 • ENISA • 2025 • https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
- ENISA Threat Landscape 2025 (Booklet, PDF) • ENISA • 2025 • https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025%20Booklet.pdf
- Regulatory perspective and priorities 2025 (speech) • FCA • 2025 • https://www.fca.org.uk/news/speeches/regulatory-perspective-and-priorities-2025
- Microsoft Digital Defense Report 2025 • Microsoft • 2025 • https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025
- Infosecurity Europe findings: social engineering and impersonation (PDF) • KnowBe4 • 2025 • https://www.knowbe4.com/hubfs/Infosecurity-EU-2025-Findings.pdf
- M-Trends 2026 • Mandiant / Google Cloud blog • 2026-03 • https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026 (primary source for vishing data, hand-off times, recovery denial and the AI assessment)
- Global Incident Response Report: Social Engineering Edition • Palo Alto Networks Unit 42 • 2025 • https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/ (36% of incidents began with social engineering)
- Cyber Insights 2026: Social Engineering • SecurityWeek • https://www.securityweek.com/cyber-insights-2026-social-engineering/ (expert commentary on AI-powered social engineering)
- Five Cyber Predictions for 2026 • Symantec/Carbon Black • https://www.security.com/feature-stories/five-cyber-predictions-2026 (ShinyHunters, Scattered Spider, UK retailer attacks)
- MFA guidance and identity verification best practices • NCSC (UK)
- The Government Counter Fraud Functional Strategy 2025-2026 Progress Review • UK Government • 2026-03-30 • https://www.gov.uk/government/publications/the-government-counter-fraud-functional-strategy-2025-2026-progress-review