Understanding Modern Social Engineering Attacks

Unlike traditional cyber threats that exploit system vulnerabilities, social engineering manipulates human psychology to bypass even the most sophisticated technical defenses. The human element is, unfortunately, often the weakest. 

Over the years, the prevalence and sophistication of social engineering attacks have escalated. Threat actors are employing increasingly sophisticated techniques to target both individuals and organizations for financial gain, espionage, and operational disruption. 

This article explores high-profile cases from recent years, identifies evolving attack patterns, and outlines actionable strategies to mitigate social engineering.


What Is Social Engineering?

Social engineering involves manipulating individuals into disclosing confidential information or compromising the security of their accounts and platforms. These attacks take many forms, including phishing (and its targeted variants, spear phishing and whaling), vishing (voice phishing), pretexting, baiting, and quid pro quo schemes. What they all share is a reliance on human error: convincing someone to click a link, open a document, or share sensitive data.


Emerging Social Engineering Trends in 2025

The challenge of social engineering comes from its ever-evolving nature. Hackers are constantly developing new ways to trick people into cooperating… and, since people aren’t machines with rigid rules and boundaries, these new tactics can often gain a foothold before experts recognize the threat in the wild. When you throw in growing innovations in AI, it’s getting more than a little out of hand. 

  • Deepfakes: Cybercriminals increasingly use AI-generated voices and videos to impersonate executives or IT staff. In 2023, several financial firms reported fraudulent fund transfers following video calls with executives who were later revealed to be deepfakes.
  • Cross-Channel Attacks: Attackers are combining email, SMS (smishing), voice calls, and social media so that each channel appears to corroborate the false identity used in the others. For example, an employee might receive a phishing email followed by a confirming phone call from an impersonator. This multi-channel corroboration can convince even the most skeptical users.
  • AI-Enhanced Phishing: Generative AI has made phishing emails harder to detect. Attackers can now craft grammatically correct, contextually relevant messages that mimic internal communication patterns, making it more challenging to detect and respond to them. AI also enables dynamic content personalization, making scams more convincing.


Building Resilience Against Social Engineering


The human factor is the crux of social engineering, but that doesn’t mean you can’t support your teams with best practices that give them the right information and guidelines.

Some of these include:

  • Security Awareness Training: Educate employees about common social engineering tactics and ensure they recognize the red flags, such as unexpected requests, urgent deadlines, and unverified identities. Training should be interactive, scenario-based, and updated regularly to reflect emerging threats.
  • Zero Trust Architecture: ZTA assumes no entity inside or outside the network is trustworthy by default. Implementing ZTA principles—such as least privilege access and continuous verification—can limit the damage from compromised credentials.
  • Multi-Factor Authentication (MFA): MFA is a non-negotiable defense against credential-based attacks. Ensure it is used universally, including for third-party access and privileged accounts.
  • Secure Communication Protocols: Sensitive communications—especially financial approvals—should require independent verification through secure channels. Implement dual confirmation protocols for large transactions.
  • Phishing Simulations and Red Teaming: Simulations and penetration testing can prepare your teams by exposing common weak spots, such as poor email controls or a lack of training on phishing tactics. 
  • Incident Response Planning: Organizations must have predefined protocols for detecting and responding to suspected social engineering incidents. Employees should know whom to notify and how to report suspicious activity.
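The help-desk reset path is the one the M&S, Twitter and MGM attackers all walked through, so the controls listed above are worth encoding in the workflow itself rather than leaving them to an agent's judgment. The following is an added example, not code from the article or from Continuum GRC: a small gate that a help-desk tool might run before performing a credential or MFA reset. It assumes a directory with a phone number on record per employee, a manager-approval field for privileged accounts, and a repeat-request threshold (a second request within 24 hours escalates to incident response); the employee records and numbers are constructed.

```python
# Added example: help-desk reset gate enforcing out-of-band verification,
# dual confirmation for privileged accounts, and escalation on repeats.
from dataclasses import dataclass, field
from typing import Optional

REPEAT_WINDOW_SECS = 24 * 3600   # assumption: a second request within a day is suspicious
REPEAT_THRESHOLD = 1             # prior requests in the window before escalating

@dataclass
class Employee:
    user_id: str
    phone_on_record: str         # from the HR directory, never from the caller
    manager_id: str
    privileged: bool = False
    request_times: list = field(default_factory=list)   # epoch seconds of reset requests

@dataclass
class ResetRequest:
    user_id: str
    callback_number: str         # number the caller asked the agent to use
    callback_confirmed: bool     # agent reached phone_on_record and the employee confirmed
    approved_by: Optional[str]   # manager who independently confirmed the request
    now: float                   # epoch seconds of this request

def evaluate_reset(req: ResetRequest, directory: dict, audit: list) -> str:
    """Return 'allow', 'deny' or 'escalate' and record the reason in audit."""
    emp = directory.get(req.user_id)
    if emp is None:
        audit.append((req.user_id, "deny", "unknown user"))
        return "deny"
    # Count earlier requests in the window, then record this one (denied attempts count too).
    recent = [t for t in emp.request_times if req.now - t < REPEAT_WINDOW_SECS]
    emp.request_times.append(req.now)
    if len(recent) >= REPEAT_THRESHOLD:
        audit.append((req.user_id, "escalate", "repeated reset requests; notify incident response"))
        return "escalate"
    # Independent verification: the callback must go to the number on record, not a caller-supplied one.
    if req.callback_number != emp.phone_on_record:
        audit.append((req.user_id, "deny", "callback number differs from directory record"))
        return "deny"
    if not req.callback_confirmed:
        audit.append((req.user_id, "deny", "no out-of-band confirmation from employee"))
        return "deny"
    # Dual confirmation: privileged accounts additionally need the manager of record.
    if emp.privileged and req.approved_by != emp.manager_id:
        audit.append((req.user_id, "deny", "privileged reset requires manager approval"))
        return "deny"
    audit.append((req.user_id, "allow", "verified out of band"))
    return "allow"
```

The audit list is the hook for the incident-response step: every "escalate" entry is a ticket that someone outside the help desk reviews before any further reset is attempted for that account.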

Recent High-Profile Social Engineering Attacks

Marks & Spencer Cyberattack (2025)

In April 2025, British retail giant Marks & Spencer suffered a cyberattack linked to the group Scattered Spider, notorious for targeting global corporations. The attackers exploited social engineering tactics by impersonating internal IT support to manipulate employees into resetting credentials. Once inside, the attackers moved laterally through the network, gaining access to sensitive systems.

This breach exposed customer data, halted operations, and caused a reported £300 million loss in operational profits. M&S had invested in modern cybersecurity infrastructure, but the attack exposed a critical gap: insufficient employee awareness and verification procedures.


Twitter Account Hijacking (2020)

A textbook example of a coordinated social engineering assault occurred in July 2020, when Twitter suffered a breach that compromised 130 high-profile accounts. Attackers masqueraded as Twitter IT support, using phone-based social engineering (vishing) to manipulate employees into providing access credentials.

The breach enabled attackers to post messages from accounts, including those of Barack Obama, Elon Musk, and Apple, directing followers to send Bitcoin to fraudulent addresses. Although the financial impact was modest (just over $100,000), the reputational damage was significant. 


MGM Resorts & Caesars Entertainment Attacks (2023)

In late 2023, threat actors from the group ALPHV (BlackCat) used social engineering to breach MGM Resorts and Caesars Entertainment. By targeting the IT help desk via vishing (voice phishing), they tricked employees into resetting MFA credentials, gaining access to internal systems. Caesars paid a ransom to prevent data leaks; MGM faced extended service outages and exposure of customer data.


Revolut Hack (2022)

Fintech firm Revolut was breached through a social engineering attack, in which an unauthorized third party gained access to its internal systems. The attacker used phishing tactics to compromise an employee’s credentials. Data of over 50,000 users was exposed.


Mailchimp Breach (2022)

Hackers used phishing tactics to target Mailchimp employees and contractors, ultimately gaining access to internal tools and accounts to disrupt operations and steal sensitive information. They exploited this access to steal data from cryptocurrency and finance-related customers, allowing them to launch follow-up phishing campaigns.

Organizational Culture Is the Most Important Defense

Culture plays a critical role in defending against social engineering. A culture of transparency, safety, and proactive security awareness empowers employees to question anomalies, report suspicious requests, and admit errors without fear of reprisal.

Leaders must model secure behavior and prioritize cybersecurity as a shared responsibility, not just an IT issue. Regular executive communications, cross-functional collaboration, and incentives for security best practices can reinforce the message that every employee is a potential target and a possible line of defense.


Close the Door on Social Engineering with Continuum GRC

Cybersecurity is no longer just about guarding data centers. It’s about protecting human interactions from external threats. With the right information and training, anyone can spot a phishing attack. But it’s up to you to prepare them.

Continuum GRC is a cloud platform that stays ahead of the curve, including support for all certifications (along with our sister company and assessors, Lazarus Alliance). 

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cybersecurity® platform and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.
