Unit 42 has released its 2025 Global Incident Response Report: Social Engineering Edition, revealing that social engineering was the #1 initial access vector observed over the past year — accounting for more than one-third of all incidents.
Drawing from Palo Alto Networks telemetry, over 700 incident response cases, and Unit 42 threat research, the report explores how cybercriminals and nation-state actors are exploiting human trust — not technical flaws — to disrupt business and inflict financial damage. It also outlines how AI is accelerating and scaling these attacks.
Key insights include:
- Phishing dominates: 65% of social engineering attacks used phishing, often targeting privileged accounts (66%) and impersonating internal personnel (45%).
- High data exposure risk: 60% of social engineering incidents led to data loss — 16 percentage points higher than other attack vectors.
- AI on the offensive: Generative and agentic AI are being used to create personalized lures, voice clones, and synthetic identities.
- Beyond phishing: While phishing still dominates, 35% of attacks now rely on malvertising, SEO poisoning, smishing, and MFA bombing.
- Financial motivation reigns: 93% of social engineering cases were driven by profit — from BEC to ransomware and extortion.
The report also outlines two social engineering models observed:
- High-touch compromises mimicking staff and exploiting help desks — as seen in Muddled Libra and nation-state campaigns.
- At-scale deception like ClickFix, fake browser prompts, and blended lures — seen across healthcare, retail, and government sectors — often resulting in credential theft and operational downtime.

