Hackers are increasingly breaching corporate IT systems by exploiting age-old human behaviors with the help of sophisticated new technologies.
Threat actors are using deepfake videos, AI-powered voice cloning and other tools to launch increasingly personalized campaigns against corporate executives, government officials and other high-profile people, using impersonation and extortion to mount highly disruptive attacks on major industries.
Social engineering was the leading access vector for incident response cases from May 2024 to May 2025, Palo Alto Networks said in a report released in July.
Attackers used social engineering to breach systems in 36% of the incidents that Palo Alto Networks investigated during that time. In two-thirds of those cases, hackers targeted either privileged or executive accounts to access the targeted systems.
“With expansive privileges to both sensitive information and business critical systems, executives hold the keys to the corporate kingdom,” said Sam Rubin, senior vice president of Palo Alto Networks’ Unit 42 team. “Attackers looking to maximize both damage and extortion profits know executives make lucrative targets.”
In more than half of the social-engineering attacks, the hackers were able to access sensitive data, and in a growing number of cases, the attacks disrupted critical business functions or had a modest impact on companies’ operational performance.
Impersonation bypasses safeguards
Threat groups are increasingly using voice cloning, deepfakes and other AI-based technologies to impersonate senior-level executives.
In some cases, hackers have directly targeted senior executives for extortion or cloned their voices for use in impersonation. Once attackers clone an executive’s voice, access their email contacts or copy their picture, they can make fake credential-reset requests to a help desk or send fraudulent demands to lower-level employees.
“In the age of AI, vocal or video spoofing of executives has become a legitimate risk,” Scott McCollum, principal intelligence analyst at Google’s Threat Intelligence Group, told Cybersecurity Dive. “When unsuspecting individuals receive a call or message requesting data or access from their executive, this creates real risk for company security.”
Hackers have used social engineering to conduct sophisticated attacks against a range of sectors in recent months, including companies in the retail, aviation and insurance industries.
In one of the most high-profile attacks this year, the British retailer Co-op experienced an attack that led to $275 million (206 million pounds) in lost sales.
Rob Elsey, the group chief digital and information officer at Co-op, told a House of Commons subcommittee that hackers breached company networks by impersonating an employee and answering several security questions, allowing them to reset the account’s credentials.
“That activity happened about an hour before they started to use the account maliciously,” Elsey told the Business and Trade Subcommittee in a July hearing.
The company has since implemented additional identity measures to prevent such an attack and has “updated internal processes to remove that attack vector altogether,” a spokesperson told Cybersecurity Dive.
Like many other organizations, Co-op had prepared for such an incident through simulated attacks and red-team exercises. But as in many of the attacks the cybercrime gang Scattered Spider carried out during a months-long hacking spree, the pressure of a live incident let the hackers get past many of the defenses the companies had relied on to prevent, or at least contain, such attacks.
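The sequence Elsey describes, a help-desk reset verified only by security questions and then malicious use of the account roughly an hour later, is something identity telemetry can catch. The following detection is an added example, not code from Co-op, Palo Alto Networks or Google: it correlates help-desk password-reset events with the account's subsequent logins and privileged actions and raises the severity when the reset was verified by a method an impersonator can satisfy with aggregated personal data. The event schema, field names, the WEAK_VERIFICATION set, the two-hour window and the sample log lines are all constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log, one JSON event per line (illustrative, not Co-op's telemetry).
SAMPLE_LOG = """
{"ts": "2025-07-01T08:00:00", "event": "login", "user": "alice", "device": "laptop-A", "src_ip": "10.1.1.20"}
{"ts": "2025-07-01T09:02:00", "event": "helpdesk_password_reset", "user": "alice", "ticket": "HD-1001", "verification": "security_questions"}
{"ts": "2025-07-01T10:05:00", "event": "login", "user": "alice", "device": "win11-unmanaged", "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T10:12:00", "event": "privileged_action", "user": "alice", "action": "group_add", "target": "Domain Admins"}
{"ts": "2025-07-01T08:30:00", "event": "login", "user": "bob", "device": "laptop-B", "src_ip": "10.1.1.31"}
{"ts": "2025-07-01T11:00:00", "event": "helpdesk_password_reset", "user": "bob", "ticket": "HD-1002", "verification": "callback_number_of_record"}
{"ts": "2025-07-01T11:10:00", "event": "login", "user": "bob", "device": "laptop-B", "src_ip": "10.1.1.31"}
{"ts": "2025-07-01T07:00:00", "event": "login", "user": "carol", "device": "laptop-C", "src_ip": "10.1.1.44"}
{"ts": "2025-07-01T12:00:00", "event": "helpdesk_password_reset", "user": "carol", "ticket": "HD-1003", "verification": "security_questions"}
{"ts": "2025-07-01T12:30:00", "event": "login", "user": "carol", "device": "laptop-C", "src_ip": "10.1.1.44"}
"""

# Assumed label set: verification methods a caller can pass using information
# gathered from social media, breach dumps and corporate directories.
WEAK_VERIFICATION = {"security_questions", "employee_id_only", "email_reply"}


def parse_events(log_text):
    """Parse JSON-lines into event dicts with datetime timestamps, sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, window_hours=2):
    """Flag help-desk resets that are followed, within the window, by a login from a
    device the account never used before the reset or by a privileged action."""
    window = timedelta(hours=window_hours)
    alerts = []
    for reset in (e for e in events if e["event"] == "helpdesk_password_reset"):
        user = reset["user"]
        # Devices the account used before the reset form its baseline.
        prior_devices = {e["device"] for e in events
                         if e["user"] == user and e["event"] == "login" and e["ts"] < reset["ts"]}
        followups = [e for e in events
                     if e["user"] == user and reset["ts"] < e["ts"] <= reset["ts"] + window]
        new_device_logins = [e for e in followups
                             if e["event"] == "login" and e["device"] not in prior_devices]
        privileged = [e for e in followups if e["event"] == "privileged_action"]
        if not (new_device_logins or privileged):
            continue
        reasons = []
        if new_device_logins:
            reasons.append("login from device never seen before reset: "
                           + ", ".join(sorted({e["device"] for e in new_device_logins})))
        if privileged:
            reasons.append("privileged action after reset: "
                           + ", ".join(f'{e["action"]} {e["target"]}' for e in privileged))
        first_login = next((e for e in followups if e["event"] == "login"), None)
        minutes = (None if first_login is None
                   else int((first_login["ts"] - reset["ts"]).total_seconds() // 60))
        alerts.append({
            "user": user,
            "ticket": reset["ticket"],
            "verification": reset["verification"],
            # A reset passed on knowledge-based answers alone is the pattern seen here.
            "severity": "high" if reset["verification"] in WEAK_VERIFICATION else "medium",
            "minutes_to_first_login": minutes,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed log only alice's reset fires: it was verified by security questions, and 63 minutes later the account logged in from a device it had never used and then added a member to a privileged group. Bob's reset was verified by a callback to the number already on record and was followed only by a login from his usual laptop, and carol's weakly verified reset saw no anomalous activity, so neither is alerted. The window should be tuned to how quickly a legitimate user normally logs back in after a help-desk reset.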
The Co-op attack refocused attention on Scattered Spider, a cybercrime group made up of young, English-speaking hackers that works with various affiliates in a loosely knit underground network known as The Com.
In August, Workday confirmed that it experienced a social-engineering attack in which hackers impersonated IT and human-resources officials to trick employees into resetting their accounts’ passwords. The hackers were then able to access information from a third-party customer-relationship-management platform.
Evolving tactics
Cybersecurity and incident-response experts say social-engineering tactics have evolved in recent years. Threat actors traditionally focused on tricking people into downloading malware embedded in email attachments, but the increased use of multifactor authentication and other security measures forced attackers to adopt more creative — and personal — methods of gaining initial access.
Researchers at Proofpoint say a major reason behind the change was Microsoft’s decision to block VBA macros in Office files downloaded from the internet by default and to disable legacy Excel 4.0 (XL4) macros, both of which hackers frequently abused.
“In response, threat actors pivoted to compressed executables, alternative file types, and increasingly complex attack chains,” Selena Larson, staff threat researcher and lead for intelligence analysis and strategy at Proofpoint, told Cybersecurity Dive.
Since 2024, threat groups have pivoted toward new initial-access methods such as the widely used ClickFix technique, in which a fake error message or verification prompt persuades the victim to paste and run a command that fetches malware, which attackers then use to steal credentials and conduct financial fraud.
High-value targets
In June, Ponemon Institute and BlackCloak released a report showing that social-engineering attacks against corporate executives and high net-worth individuals were on the rise, with about four out of 10 respondents reporting a deepfake-impersonation attack.
“The most common attacks involve impersonating trusted entities to demand payments or information, and a significant portion of executives fear that digital attacks could escalate to physical harm,” Brian Hill, head of security operations at BlackCloak, told Cybersecurity Dive.
Social-engineering attacks have become increasingly invasive as hackers have targeted family members and other personal contacts, according to Hill.
Companies and senior executives can take a number of steps to better protect their systems from future attacks and improve their personal safety.
Those steps include:
- Limit social-media posts about personal activities, including travel.
- Avoid exposing information about family members to the public.
- Use phishing-resistant multifactor authentication, such as FIDO2 security keys or passkeys.
- Use out-of-band verification, such as a callback to a number already on record rather than one supplied by the caller, before changing passwords, resetting MFA or altering banking details.
“Executives are increasingly vulnerable to targeting based on information that can easily be aggregated online about themselves, their family, and their company,” Sam Lewis, manager of custom intelligence at Google Threat Intelligence Group, told Cybersecurity Dive.
Editor’s note: Updates with additional comments from Co-op.