Hacking Prevention

Social Engineering and Phishing: The Human Exploit

Safe Pass Guru

Security Analyst

The most expensive firewall in the world cannot stop an employee from clicking a link in a convincing email. Social engineering — the practice of manipulating people into handing over credentials, money, or access — remains the most reliable way into any organisation, and it does not require a single line of malicious code.

According to the 2025 Verizon Data Breach Investigations Report, the human element was a factor in roughly 60 percent of all breaches. Social engineering consistently ranks among the top three attack patterns across every industry, from finance to manufacturing to education.

Phishing: The Gateway Attack

Phishing is the most common form of social engineering. The attacker sends an email, text message, or instant message designed to look like it comes from a trusted source — a bank, an employer, a software vendor — and asks the recipient to take an action: click a link, open an attachment, or enter credentials on a fake login page.

The scale is staggering. An estimated 3.4 billion phishing emails are sent globally every single day. In the first quarter of 2025 alone, over one million phishing attacks were observed, the highest quarterly figure since late 2023.

What makes phishing so effective is speed. Research shows that the median time for a user to click on a malicious link after opening a phishing email is just 21 seconds. Within another 28 seconds, they have entered their credentials on the attacker’s page. The entire compromise happens in under a minute — faster than most automated security systems can respond.

Beyond the Inbox: Vishing, Smishing, and Pretexting

Email phishing gets the most attention, but social engineering attacks have expanded far beyond the inbox. Voice phishing, or vishing, surged by 442 percent in the second half of 2024 alone, as attackers discovered that a well-timed phone call can be even more persuasive than an email. The caller impersonates IT support, a bank representative, or a government agency, creating urgency that pushes the target to act before thinking.

Smishing — phishing via SMS — exploits the trust people place in text messages. Fake delivery notifications, parking violations, and toll collection alerts are common lures. Because mobile screens display less context than desktop email clients, users have fewer visual cues to spot the deception.

Pretexting takes social engineering deeper. The attacker constructs a fabricated scenario — a story about an urgent audit, a payroll error, a security incident — and uses it to extract information over multiple interactions. Unlike a one-shot phishing email, pretexting builds a relationship of trust before making the actual request. Business email compromise, where an attacker impersonates a CEO or supplier to redirect wire transfers, is a form of pretexting that caused over $2.7 billion in reported losses in 2024 alone.

The AI Accelerant

Generative AI has fundamentally changed the economics of social engineering. What used to take a skilled attacker 16 hours — researching a target, crafting a personalised message, setting up infrastructure — can now be done in five minutes. AI-generated phishing emails are grammatically flawless, contextually aware, and free of the spelling mistakes that once served as warning signs.

The results are measurable. Research published in 2025 found that AI-crafted phishing emails achieved click rates of 54 percent compared to 12 percent for human-written ones. AI-powered phishing campaigns overall have a 42 percent higher success rate than conventional approaches. More than a third of social engineering incidents in early 2025 involved AI-generated content.

Deepfake technology adds another dimension. In one widely reported case, attackers used a deepfake video call to impersonate a company’s CFO, convincing an employee to transfer $25.6 million. Voice cloning, which can replicate a person’s speech patterns from just a few seconds of audio, enables attackers to conduct vishing calls that sound indistinguishable from the real person.

Why Technical Controls Are Not Enough

Social engineering succeeds because it exploits human psychology — authority, urgency, curiosity, fear — rather than technical vulnerabilities. No software patch can fix the human instinct to obey a request that appears to come from a boss or to click a link that appears to come from a trusted service.

This is why password security matters even more in the age of social engineering. A phished password is only the first step; if that password is unique to the compromised service and protected by multi-factor authentication, the damage stays contained. If it is reused across accounts, the attacker has the keys to everything.

Practical Defences

The most effective defence against social engineering combines scepticism with technical safeguards.

Verify requests through a separate channel. If you receive an email asking you to transfer money, change a password, or share credentials, confirm it by calling the sender directly using a known phone number — not one provided in the suspicious message.

Use unique passwords for every account. When a phishing attack does succeed in capturing one password, the blast radius is limited to a single service. A tool like Safe Pass Guru generates credentials that cannot be guessed, reused, or socially engineered out of you.

Enable multi-factor authentication everywhere. Hardware security keys and authenticator apps are phishing-resistant by design — they will not release a credential to a fake domain. SMS codes offer some protection but can be intercepted.
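As an added illustration of the origin binding behind that phishing resistance (example code, not the article's or Safe Pass Guru's), the following simplified model shows a hardware-key-style authenticator that only signs for the domain a credential was registered on, and a site that rejects any assertion not made for its own origin. It assumes made-up domains bank.example and bank-example.com and uses an HMAC in place of the real public-key signature.

```python
# Added example, not the article's code: a simplified model of the origin binding that
# makes hardware-key (WebAuthn-style) logins resist lookalike domains. HMAC stands in
# for the real public-key signature; bank.example and bank-example.com are made up.
import hashlib, hmac, json, secrets

class Authenticator:
    """Holds one credential secret per relying-party ID (the registered domain)."""
    def __init__(self):
        self.keys = {}

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]

    def get_assertion(self, origin, challenge):
        # The browser, not the page, derives the RP ID from the origin it is really on,
        # so a lookalike host asks for a credential that was never registered for it.
        rp_id = origin.removeprefix("https://")
        key = self.keys.get(rp_id)
        if key is None:
            return None                                 # nothing to hand over
        client_data = json.dumps({"origin": origin, "challenge": challenge}).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, rp_id, authenticator):
        self.origin = "https://" + rp_id
        self.key = authenticator.register(rp_id)        # real WebAuthn stores a public key

    def verify(self, challenge, assertion):
        if assertion is None:
            return False
        client_data, sig = assertion
        data = json.loads(client_data)
        # Reject a stale challenge, or one signed for any origin but our own.
        if data["challenge"] != challenge or data["origin"] != self.origin:
            return False
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def login_outcomes():
    auth = Authenticator()
    bank = RelyingParty("bank.example", auth)
    challenge = secrets.token_hex(16)
    genuine = bank.verify(challenge, auth.get_assertion("https://bank.example", challenge))
    # A phishing page on the lookalike domain relays the bank's real challenge to the
    # user's key; the key has no credential for that origin and signs nothing.
    phished = bank.verify(challenge, auth.get_assertion("https://bank-example.com", challenge))
    return genuine, phished                             # (True, False)
```

The same two checks (registered domain on the authenticator side, expected origin plus fresh challenge on the server side) are what a code typed into a login form lacks: a code is valid wherever it is entered, which is why it can be relayed.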

Slow down. Social engineering relies on urgency. Any message that demands immediate action — “your account will be locked,” “this invoice is overdue,” “your CEO needs this now” — should be treated with extra suspicion. Legitimate organisations do not pressure you into bypassing your own security instincts.

The attackers have learned that hacking a human is almost always easier than hacking a system. The goal is not to become unhackable — it is to become a harder target than the millions of users who still click without thinking.