SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Netarx
#
Ransomware
#
Phishing
#
Email Security

The New Face of Social Engineering

Tue, 18th Nov 2025
By Sandy Kronenberg, CEO, Netarx

The quickest way into a business today isn't through a firewall, it's through people. Attackers have learned that it is often easier to manipulate trust than to break into a system. This shift has turned email, text messages, and phone calls into some of the most dangerous frontlines in cybersecurity.

Phishing, smishing and vishing, three longstanding methods of deception, are evolving into highly coordinated, AI-driven campaigns. Phishing alone remains the most common cause of breaches, contributing to more than 90 percent of successful cyberattacks. Smishing incidents have grown nearly 700 percent year over year, while vishing, supercharged by AI voice cloning, has been tied to multimillion-dollar losses. More than $1 trillion globally was lost to scammers in 2024, according to a World Economic Forum report, and analysts estimate that deepfake-enabled fraud could cost organizations $40 billion annually by 2027.


The End of Single-Channel Attacks


Not long ago, phishing emails were largely standalone events. A suspicious message might trick someone into clicking a malicious link or sharing credentials. Today's attackers don't stop there. A fraudulent email is now just the opening move. It might be followed by a text message reinforcing the request, or a phone call from an AI-generated voice that sounds exactly like a trusted executive. In some cases, attackers even appear on video calls, their faces convincingly cloned, to finalize the deception.

This multi-channel approach makes scams far more challenging to detect. Traditional tools still treat email, text, and voice as separate domains. Security software that scans inboxes won't see the follow-up text, and fraud filters on mobile devices won't connect the dots to a suspicious video call. By isolating each communication stream, organizations lose sight of the bigger picture -- the consistency across channels is precisely what makes the attack so believable.


Why Training Alone Falls Short


Over the years, enterprises have leaned on employee education as the first line of defense. Training sessions, simulated phishing emails and awareness campaigns remain common. While these measures can help, they are no longer enough. Attackers are now using generative AI to produce flawless messages in any language, free of the spelling errors and awkward phrasing that once gave them away. AI tools can also scrape publicly available data to tailor messages so specifically that even the most vigilant employee may believe they are genuine.

The result is a new reality: people can no longer be expected to distinguish between authentic and fraudulent communications on their own reliably. In fact, research shows that one in four people still click on links in smishing texts, despite years of awareness campaigns. The sophistication of AI-powered attacks erodes the very foundation of trust that traditional training tries to reinforce.


Why Enterprises Are Especially at Risk


The financial and reputational stakes for enterprises are enormous. A single successful attack can result in the theft of sensitive intellectual property, large-scale data breaches or fraudulent wire transfers that cost millions. In early 2024, the multinational engineering company Arup fell victim to a sophisticated fraud scheme involving deepfaked videos and AI-generated voices, resulting in a loss of approximately $25 million. The scheme began with a phishing email posing as the company's CFO, followed by a video conference where scammers used deepfake technology to impersonate senior executives. The visuals and voices were convincing enough to deceive an employee into making 15 separate transfers, totaling HK$200 million (about $25.6 million), to fraudulent bank accounts. This case illustrates how rapidly AI-driven impersonation has evolved beyond phone calls, with video and voice now working in tandem to circumvent human skepticism and traditional security checks.

The average cost of a social engineering incident has now reached roughly half a million dollars and those figures are only climbing. 

The real danger shows up in large-scale cases. When Ascension was hit by ransomware in 2024, the disruption drove its annual operating loss to $1.8 billion, fueled by delayed patient care, stalled revenue cycles and massive remediation costs. The financial impact was staggering, but the reputational damage may prove just as lasting. Patients and partners suddenly questioned the reliability of one of the country's largest health systems, a reminder that in healthcare as in banking and critical infrastructure, the consequences extend well beyond balance sheets and threaten both public safety and trust.


The Need for Cross-Channel Resilience


Enterprises need to recognize that these threats are not isolated nuisances but coordinated, AI-powered campaigns designed to exploit human behavior. The old paradigm of training people to spot red flags cannot keep pace with adversaries who can fake not only text and email, but also the voice and face of a trusted colleague.

The path forward is resilience built on verification and cross-channel awareness. Enterprises need systems that no longer take any single communication at face value but instead verify identity across multiple dimensions: device metadata, location patterns, timing anomalies, and behavioral context. Just as importantly, organizations must adopt processes that require independent validation for sensitive actions like financial transfers, no matter how convincing the request appears.


A New Model of Trust


The rise of AI-powered phishing, smishing, and vishing makes clear that the traditional model of trust, believing what we see, hear, or read, is no longer safe. For enterprises, this is more than an IT problem. It is a business risk that cuts across finance, operations, compliance, and reputation.

Phishing campaigns that once relied on clumsy emails now exploit a seamless blend of communication channels. Attackers have industrialized deception, and they are scaling it at speed. Education remains essential, but it is not enough to ensure success. The only sustainable response is to build ensemble security strategies that treat trust itself as a vulnerability and replace it with systems of verification where no trust is required.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Keeper Security named Overall Leader in non-human identity management
ATEN unveils secure KVM switches with 5K video for defence use
BT launches UK-based sovereign platform for secure cloud & AI
Teleport wins AWS award for securing high-growth infrastructure
Cyber-extortion incidents surge as criminals target small firms

Top stories

DivisionHex launches new framework to streamline exposure management
HP predicts surge in AI-driven cyber threats & cookie theft by 2026
Hack The Box launches AI cyber range & unveils red team certification
Dynatrace expands AWS integrations & wins LATAM partner award
Informatica expands AWS integration to boost enterprise AI agents