
Chief Executive Officer
Published: June 25, 2026

A social engineering attack is a cyberattack that manipulates people, rather than software, into giving up information, money, or access. Instead of breaking through a firewall, the attacker tricks a human being into opening the door. In 2026 these attacks are the dominant breach vector, and generative AI has made them faster, cheaper, and far more convincing. This guide covers the main types of social engineering attacks, recent real-world examples, why they succeed, and how to prevent them.
A social engineering attack is the psychological manipulation of a person to make them perform an action or reveal information that benefits an attacker. The objective is usually to deploy malware, harvest credentials, or move money. The common thread is that a human, not a machine, is the target.
This is what makes social engineering so effective. It sidesteps the technical controls that most security budgets are built around. An attacker does not need to find a software flaw if they can convince an employee to hand over a password or approve a transfer.
Most social engineering attacks move through a recognizable lifecycle:
Research. The attacker studies the target using public sources such as social profiles, company sites, recorded calls, and leaked data.
Pretext. They build a believable scenario, often involving urgency, authority, or confidentiality, to lower the target's defenses.
Engagement. Contact is made through a trusted channel: email, phone, SMS, a messaging app, or a video call.
Exploitation. The target acts on the request, clicking a link, sharing credentials, resetting an account, or sending funds.
Exit. The attacker uses the access or money obtained, frequently before the victim realizes anything is wrong.
The Verizon DBIR notes that when an attacker is actively interacting with a victim in real time to push them toward an unsafe action, that live manipulation is classified as pretexting, and it is rising sharply as an entry point for ransomware.
Social engineering is a family of techniques, not a single attack. The most common types are below.
Fraudulent emails designed to steal credentials, deliver malware, or trick the recipient into a harmful action. Phishing remains the single most common social engineering method, and email is still the preferred delivery vector.
Targeted phishing aimed at a specific person. Spear phishing tailors the message to an individual, while whaling targets senior executives whose access and authority make them high-value marks.
The attacker poses as an executive or trusted vendor, often by hijacking a real email thread, to request a wire transfer or a change to banking details. These attacks are low in volume but high in financial impact.
Social engineering carried out over a phone call. Attackers impersonate IT, a bank, or a colleague, and increasingly use cloned voices. Phone-based attacks now succeed at higher rates than email.
Malicious text messages that reach users directly on mobile devices, frequently bypassing email security gateways. SMS campaigns against managed mobile devices are common and persistent.
The construction of a fabricated scenario to extract information or action, such as impersonating a help desk agent handling a password reset. Pretexting is a fast-growing initial access vector.
Luring a victim with something enticing, such as a free download or a USB drive left in a parking lot, that delivers malware when used.
Offering a service or benefit in exchange for information or access, for example an attacker posing as tech support who "fixes" a problem in return for login details.
Gaining physical access to a restricted area by following an authorized person through a secured door.
Compromising a website that a target group is known to visit, so that victims are infected simply by browsing a trusted site.
The newest and fastest-growing category. Attackers use AI-generated video and cloned voices to impersonate trusted people in real time, on the exact platforms employees use every day. This is where most traditional defenses break down.
Arup ($25 million deepfake wire fraud). A finance employee joined a video call with what appeared to be the CFO and colleagues. Every participant was a deepfake. The employee authorized 15 transfers totaling about $25.6 million before discovering the fraud. See CFO Dive's reporting on the Arup case.
Salesforce CRM compromise (dozens of companies). Attackers used IT impersonation via vishing to breach numerous organizations through their CRM.
Figure Technology (967,000 records). A vishing attack led to single sign-on credential theft.
Aura (900,000 records). A vishing attack targeted an identity platform.
MuddyWater campaign (37 countries). Microsoft Teams was used for credential harvesting at scale.
Carnival Cruises (6 million people). Social engineering contributed to a database theft.
The pattern across these cases is consistent. The initial break was a person, reached through a trusted channel, persuaded to take an action.
Three factors compound to make this the leading breach vector.
First, social engineering exploits trust and human psychology, which no patch can fix. Authority, urgency, and familiarity are powerful levers.
Second, the attack surface has widened. Attackers now reach people across email, phone, SMS, social media, and video, often combining channels in a single campaign. Defenses built for the email inbox alone leave the rest exposed.
Third, AI has collapsed the cost of convincing deception. Gartner's blunt summary, cited in Netarx's 2026 research, is that AI has brought organizations to a point where you can no longer trust anything on your screen.
The downstream consequences are significant:
Financial loss from fraudulent transfers and invoice redirection.
Data breaches and credential theft that enable deeper intrusion and ransomware.
Operational disruption when systems or funds are seized. The 2025 Jaguar Land Rover ransomware incident, which began with social engineering, is estimated to have caused losses around GBP 1.9 billion.
Reputational harm to brand and executive trust.
Regulatory exposure, especially in regulated sectors. In financial services, the human element is present in roughly 65% of breaches.
Most organizations have invested well, but the controls in place were designed for an earlier threat model. The table below shows the gap.
| Control already in place | What it stops | What it does not stop |
|---|---|---|
| Phishing-resistant MFA (FIDO2) | Credential phishing, push bombing, account takeover from stolen passwords | An authenticated user acting on a deepfake instruction. MFA confirms the device, not the intent. |
| Security awareness training | Static phishing templates and obvious pretexts | Real-time synthetic voice or video the employee has no trained pattern to recognize |
| Callback verification on wires | Single-channel impersonation by email or voice alone | A live multi-party video call where the callback target is itself the deepfake |
Each control quietly assumes the person on the other end is real. Modern social engineering breaks that assumption.
A strong defense combines technology, process, and people.
Deploy real-time, multi-channel detection. Verify authenticity across video, voice, email, SMS, and files during the interaction, not after the damage is done.
Harden high-risk processes. Require out-of-band approval for wire transfers, banking changes, and credential resets, and add friction to anything labeled urgent or confidential.
Strengthen the help desk. Give agents identity assurance signals so a confident caller cannot talk their way into a reset.
Modernize awareness training. Teach employees that a familiar face or voice is no longer proof of identity, and run simulations on phone and SMS vectors, not just email.
Extend visibility to mobile. Manage and monitor the mobile devices employees actually use for work, since many attacks now arrive there.
Verify identity continuously. Build trust from a verified history of interaction rather than assuming it at the start of a conversation.
Integrate with your SOC. Feed alerts and forensic evidence into existing incident response workflows.
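The out-of-band approval step above can be written as a policy gate. The sketch below is an added example, not Netarx code or part of the original article. It assumes hypothetical action and channel labels, a "directory" contact source meaning a system of record, and that the extra friction for urgent or confidential requests is one additional independent approver.

```python
from dataclasses import dataclass, field

# Hypothetical labels for the high-risk actions and pressure cues the list names.
HIGH_RISK = {"wire_transfer", "banking_change", "credential_reset"}
PRESSURE = {"urgent", "confidential"}

@dataclass
class Approval:
    approver: str
    channel: str         # channel the confirmation arrived on
    contact_source: str  # "directory" (system of record) or "request" (supplied by requester)

@dataclass
class Request:
    action: str
    requester: str
    channel: str         # channel the request arrived on
    flags: set = field(default_factory=set)
    approvals: list = field(default_factory=list)

def is_out_of_band(req, a):
    """Count an approval only if it comes from a different person, on a different
    channel, reached through a contact the requester did not supply."""
    return (a.approver != req.requester and a.channel != req.channel
            and a.contact_source == "directory")

def decide(req):
    """Return (decision, reasons); pressure cues raise the bar (assumed: +1 approver)."""
    if req.action not in HIGH_RISK:
        return "allow", []
    needed = 2 if req.flags & PRESSURE else 1
    reasons = [f"{a.approver} via {a.channel} is not out-of-band"
               for a in req.approvals if not is_out_of_band(req, a)]
    valid = {a.approver for a in req.approvals if is_out_of_band(req, a)}
    if len(valid) < needed:
        return "hold", reasons + [f"{len(valid)}/{needed} independent approvals"]
    return "allow", reasons

# Constructed sample: an urgent, confidential wire requested on a video call and
# "confirmed" only by another participant on that same call.
SAME_CALL = Request("wire_transfer", "cfo", "video", {"urgent", "confidential"},
                    [Approval("controller", "video", "request")])
# Constructed sample: same request, confirmed by two people reached via the directory.
VERIFIED = Request("wire_transfer", "cfo", "video", {"urgent", "confidential"},
                   [Approval("controller", "phone", "directory"),
                    Approval("treasurer", "in_person", "directory")])

if __name__ == "__main__":
    for r in (SAME_CALL, VERIFIED):
        print(decide(r))
```

The same-call confirmation is held because it shares the requesting channel, which is the gap the controls table describes for callback verification.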
For a deeper framework on closing this gap, see why a dedicated detection layer is now a baseline requirement.
Netarx is a trust operations platform built to defend the human attack surface that social engineering targets. Rather than relying on a single signal, it analyzes more than 75 metadata signals alongside multimodal voice and video AI models, correlating them in real time across every communication channel. At the center is the Netarx Identity Key, a device-installed passkey that travels with every communication and grows more accurate as a verified relationship builds. The result for the end user is a single, simple traffic light. Green means trust, yellow means caution, red means stop. There are no dashboards to interpret and no alerts to triage. Capabilities relevant to social engineering defense include:
All-media coverage across video, voice, email, SMS, file, and image, so multi-channel campaigns are not missed.
Real-time alerts delivered inside the workflow as the interaction happens.
Injection and replay resistance that flags virtual cameras and pre-recorded video used to fake live calls.
Continuous identity verification that extends assurance beyond a single call.
An inference marketplace that adds new models as attack techniques evolve.
Explore the full capability set on the Netarx product page.
SOURCES & REFERENCES
Verizon. (2026). 2026 Data Breach Investigations Report. verizon.com
CFO Dive. (2024). Scammers Siphon $25M From Engineering Firm Arup via AI Deepfake 'CFO'. cfodive.com
Salesforce Ben. (2025). ShinyHunters 'Breach 400 Companies' via Salesforce Experience Cloud. salesforceben.com
SecurityWeek. (2026). Nearly 1 Million User Records Compromised in Figure Data Breach. securityweek.com
Cybersecurity Dive. (2025). Jaguar Land Rover Extends Production Delay Following Cyberattack. cybersecuritydive.com

CEO/Founder of Netarx LLC, real-time detection of deepfake and social engineering threats via enterprise video, voice and email. Managing Partner of Koach Capital, a private equity firm managing a multitude of commercial real estate (CRE) funds whose focus is retail sale-leasebacks. Sandy's entrepreneurial success began by founding a network integration and services provider that served large enterprises. It focused on advanced technologies including Business Intelligence (BI), Network & Information Security, Virtualization, Storage Area Networks, Unified Communications and Data Center Services. In 2009, Netarx acquired the VAR business of Analysts International (including Sequoia and Entree Systems). In 2011 Netarx was acquired by Logicalis (a division of Datatec - Symbol LSE: DTC), and Sandy stayed on as its Chief Technology Officer. He continued to build by founding Verge.io (formerly Yottabyte) and Service.com. Sandy also served as a General Partner of Ludlow Ventures, a venture capital fund focusing on investments in early-stage tech companies. Sandy contributes to the community via lectures, publications and developing new technologies; he currently holds 8 patents.
Email phishing remains the most common method. However, attackers are rapidly expanding into phone, SMS, and video, and these mobile and live-interaction vectors often succeed at higher rates than email.