Today, Palo Alto Networks Unit 42 released the 2025 Unit 42 Global Incident Response Report: Social Engineering Edition. This report explores the top initial attack vector we observed over the past six months – social engineering. During this period, over a third of all Unit 42 Incident Response cases began with a social engineering tactic.
The report analyzes how attackers are exploiting trust to breach organizations, leading to business disruption and financial loss. Insights are derived from Palo Alto Networks telemetry, over 700 incident response case studies, and Unit 42 threat research.
Social engineering is the most common initial access vector observed by Unit 42, with phishing accounting for 65% of social engineering-driven cases. These attacks often target privileged accounts (66%), utilize impersonation of internal personnel (45%) and involve callback or voice-based techniques (23%), which are becoming more sophisticated as attackers leverage AI.
The success of social engineering stems from exploiting human behavior and weak controls, rather than technical vulnerabilities. Our data reveals several key patterns driving the success of these social engineering attacks:
AI has the power to reshape social engineering threats. While traditional methods persist, attackers are now using AI tools for speed, realism and scale. Unit 42 has observed three levels of AI-enabled tooling in incidents:
This indicates a shift where AI components support conventional social engineering, increasing the scale, pace and adaptability of attacks.
In the report, Unit 42 outlines two top observed social engineering models, both designed to bypass controls by mimicking trusted activity:
High-touch compromise targets specific individuals in real time. Threat actors impersonate staff, exploit help desks and escalate access without deploying malware. This often involves voice lures, live pretexts and stolen identity data, as seen in Muddled Libra and various nation-state activities. These white-glove attacks are highly targeted and tailored, employing help desk impersonation, voice spoofing and technical reconnaissance to achieve deep access, broader system control and higher potential for monetization.
At-scale deception includes ClickFix-style campaigns, SEO poisoning, fake browser prompts and blended lures that trigger user-initiated compromise across multiple devices and platforms. Large-scale ClickFix campaigns trick users into executing malware through fraudulent system prompts and CAPTCHA tests. We’ve observed these attacks across healthcare, retail and government sectors, often resulting in widespread credential compromise and operational downtime.
Social engineering persists due to over-permissioned access, gaps in behavioral visibility and unverified user trust in human processes. Threat actors exploit identity systems, help desk protocols and fast-track approvals by mimicking routine activity. To counter this, security leaders must shift beyond user awareness, recognizing social engineering as a systemic threat. This requires:
As technology evolves, attackers exploit human trust and productivity. The nature of trust, verification and defense is changing. This report reflects trends and attacker innovations observed over the past six months. By contextualizing these findings, security leaders gain tools to recalibrate defenses, protect business continuity and maintain an edge in an evolving threat environment.
For a deeper dive into these evolving tactics and Unit 42's comprehensive analysis, download the full report here.
To discover how Unit 42 can empower your organization, visit our website.