Hackers use social engineering, often through high-touch identity attacks, to steal data and cost companies millions.
Cybercriminals target the weakest link to breach a system, which increasingly is the human element. The 2025 Unit 42 Global Incident Response Report: Social Engineering Edition from Palo Alto Networks reveals that social engineering accounted for 36 percent of all investigated incidents last year.
The Human as the Most Popular Exploit
Social engineering in its broadest sense is therefore by far the most common access route: people are exploited more often than software vulnerabilities are. More than a third of these attacks used non-phishing methods such as SEO poisoning, fake browser alerts, and manipulation of helpdesk teams, as opposed to classic phishing techniques such as fraudulent emails.
Notable is the rise of so-called high-touch and identity-based attacks. High-touch attacks are targeted and interactive social engineering attacks. According to Unit 42, attackers can quickly gain domain admin rights by deceiving employees or helpdesk procedures. The Q2 2025 Ransomware Report from Coveware confirms this trend: identity-based social engineering has become mainstream and is used by groups like Scattered Spider, who target large, recognizable brands for maximum impact.
Annoying Spider
Scattered Spider, also known as Muddled Libra, is considered a prime example of modern social engineering groups in both reports. According to Coveware, the group deliberately targets large, recognizable brands in sectors such as retail, aviation, and insurance to build maximum operational pressure. The group is currently most active in the UK and the US.
Unit 42 describes how Scattered Spider employs high-touch techniques. Members of the group pose as internal employees, deceive helpdesks to reset multifactor authentication, and sometimes gain domain admin rights in less than forty minutes.
Legitimate Processes
Both Coveware and Unit 42 note that criminals increasingly misuse legitimate processes and tools. Stolen login credentials, often obtained via info-stealers or vishing (voice phishing – via phone), are used to access external services or third-party accounts, such as IT service providers.
In such cases, criminals do not install malware in breached environments. They strike using legitimate data and tools. Unit 42 points out that missed security alerts, excessive access rights, and the absence of multifactor authentication enable many of these attacks.
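The attack chain described above (a helpdesk MFA reset followed within the hour by a privileged group change) is one that the "missed security alerts" remark points at. The following detection logic is an added example, not code from either report or from any vendor product; the event names (`mfa_reset`, `group_add`), field names and the sample events are constructed for illustration and would need to be mapped onto the audit fields of your own identity provider or Active Directory.

```python
from datetime import datetime

# Constructed sample events (not real logs). jdoe's MFA is reset by the
# helpdesk and jdoe lands in Domain Admins 35 minutes later; asmith's reset
# and group change are hours apart; bwong is added with no prior reset.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T10:01:00", "event": "mfa_reset", "user": "jdoe", "actor": "helpdesk1"},
    {"ts": "2025-06-02T10:03:00", "event": "login", "user": "jdoe", "actor": "jdoe"},
    {"ts": "2025-06-02T10:36:00", "event": "group_add", "user": "jdoe", "actor": "jdoe",
     "group": "Domain Admins"},
    {"ts": "2025-06-02T09:00:00", "event": "mfa_reset", "user": "asmith", "actor": "helpdesk2"},
    {"ts": "2025-06-02T15:30:00", "event": "group_add", "user": "asmith", "actor": "admin7",
     "group": "Domain Admins"},
    {"ts": "2025-06-02T11:00:00", "event": "group_add", "user": "bwong", "actor": "admin7",
     "group": "Domain Admins"},
]

# Hypothetical list of groups whose membership change should be treated as
# privilege escalation; extend it with the tier-0 groups of your own domain.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse(events):
    """Convert ISO timestamps to datetime and return events in time order."""
    out = []
    for e in events:
        rec = dict(e)
        rec["ts"] = datetime.fromisoformat(e["ts"])
        out.append(rec)
    return sorted(out, key=lambda r: r["ts"])


def find_reset_then_privilege(events, window_minutes=60):
    """Alert on users whose MFA reset is followed, within window_minutes,
    by an addition to a privileged group. Returns a list of alert dicts."""
    recent_resets = {}  # user -> time of that user's most recent MFA reset
    alerts = []
    for rec in parse(events):
        if rec["event"] == "mfa_reset":
            recent_resets[rec["user"]] = rec["ts"]
        elif rec["event"] == "group_add" and rec.get("group") in PRIVILEGED_GROUPS:
            reset_at = recent_resets.get(rec["user"])
            if reset_at is None:
                continue  # escalation without a preceding reset is not this pattern
            minutes = (rec["ts"] - reset_at).total_seconds() / 60
            if minutes <= window_minutes:
                alerts.append({"user": rec["user"], "reset_at": reset_at,
                               "group": rec["group"], "minutes": minutes})
    return alerts


if __name__ == "__main__":
    for a in find_reset_then_privilege(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: MFA reset -> {a['group']} after {a['minutes']:.0f} min")
```

Run on the sample, only jdoe triggers: the reset-to-admin gap is 35 minutes, in line with the sub-forty-minute timeline Unit 42 describes. The window is deliberately a parameter; a wider window catches slower operators at the cost of more benign matches (a helpdesk reset and a planned admin change on the same day), so it is a tuning decision rather than a fixed rule.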
Stealing Data
The attackers’ goal is increasingly data exfiltration instead of or alongside encryption. Coveware notes that in 74 percent of ransomware and extortion cases, data was stolen, sometimes without systems being encrypted. More than half of the social engineering incidents in the Unit 42 study led to exposure of sensitive information or disruption of business processes.
The impact is significant. Coveware reports that both the average ($1.13 million) and the median ($400,000) ransom payment doubled compared to the previous quarter. Although only 26 percent of victims actually pay, the figures show that a successful social engineering attack can be not only technically but also financially and operationally devastating.
Zero Trust, MFA, and Patching
Companies should raise the cyber awareness of all employees, but awareness alone is not enough; the right technical defenses are essential. Least-privilege access rights (for example, enforced through a zero trust model), segmentation within the environment, and MFA can prevent social engineering attacks, or significantly limit the impact of the subsequent breaches carried out with legitimate credentials. Because the attacks described above go through the helpdesk, MFA resets in particular need an identity verification procedure that a caller claiming to be an employee cannot talk their way around.
Finally, social engineering is the main vector, but not the only one. Anyone who fails to promptly install a security patch for a known vulnerability in a software system can certainly expect to be attacked.
