Social Engineering Beyond Phishing: New Tactics and How to Combat Them

Social engineering is a manipulation technique that exploits human psychology to gain unauthorized access to systems, networks, or data, unlike cyberattacks that rely on technical vulnerabilities, social engineering preys on trust, fear, urgency, and other emotional triggers to deceive individuals into compromising security protocols. It remains one of the most effective tools in a cybercriminal’s arsenal, evolving constantly to stay ahead of traditional defenses.

In its simplest form, social engineering takes advantage of the weakest link in any security system: people. No matter how sophisticated an organization’s technical defenses might be, they can be rendered ineffective if employees are manipulated into granting access or divulging sensitive information. Understanding social engineering mechanisms and adopting robust countermeasures is essential for today’s cybersecurity landscape.

Emerging Social Engineering Tactics

While some methods, like smishing and pretexting, have been around for years, their use continues to adapt to changing technologies and societal behaviors. Here, we focus on newer tactics that pose a significant threat to organizations, especially in the context of audit, risk, and compliance challenges.

Deepfake Impersonation 

Deepfake technology leverages artificial intelligence to create hyper-realistic audio and video of individuals, making it nearly impossible to discern authenticity without advanced tools. For instance, a deepfake of a company’s CEO may be used to instruct an employee to authorize a fraudulent transaction under the guise of a “confidential” matter. Deepfake technology has progressed rapidly, with cybercriminals deploying it to bypass traditional verification processes. These attacks often exploit trust within organizations, particularly when employees are conditioned to comply with authority figures. In one case, a finance department wired significant funds to an external account following instructions from what appeared to be their CEO on a video call.

The Key Risk

Employees in siloed departments, who may not have direct relationships with executive leadership, are especially vulnerable. Additionally, industries with high turnover rates may struggle to establish the rapport necessary for employees to question the authenticity of such interactions.

AI-Powered Chatbots 

Cybercriminals are deploying AI-driven chatbots to simulate authentic conversations. These bots can engage with individuals over extended periods, gradually building trust to extract sensitive information or credentials. These bots—trained to mimic conversational patterns—often pose as customer support agents or recruiters. By simulating familiarity and professionalism, they can manipulate targets into sharing passwords, account details, or even personal identifiers. Organizations with decentralized customer support systems are particularly at risk.

The Key Risk Customer-facing teams, such as support staff, may unknowingly provide sensitive data to these bots, thinking they are assisting legitimate users. In larger enterprises, this risk multiplies due to the volume of interactions and the potential for oversight.

Augmented Reality (AR) Scams 

Emerging AR technologies are being used to create immersive environments that deceive individuals. For example, an attacker might simulate an IT troubleshooting session through AR glasses, convincing employees to disclose login details or plug in compromised hardware. The sophistication of AR scams lies in their ability to blend the virtual with the physical. Attackers can exploit unfamiliarity with AR devices to create convincing scenarios. For example, an attacker might claim to be an external consultant troubleshooting a system failure, leveraging AR visuals to build credibility.

The Key Risk

Organizations leveraging AR for training or operations are particularly susceptible, as attackers can exploit unfamiliarity with this technology. Employees in technical roles, such as IT support, are at the forefront of such risks.

IoT Exploitation 

As Internet of Things (IoT) devices proliferate, they become attractive targets for social engineers. For example, attackers may impersonate a smart device technician to gain physical or network access. With IoT devices often lacking robust security measures, attackers can exploit weak entry points to infiltrate broader networks. This tactic becomes particularly concerning in industries like healthcare, where IoT devices are used for critical functions.

The Key Risk

Facilities management or IT teams tasked with maintaining IoT devices may inadvertently grant access, believing they are working with legitimate vendors. The interconnected nature of IoT networks means a single compromised device can have far-reaching consequences.

Defending Against Social Engineering

Organizations can mitigate the risk of social engineering by implementing robust defenses and fostering a security-first culture. Below are actionable steps tailored for audit, risk, and compliance professionals:

Conduct specialized training and go beyond generic awareness programs to include:

• Real-life case studies demonstrating the impact of newer tactics.
• Role-specific training for departments like finance, HR, and IT to address their unique risks.
• Simulation exercises, such as mock deepfake calls or phishing drills.

Effective training programs should also incorporate behavioral psychology principles to make employees more aware of their susceptibility to manipulation. For example, highlighting common emotional triggers—such as urgency and fear—can help employees recognize and resist such tactics.

Adopt multi-layered authentication to ensure that sensitive processes require more than just passwords. MFA has proven to be a robust countermeasure, significantly reducing the likelihood of successful credential theft. However, organizations must ensure that employees understand its importance and consistently adhere to authentication protocols.

• Use multi-factor authentication (MFA) with biometric or hardware-based tokens.
• Implement voice recognition software to counteract vishing and deepfake audio threats.
• Require physical confirmation for high-value transactions, such as two-party verification.

Establish verification protocols to create clear, enforceable policies for verifying identities. Verification protocols are particularly effective when coupled with tools that flag anomalies, such as unusual request patterns or deviations from standard communication channels.

• Require employees to cross-check any urgent or unusual requests with an independent channel.
• Maintain an internal directory with verified contact methods for key personnel.
• Develop escalation procedures for high-risk scenarios.

Building a cohesive security culture requires active participation from leadership. When executives prioritize cybersecurity, it sets a tone that permeates the organization, making it harder for attackers to exploit gaps in responsibility.Social engineers often exploit silos where security and compliance are perceived as “not my job.” Overcome this by:

• Encouraging cross-departmental communication and collaboration.
• Embedding security liaisons within non-technical teams to foster local accountability.
• Conducting regular interdepartmental reviews of security practices.

Leverage advanced technology and deploy tools designed to detect and mitigate social engineering attempts. Technology can complement human vigilance, providing a safety net that catches threats employees might overlook. However, tools are only as effective as the policies and training that support them.

• AI-driven software that flags anomalies in communication patterns.
• Endpoint detection systems capable of recognizing spoofed devices or links.
• Real-time monitoring tools for social media to identify potential reconnaissance activities.

Audit social media practices, as many attacks originate from overshared personal or organizational information. Social media hygiene should be a core component of any security strategy, as attackers often rely on publicly available information to craft convincing pretexts.

• Conduct regular audits of employees’ public-facing profiles.
• Provide guidance on limiting exposure, such as setting profiles to private and avoiding posts about internal projects.
• Monitor organizational social media channels for signs of impersonation.

Looking Ahead

Social engineering is constantly evolving. With advancements in AI, AR, and IoT, attackers are finding new ways to exploit human and technological vulnerabilities. The next frontier may involve even more seamless integrations of technology and psychology, such as AI chatbots capable of adapting in real-time based on user responses.

Organizations must recognize that staying ahead of these threats requires a commitment to continuous learning, collaboration across departments, and investment in advanced security solutions. Cybersecurity is not a static discipline; it evolves alongside the threats it seeks to mitigate. By fostering a culture of vigilance, prioritizing education, and leveraging both human and technological defenses, organizations can empower themselves to counter even the most sophisticated social engineering attacks.

Ultimately, the battle against social engineering is a collective effort. It requires everyone—from entry-level employees to executive leadership—to embrace their role in safeguarding organizational security. By adopting proactive measures and staying informed, organizations can transform their weakest link into their strongest defense.