Palo Alto Networks’ latest Unit 42 Global Incident Response Report: Social Engineering Edition shows that social engineering remains the #1 initial access vector.

Among the more than 700 cases Unit 42 investigated between May 2024 and May 2025, 36% of all incidents began with social engineering. Of those:
- 65% were phishing
- 12% came from SEO poisoning or malvertising
- 1% involved smishing or MFA bombing
- The remaining 22%, listed as “other,” appear to involve predominantly vishing-style attacks, including phone-based impersonation, callback scams, and help desk pretexting.

More Stats from the Report
- 66% of social engineering attacks targeted privileged accounts
- 45% involved internal impersonation
- 23% used callback or voice-based lures (vishing)
- 60% led to data exposure
- ~50% were business email compromise (BEC), and 60% of those resulted in data loss

Additional Insights
- Threat actors are using GenAI to craft personalized lures using public information.
- Early agentic AI usage was observed in chaining activities such as cross-platform reconnaissance and message distribution.
- Unit 42 urges defenders to move beyond user education and treat social engineering as a systemic vulnerability.
- Many attacks succeeded due to excessive permissions, weak MFA coverage, and overburdened or undertrained frontline teams.

In addition to the mitigations recommended in the report, one of the most important controls for preventing targeted social engineering attacks is removing the exposed personal data that attackers use to impersonate, pretext, and deceive. This is a necessary proactive step to reduce the volume of attacks and the burden on security teams.

Read the full report here: https://lnkd.in/d82YuzSJ