2025 Learnings from 100,000+ Attacks for Your 2026 Defense

January 29, 2026

Social engineering attacks are becoming more sophisticated, personalized, and dangerous than ever before. After analyzing over 100,000 security simulations across multiple organizations, including more than 10,000 vishing simulations, we've identified four critical trends reshaping the cybersecurity landscape in 2025.

1. Voice cloning: The fastest-growing high-impact attack vector

Vishing has evolved from simple automated calls into one of the most dangerous social engineering techniques. Modern voice cloning tools can now convincingly replicate someone's voice using just a few seconds of publicly available audio, like a video from social media or a recorded call. Our data reveals a stark reality: AI-powered voice attacks achieve interaction rates more than twice as high as generic voice-based attempts. When attackers impersonate familiar voices - colleagues, executives, or trusted vendors - employees naturally lower their guard and engage more readily.

Why voice cloning works so well

  • Organizational size matters: In smaller companies, employees know colleagues personally, making impersonation harder to sustain. In larger organizations, limited personal familiarity creates opportunities for attackers to exploit partial recognition.
  • Perceived authority amplifies compliance: Calls appearing to come from senior leadership or management trigger immediate compliance, especially under perceived urgency.
  • Familiarity without daily interaction: The most effective attacks target individuals who are familiar by role or name but not part of regular daily interaction, reducing the likelihood of detecting unusual behavior.

Real-world impact: The €1 Million deepfake vishing case

A notable example involved attackers impersonating Italy's Defence Minister Guido Crosetto using voice cloning technology. They targeted members of billionaire Beretta and Bugatti-Rimac families, resulting in a confirmed loss of €1 million. The attackers created elaborate scenarios involving fake kidnapped journalists, exploiting trust and urgency to pressure victims into transferring funds.

2. Personalization over volume: The new phishing strategy

Generic "spray-and-pray" phishing is dead. Attackers have shifted to highly contextualized, targeted lures that resemble legitimate business communications. Approximately 50% of phishing emails now use spear-phishing techniques, leveraging open-source intelligence (OSINT), organizational context, and leaked information from darknet sources. This allows attackers to construct credible, workflow-relevant narratives targeting specific individuals with messages that include well-crafted signatures and closely follow routine workflows:

  • Document and task-related simulations: 39% interaction rate
  • Communication invites: 25% interaction rate
  • Task management alerts: 20% interaction rate

Employees click because everything "looks right" and routine urgency reinforces that behavior. In contrast, generic, non-contextualized messages average only about 1% interaction - users have become familiar with typical phishing templates and are far more cautious.

3. Multi-channel attacks: Engineering trust through coordinated campaigns

Attackers are no longer limiting themselves to a single communication channel. Instead, they're orchestrating sophisticated campaigns across email, SMS, collaboration tools, messaging apps, and voice calls. In a typical multi-channel attack:

  1. An initial phishing email establishes contact
  2. A message or calendar invitation follows
  3. An SMS adds legitimacy
  4. A voice or video call reinforces credibility+

Each touchpoint builds on the previous one, creating a sense of legitimacy that's extremely difficult to detect. Our data shows dramatic results: Simulations using more than two communication channels increase the likelihood of non-protective user actions by up to ten times compared to single-channel scenarios. Agentic AI and modern automation enable attackers to easily coordinate these multi-channel campaigns, building credibility through reinforcing touchpoints that make attacks nearly indistinguishable from legitimate communication.

4. Beyond email: Social media and encrypted messaging as attack vectors

Another clear trend in 2025 is the expansion of phishing beyond email. Attackers actively seek less monitored and more trusted channels to reach targeted employees. Encrypted messaging apps like Signal, WhatsApp, and Telegram provide direct, private access with limited security controls. These platforms deliver messages instantly to mobile devices, encouraging quick responses. According to CISA alerts, threat actors are using phishing lures, malicious links, and mobile-focused exploits to compromise users of these communication apps.

Social media platforms account for approximately 22.5% of phishing incidents. Meta recently confirmed the takedown of more than 6.8 million WhatsApp accounts linked to criminal scam operations, while LinkedIn reported removing over 116 million accounts following spam or scam activity detection in 2025 alone. While platform providers actively work to combat this abuse, the scale of the problem is evident in transparency reporting, and many attacks succeed before detection.

The bottom line: Technical controls aren't enough

The 2025 threat landscape represents a structural shift in social engineering. Attackers are orchestrating sophisticated, multi-channel campaigns that exploit human psychology across various platforms simultaneously. What makes this particularly dangerous: When a deepfake call is followed by a WhatsApp message and a shared document, the multi-channel reinforcement dramatically increases success rates. Technical controls alone are insufficient to mitigate these threats. Organizations must fundamentally rethink their security posture with:

  • Comprehensive awareness training that reflects real-world attack patterns
  • Stronger verification protocols across all communication channels
  • Regular realistic simulations including vishing, multi-channel attacks, and social media scenarios

We are entering a period where social engineering is becoming more personal, more convincing, and harder to recognize, pushing organizations to reinforce verification habits and strengthen their overall security awareness.

Ready to Activate Your Human Firewall?

Download our complete Human Attack Surface: Threat Trends 2025 Report for deeper insights into the data, real-world case studies, and actionable recommendations to protect your organization against these evolving threats.

It's never too late to activate your human firewall. Start in 2026!

Subscribe to our newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Last published articles
Leading Security Beyond Compliance: Lessons from Dr. Daniel Schatz
ConsentFix Emerges: Abusing OAuth Trust to Bypass Modern Defenses
Messaging Apps have become a Prime Channel for Phishing and Spyware
‍When AI calls: In-call Training for Maximum Awareness
Activate Your Human Firewall

revel8 GmbH
Merantix AI Campus
Max-Urich-Straße 3
13355 Berlin, Germany

© 2025 Company Shield. All rights reserved.

Privacy PolicyImprintTerms and ConditionsCookies Settings