Top Social Engineering Attacks and How to Protect Your Business From Falling Victim
As the digital landscape keeps evolving, cybercriminals keep finding new ways to reach sensitive information. Social engineering, a technique that is both common and on the rise, exploits human emotion (urgency, fear, trust, the wish to be helpful) to trick targets into performing an action such as sending money, divulging sensitive information or handing over authentication credentials.
Social engineering today includes tactics such as phishing (mass and spear), business email compromise, vishing and deepfake-assisted impersonation. The human element is involved in a large share of breaches: Verizon’s 2025 Data Breach Investigations Report, which analyzed more than 22,000 incidents and 12,195 confirmed breaches, lists phishing and stolen credentials among the top initial access vectors. A single victim can give an attacker the foothold needed to wreak havoc on an entire organization.
Explore the top social engineering techniques, as Doeren Mayhew’s IT advisory and cybersecurity pros highlight the most common attacks and what your business can do to safeguard it from falling victim.
Phishing
Phishing is the most familiar social engineering attack, and it is still one of the most frequently used ways to gain quick access to data. Attackers have become more sophisticated, which makes defending against them harder. A phishing message normally arrives as an email that appears to come from a legitimate source. Some attempts coerce the victim into giving up credit card details or other personal data; others are designed to harvest employee login credentials or other details that enable a follow-on attack against the company. Ransomware often starts with a single successful phishing email and escalates from that foothold into a much larger intrusion. More recently, many attackers have targeted Microsoft 365, sending emails that appear to come from Microsoft and asking the user to reset their password; the link leads to a credential-harvesting page, and modern kits proxy the real sign-in page so they can capture one-time codes and session cookies as well as the password.
Business Email Compromise Attacks
Fraudsters pose as C-level executives, whether by spoofing the display name, registering a lookalike domain or using a compromised mailbox, and attempt to trick key employees into performing a business function such as wiring money, changing a vendor’s bank details or buying gift cards. These attacks are especially dangerous because they appear to be legitimate internal requests, often contain no link or attachment for a filter to catch, and rely on urgency and deference to authority rather than on malware.
USB Baiting
While USB drives are used less than they once were, they remain a vector. Criminals load malware onto USB sticks and leave them where someone is likely to pick one up and plug it into a corporate machine, at which point the malicious code runs. Some of these "drives" are actually keystroke-injection devices that present themselves to the computer as a keyboard, so they do not need the victim to open any file. Device-control policies that block unknown removable storage and disable autorun close most of this vector.
Safeguarding Your Business
Awareness is key when it comes to social engineering, but training on its own is not enough. Your organization should have clearly set security policies that tell employees what to do when a suspicious request arrives, so that the right decision is the easy one. Effective mitigation requires a layered approach:
- Password management – Be sure employees are using strong, unique passwords, ideally generated and stored by a password manager. Educate them on what qualifies as a strong password and on best practices, in particular never reusing a work password elsewhere, since a password phished or leaked from one site is routinely tried against corporate accounts.
- Multi-factor authentication – Establish multi-factor authentication throughout the organization. It protects access to data and systems by requiring two or more identity verification factors to log in, typically something you know and something you have. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) for email and privileged accounts, because one-time codes and push approvals can be relayed by adversary-in-the-middle phishing kits or worn down by repeated push prompts.
- Email security with anti-phishing defenses – Multiple layers of email defense can minimize attacks, and many email security tools already have anti-phishing measures built in. Email authentication protocols, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), block messages that spoof your own domain, but only once the DMARC policy is set to quarantine or reject; a policy of none merely reports. They do nothing against lookalike domains or against mail sent from a compromised legitimate mailbox, so they complement rather than replace the verification controls below.
- Regular, realistic phishing simulations – Recent research shows many traditional anti-phishing training programs have limited effectiveness in reducing click rates when the lures are more difficult or deceptive. According to IBM, approximately 16% of breaches involved attackers using artificial intelligence, especially for crafting phishing or impersonation content, and deepfake voice and video impersonation is growing rapidly as well. Combining sophisticated tests with threat-aware training increases effectiveness.
- Strong verification controls – Written protocols for wire transfers, vendor account changes or any request to move funds: out-of-band phone verification using a number already on file (never a number given in the email), dual approval above a set threshold, and a mandatory waiting period before new bank details are used. These controls stop the attack even when the email itself looks perfect.
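The following is an added example, not code from the original article or from Doeren Mayhew, showing how the email-authentication and BEC checks above translate into triage logic on an inbound message. It evaluates DMARC-style alignment (a passing SPF or DKIM identifier whose domain aligns with the From: domain), flags an executive’s display name used from the wrong mailbox, and flags lookalike and Reply-To tricks that DMARC cannot catch. Everything specific is assumed for illustration: the organization’s domain is example.com, "Jane Doe" is its CEO, the Authentication-Results header is written by our own receiving mail server, relaxed alignment is approximated by comparing the last two DNS labels, and the three sample messages are constructed, not real traffic.

```python
"""Added example (not from the original article): inbound-mail triage for
DMARC alignment and business email compromise signals.

Assumptions (hypothetical): our domain is example.com, "Jane Doe" is the CEO,
Authentication-Results was added by our own MTA (which strips any copy that
arrives from outside), and alignment compares the last two DNS labels
(real DMARC uses the Public Suffix List).
"""
import email
import email.utils
import re
from email import policy

OUR_DOMAIN = "example.com"
# Lower-cased display name -> the only mailbox that name may legitimately use.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def org_domain(domain: str) -> str:
    """Organisational domain for relaxed alignment: the last two labels."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """Extract (result, domain) for spf and dkim from Authentication-Results."""
    out = {}
    m = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)", header)
    if m:
        out["spf"] = (m.group(1).lower(), m.group(2).lower())
    m = re.search(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", header)
    if m:
        out["dkim"] = (m.group(1).lower(), m.group(2).lower())
    return out


def dmarc_aligned(from_domain: str, auth: dict) -> bool:
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with From:."""
    for mech in ("spf", "dkim"):
        result, dom = auth.get(mech, ("none", ""))
        if result == "pass" and org_domain(dom) == org_domain(from_domain):
            return True
    return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> list[str]:
    """Return 'code: detail' findings for one RFC 5322 message; [] means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()

    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    if not dmarc_aligned(from_domain, auth):
        findings.append(f"dmarc-fail: no passing SPF/DKIM aligned with {from_domain}")

    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        findings.append(f"exec-impersonation: '{name}' used from {addr}")

    if from_domain != OUR_DOMAIN and edit_distance(from_domain, OUR_DOMAIN) <= 1:
        findings.append(f"lookalike-domain: {from_domain} is one edit from {OUR_DOMAIN}")

    if msg["Reply-To"]:
        reply_domain = email.utils.parseaddr(str(msg["Reply-To"]))[1].rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"reply-to-mismatch: replies go to {reply_domain}, not {from_domain}")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 invoice

Please process the attached invoice.
"""

# Exact-domain spoof: our own domain in From:, but SPF failed and nothing is DKIM-signed.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Urgent wire

Please wire the deposit today, I am boarding a flight.
"""

# Lookalike-domain BEC: DMARC passes because the attacker owns examp1e.com,
# so only the impersonation, lookalike and Reply-To checks catch it.
LOOKALIKE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.example
To: accounts@example.com
Subject: Vendor bank details changed

Update the payment details for our supplier before Friday.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, triage(sample) or ["clean"])
```

The lookalike message is the instructive case: SPF and DKIM both pass and align, so DMARC alone would deliver it. That is why the display-name, lookalike-domain and Reply-To checks, and ultimately the out-of-band verification in the last bullet, are needed alongside email authentication.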
Here to Help
Cybersecurity can be intimidating and daunting to tackle alone. Partnering with credentialed, experienced advisors can relieve the burden and give you a clear picture of how well your company’s data is protected. Doeren Mayhew’s cybersecurity pros stand ready to help. Rely on us to take a deep dive into your current security position and provide a strong action plan to combat current and future threats.