Social engineering is often described as manipulation.
In practice, it is closer to persuasion under pressure.
These attacks work not because people are careless, but because modern work depends on speed, trust, and constant communication. As those conditions change, social engineering changes with them.
Why social engineering keeps evolving
Technical defenses continue to improve.
Human workflows are harder to lock down.
As organizations adopt new tools and remote practices, attackers adapt quickly. They follow behavior, not technology.
Trends in social engineering usually mirror how people actually work.
Targeted impersonation of individuals is on the rise, while mass phishing continues to occur but has become less prevalent in terms of causing damage.
Other types of attacks are showing an increased reliance on:
1. Tailored messages based upon someone's professional title or position
2. Reference to real life projects or vendors
3. Use of company/organizational terminology and appropriate timings
4. Short messages asking for something legitimate/judicious
Attackers will not try to dupe everybody, but rather find the one person in a designated target pool of individuals.
Attackers are continuing to use legitimate forms of communication that people are familiar with in order to conduct attacks upon them.
The most common ways that attackers use communication platforms include:
1. Business email invitations and meetings
2. Instant Direct Messages (e.g., Slack, Teams) which facilitate collaboration with co-workers and team members as well as sending files,
3. File Sharing Apps e(g., Dropbox, Box, One Drive), and
4. SMS and Messaging Applications
Due to the familiarity people have with communication platforms/ways of communicating, any unusual requests will feel like routine actions on behalf of the receiving party.
Urgency without drama
Modern social engineering is quieter than it used to be.
Messages are often:
1. Polite and brief
2. Time-bound rather than threatening
3. Framed as routine follow-ups
“Can you take care of this before the meeting?” works better than panic.
Merging personal and work relationships
The distinction between professional and personal interactions is becoming less and less clear.
Real examples of this phenomenon include:
1. Corporate requests being sent to the individual’s personal email account or via a personal message application.
2. A false executive impersonating a real-life executive during after-hours hours.
3. Advertisement threads on social media eventually leading to work-related discussions.
Both attackers exploit switching contexts, not lack of knowledge.
Usage of information that is general, available to all
Social engineers use background searches for initial points of contact.
Social engineers obtain information through:
1. Publicly created social media accounts, job postings
2. Corporate announcements (press releases for new positions within a company, etc.)
3. Corporate correspondence via public forums or using social media
4. Information acquired in recent hacking incidents
This enables the perpetrator to produce a message that appears professional without causing further question on motivation.
Examples from real-life situations
Example 1 : Theft of Payment Information
An outsider posed as our legitimate vendor (supplier), which is how the fraud was executed. They sent an email requesting our bank account information and specified the updated banking information they wanted us to use for future payments.
How they did this:
1. They provided invoice numbers which we use.
2. They sent the email at a time that matched when we typically issue payments.
3. It seemed like an action that was administrative in nature, so it didn’t feel that urgent.
Example 2 : Tool and Software Access Request
An email from IT was sent requesting access verification.
How they did this:
1. The email used the same terms/phrases we typically use.
2. The email request was sent at a time when our company was performing a system upgrade.
3. The access verification was only needed temporarily.
Example 3 : Executive Messages Outside Business Hours
A text message was sent to a subordinate from a high-level executive seeking assistance on a “quick” project.
How they did this:
1. The message had the same tone and quality as messages this executive usually sent.
2. It was sent after normal approval hours.
3. The subordinate did not want to delay the executive’s ability to complete his task.
How Awareness Helps:
Generic governmental awareness campaigns regarding “phishing” have limited effectiveness. Much more effective means of creating awareness include focusing on:
1. Unexpected request to take actions that are not part of our established procedures.
2. Changes in the payment banking or access process.
3. Pressure to complete urgent requests without any means of external verification
4. Requests made through an unusual form of communication.
These signals are generally easier to recognize than technical phishing indicators.
Organizations effectively managing social engineering threats do so with trust rather than fear. In addition, they often:
1. Normalize verification rather than point fingers.
2. Maintain simple and transparent approval processes.
3. Encourage people to take a moment to reflect about requests that seem out of the ordinary.
4. Review incidents without focusing on the cause.
Doing so creates an environment where people can remain open about their activity and not be concerned that they will be penalized for making a mistake when verifying someone’s identity, thereby reducing their potential exposure.
What to take away
Social engineering works because it fits into normal work.
Understanding trends helps organizations adjust expectations and processes, not just training.
The goal is not to make people suspicious of everything.
It is to make unusual requests easier to question.