Attackers have been increasingly turning to social engineering, says Palo Alto Networks

13% of critical alerts went unnoticed or misclassified, giving attackers an opening to exploit weak points such as identity recovery workflows and lateral movement paths.

Palo Alto Networks, the global cybersecurity leader, recently released its 2025 Unit 42 Global Incident Response Report: Social Engineering Edition. The report highlights how attackers have been increasingly turning to social engineering, exploiting trust rather than technology to gain initial access and move inside organizations. 

Drawing from more than 700 incident response cases globally between May 2024 and May 2025, the report reveals that 36% of all incidents in the IR caseload began with a social engineering tactic. These tactics are increasingly diverse, with more than one-third of social engineering incidents involving non-phishing methods such as search engine optimization (SEO) poisoning, fake system prompts, and help desk manipulation.

What stands out in this year’s findings is the speed at which these social engineering methods are advancing. Unit 42 has observed two clear patterns: targeted, high-touch compromise and broad, at-scale deceptions. The former involved impersonation of staff, manipulation of help desks and privilege escalation in real time using voice lures and stolen identity data. The latter, such as ClickFix, SEO poisoning and fake browser prompts, involved tricking users into compromising their own devices across multiple platforms.

Other key findings from the report include:

  • Low Detection Coverage and Alert Fatigue Enable Attacks: 13% of critical alerts went unnoticed or misclassified, giving attackers an opening to exploit weak points such as identity recovery workflows and lateral movement paths.

  • Escalating Business Disruption: Over 50% of social engineering incidents led to sensitive data exposure, while others caused service interruptions or broader operational impact. These fast-moving attacks maximize financial returns while requiring minimal infrastructure or risk.

  • Artificial Intelligence Accelerates Threats: Threat actors are leveraging generative AI to craft personalized lures. In fact, 23% of social engineering incidents already involved callback or voice-based techniques.

  • Profit Remains the Primary Driver: 93% of social engineering intrusions were financially motivated, highlighting that attackers continue to choose human-centered tactics because they are fast, effective, and cost little to execute.

  • Industries Most Impacted by Social Engineering Attacks: Manufacturing (15%) topped the list, followed by professional/legal services (11%), wholesale/retail (10%), and financial services (10%).

In the Philippines, risks such as identity-related fraud, illegal access, and data interference remain prevalent. Many of these are enabled by human-centered tactics like phishing and scams, which the National Cybersecurity Plan (2023–2028) addresses through stronger emergency response teams, incident response protocols, and nationwide cyber awareness programs.

“The biggest vulnerability in cybersecurity is not only about the technology; it is also about the exploitation of trust. Attackers are now using AI to scale deception, taking advantage of gaps in identity management and human interactions. The message is clear: Organizations must build resilience that protects not only their systems, but their people and processes too. The progress we’re seeing is encouraging, but staying ahead of these human-focused threats requires a collective effort,” said Philippa Cogswell, Vice President and Managing Partner, Unit 42, Asia-Pacific & Japan, Palo Alto Networks.

The report underscores that defending against social engineering requires a shift from relying on awareness alone to building systemic resilience, and recommends that organizations:

  • Strengthen identity security: Detect abnormal logins, multi-factor authentication (MFA) abuse, and credential misuse early with identity-based analytics and Identity Threat Detection and Response (ITDR) capabilities.

  • Adopt Zero Trust access: Enforce least privilege, apply conditional access policies, and segment networks to contain intrusions under a comprehensive Zero Trust security model.

  • Secure human workflows: Protect help desks and identity recovery processes with stronger verification, and train frontline staff to recognize impersonation, pretexting, and voice-based scams.

  • Expand visibility beyond email: Monitor browsers, Domain Name System (DNS) activity, and collaboration platforms to stop fake prompts, SEO poisoning, and malicious links before they spread.

To download the full report, please visit: https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-report-social-engineering-edition/
