Social Engineering Research
Research Hub
- AI & LLM Security Research
- SaaS Risk & Shadow IT Research
- Original Research & Reports
- AI & Cybersecurity Policy Tracker
- Cyber & AI Market Intelligence
- AI Model Benchmark Lab
- Security & AI Glossary
- Breach & Incident Timeline
- Ransomware Research
- Phishing Research
- Supply Chain Attack Research
- » Social Engineering Research
- Nation-State Threat Research
- Malware Analysis Research
- Cyber Insights Library
Contact Us
Independent cybersecurity and AI research — free to browse, updated as the threat landscape moves, with no vendor sponsorship influencing the coverage.
Social Engineering, BEC, and AI-Assisted Impersonation
Social engineering exploits human psychology rather than a technical vulnerability in software. There is no patch for trust, urgency, or authority, which is exactly why social engineering remains effective against organisations with otherwise mature technical defences. Business email compromise, vishing, smishing, and deepfake-assisted impersonation are the fastest-growing vectors in current enterprise attack research.
This page focuses on the human-manipulation side of these attacks. For the email delivery mechanics specifically, see our dedicated Phishing Research page.
Business Email Compromise: The Costliest Category
Business email compromise (BEC) is a targeted, research-driven form of social engineering where an attacker impersonates an executive, vendor, or attorney to convince an employee to execute a fraudulent wire transfer or disclose sensitive information. Unlike broad phishing, BEC often involves no malware or malicious links at all — many attacks are pure social engineering delivered through a clean, unremarkable email.
The FBI’s IC3 2025 Annual Report recorded $3,046,598,558 in verified BEC losses from 24,768 complaints, making BEC the second-highest cybercrime category by financial loss in the US, trailing only investment fraud. Three-year trend: $2.94B (2023), $2.77B (2024), $3.046B (2025). Losses per complaint average over $122,000, and 86% of BEC funds move via wire transfer or ACH, making them fast-moving and often unrecoverable.
Source: FBI Internet Crime Complaint Center (IC3), 2025 Internet Crime Report, ic3.gov.
- BEC losses: $3.046 billion from 24,768 complaints in 2025 (FBI IC3) — second-highest crime category by loss
- Average BEC loss per complaint: over $122,000
- 86% of BEC funds move via wire transfer or ACH — fast-moving and often unrecoverable
- FBI tracked AI-related crime as a formal category for the first time in 2025: 22,364 complaints, $893M in losses
- AI voice cloning and deepfakes now documented enterprise threat vectors for executive impersonation
- Verizon 2026 DBIR: mobile-based social engineering shows higher engagement than email-based attempts
- Pretexting (impersonation built around ongoing trust) flagged as a rising pattern in 2026 DBIR data
- 3-year BEC loss trend: $2.94B (2023) → $2.77B (2024) → $3.046B (2025)
Deepfakes, Vishing, and Pretexting
AI voice cloning tools can reproduce a specific executive’s voice from a small sample of public audio, allowing an attacker to provide a convincing phone confirmation for a fraudulent request. This undermines the traditional advice to “verify by calling back,” since the voice on the call may itself be synthetic. Combined with an AI-drafted email matching that executive’s actual writing style, the traditional tells that used to expose BEC attempts are disappearing.
Pretexting, called out specifically in Verizon’s 2026 DBIR as a rising pattern, differs from a single cold phishing attempt in that it is built around an ongoing, seemingly legitimate conversation or relationship — the attacker impersonates a known vendor, IT team member, or business contact inside an existing communication thread, making the deception considerably harder to catch.
Prevention: Verify any request to change payment details using a phone number obtained independently of the email itself. Require dual approval for wire transfers above a defined threshold. Implement DMARC, SPF, and DKIM. Train staff specifically on pretexting patterns, not just obvious phishing red flags.
Social engineering is an attack technique that manipulates human psychology — exploiting trust, urgency, or authority — rather than a technical vulnerability. Business email compromise, vishing, smishing, and pretexting are all forms of social engineering.
BEC is a targeted social engineering attack where an attacker impersonates an executive, vendor, or attorney via email to convince an employee to execute a fraudulent wire transfer or disclose sensitive information. It is research-driven and personalised, unlike broad phishing campaigns.
The FBI's IC3 2025 Annual Report recorded $3,046,598,558 in verified BEC losses in the US from 24,768 complaints, making it the second-highest cybercrime category by financial loss. Losses per case average over $122,000.
AI voice cloning tools can reproduce a specific executive's voice from a small sample of public audio, allowing an attacker to provide a convincing phone confirmation for a fraudulent request, undermining the traditional advice to verify suspicious requests by calling back.
Contact your bank's fraud department immediately to request a wire recall, file a complaint at ic3.gov as soon as possible with complete wire transfer details, and ask specifically about the FBI's Recovery Asset Team and Financial Fraud Kill Chain process, since recovery odds drop sharply the longer funds have had to move.