Social Engineering, BEC, and AI-Assisted Impersonation

Social engineering exploits human psychology rather than a technical vulnerability in software. There is no patch for trust, urgency, or authority, which is exactly why social engineering remains effective against organisations with otherwise mature technical defences. Business email compromise, vishing, smishing, and deepfake-assisted impersonation are the fastest-growing vectors in current enterprise attack research.

This page focuses on the human-manipulation side of these attacks. For the email delivery mechanics specifically, see our dedicated Phishing Research page.

Business Email Compromise: The Costliest Category

Business email compromise (BEC) is a targeted, research-driven form of social engineering where an attacker impersonates an executive, vendor, or attorney to convince an employee to execute a fraudulent wire transfer or disclose sensitive information. Unlike broad phishing, BEC often involves no malware or malicious links at all — many attacks are pure social engineering delivered through a clean, unremarkable email.

The FBI’s IC3 2025 Annual Report recorded $3,046,598,558 in verified BEC losses from 24,768 complaints, making BEC the second-highest cybercrime category by financial loss in the US, trailing only investment fraud. Three-year trend: $2.94B (2023), $2.77B (2024), $3.046B (2025). Losses per complaint average over $122,000, and 86% of BEC funds move via wire transfer or ACH, making them fast-moving and often unrecoverable.

Source: FBI Internet Crime Complaint Center (IC3), 2025 Internet Crime Report, ic3.gov.

Deepfakes, Vishing, and Pretexting

AI voice cloning tools can reproduce a specific executive’s voice from a small sample of public audio, allowing an attacker to provide a convincing phone confirmation for a fraudulent request. This undermines the traditional advice to “verify by calling back,” since the voice on the call may itself be synthetic. Combined with an AI-drafted email matching that executive’s actual writing style, the traditional tells that used to expose BEC attempts are disappearing.

Pretexting, called out specifically in Verizon’s 2026 DBIR as a rising pattern, differs from a single cold phishing attempt in that it is built around an ongoing, seemingly legitimate conversation or relationship — the attacker impersonates a known vendor, IT team member, or business contact inside an existing communication thread, making the deception considerably harder to catch.

Prevention: Verify any request to change payment details using a phone number obtained independently of the email itself. Require dual approval for wire transfers above a defined threshold. Implement DMARC, SPF, and DKIM. Train staff specifically on pretexting patterns, not just obvious phishing red flags.

Social engineering is an attack technique that manipulates human psychology — exploiting trust, urgency, or authority — rather than a technical vulnerability. Business email compromise, vishing, smishing, and pretexting are all forms of social engineering.

BEC is a targeted social engineering attack where an attacker impersonates an executive, vendor, or attorney via email to convince an employee to execute a fraudulent wire transfer or disclose sensitive information. It is research-driven and personalised, unlike broad phishing campaigns.

The FBI's IC3 2025 Annual Report recorded $3,046,598,558 in verified BEC losses in the US from 24,768 complaints, making it the second-highest cybercrime category by financial loss. Losses per case average over $122,000.

AI voice cloning tools can reproduce a specific executive's voice from a small sample of public audio, allowing an attacker to provide a convincing phone confirmation for a fraudulent request, undermining the traditional advice to verify suspicious requests by calling back.

Contact your bank's fraud department immediately to request a wire recall, file a complaint at ic3.gov as soon as possible with complete wire transfer details, and ask specifically about the FBI's Recovery Asset Team and Financial Fraud Kill Chain process, since recovery odds drop sharply the longer funds have had to move.