2024's Social Engineering: Evolving Threats and How to Stay Safe

9 min read · Author: Jason Mitchell

As we move further into the digital age, social engineering remains one of the most effective tools in a cybercriminal’s arsenal. Far from fading away, these manipulative schemes have only grown more sophisticated, leveraging new technologies and exploiting emerging trends. In 2024, the landscape of social engineering is evolving rapidly, and the threats that await individuals and organizations are more subtle, targeted, and technologically advanced than ever before. Understanding these latest techniques is crucial for anyone looking to stay one step ahead of the cybercriminals.

How Social Engineering Tactics Have Evolved in 2024

Social engineering is the art of exploiting human psychology to gain access to confidential information or systems. Classic techniques like phishing emails and pretexting phone calls still exist, but in 2024, social engineers have refined their approaches using data analytics, artificial intelligence, and insights gleaned from our increasingly digital footprints.

According to the Verizon 2023 Data Breach Investigations Report, 74% of breaches involved the human element, primarily through social engineering attacks. This trend is set to continue, with attackers now using more personalized and context-driven schemes. For example, instead of sending generic phishing emails, cybercriminals are now able to craft highly convincing messages tailored to individual targets, using publicly available data from social media profiles and data leaks.

Attackers also leverage deepfake technology to mimic voices and even create realistic video calls, tricking users into believing they are communicating with a colleague or superior. In 2023, Europol warned that deepfake-enabled scams had risen by 25% year-on-year, a number expected to increase further in 2024 as the technology becomes more accessible.

The Rise of AI-Powered Social Engineering Attacks

Artificial intelligence has revolutionized many industries, but it’s also provided powerful tools for cybercriminals. AI-powered social engineering attacks can analyze massive datasets, identify patterns, and automate the crafting of convincing scam messages. These attacks are not only faster but also more effective, thanks to their ability to mimic natural language and adapt to the responses of targets.

One of the most notable advancements is the use of AI chatbots for spear phishing. Unlike traditional phishing emails, which might contain grammatical errors or generic content, AI bots can engage in real-time conversations that feel authentic. For example, a 2024 case in the financial sector involved an AI-driven chatbot impersonating an IT technician, successfully tricking employees into revealing their credentials during a simulated test. The chatbot adapted its questions based on the responses, making the deception even more convincing.

AI also plays a role in reconnaissance. By scraping social media, public records, and breached data, AI can build detailed profiles of potential victims. This allows attackers to craft messages that reference recent events, personal interests, or even professional milestones—making their scams far more believable.

Emerging Threats: Deepfakes and Synthetic Media

Deepfakes use AI to create hyper-realistic audio, video, or images that convincingly mimic real people. In social engineering, deepfakes are used to impersonate executives, family members, or trusted contacts, often in urgent or high-pressure scenarios.

In 2024, the use of deepfakes has expanded beyond simple voice spoofing. Now, attackers can generate live video feeds that appear indistinguishable from genuine video calls. According to a report from Cybersecurity Ventures, incidents involving deepfake technology are projected to cost businesses over $2.5 billion globally in 2024, up from $1.3 billion in 2022.

A notable example occurred in early 2024, when a multinational company’s finance department received a video call from what appeared to be the CFO, authorizing a fraudulent wire transfer. The deepfake was so convincing that even long-time employees were deceived, resulting in a loss of $1.6 million before the scam was uncovered.

Smishing, Vishing, and Hybrid Social Engineering Attacks

While email phishing remains a significant concern, attackers are increasingly turning to other communication channels. Smishing (SMS phishing) and vishing (voice phishing) attacks are on the rise, taking advantage of the trust people place in their mobile devices.

According to Proofpoint’s 2024 State of the Phish report, smishing attempts increased by 69% in the past year. Attackers use SMS messages to deliver malicious links, impersonate service providers, or request urgent action. With the proliferation of mobile banking and two-factor authentication codes, a compromised phone can be the gateway to a trove of sensitive information.

Vishing attacks, often powered by AI-generated voices, have also surged. In 2023, the FBI’s Internet Crime Complaint Center (IC3) reported a 50% increase in vishing complaints over the previous year. Hybrid attacks, which combine multiple communication methods (such as a phishing email followed by a vishing call), are becoming more common and harder to detect, exploiting the fact that people are less suspicious when a communication is “verified” through more than one channel.

Social Engineering in the Era of the Internet of Things (IoT)

The explosion of smart devices and the Internet of Things has created new opportunities for social engineers. According to Statista, by the end of 2024, there will be more than 17 billion connected IoT devices worldwide. Many of these devices are poorly secured and can be exploited for social engineering attacks.

For example, attackers might compromise a smart home assistant and use it to eavesdrop on conversations, gather sensitive information, or even impersonate household members. In the workplace, IoT devices such as smart printers, security cameras, or conference systems can be hijacked to gain initial access or to launch social engineering campaigns within an organization.

A 2024 study by Kaspersky found that 27% of IoT-related incidents involved some form of social engineering, often starting with phishing emails targeting administrators or end users responsible for device management.

Comparing Social Engineering Techniques in 2024

To understand the scope and impact of the latest social engineering techniques, it’s helpful to compare them side by side. The table below highlights key differences among several popular attack methods in 2024:

| Technique | Main Vector | Typical Target | Success Rate (Estimated) | Notable Example (2024) |
|---|---|---|---|---|
| AI-Powered Spear Phishing | Email, Chat | Corporate Employees | 35%-45% | AI chatbot impersonating IT staff at a bank |
| Deepfake Video Calls | Video Conferencing | Executives, Finance Teams | 30%-40% | Fake CFO authorizing wire transfer |
| Smishing | SMS, Messaging Apps | General Public | 20%-25% | Fake bank verification SMS |
| Hybrid Attacks | Email + Phone | All Employees | 40%-50% | Follow-up vishing after phishing email |
| IoT-Based Social Engineering | Smart Devices | Households, Offices | 15%-20% | Compromised smart assistant in home |

What Organizations and Individuals Should Watch For

With these advanced techniques on the rise, both organizations and individuals must stay vigilant. It is no longer enough to be suspicious of poorly worded emails or unexpected phone calls. Modern social engineering attacks are well-researched, highly personalized, and often technologically advanced.

For organizations, it’s crucial to update security policies to address threats beyond email phishing. This includes training employees to recognize deepfakes, verifying requests through multiple channels, and monitoring unusual activity on IoT devices. Multi-factor authentication, while essential, should not be viewed as a cure-all—attackers are increasingly targeting the channels used for verification codes.

Individuals should be cautious when sharing personal details online, as attackers use this information to build convincing pretexts. Scrutinize unexpected requests, especially those that convey urgency or secrecy, and always verify identities through independent means.

The Road Ahead: Staying Ahead of Social Engineering Threats in 2024

As technology advances, so too do the tactics of social engineers. In 2024, the combination of AI, deepfakes, and the proliferation of connected devices means that everyone is a potential target. The best defense is a proactive and adaptive approach to security that combines education, technology, and vigilance.

According to Gartner, by 2025, 60% of organizations will consider human-centric security design as critical to their cybersecurity strategy—up from just 15% in 2021. This underscores the growing recognition that people, not just technology, are at the heart of effective defense against social engineering.

While the threats may seem daunting, awareness is the first step toward resilience. By understanding the latest techniques and staying informed, we can all play a part in thwarting the next wave of social engineering attacks.

FAQ

What is the most dangerous social engineering technique in 2024?
Deepfake-enabled video calls combined with AI-driven spear phishing are considered the most dangerous, as they can convincingly impersonate trusted individuals and adapt to real-time interactions.

How can I recognize an AI-powered phishing attack?
Look for subtle cues such as unusual requests, a sense of urgency, or messages that reference information you haven't shared with the sender. Cross-check requests through separate channels whenever possible.

Are IoT devices really a significant risk for social engineering?
Yes, as more devices become internet-connected, they offer new entry points for attackers. Poorly secured devices can be exploited to gather information or impersonate users.

Has the success rate of social engineering attacks increased?
Yes. With the use of AI and data analytics, the success rate of targeted social engineering attacks has risen, with some sophisticated hybrid attacks achieving up to a 50% success rate.

What should organizations focus on to counter these new threats?
Organizations should invest in employee training, deploy advanced threat detection tools, regularly update security protocols, and emphasize the importance of verifying identities—especially for sensitive transactions or unusual requests.

Jason is a cybersecurity analyst specializing in threat detection and prevention with years of experience combating phishing and internet scams. He enjoys simplifying complex security concepts for everyday users.
