
Types of Social Engineering Attacks: What's New in 2026

Learn the 10 established and 4 emergent types of social engineering attacks, how each one works, and how to defend across every channel attackers use.

May 12, 2026

Types of Social Engineering Attacks: How They Work and What's New in 2026

Social engineering attacks succeed because they exploit something no patch can fix: human trust. Instead of breaking into hardened systems, attackers manipulate people into handing over credentials, approving payments, or opening doors.

Social engineering sits at the heart of modern cybercrime, and the numbers reflect it. Reported cybercrime losses hit $16.6 billion in 2024, with phishing, a textbook social engineering tactic, generating more complaints than any other category. Human action or error, such as clicking a phishing link, mishandling data, or misusing credentials, factored into 60% of confirmed breaches in 2025.

This piece walks through the main types of social engineering attacks security teams encounter today, the emergent variants reshaping the threat in 2026, and how to defend across every channel attackers use.

Key Takeaways

  • Social engineering attacks succeed by manipulating people into handing over credentials, approving payments, or granting access.
  • Security teams should know the popular attack types and their variants, as they operate through different channels and lures, but all exploit the same human instincts.
  • AI now makes it easier for threat actors to deploy four emergent attack types at scale: deepfake-enabled impersonation, MFA fatigue, callback phishing, and QR code phishing.
  • Effective defense has to be multi-channel and continuous, mapping exposure, detecting attacker infrastructure, connecting isolated signals into full campaigns, and training employees as a single connected loop.

10 Types of Social Engineering Attacks You Should Know

Most social engineering attacks fall into three broad groups: messaging-based attacks that exploit inboxes, phones, and chat apps; relationship-based attacks that exploit human roles and rapport; and environment-based attacks that exploit physical or digital spaces the target already trusts.

Knowing which category an attack belongs to matters because the controls that stop one rarely stop the others. Email filtering does little against a tailgater at the loading dock, and badge policies do nothing against a watering hole campaign seeded on an industry forum.

1. Phishing

Phishing uses fraudulent messages, typically email, to trick recipients into sharing credentials, clicking malicious links, or downloading malware. Attackers imitate trusted senders, such as a bank, a SaaS vendor, or an internal system alert, then layer in urgency or curiosity to bypass the recipient's judgment. A successful phish hands attackers initial access to a corporate network, a SaaS account, or an inbox they'll use to launch the more targeted variants below.

2. Spear Phishing and Whaling

Spear phishing targets a specific individual or organization, while whaling aims the same approach at C-suite leaders and board members. Attackers tailor the message using details drawn from LinkedIn profiles, company announcements, or public filings, making the lure feel like normal business correspondence. When it works, a single message can authorize a wire transfer, expose privileged credentials, or open the door to a multi-stage intrusion.

3. Vishing (Voice Phishing)

Vishing uses phone calls or voicemails in which the caller impersonates a bank, IT help desk, government agency, or an internal colleague. The attacker manufactures urgency around fabricated triggers such as "suspicious activity on your account" or "your credentials have been compromised," then pressures the target into sharing information or granting remote access. Voice cloning and AI-generated speech now make vishing dramatically more convincing, and the consequences range from drained accounts to fraudulent executive transfers.

4. Smishing (SMS Phishing)

Smishing uses the same phishing tactics via text messages and mobile messaging apps. Attackers favor lures like package delivery alerts, account verification requests, and prize notifications, all engineered to prompt a quick tap. A typical smishing campaign might impersonate a parcel carrier with a "missed delivery" alert, prompting the recipient to reschedule via a link that loads a credential-harvesting page that mirrors the carrier's branding.

SMS and WhatsApp generate a stronger sense of urgency than email and tend to have weaker filtering, so successful smishing often leads to credential theft, malware installation, or fraudulent payments before the victim has time to second-guess the message.

5. Business Email Compromise (BEC)

BEC attacks spoof or compromise a legitimate business email account, allowing the attacker to redirect payments, request sensitive data, or authorize fraudulent transactions. Its power lies in subtlety. Attackers register lookalike domains (amazon[.]co vs. amazon[.]com) or burrow into real mailboxes, then insert themselves into existing conversation threads.

A common BEC scenario starts with a vendor's mailbox getting compromised through an unrelated breach. The attacker then sends routine-looking notices, such as an updated banking detail, an API key rotation, or a revised invoice, into existing customer threads, where recipients respond as if the message were part of a known business process. The losses tend to be large and direct: wire transfers, payroll redirects, and vendor payments rerouted to attacker-controlled accounts.

6. Pretexting

Pretexting is the craft of constructing a fabricated identity and scenario to manipulate a target, often posing as an IT administrator, HR representative, auditor, or vendor with a plausible reason to ask. The pretext gives the request a believable cover story, which is what allows the rest of the attack to land. It feeds vishing, BEC, and in-person social engineering, and shows up most often in help desk impersonation and credential reset schemes that hand attackers privileged access.

7. Baiting and Quid Pro Quo

Baiting dangles something attractive, like a free download, a USB drive labeled "Q3 Salary Review," or a public QR code promising a reward. Quid pro quo works the same way but adds an exchange, such as a fake IT support agent who'll "fix" a problem in return for login credentials. Both rely on the target's willingness to engage with something that looks helpful or rewarding. Once the target takes the bait, the result tends to mirror a phish: malware on the endpoint, harvested credentials, or a foothold inside the environment.

8. Honey Trapping

Honey trapping uses romantic or personal interest as the manipulation lever. An attacker builds a relationship with the target through social media, dating apps, or professional networking platforms, then exploits that trust to extract credentials, proprietary data, or financial transfers. Because the relationship can develop over weeks or months, the resulting losses often involve sensitive intellectual property, privileged access, or large sums of money, and the technique is prominent in espionage-oriented operations.

9. Tailgating and Physical Social Engineering

Tailgating (or piggybacking) is the physical counterpart to digital social engineering. An attacker follows an authorized employee through a secured door, often while carrying boxes or claiming a forgotten badge. Once inside, they can install rogue devices, access unattended workstations, or collect documents. A related technique, dumpster diving, mines discarded materials for account numbers and credential-adjacent information. These physical events often feed downstream digital attacks, which is why awareness programs limited to email miss a meaningful slice of the threat.

10. Watering Hole Attacks

A watering hole attack compromises a website the target audience already visits and trusts, such as an industry forum, news site, or professional community page, and seeds it with malicious code. Because the victim opens the site voluntarily, the attack bypasses the skepticism a cold email or unknown link would trigger.

A representative scenario: attackers compromise the official download page of a niche developer tool with a strong following in a particular regional or professional community, replacing the legitimate installer with a trojanized version that quietly delivers a payload to anyone who updates that week. The payload that lands on a visitor's device can range from credential stealers to remote access trojans, and attackers often aim for a small subset of visitors from a specific company or sector.

4 Social Engineering Attacks Defining the 2026 Threat Landscape

The attacks above are well-known, and most security programs are built to defend against them, even if imperfectly. The four below aren't all strictly new techniques, but they're the ones hitting enterprise scale right now, exploiting surfaces and workflows that traditional controls weren't designed to cover.

The barrier to running these types of social engineering attacks has also dropped sharply. Any determined adversary can now access the tooling without nation-state resources or backing, which is why the four attacks below appear well outside the advanced persistent threat (APT) profile.

1. Deepfake-Enabled Impersonation

Deepfake attacks use AI-generated audio, video, or imagery to impersonate real people in real time, typically inside a Zoom, Teams, or phone call. Sixty-two percent of organizations experienced a deepfake-related social engineering incident in the 12 months prior to mid-2025.

Real-world cases include a Zoom call that impersonated a CFO and other executives at a Singapore multinational, a multimillion-dollar loss at Arup through a deepfake video conference convincing enough to fool multiple participants, and AI voice clones of an Italian defense official used to extract funds from business leaders.

2. MFA Fatigue and Prompt Bombing

MFA fatigue attacks flood a user with push notification login requests until they accept one out of frustration or confusion. The technique itself isn't new, but what's changed is the context around it: push-based MFA is now the default at most enterprises, and threat actors have started pairing fatigue with adversary-in-the-middle (AitM) phishing kits like Evilginx and Tycoon, plus help desk social engineering, to bypass MFA at scale.

The practical implication is the gap between push-based MFA, which is vulnerable to fatigue attacks, and phishing-resistant FIDO2 security keys or passkeys, which are not; that distinction matters for any enterprise still relying on the former.
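One way to surface a prompt-bombing burst before the victim taps "approve" is to watch the identity provider's push events per user. The script below is an added example, not code from this article or from Doppel: it assumes a generic log with one JSON object per line carrying ts, user, event (push_sent / push_denied / push_approved) and src_ip, and those field names, the sample log lines, and the five-prompts-in-ten-minutes threshold are all constructed for illustration.

```python
"""Flag MFA push-fatigue bursts in authentication logs.

Added example, not Doppel's code. Assumes a generic identity-provider log:
one JSON object per line with ts (ISO 8601), user, event and src_ip. The
field names are assumptions, not any vendor's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PROMPT_THRESHOLD = 5            # push prompts inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)

# Constructed sample: alice gets six prompts in under three minutes from one
# source, denies five, then approves the sixth; bob is an ordinary login.
SAMPLE_LOG = """
{"ts": "2026-05-11T02:14:00+00:00", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:14:05+00:00", "user": "alice", "event": "push_denied", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:14:30+00:00", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:14:40+00:00", "user": "alice", "event": "push_denied", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:15:00+00:00", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:15:10+00:00", "user": "alice", "event": "push_denied", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:15:30+00:00", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:15:45+00:00", "user": "alice", "event": "push_denied", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:16:00+00:00", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:16:20+00:00", "user": "alice", "event": "push_denied", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:16:40+00:00", "user": "alice", "event": "push_sent", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T02:17:05+00:00", "user": "alice", "event": "push_approved", "src_ip": "198.51.100.23"}
{"ts": "2026-05-11T09:02:11+00:00", "user": "bob", "event": "push_sent", "src_ip": "10.0.4.17"}
{"ts": "2026-05-11T09:02:25+00:00", "user": "bob", "event": "push_approved", "src_ip": "10.0.4.17"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return {user: finding} for every user who received at least `threshold`
    push prompts inside `window`. A burst followed by an approval is the
    pattern that indicates the attacker got through, so it is rated higher."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        sent = [e for e in evs if e["event"] == "push_sent"]
        for i in range(len(sent)):
            # Grow the window from prompt i while later prompts still fit inside it.
            j = i
            while j + 1 < len(sent) and sent[j + 1]["ts"] - sent[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count < threshold:
                continue
            start, end = sent[i]["ts"], sent[j]["ts"] + window
            denied = sum(1 for e in evs if e["event"] == "push_denied" and start <= e["ts"] <= end)
            approved = any(e["event"] == "push_approved" and start <= e["ts"] <= end for e in evs)
            findings[user] = {
                "prompts": count,
                "denied": denied,
                "approved_after_burst": approved,
                "severity": "critical" if approved else "high",
                "src_ips": sorted({e["src_ip"] for e in sent[i:j + 1]}),
                "window_start": sent[i]["ts"].isoformat(),
            }
            break  # one finding per user is enough for an alert
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_push_fatigue(parse_log(SAMPLE_LOG)), indent=2))
```

The "approved_after_burst" flag is the one to page on: a burst of denials alone is a user under attack, while a burst followed by an approval is a likely compromised session that needs the token revoked. The detection is a stopgap; as the text notes, the durable fix is moving those users off push MFA to phishing-resistant FIDO2 or passkeys.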

3. Callback Phishing

Callback phishing (also known as telephone-oriented attack delivery, or TOAD) reverses the phishing flow. An email claims a subscription is auto-renewing and cancellation requires calling a phone number. The victim calls, reaches a social engineering operator, and follows the operator's instructions to install remote access software.

Current variants impersonate Microsoft, DocuSign, and enterprise document workflow brands, and the technique has now moved into collaboration tools, including documented attacks spreading the DarkGate RAT through Microsoft Teams vishing sessions.

4. QR Code Phishing (Quishing)

Quishing embeds malicious URLs in QR codes that attackers place in emails, physical locations, or documents, effectively hiding the destination from email gateways and the user.

There is a documented case of North Korean Kimsuky actors deploying malicious QR codes in targeted spear-phishing campaigns aimed at think tank advisors and embassy employees. In a separate campaign, Russian APT Void Blizzard combined a QR code with adversary-in-the-middle infrastructure to harvest session cookies and bypass MFA entirely. Quishing increasingly serves as the first step in a longer post-click attack chain that goes well beyond basic credential harvesting.

How to Defend Against Social Engineering Attacks

Social engineering campaigns span multiple channels, adapt in real time, and target identity because it's the fastest path to access. A defense built around a single surface, whether email filtering, domain monitoring, or an annual phishing quiz, misses most of the kill chain. Defense has to be as multi-channel and continuous as the attack itself.

1. Map Your Exposure Across Every Channel

Catalog where your brand, executives, and employees show up across corporate domains, lookalike domains, social profiles, paid ads, app stores, telco numbers, dark web forums, and messaging apps, so you know which surfaces an attacker can plausibly weaponize against you.

2. Continuously Detect Impersonation and Attacker Infrastructure

Once you know the surface, monitor it. Spoofed domains, fake social profiles, scam ads, malicious QR codes, and impersonation accounts make up the raw materials of every campaign in this guide. Detection has to run continuously, because attackers spin new infrastructure daily, and a weekly scan misses most of it.
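The lookalike-domain monitoring that steps 1 and 2 call for, and that the BEC section illustrates with amazon[.]co against amazon[.]com, comes down to scoring each newly seen domain against the brands you protect. The script below is an added example, not Doppel's detection logic: the confusable-character map, the scoring weights, the simplified TLD splitting and the candidate list are all constructed assumptions, and a production check would use the Public Suffix List and a far larger confusable table.

```python
"""Score candidate domains for lookalike risk against protected brand domains.

Added example, not Doppel's code. The heuristics (confusable-character
normalization, edit distance, TLD swap, brand-in-label) are assumptions
about what a domain-monitoring check looks for, not any vendor's algorithm.
"""

# Constructed confusable map: substitutions attackers use for ASCII letters.
# Multi-character entries are applied first so "rn" collapses before "n".
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
}


def split_domain(domain):
    """Return (registrable label, tld). Assumes a one-part TLD; a production
    check would consult the Public Suffix List for cases like example.co.uk."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) == 1:
        return parts[0], ""
    return parts[-2], parts[-1]


def normalize(label):
    """Map confusables to ASCII so 'arnazon' and 'amaz0n' both become 'amazon'."""
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        label = label.replace(src, CONFUSABLES[src])
    return label


def levenshtein(a, b):
    """Classic edit distance, row-by-row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_lookalike(candidate, brand):
    """Return (score 0-100, reasons) estimating how likely `candidate`
    impersonates `brand`. The brand domain itself scores 0."""
    c_label, c_tld = split_domain(candidate)
    b_label, b_tld = split_domain(brand)
    if (c_label, c_tld) == (b_label, b_tld):
        return 0, ["protected domain itself"]
    score, reasons = 0, []
    norm = normalize(c_label)
    if norm != c_label:
        score += 20
        reasons.append("confusable characters in label")
    if norm == b_label:
        if c_tld != b_tld:
            score += 50
            reasons.append(f"TLD swap .{b_tld} -> .{c_tld}")
        else:
            score += 40
            reasons.append("label normalizes to brand label")
    else:
        dist = levenshtein(norm, b_label)
        if dist <= 2:
            score += 40 if dist == 1 else 25
            reasons.append(f"edit distance {dist} from brand label")
        elif b_label in norm:
            score += 30
            reasons.append("brand label embedded in longer label")
    return min(score, 100), reasons


def scan(candidates, brands, threshold=40):
    """Score every candidate against every brand and keep the best match
    when it reaches `threshold`, highest score first."""
    hits = []
    for cand in candidates:
        (score, reasons), brand = max(
            ((score_lookalike(cand, b), b) for b in brands), key=lambda t: t[0][0])
        if score >= threshold:
            hits.append({"domain": cand, "brand": brand, "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed candidates, e.g. from a passive-DNS or new-registration feed.
SAMPLE_CANDIDATES = ["amazon.com", "amazon.co", "arnazon.com", "amaz0n-support.com",
                     "amazn.com", "am\u0430zon.com", "example.com"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CANDIDATES, ["amazon.com"]):
        print(hit["score"], hit["domain"], "; ".join(hit["reasons"]))
```

The scoring is deliberately additive so that a homoglyph plus a TLD swap outranks either alone; the threshold decides what lands in the analyst queue and what only gets logged. Running it daily against new registrations is the "continuous" part of step 2 that a weekly scan misses.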

3. Connect Signals into Full Campaigns

Isolated alerts like "a lookalike domain" or "a fake LinkedIn profile" undersell the threat. The same attacker often registers a domain, sets up a fake profile, buys an ad, and provisions a phone number for a single campaign. Connecting those signals into one view tells you which alerts belong to the same operation and which are noise.
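Grouping alerts into one operation is, at its simplest, a graph problem: two indicators belong together when they share a pivot such as a hosting IP, a registrant, a phone number, or a link to the same lookalike domain. The script below is an added example and is not Doppel's Threat Graph; the indicator schema, the pivot attribute names and the sample alerts are constructed to show the union-find clustering that turns a flat alert list into campaign-level views.

```python
"""Cluster isolated impersonation indicators into campaigns.

Added example, not Doppel's code. Indicators are linked when they share a
pivot attribute (hosting IP, registrant, phone number, or a reference to a
known lookalike domain) and grouped with union-find. Schema and data are
constructed for illustration.
"""
from collections import defaultdict

# Constructed alerts: a payroll lure across four channels, an invoice lure
# across three, and one unrelated fan page that should stay isolated.
INDICATORS = [
    {"id": "dom-1", "type": "domain", "value": "acme-payrol1.com",
     "pivots": {"ip": "203.0.113.10", "registrant": "ops@mailbox.example", "phone": "+1-555-0142"}},
    {"id": "prof-1", "type": "social_profile", "value": "linkedin.com/in/acme-hr-team",
     "pivots": {"links_to": "acme-payrol1.com"}},
    {"id": "ad-1", "type": "paid_ad", "value": "Acme HR portal login",
     "pivots": {"landing_domain": "acme-payrol1.com"}},
    {"id": "phone-1", "type": "phone", "value": "+1-555-0142", "pivots": {}},
    {"id": "dom-2", "type": "domain", "value": "acme-invoices.net",
     "pivots": {"ip": "198.51.100.7", "registrant": "billing-ops@mailbox.example"}},
    {"id": "prof-2", "type": "social_profile", "value": "x.com/acme_billing",
     "pivots": {"links_to": "acme-invoices.net"}},
    {"id": "dom-3", "type": "domain", "value": "acme-billing-portal.com",
     "pivots": {"ip": "198.51.100.7"}},
    {"id": "prof-3", "type": "social_profile", "value": "instagram.com/acme_fanpage",
     "pivots": {}},
]

# Pivot attribute names that all mean "points at this domain".
DOMAIN_REFS = {"links_to", "landing_domain"}


def pivot_keys(ind):
    """Every (kind, value) pair that can tie this indicator to another.
    The indicator's own identity is included so a profile that links to a
    domain joins the alert raised for that domain."""
    keys = {(ind["type"], ind["value"])}
    for name, value in ind["pivots"].items():
        kind = "domain" if name in DOMAIN_REFS else name
        keys.add((kind, value))
    return keys


def cluster(indicators):
    """Union-find over shared pivot keys; returns lists of indicator ids."""
    parent = {ind["id"]: ind["id"] for ind in indicators}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_owner = {}  # pivot key -> first indicator that carried it
    for ind in indicators:
        for key in pivot_keys(ind):
            if key in first_owner:
                union(first_owner[key], ind["id"])
            else:
                first_owner[key] = ind["id"]

    groups = defaultdict(list)
    for ind in indicators:
        groups[find(ind["id"])].append(ind["id"])
    return list(groups.values())


def summarize(indicators):
    """Campaign-level view: members, channels touched, and a verdict,
    largest campaign first."""
    by_id = {ind["id"]: ind for ind in indicators}
    out = []
    for group in cluster(indicators):
        members = sorted(group)
        out.append({
            "members": members,
            "channels": sorted({by_id[m]["type"] for m in members}),
            "size": len(members),
            "verdict": "campaign" if len(members) > 1 else "isolated alert",
        })
    return sorted(out, key=lambda c: (-c["size"], c["members"][0]))


if __name__ == "__main__":
    for campaign in summarize(INDICATORS):
        print(campaign["verdict"], campaign["size"], campaign["channels"], campaign["members"])
```

The useful output is the channel list per cluster: a group that spans domain, paid ad, social profile and phone number is the multi-channel operation the text describes, and its members should be taken down together rather than ticketed one at a time.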

4. Dismantle Malicious Assets Quickly

Detection without takedown leaves you with a richer alert queue. Effective defense includes the operational muscle to kill spoofed domains, fake profiles, fraudulent ads, and impersonation accounts across registrars, platforms, ad networks, telcos, and messaging apps, with takedowns measured in hours.

5. Train Employees on the Tactics They Actually Face

Every social engineering attack starts and ends with a human decision. Awareness programs that mirror real, current campaigns across email, voice, SMS, Microsoft Teams, Zoom, and collaboration tools meaningfully outperform once-a-year video modules. Training on the actual lures hitting your industry this quarter is the closest you can get to inoculation.

Building a Multi-Channel Defense Against Social Engineering Attacks with Doppel

The five steps above work together as a single connected loop. Detection feeds takedowns, takedowns feed training, and training reduces the click-through rate on the next campaign. The harder question for most security teams is how to run all of them at once, continuously, and across every channel an attacker might use, without setting up five separate tools and five separate workflows.

Doppel delivers that multi-channel defense in a unified platform. As an AI-native platform for Social Engineering Defense (SED), it brings Digital Risk Protection (DRP) and Human Risk Management (HRM) into a single intelligence layer, so detection and training no longer run as separate programs.

The Doppel platform detects impersonation campaigns across domains, social media, paid ads, telco, dark web, and messaging apps. The Doppel Threat Graph connects spoofed domains, fake profiles, scam ads, phone numbers, and malicious messaging into a single campaign view, so teams can act on connected activity rather than drowning in isolated alerts. From there, the underlying attacker infrastructure is dismantled across registrars, platforms, ad networks, telcos, and messaging apps before it can convert. When a live attack does land, one-click threat-to-simulation conversion turns it into an employee training scenario in minutes, closing the loop between what attackers are doing and what your people train to recognize.

Request a demo of the Doppel platform to see what multi-channel defense looks like in a single workflow.
