7 Types of Social Engineering Attacks — Real Examples from 2025 and 2026
7 Types of Social Engineering Attacks — Real Examples from 2025 and 2026
A threat group called Muddled Libra (also tracked as Scattered Spider) has infiltrated over 100 companies since 2022 — airlines, retailers, financial firms. Their total toolkit? No zero-day exploits. No advanced malware. Just phone calls, convincing voices, and a playbook built entirely around manipulating people.
In one documented 2025 case, they went from a single phone call to a company's helpdesk to full domain administrator access in under 40 minutes.
This post maps every technique they — and attackers like them — use. Yesterday we covered what social engineering is and why it works. Today we go deeper: the 7 specific attack types, with real 2025–2026 examples for each.
1. Phishing — Still the Dominant Force
Phishing is the engine that powers most breaches. According to Unit 42's 2025 Global Incident Response Report, phishing alone accounts for 65% of all social engineering-driven cases.
The scale is almost hard to comprehend. Between January and April 2025, a single phishing kit called CoGUI sent over 580 million emails — impersonating Amazon, PayPal, Apple, and major banks. In January alone, 172 million emails went out across 170 separate campaigns. The kit used browser fingerprinting and geofencing to evade security scanners, showing victims a convincing fake login page while redirecting everyone else to the real site.
And that's just one kit, in one region. BEC (Business Email Compromise) — where attackers impersonate executives to authorise wire transfers — caused $2.77 billion in losses in 2024 in the US alone, according to the FBI's Internet Crime Report.
2. Vishing — The Phone Call That Bypasses Everything
Vishing is voice phishing. It's what Muddled Libra uses most.
The script is brutally simple: call the helpdesk, claim to be an employee who's locked out of their MFA device, sound frustrated and pressed for time. Helpdesk staff — trained to be helpful, conditioned not to challenge — reset the credentials. Game over.
Over 70% of phone numbers used by Muddled Libra in 2025 were Google Voice numbers — nearly untraceable, completely free. Vishing attacks surged 442% in the second half of 2024, per CrowdStrike. And with AI voice cloning now capable of replicating someone's voice from a short audio sample, attackers no longer even need to sound convincing themselves — they can sound exactly like your CTO.
Has your IT helpdesk been trained to handle a call like this? If you're not sure, that uncertainty is the gap.
3. Smishing — The Text Message Nobody Questions
Smishing is SMS phishing, and it works because people treat text messages as inherently more trustworthy than email.
"Your parcel couldn't be delivered — pay ₹35 to reschedule." You've seen these. They're CoGUI-linked campaigns that have been running across the US, UK, Australia, and India. The Darcula smishing kit (closely related to CoGUI) has specifically targeted India and Southeast Asia with fake toll and delivery notifications throughout 2025.
The reason smishing is especially dangerous for businesses: it bypasses your corporate email filters entirely. It lands on a personal phone, during off-hours, when the employee is relaxed and less guarded.
4. Pretexting — The Most Dangerous Technique Nobody Talks About
Pretexting overtook phishing in 2024 to become the most common social engineering method globally, accounting for 50% of all social engineering attacks, according to Verizon's 2025 DBIR.
This is the art of building a complete fake identity before making contact. Muddled Libra's playbook is instructive: they research target companies on LinkedIn, identify admin users, map the org chart, then call the helpdesk as a specific, named employee — with enough detail to pass every informal verification check a helpdesk associate might attempt.
The fake auditor requesting access to financial records. The "new vendor" who needs a system login for an integration. The "IT contractor" covering for someone on leave. Pretexting works because it's not just a lie — it's a story with enough true detail woven in that the target's brain fills the gaps automatically.
5. Baiting — Curiosity as a Weapon
You'd be surprised how many people plug in a USB drive they found in a car park.
In controlled tests by enterprise security firms, employees plug in found USB drives at rates between 45–98%, depending on how compelling the label is. "Salary Review 2025" beats "Backup Files" every time. Once plugged in, the device can silently install malware, establish a backdoor, or exfiltrate data — no internet connection required during the initial phase.
Digital baiting follows the same psychology: fake cracked software downloads, "exclusive" leaked documents, "free" tools that arrive pre-packaged with a keylogger. In 2025, ClickFix-style campaigns — fake CAPTCHA prompts and browser error messages that instruct users to paste malicious commands into their own terminals — became one of the fastest-growing baiting vectors across healthcare, retail, and government sectors.
6. Tailgating — The Attack Your Firewall Can't See
A person in a high-vis vest walks up to a secure door just as an employee is badging in. They're carrying something heavy. "Could you hold that? I keep forgetting my badge." The employee holds the door. The attacker is now inside your office.
Tailgating is embarrassingly effective and almost never tested. Physical access to a server room, an unattended workstation, or even a connected printer can be enough for a sophisticated attacker to establish persistence. In 2025, Kuboid Secure Layer's physical assessments found that most organisations with solid technical security have almost no process for challenging unfamiliar faces in shared areas.
Have you ever run a physical intrusion test on your own office? If the answer is no, would you know if someone already had?
7. Deepfake Impersonation — Where We Are Now
This is the one that changed everything.
In 2024, a finance employee at a Hong Kong multinational attended a video call with their CFO and several colleagues. Everyone spoke. Questions were asked. Instructions were given. $25.6 million was transferred. Every participant except the real employee was a deepfake.
This isn't science fiction anymore. Deepfake audio and video technology is now accessible, affordable, and good enough to fool people in real-time calls. In 2025, voice authentication systems at several banks were bypassed using AI-cloned audio. Muddled Libra has been documented using AI voice spoofing to impersonate employees during helpdesk calls.
The unit of trust we've relied on for centuries — recognising someone's face and voice — is no longer reliable as a standalone verification mechanism.
How These Techniques Combine Into a Single Attack
Here's what makes modern social engineering so dangerous: attackers chain these techniques.
A typical Muddled Libra attack in 2025 might look like this:
- Smishing — An SMS to an employee with a fake IT alert, establishing urgency
- Pretexting — Research-backed impersonation of a named admin user
- Vishing — A call to the helpdesk to reset MFA, citing the "IT alert"
- Baiting — A follow-up email with a "required security tool" download that installs an RMM agent
Four techniques. One coherent story. Domain administrator access in 40 minutes. No malware required until the very last step — after trust has already been established.
What This Means For Your Organisation
Understanding each technique individually is useful. Understanding how they combine is essential.
The organisations that defend well against these attacks aren't necessarily the ones with the biggest security budgets. They're the ones that have trained their people to pause, verify through a second channel, and report something suspicious without fear of embarrassment.
At Kuboid Secure Layer, we run social engineering simulations that test all of these vectors — phishing, vishing, physical tailgating — in a controlled, consequence-free environment. The results consistently reveal gaps that no technical audit would ever find.
Which of these 7 techniques do you think is most likely to succeed against your team? Drop a comment — I genuinely want to know what industries you're in and what you're seeing.
And if you want to find out how your team actually performs against a real simulation, we're here to help.
Kuboid Secure Layer provides social engineering simulations, human risk assessments, and penetration testing for businesses across India and beyond. Learn more at www.kuboid.in.
