AI-Powered Social Engineering
What is AI-Powered Social Engineering?
AI-powered social engineering refers to the use of generative AI technologies, including large language models, deepfake video generation, voice cloning, and autonomous agents, to create and execute social engineering attacks with higher realism, lower cost, and greater scale than was previously possible. Over 80% of social engineering activity is now AI-assisted according to Abnormal Security's 2025 research, and AI-generated phishing emails have achieved click rates of 54% compared to 12% for traditional campaigns. AI lowers the technical barrier to sophisticated attacks while raising the quality bar that defenders must meet: the lure itself no longer carries the linguistic tells that awareness training has traditionally relied on.
Description
AI has transformed every stage of the social engineering attack chain. In the reconnaissance phase, AI agents can automatically harvest and synthesize organizational data from LinkedIn, company websites, job postings, and social media to build highly specific targeting profiles. In the lure creation phase, LLMs generate grammatically perfect, contextually appropriate phishing and spear phishing emails that lack the typos and awkward phrasing trained users are taught to spot; detection therefore has to lean on signals the model cannot fabricate, such as sender authentication, the sending domain, the reply path, and whether the request fits an existing thread and business process. In the delivery phase, AI enables new attack formats: voice cloning can impersonate executives from as little as three seconds of audio, and deepfake-enabled vishing surged 1,633% in Q1 2025.

Deepfake video calls have been used to impersonate CFOs and authorize fraudulent wire transfers, including a documented 2024 case in which staff at engineering firm Arup transferred about $25.6 million after a video conference whose participants were AI-generated. Business email compromise (BEC) attacks are increasingly augmented with AI-generated correspondence that closely matches the writing style of the impersonated executive. These capabilities compound the risk of adversary-in-the-middle (AiTM) phishing: once an attacker has relayed the victim's login and captured the session cookie, MFA is already satisfied, and AI-crafted messages sent from the legitimate mailbox pass every sender-based check, leaving process controls as the last line of defense.
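The point above that AI removes the grammatical tells means email triage must lean on envelope and header signals instead of message quality. The following is an added example, not code from the original page or from Evolve Security, showing such a triage over three constructed messages: a lookalike-domain lure, a free-mail display-name spoof with a hijacked Reply-To, and a legitimate authenticated message. The corporate domain, the executive directory, and the sample headers are all assumptions for the example.

```python
import email
from email.utils import parseaddr

# Assumed corporate domain and executive directory (constructed for this example).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Constructed sample messages. Note that none of them contain typos: content
# quality is deliberately not used as a signal anywhere below.
SAMPLES = {
    "lookalike": (
        'From: "Jane Doe" <jane.doe@exarnple.com>\n'
        "To: assistant@example.com\n"
        "Subject: Urgent wire before close of business\n"
        "\n"
        "Please process the attached transfer today; I am in meetings all afternoon.\n"
    ),
    "freemail": (
        'From: "Jane Doe" <jane.doe.cfo@gmail.com>\n'
        "Reply-To: <jane.doe.cfo@protonmail.com>\n"
        "To: assistant@example.com\n"
        "Subject: Quick favour\n"
        "\n"
        "Are you at your desk? I need a payment released and cannot take calls.\n"
    ),
    "legitimate": (
        'From: "Jane Doe" <jane.doe@example.com>\n'
        "To: assistant@example.com\n"
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
        "Subject: Board pack\n"
        "\n"
        "Attached for Thursday.\n"
    ),
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss registrations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain):
    """Collapse common visual substitutions (rn->m, vv->w, 0->o, 1->l)."""
    d = domain.lower()
    for seq, canon in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(seq, canon)
    return d


def is_lookalike(domain, target=CORP_DOMAIN):
    if domain == target:
        return False
    return fold_confusables(domain) == fold_confusables(target) or edit_distance(domain, target) <= 2


def triage(raw_message):
    """Return the list of header-level findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]

    # An executive's name on an address the directory does not know.
    if display_name in EXECUTIVES and from_addr != EXECUTIVES[display_name]:
        findings.append("display-name impersonation")
    # Replies silently routed to a different mailbox than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower().rpartition("@")[2] != from_domain:
        findings.append("reply-to domain mismatch")
    if is_lookalike(from_domain):
        findings.append("lookalike domain")
    # Anything claiming the corporate domain must carry a DMARC pass stamped by
    # our own gateway; otherwise the From header is spoofed.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == CORP_DOMAIN and "dmarc=pass" not in auth:
        findings.append("corporate domain without dmarc=pass")
    return findings


def triage_all():
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'no findings'}")
```

The caveat the AiTM sentence implies: a message sent from a genuinely compromised mailbox carries the real domain, a valid DMARC pass, and no Reply-To trick, so it produces no findings here. Header triage narrows the funnel; it does not replace the out-of-band verification of the request itself.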
Usage and Examples
A cybercrime group targeting financial services uses the following AI-augmented attack chain: first, an LLM summarizes publicly available information about the target CFO's communication style from LinkedIn posts and media interviews. Second, voice cloning software is trained on audio from an earnings call recording. Third, a vishing call is placed to the CFO's assistant using the cloned voice, instructing them to process an urgent wire transfer. The assistant hears the familiar voice, recognizes the communication style, and complies. No malware, no phishing link, and no technical exploit are involved, so email and endpoint controls have nothing to catch; the only control that can fail closed is the payment process itself. Defending against AI-powered social engineering therefore requires layered controls: verification procedures for financial transactions in which voice, video, or email alone is never sufficient authorization (call the requester back on a number already held in the staff directory, never one supplied during the request; require two approvers other than the requester above a set threshold; treat any new or changed beneficiary details as a separate verification step); regular phishing simulation training that includes AI-generated scenarios; and security awareness training that explicitly addresses deepfake and voice cloning threats, including the urgency and secrecy cues that accompany them.
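The process control above can be made explicit so that an urgent, familiar-sounding request cannot be approved by a single person on the strength of the call alone. The following is an added example, not code from the original page or from Evolve Security: a small policy check that evaluates a wire request against three independent controls and reports every one that fails. The directory numbers, known payees, threshold, and scenarios are constructed for the example; the "vishing" scenario is the attack chain described in the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed on-file records, constructed for this example. The callback number
# comes from the staff directory, never from the request itself.
DIRECTORY_PHONE = {"cfo": "+1-555-0100"}
KNOWN_PAYEES = {"Acme Supplies": "GB29NWBK60161331926819"}
DUAL_APPROVAL_THRESHOLD = 10_000.0


@dataclass
class WireRequest:
    requester: str                          # identity the request claims, e.g. "cfo"
    channel: str                            # "voice", "video", "email", ...
    payee: str
    account: str
    amount: float
    callback_number: Optional[str] = None   # number the assistant actually dialled
    callback_confirmed: bool = False        # requester confirmed on that callback
    approvers: List[str] = field(default_factory=list)


def evaluate(req: WireRequest) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Each reason is an independent control failing."""
    reasons = []
    # Control 1: the inbound channel is never evidence of identity. Voice and video
    # can be cloned and email can come from a hijacked session, so the requester
    # must be reached again on a number the organization already holds.
    if not req.callback_confirmed:
        reasons.append(f"no out-of-band callback completed ({req.channel} request alone is not authorization)")
    elif req.callback_number != DIRECTORY_PHONE.get(req.requester):
        reasons.append("callback went to a number not in the staff directory")
    # Control 2: new or changed beneficiary details are verified separately,
    # not waved through as part of an urgent payment.
    if KNOWN_PAYEES.get(req.payee) != req.account:
        reasons.append("payee account not on file (new or changed beneficiary)")
    # Control 3: dual approval by people other than the requester.
    independent = {a for a in req.approvers if a != req.requester}
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(independent) < 2:
        reasons.append("dual approval by two people other than the requester required")
    return (not reasons, reasons)


# Constructed scenarios. "vishing" is the attack chain from the text; in
# "attacker_callback" the caller helpfully supplies "my direct line" for the
# callback, which is why the number must come from the directory instead.
SCENARIOS = {
    "vishing": WireRequest("cfo", "voice", "Northwind Ltd", "DE89370400440532013000",
                           250_000.0, approvers=["assistant"]),
    "attacker_callback": WireRequest("cfo", "voice", "Northwind Ltd", "DE89370400440532013000",
                                     250_000.0, callback_number="+1-555-0199",
                                     callback_confirmed=True, approvers=["controller", "treasurer"]),
    "verified": WireRequest("cfo", "email", "Acme Supplies", "GB29NWBK60161331926819",
                            250_000.0, callback_number="+1-555-0100",
                            callback_confirmed=True, approvers=["controller", "treasurer"]),
}


def evaluate_all():
    return {name: evaluate(req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (approved, reasons) in evaluate_all().items():
        print(f"{name}: {'APPROVED' if approved else 'REJECTED'} {reasons}")
```

Reporting every failing control rather than stopping at the first one matters in practice: it tells the finance team whether they are looking at an ordinary procedural slip or, as in the first two scenarios, a request that fails identity, beneficiary, and approval checks at once.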
How Does This Relate to Penetration Testing?
Social engineering testing has evolved alongside the threat. Evolve Security's red team engagements incorporate AI-augmented social engineering techniques — including AI-crafted pretexting scenarios, targeted spear phishing using OSINT-enriched profiles, and vishing exercises — to test whether employees and processes would withstand attacks representative of the current threat landscape. The gap between what organizations train employees to spot (poorly written generic phishing) and what attackers actually use (AI-crafted, personalized, multi-channel campaigns) has never been wider. Red team exercises that reflect real attacker capability provide the accurate baseline needed to design relevant training and process controls. Evolve Security's Red Team engagements test your organization's resilience against advanced social engineering — including the AI-augmented techniques that current threat actors use in real attacks.

