What Will It Take to Reduce Social Engineering Risk In 2025?

Social engineering risk is growing so fast that nearly 1 in 2 organizations reported experiencing phishing and social engineering attacks last year. 

• Social engineering is a manipulation technique criminals use to exploit human behavior to deceive individuals into revealing sensitive information, granting access to systems, or performing actions that compromise security.

Criminals invest in social engineering because it allows them to bypass technical security defenses and requires minimal resources compared to technical hacking, yet can produce massive results (e.g., access to corporate networks or financial accounts).   

However, social engineering campaigns still rely on criminals getting access to one core input – personal data. 

Unfortunately for anyone who is not a cybercriminal, the existence of data brokers (read more about these companies below) means that this dangerous social engineering data risk source is not difficult to find. 

Now, with access to large language models and artificial intelligence tools easier than ever, targeted social engineering attacks have never been simpler or less resource-intensive to carry out at scale.

DeleteMe has helped dozens of household name companies, public sector agencies, and high-risk individuals fight back against social engineering. 

Based on our experience and understanding of the current social engineering threat landscape, here’s what we’d recommend organizations do to reduce their social engineering risk in 2025. 

Effective Social Engineering Hinges on Personal Data

In a Reddit post titled “What is the best phishing email you have seen?” one of the most popular responses was:

“David has shared a folder with you.”

As the commenter later explained, the phishing email came from an attacker who “used the manager’s name to make the click happen.”   

Because the email included the target’s manager’s name (someone the employee knew in a work context), it was more believable. 

Lucky for the organization, the employee reported the email for investigation. 

That may not always be the case, as proven by another commenter in the Reddit thread, who said, “I did one [phishing email] that was a fake OneDrive email. I made it look like it came from a C-level whose last name was Martin, but I spelled it Martian. Got a bunch of people with that one.”

It’s not always email – social engineering by phone is also popular and can be made more effective with personal data. 

Social engineering attacks don’t strictly require personal data (beyond the targets’ email addresses/phone numbers/etc.), but as demonstrated by the above anecdotes, information on a social engineering target seriously increases the likelihood of success. 

That’s why many criminals do extensive research on their victims.

This process of finding out as much information as possible about social engineering targets is often called open-source intelligence (OSINT). Partially, OSINT means gathering intelligence from publicly available tools and sources. 

Criminals use data brokers as OSINT tools. 

We know from leaked criminal group chat logs that attackers use OSINT tools like data brokers to find social engineering targets and contacts to “name drop” within social engineering campaigns to make them look more believable. 

How Data Broker Information Fuels Social Engineering Attacks

Data brokers are companies that gather personal information about individuals from various sources, compile this information into comprehensive reports, and share or sell these reports to more or less anyone. 

There are two main types of data brokers:

1. B2B data brokers. 
2. People search sites. 

B2B data brokers publish people’s professional data, as well as information about organizations. For example, a person’s education and employment history, past and current roles, org charts, and more.

On the other hand, people search sites focus on people’s personal information. Things like their personal phone numbers, home addresses, family member names, links to personal social media profiles, etc. 

Either one of these sources can give criminals a lot of information to work with when crafting social engineering campaigns. 

Combine the two, and you have a gold mine of data. 

AI Is Making Social Engineering Faster & Easier 

Artificial intelligence (AI) makes gathering information about social engineering targets even easier. 

In a report on generative AI in social engineering and phishing, researchers say that: 

“With its mastery of language and analytical abilities, Generative AI can scrutinize the digital footprints of targets. This provides insights into a target’s specific interests, affiliations, or behaviors.”

In other words, AI can quickly pull relevant information about a person from hundreds of sources. 

In a recent Harvard study on large language models’ capability to launch fully automated spear phishing campaigns, AI models were able to collect accurate and useful data on people in 88% of cases. 

AI can also help write the actual content of the emails (or texts, social media messages, etc.) 

As per the above-mentioned report on generative AI in social engineering and phishing: 

“This gathered intelligence can subsequently be used to develop the attack strategy—referred to as pretexting. Pretexting is a broad stage that encapsulates the creation of a story, scenario, or identity that an attacker uses to engage with the target. […] This enables context-aware phishing, where AI crafts malicious content that resonates with the target’s communication patterns, making the story or scenario highly believable. This might include emails that sound like they’re from colleagues, friends, or familiar institutions.” 

It’s perhaps unsurprising that AI-generated phishing emails saw a 54% click-through rate in the Harvard study – the same as emails crafted by human experts and much higher than arbitrary phishing emails (which had a 12% click-through rate). 

Removing Employee Personal Information from Online Sources Can Significantly Reduce Social Engineering Risk

The most effective step any organization that wants to reduce its social engineering risk can take is to minimize the amount of personal information available about its employees online. 

This should encompass regularly auditing the organization’s public-facing information (including on corporate social media profiles and company websites) to identify and mitigate unnecessary exposure and provide training to employees on safe online behaviors. 

Data broker exposure should also be taken into account and dealt with. 

Though it’s possible to remove employees’ personal data from data brokers and people search sites manually, it’s a time-consuming process and one that needs to be repeated periodically as data brokers are known to republish information once they find more of it online, even if a person has previously “opted out.” 

A better solution is to enroll employees, starting with those most exposed to social engineering risk, into a continuous service that proactively removes their personal data across hundreds of websites.