
From Phishing to Deepfakes: How Social Engineering Has Evolved

  • Writer: All Things Being ISOs
  • Sep 4
  • 4 min read

Social engineering - the practice of manipulating individuals to gain unauthorised access to systems or information - has evolved rapidly over the past two decades. What once consisted of poorly written scam emails now includes deepfake audio, SMS fraud, and AI-generated messages that closely mimic real people.


The rise of these techniques has made it increasingly difficult for even tech-savvy individuals to detect manipulation. In this article, we’ll explore the evolution of social engineering, the psychological tactics it exploits, and the practical steps organisations can take to stay protected.


Phase 1: The “Obvious” Phishing Email Era

In the early 2000s, phishing attacks were crude but widespread. They often featured:


  • Poor spelling and grammar

  • Generic greetings

  • Promises of financial windfalls (e.g. the infamous “Nigerian prince” scams)

  • Free email addresses such as banksecurity@hotmail.com


These emails were easy to spot and became the subject of widespread public ridicule. However, they marked the beginning of a broader trend: targeting the human element, not just the technical.


Phase 2: Spear Phishing – Personalised Attacks

By the 2010s, attackers had refined their methods. Instead of casting a wide net, they began researching specific individuals to craft more convincing messages.


Known as spear phishing, these attacks might reference:


  • Recent business trips or events

  • A company’s internal structure

  • Specific individuals or projects


For example, an attacker might email a finance officer claiming to be the CFO, asking for an urgent wire transfer. The tone, language, and context often appear legitimate - making these scams much harder to detect.


Phase 3: Smishing and Vishing – The Mobile Shift

As awareness of email scams increased, attackers turned to mobile channels:


  • Smishing involves fraudulent SMS messages, often impersonating delivery services, banks, or tech platforms: “Your account has been suspended. Tap here to verify.”

  • Vishing (voice phishing) uses phone calls or recorded messages pretending to be from government bodies or tech support teams. These calls may request payment or remote access to a device.


These methods are effective because mobile devices feel more personal and immediate - and many users are less cautious when responding to texts or calls than emails.


Phase 4: Deepfakes and AI-Driven Deception

The latest - and most concerning - development in social engineering is the use of artificial intelligence to create deepfakes. These can include:


  • Audio generated to match a person’s voice

  • Video clips mimicking a real individual’s appearance and speech

  • AI-written emails or texts that mirror an individual's tone or style


This allows attackers to impersonate CEOs, colleagues, or family members with alarming accuracy. For example, a fake voicemail from a line manager could request an urgent purchase or password reset. Some deepfakes have even been used to manipulate financial markets by impersonating executives in fabricated announcements.


Why Social Engineering Works: The Psychology Behind It

Successful social engineering attacks exploit universal human traits:


  • Trust in authority - We’re conditioned to follow instructions from senior staff or institutions

  • Sense of urgency - Phrases like “act now” reduce time for rational decision-making

  • Familiarity and personalisation - Using names, references, or tone to build credibility

  • Fear of consequence - Threatening account closures, job loss, or legal action


These emotional levers can override logic - even among experienced professionals.
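The markers described above (free webmail senders like the banksecurity@hotmail.com example, generic greetings, display names claiming authority from an external address, urgency, threats of consequence, and requests for transfers, credentials or gift cards) can be turned into a simple mail-triage rule. The following is an added example written for this article, not code from the original post: the phrase lists, weights, thresholds, the organisation domain example.co.uk and the three sample messages are all constructed assumptions that a real deployment would tune against its own traffic.

```python
"""Rule-based triage for the social-engineering indicators listed in the article.

Added example, not code from the original post. Weights, phrase lists and the
sample messages are constructed for illustration and would be tuned in practice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Free webmail domains (the article's banksecurity@hotmail.com pattern).
FREE_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}

# One phrase list per psychological lever named in the article (assumed, not exhaustive).
URGENCY = re.compile(r"\b(act now|urgent(?:ly)?|immediately|within 24 hours|right away)\b", re.I)
THREAT = re.compile(r"\b(suspended|closed|terminated|legal action|final notice)\b", re.I)
AUTHORITY = re.compile(r"\b(ceo|cfo|director|head of|it support|tech support)\b", re.I)
REQUEST = re.compile(
    r"\b(wire transfer|bank transfer|gift cards?|password|verify your account|remote access)\b", re.I
)
GENERIC_GREETING = re.compile(
    r"^\s*(dear (?:customer|user|member|sir/madam|valued customer)|hi there)\b", re.I
)


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def score_message(from_header: str, subject: str, body: str, org_domain: str) -> Verdict:
    """Score one message; a higher score means more social-engineering markers are present."""
    v = Verdict()
    display_name, address = parseaddr(from_header)
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    text = f"{subject}\n{body}"

    if sender_domain in FREE_MAIL_DOMAINS:
        v.add(3, f"sender uses free webmail domain {sender_domain}")
    # "The CFO" writing from outside the organisation is the spear-phishing pattern the article describes.
    if AUTHORITY.search(display_name) and sender_domain != org_domain.lower():
        v.add(3, "display name claims authority but the address is external")
    if GENERIC_GREETING.search(body):
        v.add(1, "generic greeting")
    if URGENCY.search(text):
        v.add(2, "urgency language")
    if THREAT.search(text):
        v.add(2, "threat of consequence")
    if REQUEST.search(text):
        v.add(3, "asks for money, credentials or access")
    return v


def triage(verdict: Verdict, quarantine_at: int = 6, flag_at: int = 3) -> str:
    """Map a score to an action; the thresholds are assumptions for this example."""
    if verdict.score >= quarantine_at:
        return "quarantine"
    if verdict.score >= flag_at:
        return "flag for review"
    return "deliver"


# Constructed sample messages for an organisation whose domain is example.co.uk.
ORG_DOMAIN = "example.co.uk"
SAMPLES = {
    "cfo-wire-request": (
        '"Jane Smith, CFO" <jane.smith@gmail.com>',
        "Urgent wire transfer",
        "Hi, I'm in meetings all day. Please process this wire transfer immediately "
        "and keep it confidential.",
    ),
    "account-suspended": (
        '"Account Security" <alerts@bank-secure-login.example>',
        "Action required",
        "Dear Customer, your account has been suspended. Verify your account within "
        "24 hours to restore access.",
    ),
    "internal-lunch": (
        '"Jane Smith" <jane.smith@example.co.uk>',
        "Lunch on Thursday",
        "Hi Tom, are you free for lunch on Thursday?",
    ),
}


def triage_all() -> dict[str, Verdict]:
    """Score every constructed sample against the organisation domain."""
    return {label: score_message(*msg, ORG_DOMAIN) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in triage_all().items():
        print(f"{label}: score={verdict.score} action={triage(verdict)}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

Each matched category adds points only once, so a message is judged on how many of the article's levers it pulls rather than on how often a single phrase repeats; the spear-phishing sample scores highest because it combines a free-mail sender, an authority claim from outside the organisation, urgency and a transfer request, while the internal lunch invitation matches nothing and is delivered untouched. The reasons list is what an analyst or a user-facing warning banner would show, which matters more for awareness than the raw score.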


Practical Steps to Protect Against Social Engineering

Organisations and individuals can take proactive measures to defend against these tactics:


1. Verify Requests via Known Channels

If you receive a request involving financial transactions, login credentials, or gift cards - verify it independently via a trusted method. Don’t reply directly or click embedded links.


2. Slow Down

Attackers rely on panic and urgency. Encourage employees to pause, evaluate, and question unexpected requests.


3. Strengthen Authentication

Use multi-factor authentication (MFA) wherever possible. Even if a password is compromised, MFA adds a critical layer of security.


4. Reduce Your Digital Footprint

Avoid oversharing online. Details such as job titles, contact info, or travel plans can be used to craft convincing attacks.


5. Train Your Team Regularly

Provide security awareness training that includes real-world examples of phishing, smishing, vishing, and deepfakes. Simulated phishing campaigns can help assess and improve readiness.


6. Protect Communication Tools

Ensure internal communication platforms (e.g. Teams, Slack, Zoom) are secured with strong credentials and access controls. These are increasingly being targeted.


7. Develop an Incident Response Plan

Establish clear protocols for reporting suspected phishing attempts or fraud. Early reporting can reduce damage.


Conclusion: In a World of AI-Enhanced Deception, Critical Thinking Is Your Best Defence

The methods of social engineering have changed, but the objective remains the same: exploit human trust to gain access, steal data, or cause disruption.


Businesses must not only invest in technical defences but also in human awareness and behavioural change. In a world where even voices and faces can be faked, vigilance is no longer optional - it’s essential.


Train your team. Test your systems. Question the unexpected. And always verify, no matter how real it seems.


A message from our sponsors, The Ideas Distillery


If you would like to look at how to implement an ISO 27001 information security management system, then simply contact us.


Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
