Cybersecurity solutions provider Palo Alto Networks reported in its 2025 Unit 42 Global Incident Response Report: Social Engineering Edition that 36% of incidents handled by its response team between May 2024 and May 2025 began with a social engineering tactic.

While phishing remains common, more than one-third of social engineering cases involved other techniques such as search engine optimization (SEO) poisoning, fake system prompts, and help desk manipulation.

“The biggest vulnerability in cybersecurity is not only about the technology; it is also about the exploitation of trust,” said Philippa Cogswell, vice president and managing partner, Unit 42, Asia-Pacific & Japan, Palo Alto Networks. “Attackers are now using AI to scale deception, taking advantage of gaps in identity management and human interactions.”

The report, based on more than 700 incident response cases globally, highlighted the fast evolution of these tactics. Unit 42 identified two main patterns: targeted, high-touch compromises and broad, large-scale deceptions.

Targeted compromises often involved impersonating staff, manipulating help desks, and escalating privileges in real time using voice-based lures or stolen identity data. Large-scale deceptions relied on SEO poisoning, fake browser prompts, and schemes like ClickFix to trick users into compromising their own devices.

The study also noted that 13% of critical alerts went unnoticed or were misclassified, giving attackers room to exploit weaknesses in identity recovery and lateral movement. More than half of the incidents resulted in the exposure of sensitive data, while others caused service interruptions or wider operational disruption.

Generative AI was identified as a growing factor in attacks, with around 23% of cases involving voice-based or callback techniques. Financial gain remained the primary driver, with 93% of incidents motivated by profit. Attackers continue to prefer human-centered tactics because they are fast, effective, and inexpensive to execute.

The industries most affected were manufacturing, which accounted for 15% of cases, followed by professional and legal services at 11%. Wholesale and retail, as well as financial services, each represented 10% of incidents.

In the Philippines, threats such as identity-related fraud, illegal access, and data interference remain prevalent. Many are driven by phishing and scams, which the government’s National Cybersecurity Plan (2023–2028) aims to address through stronger emergency response teams, improved incident response protocols, and nationwide awareness programs.

The report emphasized that organizations should move beyond awareness training and focus on systemic resilience. It recommended strengthening identity security by detecting abnormal logins, preventing multi-factor authentication abuse, and using identity threat detection and response tools. It also urged the adoption of Zero Trust models to enforce least privilege access, apply conditional policies, and segment networks to contain intrusions.

Additional measures included protecting human workflows such as help desks and identity recovery processes with stronger verification and staff training, as well as expanding monitoring beyond email to include browsers, DNS activity, and collaboration platforms to stop fake prompts, SEO poisoning, and malicious links before they spread.

“The message is clear: Organizations must build resilience that protects not only their systems, but their people and processes too,” Cogswell said. “The progress we’re seeing is encouraging, but staying ahead of these human-focused threats requires a collective effort.”
