Social engineering attacks surged this past year, Palo Alto Networks report finds | CyberScoop<\/title> <meta name=\"description\" content=\"Unit 42 said social engineering \u2014 the method of choice for groups as diverse as Scattered Spider and North Korean tech workers \u2014 was the top initial attack vector over the past year.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/social-engineering-top-attack-vector-unit-42\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Social engineering attacks surged this past year, Palo Alto Networks report finds\"> <meta property=\"og:description\" content=\"Unit 42 said social engineering \u2014 the method of choice for groups as diverse as Scattered Spider and North Korean tech workers \u2014 was the top initial attack vector over the past year.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/social-engineering-top-attack-vector-unit-42\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-08-01T18:10:23+00:00\"> <meta property=\"article:modified_time\" content=\"2025-08-01T18:10:26+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1752617955g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1750115417g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85420\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85420\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsocial-engineering-top-attack-vector-unit-42%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsocial-engineering-top-attack-vector-unit-42%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85420 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/social-engineering-top-attack-vector-unit-42\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.710264900662\">\n<div class=\"single-article__header-content\" readability=\"34.591304347826\">\n<p> Unit 42 said social engineering \u2014 the method of choice for groups as diverse as Scattered Spider and North Korean tech workers \u2014 was the top initial attack vector over the past year. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85420\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Palo Alto Networks headquarters in Silicon Valley; Palo Alto Networks, Inc. is an American multinational cyber security company. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"34.76844372644\"><body readability=\"71.368683718029\"><\/p>\n<p>Social engineering \u2014 an expanding variety of methods that attackers use to trick professionals to gain access to their organizations\u2019 core data and systems \u2014 is now the top intrusion point globally, attracting an array of financially motivated and nation-state backed threat groups. <\/p>\n<p>More than one-third (36%) of the incident response cases Palo Alto Networks\u2019 Unit 42 worked on during the past year began with a social engineering tactic, the company said this week in its <a href=\"https:\/\/unit42.paloaltonetworks.com\/2025-unit-42-global-incident-response-report-social-engineering-edition\/\">global incident response report<\/a>. <\/p>\n<p>Threat groups of assorted motivations and origins are fueling the rise of social engineering. Cybercrime collectives such as <a href=\"https:\/\/cyberscoop.com\/scattered-spider-social-engineering-cybercrime\/\">Scattered Spider<\/a> and nation-state operatives, including <a href=\"https:\/\/cyberscoop.com\/north-korea-cybercrime-dtex-research-center-227\/\">North Korean technical specialists<\/a> that have infiltrated the employee ranks at top global companies, have adopted social engineering as the primary hook into IT infrastructure and sensitive data. <\/p>\n<p>Scattered Spider, a threat group Unit 42 tracks as Muddled Libra, has infiltrated more than 100 businesses since 2022 \u2014 including more than a dozen this year \u2014 to extort victims for ransom payments. \u201cWe\u2019re constantly engaged with them. It\u2019s just been one after another is what it feels like to us,\u201d Michael Sikorski, chief technology officer and VP of engineering at Unit 42, told CyberScoop.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Attacks and intrusions linked to Scattered Spider and the vast North Korean tech worker scheme composed a high percentage of the incident response cases Unit 42 worked on last year, accounting for roughly an equal number of attacks, Sikorski said.<\/p>\n<p>North Korean nationals have gained employment at <a href=\"https:\/\/cyberscoop.com\/north-korea-workers-infiltrate-fortune-500\/\">hundreds of Fortune 500 companies<\/a>, earning money to send their salaries back to Pyongyang.<\/p>\n<p>While the North Korean insider threat is linked to a nation state, it is a financially motivated social engineering attack, he said. This forked attribution and objective underscores how boundaries between geopolitical and financial motivations are blurring.<\/p>\n<p>Other nation-state threat groups are using social engineering, too, but a financial payout was the primary driver in 93% of social engineering attacks in the past year, Unit 42 said in the report.<\/p>\n<p>Social engineering attacks are also the most likely to put data at risk. These attacks exposed data in 60% of Unit 42 incident response cases, 16 percentage points higher than other initial access vectors, the report found.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Attackers are focused on accessing the data they want, and oftentimes this makes help desk staff, administrators and employees with system-wide access a key target. \u201cThose people often have the privileges to everything that the attacker wants \u2014 the cloud environment, the data, the ability to reset someone\u2019s multifactor so they can reset it and register a new phone,\u201d Sikorski said.<\/p>\n<p>Scattered Spider has consistently engaged in \u201chigh-touch social engineering attacks against those specific individuals,\u201d he said.<\/p>\n<p>Unit 42\u2019s annual study includes data from more than 700 attacks that the incident response firm responded to in the one-year period ending in May, spanning small organizations and Fortune 500 companies. Nearly three-quarters of the attacks targeted organizations in North America.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5236686390533\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/08\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/social-engineering-top-attack-vector-unit-42\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Social engineering attacks surged this past year, Palo Alto Networks<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,302,1156,647,2911,715,46,256,953,2533,288,183],"tags":[286,86,306,1168,240,2913,720,54,262,958,2536,294,207],"class_list":["post-7856","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-geopolitics","category-incident-response","category-north-korea","category-north-korean-it-workers","category-palo-alto-networks","category-ransomware","category-research","category-scattered-spider","category-social-engineering","category-threats","category-unit-42","tag-cybercrime","tag-cybersecurity","tag-geopolitics","tag-incident-response","tag-north-korea","tag-north-korean-it-workers","tag-palo-alto-networks","tag-ransomware","tag-research","tag-scattered-spider","tag-social-engineering","tag-threats","tag-unit-42"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/incident-response\/\" rel=\"category tag\">incident response<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korea\/\" rel=\"category tag\">North Korea<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korean-it-workers\/\" rel=\"category tag\">North Korean IT workers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/palo-alto-networks\/\" rel=\"category tag\">Palo Alto Networks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/scattered-spider\/\" rel=\"category tag\">Scattered Spider<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/social-engineering\/\" rel=\"category tag\">Social engineering<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unit-42\/\" rel=\"category tag\">Unit 42<\/a>","tag_info":"Unit 42","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7856","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7856"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7856\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7856"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7856"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7856"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7856,"date":"2025-08-01T13:10:23","date_gmt":"2025-08-01T18:10:23","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85420"},"modified":"2025-08-01T13:10:23","modified_gmt":"2025-08-01T18:10:23","slug":"social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/08\/01\/social-engineering-attacks-surged-this-past-year-palo-alto-networks-report-finds\/","title":{"rendered":"Social engineering attacks surged this past year, Palo Alto Networks report finds"},"content":{"rendered":"