# 2025 Update: Social Engineering Attacks Trigger Wave of New Criminal Prosecutions Worldwide
By Jonathan D. Steele | November 28, 2025
What should you know about the 2025 wave of criminal prosecutions triggered by social engineering attacks?
Quick Answer: Social engineering accounts for a staggering 98% of all cyberattacks, yet five dangerous myths continue to leave organizations defenseless—from the false belief that only naive users fall victim (when in reality, the 2020 Twitter breach compromised employees at a major tech company, leading to hijacked accounts of Obama and Musk) to the misconception that it's a "soft" crime (despite carrying up to 20 years imprisonment under the Computer Fraud and Abuse Act). The evolution of deepfake technology has made these attacks virtually undetectable, as demonstrated when a Hong Kong finance worker transferred $25 million after a video call where every participant, including the CFO, was an AI-generated fake—proving that neither technical sophistication, company size, nor employee vigilance can overcome attacks that exploit fundamental human psychology rather than software vulnerabilities.
— Jonathan D. Steele, Esq. (Security+, ISC2 CC, CEH)
Social Engineering in Cybercrime Myths Debunked: The Real Truth
Social engineering attacks account for 98% of all cyberattacks, according to Purplesec's cybercrime statistics. Yet dangerous misconceptions persist about how these attacks work, who they target, and what legal consequences perpetrators face. These myths leave individuals and organizations vulnerable while creating false confidence among would-be criminals who underestimate the serious legal ramifications. Let's dismantle the five most pervasive myths surrounding social engineering in cybercrime.
Myth #1: Social Engineering Only Targets Naive or Technically Illiterate Victims
Why This Myth Persists
Popular culture portrays social engineering victims as elderly individuals falling for obvious scams or employees who click every suspicious link. This stereotype reinforces the belief that educated, tech-savvy professionals remain immune to manipulation tactics.
The Reality
Social engineering exploits fundamental human psychology—not technical ignorance. Research from Stanford University and Tessian reveals that 88% of data breaches stem from employee mistakes, with highly educated professionals among the most frequent victims. Spear-phishing campaigns specifically target executives, IT administrators, and security personnel because they possess elevated access privileges.
The 2020 Twitter breach demonstrates this reality starkly. Attackers used phone-based social engineering to manipulate Twitter employees—individuals working at a major technology company—into providing access credentials. The result: compromised accounts of Barack Obama, Elon Musk, Bill Gates, and other high-profile figures.
According to the FBI's Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) attacks, which rely heavily on social engineering, caused $2.7 billion in losses in 2022 alone. These attacks predominantly target finance departments and C-suite executives—hardly naive or technically illiterate populations.
Consequences of This Belief
Myth #2: Social Engineering Isn't "Real" Hacking and Carries Minor Legal Penalties
Why This Myth Persists
Because social engineering doesn't involve writing malicious code or exploiting software vulnerabilities, many perceive it as a "soft" crime. Some view it as merely clever persuasion rather than criminal activity deserving serious prosecution.
The Reality
Social engineering that facilitates unauthorized computer access violates the Computer Fraud and Abuse Act (CFAA) in the United States, carrying penalties up to 20 years imprisonment for repeat offenders. The CFAA specifically addresses obtaining information through fraud, regardless of whether technical exploitation occurred.
Beyond the CFAA, social engineers face prosecution under:
- Wire fraud (18 U.S.C. § 1343): Up to 20 years imprisonment
- Identity theft (18 U.S.C. § 1028): Up to 15 years imprisonment
- Aggravated identity theft (18 U.S.C. § 1028A): Mandatory 2-year consecutive sentence
Graham Ivan Clark, the teenager behind the 2020 Twitter attack, received a three-year prison sentence despite being a minor. Adult co-conspirators faced federal charges carrying potential decades of imprisonment.
Consequences of This Belief
Aspiring criminals who underestimate legal repercussions discover harsh realities when federal prosecutors pursue maximum sentences. Meanwhile, organizations that view social engineering as a minor threat allocate insufficient resources to prevention and detection.
Myth #3: Strong Technical Security Makes Social Engineering Irrelevant
Why This Myth Persists
Organizations invest millions in firewalls, intrusion detection systems, and endpoint protection. This investment creates false confidence that technological barriers eliminate human-factor vulnerabilities.
The Reality
Social engineering specifically circumvents technical controls by targeting the human element. Verizon's 2023 Data Breach Investigations Report confirms that 74% of breaches involve human elements, including social engineering, errors, and misuse.
Kevin Mitnick, perhaps history's most famous social engineer, repeatedly demonstrated that no technical security withstands determined human manipulation. His attacks against Digital Equipment Corporation, Pacific Bell, and numerous other organizations succeeded despite robust technical defenses because he targeted employees rather than systems.
The 2022 Uber breach illustrates this principle. Despite Uber's substantial security infrastructure, an attacker gained access by bombarding an employee with multi-factor authentication requests until fatigue led to approval—a technique called "MFA fatigue" that exploits human psychology rather than technical vulnerabilities.
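To show what the MFA fatigue pattern described above looks like in authentication telemetry, here is an added detection example (not from the original article and not Uber's own tooling) that runs over constructed sample push-notification log lines; the log format, user names, window and threshold are assumptions.

```python
"""Detect MFA-fatigue bursts in push-notification logs.

Two signals are flagged per user: a burst of pushes inside a short window
(someone hammering the prompt) and an approval that follows a run of denied
or timed-out pushes (the user was worn down into accepting)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <push result>"
# Results are assumed to be one of DENIED, TIMEOUT, APPROVED.
SAMPLE_LOG = """\
2025-01-10T21:02:01Z alice APPROVED
2025-01-10T23:10:05Z bob DENIED
2025-01-10T23:10:47Z bob TIMEOUT
2025-01-10T23:11:30Z bob DENIED
2025-01-10T23:12:12Z bob DENIED
2025-01-10T23:13:01Z bob TIMEOUT
2025-01-10T23:14:40Z bob APPROVED
2025-01-11T08:30:00Z carol DENIED
2025-01-11T09:15:00Z carol APPROVED
"""


def parse_log(text):
    """Turn log text into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return a sorted list of (user, kind, timestamp) alerts."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = []
    for user, evs in by_user.items():
        burst_reported = False  # report the burst once per user, not per push
        for i, (ts, result) in enumerate(evs):
            recent = [r for t, r in evs[:i] if ts - t <= window]
            if not burst_reported and len(recent) + 1 >= threshold:
                alerts.append((user, "push_burst", ts))
                burst_reported = True
            rejected = [r for r in recent if r in ("DENIED", "TIMEOUT")]
            if result == "APPROVED" and len(rejected) >= threshold:
                alerts.append((user, "approval_after_burst", ts))
    return sorted(alerts)
```

An "approval_after_burst" alert is the one worth paging on: a "push_burst" alone may be a user retrying, but an approval after repeated rejections warrants revoking the session and contacting the user out of band.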
Consequences of This Belief
Organizations focusing exclusively on technical controls create security programs with critical blind spots. Attackers consistently choose the path of least resistance, which increasingly means manipulating humans rather than defeating sophisticated technical defenses.
Myth #4: Social Engineering Attacks Are Easily Recognizable
Why This Myth Persists
Awareness campaigns often highlight obvious phishing indicators: misspellings, suspicious sender addresses, and urgent requests for gift cards. This training creates confidence that vigilant individuals can spot all manipulation attempts.
The Reality
Advanced social engineering campaigns employ extensive reconnaissance, creating highly personalized attacks that reference real colleagues, ongoing projects, and legitimate business processes. Proofpoint's 2023 State of the Phish report found that 84% of organizations experienced successful phishing attacks despite awareness training.
Deepfake technology has amplified this threat exponentially. In 2024, a Hong Kong finance worker transferred $25 million after attending a video conference where every participant—including the company's CFO—was a deepfake creation. The attack exploited trust in visual and auditory verification that humans have relied upon throughout history.
Business Email Compromise attacks frequently involve weeks of email monitoring before attackers strike, allowing them to perfectly mimic communication styles, reference ongoing conversations, and time requests during legitimate transaction periods.
Consequences of This Belief
Overconfidence leads to reduced vigilance. Employees who believe they can recognize all attacks let their guard down against sophisticated campaigns that don't match their mental model of "obvious" scams.
Myth #5: Only Large Enterprises Face Serious Social Engineering Threats
Why This Myth Persists
Media coverage focuses on breaches at major corporations, creating the impression that attackers exclusively target organizations with substantial assets worth stealing.
The Reality
The National Cyber Security Alliance reports that 43% of cyberattacks target small businesses, with social engineering representing the primary attack vector. Small and medium businesses often lack dedicated security personnel, formal verification procedures, and comprehensive training programs—making them easier targets.
Furthermore, small businesses frequently serve as entry points into larger supply chains. The 2013 Target breach, which compromised 40 million credit cards, began with a social engineering attack against an HVAC contractor with network access to Target's systems.
The FBI's IC3 received 800,944 complaints in 2022, with victims across every organization size. Average losses for small businesses exceeded $120,000 per incident—often representing existential financial damage.
Consequences of This Belief
Small businesses that consider themselves beneath attacker notice implement minimal protections. This complacency creates easy targets and potential vectors into larger partner organizations.
Protecting Against Social Engineering
Understanding these realities demands comprehensive responses:
- Implement continuous security awareness training that addresses sophisticated attacks, not just obvious scams
- Establish verification procedures for sensitive requests, regardless of apparent source legitimacy
- Create reporting cultures where employees face no punishment for flagging suspicious communications
- Conduct regular simulated attacks to identify vulnerabilities and measure improvement
- Develop incident response plans that address social engineering specifically