Social Engineering Outgrows the Inbox
Portions of this article were previously published in the Travelers' Cyber Threat Report
The evolution of social engineering in cyber security
We’re now decades past when email scams became common knowledge. But even as other cybercrime tactics have come and gone, social engineering attacks remain one of the most common ways threat actors gain initial access to an organisation’s systems. Once inside, threat actors can explore the network, exfiltrate (steal) data, deploy ransomware or do further social engineering to defraud the victim.
Social engineering has remained a common attack vector because it’s adaptable: threat actors can adjust their strategies to account for new defence technologies and changes in user awareness of their tactics.
Recently, we’ve seen threat actors moving beyond email inboxes and instead leveraging voice calls, QR codes, mobile messaging and collaboration platforms to bypass traditional defences and exploit new environments. These alternate platforms will require new defence measures to be layered on top of existing practices around email.
Types of social engineering
In the past year, several documented cases have emerged of attackers utilising collaboration software, such as common chat-based platforms that include voice or video calling, to help gain system access.
In the most recent edition of the Travelers Cyber Threat Report we describe a real-life example of how these campaigns can work. The situation began with the threat actor setting off a flurry of spam emails to an individual to manufacture an IT “issue,” then posing as IT support staff and contacting the victim through chat messages and through collaboration software. Using this tactic, the threat actor succeeded in convincing the victim to install a remote-access tool that enabled the threat actor to install malware and enable further intrusion.
In other campaigns threat actors have invited victims to spoofed meetings that mimic the look of common video conferencing software products. If the victim clicks through to join, the threat actor can gain unauthorised access to the victim’s computer or phone through a remote access trojan (RAT). Attackers have also used shared links or bots to insert malicious messages that resemble internal communications.
These examples illustrate how threat actors have expanded their social engineering "playbook" by adding multiple communication channels to attack a single target. It’s key to note that most of these tactics hinge on how a business’ settings are configured. The software can be set to allow for calls or messages from outside of the organisation to reach employees, or that ability can be limited to varying degrees. The takeaway should not be that collaboration tools are uniquely dangerous, but rather that, being relatively new, not every organisation may have thought through the setup and configuration of every tool, or trained employees sufficiently of the potential dangers of having those settings enabled.
Just as it took many years for email security best practices to spread to organisations of all shapes and sizes -- something that’s still happening today -- organisations should expect that their approach to integrating other forms of communication software will need to evolve in response to attack trends.
Is vishing social engineering? What about deepfake attacks?
A complement to the use of collaboration software to perform phishing exploits is the use of voice calls on various platforms, be it a conventional phone call or app-based voice call. This “vishing” (voice phishing) tactic is rapidly evolving thanks to Artificial Intelligence (AI)-generated deepfake voices that are capable of real-time conversation. This technology breaks down barriers that threat actors previously faced in attempting to use voice calls as part of their scheme, namely being able to converse in the victim’s native language fluently and without any phrasing that might raise suspicion on the part of the victim.
In one of the most striking cases to date, an employee at an international engineering firm was duped into transferring over €21 million after participating in a video call with what appeared to be multiple company executives, including the CFO. The meeting was fabricated using deepfake avatars and voices. Similarly, last year executives from large, publicly traded companies were targeted through common messaging platforms using deepfaked voice notes—another sign that threat actors are blending generative AI with high-trust channels in their efforts to defraud companies.
Researchers have shown how easily scammers can now clone voices from short audio clips. In one demonstration, an AI-generated caller was able to access bank account information using personal information that would be easily obtained on dark web marketplaces.
For better or worse, this technology isn’t just evolving in a shadowy corner of the dark web. New tools that are widely and publicly available make it possible to synthesise realistic voice impersonations in seconds, and the volume of deepfake-enabled phishing continues to rise. In fact, CrowdStrike’s 2025 Global Threat Report revealed that between the first and second halves of 2024, vishing rose by 442%.
Digital threats meet the physical world
In February 2025, organisations began receiving physical letters claiming to be from the threat actor BianLian. These letters stated that a ransom payment was required to prevent the exposure of data that had supposedly been exfiltrated from the targeted organisation. Upon investigation, none of the targeted organisations found any evidence of actual data theft or system breaches, which limited the impact of the letters – although the novelty of the attack style generated widespread interest. Recently physical mail has also been used to target individuals, with fake letters sent impersonating governmental agencies and packages supposedly coming from national retailers, in each case containing a malicious QR code. These types of attacks are not as common, but due to the widespread publication of the fake BianLian letters, organisations should be aware of the threat. It is crucial for people to understand the importance of not accessing links or scanning QR codes of unknown origin.
These attacks may not represent a major new avenue for threat actors, but they underscore the extent to which any means of communication with an organisation’s employees is now “in play” as a potential social engineering exploit.
Defensive measures for a broader threat surface
To respond to this new landscape, organisations should expand security awareness training beyond email. Companies should train their employees to recognise social engineering attempts across collaboration platforms, video calling software and even their own private text messages. IT teams should audit their settings and configurations for all communication software — especially those that allow external contact – and should implement a call-back verification process for sensitive requests.
Attackers are no longer just targeting the inbox. Companies must evolve their defences to help address these new threat vectors.
Cyber insurance as a critical risk mitigation strategy
As Irish businesses grapple with these sophisticated and evolving social engineering threats, cyber insurance has become an essential component of a comprehensive risk management strategy. The Irish market, with its significant concentration of multinational technology companies, pharmaceutical and life sciences firms, and financial services companies, presents an attractive target for cybercriminals employing these advanced tactics.
Our cyber insurance policies provide policyholders with crucial financial protection against the substantial costs associated with successful social engineering attacks, including business interruption losses, forensic investigation expenses, legal fees, and regulatory fines under GDPR and other data protection regulations. Additionally, our Any One Claim (AOC) Crime coverage offers enhanced protection against cybercrime, such as fraudulent funds transfers, ensuring that if a loss occurs, the sublimit for that coverage is fully restored for future incidents, subject to the overall remaining policy limit.
Beyond coverage, Travelers offers proactive risk management services, including employee training programmes specifically designed to address the multi-channel social engineering threats described above, helping your clients stay ahead of rapidly evolving attack vectors.
To support your clients with this essential protection, quoting and binding cyber policies is simple: brokers can use MyTravelers for clients with turnover up to €100 million and limits of indemnity up to €3 million. For larger risks or higher limits, our cyber underwriting team is available to provide tailored support.
The information provided is for general informational purposes only. It does not, and it is not intended to, provide legal, technical, or other professional advice, nor does it amend, or otherwise affect, the provisions or coverages of any insurance policy issued by Travelers. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome. Furthermore, laws, regulations, standards, guidance and codes may change from time to time, and you should always refer to the most current requirements and take specific advice when dealing with specific situations. In no event will Travelers be liable in tort, contract or otherwise to anyone who has access to or uses this information.
Travelers operates through several underwriting entities in the UK and Europe. Please consult your policy documentation or visit the websites below for full information.
