Cybercriminals stopped targeting servers long ago; they attack employees instead. According to cybersecurity companies (Positive Technologies, BI.Zone) and the Central Bank, social engineering is the main vector of initial penetration into corporate networks. It accounts for at least 60-70% of all successful attacks on companies. Whereas cybercriminals were previously interested mainly in financial organizations and government agencies, in 2025 industry, retail, IT companies and logistics came under attack.
Experts note a sharp increase in so-called “hybrid phishing,” in which technical methods (malware) are combined with deep social engineering (support calls, a faked executive’s voice). Criminals are less and less interested in quick profit; they are ready to wait for months, working their way into employees’ trust. Moreover, traditional protection methods and training courses often do not work.
Modern phishing
A modern cyber attacker is a talented psychologist and analyst. They rarely use bulk mailings, focusing instead on targeted attacks. Consider the popular methods used against company employees.
Pretexting, or attacking under a cover story (a “legend”). This is not just a scripted call; it means creating an elaborate scenario. The attacker collects information in advance about the company, its internal processes and even the slang it uses. For example, according to a report by experts, in 2025 there was an active increase in targeted attacks via e-mail. The attackers used plausible domains and real corporate events.
Vishing and deepfake. AI technologies have taken vishing (voice phishing: telephone fraud in which attackers use calls and social engineering to steal money or personal data) to a completely new level. Previously, it was possible to distinguish a fraudster by accent, intonation or script. Today, neural networks are able to synthesize a person’s voice in just a few seconds. One of the main schemes is the use of deepfake audio to simulate the voices of companies’ top managers. For example, a manager may receive several calls instructing them to transfer funds urgently “to close an important deal.” The voice, manner of speech and even a slight noise on the line (imitating a busy office) can be so convincing that the victim does not always recognize the deception. Such attacks even defeat two-factor authentication, since the employee voluntarily takes the necessary actions and provides all the data. Two years ago, we recorded a surge in such schemes, and during 2025, as experts note, every fifth Russian company faced a deepfake attack.
Targeted phishing through social networks. Attackers no longer guess where the victim works. They go through VK, MAX and even the company’s Telegram and VK channels. They study who is friends with whom, which projects people participate in, which conferences they attend and which webinars they hold. Based on the data obtained, they attack a specific person. For example, a marketing employee publishes a post about launching a new product. An hour later, he receives a friend request from a “well-known industry analyst” who wants a comment for an article. During the correspondence, the “analyst” sends a link to “his own article” in Yandex Documents, which requires logging in with a corporate account to view. At that moment, the login and password go to the attacker.
According to F.A.C.C.T., in 2025 one of the largest phishing attacks by the TA558 cybercriminal group on Russian enterprises was recorded. It consisted of sending phishing emails that contained an infected file: when it was downloaded, the Remcos RAT program was launched on the victim’s device, which allowed the criminals to control that device.
How to recognize: from “click-or-not” to emotional intelligence
To combat phishing, most Russian companies conduct regular staff training. However, traditional tests, such as phishing simulations with “Change password urgently” emails, teach employees only one thing: do not click on suspicious links. But how will such lessons prepare anyone for a call with a deepfake of the boss’s voice? Obviously, they will not. To be effective, training must shift its focus from interface to context.
Let’s consider some effective techniques.
Scenario training. You need to stop showing slides and start staging “performances.” Personnel must be immersed in realistic situations. For example, simulate a situation in which an agitated colleague from a branch office calls an employee. He has an urgent problem accessing the system and asks for a password to quickly check a report for the board. Many will probably get caught. The set of situations must be diverse. This trains not knowledge of the rules but a behavioral reflex to anomalies.
Deepfake recognition training. Employees need to be introduced to deepfake technology: show examples of synthesized voices and explain what to look for (sound artifacts, unnatural pauses, requests to repeat the phrase). Also introduce a strict rule: any financial or critical operation, any request for a money transfer or data change, must be confirmed via an alternative communication channel (for example, by calling the manager back on a mobile number that is personally known, not the one from which the call came).
Psychological stability. Cybercriminals put pressure on emotions using fear, haste, curiosity, and a desire to help. Training should include modules on stress resistance and the ability to say “no” or “I will call back later” to a person in authority. It’s hard, but that’s what stops the attack.
All these techniques should be applied in combination to prepare employees for various scenarios of attacks by cybercriminals.
PoLP: Minimal access as a security mantra
Even if the psychological attack succeeds and the attacker gains access to the employee’s account, the system should expose only the data that employee needs for work, and nothing more. According to the SOLAR study, the number of leaked databases of Russian companies in 2025 has significantly decreased, but still remains quite high. The principle of least privilege (PoLP) is insurance in the fight against cybercrime.
It has to be implemented without harming the business. To do this, pay attention to the following:
- access to critical data is issued on request, for a limited time and with mandatory justification;
- a role-based access control model: clearly separate what the accountant needs from what the sales manager needs. Why does an intern need access to a 5-year deal archive? If an employee from the procurement department suddenly tries to read the HR base at night, the system should block this automatically, even if the account (possibly compromised) has the rights;
- control of actions, not just entry: it is important to monitor not only who logged in, but also what they do. You need to pay attention to behavioral anomalies. For example, downloading the entire customer base at 3 am is a clear marker of account compromise, even if the password was entered correctly.
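The three points above can be combined into a single access decision. The following is an added example, not code from the article or from any product it mentions; the role names, working hours, bulk threshold and the `decide` and `Grant` names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed role model: the datasets each role needs for daily work.
ROLE_DATASETS = {
    "accountant": {"ledger"},
    "sales_manager": {"customer_base"},
    "procurement": {"suppliers"},
    "hr": {"hr_base"},
}
WORK_START, WORK_END = time(8, 0), time(20, 0)  # assumed working hours
BULK_ROWS = 10_000                              # assumed bulk-export threshold

@dataclass
class Grant:
    """Access issued on request: time-limited, with mandatory justification."""
    user: str
    dataset: str
    expires: datetime
    justification: str

def decide(user, role, dataset, rows, now, grants=()):
    """Return (decision, reasons): 'allow', 'deny' or 'block_and_alert'."""
    in_role = dataset in ROLE_DATASETS.get(role, set())
    granted = any(g.user == user and g.dataset == dataset
                  and g.justification.strip() and now < g.expires
                  for g in grants)
    if not (in_role or granted):
        return "deny", ["outside role and no valid time-limited grant"]
    # Rights exist, but the account may be compromised: check behaviour too.
    signals = []
    if rows >= BULK_ROWS:
        signals.append("bulk export")
    if not in_role:
        signals.append("cross-role access via temporary grant")
    off_hours = not (WORK_START <= now.time() < WORK_END)
    if off_hours and signals:
        return "block_and_alert", ["off-hours"] + signals
    return "allow", signals

if __name__ == "__main__":
    night = datetime(2025, 3, 4, 3, 0)  # constructed sample events
    grant = Grant("petrov", "hr_base", datetime(2025, 3, 5), "vendor audit")
    print(decide("petrov", "procurement", "hr_base", 40, night, [grant]))
    print(decide("ivanova", "sales_manager", "customer_base", 250_000, night))
    print(decide("ivanova", "sales_manager", "customer_base", 40,
                 datetime(2025, 3, 4, 11, 0)))
```

Both night-time requests are blocked even though the account holds valid rights, while the same sales manager reading a few records during the day is allowed.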
Conclusion
The market for information security courses is crowded with offers today. The content of 90% of them is the same: standard video tutorials, presentations and tests that have long had nothing to do with real threats. They can prepare an employee for an attack from 2020, but not for what will happen tomorrow.
AI should be used not only by cybercriminals, but also by information security specialists. Machine learning-based behavioral analytics systems are able to identify anomalies in communications (uncharacteristic style of correspondence, attempts to transfer money after hours) faster than a person.
Do not forget about psychology. It is better to build training not on prohibitions (“do not do that”), but on understanding the mechanisms of manipulation. An employee should become not just a small cog in the system, but a critically thinking link in the security perimeter. It is necessary to train personnel to recognize not only phishing links, but also attempts at psychological hacking.

By Ksenia Arkhipova, information security consultant, RTM Group


