
A new study by Dune Security indicates that companies rarely mimic attacks from advanced persistent threat (APT) groups like Scattered Spider, even though 64% have experienced breaches across multiple channels in the past year.
New York City, New York, Sep 4, 2025 – Enterprises are failing to adequately prepare users for the evolving landscape of social engineering attacks, which now exploit encrypted messaging, SMS, collaboration platforms, and voice communications. They remain primarily focused on email threats, according to new data from Dune Security. This disconnect leaves organizations exposed, despite the increasing visibility of high-profile breaches.
Dune Security’s 2025 Insider Threat Intelligence Report, which includes survey data from leading CISOs and behavioral telemetry from its simulation engines, reveals that concern about these threats is not translating into action. For example, 71% of CISOs are worried about SMS phishing (smishing), yet only 27% simulate such attacks. Similarly, 59% are concerned about voice phishing (vishing), but only 15% test for it. Testing for threats through collaboration tools and encrypted messaging is even lower, despite 38% expressing concern about attacks via these channels.
Key findings include:
- Only 12% of CISOs believe their current Security Awareness Training (SAT) programs are adequate.
- No surveyed enterprises simulate threats in encrypted messaging apps, even though 64% confirmed social engineering attacks via encrypted or informal channels in the past 12 months.
- Only 18% of organizations tailor phishing simulations based on both role and behavior, although 91% recognize its importance.
- While 100% test for email phishing, only 15% simulate vishing and 27% test smishing.
- AI-personalized phishing generates 300% more user interaction compared to traditional, templated versions.
“Attackers are taking advantage of the vulnerabilities that enterprises are not addressing,” stated , CEO and Co-Founder of Dune Security. “Outdated SAT programs focus solely on email threats, while actual breaches now originate in channels with high trust and low visibility, such as encrypted messaging, SMS, voice calls, and deepfake-based impersonation.”
Progressive security teams are moving away from routine training toward behavior-based simulation, real-time monitoring, and adaptable remediation strategies. Dune’s recent data confirms that legacy awareness programs are ineffective not because of insufficient effort, but because the underlying technology fails to identify where the real risk lies: in untested channels and unmonitored user behavior.
“Traditional solutions cannot keep pace with the current threat environment or how people work today,” said Dune Security Senior Manager of Engineering and AI, .
“Our platform proactively assesses our customers’ organizations, employing the same social engineering tactics used by real hackers. We highly personalize testing, training, and security measures to each employee’s role, level, industry, strengths, and weaknesses, empowering them to protect themselves and their organizations in real time.”
The 2025 Insider Threat Intelligence Report is based on survey responses from leading enterprise CISOs, combined with proprietary simulation and behavioral analytics from Dune Security’s platform. The report provides details on attack channel trends, readiness gaps, and the behavioral indicators that are most likely to lead to compromise.
About Dune Security
Dune Security assists enterprises in quantifying and mitigating user cyber risk. Dune’s User Adaptive Risk Management solution automatically prevents insider threats and social engineering by simulating attacks across multiple channels, scoring user risk, and adapting remediation in real time. Dune is a trusted provider for Fortune 1,000 companies, including Hugo Boss, Warner Music Group, and Culligan.
Learn more at .
Media Contact
Grace Gately
Source: Dune Security