20.2.4. Social engineering with AI

2025.10.06.
AI Security Blog

The Automation of Trust Exploitation

Social engineering has always been the art of exploiting human psychology—our biases, our trust, and our tendency to follow authority. For decades, its effectiveness was limited by the attacker’s time, research ability, and capacity to scale. Generative AI fundamentally shatters these limitations, transforming a manual, bespoke craft into an automated, industrial-scale process. This isn’t merely an enhancement; it’s a paradigm shift in how trust can be weaponized.

Where a human attacker might craft a few convincing phishing emails a day, an AI system can generate thousands, each one hyper-personalized to its target. Where a vishing (voice phishing) call required a skilled actor, AI voice synthesis can now clone a CEO’s voice from a few seconds of audio. As a red teamer, you must understand that the future of social engineering is not about tricking a person with one clever message but about overwhelming organizational defenses with a persistent, adaptive, and scalable campaign orchestrated by a machine.

The AI-Powered Social Engineering Kill Chain

To grasp the impact, it’s useful to map AI capabilities onto the traditional social engineering kill chain. Each stage is amplified, removing friction for the attacker and increasing the probability of success.

[Figure: the AI-powered social engineering kill chain. Stage labels: 1. Reconnaissance (Automated OSINT, Data Synthesis, Persona Modeling, LLM-driven Profiling); 2. Lure Crafting (Hyper-Personalized Text, Voice & Video Cloning, Contextual Pretexts, Generative Content); 3. Engagement (Adaptive Conversation, Real-time Objection Handling, Conversational AI); 4. Exploitation (Credential Harvesting, Guided Execution, Payload Delivery, Action Orchestration).]

  1. Reconnaissance: An LLM can be tasked to scrape and synthesize vast amounts of public data (social media, company reports, news articles) about a target individual or organization. It can identify key relationships, recent projects, communication styles, and potential emotional triggers, creating a psychological profile far deeper than a human could compile manually.
  2. Lure Crafting: Using the synthesized profile, generative models create the attack vector. This could be a phishing email perfectly mimicking the target’s manager’s writing style, referencing a real, recent project. Or it could be a vishing call using a voice clone of a trusted colleague asking for an urgent password reset. The content is not just generic; it’s contextually aware and emotionally resonant.
  3. Engagement: This is where conversational AI shines. Instead of a static email, the attacker can deploy a chatbot over a messaging platform. This AI can engage the target in a real-time, adaptive conversation, handling objections, answering questions, and slowly building trust to guide the target toward the malicious action. It never gets tired or frustrated, and it never goes off-script.
  4. Exploitation: The final step is orchestrated. The AI can guide the user through a fake multi-factor authentication process on a phishing site it also generated, or persuade them to run a malicious script by providing step-by-step instructions, calming their fears in real time.

From Manual to Machine-Generated Pretexts

The core of a successful social engineering attack is a believable pretext. AI elevates pretexting from an art to a science. Consider the difference in sophistication:

| Aspect | Traditional Social Engineering | AI-Powered Social Engineering |
|---|---|---|
| Scale | Limited by individual operator effort. Manual and slow. | Massive. Thousands of personalized lures generated simultaneously. |
| Personalization | Generic or based on limited, manual OSINT. | Hyper-personalized based on deep, automated analysis of the target’s digital footprint. |
| Modality | Primarily text (email). Voice requires a human actor. | Multimodal: text, cloned voice, deepfake video, and interactive chat. |
| Adaptability | Static. An email is sent and the attacker waits for a response. | Dynamic. AI can engage in real-time conversations, adapting its strategy based on the target’s replies. |
| Attribution | Human errors (grammar, cultural missteps) can reveal the attacker. | Near-perfect grammar and style. Difficult to attribute to a specific actor or group. |

Simulating the Threat: Red Team Implications

As a red teamer, your role is to simulate these advanced threats before a real adversary does. This requires moving beyond standard phishing templates and incorporating AI into your own toolkit.

Developing Your AI Social Engineering Toolkit

Your objective is to model the capabilities of a determined attacker. This doesn’t mean you need a sentient AGI; it means leveraging existing APIs and models to automate and enhance your process.

A simple proof-of-concept could involve a script that takes a target’s LinkedIn profile URL, feeds it to an LLM for analysis, and then uses that analysis to generate a targeted spear-phishing email.

# Pseudocode for generating a targeted phishing email
import llm_api
import web_scraper

def generate_spearphish_email(target_linkedin_url, goal):
    """
    Generates a personalized phishing email using an LLM.
    """
    # 1. Automated Reconnaissance
    profile_data = web_scraper.scrape_linkedin(target_linkedin_url)
    
    # 2. AI-driven Synthesis and Analysis
    prompt = f"""
    Analyze this professional profile: {profile_data}.
    Identify key projects, recent job changes, and professional interests.
    Based on this, craft a convincing spear-phishing email with the goal: '{goal}'.
    The email should be from a plausible colleague or industry peer.
    Make it urgent but professional.
    """
    
    # 3. Lure Crafting
    email_content = llm_api.generate_text(prompt)
    
    return email_content

# Example usage for a red team engagement
target_url = "https://linkedin.com/in/jane-doe-cfo"
attack_goal = "Convince Jane to click a link to review a 'confidential M&A document'."
phishing_email = generate_spearphish_email(target_url, attack_goal)
print(phishing_email)

Defensive Recommendations

Your findings from these simulated attacks should drive concrete defensive improvements. Traditional defenses are necessary but insufficient.

  • Advanced Training: Employee awareness training must evolve. Instead of just spotting bad grammar, users must be taught to be skeptical of even well-written, contextually aware messages that create a sense of urgency. The new mantra is “verify, then trust,” especially for unusual requests.
  • Technical Controls: Email gateways need to move beyond simple keyword and reputation filtering. Look for solutions using AI to detect stylistic anomalies, sender impersonation, and unusual language patterns that might indicate a generated message.
  • Process Hardening: Critical actions like wire transfers or credential resets must be tied to out-of-band verification that cannot be spoofed by AI (e.g., a callback to a registered phone number, not one provided in the email).
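The technical-control and process-hardening points above can be combined in one triage step. The following is an added example, not code from the original post: it flags sender impersonation from message headers and, for high-risk requests, returns the callback number from the organization's own directory while ignoring any number in the message. The directory, keyword list, domains and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: the only trusted source for addresses and callback numbers.
DIRECTORY = {"jane doe": {"email": "jane.doe@example.com", "callback": "+1-555-0100"}}
HIGH_RISK = ("wire transfer", "password reset", "credential reset")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def triage(raw):
    """Return (flags, callback_number) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    entry = DIRECTORY.get(name.strip().lower())
    flags = []
    # A known employee's display name on an address that is not theirs.
    if entry and addr.lower() != entry["email"]:
        flags.append("display-name-impersonation")
    # Replies diverted to a different domain than the visible sender's.
    if reply_to and domain(reply_to) != domain(addr):
        flags.append("reply-to-mismatch")
    # Fluent wording is no signal; the requested action is.
    if any(k in msg.get_payload().lower() for k in HIGH_RISK):
        flags.append("high-risk-request")
    # Out-of-band step: the number comes from the directory, never the message.
    callback = entry["callback"] if entry and "high-risk-request" in flags else None
    return flags, callback

# Constructed sample messages (reserved example/test domains and 555 numbers).
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.test>
Subject: Q3 vendor payment

Please process the wire transfer today. Call me on +1-555-0199 to confirm.
"""
DIVERTED = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@mail-example.test
Subject: Account access

I am locked out before the board call and need a password reset now.
"""
ROUTINE = """From: Jane Doe <jane.doe@example.com>

Agenda attached for Thursday's review.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("diverted", DIVERTED), ("routine", ROUTINE)):
        print(label, triage(raw))
```

Even a message that passes every header check still returns the registered callback number when it asks for a high-risk action, which is the point of tying the process to verification outside the channel.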

The era of easily spotted, poorly worded phishing emails is closing. The future adversary is an AI that writes better, researches faster, and manipulates more effectively than any human. Your job is to prepare your organization for that reality.