Social engineering attacks are rising as employee data becomes easier to exploit

Data brokers emerge as a key source of attacker intelligence, but personal data removal programs remain limited in scope

A new enterprise cybersecurity survey from Optery argues that targeted social engineering has become a high-pressure, multi-channel threat for large companies, with attackers increasingly relying on publicly available employee identity data to personalize attacks, impersonate workers, and compromise credentials.

The report, The Data Behind the Deception: Optery 2026 Enterprise Social Engineering Survey Report, is based on a survey of 421 cybersecurity professionals conducted by TrendCandy on behalf of Optery.

The central finding is that social engineering attacks are increasing, becoming more personalized, and producing measurable security consequences.

The strongest finding in the report is the role attributed to data brokers and people-search sites. Respondents rated data broker and people-search platforms as the most significant source of intelligence used in targeted social engineering attacks, ahead of social and professional platforms and breach data.

“Data broker exposure is not a theoretical risk for organizations,” said Lawrence Gentilello, CEO and founder of Optery. “Leaked ransomware group communications, incident investigations, and government advisories have all shown threat actors using data brokers to identify employees, map organizations, and support targeted social engineering.”

According to the report, 97.6 percent rated data broker or people-search data as a significant source of attack intelligence.

The report says commercially aggregated identity data is especially useful because it is structured, searchable, and often includes contact details, employment context, and personal relationships.

“Targeted social engineering is putting real pressure on enterprise security teams, but the most important finding is where organizations are focusing their response,” said Paul Mander, CCO and general manager of Optery for business.

“Security leaders,” Mander said, “are identifying data broker and people search sites as a major source of attacker intelligence, and they are prioritizing employee data exposure reduction as a result. That points to a meaningful shift in how enterprises are thinking about social engineering defense.”

According to the survey, 96 percent of cybersecurity leaders reported an increase in targeted social engineering attempts over the past 12 months. Nearly three-quarters, 74.6 percent, reported credential compromise resulting from targeted social engineering, while 77.9 percent reported either confirmed or suspected compromise.

The survey also found that 89.8 percent of respondents said recent attacks were highly or moderately personalized.

Optery frames the issue as a shift from traditional phishing to more sophisticated, reconnaissance-driven campaigns.

Attackers are not simply sending generic emails and waiting for someone to click. They are selecting specific employees, collecting personal and professional information, and using that data to craft more convincing approaches across email, voice, SMS, social media, and spoofed web domains.

The report identifies employee personal information as a key enabler. Security leaders said attackers can easily obtain corporate email patterns, personal phone numbers, personal email addresses, breached credentials, job titles, reporting structures, family or associate names, and home addresses.

More than three-quarters of respondents said employees’ personal data is very or somewhat exposed across data broker and people search websites.

That exposure matters because it reduces the amount of work attackers must do before launching a targeted campaign. Most respondents said sensitive pieces of identity data are readily accessible online.

The survey found that 83.6 percent said home addresses are easy to obtain, 82.7 percent said breached credentials tied to personal contact information are accessible, 82.2 percent said personal mobile numbers are easy to find, and 77.4 percent said personal email addresses are accessible.

Respondents also said job titles and reporting structures, family member or associate names, and corporate email format patterns are easy to obtain.

The result is a low-friction reconnaissance environment in which attackers can assemble convincing dossiers on workers without first breaching a company’s network.

That information can then be used to impersonate colleagues, trick help desks, target identity and access management personnel, or pressure finance and human resources employees into taking sensitive actions.

The report says the pressure is already being felt inside enterprise security teams. While some organizations said the volume remains manageable, 52.7 percent said social engineering volume is creating increasing strain, is difficult to keep up with, or is overwhelming existing defenses.

The report also highlights a tension between confidence and actual compromise rates. Only 32.3 percent of respondents said they are very confident in their ability to detect and block modern social engineering techniques before user interaction, while 61 percent said they are somewhat confident.

For AI-scaled personalized attacks, 29.9 percent said they are very confident and 58 percent said they are somewhat confident.

The report’s findings also undercut the idea that social engineering is primarily an email problem. Organizations reported confirmed incidents across multiple channels, including social media, voice and phone calls, company website or domain impersonation, email, and SMS or text messages.

Social media was cited by 56.3 percent of respondents, voice or phone by 55.3 percent, company website or domain impersonation by 52 percent, email by 50.8 percent and SMS or text by 41.1 percent.

Attempted impersonation followed the same pattern. The report found that 68.2 percent of organizations reported email-based impersonation, 57 percent reported voice impersonation, 51.5 percent reported fake or cloned social media accounts, 50.8 percent reported spoofed domains or lookalike websites, and 49.4 percent reported SMS or text impersonation.

Defensive confidence was uneven across those channels, with respondents rating email defenses strongest and social media impersonation defenses weakest.

The survey also found that attackers are targeting employees based on access and operational leverage, not only seniority. IT and identity and access management personnel were the most frequently targeted group by a wide margin, with 80.5 percent of organizations reporting that those workers had been targeted.

That was far higher than executives, who were reported as targets by 42.3 percent of respondents. HR was cited by 44.7 percent, finance by 43.9 percent, help desk workers by 33 percent, and engineers by 22.8 percent.

That distribution reflects how modern social engineering campaigns often work. Executives remain attractive targets because their names and authority can be used to pressure employees. But workers who manage identity systems, authenticate users, process payments, approve sensitive requests or validate employee identities can be just as valuable.

A successful attack against a help desk or identity management employee can give an attacker the ability to reset credentials, enroll a new device, bypass controls, or gain access to systems that would otherwise be protected.

Optery’s report also describes a defensive shift underway inside large organizations. Rather than focusing only on detecting attacks after they are launched, many companies are trying to reduce the amount of employee information available to attackers in the first place.

Reducing publicly exposed employee data ranked as the most widely used security measure for addressing social engineering, with 59.9 percent of organizations reporting that it is already in use.

Other measures included SMS or mobile security controls, multi-factor authentication, email filtering and blocking, social media monitoring, user training and phishing simulations, and brand or domain monitoring and takedown.

Personal data removal also ranked as the top investment priority. The report found that 33.7 percent of respondents identified it as their primary area of spend, ahead of email filtering, user training and simulations, brand and domain monitoring and takedown, authentication, social media monitoring and incident response.

More than three-quarters of respondents said limiting employee personal data online is critical or very important as AI-generated social engineering attacks become more scalable.

The report argues that this is especially important because AI can increase the scale and quality of personalization. Publicly available personal information can be used to generate more realistic messages, scripts, and impersonation attempts.

In that environment, exposed employee data becomes not only a privacy issue, but a security risk that can feed account takeover, credential theft and fraud.

Still, the report found that many personal data removal programs remain limited in scope and that coverage is more often concentrated among executives and privileged access holders, high-risk roles, or executives only.

That suggests enterprises are treating data exposure as a risk-based problem, starting with the employees most likely to be targeted or exploited. But it also leaves a gap. Social engineering does not only move through the C-suite. It moves through the help desk, HR, finance, IT administration, contractors, and employees whose access or relationships can be weaponized.
