Social engineering: an increasingly serious security problem

Social engineering is now responsible for 39% of all successful attempts to gain access to organizations, with fake CAPTCHA campaigns being the most common method. This represents a huge increase of 1450%, according to LevelBlue’s second Threat Trends Report. Partly as a result of this, the number of organizations reporting cybersecurity incidents tripled in the first half of 2025.

The main driver behind the explosive growth in cyberattacks is ClickFix campaigns, a popular form of fake CAPTCHA social engineering. These attacks cleverly exploit users’ trust in familiar security interfaces and have now become the dominant method of attack. HP Wolf Security has previously reported on the rise of fake CAPTCHAs, which deceive users by exploiting their familiarity with these security mechanisms.

“A striking development in the first half of 2025 is how much more sophisticated threat actors have become at deception,” said Fernando Martinez Sidera, Lead Threat Researcher at LevelBlue. Attackers are moving away from traditional Business Email Compromise (BEC) attacks (even though this is still the most common way to gain access to an organization) and focusing on targeted social manipulation.

Strong growth in incidents

In its Threat Trends Report, LevelBlue (the name under which the former AT&T Cybersecurity has operated since last year) reports that the percentage of its customers who fell victim to an incident rose from 6% in the second half of 2024 to 17% in the first five months of 2025. We currently have no information about the severity of these incidents, and therefore about the absolute impact of this increase. That information is, of course, needed to interpret the figure properly. Nevertheless, it is undoubtedly a significant increase.

Faster infiltration of networks

In addition to the sharp increase in social engineering as a means of gaining access to organizations, the report highlights another striking finding. Once attackers are inside, they move rapidly through organizational networks. The average breakout time (the period in which attackers can move laterally, i.e. from one silo to another, from one system to another, after initial access) is now less than 60 minutes. In extreme cases, this takes only 15 minutes, which indicates how efficiently modern attackers work.

What can you do about it?

LevelBlue expects social engineering to remain the dominant method for the rest of 2025 and 2026. This means that organizations will have to arm themselves even better against it. There are some best practices they can follow, according to LevelBlue.

First of all, employees of organizations need to be made more aware of the phenomenon of fake CAPTCHAs. In addition, attacks via the browser need to be given more attention. Restricting the use of PowerShell or the command prompt is also worth considering.

Furthermore, it is important for organizations not only to develop protocols for verification, but also to enforce them. Think of things such as MFA and IAM platforms. MFA should always be used to gain access via VPN. If you really have to use RDP, make sure to put a jump server in between.

As an organization, you can also take steps in the area of software to better protect yourself against social engineering attacks. The Windows program Quick Assist should be removed from virtually all endpoints. In addition, organizations must do everything they can to prevent the download of alternative RMM tools. This is a proven method for attackers to gain access. Finally, it goes without saying that it is important to stay up to date when it comes to installing patches.
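The software measures above can be checked per endpoint. The following PowerShell audit is an added example, not something taken from LevelBlue's report: it flags an installed Quick Assist and any remote-access product that is not on an approved list. The product names in `$RmmPatterns` and the empty `$ApprovedRmm` allowlist are assumptions to adapt to your own environment.

```powershell
# Added example: audit one endpoint for Quick Assist and unsanctioned RMM tools.
# Run from an elevated PowerShell session.

# Assumption: product names to look for; extend to match your environment.
$RmmPatterns = 'AnyDesk', 'TeamViewer', 'ScreenConnect', 'Splashtop', 'RustDesk'
# Assumption: RMM products your IT department has sanctioned (empty = none).
$ApprovedRmm = @()

function Get-InstalledSoftware {
    # Read the uninstall keys instead of Win32_Product, which is slow and
    # triggers an MSI consistency check on every query.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher
}

function Test-QuickAssistInstalled {
    # Quick Assist is a Store (Appx) package on current Windows builds and an
    # optional Windows capability on older ones, so check both.
    $appx = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    $cap  = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' -ErrorAction SilentlyContinue |
            Where-Object { $_.State -eq 'Installed' }
    [bool]($appx -or $cap)
}

function Get-UnapprovedRmm {
    # Match installed product names against the watch list, minus the allowlist.
    foreach ($app in Get-InstalledSoftware) {
        foreach ($pattern in $RmmPatterns) {
            if ($app.DisplayName -like "*$pattern*" -and $ApprovedRmm -notcontains $pattern) {
                [pscustomobject]@{ Finding = 'Unapproved RMM tool'; Detail = $app.DisplayName; Publisher = $app.Publisher }
            }
        }
    }
}

$findings = @(Get-UnapprovedRmm)
if (Test-QuickAssistInstalled) {
    $findings += [pscustomobject]@{ Finding = 'Quick Assist installed'; Detail = 'MicrosoftCorporationII.QuickAssist'; Publisher = 'Microsoft' }
}
$findings | Format-Table -AutoSize
```

An empty result means neither condition was found on that machine; portable RMM binaries that never register an uninstall entry will not show up here and need application control or EDR telemetry to catch.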

Is this enough?

Several of the above steps are part of what we generally refer to as basic security hygiene. Organizations that are not yet doing this should definitely take a long, hard look at themselves. We doubt, however, that these measures will be sufficient to counter the rise in social engineering. Ultimately, it’s all about employees being able to recognize social engineering. And that’s really hard, especially because attackers are always coming up with new ways to do it and the spectrum for social engineering is really wide. That doesn’t mean organizations can’t get their security tech in order to minimize the impact of a possible attack, though.

We believe that more attention to social engineering and issues such as fake CAPTCHA and ClickFix campaigns is definitely a good idea. LevelBlue’s report of a 1,450 percent increase tells us at least two things. The first is that it was very rare before and therefore a very small problem. Otherwise, a 1,450 percent increase would be highly implausible. The second is that because it occurred so rarely, little to no attention was paid to it by organizations. This makes it an even more interesting weapon for attackers to use. Attention and action are therefore definitely recommended.