
AI Didn’t Invent Social Engineering. It Supercharged It.

Numa Dhamani

Social engineering has always been effective because it targets something every organization depends on: human trust. What has changed is the amount of effort required to make those attacks convincing.

Generative AI now allows attackers to automate much of the work that once made targeted social engineering difficult: researching victims, mimicking tone, localizing messages, generating believable pretexts, and adapting conversations in real time. The result is a more scalable form of identity-based attack: cheaper to produce, easier to personalize, and harder for employees to distinguish from legitimate communication.

Increasingly, these attacks are reaching employees through the device they trust and use most: their phone.

AI Changed the Economics of Social Engineering

With widely available generative AI tools, attackers can generate personalized phishing messages, mimic executive writing styles, translate attacks fluently across languages, create realistic fake profiles, and produce convincing business communications with far less manual effort.

That does not mean every attacker suddenly becomes sophisticated. But it does mean the barrier to launching sophisticated-looking attacks has dropped.

A campaign that once required significant research and customization can now be generated faster, tested more easily, and adapted across more targets. For security teams, that changes the scale of the problem. The threat is no longer limited to a smaller set of carefully crafted attacks, but has become a repeatable process that can be applied across employees, departments, geographies, and communication channels.

Why Mobile Makes These Attacks More Effective

Mobile devices create a particularly favorable environment for AI-assisted social engineering because they combine immediacy, personal trust, and limited enterprise visibility.

Employees are conditioned to respond quickly on their phones. They approve MFA prompts, answer messages, join calls, respond to notifications, and handle work communications while moving between personal and professional contexts. That behavior is exactly what attackers exploit.

The visibility gap makes this worse. Compared with corporate email, many mobile communication channels are harder for organizations to monitor consistently. They often lack centralized logging, sender authentication, mature filtering, and consistent security controls. In BYOD environments, the challenge is even greater because personal and professional communications often coexist on the same device.

AI Is Making Impersonation More Convincing

One of the clearest changes AI has accelerated is the quality of impersonation. AI-generated messages can mirror executive tone, reference real projects, imitate vendor communications, create convincing urgency, and adapt during an ongoing conversation.

Deepfake technology is accelerating this further. Deloitte predicts that GenAI-enabled fraud losses in the U.S. could reach $40 billion by 2027, up from $12.3 billion in 2023, as attackers use synthetic audio and video to make impersonation attacks harder to detect.

In some cases, a short audio sample from social media, a podcast, a webinar, or a public appearance may be enough to create a convincing fake voice. In an enterprise environment, this creates a serious problem. Employees are expected to move quickly, support teams are trained to remove friction, and executives are often trusted by default.

Help Desks Have Become Identity Attack Surfaces

One of the clearest examples of this shift is the rise of attacks targeting help desks and identity recovery processes.

Instead of attacking infrastructure directly, attackers impersonate employees to manipulate the workflows organizations rely on to keep people productive. They may try to reset passwords, enroll new MFA devices, bypass identity checks, regain account access, or pressure support staff into making exceptions.

These attacks are effective because they do not always look like a traditional compromise. The attacker may not deploy malware. They may not exploit a vulnerability. They may simply convince someone inside the organization to complete a legitimate process for the wrong person.

That is what makes identity-centric social engineering so difficult to detect. From the perspective of many systems, the activity may appear valid. A password reset was requested. An MFA device was enrolled. A login was completed. Access was granted through an approved workflow. In other words, the security failure happens before the system sees anything suspicious.
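One way to make that sequence visible is to correlate the individually valid events. The following is an added example, not code from the original post: over constructed identity log events (the field names and the helpdesk actor prefix are assumptions), it flags a help-desk-initiated password reset followed by a new MFA enrollment and a login from a previously unseen device within a short window.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumed for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:00", "user": "jdoe", "type": "password_reset",
     "actor": "helpdesk:agent7", "channel": "phone"},
    {"ts": "2024-05-01T09:06:00", "user": "jdoe", "type": "mfa_enroll",
     "factor": "totp", "device_id": "new-android-01"},
    {"ts": "2024-05-01T09:09:00", "user": "jdoe", "type": "login",
     "device_id": "new-android-01", "device_known": False},
    {"ts": "2024-05-01T11:00:00", "user": "asmith", "type": "password_reset",
     "actor": "self-service", "channel": "web"},
    {"ts": "2024-05-01T11:03:00", "user": "asmith", "type": "login",
     "device_id": "laptop-22", "device_known": True},
]

# The recovery chain the text describes: each step is legitimate on its own.
CHAIN = ("password_reset", "mfa_enroll", "login")


def find_recovery_chains(events, window=timedelta(minutes=30)):
    """Return (user, events) for every user whose events complete CHAIN within
    `window`, where the reset was performed by the help desk (actor prefix
    'helpdesk:' is an assumed convention) and the login came from an unknown device."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["type"] != CHAIN[0] or not start.get("actor", "").startswith("helpdesk:"):
                continue
            t0 = datetime.fromisoformat(start["ts"])
            chain, stage = [start], 1
            for e in evs[i + 1:]:
                if datetime.fromisoformat(e["ts"]) - t0 > window:
                    break  # later events fall outside the correlation window
                if e["type"] == CHAIN[stage]:
                    chain.append(e)
                    stage += 1
                    if stage == len(CHAIN):
                        break
            if stage == len(CHAIN) and not chain[-1].get("device_known", True):
                hits.append((user, chain))
    return hits


if __name__ == "__main__":
    for user, chain in find_recovery_chains(SAMPLE_EVENTS):
        print(f"review: {user} completed help-desk recovery chain from unknown device")
```

Tuning the window and treating a self-service reset from an already-enrolled factor as benign keeps the rule focused on the help-desk path the text describes.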

Traditional Controls Were Not Built for Malicious Persuasion

Most enterprise security controls were designed to detect malicious code, suspicious infrastructure, unauthorized software, or direct exploitation attempts. AI-assisted social engineering often bypasses those controls because the attack is not always technical in the traditional sense.

The employee may willingly engage. The authentication request may be valid. The workflow may be approved. The communication may appear legitimate. No malicious file may ever touch the device. None of this makes the attack less dangerous. It makes it harder to classify.

This challenge becomes even more difficult on mobile, where attacks frequently occur outside monitored environments and across channels the enterprise does not fully control. A convincing SMS, messaging app conversation, voice call, or mobile email can initiate a chain of events that leads to credential theft, account takeover, fraudulent payments, or access granted to the wrong person.

The Real Shift Is Toward Identity and Manipulation

AI did not create social engineering, but it has accelerated a shift attackers were already making: toward the exploitation of trusted identities, communication channels, and human decision-making.

That shift has major implications for enterprise security. Organizations can no longer treat phishing as only an email problem. They can no longer treat mobile security as only a device management problem. And they can no longer assume that a technically valid login, MFA approval, or support request is automatically trustworthy.

Because with the rise of AI, attackers do not always need sophisticated malware to compromise an organization. They can compromise the trust that the organization depends on: the employee who responds quickly, the help desk that removes friction, the workflow that treats approval as proof. The failure is not that people are gullible. It is that trust has become part of the attack surface.
