Smooth criminals talking their way into cloud environments, Google says

Summary

Voice phishing surged last year to become the second most common method used by cybercriminals to gain initial access to their victims' IT estate – and the No. 1 tactic used when breaking into cloud environments. Groups like ShinyHunters and Scattered Lapsus$ Hunters increasingly used this and other types of interactive social engineering tactics that involve a human steering the conversation in real time in their 2025 attacks, according to Jurgen Kutscher, VP of Mandiant Consulting at Google Cloud. "It's the interactive ones, the voice based ones, that are really creating a new challenge," he told The Register in an interview about the security shop's annual M-Trends report, based on data collected from Mandiant's more than 500,000 hours of incident response engagements conducted around the world last year. The report found attackers used voice-based phishing as the initial infection vector in 11 percent of attacks last year, making it the second-most common method of gaining illicit access to systems. Exploiting vulnerabilities topped the charts for a sixth year, accounting for 32 percent of successful attacks. Non-interactive lures like phishing emails, however, declined, at just six percent of 2025 intrusions. "What we've seen in 2025 is certain threat actors calling IT help desks to, for example, register attacker-controlled devices for MFA to try and reset passwords," Kutscher said. "They're building a number of different scenarios to trick IT help desks, and an IT help desk, by default, tries to help. That's part of the reason why the social engineering attacks that are interactive are so powerful." Don't click the 'fix' Scammers aren't only targeting IT help desks with interactive social engineering scams, as Google – along with other security researchers – also documented a spike in ClickFix attacks over the past year as well. ClickFix is an extremely popular social engineering tactic in which the attackers trick the users into running malicious commands on...