CISOs Face Widening Gaps in Defending Multi-Channel Social Engineering Threats, Dune Security Finds

Security teams are sounding the alarm: 64% of enterprises faced off-channel attacks in the past year, but most still train only for email-based attacks.

NEW YORK, NY, UNITED STATES, September 4, 2025 /EINPresswire.com/ -- As social engineering attacks evolve to exploit encrypted messaging, SMS, collaboration tools, and voice calls, enterprises remain stuck preparing users only for email threats, according to new data from Dune Security. This mismatch leaves organizations vulnerable, even as high-profile breaches highlight the risks.

Drawing from Dune Security’s 2025 Insider Threat Intelligence Report, including survey data from leading enterprise CISOs (Chief Information Security Officers) and behavioral telemetry from its simulation engines, concern outpaces action across vectors. For instance, 71% of CISOs worry about SMS phishing (smishing), yet only 27% simulate it; 59% fear voice phishing (vishing), but just 15% test it. Testing for collaboration tools and encrypted messaging? It plummets to single digits or zero, despite 38% concern for attacks coming from these channels.

Key findings include:
• Only 12% of CISOs believe their current Security Awareness Training (SAT) program is sufficient.
• 0% of surveyed enterprises simulate threats in encrypted messaging apps, even as 64% confirmed social engineering attacks via encrypted or informal channels in the past 12 months.
• Just 18% of organizations tailor phishing simulations by both role and behavior, though 91% say this is essential.
• While 100% of enterprises test users over email, only 15% simulate voice-based phishing (vishing) attacks, and just 27% test over SMS (smishing).
• AI-personalized phishing now drives 300% more user interaction than traditional, templated variants.

"Attackers are exploiting the blind spots where enterprises aren’t even looking,” said David DellaPelle, Co-Founder and CEO of Dune Security. “Legacy SAT programs are limited to yesterday’s email threats while real breaches now start in high-trust, low-visibility channels like encrypted messaging, SMS, voice call, and deepfake-based impersonation."

Forward-thinking security teams are now shifting away from checkbox training toward behavior-based simulation, real-time visibility, and adaptive remediation. Dune’s latest data confirms that legacy awareness programs fail not due to lack of effort, but because they miss where risk actually
lives: in untested channels and unmonitored user behavior.

“Traditional solutions simply can’t keep up with today’s evolving threats or the way people actually work,” said Dune Security Senior Manager of Engineering and AI, Kyle Ryan.

“Our platform proactively red-teams our customers’ organizations, using the same social engineering attack modalities that hackers are deploying in the wild. We hyper personalize testing, training, and control guardrails to each employee’s role, level, industry, strengths, and weaknesses, empowering them to protect both themselves and their organizations in real time."

The 2025 Insider Threat Intelligence Report draws on survey responses from industry-leading enterprise CISOs, combined with proprietary simulation and behavioral analytics from Dune Security’s platform. The report details attack channel trends, readiness gaps, and the behavioral triggers most likely to lead to compromise.

About Dune Security

Dune Security helps enterprises quantify and reduce user cyber risk. Dune’s User Adaptive Risk Management solution automatically prevents insider threat and social engineering by simulating multi-channel attacks, scoring user risk, and adapting remediation in real time. Dune is trusted by Fortune 1,000s including Hugo Boss, Warner Music Group, and Culligan.

Learn more at dune.security.

Grace Gately
Dune Security
+1 516-713-8030
press@dune.security
Visit us on social media:
LinkedIn
YouTube
X

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.