CIO Influence

CISOs Face Widening Gaps in Defending Multi-Channel Social Engineering Threats, Dune Security Finds


Security teams are sounding the alarm: 64% of enterprises faced off-channel attacks in the past year, but most still train only for email-based attacks.

As social engineering attacks evolve to exploit encrypted messaging, SMS, collaboration tools, and voice calls, enterprises remain stuck preparing users only for email threats, according to new data from Dune Security. This mismatch leaves organizations vulnerable, even as high-profile breaches highlight the risks.


Dune Security’s 2025 Insider Threat Intelligence Report, which draws on survey data from leading enterprise CISOs (Chief Information Security Officers) and behavioral telemetry from its simulation engines, shows concern outpacing action across vectors. For instance, 71% of CISOs worry about SMS phishing (smishing), yet only 27% simulate it; 59% fear voice phishing (vishing), but just 15% test it. Testing for collaboration tools and encrypted messaging? It plummets to single digits or zero, despite 38% concern for attacks coming from these channels.

Key findings include:

  • Only 12% of CISOs believe their current Security Awareness Training (SAT) program is sufficient.
  • 0% of surveyed enterprises simulate threats in encrypted messaging apps, even as 64% confirmed social engineering attacks via encrypted or informal channels in the past 12 months.
  • Just 18% of organizations tailor phishing simulations by both role and behavior, though 91% say this is essential.
  • While 100% test email phishing, only 15% simulate vishing and 27% test smishing.
  • AI-personalized phishing now drives 300% more user interaction than traditional, templated variants.

“Attackers are exploiting the blind spots where enterprises aren’t defending,” said David DellaPelle, CEO and Co-Founder of Dune Security. “Legacy SAT programs are limited to yesterday’s email threats while real breaches now start in high-trust, low-visibility channels like encrypted messaging, SMS, voice call, and deepfake-based impersonation.”

Forward-thinking security teams are now shifting away from checkbox training toward behavior-based simulation, real-time visibility, and adaptive remediation. Dune’s latest data confirms that legacy awareness programs fail not due to lack of effort, but because the embedded technology misses where risk actually lives: in untested channels and unmonitored user behavior.

“Traditional solutions simply can’t keep up with evolving threats or the way people actually work,” said Dune Security Senior Manager of Engineering and AI, Kyle Ryan.

“Our platform proactively red-teams our customers’ organizations, using the same social engineering attack modalities that hackers are deploying in the wild. We hyper-personalize testing, training, and control guardrails to each employee’s role, level, industry, strengths, and weaknesses, empowering them to protect both themselves and their organizations in real time.”
