Author: Stelios Katsantonis, Risk Assurance & Digital Trust Director
Cybersecurity and information security underpin the trust that allows modern society to function. From global finance to healthcare and daily communication, every aspect of our lives depends on digital systems operating reliably. However, as organisations continue to harden their technical infrastructure, cybercriminals are shifting their focus to the one entry point technology cannot fully control: the human element.
Instead of trying to outsmart advanced security tools, modern attackers aim to outsmart people.
This shift highlights a critical reality in today’s digital landscape: humans are simultaneously an organisation’s weakest link and its most vital line of defence.
The Weakest Link: Why Attackers Target Humans
Digital transformation has expanded the “attack surface” (the number of potential entry points for malicious activity). Every new app, device, or online account introduces additional risk. While firewalls and endpoint protection can block malware, human behaviour remains far less predictable.
Social engineering is the art of manipulating people to break security from the inside. Rather than hacking systems, attackers exploit human behaviour, turning trust into vulnerability. By crafting messages that appear legitimate, such as an urgent request from a “manager,” a call from “IT support,” or a seemingly harmless link, they pressure individuals into acting quickly and without suspicion.
These attacks can occur through email, phone calls, messaging platforms, and even face-to-face interactions. That is what makes them so dangerous. They bypass even the most advanced technical defences by targeting the one element that is hardest to secure: human instinct.
The Psychology Behind the Attack
Attackers do not succeed by accident. They exploit well-documented psychological principles to manufacture the conditions in which people make poor decisions.
- Authority is one of the most powerful levers. People naturally defer to individuals who appear to hold expertise, seniority, or institutional power. Attackers exploit this by adopting authoritative titles, formal language, or official-looking communication. When someone seems to be in charge, targets are far more likely to comply without questioning legitimacy.
- Fear and stress are equally potent. Strong emotions significantly impair judgment. When people experience anxiety or perceive a threat (legal trouble, financial loss, or account compromise), their ability to think analytically declines. Attackers deliberately design messages to provoke these emotions, creating a sense of immediate danger. In this heightened state, the goal becomes “make the problem go away,” which is precisely the vulnerability social engineers aim to exploit.
- Urgency compounds this effect. Time pressure disrupts deliberate, rational thinking by pushing people into a fast, instinctive decision-making mode. Countdown timers, warnings about impending account closures, and “last-chance” notices all serve the same purpose: to eliminate the pause where scepticism would normally occur, triggering a psychological shortcut – act now, think later.
- Trust and familiarity lower defences further. Attackers mimic familiar contacts, replicate branding, or imitate internal communication styles to blend in. The sense of “I know this” reduces suspicion and increases compliance.
- Scarcity (framing a situation as exclusive, rare, or expiring soon) creates emotional tension and a fear of missing out that can override normal caution.
The Attack Toolkit
Modern social engineers deploy a wide range of techniques.
Phishing remains the dominant vector, accounting for 65% of social engineering cases in 2025, with over one billion phishing attacks reported in Q1 2025 alone. Spear phishing takes this further, using personalised information about the victim to increase credibility. Business Email Compromise (BEC) involves impersonating executives or trusted partners to request financial transfers or sensitive information.
Beyond email, attackers increasingly use vishing (voice phishing), which surged 442% in late 2024 and has continued to grow into 2025. Smishing (fraudulent SMS), messaging app impersonation, and pretexting (the creation of a convincing fabricated scenario) are also widely used. Physical techniques such as tailgating, on-site impersonation, and baiting (leaving infected USB drives in common areas) extend the threat beyond the digital realm entirely.
The Staggering Cost of Human Error
The effectiveness of these tactics is reflected in the data. According to the 2024 Verizon Data Breach Investigations Report, the human element is a component in 68% of all breaches, encompassing both non-malicious errors and deliberate social engineering exploitation. Over the past two years, roughly a quarter of all financially motivated incidents involved pretexting, and stolen credentials, often obtained through phishing, have appeared in almost one-third of all breaches over the past decade.
The financial consequences are severe. BEC attacks resulted in $2.77 billion in losses in 2024, with the average cost of a single BEC attack reaching $4.89 million.
AI is now accelerating these threats, as 82% of phishing emails in 2025 used AI-generated content, and AI-powered phishing campaigns achieve a 42% higher success rate than traditional email scams.
| Key Social Engineering Statistics |
|---|
| 65% of social engineering cases in 2025 were phishing-driven |
| 1,003,924 phishing attacks were reported in Q1 2025 alone |
| 442% surge in vishing in late 2024, continuing into 2025 |
| 42% higher success rate in AI-powered phishing campaigns compared to traditional email scams |
| 66% of social engineering attacks targeted privileged accounts |
| $2.77B in losses from BEC in 2024, with continued growth into 2025 |
| $4.89m average cost of a BEC attack |
| 82% of phishing emails in 2025 used AI-generated content |
Real-world breaches illustrate these numbers vividly.
- In 2023, MGM Resorts suffered estimated losses exceeding $100 million after attackers impersonated an employee to trick the IT helpdesk into resetting credentials, enabling ransomware deployment that disrupted hotels and casinos nationwide.
- Caesars Entertainment paid approximately $15 million in ransom after social engineering was used against an IT vendor.
- In 2024, Change Healthcare was crippled when stolen credentials obtained via phishing enabled a ransomware attack that disrupted healthcare services across the United States.
- More recently, a U.S. manufacturing firm lost approximately $2.1 million after a pretexting attack, combining spoofed emails and phone calls, convinced a senior executive to approve a fraudulent transfer.
The lesson is consistent across every case: it does not take sophisticated malware or complex exploits, just one moment of misplaced trust.
The Strongest Defence: Transforming the Human Firewall
While human error is a leading cause of security incidents, employees are not merely a liability. They are an untapped and powerful security asset. The same human qualities that attackers exploit, such as awareness, judgement, and the instinct to protect, can be cultivated and directed. Building a resilient organisation requires transforming the workforce into an active line of defence: a human firewall.
Visibility into Human Risk
Effective defence begins with understanding exposure. Organisations must assess both digital vectors such as email, messaging, and phone, as well as physical vectors, including on-site access and impersonation attempts.
By running realistic attack simulations and tracking how employees respond (i.e., who clicks, who shares information, and crucially, who reports), organisations can identify high-risk users, departments, and behaviours. This builds a clear picture of where the organisation is most exposed and provides the evidence base for targeted intervention.
Targeted, Continuous Awareness Training
Generic, once-a-year compliance training is no longer sufficient. Effective security awareness requires tailored, scenario-based programmes grounded in real-world findings. Employees must learn from practical, relevant examples that reflect the actual threats their organisation faces.
The impact of this approach is measurable and significant. A 2025 benchmarking report analysing 67.7 million phishing simulations across 14.5 million users from 62,400 organisations found that before training, one-third of employees (33.1%) interacted with phishing simulations. After just three months of continuous training, the global Phish-prone percentage dropped by 40%. After twelve months, it fell by 86% to just 4.1%. This demonstrates that even short-term, well-designed training can produce dramatic and measurable behavioural change.
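The two preceding sections describe measuring simulation outcomes (who clicks, who reports, which departments are most exposed) and tracking the Phish-prone percentage across training cycles. The script below is an added example, not code from the article or from any benchmarking vendor it cites; it works on a constructed set of simulation records and computes those metrics per department and across two campaigns. The record layout, field names and sample values are assumptions for illustration.

```python
"""Phishing-simulation outcome metrics (added example, constructed data).

Computes the figures the article discusses: the Phish-prone percentage
(users who clicked or submitted credentials), the report rate, the share
of clickers who still reported, and the relative change between campaigns.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in one simulated campaign (assumed layout)."""
    campaign: str      # e.g. "baseline" or "month3"
    user: str
    department: str
    clicked: bool      # followed the link in the simulated message
    submitted: bool    # entered credentials on the landing page
    reported: bool     # used the report-phishing button


# Constructed sample data: two campaigns, three departments, ten users.
SAMPLE_RESULTS = [
    # baseline campaign, before training
    SimResult("baseline", "u01", "finance", True, True, False),
    SimResult("baseline", "u02", "finance", True, False, True),   # clicked, then reported
    SimResult("baseline", "u03", "finance", False, False, True),
    SimResult("baseline", "u04", "finance", False, False, False),
    SimResult("baseline", "u05", "it", False, False, True),
    SimResult("baseline", "u06", "it", True, False, False),
    SimResult("baseline", "u07", "it", False, False, False),
    SimResult("baseline", "u08", "it", False, False, True),
    SimResult("baseline", "u09", "sales", True, True, False),
    SimResult("baseline", "u10", "sales", True, False, False),
    # follow-up campaign after three months of training
    SimResult("month3", "u01", "finance", False, False, True),
    SimResult("month3", "u02", "finance", False, False, True),
    SimResult("month3", "u03", "finance", False, False, True),
    SimResult("month3", "u04", "finance", True, False, True),
    SimResult("month3", "u05", "it", False, False, True),
    SimResult("month3", "u06", "it", False, False, False),
    SimResult("month3", "u07", "it", False, False, True),
    SimResult("month3", "u08", "it", False, False, True),
    SimResult("month3", "u09", "sales", True, True, False),
    SimResult("month3", "u10", "sales", False, False, True),
]


def campaign_metrics(results, campaign):
    """Per-department and overall ("all") metrics for one campaign.

    phish_prone  - % of users who clicked or submitted credentials
    report_rate  - % of users who reported the simulated message
    click_report - % of those who fell for it who nevertheless reported
    """
    groups = defaultdict(list)
    for r in results:
        if r.campaign == campaign:
            groups[r.department].append(r)
            groups["all"].append(r)
    out = {}
    for dept, rows in groups.items():
        n = len(rows)
        fell = [r for r in rows if r.clicked or r.submitted]
        reported_after_fall = sum(r.reported for r in fell)
        out[dept] = {
            "users": n,
            "phish_prone": round(100 * len(fell) / n, 1),
            "report_rate": round(100 * sum(r.reported for r in rows) / n, 1),
            "click_report": round(100 * reported_after_fall / len(fell), 1) if fell else 0.0,
        }
    return out


def phish_prone_change(results, before, after):
    """Relative change (%) in the overall Phish-prone percentage between
    two campaigns; negative means improvement (e.g. -40.0 for a 40% drop)."""
    b = campaign_metrics(results, before)["all"]["phish_prone"]
    a = campaign_metrics(results, after)["all"]["phish_prone"]
    return round(100 * (a - b) / b, 1)


def highest_risk_department(results, campaign):
    """Department with the highest Phish-prone percentage in a campaign,
    i.e. the first place a targeted intervention should go."""
    m = campaign_metrics(results, campaign)
    return max((d for d in m if d != "all"), key=lambda d: m[d]["phish_prone"])


if __name__ == "__main__":
    for c in ("baseline", "month3"):
        print(c, campaign_metrics(SAMPLE_RESULTS, c))
    print("Phish-prone change:", phish_prone_change(SAMPLE_RESULTS, "baseline", "month3"), "%")
    print("highest-risk department at baseline:", highest_risk_department(SAMPLE_RESULTS, "baseline"))
```

The report rate and the "clicked but still reported" share are tracked separately from the click rate on purpose: a user who clicks and then reports gives the security team a detection signal, which is the culture outcome the article's later sections describe, whereas a raw click rate alone hides it.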
Building a Security Culture
The ultimate goal extends beyond training programmes. It is the creation of a long-term security culture, where awareness and accountability are embedded in everyday behaviour. When employees are empowered to recognise and report threats quickly, they reduce the time attackers have to operate undetected, limiting the potential damage of any incident.
A recent industry breach investigations report noted a positive trend in this direction, as 20% of users identified and reported phishing during simulation exercises, and 11% of those who initially clicked a phishing link also reported it.
This indicates “a culture change that destigmatises human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce”. This shift from passive vulnerability to active participant is the foundation of genuine cyber resilience.
Conclusion
As long as organisations rely on people to operate, the human element will remain the preferred attack vector for cybercriminals. Technology alone cannot solve the problem of misplaced trust. Firewalls, endpoint detection, and encryption are essential, but they are incomplete without a workforce that understands the threats it faces and knows how to respond.
The data is unambiguous: social engineering is pervasive, financially devastating, and growing more sophisticated with the adoption of AI. Yet the evidence is equally clear that investment in people, through realistic simulations, targeted training, and a culture of security awareness, leads to measurable, significant improvement.
The human element is not simply the weakest link in the security chain. With the right investment and the right approach, it has the potential to be the strongest.