The Biggest Security Threat Sits In Your Chair

Businesses spend considerable money on firewalls, antivirus software, and security hardware. Then someone clicks a link in a phishing email, and none of it matters.

This isn’t a criticism of the people involved; it’s a reflection of how attackers actually work. Technical security controls are well understood and increasingly difficult to breach directly. Targeting people is easier, cheaper, and consistently effective. Understanding this changes how you think about security.

Why People Are the Target

A firewall has no emotions. It doesn’t get rushed, distracted, or curious. It doesn’t feel pressure from what looks like a message from the CEO. It doesn’t make exceptions because a request seems urgent.

People do all of these things, and attackers exploit exactly that.

The techniques that target people rather than technology are collectively called social engineering. They work by manipulating behaviour rather than exploiting software vulnerabilities. And they’re responsible for the majority of successful attacks against businesses of every size.

The Most Common Human-Enabled Attacks

Phishing

A fraudulent email designed to look legitimate (from a bank, a courier, Microsoft, or a colleague) that tricks the recipient into clicking a link, opening an attachment, or entering credentials on a fake website.

Phishing is the most common initial access method for ransomware, business email compromise, and credential theft. Modern phishing emails are often convincing: correct logos, plausible language, and sender addresses that look right at a glance.

Spear Phishing

A targeted version of phishing aimed at a specific individual or organisation. The attacker researches the target (their role, colleagues, suppliers, current projects) and crafts a message that’s difficult to distinguish from a legitimate one. The CFO receiving what appears to be a payment request from a known supplier is a classic example.

Business Email Compromise (BEC)

A form of fraud where an attacker impersonates a senior executive or trusted supplier to request a fraudulent payment or data transfer. No malware is involved, just a convincing email and a pressured employee. BEC losses run to billions of dollars globally each year.

Credential Stuffing and Password Reuse

When a data breach exposes usernames and passwords from one service, attackers test those credentials against other services: banking, email, cloud platforms. If your staff reuse passwords across personal and work accounts, a breach of an unrelated service can become a business security incident.

Tailgating and Physical Access

Social engineering isn’t limited to email. Holding a door open for someone who looks like they belong, allowing unescorted visitors into secure areas, or leaving screens unlocked are physical security failures that can have the same consequences as a technical breach.

What Makes People Vulnerable

Understanding the psychological levers attackers use helps staff recognise when they’re being manipulated:

Urgency. “Act now or your account will be suspended.” “This payment needs to go today.” Urgency bypasses careful thinking. Legitimate requests rarely require immediate action that skips normal processes.

Authority. Messages appearing to come from the CEO, IT department, or a government agency carry implicit pressure to comply without questioning.

Familiarity. An email that references a real colleague, a known supplier, or a current project feels credible. Attackers research their targets specifically to exploit this.

Fear. Threats of account closure, legal action, or security breach create anxiety that overrides scepticism.

Helpfulness. The instinct to assist a colleague or customer in need can be exploited, particularly in situations where someone claims to be locked out, under pressure, or in need of an urgent favour.

What You Can Do About It

Training and Awareness

Staff who understand how phishing works, what to look for, and what to do when something seems wrong are significantly harder to compromise than those who don’t. Security awareness training doesn’t need to be expensive; it needs to be regular, relevant, and practical.

Simulated phishing exercises (where staff receive fake phishing emails and their responses are tracked) are one of the most effective ways to build genuine awareness. The goal isn’t to catch people out; it’s to make phishing attempts feel familiar before a real one arrives.

Clear Processes for High-Risk Actions

The most effective defence against business email compromise is a process that makes fraudulent requests fail regardless of how convincing they look. Examples:

  • Payment requests above a threshold require verbal confirmation via a known phone number, not a number in the email
  • New supplier bank details are verified by a separate channel before any payment is made
  • Password resets or IT requests from “management” follow a defined verification process

These processes work because they don’t rely on anyone correctly identifying a fraudulent email; they require a second verification step that the attacker can’t easily replicate.

MFA Everywhere

Multi-factor authentication means a compromised password alone isn’t enough to access an account. Even if an attacker obtains credentials through phishing or a data breach, they can’t log in without the second factor. We cover MFA in detail in a separate post in this series.

A Culture Where Questions Are Safe

Staff who feel they’ll be criticised for questioning an unusual request or reporting a suspicious email will stay quiet. Staff who know that raising concerns is expected and welcomed will flag things before they become incidents. The tone is set from the top.

The Realistic Goal

The goal isn’t to make staff infallible; realistically, that’s not achievable. The goal is to make human error less likely, less exploitable, and less consequential when it does occur. Training reduces the frequency of mistakes. Processes limit the damage when someone is successfully deceived. Technical controls provide a backstop.

None of these alone is sufficient. Together, they make your business significantly harder to compromise through the human layer.
