Organisations continue to invest heavily in technical security controls such as firewalls, endpoint protection and intrusion detection systems. However, a growing proportion of successful attacks now bypass these controls by targeting people rather than technology.
This is commonly referred to as social engineering. It relies on manipulation of human behaviour—such as trust, urgency, authority and routine decision-making—rather than exploiting software vulnerabilities.
As a result, human factors have become a primary attack vector, with security incidents increasingly originating from non-technical weaknesses.
Key non-technical risk factors
- Trust in apparent authority (e.g. executives, suppliers, IT support)
- Time pressure and urgency in decision-making
- Limited verification of requests through secondary channels
- Low awareness of evolving scam techniques
- Over-reliance on email, SMS and voice communications
Common attack methods
- Phishing / Spear phishing: Targeted messages designed to steal credentials or trigger malicious actions
- Business Email Compromise (BEC): Impersonation of executives or suppliers to initiate fraudulent payments
- Smishing / Vishing: SMS and voice-based scams using urgency and impersonation
- Pretexting: Fabricated scenarios used to extract information or access sites & offices
- MFA fatigue attacks: Repeated authentication prompts intended to force accidental approval
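The MFA fatigue pattern listed above is one of the few items here that leaves a clean trace in logs: a burst of push prompts for one user, most of them denied or timed out, followed by an approval. The script below is an added example (not from the original page) showing how a defender could flag that pattern over authentication logs. It assumes a constructed `key=value` log format and illustrative thresholds (five prompts in ten minutes; an approval after two or more rejections); real identity providers use their own event names and fields.

```python
"""Flag MFA push-fatigue (prompt-bombing) patterns in authentication logs.

Added example. Assumptions: one record per line in the constructed format
'<ISO-8601 UTC> user=<id> event=<name> src=<ip>', with event names
mfa_push_sent / mfa_push_denied / mfa_push_timeout / mfa_push_approved.
Thresholds are illustrative, not vendor defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumption: look-back window per user
PROMPT_THRESHOLD = 5             # assumption: prompts per window that count as a burst
REJECTED = {"mfa_push_denied", "mfa_push_timeout"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: alice is being prompt-bombed and eventually approves,
# bob is a normal login, carol is a normal retry after one timeout.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice event=mfa_push_sent src=203.0.113.10
2024-03-01T08:00:20Z user=alice event=mfa_push_denied src=203.0.113.10
2024-03-01T08:00:45Z user=alice event=mfa_push_sent src=203.0.113.10
2024-03-01T08:01:05Z user=alice event=mfa_push_timeout src=203.0.113.10
2024-03-01T08:01:30Z user=alice event=mfa_push_sent src=203.0.113.10
2024-03-01T08:01:50Z user=alice event=mfa_push_denied src=203.0.113.10
2024-03-01T08:02:15Z user=alice event=mfa_push_sent src=203.0.113.10
2024-03-01T08:02:40Z user=alice event=mfa_push_denied src=203.0.113.10
2024-03-01T08:03:00Z user=alice event=mfa_push_sent src=203.0.113.10
2024-03-01T08:03:30Z user=alice event=mfa_push_approved src=203.0.113.10
2024-03-01T08:10:00Z user=bob event=mfa_push_sent src=198.51.100.7
2024-03-01T08:10:12Z user=bob event=mfa_push_approved src=198.51.100.7
2024-03-01T09:00:00Z user=carol event=mfa_push_sent src=192.0.2.44
2024-03-01T09:01:10Z user=carol event=mfa_push_timeout src=192.0.2.44
2024-03-01T09:01:20Z user=carol event=mfa_push_sent src=192.0.2.44
2024-03-01T09:01:35Z user=carol event=mfa_push_approved src=192.0.2.44
"""


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "src": m["src"]}


def _alert(user, rec, severity, sent, rejected):
    return {
        "user": user,
        "severity": severity,
        "at": rec["ts"].isoformat(),
        "src": rec["src"],
        "pushes_sent": sent,
        "pushes_rejected": rejected,
    }


def detect_push_fatigue(lines, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return at most one alert per user whose push activity looks like prompt-bombing.

    Two signals, evaluated over the window ending at each record:
      - 'medium': at least `threshold` prompts sent in the window (a burst)
      - 'high':   an approval following two or more denials/timeouts in the
                  window, i.e. the accidental-approval outcome the attack aims for
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["user"]].append(rec)

    alerts = []
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        worst = None
        for i, rec in enumerate(recs):
            start = rec["ts"] - window
            in_window = [r for r in recs[: i + 1] if r["ts"] >= start]
            sent = sum(r["event"] == "mfa_push_sent" for r in in_window)
            rejected = sum(r["event"] in REJECTED for r in in_window)
            if rec["event"] == "mfa_push_approved" and rejected >= 2:
                worst = _alert(user, rec, "high", sent, rejected)
                break                      # highest severity reached; stop scanning
            if sent >= threshold and worst is None:
                worst = _alert(user, rec, "medium", sent, rejected)
        if worst:
            alerts.append(worst)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data only `alice` is reported, at `high` severity, because her approval comes after four rejected prompts in the window; `carol`'s single timeout followed by a retry stays below both thresholds. In practice the `high` alert is the one to route to a responder immediately, since the session it describes should be treated as potentially attacker-controlled until the user confirms it by a secondary channel.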
Business impact scenarios
- Individual compromise (financial loss): Users are tricked into entering credentials on fake sites, resulting in account takeover and direct financial loss.
- Employee compromise (organisational loss): Staff authorise fraudulent payments based on impersonated executive requests, resulting in significant financial and reputational impact.
- Organisational breach (downstream impact): Compromised employee accounts enable access to sensitive systems and customer data, leading to regulatory exposure, legal liability and loss of trust.
Emerging trends
- Increased use of AI to generate highly convincing phishing communication content
- Deepfake voice impersonation of senior stakeholders
- Coordinated multi-channel attacks (email, SMS, phone, on-site visits)
- Large-scale automated credential harvesting campaigns
Mitigation requirements
Technical controls alone are insufficient. Effective reduction of risk requires:
- Mandatory verification procedures for financial and sensitive requests
- Role-based access control and least privilege enforcement
- Continuous security awareness training with scenario-based testing
- Clear, non-punitive incident reporting processes
- Regular phishing simulation and behavioural reinforcement
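The first mitigation above, mandatory verification of financial and sensitive requests, and the BEC entry under common attack methods are two sides of the same control: a payment or bank-detail change must be confirmed through a secondary channel, and a request arriving from a supplier lookalike domain must never reach the approver unflagged. The script below is an added example (not from the original page) of the triage step that decides which of those paths a message takes. It assumes a constructed approved-supplier list and illustrative lookalike rules (edit distance of one, a short homoglyph table); a production filter would use a maintained vendor registry and a fuller confusable-character set.

```python
"""Screen inbound payment-related requests against an approved-supplier list.

Added example. Assumptions: APPROVED_DOMAINS is a constructed sample of a
vendor registry maintained out of band; the homoglyph table and the
edit-distance rule are illustrative, not exhaustive.
"""

APPROVED_DOMAINS = {"acme-supplies.com", "northwind.co.uk"}   # constructed sample

# Character swaps commonly used to make a lookalike domain read like the real one.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Phrases that mark a message as a financial or sensitive request (assumption).
PAYMENT_KEYWORDS = ("bank details", "account number", "wire", "urgent payment", "invoice")


def edit_distance(a, b):
    """Levenshtein distance via the two-row Wagner-Fischer recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalise(domain):
    """Lower-case and collapse homoglyph sequences so lookalikes compare equal."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def classify_sender(address, approved=APPROVED_DOMAINS):
    """Return 'approved', 'lookalike' or 'unknown' for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in approved:
        return "approved"
    for good in approved:
        if normalise(domain) == normalise(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"


def triage_request(sender, subject, body, approved=APPROVED_DOMAINS):
    """Decide how a message should be handled before anyone acts on it.

    - Not a financial request: no special handling.
    - Financial request from a lookalike domain: block and report, do not verify.
    - Any other financial request, approved sender included: verify through a
      secondary channel (phone number on file, not one quoted in the message).
    """
    text = f"{subject}\n{body}".lower()
    financial = any(k in text for k in PAYMENT_KEYWORDS)
    sender_class = classify_sender(sender, approved)
    if not financial:
        return {"sender_class": sender_class, "action": "none"}
    if sender_class == "lookalike":
        return {"sender_class": sender_class, "action": "block_and_report"}
    return {"sender_class": sender_class, "action": "verify_out_of_band"}


if __name__ == "__main__":
    # Constructed sample messages
    print(triage_request("ceo@acrne-supplies.com", "Urgent payment", "Please wire today"))
    print(triage_request("ap@acme-supplies.com", "Updated bank details", "See attached"))
    print(triage_request("ap@example.org", "Lunch", "Friday?"))
```

Note that a message from a genuinely approved domain still returns `verify_out_of_band` when it carries a financial request: the mitigation is mandatory verification, and a compromised legitimate mailbox is exactly the BEC case that domain checks alone cannot catch.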
The threat landscape has shifted from system-centric attacks to people-centric exploitation. Without addressing the human attack surface through structured controls and behavioural safeguards, organisations remain exposed regardless of the strength of their technical defences.
CISR.Technical’s engineers specialise in all-domain systems hardening, communications, data, identity management and network security. Security at every domain level is substantially increased, and policies, processes and systems are built to adhere to Cyber Essentials+ certification standards as a bare minimum. Higher-level certification standards (ISO27001:2022, SOC2) can be achieved through additional work by CISR.Technical with clients and their technical infrastructure teams.