The Weakest Link is Still Human: Why social engineering remains the top cyber threat and how we keep falling for it by Isobel McCaffery

If it seems too good to be true, it probably is.

That was one of my mother’s favourite sayings growing up. Back then, I thought it was just her way of both avoiding doing something preventing my brother and me from arguing with her decisions. But now, as an adult, I understand why she kept repeating it. This warning is timeless. It’s a synopsis for a story as old as humanity itself: someone blindsided by promises of an easy fix or a great deal for something trivial soon realises they have been conned. It’s why we have clichés about snake-oil salesmen and why words like far-fetched exist. As long as people have had possessions, people with malicious intent use fabrications – Whether grand or alarming – to swindle them.

With all the information and advanced technology available to us today, why are we still so vulnerable to these kinds of manipulative tactics, both online and in the real world?

The answer is simple: no matter how many technological advancements are made to close these entry points, humans will always be human. We may try to deny it, but as a species, we are heavily influenced by feelings like fear, curiosity, trust, and urgency. When faced with an email that appears to come from a trusted vendor demanding immediate payment of an overdue invoice, we’re likely to respond quickly, bypassing our usual caution. Likewise, a message that seems to come from a company executive requesting confidential information can catch even seasoned employees off guard.

This exploitation of routine behaviour and perceived authority is what cybersecurity professionals refer to as social engineering. Unlike malware, which depends on complex code or system vulnerabilities, attacks like phishing succeed through convincing storytelling, a sense of familiarity, and plausible scenarios that manipulate human trust. According to Verizon’s 2024 Data Breach Investigations Report, phishing and email-based deception account for 83% of all breaches.

While modern cybersecurity tools, such as spam filters, antivirus software, and multi-factor authentication, have come a long way, they cannot fully defend against social engineering. These tools can block many technical threats, but they can’t stop a user from voluntarily giving up sensitive information or clicking a malicious link in response to a well-crafted message or phone call.

Here’s the critical insight: the strongest technological defences are only as effective as the people operating within the system. A single click or slip-up can bypass even the most robust technical controls, granting attackers access.

The rise of hybrid and remote work environments has expanded the opportunities for social engineering attacks. Employees working outside secure office networks may use personal devices or unsecured Wi-Fi, increasing vulnerability. Communication is now more reliant on digital channels which are precisely the platforms exploited by phishing.

Moreover, with fewer informal “water cooler” conversations, employees have less chance to verify suspicious requests through quick, casual checks with colleagues. Attackers capitalize on this isolation by crafting believable scenarios that pressure users to act fast.

Given these realities, one must adopt a holistic approach that goes beyond technology to include people and processes. We must promote a culture of vigilance, encouraging employees to verify unusual requests, even if they appear to come from trusted sources. Creating easy, non-punitive channels for reporting suspicious activity is also vital.

While cybersecurity technology will continue to evolve, the human factor remains the most critical element – both a vulnerability and a line of defence. Those who recognize this duality and invest in educating themselves alongside improving their systems will be best equipped to withstand the persistent threat of social engineering in 2025 and beyond.

No firewall or AI system can replace a well-informed and vigilant user. The future of cybersecurity relies on strengthening the human firewall. Stay informed, think critically, and always verify before you click or share. When in doubt, remember: if something seems too good – or too bad- to be true, it probably is.