Cyber attack and people

Last Updated on July 2, 2025 by Arnav Sharma

When we think of cyberattacks, images of sophisticated code, malware, and firewalls being bypassed usually come to mind. But some of the most devastating breaches don’t involve a single line of malicious code. Instead, they hinge on a simple truth: it’s often easier to trick a person than to outsmart a system.

Welcome to the world of social engineering, where the target isn’t your firewall, it’s people.

The Psychology Behind the Hack

Social engineering is psychological manipulation. Think of it as a con artist operating in a digital age. Instead of picking locks, they pick at emotions: fear, urgency, curiosity, and trust. It’s the art of “hacking the human,” and unfortunately, it’s incredibly effective.

Ever clicked on a “Your package couldn’t be delivered” message without checking the sender? That’s curiosity and urgency at work. Or maybe you’ve gotten a call from someone claiming to be from “tech support,” needing your password to fix an issue. That’s authority bias in action.

Why We’re Wired for These Mistakes

Attackers don’t just throw darts in the dark; they understand how our brains work.

  • Authority Bias: If someone sounds official (say, pretending to be your CEO), we’re more likely to comply.
  • Scarcity and Urgency: “Only 2 hours left to claim your reward!” rushes people into mistakes.
  • Reciprocity: A free ebook or discount in exchange for an email address might sound innocent, until it’s not.
  • Decision Fatigue: Repeated MFA prompts can wear us down to the point where we just hit “approve” without thinking. Yes, that’s a real attack strategy, known as MFA fatigue.

These tactics are everywhere. From emails and texts to voice calls and even deepfake video meetings, attackers tailor their methods to exploit the same instincts that help us navigate everyday life.
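MFA fatigue is one of the few tactics above that leaves a clean trail in authentication logs: a burst of push prompts for one account, a string of denials, and then an approval. The following is an added example, not code from this article or from any identity provider, showing detection logic over constructed log lines. The JSON log format, the event names (`mfa_push_sent`, `mfa_push_denied`, `mfa_push_approved`) and the thresholds are assumptions for the example; map them to whatever your IdP actually emits.

```python
"""Detect MFA push fatigue patterns in authentication logs.

Added example for this article; the log format, the event names and the sample
lines are constructed, not taken from any real identity provider. The thresholds
are illustrative assumptions, not vendor defaults.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per user (assumption)
PUSH_THRESHOLD = 5               # pushes inside WINDOW that count as a burst (assumption)
DENY_THRESHOLD = 3               # denials inside WINDOW before an approval is suspicious (assumption)

# Constructed sample: alice is bombarded and finally approves; bob and carol behave normally.
SAMPLE_LOG = """\
{"ts": "2025-07-01T08:00:05Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:00:20Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:00:50Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:01:05Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:01:35Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:01:50Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:02:20Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:02:35Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:03:05Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:03:20Z", "user": "alice", "event": "mfa_push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:03:50Z", "user": "alice", "event": "mfa_push_sent",     "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:04:10Z", "user": "alice", "event": "mfa_push_approved", "src_ip": "198.51.100.7"}
{"ts": "2025-07-01T08:05:00Z", "user": "bob",   "event": "mfa_push_sent",     "src_ip": "192.0.2.15"}
{"ts": "2025-07-01T08:05:12Z", "user": "bob",   "event": "mfa_push_approved", "src_ip": "192.0.2.15"}
{"ts": "2025-07-01T08:06:00Z", "user": "carol", "event": "mfa_push_sent",     "src_ip": "192.0.2.40"}
{"ts": "2025-07-01T08:06:30Z", "user": "carol", "event": "mfa_push_denied",   "src_ip": "192.0.2.40"}
"""


def parse_events(text: str) -> list:
    """Parse one JSON object per line into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_fatigue(events: list) -> list:
    """Return alerts for (a) a burst of pushes and (b) an approval that follows repeated denials.

    Both signals are computed per user over a sliding WINDOW; the burst rule fires once per user.
    """
    pushes = defaultdict(deque)   # user -> timestamps of pushes still inside WINDOW
    denies = defaultdict(deque)   # user -> timestamps of denials still inside WINDOW
    burst_reported = set()
    alerts = []
    for e in events:
        user, ts, kind = e["user"], e["ts"], e["event"]
        # Expire entries that have fallen out of the window before counting.
        for dq in (pushes[user], denies[user]):
            while dq and ts - dq[0] > WINDOW:
                dq.popleft()
        if kind == "mfa_push_sent":
            pushes[user].append(ts)
            if len(pushes[user]) >= PUSH_THRESHOLD and user not in burst_reported:
                burst_reported.add(user)
                alerts.append({"rule": "mfa_push_burst", "user": user,
                               "count": len(pushes[user]), "src_ip": e["src_ip"], "ts": ts})
        elif kind == "mfa_push_denied":
            denies[user].append(ts)
        elif kind == "mfa_push_approved":
            # The dangerous moment: the user gave in after refusing several prompts.
            if len(denies[user]) >= DENY_THRESHOLD:
                alerts.append({"rule": "approve_after_denials", "user": user,
                               "denials": len(denies[user]), "src_ip": e["src_ip"], "ts": ts})
    return alerts


def run_detection(log_text: str = SAMPLE_LOG) -> list:
    """Convenience entry point: parse a log and return the list of alerts."""
    return detect_mfa_fatigue(parse_events(log_text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed sample the burst rule fires on alice's fifth push and the second rule fires on her approval, while bob and carol produce nothing. In a real deployment the burst alert is the point to auto-revoke the session and lock the account pending a help-desk call, and the longer-term fix is to replace plain push approvals with number matching or phishing-resistant factors so that fatigue has nothing to wear down.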

Attack Types: More Than Just Phishing Emails

Let’s explore the most common and dangerous social engineering tactics, through both their mechanics and examples.

1. Phishing, Spear Phishing & Whaling

We’ve all seen them: emails pretending to be from PayPal, Microsoft, or your bank, urgently asking you to click a link. But today’s phishing is more polished. Spear phishing targets specific individuals using personal details scraped from social media. Whaling goes higher still, going directly after C-suite executives.

Example: The 2014 Sony Pictures hack started with a well-crafted spear phishing email. The result? Leaked emails, unreleased movies, and a major corporate crisis.

Tip: Train employees to spot and report suspicious messages. Combine that with tools like SPF, DKIM, and DMARC to help validate email authenticity.
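SPF, DKIM and DMARC only help if the receiving side actually evaluates them, and the decisive step is DMARC's alignment check: a message whose SPF or DKIM passes for the attacker's own domain still fails DMARC when that domain does not align with the visible From header. The following added example (not the article's code and not a real domain's DNS data) evaluates a DMARC policy offline. `example.com`, `attacker.example`, the TXT records and the IP addresses are constructed placeholders; DNS resolution, `include:` mechanisms and Public Suffix List handling are deliberately left out, and those simplifications are marked as assumptions in the code.

```python
"""Offline DMARC evaluation against constructed SPF and DMARC records.

Added example for this article. Every domain, record and IP below is a constructed
placeholder. No DNS is queried: records are passed in by hand so the logic runs offline.
"""
import ipaddress
from typing import Optional

# Constructed TXT records in the syntax a domain owner would publish (assumption: placeholders).
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' DMARC syntax; unknown tags are ignored, defaults as in RFC 7489."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record (needs v=DMARC1 and a p= tag)")
    return {
        "p": tags["p"].lower(),                   # policy for the domain itself
        "sp": tags.get("sp", tags["p"]).lower(),  # subdomain policy, defaults to p
        "adkim": tags.get("adkim", "r").lower(),  # DKIM alignment: r(elaxed) or s(trict)
        "aspf": tags.get("aspf", "r").lower(),    # SPF alignment: r(elaxed) or s(trict)
        "pct": int(tags.get("pct", "100")),
    }


def spf_check(record: str, client_ip: str) -> str:
    """Evaluate ip4/ip6/all mechanisms of an SPF record for the connecting IP.

    Assumption for this offline example: mechanisms that need DNS (include, a, mx, ...)
    are reported as 'permerror' instead of being resolved.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual, mech = "+", term
        if term[0] in qualifiers:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # Membership test returns False across IP versions, so mixing ip4/ip6 is safe.
            if ip in ipaddress.ip_network(arg, strict=False):
                return qualifiers[qual]
        elif name == "all":
            return qualifiers[qual]
        else:
            return "permerror"
    return "neutral"


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption for the example: real code must use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(header_from: str, record_domain: str, policy: dict,
                      spf_result: str, spf_domain: str,
                      dkim_result: Optional[str], dkim_domain: Optional[str]) -> str:
    """Return 'pass', or the policy action to apply: 'none', 'quarantine' or 'reject'."""
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(header_from, dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = header_from.lower() != record_domain.lower()
    return policy["sp"] if is_subdomain else policy["p"]


def evaluate_message(header_from: str, client_ip: str, mail_from_domain: str, sender_spf_record: str,
                     dkim_result: Optional[str] = None, dkim_domain: Optional[str] = None,
                     dmarc_record: str = DMARC_RECORD) -> str:
    """Glue: the DMARC record is assumed to be published at example.com (constructed placeholder)."""
    policy = parse_dmarc(dmarc_record)
    spf_result = spf_check(sender_spf_record, client_ip)
    return dmarc_disposition(header_from, "example.com", policy,
                             spf_result, mail_from_domain, dkim_result, dkim_domain)


if __name__ == "__main__":
    # Legitimate bounce domain inside the organization: SPF passes and aligns (relaxed).
    print(evaluate_message("example.com", "203.0.113.10", "bounce.example.com", SPF_RECORD))
    # Spoofed From header with the sender's own passing SPF: no alignment, so the policy applies.
    print(evaluate_message("example.com", "198.51.100.9", "attacker.example",
                           "v=spf1 ip4:198.51.100.0/24 -all"))
```

The second call is the whole point of DMARC: a spoofer can make SPF pass for a domain they control, but the From header the victim sees is `example.com`, nothing aligns, and `p=reject` is applied. A `p=none` record, by contrast, returns `none` in exactly the same situation and only reports, which is why monitoring-only DMARC deployments give no protection against the phishing described above.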

2. Vishing (Voice Phishing)

Voice adds a layer of credibility, and attackers know it. They impersonate banks, tech support, even colleagues, convincing victims to give up credentials or MFA codes.

Example: The 2020 Twitter breach involved attackers posing as IT support and calling employees to harvest MFA codes. It worked and gave them access to some of the world’s most influential Twitter accounts.

Tip: Encourage employees to always hang up and call back on verified numbers before trusting requests made over the phone.

3. Smishing (SMS Phishing)

Text messages feel personal and immediate, making them fertile ground for deception.

Example: The “Australia Post” scam tricked users into clicking a link to “reschedule” a delivery. The link led to a fake site, harvesting user details.

Tip: Train users to avoid clicking links in SMS messages unless they’re sure of the source. If in doubt, visit the website directly.

4. Pretexting

Here, attackers create elaborate stories: maybe they’re a vendor following up on a fake invoice, or an IT tech needing your password. The goal is to build trust and get you to act.

Example: One attacker, posing as an employee, simply carried a coffee and walked into an office building behind someone who worked there. No badge, no challenge. That’s social pressure at work.

Tip: Teach employees to verify identities, even if it feels uncomfortable. Security over social niceties.

5. Baiting

Leave a USB labeled “Bonus Structure Q4” in a company bathroom, and odds are someone will plug it in. Curiosity trumps caution more often than we’d like to admit.

Example: In a university experiment, nearly half of planted USB drives were plugged into computers.

Tip: Disable auto-run features, deploy USB restrictions, and make it crystal clear: never plug in unknown devices.

6. Tailgating and Piggybacking

This is social engineering in the physical world. Attackers follow authorised employees into secured areas, sometimes unnoticed, sometimes invited in out of politeness.

Tip: Reinforce “no badge, no entry” policies. Make it okay for employees to challenge unfamiliar faces, even the friendly ones with coffee.

7. Quid Pro Quo

The attacker offers something (help, a survey reward, tech support) in exchange for information. This is classic con artist territory.

Example: One attacker claimed to be from IT offering help with a computer issue and walked away with login credentials.

Tip: Make it clear to employees: real support teams don’t cold-call for passwords.

8. Business Email Compromise (BEC)

BEC attacks are sophisticated. They impersonate executives or vendors, convincing finance teams to send money or data to attackers.

Example: Ubiquiti lost nearly $47 million in 2015 to a fake vendor request. They recovered just a fraction.

Tip: Implement strict verification processes for payment requests, especially account changes. Always confirm via a second, known communication channel.

9. Deepfake Attacks (The New Frontier)

Imagine getting a video call from your CFO, except it’s not really them. Deepfakes can replicate voices and faces, making even face-to-face interactions suspect.

Example: In 2024, scammers used deepfake video calls to impersonate multiple executives at a UK firm, walking away with $25 million.

Tip: Introduce multi-factor verification for large transactions, especially during video meetings. And start training employees to question even what they see.

The Real Cost: It’s More Than Just Money

Yes, social engineering costs billions. But the damage often goes deeper: lost trust, shattered reputations, and regulatory fallout.

  • The FBI reported over $16 billion in cybercrime losses in 2024, with Business Email Compromise (BEC) alone accounting for $2.77 billion.
  • Average recovery costs can exceed $5 million per ransomware incident, many of which start with a simple phish.

These aren’t just numbers. They’re a wake-up call.

Building the Human Firewall: What Actually Works

Let’s talk defense. No silver bullet exists, but combining the right strategies creates a resilient, human-aware security posture.

1. Make Training Actually Work

Skip the dull compliance videos. Instead:

  • Run phishing simulations regularly.
  • Use gamified platforms to make learning stick.
  • Focus on behavior change, not just awareness.

Pro tip: Track progress through reporting rates and engagement, not just who completed the module.

2. Layer Your Defences

  • Email filters and link scanners help catch many attacks before they hit inboxes.
  • Endpoint detection and response (EDR) tools help contain malware if someone slips up.
  • Zero Trust Architecture minimizes the damage even if a user is compromised.

3. Incident Response Is Not Optional

Even the best defenses fail. That’s why an incident response plan isn’t just nice to have; it’s essential. Make sure:

  • Everyone knows how to report something suspicious.
  • There’s a clear playbook for containment and recovery.
  • Lessons learned from incidents feed into training and policy updates.

4. Cyber Hygiene Still Matters

  • Enforce strong password policies and use password managers.
  • Roll out Multi-Factor Authentication everywhere.
  • Limit access based on role and audit it regularly.

These basics are your safety net. If they’re weak, even the best user awareness won’t help.

Final Thoughts

Social engineering isn’t a tech problem. It’s a human one. And the only way to fix it is to bring the human factor to the center of your security strategy.

This means empowering your people, investing in behaviour-driven training, and treating security not as an IT function but as a shared responsibility. Because at the end of the day, your people are either your best defence or your biggest risk.
