July 17, 2026
Modern Cyberattacks Target Both Technology and Human Psychology
By Zeba Shaikh
By Zeba
11 min read
"The strongest firewall in the world cannot stop an employee from willingly handing over their password."
For decades, cybersecurity has been built around one primary objective: protecting technology. Organisations spend billions every year on next-generation firewalls, endpoint detection and response (EDR), intrusion prevention systems (IPS), vulnerability scanners, encryption, Zero Trust architectures, and artificial intelligence (AI)-powered security platforms. These technologies are indispensable because attackers continue to exploit software vulnerabilities, weak configurations, exposed services, and unpatched systems
Technical attacks are far from disappearing. Ransomware groups exploit vulnerable remote services, attackers take advantage of zero-day vulnerabilities before patches are available, and poorly secured cloud environments continue to expose sensitive data. According to the Verizon 2025 Data Breach Investigations Report (DBIR), vulnerability exploitation remains one of the fastest-growing methods of gaining initial access, driven largely by the exploitation of internet-facing applications and third-party software (Verizon, 2025).
However, modern cybercriminals have recognised an important reality:
Sometimes it is easier to manipulate the person than to exploit the system.
This does not mean hackers have stopped targeting computers. Quite the opposite-they attack both technology and the people who use it. Today's most successful cyber campaigns often combine technical exploitation with psychological manipulation. An attacker may exploit a software vulnerability to gain an initial foothold while simultaneously sending convincing phishing emails to harvest credentials or bypass multi-factor authentication.
Cybersecurity is therefore no longer just about protecting devices and networks. It is equally about understanding human behaviour.
The Human Attack Surface
Every organisation has an attack surface-the collection of systems, applications, cloud services, and devices that could potentially be compromised.
Increasingly, people are part of that attack surface.
Unlike computers, humans are influenced by emotion, trust, urgency, curiosity, and social pressure. These characteristics are essential in everyday life, but they can also be manipulated by attackers.
This manipulation is known as social engineering.
Social engineering refers to techniques used to persuade people into revealing confidential information or performing actions that benefit an attacker rather than exploiting a technical vulnerability directly (Jabir, Le, & Nguyen, 2025).
Rather than writing sophisticated malware, an attacker may simply send an email that appears to come from the finance department requesting an urgent payment. The technology works exactly as designed-the compromise occurs because the recipient trusts the message.
This shift reflects an important evolution in cybercrime. Instead of asking, "How can I exploit this server?", attackers increasingly ask, "How can I convince someone to help me?"
Why Social Engineering Works
One of the biggest misconceptions in cybersecurity is that only inexperienced users fall victim to phishing attacks.
In reality, attackers rarely rely on poor spelling or obviously suspicious emails anymore.
Instead, they carefully design messages around predictable human behaviours.
Some of the most commonly exploited psychological triggers include:
- Authority — "This request comes from your CEO."
- Urgency — "Respond within the next 10 minutes."
- Fear — "Your Microsoft 365 account has been suspended."
- Curiosity — "Updated Salary Structure 2026."
- Trust — "This is your colleague sharing a document."
- Scarcity — "Only a few places remain."
These techniques are rooted in behavioural psychology rather than computer science.
Recent research analysing phishing persuasion techniques found that attackers deliberately combine multiple psychological principles to increase the likelihood that victims will comply, especially when users are distracted or under pressure (Khadka, 2024).
In other words, the attack succeeds because it feels legitimate, not because it exploits a software flaw.
Artificial Intelligence Has Changed the Rules
Artificial Intelligence has dramatically lowered the barrier for creating convincing social engineering attacks.
Only a few years ago, phishing emails often contained grammatical mistakes, awkward formatting, or suspicious wording that made them relatively easy to recognise.
Today, large language models can generate professional emails within seconds.
Voice cloning technologies can imitate executives.
Image-generation tools can create convincing company branding.
Deepfake technology can even produce realistic video messages.
Attackers no longer need excellent English or advanced technical writing skills. AI allows them to create personalised messages at a scale that was previously impossible.
Research by Francia et al. (2024) found that AI-generated phishing messages were often perceived as equally convincing — or even more convincing — than messages written by humans.
Similarly, Yu et al. (2024) argue that AI has transformed social engineering by making attacks faster, cheaper, and more scalable, enabling criminals to personalise campaigns against thousands of potential victims simultaneously.
For defenders, this creates a significant challenge.
Traditional advice such as "look for spelling mistakes" is becoming increasingly ineffective because many AI-generated phishing emails contain none.
Instead, employees must learn to verify requests based on context rather than appearance.
When Technology Works but People Are Deceived
One of the most interesting aspects of modern cyberattacks is that many occur without defeating security technology at all.
Consider these examples:
- An employee logs into a fake Microsoft 365 portal because the webpage looks genuine.
- A finance manager authorises a payment after receiving an email appearing to come from the Chief Executive Officer.
- A helpdesk employee resets a password after speaking to someone convincingly impersonating a colleague.
- An employee scans a malicious QR code placed over a legitimate one in a public location.
In each scenario, the firewall continues to function correctly.
The antivirus remains active.
The operating system is fully patched.
The compromise occurs because the attacker successfully manipulated human decision-making.
This illustrates an important lesson: cybersecurity failures are not always technical failures. Sometimes they are failures in verification, awareness, or organisational processes.
When One Phone Call Costs Millions
Many organisations believe that investing in the latest cybersecurity technologies will completely eliminate cyber risk. While strong technical controls are essential, recent incidents demonstrate that attackers often succeed by targeting people rather than bypassing sophisticated security systems.
One of the most widely discussed examples is the MGM Resorts cyberattack in 2023. Public reporting indicates that the attackers used social engineering to convince an IT helpdesk employee to reset credentials, allowing them to gain access to internal systems. The attack disrupted hotel reservations, casino operations, digital room keys, and payment systems, resulting in significant operational and financial impacts (CISA, 2023; Microsoft, 2023).
Around the same period, Caesars Entertainment also experienced a cyberattack reportedly involving social engineering techniques that targeted the company's IT support processes. The incident highlighted that even organisations with mature cybersecurity programmes remain vulnerable when attackers successfully manipulate human behaviour (Microsoft, 2023).
These incidents demonstrate an important lesson:
The attacker did not necessarily defeat the firewall first-they persuaded a trusted person to help them.
This does not diminish the importance of technical security. Instead, it highlights that modern cyberattacks often combine technical exploitation with human manipulation, making defence more complex.
Why Humans Remain the Weakest Link
The phrase "humans are the weakest link" is common in cybersecurity, but it deserves clarification.
People are not inherently weak.
Instead, attackers exploit normal human characteristics that are essential for everyday work.
Employees are expected to:
- Respond quickly.
- Help colleagues.
- Trust senior management.
- Solve customer problems.
- Meet strict deadlines.
Ironically, these positive workplace behaviours are exactly what attackers abuse.
Imagine receiving an email from your manager marked "Urgent -Please review immediately."
Most employees will prioritise the request because responding quickly is considered good professional behaviour.
Attackers understand this.
They design attacks that fit naturally into an employee's daily workflow rather than appearing obviously malicious.
Research reviewing phishing attacks in the era of Generative AI concludes that attackers increasingly exploit behavioural and cognitive biases instead of relying solely on technical vulnerabilities (Jabir et al., 2025).
The Rise of AI-Powered Social Engineering
Artificial Intelligence has transformed the way organisations work, but it has also transformed cybercrime.
Generative AI now enables attackers to produce:
- Highly personalised phishing emails.
- Convincing fake company websites.
- Deepfake videos.
- AI-generated voice calls.
- Automated phishing campaigns at scale.
Previously, creating a convincing phishing campaign required considerable effort.
Today, an attacker can generate hundreds of customised emails within minutes.
Imagine an employee whose LinkedIn profile shows they recently attended a cybersecurity conference.
An attacker could ask an AI model to generate an email such as:
"Hi Sarah, it was great meeting you at the conference last week. As promised, here are the presentation slides."
The email may include the employee's name, company, interests, and recent activities — all gathered from publicly available information.
This level of personalisation significantly increases trust.
Francia et al. (2024) found that AI-generated phishing messages can be perceived as equally or more convincing than human-written messages, making traditional awareness advice less effective.
Security Awareness Alone Is Not Enough
Many organisations respond to phishing threats by conducting annual security awareness training.
While awareness programmes remain valuable, they should not be viewed as the only solution.
Employees cannot realistically detect every sophisticated phishing email.
They become tired.
They work under pressure.
They make mistakes.
Instead of blaming employees, organisations should design systems that expect mistakes to happen.
This philosophy is reflected in the Zero Trust security model.
Zero Trust assumes that no user, device, or request should be automatically trusted.
Every request should be continuously verified regardless of whether it originates inside or outside the organisation.
When combined with Multi-Factor Authentication (MFA), least privilege, endpoint security, and continuous monitoring, Zero Trust reduces the impact of successful phishing attacks because stolen credentials alone are often insufficient to compromise the organisation (NIST, 2020).
Building a Human Firewall
Cybersecurity professionals often refer to employees as the human firewall.
Unlike traditional firewalls that filter network traffic, a human firewall consists of employees who can recognise suspicious behaviour before responding.
Building this capability requires continuous investment rather than a single annual training session.
Effective organisations typically implement:
- Regular phishing simulation exercises.
- Short, role-specific security awareness sessions.
- Secure reporting mechanisms.
- Multi-Factor Authentication.
- Password managers.
- Verification procedures for financial transactions.
- Continuous security culture programmes.
The goal is not to create fear.
The goal is to create confidence.
Employees should feel comfortable asking,
"Can I verify this request before I proceed?"
rather than fearing criticism for delaying urgent work.
Security culture is often more valuable than security technology alone.
Security Is a Shared Responsibility
Cybersecurity is no longer the sole responsibility of the IT department.
Executives, managers, finance teams, human resources, developers, customer support staff, and third-party suppliers all influence organisational security.
A finance department approving payments.
An HR employee opening job applications.
A software developer managing source code.
An executive using cloud services.
Every role presents different risks.
Modern organisations therefore need security strategies that combine:
- Strong technical controls.
- Secure organisational processes.
- Employee awareness.
- Executive support.
- Continuous risk management.
Technology protects systems.
People protect decisions.
Both are equally important.
The Future of Social Engineering: AI Will Make Attacks Smarter
As Artificial Intelligence continues to evolve, so will cybercriminals. In the coming years, social engineering attacks are likely to become more personalised, automated, and difficult to detect.
Imagine receiving a video call from your CEO asking you to urgently transfer funds for a confidential acquisition. The voice sounds authentic, the face matches perfectly, and the conversation includes details about projects only your company knows.
This scenario is no longer science fiction.
Advances in deepfake technology and AI voice cloning have made it increasingly possible for attackers to impersonate trusted individuals. Combined with information gathered from social media, company websites, and previous data breaches, attackers can create highly convincing scenarios that exploit trust rather than technical weaknesses (Yu et al., 2024).
At the same time, AI is also helping defenders. Security platforms now use machine learning to detect phishing campaigns, identify unusual user behaviour, and recognise abnormal login patterns. The future of cybersecurity is therefore not a battle between humans and machines, but a competition between AI-powered attackers and AI-assisted defenders.
The Importance of a Security-First Culture
Technology alone cannot create a secure organisation.
Employees should not view cybersecurity as solely the responsibility of the IT department. Instead, security should become part of everyday business operations.
A strong security culture encourages employees to:
- Verify requests before taking action.
- Report suspicious emails without fear of criticism.
- Follow security policies consistently.
- Challenge unusual requests, even if they appear to come from senior management.
- Participate in regular security awareness programmes.
Organisations that foster this mindset create an environment where security becomes everyone's responsibility rather than a task assigned to a single department.
Research consistently shows that organisations combining technical controls with ongoing security awareness programmes are more resilient against phishing and social engineering attacks than organisations relying solely on technical solutions (Jabir et al., 2025).
Practical Recommendations for Organisations
Based on current research and industry best practices, organisations should adopt a balanced approach that addresses both technology and human behaviour.
1. Implement Zero Trust Architecture
Never assume that users or devices are trustworthy simply because they are inside the corporate network.
Instead:
- Continuously verify identity.
- Apply Multi-Factor Authentication (MFA).
- Enforce the Principle of Least Privilege.
- Continuously monitor user behaviour.
Zero Trust significantly reduces the impact of stolen credentials because authentication is continuously evaluated rather than assumed (NIST, 2020).
2. Invest in Continuous Security Awareness
Annual training sessions are no longer sufficient.
Employees should regularly experience:
- Phishing simulations.
- Interactive security workshops.
- Micro-learning sessions.
- Real-world attack demonstrations.
- Lessons based on current cyber threats.
The objective is to improve decision-making rather than simply increasing technical knowledge.
3. Strengthen Identity Management
Most successful social engineering attacks ultimately seek one objective:
Access.
Organisations should therefore strengthen identity protection by implementing:
- Password managers.
- Multi-Factor Authentication.
- Conditional Access Policies.
- Privileged Access Management.
- Account monitoring.
Even if credentials are compromised, additional security layers can prevent attackers from progressing further into the network.
4. Develop an Incident Response Plan
No organisation can guarantee that every attack will be prevented.
What distinguishes resilient organisations is how quickly they detect, contain, and recover from incidents.
An effective incident response plan should include:
- Clearly defined responsibilities.
- Rapid isolation procedures.
- Communication plans.
- Regular testing exercises.
- Lessons learned after each incident.
Prepared organisations recover significantly faster than those responding without a structured plan.
Cybersecurity Is Ultimately About Trust
Every successful social engineering attack begins with one thing: Trust
Attackers do not create trust.
They exploit trust that already exists between colleagues, departments, suppliers, customers, and executives.
-Every email opened.
-Every QR code scanned.
-Every password shared.
-Every phone call answered.
-These decisions involve trust.
Modern cybersecurity therefore extends beyond protecting technology. It requires protecting the relationships and decision-making processes that organisations depend upon every day.
Final Thoughts
Cybersecurity has evolved considerably over the past two decades.
While attackers continue to exploit technical vulnerabilities such as zero-day exploits, ransomware, and insecure cloud environments, they increasingly recognise that influencing human behaviour can be equally effective.
Rather than viewing technology and people as separate challenges, organisations should recognise that both are interconnected.
-Firewalls protect networks.
-Endpoint protection secures devices.
-Encryption safeguards information.
-However, informed employees protect decisions.
The strongest cybersecurity strategy is therefore not built solely on advanced technology, nor solely on employee awareness.
It is built on both.
The future belongs to organisations that invest equally in secure technologies, resilient processes, and educated people.
Because in modern cybersecurity, protecting systems is no longer enough — we must also protect the people who use them.
References:
Francia, J., Hansen, D., Schooley, B., Taylor, M., Murray, S., & Snow, G. (2024). Assessing AI vs Human-Authored Spear Phishing SMS Attacks: An Empirical Study Using the TRAPD Method. arXiv. https://arxiv.org/abs/2406.13049
Jabir, R., Le, J., & Nguyen, C. (2025). Phishing Attacks in the Age of Generative Artificial Intelligence: A Systematic Review of Human Factors. AI, 6(8), 174. https://doi.org/10.3390/ai6080174
Khadka, K. (2024). Persuasion and Phishing: Analysing the Interplay of Persuasion Tactics in Cyber Threats. arXiv. https://arxiv.org/abs/2412.18485
Verizon. (2025). 2025 Data Breach Investigations Report (DBIR). https://www.verizon.com/business/resources/reports/dbir/
CISA. (2023).
Scattered Spider and ALPHV BlackCat actors target large organizations. Cybersecurity and Infrastructure Security Agency.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
Francia, J., Hansen, D., Schooley, B., Taylor, M., Murray, S., & Snow, G. (2024).
Assessing AI vs Human-Authored Spear Phishing SMS Attacks: An Empirical Study Using the TRAPD Method. arXiv.
https://arxiv.org/abs/2406.13049
Jabir, R., Le, J., & Nguyen, C. (2025).
Phishing Attacks in the Age of Generative Artificial Intelligence: A Systematic Review of Human Factors. AI, 6(8), 174.
https://doi.org/10.3390/ai6080174
Microsoft Threat Intelligence. (2023).
Financially motivated actors exploit social engineering to target organizations. Microsoft Security Blog.
https://www.microsoft.com/security/blog/
National Institute of Standards and Technology (NIST). (2020).
Zero Trust Architecture (Special Publication 800–207). U.S. Department of Commerce.
https://doi.org/10.6028/NIST.SP.800-207
Yu, J., Yu, Y., Wang, X., Lin, Y., Yang, M., Qiao, Y., & Wang, F.-Y. (2024). The Shadow of Fraud: The Emerging Danger of AI-powered Social Engineering and its Possible Cure. arXiv. https://arxiv.org/abs/2407.15912