The human factor in cyber security is now the most exploited attack vector in modern business. As cyber defences become increasingly sophisticated, attackers are shifting their focus from breaking code to breaking people.
With robust firewalls, EDR tools and AI threat detection making brute-force and malware attacks harder than ever, cyber criminals have adapted. They're no longer just looking for vulnerabilities in your tech stack. They're looking for vulnerabilities in your team. And unfortunately, human behaviour is far easier to predict and manipulate than machine logic.

Human-centric attacks are on the rise
Recent high-profile attacks have underlined this shift. One of the most notable was the Scattered Spider breach targeting M&S, in which the attackers used social manipulation, posing as internal staff, to gain access to sensitive systems. The BBC reported on the incident in full.
Our own Retail Data Breach Report – May 2025 confirms the trend.
Attackers are actively exploiting human behaviour in sectors like retail, where frontline staff, supply chain relationships, and fast-paced environments create fertile ground for deception.
The changing face of cyber threats
In the early days, cyber attacks relied on technical exploits such as malware, unpatched systems and brute-force entry points. Today, however, IT defences have evolved dramatically. AI-driven anomaly detection, zero trust frameworks, and advanced encryption make technical breaches increasingly difficult.
So attackers adapted. They turned to the human attack surface: a vast, unpredictable and emotionally driven environment that is far harder to secure.
Why? Because humans are inherently trusting, emotionally reactive, and often juggling too much to pause and question a suspicious request. It's far easier to trick someone into handing over their password than it is to brute-force your way into a secured server.
Understanding the human attack surface
There are three key reasons humans are vulnerable:
- Trust – We want to believe emails from colleagues or service providers are genuine.
- Urgency – “Action required”, “Your account is suspended”, “Invoice overdue”… these messages pressure people into mistakes.
- Emotion – Fear, curiosity, reward. All can override caution in the moment.
And the access points are everywhere:
- Email (still the #1 attack vector)
- Phone calls and SMS (vishing and smishing)
- Social media (personal info used for targeted attacks)
- In-person manipulation (tailgating, fake IDs, drop-in “tech support”)
Remote and hybrid working models have only widened this surface. People now access sensitive systems from home networks, shared devices, and public spaces, blurring the lines of responsibility and weakening security perimeters.
Phishing: still the #1 cyber crime in 2025
According to the UK Government’s Cyber Security Breaches Survey 2025, phishing remains the most prevalent cyber threat, affecting:
- 93% of businesses
- 95% of charities
that experienced any form of cyber crime.
Common types include:
- Spear phishing – Targeted, personalised messages aimed at specific individuals
- Whaling – Directed at high-level execs, often imitating board members
- Business Email Compromise (BEC) – Impersonating suppliers, CEOs or CFOs to request payments or sensitive data
These attacks succeed because they are emotionally charged and time-sensitive, playing on curiosity, urgency and fear of missing out. A well-crafted email or WhatsApp message can get past even the best digital defences because it never has to defeat them: the victim takes the action the attacker wants, from inside the perimeter, using their own legitimate access.
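As an added example (this is illustrative code, not Boxphish's product and not part of the original article), the script below applies the kind of header and content heuristics an email filter uses to catch the three phishing types just described: an executive's name on a mailbox that is not theirs (whaling/BEC), a sender domain that is a near-miss of the organisation's own (spear phishing from a lookalike domain), a Reply-To that quietly redirects the conversation, and the urgency and payment language that pressures the recipient. The organisation domain, executive list, phrase lists and the three sample messages are all constructed assumptions for the demonstration.

```python
# Added example: heuristic checks for impersonation-style phishing
# (spear phishing, whaling, BEC). Not Boxphish code; every name, domain,
# phrase list and message here is a constructed assumption for the demo.
import email
from email.utils import parseaddr

OUR_DOMAIN = "example.co.uk"                     # assumed: the organisation's own domain
EXECUTIVES = {                                    # assumed: the people attackers impersonate
    "jane smith": "jane.smith@example.co.uk",    # CEO
    "tom brown": "tom.brown@example.co.uk",      # CFO
}
URGENCY_PHRASES = ("action required", "urgent", "immediately",
                   "account is suspended", "invoice overdue", "before end of day")
PAYMENT_PHRASES = ("wire", "bank details", "transfer", "gift card", "invoice")


def levenshtein(a, b):
    """Edit distance, used to spot near-miss domains such as examp1e.co.uk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_domain(domain):
    """True for a domain that is not ours but sits within two edits of it, or that
    smuggles non-ASCII characters in (a Cyrillic 'a' in 'exаmple', for instance).
    Punycode (xn--) domains would need decoding first; omitted to keep the demo short."""
    if not domain or domain == OUR_DOMAIN:
        return False
    if not domain.isascii():
        return True
    return levenshtein(domain, OUR_DOMAIN) <= 2


def analyse(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    findings = []

    # 1. Whaling / BEC: a known executive's display name on a mailbox that is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and from_addr != expected:
        findings.append(f"display name '{display}' impersonates {expected} from {from_addr}")

    # 2. Lookalike sender domain (typosquat or homoglyph of our own domain).
    if lookalike_domain(domain_of(from_addr)):
        findings.append(f"sender domain {domain_of(from_addr)} resembles {OUR_DOMAIN}")

    # 3. Replies silently diverted to a mailbox the attacker controls.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"Reply-To {reply_addr} differs from From domain {domain_of(from_addr)}")

    # 4. Pressure language anywhere in subject or body.
    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency:
        findings.append("urgency pressure: " + ", ".join(urgency))

    # 5. Payment language from outside the organisation is the classic BEC payload.
    payment = [p for p in PAYMENT_PHRASES if p in text]
    if payment and domain_of(from_addr) != OUR_DOMAIN:
        findings.append("external payment request: " + ", ".join(payment))
    return findings


SAMPLES = {  # constructed sample messages for the demonstration
    "internal": (
        "From: Tom Brown <tom.brown@example.co.uk>\n"
        "Subject: Q3 budget review\n\n"
        "Can we meet Thursday to go through the numbers?\n"
    ),
    "bec": (
        "From: Jane Smith <jane.smith.ceo@gmail.com>\n"
        "Reply-To: jane.smith.ceo@outlook.com\n"
        "Subject: URGENT - wire needed before end of day\n\n"
        "I am in a meeting and cannot talk. Please transfer GBP 24,500 to the\n"
        "supplier's new bank details attached. Action required today.\n"
    ),
    "lookalike": (
        "From: IT Support <helpdesk@examp1e.co.uk>\n"
        "Subject: Your account is suspended\n\n"
        "Sign in immediately to restore access.\n"
    ),
}


def triage(samples=SAMPLES):
    """Run every sample through analyse() and return {name: findings}."""
    return {name: analyse(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name}: {findings or 'no findings'}")
```

The internal message produces no findings; the BEC sample trips four checks at once (impersonated CEO, diverted Reply-To, urgency, external payment request), which is exactly the stacking of pressure and impersonation the text describes; the lookalike sample is caught on its domain and its suspension threat. Heuristics like these only score a message, so in practice they feed a quarantine or banner decision rather than replacing user awareness.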
Social engineering is going beyond email
Modern social engineering now includes:
- Pretexting – Fabricating a scenario to gain trust (e.g., pretending to be IT support)
- Baiting – Leaving infected USBs or offering fake downloads
- Tailgating – Physically entering secure areas by following authorised staff
- AI-powered impersonation – Deepfakes and cloned voice tech are being used to impersonate leaders and pressure staff into action
- Social media reconnaissance – Harvesting birthdays, relationships, and personal info to build more convincing attacks
The tools are smarter. The tactics are more believable. And the barrier to entry is lower than ever.
Defending against human-centric attacks
Technology still has a critical role to play. MFA (ideally phishing-resistant, since attackers now talk users through handing over one-time codes and approving push prompts), email filtering and endpoint detection are essential. But without a parallel investment in human-focused defences, you are only half-protected.
Boxphish’s proven approach: Strengthening your human firewall
At Boxphish, we specialise in helping organisations build a security-first culture through practical, measurable and scalable human risk solutions.
Our approach includes:
- Simulated phishing campaigns to safely test and educate users
- Bite-sized training modules tailored to different roles and risk levels
- Real-time reporting and analytics to measure improvement
- GDPR and ISO-aligned frameworks for compliance confidence
- Culture change resources to embed security as a mindset, not a checklist
Want to see how this works in action? Explore our guide on transforming your cyber culture.
Conclusion: the human factor in cyber security
The human factor in cyber security is now the frontline of digital defence. As technical barriers grow stronger, social engineering and psychological manipulation will only become more common, more advanced and more dangerous.
But here’s the good news... with the right awareness, culture, and support, you can turn employees into your best defence.
Start influencing security behaviours and transforming your cyber culture today with Boxphish.