In the ever-evolving landscape of cybersecurity, human vulnerability has emerged as the most significant risk factor for organizations worldwide. While technical safeguards remain essential, recent data reveals an alarming trend: 85 percent of security breaches begin with human interaction, according to Dr. Niklas Hellemann, CEO of cybersecurity awareness company SoSafe.
The scale of this challenge is staggering. Of the 3.4 billion phishing emails dispatched daily, approximately 680 million penetrate security filters. Even more concerning, half of the messages that get past the filters are opened or engaged with by recipients, creating entry points for malicious actors.
Global events have exacerbated this vulnerability. The psychological toll of recent crises—from the COVID-19 pandemic to geopolitical conflicts—has created fertile ground for cybercriminals. Heightened states of anxiety, uncertainty, and stress make people particularly susceptible to social engineering tactics that exploit emotional responses.
“Cybercriminals have long understood that targeting humans is more efficient than attempting to breach technical systems directly,” explains Hellemann. “While infrastructure varies across organizations, human psychology remains relatively constant.”
This realization has given rise to a sophisticated underground economy where attackers prioritize psychological manipulation over technical exploits. Cybercriminals systematically leverage human emotions—anxiety, authority bias, and helpfulness—to circumvent even robust security systems.
The attack vectors continue to multiply. When the Omicron COVID-19 variant dominated headlines, security researchers observed an immediate surge in related phishing campaigns. Similarly, Russia’s invasion of Ukraine triggered waves of fraudulent charity schemes designed to exploit compassion and generosity.
The transition to hybrid work models has further complicated the security landscape. Remote work environments typically lack the protective infrastructure of corporate offices, while the rapid adoption of new communication tools has outpaced security awareness. Simultaneously, the accelerating pace of digitization introduces additional risks, including deepfakes, voice phishing, and increasingly sophisticated supply chain attacks.
The 2022 Uber data breach exemplifies these evolving threats. According to multiple reports, attackers initially obtained an employee’s VPN credentials through social engineering, likely phishing. To bypass multi-factor authentication, they deployed “MFA bombing”—repeatedly sending authentication requests until the overwhelmed user approved one—gaining access to critical internal systems.
“This breach demonstrates the constant innovation occurring on the psychological front, not just the technological one,” notes Hellemann. “Attackers are becoming increasingly sophisticated in manipulating human behavior.”
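One way a security team can spot the MFA bombing pattern described above in authentication logs: a burst of denied or unanswered push prompts for one user, followed by an approval. This is an added example, not code from SoSafe or from any party to the Uber incident; the log format, outcome names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of rejected prompts that is abnormal

# Constructed sample events (hypothetical format): ISO timestamp, user, push outcome.
SAMPLE_LOG = """\
2022-01-01T09:00:00 bob denied
2022-01-01T09:05:00 bob approved
2022-01-01T22:00:00 alice timeout
2022-01-01T22:01:00 alice denied
2022-01-01T22:02:00 alice timeout
2022-01-01T22:03:00 alice denied
2022-01-01T22:04:00 alice timeout
2022-01-01T22:05:30 alice approved
2022-01-01T23:00:00 carol denied
2022-01-01T23:30:00 carol approved
"""

def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (timestamp, user, kind) alerts for bursts of rejected MFA prompts."""
    recent = defaultdict(deque)  # user -> timestamps of rejected prompts in window
    alerted = set()              # users whose current burst was already reported
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            alerted.discard(user)        # previous burst has ended
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in alerted:
                alerts.append((ts_raw, user, "prompt_burst"))
                alerted.add(user)
        elif outcome == "approved":
            if len(q) >= threshold:
                # Approval straight after a burst: treat the session as suspect.
                alerts.append((ts_raw, user, "approved_after_burst"))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

The `prompt_burst` alert fires while the user is still rejecting prompts, which is the point at which the account can be locked or the user contacted before any approval happens.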
Given these challenges, organizations must fundamentally reconsider their approach to cybersecurity. Rather than viewing employees as liabilities, companies should position them as additional layers of defense by fostering sustainable security cultures.
Effective security awareness requires more than traditional training sessions. SoSafe recommends implementing in-situation awareness tools that improve user reporting behaviors—an early indicator of increasing security consciousness. Dynamic “micro-learning” approaches have proven more effective than conventional training methods, minimizing productivity disruptions while maximizing knowledge retention.
Behavioral science offers valuable insights for cybersecurity education. Regular reminders or “nudges” can increase user activation by 90 percent, helping employees maintain vigilance. Similarly, gamification elements boost engagement by 54 percent, facilitating the development of secure digital habits.
As organizations mature in their security posture, awareness programs should evolve accordingly. The ability to understand and report on both psychological tactics and technical vectors allows security teams to gradually increase the complexity of simulated threats, keeping pace with real-world innovations in attack methodology.
“Cybercrime will never simply disappear,” Hellemann warns. “As our society becomes increasingly technology-dependent, digital spaces will naturally become the primary targets for theft and fraud.”
The recent Uber breach underscores this reality. Had employees been properly educated about emerging threats like MFA bombing, the company would likely have demonstrated greater resilience against the attack.
With humans firmly established as the primary target for cybercriminals, organizations must place them at the center of security innovation, empowering employees with the knowledge and tools needed for effective digital self-defense in an increasingly hostile online environment.
10 Comments
The data on phishing emails penetrating security filters is alarming. Cybercriminals are clearly adapting their tactics to target human vulnerabilities, which calls for a comprehensive security strategy beyond just technological solutions.
Emotional manipulation as a cybersecurity threat highlights the complex interplay between technology and human psychology. Developing effective countermeasures will require a multidisciplinary approach spanning technical, behavioral, and organizational domains.
The scale of phishing attacks is staggering, and the fact that half of filtered messages are still opened is a concerning statistic. Bolstering cybersecurity will require a multi-pronged approach that addresses both technological and human factors.
You’re right, a holistic security strategy is essential. Employees need to be educated on spotting social engineering tactics and developing cyber-resilient habits.
Emotional manipulation as a cybersecurity threat is a concerning development. Protecting against this requires a shift in mindset – focusing not just on technical defenses, but also on building cyber-resilient employees.
This is a sobering reminder that even the most robust technical defenses can be undermined by human vulnerability. Cybercriminals are increasingly exploiting our emotions to gain access – a troubling trend that requires greater awareness and resilience training.
Targeting human vulnerabilities rather than technical systems is a shrewd tactic by cybercriminals. This underscores the need for robust security awareness training and a culture of cyber-vigilance within organizations.
The prevalence of phishing emails and their success rate is alarming. Cybersecurity must evolve to address the human element and equip employees with the knowledge and tools to identify and resist social engineering tactics.
Emotional manipulation as a cybersecurity threat is a sobering reality. The psychological toll of recent events has made people more vulnerable to exploitation, underscoring the importance of proactive training and support for employees.
Agreed. Cybersecurity awareness and resilience should be a key priority, especially as remote work continues to blur the lines between our personal and professional lives.