Logo
FrontierNews.ai

The Human Click: Why 98% of Cyberattacks Still Start With People, Not Code

Social engineering remains the dominant attack vector in cybersecurity, with 98% of cyberattacks involving some form of human manipulation. Despite billions spent on firewalls and security software, the weakest link remains unchanged: people. A median of just 21 seconds separates a phishing email from a click, faster than any automated defense can intervene.

The financial toll is staggering. FBI-reported social engineering losses in the United States surged from $12.5 billion in 2023 to $16.6 billion in 2024, a 33% year-over-year increase. Business Email Compromise (BEC) alone accounted for $2.77 billion of that total, with the FBI recording $55.5 billion in cumulative BEC losses over the past decade. The average cost per BEC breach reaches $4.89 million, making it the most financially devastating social engineering technique on record.

What makes this crisis urgent is the role artificial intelligence now plays in scaling these attacks. AI has fundamentally changed the economics of social engineering. Prior to 2023, creating a convincing phishing campaign required skilled operators who understood language, psychology, and target context. Today, AI tools can generate perfect phishing emails in any language at 95% lower cost, clone a voice from just 3 seconds of audio, and produce deepfake video calls that have fooled finance teams into transferring millions. The barrier to entry for attackers has collapsed.

How Has AI Transformed Social Engineering Attacks?

Artificial intelligence now powers over 80% of phishing campaigns, according to Abnormal Security data cited in the research. This represents a fundamental shift in attack sophistication and scale. The convergence of multiple AI-powered channels creates compound risk: an attacker might research a target on LinkedIn, send an AI-crafted phishing email, follow up with a deepfaked voice call from their "CEO," and request an urgent wire transfer via BEC. Each layer adds credibility, and each layer is now cheaper and more convincing thanks to AI.

Vishing, or voice phishing, has emerged as a particularly alarming trend. Vishing attacks surged 442% between the first and second half of 2024, and deepfake vishing attacks specifically jumped 1,633%. These voice-based attacks now account for 60% or more of all phishing engagements, surpassing traditional email phishing in effectiveness. SMS phishing, or smishing, proves even more dangerous per message, with click rates of 19% to 36%, compared to email phishing's 2% to 4% baseline.

The attack surface is expanding faster than defenses can adapt. Fake CAPTCHA campaigns surged 1,450% in the first quarter of 2025, while fake road toll smishing scams spiked 2,900% from 2023 to 2024. AI-generated BEC emails now account for 40% of all BEC messages, blurring the line between human and machine-crafted fraud.

Why Do Humans Remain the Primary Breach Vector?

The human element is involved in 60% of all breaches, according to Verizon's 2025 Data Breach Investigations Report. This includes phishing clicks, credential reuse, and pretexting conversations that trick employees into authorizing fraudulent transfers. Pretexting, the practice of creating a fabricated scenario to extract information, now accounts for 50% or more of all social engineering incidents and 27% of social engineering breaches.

Untrained employees remain highly vulnerable. Baseline phishing click rates among untrained staff reach 33.1%, meaning roughly one in three employees will click a malicious link without proper awareness training. However, the good news is that security awareness training demonstrably works. Organizations that implement 12 months of continuous training see an 86% reduction in click rates, proving that the gap between problem and solution is fundamentally a training gap, not a technology gap.

For financial institutions, the risk is particularly acute. South African banks, for example, face a multi-layered threat landscape where AI-generated phishing emails imitate trusted banking communications to steal customer credentials, SMS phishing tricks customers into revealing account details, and deepfake voice attacks enable criminals to impersonate executives authorizing fraudulent transactions. The convergence of these techniques creates a perfect storm for institutions that lack comprehensive employee awareness programs.

How to Reduce Social Engineering Risk in Your Organization

  • Implement Continuous Security Awareness Training: Organizations that deploy 12 months of structured security training reduce phishing click rates by 86%, making employee education the single most effective defense against social engineering attacks.
  • Deploy Multi-Factor Authentication (MFA): MFA adds a critical layer of identity verification that reduces the risk of credential-based attacks, even when passwords are compromised through phishing or credential theft.
  • Establish Email Security and Advanced Filtering: Advanced email security solutions detect malicious attachments, suspicious links, and business email compromise attempts before they reach employee inboxes.
  • Monitor for Voice and SMS-Based Attacks: Since vishing and smishing now account for 60% or more of phishing engagements and have higher click rates than email, organizations must train employees to recognize voice-based social engineering and SMS fraud.
  • Conduct Regular Phishing Simulations: Simulated phishing campaigns help identify vulnerable employees and reinforce training, creating a measurable baseline for improvement over time.

The scale of the social engineering crisis demands immediate action. 68% of confirmed breaches involve the human element, not a firewall misconfiguration or unpatched server. Yet the solution is not a new technology purchase; it is sustained investment in employee awareness and behavioral change. Organizations that treat security training as a one-time checkbox rather than a continuous process remain exposed to the full force of AI-powered social engineering attacks.

For banks and financial institutions, the stakes are even higher. Deepfake technology now enables attackers to mimic executives or banking officials, authorizing fraudulent transactions or gaining unauthorized access to sensitive systems. Without a comprehensive defense strategy that combines technical controls, employee training, and incident response planning, institutions face not only financial losses but also erosion of customer trust and regulatory consequences.

"AI can understand our native languages, and it is integrated into many products you are not aware of. Products we use in daily life, email processing, collaboration and productivity tools all have AI capabilities, which can be silently enabled by an attacker. You cannot know every place where AI is used because it is integrated at the earliest stages of the supply chain," noted Vladimir Kropotov, principal threat researcher at TrendAI Research.

Vladimir Kropotov, Principal Threat Researcher at TrendAI Research

The convergence of AI-powered social engineering and shadow AI, the proliferation of AI agents and capabilities deployed without security review, creates an additional layer of risk that most organizations have not yet addressed. IBM's 2025 report on the cost of a data breach found that shadow AI breaches cost $670,000 more than average, with 97% of affected organizations lacking proper AI access controls and 63% having no AI governance policy. As AI becomes embedded deeper into enterprise workflows, the attack surface expands, and the human element remains the most exploitable entry point.