Social engineering attacks extend far beyond phishing emails. With human error still contributing to up to 95% of data breaches today, it's clear that technical controls alone are not enough, and organisations must invest further in strengthening their human defences.

Social engineering attacks carry real business consequences, including operational disruption, intellectual property theft, and financial loss. The risks are evolving, growing more sophisticated and harder for organisations to spot.
Many organisations include phishing awareness in their security strategy, but in reality that's only the tip of the iceberg. Phishing is just one technique within social engineering: the broader psychological tactic threat actors use to manipulate or trick people into disclosing information or granting access.
Social engineering extends far beyond emails and even digital channels—attackers exploit the same human behaviours in voice calls, video calls, and even face-to-face interactions. And yet, many organisations today still overlook this, or assume (or hope) it won’t happen to them.
With access to vast amounts of information readily available online about organisations and individuals, it only takes one piece of personal information for an attacker to impersonate a trusted colleague or supplier. This is a technique seen in many recent high-profile breaches, even at well-established and mature companies.
While many organisations understand phishing in theory, and may already invest in awareness training, plenty still underestimate the full extent of the social engineering threat today. Focusing only on phishing awareness creates a false sense of security. Without understanding the full scope of social engineering, organisations remain exposed to attacks that deliberately target human behaviour across different communication channels.
Human behaviour still contributes to up to 95% of data breaches (Mimecast, 2025). Social engineering exploits human nature; attackers often leverage trust, urgency, or authority to gain access to something they shouldn't have. This is why technical controls aren't enough to protect your employees and brand. Attackers seek out weak points in security, so a lack of human-centric controls can leave your organisation vulnerable to being targeted.
Social engineering attacks can happen through any communication channel. It's not just email. Threat actors use phone calls (vishing), AI-generated voice and video deepfakes, in-person conversations, and even physical site access attempts to get what they want.
1. “We have good technical controls so we’re safe.”
Sure, organisations invest in cybersecurity controls like firewalls, patching programmes, and vulnerability scanning, but no technology can fully protect against a person giving away their password, sending a confidential document, or holding the door open for a stranger. That’s why the human element remains the weakest link in security.
2. “Our employees know about phishing.”
Phishing awareness training doesn’t equate to an appropriate response in real-world scenarios. Focused attacks are intentional and personalised—and they often occur in pressure situations where human nature overrides company policy.
3. “Social engineering is digital only.”
Social engineering doesn’t stop at the computer screen. Attackers can impersonate delivery drivers, contractors, or internal staff. They can use tailored scripts or believable physical props to bypass security controls and gain access to restricted spaces.
Physical security is often treated as separate from cyber security, but the two are more intertwined today than ever. Tailgating, impersonation and in-person manipulation are all proven tactics that can directly compromise digital and operational security. Ignoring these methods of attack leaves organisations exposed in ways that traditional cyber defences can't prevent.
Security is a people problem at its core, so it’s essential that organisations prepare their employees to recognise these attacks and respond effectively.
To meaningfully reduce the likelihood and impact of a social engineering attack, we need to move beyond awareness and adopt testing that reflects how attackers actually operate today.
Resources are limited, so it's important to prioritise where you focus your effort. When you understand where the genuine gaps in your technical and non-technical protective controls are, and what harm they could do to your operations, you won't just be using your resources wisely, you'll also be saving on the bottom line.
For example, suppose you have cloud backup processes in place, but they aren't tested regularly. If ransomware strikes and no one is sure how long data recovery would take, or what impact the downtime would have on operations, that's a problem. By prioritising this gap, you mitigate a major operational risk without overhauling everything.
Attackers often start with research to make their scams believable. Using open-source intelligence (OSINT), they gather information about an organisation and its people to make attacks seem like legitimate contact.
For this reason, organisations need an understanding of what information is publicly available about their people, partners and processes, and how this can be used against them.
To counter this, conduct social engineering assessments that deliberately incorporate this publicly available information to test how employees respond to tailored attacks that seem legitimate. By simulating how threat actors operate in the real world, you can measure the true strength of your human defences.
Attackers will look for any weak points in your security ‘perimeter’. This includes your systems, physical sites, your people and procedures. If you limit testing to only some of your perimeter, you’re creating gaps where vulnerabilities might exist but go undetected.
Effective social engineering and security assessments cover all parts of your perimeter—especially your people—to ensure all your controls are validated.
If your social engineering training is too generic or basic, it won't prepare your team for the attacks they're likely to encounter, not least because they'll be bored and won't be paying attention.
To get real value out of your training, it should be tailored around realistic scenarios that are relevant to your organisation.
Employees need to know what they're looking for. Regularly providing your team with examples of social engineering attempts can help them stay vigilant. Ideally, do this in an interactive environment where people can discuss the examples and understand why scams succeed. This helps your team spot red flags and confidently report suspicious activity.
Implementing just a few of these measures can significantly reduce the likelihood of a successful social engineering attack against your organisation.
At PGI, our team of experts have a deep understanding of how threat actors operate and can design realistic social engineering and physical security testing and training tailored to your people and processes. Get in touch with us to find out how we can help you prepare and defend against sophisticated social engineering attacks.
Download our whitepaper "How can organisations defend against social engineering attacks?" for more practical, strategic recommendations from our experts.