
Guest Blog: Cieran Smith, Infrastructure and Cyber Security Engineer at KubeNet
In light of several recent high-profile cyber attacks including incidents affecting Qantas, Glasgow City Council, and Marks and Spencer, all of which have been linked to human error, we've invited Cieran Smith to share his insights. As an experienced infrastructure and cyber security engineer at KubeNet, Cieran offers a deep dive into the growing threat of social engineering. In this article, he explains what social engineering is, explores how attackers are exploiting human behaviour to infiltrate systems, and, crucially, offers insight into what businesses can do to stay protected.
What is social engineering?
Social engineering is, to put it simply, the art of deception. Defined as the psychological manipulation of individuals to perform actions or disclose confidential information, it is the weapon of choice for hackers and cyber threat actors when trying to gain an initial foothold into digital systems.
The prevalence of social engineering, and the difficulty in defending against it, comes down to basic human behaviour and psychology.
Think of a master social engineer as a skilled pickpocket in a crowded Parisian marketplace. The skilled pickpocket doesn’t just go for the first person he sees. He waits and scans the crowd, looking for weaknesses to exploit. Who might be distracted? Who might be careless with their personal belongings?
Once a target is carefully selected, it becomes a game of subtlety and misdirection: a small bump, or maybe a request for a cigarette, all part of a carefully crafted scenario designed to distract the victim.
When it comes to social engineering, threat actors employ the same tactics. They study their targets, research them at a distance, and go for high-value or vulnerable individuals.
Sophisticated social engineering is a calculated deception. Just like our pickpocket scenario, it's a sequence of misdirection where the threat actor builds trust with their victim. And just like with a skilled pickpocket, it often isn’t until the damage is done that the victim realises they were targeted, making awareness and education the first line of defence in protecting your organisation.
The Evolution of Social Engineering
Social engineering as a cyber tactic can be traced back as early as the 1970s and 1980s, as discussed in Kevin Mitnick’s book Ghost in the Wires. Mitnick, a former high-profile American hacker turned security consultant, gives a first-hand account of how attackers exploited people, targeting vulnerabilities in individuals rather than in systems.
Mitnick famously referred to social engineering as “the art of human hacking”. His exploits shed light on the early days of social engineering in the United States at a time when attackers relied on more basic tactics such as impersonation and manipulation of trust.
Fast forward to 2025, almost half a century later, and these tactics are still in use, now in a more evolved form aided by A.I. tools.
How Cybercriminals Use AI and Deepfakes in Modern Social Engineering
The most concerning modern development in the war against social engineering is the sharp increase in the use of artificial intelligence by cybercriminals. According to the 2025 IBM X-Force Threat Intelligence Index, A.I. now helps threat actors carry out phishing campaigns more efficiently than ever before. In this modern cyber security landscape, threat actors are using A.I. tools to:
- Write phishing emails
- Build malicious websites
- Generate code
- Create deepfakes
All of this in a fraction of the time it would take a skilled human to perform the same tasks.
For cybercriminals, the primary advantage of using A.I. in social engineering is its ability to create flawless, convincing messages. That is especially valuable to attackers operating from abroad who may not speak English as a first language but can still manipulate targets with increasingly polished messaging. Previously, one of the tell-tale signs of a phishing email was poor grammar or out-of-place phrasing. However, A.I. can generate emails in any language and with perfect grammar, making them incredibly difficult to spot.
DID YOU KNOW: LLM-generated phishing emails had a 54% click-through rate, compared to just 12% for human-written phishing.
It all comes down to orchestrating the most convincing play. As Carruthers from IBM points out, A.I. allows attackers to craft more urgent and persuasive messages, significantly increasing the likelihood of success.
The issues with A.I. do not just end with phishing emails. Recently, there has been a surge in the sophistication of deepfake technology, which will only become more advanced as tools develop.
Deepfakes, media of a person in which their face or body has been digitally altered so that they appear to be someone else, enable cybercriminals to impersonate voices, images and even video calls of trusted individuals. This new era of technology allows attackers to conduct highly targeted and personalised attacks, namely CEO fraud, where an executive’s image or voice is used to manipulate employees.
In many places this technology is so new that legislation has yet to catch up. And for businesses today, this isn't a future threat; it's a present-day challenge. If your teams aren't trained to question what they see, hear, or read, even if it looks and sounds right, then your organisation is already at risk.
QUICK FACT: In 2024, attackers used deepfake video clones of executives to steal $25.6 million through social engineering fraud.
High-Risk Sectors for Social Engineering and Cyberattacks in 2025
While social engineering does affect everyone, individuals and businesses alike, there are some sectors that are targeted at a much higher rate than others. According to the Cyber Security Breaches Survey 2024, medium and large businesses are more likely to experience breaches or attacks, with 74% of large businesses and 70% of medium businesses reporting incidents in the last year.
The attraction to larger businesses is usually down to the scale of financial and data assets they manage, as well as the more complex third-party and vendor management systems in place. These make them highly desirable targets for attackers.
Furthermore, sectors handling sensitive data, such as healthcare, financial services and education, are at the highest risk in 2025. These industries hold data such as health records, financial data or highly protected educational records, which is like gold dust to attackers. This type of information is highly sensitive, meaning it is worth more on the black market and carries a higher chance of a ransom payout.
REALITY CHECK: The financial services, media, manufacturing, and engineering sectors saw a 200-300% increase in targeted cyber intrusions last year!
Why Cyber Hygiene and Staff Training Matter More Than Firewalls in 2025
While organisations, big and small, can implement a plethora of robust technical safeguards such as malware protection and firewalls, the survey drives home the importance of cyber hygiene. Cyber hygiene is a set of best practices that can significantly reduce your risk of cyber-attack. It is like taking your car in for its MOT and service, except in this scenario, it is monthly, not yearly.
Most businesses will demonstrate their cyber hygiene to customers and vendors by seeking accreditation with frameworks such as ISO27001 and Cyber Essentials Plus. These frameworks require a robust set of controls, including:
- Regular system updates
- Patching critical vulnerabilities
- Robust password policies
- Multi-factor authentication
While these measures are increasingly being adopted, phishing remains a major threat due to the human element. The right type of attack can bypass almost any of these controls, and multi-billion-dollar companies have fallen victim. This highlights the sheer importance of staff security training as a core principle for businesses.
Unfortunately, many organisations still funnel 100% of their security budget into cyber technologies, while overlooking staff training. Regular, engaging training sessions that highlight how to spot and mitigate common social engineering tactics can go a long way in protecting a company. The right training solution is often far less costly than high-tech firewalls and 24/7 security teams.
For SMBs, regular staff training can be considered the strongest defence a business can adopt against social engineering.
WORTH NOTING: 79% of cyber intrusions in 2024 were malware-free, relying instead on tactics like social engineering and credential abuse.
Staying Ahead of AI-Driven Social Engineering in 2025
The evolution of social engineering, particularly through the use of A.I. and deepfakes, has significantly raised the bar for security in 2025. As attackers continue to adapt and refine their tactics, businesses must remain vigilant and proactive in their cybersecurity approach. Implementing strong cyber hygiene and regular staff training has never been more important.
We must remember that social engineering targets people, not systems. Businesses need to adopt the mindset that everyone is responsible for cybersecurity, and unfortunately, these days, everyone is a target.
That's why Human Risk Management and Cyber Awareness Training are critical for building long-term resilience. Organisations should support their teams at every layer of defence, from improving staff awareness through phishing simulation to reinforcing critical policies with policy management.
To stay ahead of these risks, businesses should consider implementing structured cyber training programmes tailored to their workforce.
Or if you'd prefer KubeNet to do the work for you, get started with your free Human Risk Report!