Cybersecurity in 2026 | Why Employees Are Still Your Biggest Cyber Risk

According to the UK Government’s Cyber Security Breaches Survey 2025, 93% of UK businesses and 95% of charities experienced phishing attacks in the past year, up from 84% in 2024.

Even with better tools, smarter technology and stronger defences, people remain the most common way cybercriminals gain access to a business.

It is clear that despite years of awareness campaigns and improved filtering tools, the human element is still the weakest link in the cybersecurity chain.

Why People Are Still The Primary Target

Cybercriminals don’t need to break in if someone opens the door for them. Modern attacks now focus less on code and more on psychology, using social engineering to manipulate people into handing over access.

That’s why so many breaches still begin with a single, simple action: clicking a link, approving an MFA prompt the user did not trigger, or opening what looks like a normal attachment. Attackers know that it’s often easier, faster and cheaper to trick a person than to break through a system’s defences.

And the truth is, people make mistakes. We all do...

Maybe someone had a late night and isn’t thinking clearly.

Maybe they’re under pressure to meet a deadline, juggling too many emails at once.

Maybe their security training was a few years ago and the latest scams look more convincing than ever.

Or maybe, in that split second of distraction, they simply clicked before thinking.

Cybercriminals understand this better than anyone.

They rely on human moments like these. Every small lapse is a potential doorway, and there are countless ways they can take advantage of it. Whether it’s a fake invoice from a supplier, a convincing Microsoft sign-in page, or an urgent message claiming to be from “the boss,” all it takes is one click at the wrong time.

Phishing, impersonation and credential theft continue to succeed because they exploit everyday human behaviour: trust, distraction and routine.

The attackers aren’t just sending random emails; they’re crafting believable scenarios designed to catch people when they’re tired, rushed or simply doing their job.

How Attackers Exploit Human Behaviour

Phishing and Business Email Compromise

Phishing emails today are convincing. Attackers use real branding, genuine names from LinkedIn and professional language. They time them perfectly, sending them during busy periods such as month-end or payroll runs.

Business Email Compromise (BEC) takes this further. Criminals either spoof a real mailbox (a lookalike domain, or a familiar display name on an external address) or hijack a legitimate one, then use it to request payments, change bank details or share links that harvest credentials. On the surface it all looks genuine, which is why any payment or bank-detail change should be confirmed through a channel other than the email that asked for it.
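The checks below, added here as an example and not code from the original article or from The HBP Group, show what automated BEC triage looks like over four constructed messages: a lookalike sender domain, a protected display name on an external address, a Reply-To that points somewhere other than the sender’s domain, and payment-change language in the body. The internal domain, protected names, keyword list and edit-distance threshold are assumptions made for the example.

```python
"""
Added example: header and content checks for Business Email Compromise.

Internal domain, protected display names, keywords and the four sample
messages are constructed for this example; the checks mirror what a mail
gateway rule or a SOC triage script does, not any specific product.
"""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}              # constructed: the organisation's own domain
PROTECTED_NAMES = {"jane smith", "tom brown"}   # constructed: leadership/finance names worth impersonating
PAYMENT_KEYWORDS = ("bank details", "change of account", "sort code",
                    "urgent payment", "wire transfer")
LOOKALIKE_MAX_EDITS = 2                         # assumed tuning value

SAMPLE_MESSAGES = [
    # 1. Lookalike domain (digit 1 for letter l) + protected name + payment-change request
    'From: "Jane Smith" <jane.smith@examp1e.com>\n'
    "To: accounts@example.com\n"
    "Subject: Supplier payment\n"
    "\n"
    "Please update the bank details for Acme Ltd before the month-end payroll run.\n",
    # 2. Protected display name on a free-mail address, classic "are you at your desk?" opener
    'From: "Jane Smith" <janesmith.ceo@webmail.test>\n'
    "To: tom.brown@example.com\n"
    "Subject: Quick favour\n"
    "\n"
    "Are you at your desk? I need a quick favour and cannot take calls right now.\n",
    # 3. Genuine internal mail: nothing should fire
    'From: "Jane Smith" <jane.smith@example.com>\n'
    "To: tom.brown@example.com\n"
    "Subject: Q3 figures\n"
    "\n"
    "Attached are the Q3 figures for review before Thursday.\n",
    # 4. Supplier mailbox with replies diverted to a different domain + new bank details
    'From: "Acme Accounts" <accounts@acme-supplier.test>\n'
    "Reply-To: accounts@acme-supplier-billing.test\n"
    "To: accounts@example.com\n"
    "Subject: Updated remittance details\n"
    "\n"
    "Our sort code and account number have changed, please use the new details on the attached invoice.\n",
]


def levenshtein(a, b):
    """Plain edit distance; the strings here are short enough to skip a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Parse one RFC 822 message and return the BEC indicators it trips."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(addr), domain_of(reply)
    body = (msg.get_payload() if not msg.is_multipart() else "").lower()

    flags = []
    # 1. Sender domain is within a couple of edits of our own domain but is not ours
    if from_domain not in INTERNAL_DOMAINS and any(
            levenshtein(from_domain, d) <= LOOKALIKE_MAX_EDITS for d in INTERNAL_DOMAINS):
        flags.append("lookalike_domain")
    # 2. A protected person's display name on an address outside the organisation
    if name.strip().lower() in PROTECTED_NAMES and from_domain not in INTERNAL_DOMAINS:
        flags.append("display_name_impersonation")
    # 3. Replies are silently routed to a different domain than the visible sender
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")
    # 4. The body asks for money or a change of payment details
    if any(k in body for k in PAYMENT_KEYWORDS):
        flags.append("payment_request")

    # Payment language combined with any identity indicator is the dangerous case
    if "payment_request" in flags and len(flags) > 1:
        severity = "high"
    elif flags:
        severity = "medium"
    else:
        severity = "none"
    return {"sender": addr, "display_name": name, "flags": flags, "severity": severity}


if __name__ == "__main__":
    for result in map(score_message, SAMPLE_MESSAGES):
        print(f'{result["severity"]:6} {result["sender"]:35} {result["flags"]}')
```

A message that trips only `payment_request` is still worth a medium rating: that is exactly the mail whose bank-detail change should be confirmed by phone on a number already on file, not one taken from the email.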

MFA Fatigue and Login Approvals

Multi-factor authentication (MFA) is effective, but attackers now exploit human behaviour around it. Once they hold a valid password, they trigger push notifications over and over, often at inconvenient hours, until the user finally taps approve just to stop the noise. One wrong approval completes the sign-in and gives the attacker the same access that user has. Number matching (the user must type a code shown on the sign-in screen into the authenticator app) or phishing-resistant methods such as FIDO2 security keys and passkeys remove the blind “approve” button entirely, and a burst of prompts against one account is itself a signal worth alerting on.
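As an added example (not code from the original article or from The HBP Group), the script below runs the detection logic a SOC would want for this pattern over a constructed sign-in log: it counts push prompts per user inside a sliding window, raises a high-severity alert when a burst is followed by an approval, and a medium-severity alert when the user held out, because the attacker still has a working password. The log format, event names, threshold and window are assumptions for the example; real identity providers export their own schema, so only `parse_line()` would need adapting. The 02:11 UTC burst in the sample is deliberately out of hours.

```python
"""
Added example: flag MFA-fatigue bursts in identity-provider sign-in logs.

The log format (timestamp, user, event, source IP per line), the event
names and the two tuning values are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

PROMPT_THRESHOLD = 5    # assumed tuning value: prompts inside the window that make a burst
WINDOW_SECONDS = 600    # assumed tuning value: 10-minute sliding window

# Constructed sample log: alice is bombarded at 02:00 and eventually approves,
# bob is a normal sign-in, carol is bombarded but keeps denying.
SAMPLE_LOG = """\
2025-11-03T02:11:04Z alice@example.com MFA_PUSH_SENT 203.0.113.7
2025-11-03T02:11:31Z alice@example.com MFA_PUSH_SENT 203.0.113.7
2025-11-03T02:12:02Z alice@example.com MFA_PUSH_SENT 203.0.113.7
2025-11-03T02:12:40Z alice@example.com MFA_PUSH_SENT 203.0.113.7
2025-11-03T02:13:15Z alice@example.com MFA_PUSH_SENT 203.0.113.7
2025-11-03T02:13:55Z alice@example.com MFA_PUSH_SENT 203.0.113.7
2025-11-03T02:14:21Z alice@example.com MFA_APPROVED 203.0.113.7
2025-11-03T08:59:10Z bob@example.com MFA_PUSH_SENT 198.51.100.23
2025-11-03T08:59:18Z bob@example.com MFA_APPROVED 198.51.100.23
2025-11-03T22:40:00Z carol@example.com MFA_PUSH_SENT 203.0.113.9
2025-11-03T22:40:20Z carol@example.com MFA_DENIED 203.0.113.9
2025-11-03T22:40:45Z carol@example.com MFA_PUSH_SENT 203.0.113.9
2025-11-03T22:41:10Z carol@example.com MFA_PUSH_SENT 203.0.113.9
2025-11-03T22:41:40Z carol@example.com MFA_PUSH_SENT 203.0.113.9
2025-11-03T22:42:05Z carol@example.com MFA_PUSH_SENT 203.0.113.9
2025-11-03T22:42:30Z carol@example.com MFA_DENIED 203.0.113.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, event, ip


def _alert(user, burst, denials, severity, approved_at):
    return {
        "user": user,
        "severity": severity,
        "prompts": burst["prompts"],
        "denied": denials,
        "source_ips": sorted(burst["ips"]),
        "burst_start": burst["first"].isoformat(),
        "approved_at": approved_at.isoformat() if approved_at else None,
    }


def detect_mfa_fatigue(log_text, threshold=PROMPT_THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts for users who received a burst of push prompts.

    'high'   : the burst was followed by an approval (likely account compromise).
    'medium' : nobody approved, but the attacker clearly has a valid password.
    """
    recent = defaultdict(deque)   # user -> (timestamp, ip) of prompts still inside the window
    denied = defaultdict(int)     # user -> denials seen since the last alert
    bursts = {}                   # user -> details of an unresolved burst
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, event, ip = parse_line(line)
        q = recent[user]
        while q and (when - q[0][0]).total_seconds() > window:   # slide the window
            q.popleft()

        if event == "MFA_PUSH_SENT":
            q.append((when, ip))
            if len(q) >= threshold:
                bursts[user] = {"first": q[0][0], "last": when,
                                "prompts": len(q), "ips": {i for _, i in q}}
        elif event == "MFA_DENIED":
            denied[user] += 1
        elif event == "MFA_APPROVED":
            b = bursts.get(user)
            if b and (when - b["last"]).total_seconds() <= window:
                alerts.append(_alert(user, b, denied[user], "high", when))
                bursts.pop(user)
                q.clear()
                denied[user] = 0

    for user, b in bursts.items():          # bursts the user never approved
        alerts.append(_alert(user, b, denied[user], "medium", None))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

The medium alert is the one that is easy to neglect: carol did the right thing, but the password used to trigger those prompts is compromised and should be reset before the next attempt lands at a worse moment.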

Social Engineering and Impersonation

Attackers research businesses like professional marketers. They study websites, staff pages and company announcements to understand roles and tone of voice. Then they pose as IT support, a supplier or a senior leader to build trust.

It might start as a simple question, such as “Can you confirm this invoice?”, but one answered question can become the foothold an attacker uses to gain deeper access.

Insider Mistakes and Everyday Errors

Not all breaches involve malicious intent. Many are caused by honest mistakes: reusing passwords, sending sensitive data to the wrong person, saving work files on personal devices, or falling for a simple but realistic scam.

These small moments are easy to miss but can have serious consequences.

Why This Problem Is Growing

The way we work has changed. Remote and hybrid working have expanded the digital perimeter, giving staff access to systems from homes, cafes and mobile devices. Each new connection is a potential entry point.

At the same time, attackers have become more sophisticated. AI tools can now generate personalised phishing messages that mimic writing styles, tone and company language. It’s no longer about spotting bad grammar or strange wording because many phishing emails today look completely authentic.

Add to this the growing skills gap in cybersecurity and stretched IT resources, and it’s clear why human-targeted attacks are increasing. The weakest point isn’t the technology, it is how people use it.

Another growing concern is timing. Many cyberattacks now occur outside normal working hours, taking advantage of the fact that systems are still running but people are not. Attackers know that tired, distracted or unavailable staff are less likely to spot suspicious activity until it is too late.

In our related article, Why Out-of-Hours Attacks Are the #1 Growing Threat, we explore how criminals use automation and social engineering to exploit these quiet periods and what your business can do to stay protected 24/7.

The Real Cost Of Human Error

According to the IBM 2024 Cost of a Data Breach Report, breaches caused by human error or social engineering take the longest to detect and contain: IBM’s figures put the average at 298 days, compared with 204 days for breaches that start from a technical vulnerability.

That delay is expensive. Lost productivity, data recovery costs, regulatory fines and reputational damage can continue for months after the initial breach. For small businesses, a single mistake can be enough to cause lasting financial harm.

Even a single click on a bad link can be the start of a ransomware attack: the attacker quietly moves through the network and harvests credentials for days or weeks, and the encryption that takes whole systems offline is only the final, visible step.

How To Reduce The Human Risk

Technology can help, but people need to be part of the defence. Awareness, culture and leadership all play a role in reducing human error.

1. Build Awareness
Regular training helps staff recognise threats and understand how to respond. Phishing simulations and short monthly refreshers are far more effective than annual tick-box sessions.

2. Simplify Security
When tools are too complex, people find workarounds. Use password managers, single sign-on and multi-factor authentication that work smoothly in the background, and prefer phishing-resistant MFA (FIDO2 security keys or passkeys) over plain push approvals wherever you can.

3. Lead By Example
If leadership treats cybersecurity as a priority, staff will too. Every policy or process should be visible from the top down.

4. Test and Review Regularly
Behaviour changes over time. Run simulations, update training materials and review access policies at least twice a year to keep security awareness current.

From Awareness To Action

Building a culture of cyber awareness isn’t about blaming mistakes, it is about preventing them.

When the right mix of awareness, cyber training, leadership and technology work together, your people stop being your biggest risk and become your strongest defence.

However, human risk is only one part of the bigger security picture. True resilience comes from combining strong processes, smart monitoring and a clear recovery plan.

Get Support From The HBP Group

From phishing simulations and cyber training, to full recovery planning and managed security services, our experts can help you strengthen your cyber resilience.

If you want to improve awareness, reduce risk and protect your business from modern cyber threats, we’re here to help.

Discuss Your Cyber Security