Social Engineering. Examining the Most Vulnerable Part - Humans

Security

Feb 28, 2025


Cyber threats are constantly evolving, yet one thing remains true: human error is still the primary attack vector. Studies show that 74% of security incidents involve a human element – often a mistake or manipulation [1]. In other words, even the best technology can be undone by a single click on a bad link. This makes employees and leaders the most critical line of defense.

Understanding Social Engineering & Red Teaming

Red Teaming is a proactive security exercise where experts simulate real-world attacks on your business – not just technical hacks, but the full spectrum of tactics a malicious actor might use. The goal is to test your defenses end-to-end, finding weaknesses before real attackers do. A core part of these simulations is social engineering: exploiting human trust and habits to gain unauthorized access.

In practice, attackers often target highly privileged users (including but not limited to admins or executives) through deceptive means:

  • Phishing – fraudulent emails or social messages that trick people into clicking malicious links or revealing credentials.
  • Vishing – voice calls that impersonate trusted parties (e.g. "IT support" or a bank) to con employees into sharing secrets or codes.
  • Other manipulations – from fake text messages to in-person tricks, all aimed at bypassing technical security by targeting people.

These methods prey on human nature and can be very difficult to detect. A well-crafted phishing email or convincing phone scam can slip past spam filters and other defenses. Once an attacker fools someone on your team, the consequences can be severe – think stolen data, fraudulent transfers, or entry into your internal network. In short, social engineering attacks take advantage of the trust we place in our systems and coworkers, making them especially dangerous if untested.

The Rising Sophistication of Cyber Attacks

As technology improves, so do the tactics of cyber attackers. Modern hackers combine technical skills with psychological deception, creating highly sophisticated attack vectors that target human weaknesses. Two recent high-profile cases illustrate this evolution:

  • WazirX Exchange Hack (2024): A leading crypto exchange in India lost about $235 million when attackers compromised multiple highly privileged users. By phishing key team members, the hackers gained control of three WazirX devices and tricked those users into signing off on a malicious transaction, draining a multisig wallet [2]. Even with robust security systems in place, the human element was exploited to bypass protections.
  • Bybit Cold Wallet Heist (2025): In one of the largest crypto hacks to date, Bybit suffered a $1.4 billion theft. After first compromising Safe{Wallet} cloud infrastructure and wallet front-end code [0], attackers leveraged social engineering to entice key Bybit personnel into authorizing a fraudulent smart contract change as part of a highly targeted attack. This allowed hackers to empty the wallet while everything appeared normal to the victims [3].

What do these incidents have in common? Both show that advanced breaches often start by targeting people, not just software. Attackers leverage psychological manipulation alongside code and infrastructure-level attacks, particularly when gaining initial access to organizations. This trend of human-focused attacks is rising, and no industry is immune.

It's a wake-up call: even the best tech defenses can be undone by a single well-crafted con.

Entry Points Matter

How did these breaches happen in the first place? In both the WazirX and Bybit cases – which occurred just months apart, with almost $2 billion in losses combined – all evidence points to a common origin: a compromised user interface or process that fooled people into letting the intruder inside. In simple terms, the attackers found a human-facing entry point and walked right through it.

Common weak entry points that attackers exploit include:

  • Phishing Links (Email or SMS): A seemingly harmless email from "IT support" or a text about an urgent account issue can lure an employee to a fake login page. One click, and the attacker has their credentials or installs malware.
  • Malicious Browser Extensions or Websites: An unofficial Chrome/Edge plugin or a visit to an infected website can secretly hijack what users see. For instance, it might alter the interface of a finance or wallet app in real time (as likely happened in the Bybit case), misleading employees into approving something harmful.
  • Mobile Device Compromise: Smartphones are a treasure trove of corporate access (emails, authenticator apps, messaging). Targeted malware on iOS/Android could eavesdrop on calls, read messages, or even display fake prompts, opening the door for attackers. Our CISO Ruben Muradyan uncovered multiple state-sponsored attacks that were well described in The Citizen Lab report.
  • Stolen or Weak Credentials: Attackers also hunt for leaked passwords or use social engineering to trick someone into divulging their login info. A reused corporate password found in a past data breach, or an admin who unwittingly shares a VPN login, can become the initial foothold for a breach.
  • Third-Party App Scams: Business tools like code repositories (e.g. GitHub), cloud infrastructure, or project management apps can be entry points. An engineer might be tricked into running a poisoned code snippet from a public repo, or an executive might approve an OAuth request from a fraudulent "productivity app" that actually siphons data.

Each of these entry points is essentially a human door into your company. Attackers will knock on all of them to see which opens. The WazirX and Bybit hacks suggest that something as small as a phony UI prompt or a single clicked link can cascade into a multi-million dollar disaster. This is why shoring up these entry points is paramount.

Fortify Your Perimeter

Traditional security software solutions are crucial, but they cannot catch every trick in an attacker's playbook – especially the ones targeting your people. To truly secure your operations, you need to fortify the human perimeter of your organization. This means proactively finding and fixing the human vulnerabilities before a real attacker exploits them.

The good news: limiting the risk of human entry points is possible. How? By rigorously testing and training your team. This is where red teaming with social engineering comes in. We conduct safe, controlled simulations of attacks (like custom-tailored phishing emails, phone scams, or bait scenarios) to see how your employees respond. These simulations have been refined by years of cybersecurity research and real-world data, making them highly realistic.

When we run these exercises, two things happen:

  1. We identify weak spots – maybe certain departments click on links too quickly, or perhaps executives are oversharing information publicly. Every failure in the simulation is a learning opportunity, not a punishment.
  2. We emulate real threat actors – if in-scope – and show what is possible after gaining initial access by following through with tailored post-exploitation and privilege escalation attacks.
  3. We strengthen your team's awareness – by experiencing these ploys firsthand in a no-risk setting, your employees and security team become much better at spotting and resisting real attacks. It's the difference between reading about a con and actually almost falling for one; the lesson sticks.

Think of it as a fire drill for cyber threats. You wouldn't wait for a real fire to test your smoke alarms; similarly, don't wait for a real breach to test your people. Proactive red team engagements help ensure that when a genuine phishing email or scam attempt hits your organization, your team will recognize the danger and know how to handle it.

In short, we help turn your humans from potential liabilities into a strong first line of defense.

Tailored to Your Business Needs

One size does not fit all when it comes to security testing. Your company's culture, industry, and tech stack are unique – so your security approach should be as well. We believe in a customized strategy for each client. Before we even think about phishing your team, we do our homework through comprehensive Open-Source Intelligence (OSINT) gathering.

This OSINT phase is like reconnaissance: we scour public sources to map out things an attacker could learn about your organization, such as:

  • Organizational Structure: Who are your key executives and admins? What are their roles and public profiles (X, LinkedIn, press releases, etc.)? Knowing this helps craft convincing targeted scams (e.g., an email that appears to come from the CFO to the finance team).
  • Technology Stack & Processes: What software and platforms does your team rely on? For example, if you use Office 365 and Slack, attackers might send a fake OneDrive share link or a spoofed Slack message. We catalog these details to make our simulations realistic.
  • Public Exposure: Are any employee emails or passwords floating around the web from past leaks? Do team members post work details on social media? We compile these tidbits – like phone numbers, project names, vendor relationships – because hackers certainly will.
  • Physical & Network Footprint: Even things like office addresses, keycard systems, or Wi-Fi network names can be found online. An attacker might, say, tailgate into your office lobby or set up a rogue Wi-Fi near HQ. We consider these angles, too, if they are in scope.

After gathering this intelligence, we design custom attack flows tailored to your environment. If you have a specific high-value asset (say a financial database or a crypto wallet), we simulate how an attacker might target the people with access to that asset. The result is a red team exercise that feels authentic and relevant to your employees – not a generic, out-of-the-box test. This tailored approach not only uncovers hidden vulnerabilities but also resonates more with your team, driving the lessons home. They'll recognize scenarios from their daily work, which reinforces the training's effectiveness.

Invest in a Secure State of Mind

At the end of the day, investing in security awareness and testing is an investment in peace of mind. For executives and founders, it's about knowing you've done everything possible to protect your company's operations and reputation. Breaches have real business impacts – financial loss, legal ramifications, customer trust damage – but these risks can be proactively mitigated.

Think of security training and red teaming not as expenses, but as strategic investments that strengthen your organization. Just as you conduct regular safety drills or refine business processes for efficiency, preparing your team for cyber threats is smart business. It fosters a culture where security is everyone's responsibility – often your strongest line of defense.

Ready to fortify your human defenses?

We offer a free consultation to assess your needs and propose a tailored security testing program for your company. Don't wait for a news-making hack to take action.

Get a Quote and let's discuss how to put your company one step ahead of threat actors. Together, we'll build an enterprise where every member – from the CEO to the newest hire – is vigilant and prepared against evolving cyber threats.