Why Social Engineering Cyber Attacks Demand Staff Training

Social engineering attacks have been in the news over the past few months, whether that’s Phishing, Vishing or the other myriad ways that the human element can be manipulated.

Arup – Vishing | Co-op – Phishing | M&S – Phishing | Ferrari - Whaling

Exploiting human psychology is not a new concept, marketeers have been doing this for over a century to get us to purchase products. However, exploiting human behaviour as a cyber tool started in the mid-90s and has evolved significantly over the years, adapting to technological advancements and becoming more sophisticated.

The National Cyber Security Centre (NCSC) reports that as of June 2025 it has had 43,000,000 scams reported, resulting in 225,000 scams being removed across 405,000 url’s*.

What is Social Engineering?

Social engineering involves manipulating individuals into divulging confidential information or performing actions that compromise security. These attacks often come in the form of phishing emails, fraudulent phone calls, or even in-person deception like vishing. The goal is to trick employees into revealing passwords, clicking malicious links, or granting access to restricted systems.

Unlike traditional cyberattacks, social engineering doesn’t rely on breaking through firewalls or cracking encryption. Instead, it targets the weakest link in any security system: people.

The Risks to Businesses

The consequences of a successful social engineering attack can be devastating. From data breaches and financial loss to reputational damage, legal repercussions, and the deeply personal human cost to the leadership teams and employee’s, the fallout can be severe and long-lasting.

Recent data paints a stark picture:

• 442% increase in social engineering and stolen credential attacks was recorded in the second half of 2024 alone **.
• 98% of cyberattacks now rely on some form of social engineering ***
• 91% of cyberattacks begin with a phishing email ***
• 40% of employees have clicked on a phishing link, unaware of its malicious intent ***
• The average cost of a data breach involving social engineering is $4.45 million (approx. £3.52 million GBP) ***

These figures highlight the scale and sophistication of the threat. Even organisations with advanced technical defences are vulnerable if their staff are not adequately trained.

Why Staff Training is Essential

Technology alone cannot protect against social engineering. Firewalls and antivirus software is powerless if an employee unknowingly hands over their login credentials to a convincing scammer. This is why comprehensive staff training is not just beneficial, it’s essential.

Training should focus on:

• Recognising common tactics: Employees must be able to identify phishing emails, suspicious links, and unusual requests.
• Understanding the consequences: Real-world examples help illustrate the potential damage caused by a lapse in judgement.
• Practising safe behaviour: Regular simulations and drills can reinforce good habits and keep security top of mind.
• Encouraging a security-first culture: Staff should feel empowered to question suspicious activity and report potential threats without fear of reprimand.

Building a Human Firewall

Ultimately, the goal is to turn your workforce into a “human firewall” a first line of defence against social engineering. This requires ongoing education, clear policies, and a culture that prioritises cybersecurity at every level of the organisation.

As cyber criminals become more cunning, the ability of your employees to spot and stop social engineering attacks could be the difference between business as usual and a catastrophic breach.

How Kyocera’s Managed Phishing Defence Can Help

While staff training is essential in building a human firewall, organisations also need robust, proactive tools to reinforce that training and provide real-time protection. Kyocera’s Managed Phishing Defence (MPD) is designed to do exactly that.

This fully managed service helps mitigate the risks of social engineering by combining advanced threat detection with continuous employee education. It includes:

• Simulated phishing campaigns tailored to your organisation, helping staff recognise and respond to real-world threats.
• Automated reporting and analytics to identify vulnerable users and track improvements over time.
• Real-time threat intelligence to stay ahead of evolving phishing tactics.
• Ongoing awareness training to reinforce best practices and keep cybersecurity top of mind.

By integrating Kyocera’s Managed Phishing Defence into your security strategy, you not only do you significantly reduce the likelihood of successful attacks but also foster a culture of vigilance and accountability. It’s a powerful complement to your technical defences and a critical step in turning your workforce into a resilient first line of defence.

According to a KnowBe4 2025 report, implementing Security Awareness Training (SAT) program such as Kyocera’s MPD, leads to a dramatic reduction in phishing risk: Phishing click rates dropped from 33.1% to just 4.1% over a 12-month period. ****

*  https://www.ncsc.gov.uk/collection/phishing-scams

** https://www.crowdstrike.com/en-us/

*** https://gitnux.org/social-engineering-attacks-statistics/

**** https://cyberinsurancenews.org/phishing-training-knowbe4-report-2025/