Humans make the best attack vector

A persuasive writing course can be far more valuable to an attacker than advanced coding skills. 

As Managed IT Service providers, if there’s one thing we’ve learned from watching modern cyberattacks evolve, it’s that humans make the best attack vector.  

A report from US-based Security-as-a-Service vendor Proofpoint shows a clear shift: attackers now rely less on automated zero-day exploits and more on manipulating the weakest point in any network, the human.

Humans are vulnerable in cybersecurity for a simple reason: we think, feel, assume, trust, rush, and make mistakes. Attackers know exactly how to exploit those behaviours. 

What attackers are doing now 

Most modern attacks fall into just three buckets: 

  • Convincing users to ignore warnings and run risky code 
  • Tricking people into giving away credentials 
  • Persuading victims to transfer money directly 

Each of those attack methods requires social engineering: the art of persuading someone that you deserve their trust and that they should act on your instructions. 

While the initial data in this article was pulled in 2016, human error remains the weakest link.
We've also added some more recent stats to see how specific trends have shifted over the last decade.

Key findings 

Enterprise Data Loss is Still a People Problem 

2015: Proofpoint found that 99.7% of malicious attachments required user action to succeed, often by convincing users to enable macros or disable security tools. 

2025: 58% of data loss incidents were still caused by the carelessness of employees or third-party contractors, and 1% of users were responsible for 76% of data loss events.

Threat actors target people because it’s easier to deceive a human than bypass modern detection tools. 

Cybercrime Waits for No One 

2015: Proofpoint claimed that most campaigns launch between 9–10am on Tuesdays, rolling across global time zones to hit each region at peak business hours. 

2025: We could find no more recent data on this, but data shows that attacks tend to align with major holidays and events, for example the Tokyo Olympics, where bot traffic increased by 103%.

Defences are lower when your workforce is distracted. 

App Exploits and Inbox Attacks 

2015: Over 12,000 malicious Android apps were downloaded more than 2 billion times from authorised app stores. These apps looked legitimate but carried malware designed to steal data and open backdoors. 

2025: The threat hasn’t gone away, but organisations now see email misuse as the bigger risk. 47% of organisations list it as their top security gap, with the US and Australia leading the concern. Common issues include misdirected emails, wrong attachments, and intentional data exfiltration. 

In both cases, one thing hasn’t changed: humans are the ones enabling the threat.  

From Fake Apps to AI Blind Spots 

2015: Around 40% of large organisations had users installing malicious apps from rogue marketplaces like DarkSideLoader. Attackers often tricked users by offering free versions of paid apps, such as Minecraft, leading them to ignore multiple security warnings and unknowingly install malware. 

2025: With AI now woven into everyday workflows, a new kind of risk has emerged. Agentic workspaces, where humans and AI tools interact with sensitive data, create challenges traditional security wasn’t built for. 

65% of companies already use AI‑enhanced tools to classify data. 44% say their biggest struggle is poor visibility and weak data controls in AI tools. Without proper data classification and strong AI governance, organisations can’t clearly see what sensitive information employees may be feeding into AI applications. 

Plenty of Phish in the Sea

2015: Phishing campaigns using Google Drive, Adobe or Dropbox links generate the highest clickthrough rates, especially when the sender appears to be a known contact. These brand lures are effective because the services are familiar, and users are used to clicking to sign in and view shared content.

2025: Phishing remains the leading attack type. Household names like Microsoft, which intercepts 30 billion phishing attempts in one year, or ~82 million per day, continue to be leveraged by cyber criminals to trick insiders into sharing credentials or installing spyware.

How to protect your organisation 

1. Educate users 
If users don’t click, most attacks fail. Training must encourage healthy suspicion toward links, attachments and unexpected messages, especially when busy. 

2. Enforce strong Group Policy 
Limit what systems, files and applications users and AI can access to contain potential damage. Educate employees on how to safely and sensibly adopt AI.

3. Implement Application Control 
Lock down your environment so only approved applications can run. This dramatically reduces the chance of malware executing in user space. 

4. Use advanced detection solutions 
There are other barriers that can be put into place as well. Platforms like Cisco’s Advanced Malware Protection can identify previously unseen, signatureless threats. 

5. Test your backups regularly 
A backup is only useful if it restores correctly, yet many organisations rarely perform full recovery tests. When was the last time you performed a complete backup test?

It’s good to look back and see how far (or not so far) we’ve come when it comes to cyber security. If you’d like to read Proofpoint’s full 2025 report (we recommend it, it’s insightful and well written) click here.  

© 2026 Computer One Australia.