How phishing attacks exploit human psychology to bypass defenses


Imagine a scenario in which a business professional is finalizing a three-month negotiation with a US marketing executive representing a company aiming to enter the European market. The individual has built a rapport over time, discussing various business details and presenting the partnership as a promising opportunity. Just before the anticipated contract signing, the “client” sends a zip file containing what they claim are essential materials to initiate the work.

Eager to proceed, the recipient downloads and attempts to open the file immediately. Upon doing so, the computer is locked entirely, signaling that this was no ordinary document. It quickly becomes evident that this is a phishing attack, designed to compromise the user’s system and extract valuable information. Within minutes, passwords, social media credentials, and internal accounts are taken over, locking the user out of their own systems.

The attackers had carefully constructed a scenario that leveraged trust, a sense of urgency, and the appearance of professionalism. This incident was one of the cases that highlighted the risks of social engineering during a panel at the recent Cyber Security Summit – Cyberfy in Belgrade. At the event, cybersecurity experts examined how phishing and other social engineering tactics exploit human weaknesses rather than technical vulnerabilities.

Cyber Security Summit – Cyberfy

One of the central points was how social engineering relies on human psychology to succeed. According to psychologist Ina Poljak, susceptibility to these attacks is not necessarily tied to one’s technical skills.

People of all backgrounds, from tech novices to IT experts, can fall prey due to factors like decision fatigue, stress, or even misplaced trust in familiar names and logos. Many people click harmful links not out of ignorance but simply because they are overwhelmed by digital decision-making—something attackers are all too ready to exploit.


“People who work closely with technology every day face constant digital stimuli and make frequent decisions. Over time, this leads to a phenomenon known as *decision fatigue*, where the brain, though still functioning, becomes mentally exhausted. In this fatigued state, it’s easy to click on a harmful link—not out of carelessness, but simply because it’s the end of the day and focus has worn thin,” Poljak explains.

Phishing remains the most common form of social engineering, primarily because it targets emotions and takes advantage of common human responses to authority and urgency. Marko Gulan, an independent cybersecurity consultant, shared the real-world example described at the beginning of this article: a sophisticated phishing scheme that targeted a member of his family.

The outcome was devastating, with passwords and social media accounts compromised and several sleepless days required to restore security.

As Poljak highlighted, social engineering strategies often exploit the “halo effect,” in which the presence of an authoritative logo or a familiar name can override our critical thinking. She points out that people are more likely to respond to phishing emails that appear to come from a reputable source, such as a bank or government institution, especially when those emails induce fear or urgency.

What makes social engineering particularly dangerous is its adaptability and the availability of advanced technology. Zoltan Szalai, a regional sales manager for Thales, explained that deepfake technology is adding a new level of sophistication to social engineering attacks.

By using AI-generated audio or video to mimic a trusted individual, attackers can manipulate their targets with striking realism. While current technology often reveals subtle glitches in deepfakes, Szalai warned that as deepfake technology improves, these attacks will only grow harder to detect.


“First, there’s the psychological manipulation behind social engineering attacks, which exploit human tendencies and biases. Second, attackers now have access to advanced technologies and tools that make these tactics even more convincing. For instance, attackers often use deepfake techniques—altering voices, faces, or videos to closely resemble a trusted individual. This tactic helps them create a convincing illusion of authenticity, building trust and making the target believe they’re in a secure environment,” Szalai emphasizes.

The experts at Cyberfy also emphasized that awareness is the first line of defense against social engineering. As attackers use increasingly complex psychological tricks, organizations must invest in regular training to help employees recognize and respond to phishing attempts and other manipulative tactics. Finally, they stressed the importance of educating not just cybersecurity professionals but all employees about these evolving threats.
