{"id":19672,"date":"2026-01-12T16:58:55","date_gmt":"2026-01-12T16:58:55","guid":{"rendered":"https:\/\/bitunikey.com\/news\/why-cant-companies-stop-social-engineering-attacks-opinion\/"},"modified":"2026-01-12T16:59:12","modified_gmt":"2026-01-12T16:59:12","slug":"why-cant-companies-stop-social-engineering-attacks-opinion","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/why-cant-companies-stop-social-engineering-attacks-opinion\/","title":{"rendered":"Why can\u2019t companies stop social engineering attacks? | Opinion"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<div class=\"cn-block-disclaimer\">\n<p class=\"cn-block-disclaimer__content\">\n            Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of crypto.news\u2019 editorial.        <\/p>\n<\/div>\n<p>Over the past year, most of the biggest exploits in crypto have had the same root cause: people. 
In the past several months alone, Ledger <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.theblock.co\/post\/369893\/ledger-warns-halt-onchain-transactions-massive-npm-supply-chain-attack?utm_source=chatgpt.com\">urged<\/a> users to pause on-chain activity after npm maintainers were duped and malicious packages propagated; Workday disclosed a social-engineering campaign that accessed data in a third-party CRM; and North Korea\u2013linked operators <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/sustainability\/boards-policy-regulation\/north-korean-cyber-spies-created-us-firms-dupe-crypto-developers-2025-04-24\/?utm_source=chatgpt.com\">continued<\/a> fake-job lures against crypto teams to deliver malware.<\/p>\n<div id=\"cn-block-summary-block_75db76c02b08e42b0e2093e82d8df388\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Crypto isn\u2019t being hacked \u2014 it\u2019s being talked into giving itself away. Most breaches now come from phishing, fake updates, and impersonation, not broken code, making \u201cpeople\u201d the primary attack surface.<\/li>\n<li>Programmable money turns small mistakes into catastrophic losses. A single leaked key or approved request can drain funds instantly and irreversibly, making social engineering a systemic risk, not a user error.<\/li>\n<li>Until operational security is treated like core infrastructure, exploits will keep scaling. Audits and code reviews can\u2019t stop human deception \u2014 only enforced device, access, and training standards can.<\/li>\n<\/ul><\/div>\n<\/div>\n<p>Despite billions spent on cybersecurity, companies keep getting beaten by simple social engineering. 
Teams pour money into technical safeguards, audits, and code reviews while neglecting operational security, device hygiene, and basic human factors. As more financial activity moves on-chain, that blind spot becomes a systemic risk to digital infrastructure.<\/p>\n<p>The only way to slow the surge of social-engineering attacks is a broad, sustained investment in operational security that reduces the payoff of these tactics.<\/p>\n<h2 class=\"wp-block-heading\">Social engineering is the Achilles\u2019 heel of cybersecurity<\/h2>\n<p>Verizon\u2019s 2025 Data Breach Investigations <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\">Report<\/a> ties the \u201chuman element\u201d of cybersecurity (phishing, stolen credentials, and everyday mistakes) to roughly 60% of data breaches.<\/p>\n<p>Social engineering works because it targets people, not code, exploiting trust, urgency, familiarity, and routine. These attacks cannot be eliminated by a code audit and are hard to block with automated security tooling alone. Code review and other common cybersecurity practices can\u2019t stop an employee from approving a fraudulent request that looks like it came from a manager, or from installing a fake Zoom update that looks legitimate.<\/p>\n<p>Even highly technical teams get caught; human weakness is universal and stubborn. As a result, social engineering continues to drive real-world incidents.<\/p>\n<h2 class=\"wp-block-heading\">Crypto raises the stakes<\/h2>\n<p>Programmable money concentrates risk. In web3, compromising a seed phrase or an API token can be equivalent to breaching a bank vault. The irreversible nature of crypto transactions amplifies mistakes: once funds move, there is usually no way to reverse the transaction. A single lapse in device security or key handling can wipe out assets. 
Web3\u2019s decentralized design means there is often no help desk to reach out to, leaving users to fend for themselves.<\/p>\n<p>Attackers, including state-backed groups, have noted the effectiveness of social engineering and adapted accordingly. Operations attributed to North Korea\u2019s Lazarus Group lean heavily on social engineering: fake job offers, poisoned PDFs, malicious packages, and tailored phishing that prey on human vulnerabilities.<\/p>\n<p>These attacks are startlingly effective and simple to execute, and tech companies seem unable to defend against them. A zero-day exploit is patched once it is discovered, forcing attackers to find a new technique; the same social engineering playbook keeps working campaign after campaign, so attackers spend more time attacking and less time on R&amp;D.<\/p>\n<h2 class=\"wp-block-heading\">Companies need to invest in operations security<\/h2>\n<p>Too many organizations still treat security as a compliance exercise \u2014 an attitude reinforced by permissive regulatory standards. Companies routinely pass audits and publish spotless reports even while harboring glaring operational risks: administrator keys stored on personal laptops, credentials shared over chat and email, stale access privileges that never rotate, and travel laptops repurposed as development machines.<\/p>\n<p>Fixing this failure of discipline requires explicit, enforced operational security. Teams should use managed devices, strong endpoint protection, and full-disk encryption; company logins should go through a password manager and phishing-resistant MFA (FIDO2 security keys or passkeys, which are bound to the real origin and cannot be replayed from a lookalike site); and administrators should enforce least privilege and review access regularly. 
These controls are not a catch-all, but they make social engineering attacks harder to carry out and limit the damage when one succeeds.<\/p>\n<p>Most importantly, teams need to invest in operational security training; employees (not cybersecurity teams) are the first line of defense against social engineering attacks. Companies should spend time training their teams to spot likely phishing attacks, practice safe data hygiene, and understand operational security practices.<\/p>\n<p>Critically, we can\u2019t expect organizations to adopt hardened cybersecurity postures voluntarily; regulators must step in and set enforceable operational baselines that make real security non-optional. Compliance frameworks should move beyond documentation and require demonstrable proof of secure practices: verified key management, periodic access reviews, endpoint hardening, and simulated phishing readiness. Without regulatory teeth, the incentive will always favor optics over outcomes.<\/p>\n<h2 class=\"wp-block-heading\">Social engineering is only getting worse<\/h2>\n<p>It\u2019s critical to invest in operational security now because the rate of attacks is growing rapidly.<\/p>\n<p>Generative AI has changed the economics of deception. Attackers can now personalize, localize, and automate phishing at an industrial scale. Campaigns that once focused on a single user or enterprise can now target thousands of businesses at little extra cost. A phishing email can be personalized in a few clicks, incorporating personal details that make a spoofed message feel legitimate.<\/p>\n<p>AI also accelerates reconnaissance. 
Public footprints, leaked credentials, and open-source intelligence can be mined and assembled into \u201cbriefs\u201d on each victim, helping attackers craft deeply convincing lures.<\/p>\n<h2 class=\"wp-block-heading\">Slowing the rate of attacks<\/h2>\n<p>Social engineering thrives where implicit trust and convenience override verification and prudence. Organizations need to adopt a more defensive posture and (correctly) assume that they are under constant threat of a social engineering attack.<\/p>\n<p>Teams should adopt zero-trust principles in daily operations and build operational security into every part of the company. They should train employees on operational security to stop attacks early and keep their teams up to date on the latest social engineering tactics.<\/p>\n<p>Most importantly, companies need to find where implicit trust still lives in their operations (wherever an attacker can impersonate an employee, a piece of software, or a customer) and add explicit verification there.<\/p>\n<p>Social engineering will not disappear, but we can make it far less effective and far less catastrophic when attacks occur. As the industry hardens itself against these attacks, social engineering will become less lucrative for attackers, the rate of attacks will drop, and this breathless cycle of exploits can finally come to an end.<\/p>\n<div class=\"cn-block-author author-card\">\n<div class=\"author-card__content\">\n<div class=\"author-card__name\">\n                Jan Philipp Fritsche            <\/div>\n<div class=\"author-card__bio\">\n<p><span style=\"font-weight: 400;\">Dr.<\/span><b> Jan Philipp Fritsche<\/b><span style=\"font-weight: 400;\"> is the managing director of Oak Security, a cybersecurity firm specializing in web3 audits. Prior to his role at Oak Security, Dr. 
Fritsche amassed extensive experience in econometric and risk modeling, holding positions at institutions such as the European Central Bank and DIW Berlin. He holds a Ph.D. in Economics from Humboldt University of Berlin.<\/span><\/p>\n<\/div>\n<div class=\"author-card__social\">\n<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.linkedin.com\/in\/janf\/\" class=\"community-link\" aria-label=\"LinkedIn\">LinkedIn<\/a>\n<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/jphfritsche\" class=\"community-link\" aria-label=\"Twitter\">X (Twitter)<\/a>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of crypto.news\u2019 editorial. 
Over the past year, most of the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":15841,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-19672","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/19672","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=19672"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/19672\/revisions"}],"predecessor-version":[{"id":19673,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/19672\/revisions\/19673"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/15841"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=19672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=19672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=19672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}