Why can’t companies stop social engineering attacks?

Over the past year, most of the biggest exploits in crypto have had the same root cause: people. In the past several months alone, Ledger urged users to pause on-chain activity after npm maintainers were duped and malicious packages propagated; Workday disclosed a social-engineering campaign that accessed data in a third-party CRM; and North Korea–linked operators continued fake-job lures against crypto teams to deliver malware.

Despite billions spent on cybersecurity, companies keep getting beaten by simple social engineering. Teams pour money into technical safeguards, audits, and code reviews while neglecting operational security, device hygiene, and basic human factors. As more financial activity moves on-chain, that blind spot becomes a systemic risk to digital infrastructure. 

The only way to slow the surge of social-engineering attacks is a broad, sustained investment in operational security that reduces the payoff of these tactics.

Social engineering is the Achilles’ heel of cybersecurity

Verizon’s 2025 Data Breach Investigations Report ties the “human element” of cybersecurity (phishing, stolen credentials, and everyday mistakes) to roughly 60% of data breaches. 

Social engineering works because it targets people, not code, exploiting trust, urgency, familiarity, and routine. These types of exploits can’t be eliminated through a coding audit and are difficult to defend with automated cybersecurity tools. Code review and other common cybersecurity practices can’t stop an employee from approving a fraudulent request that looks like it came from a manager, or downloading a fake Zoom update that seems legitimate.

Even highly technical teams get caught; human weakness is universal and stubborn. And as a result, social engineering continues to drive real-world incidents.

Crypto raises the stakes

Programmable money concentrates risk. In web3, compromising a seed phrase or an API token can be equivalent to breaching a bank vault. The irreversible nature of crypto transactions amplifies mistakes: once funds move, there is often no way to reverse the transaction. A single lapse in device security or key handling can wipe out assets. Web3’s decentralized design means there is often no help desk to reach out to, leaving users to fend for themselves. 

Hackers, including state-backed mercenaries, have noted the effectiveness of social engineering attacks and adapted accordingly. Operations attributed to North Korea’s Lazarus Group lean heavily on social engineering: fake job offers, poisoned PDFs, malicious packages, and tailored phishing that prey on human vulnerabilities. 

These exploits are startlingly effective and simple to execute, and tech companies seem unable to defend against them. Unlike zero-day exploits, which are quickly patched (forcing hackers to find new exploit strategies), hackers are able to leverage the same social engineering tactics over and over, autonomously, spending more time hacking and less time on R&D.

Companies need to invest in operations security

Too many organizations still treat security as a compliance exercise — an attitude reinforced by permissive regulatory standards. Companies routinely pass audits and publish spotless reports even while harboring glaring operational risks: administrator keys stored on personal laptops, credentials shared over chat and email, stale access privileges that never rotate, and travel laptops repurposed as development machines.

Fixing this failure of discipline requires explicit, enforced operational security. Teams should use managed devices, strong endpoint protection, and full-disk encryption; company logins should leverage password managers and phishing-resistant MFA; and system managers should carefully manage privileges and access. These controls are not a catch-all, but they add to making social engineering attacks more difficult and help mitigate the impact of potential exploits. 

Most importantly, teams need to invest in operational security training; employees (not cybersecurity teams) are the first line of defense against social engineering attacks. Companies should spend time training their teams to spot likely phishing attacks, practice safe data hygiene, and understand operational security practices. 

Critically, we can’t expect organizations to adopt hardened cybersecurity postures voluntarily; regulators must step in and set enforceable operational baselines that make real security non-optional. Compliance frameworks should move beyond documentation and require demonstrable proof of secure practices: verified key management, periodic access reviews, endpoint hardening, and simulated phishing readiness. Without regulatory teeth, the incentive will always favor optics over outcomes. 

Social engineering is only getting worse

It’s critical to invest in operational security now because the rate of attacks is growing exponentially.

Generative AI has changed the economics of deception. Attackers can now personalize, localize, and automate phishing at an industrial scale. Campaigns that once focused on a single user or enterprise can now be used to target thousands of businesses with little extra cost. Phishing attacks can be personalized with just a few clicks, incorporating intimate details to make a spoofed email feel legitimate. 

AI also accelerates reconnaissance. Public footprints, leaked credentials, and open-source intelligence can be mined and assembled into “briefs” on each victim, helping hackers develop deeply convincing attacks.

Slowing the rate of attacks

Social engineering thrives where implicit trust and convenience override verification and prudence. Organizations need to adapt a more defensive posture and (correctly) assume that they are under the constant threat of a social engineering attack. 

Teams should adopt zero-trust principles in daily operations and incorporate operational security principles throughout the company. They should train employees on operational security to stop attacks early and keep their team up to date on the latest social engineering tactics. 

Most importantly, companies need to find where trust still lives in their operations (wherever an attacker can impersonate an employee, a piece of software, or a customer) and add extra safeguards. 

Social engineering will not disappear, but we can make it far less effective and far less catastrophic when attacks occur. As the industry hardens itself against these attacks, social engineering will become less lucrative for hackers, and the rate of attacks will drop, finally bringing a real end to this breathless cycle of exploits.