Social Engineering vs Technical Vulnerabilities: Why Ranking One Above the Other Gets You Breached

Articles

Written by Brightside Team

Read any breach post-mortem involving a phishing email or a fake support call, and watch the comments fill with the same reaction. How did they fall for that? It looks so obvious. Someone clicked a link, approved a login, wired money to a stranger, and in hindsight every red flag is lit up like a runway.

That reaction feels like security awareness. It is actually the first failure. Scams look obvious only in retrospect, after the outcome is known and the pressure is gone. In the moment, the victim had a plausible story, a deadline, an authority figure, and no reason to suspect that the routine thing they do fifty times a week was the one that mattered. The smugness is hindsight bias wearing a security badge.

It points at a deeper habit in how the industry ranks its own work. Finding a flaw in software, reverse-engineering a protocol, writing an exploit for a fresh CVE: that reads as the serious, technical, advanced side of security. Getting talked out of a password reads as user error, a training problem, the soft side. That ranking does more than insult the people who get targeted. It misreads where the risk actually sits, and attackers price the mistake into their planning. The argument here runs on breach data and one recent court case, and it does not land on "social engineering beats hacking." It lands somewhere more uncomfortable: the moment you decide either layer is the real one, you have already left the other one open.

What the breach numbers actually say

Start with where attackers actually get in, because that is where the hierarchy collapses first.

Verizon's 2026 Data Breach Investigations Report attributes roughly 62% of breaches to the human element: phishing, pretexting, stolen credentials, misuse, and plain error. If you have seen the number 74% quoted, that is the 2023 figure, and it is still circulating in articles that have not refreshed their sources. The exact percentage moves year to year and depends on definitions, but every recent edition lands in the same place. People are involved in the majority of breaches, by a wide margin.

ENISA's 2025 Threat Landscape points in the same direction from a European vantage point. It puts social engineering at around 60% of observed initial access and names phishing the primary initial intrusion vector. Vulnerability exploitation, the technical side, accounts for roughly 21.3% of initial access. So the purely technical door is real, and it is dangerous: ENISA notes that when an intrusion did start with a vulnerability, it culminated in a full compromise around 70% of the time. A CVE is a narrower entrance that is devastating once opened. Social engineering is the wide front gate that most attackers simply walk through.

Hold those two facts next to each other. The technical attack surface is where a smaller share of intrusions begin but where each one tends to go deep. The human surface is where most intrusions begin, full stop. Neither of those is the soft side. They are different doors into the same building, and an attacker only needs one of them.

Decision-makers already sense this even when their budgets do not reflect it. In the World Economic Forum's 2026 Global Cybersecurity Outlook, 77% of respondents named cyber-enabled fraud and phishing a major concern, and 73% reported personal or organizational exposure to it. The worry is there. What is often missing is the willingness to treat the human layer as a first-class engineering problem rather than an awareness poster. The clearest illustration of what that costs showed up in an Amsterdam courtroom this June.

The Dutch deepfake case: the machine passed it, the human caught it

In June 2026, the Amsterdam District Court convicted a 34-year-old man for using deepfake technology to open 47 fraudulent bank accounts at ABN AMRO (case ECLI:NL:RBAMS:2026:6093). He was sentenced to 30 months, six of them suspended, and ordered to pay the bank around €13,000. Strip away the AI novelty and the case is a clean parable about over-trusting a technical control.

ABN AMRO let customers open accounts from a phone by photographing an ID and taking a selfie, with an automated system confirming that the two faces matched. That design answers one question well: does the face in the selfie match the face on the document? It does not answer a second, more important question: is this a live human being, present right now, rather than a synthetic image fed into the pipeline? The fraudster exploited exactly that gap. Using face-swap software, he blended his own features with the photos on genuine stolen IDs, then injected the resulting images into the verification stream so the system evaluated a file, not a person. The automated check did precisely what it was built to do, and it was wrong 47 times.

Notice how the documents were obtained, because the attack was blended from the start. One of his sources was a fake apartment listing on Marktplaats, the Netherlands' dominant classifieds site, where prospective tenants were asked to send passport copies and pay slips to verify their rental application. No exploit, no malware, just a normal-looking request in a competitive housing market. People handed over their identity documents because the request fit a routine they trusted. That is social engineering doing the supply-chain work for a technical attack downstream.

The scheme did not end because a better algorithm caught it. It ended because a human did. The fraud surfaced when a reviewer looked at an application and saw an obvious mismatch the automated system had waved straight through, the kind of wrongness a person registers in a second and a similarity score does not register at all. By then 47 accounts had already been opened and mailed debit cards, some of them used for follow-on bank-helpdesk fraud against other victims.

If you ranked these two layers going in, you would have called the automated biometric check the advanced, technical control and the human reviewer the fallback. The case inverts that. The sophisticated control failed silently and at scale. The human was the part that worked.

Why trusting the tool is its own vulnerability

It is tempting to read the ABN AMRO story as a narrow product flaw: the system should have checked for liveness, and now standards like NIST's updated identity guidance and newer European testing benchmarks require exactly that. True, and banks are closing that specific gap. But the narrow reading misses the more general failure, because the next control will have its own blind spot, and the same dynamic will repeat.

The deeper problem is automation bias. When a control is trusted as sufficient, it stops being questioned, and a check nobody questions is a check that fails quietly. Research on human oversight of automated systems keeps finding the same thing: people placed "in the loop" to catch machine errors approve the machine's output a large share of the time regardless of whether it is correct, and the more confidently a system presents its result, the more readily humans defer to it even when it is wrong. Oversight that exists on the org chart is not the same as oversight that happens.

That is why a single high-tech control can be more dangerous than the sum of its features suggests. It does not just have a blind spot. It actively discourages anyone from looking, because the whole point of automating verification was to stop having humans look. ABN AMRO's reviewers did eventually look, which is the only reason the story has an ending, but they looked after 47 accounts, not after the first anomaly.

The market has started to price this in. Gartner has projected that around 30% of enterprises will come to regard standalone identity verification as unreliable on its own, not because any one tool is bad but because no single tool should be the last word on a high-stakes decision. So the takeaway from the Dutch case is both smaller and larger than "buy liveness detection." Whatever technology sits behind a high-consequence decision, one automated pass should never be the thing that closes the question.

The opposite mistake: treating people as a poster, not a practice

If the argument stopped here, it would read as a familiar pivot: technology fails, so trust the humans. That is the mirror-image error, and it fails just as reliably.

The human layer collapses when an organization treats it as a checkbox. The pattern is everywhere: an annual training module, a slide deck about not clicking links, a phishing test once a quarter, and a quiet belief that the humans are the weakest link so the most you can do is remind them to be careful. By the numbers, this is theater. Industry research finds that around 94% of organizations run security awareness training, but only about 6% achieve full completion. A module nobody finishes is not a control. It is a compliance artifact.

The frustrating part is that the human layer responds well to actual engineering. Point-of-error training, where someone who clicks a simulated phishing link gets an immediate, specific correction at the moment of the mistake, measurably works. A meta-analysis spanning 42 studies found that just-in-time intervention reduced susceptibility by roughly 40%. The difference between that and the annual module is the difference between realistic rehearsal and awareness theater. One builds a reflex under realistic conditions. The other delivers information and hopes.

So the honest version of "humans are the weakest link" is narrower and more useful: un-rehearsed people facing un-rehearsed attacks are a weak link. Rehearsed people are a sensor, the part of the system that, as in Amsterdam, catches the thing the machine cannot. You do not get that sensor from a poster. You get it from practice, frequency, and feedback, the same way you get reliable behavior out of any other part of an operational system.

Why the gap is widening now: AI intensifies both fronts at once

All of this would matter even in a static threat environment. The environment is not static. AI is pushing on both the human and the technical front at the same time, which is the real reason a single-layer strategy is becoming untenable.

On the human side, AI has erased the skill gap that made social engineering look amateurish. A human-subject study of fully automated AI spear phishing found it achieved around a 54% click-through rate, matching campaigns crafted by human experts and far above the roughly 12% from a generic control, at a cost near $0.04 per email. The "obvious scam" full of typos and broken grammar is a relic. The current version is fluent, personalized to your role and tools, and arrives across email, voice, and video at industrial scale and near-zero marginal cost.

That breaks the advice most awareness programs were built on. Telling people to spot the glitch no longer maps to reality. In a 2026 study testing whether people could identify AI-generated media in a spear-phishing context, 66% failed to recognize AI-generated audio as fake and 43% failed to recognize deepfake video. You cannot eyeball your way out of synthetic media, which is why the defensible response is procedural verification rather than perceptual judgment, a point I will come back to.

Meanwhile the technical front is not standing still to make room. The UK's National Cyber Security Centre assesses that the most significant near-term effect of AI on cyber threat is the acceleration of vulnerability research and exploit development, the work of finding and weaponizing software flaws faster than defenders can patch them. In controlled testing, GPT-4 exploited roughly 87% of one-day vulnerabilities when handed the public description, against 7% without it. Both the front gate and the narrow door are getting easier to open at once.

And the line between them is dissolving in practice. Look at the breaches that defined the past year. ShinyHunters reportedly obtained Okta single sign-on credentials by voice-phishing employees, then used that access to reach Salesforce data, a human exploit that unlocked a technical kingdom. Scattered Spider talked its way past help-desk verification at Marks & Spencer before deploying ransomware that disrupted operations and cost the retailer a reported nine-figure market-cap hit. The Coinbase incident traced back to insider recruitment, a person persuaded rather than a system cracked. In each case the strongest technical controls in the environment were not defeated. They were bypassed by way of a human, then turned into the technical part of the attack. Sorting these into "social engineering" or "technical" buckets is an academic exercise. The attackers do not respect the boundary, and neither should the defense.

What balanced defense actually requires

None of this resolves into a slogan about people being your greatest asset. The practical move is duller and harder: stop ranking the two disciplines, and treat them as complementary controls in one system, each covering the other's blind spot.

A few principles follow directly from the cases above. Verify high-risk actions by procedure, not perception. When a request carries real consequences, moving money, resetting credentials, approving an identity, the verification path should be out-of-band and structural: a callback to a known number, multi-person authorization, a cooling-off period for unusual first-time requests. None of those depend on a human or a machine correctly judging whether a face or a voice is synthetic, which is exactly the judgment AI has made unreliable. Layer presence and liveness checks on top of identity matching rather than trusting a single automated pass, and assume every individual control has a blind spot that another layer needs to cover.
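Here is how the procedural rules in the paragraph above, together with the earlier point that one automated pass should never close a high-consequence question, could be encoded as a policy check. This is an added example, not Brightside's code and not anything from the ABN AMRO case: the step names, the thresholds (a 24-hour cooling-off period, a second approver at or above 10,000) and the two sample requests are constructed for illustration.

```python
"""Procedural verification for high-consequence requests.

Added example, not Brightside's code. A high-risk action (moving money,
resetting credentials, approving an identity) is never closed by one
automated pass: every such request must also collect verification steps
that do not depend on anyone judging whether a face or voice is genuine.
Step names, thresholds and sample requests are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

COOLING_OFF = timedelta(hours=24)   # constructed: wait applied to unusual first-time requests
DUAL_APPROVAL_AMOUNT = 10_000.0     # constructed: payments at/above this need a second approver


@dataclass
class Request:
    kind: str                         # "payment", "credential_reset" or "identity_approval"
    requester: str                    # identity that submitted the request
    submitted_at: datetime
    amount: float = 0.0
    first_time_counterparty: bool = False
    # Results of automated checks, e.g. {"face_match": True, "liveness": False}.
    automated_checks: Dict[str, bool] = field(default_factory=dict)
    # Staff called a number already on record, not one the requester supplied.
    callback_to_number_on_file: bool = False
    callback_confirmed_by: Optional[str] = None
    second_approver: Optional[str] = None
    manual_reviewer: Optional[str] = None


@dataclass
class Decision:
    approved: bool
    missing: List[str]


def required_steps(req: Request) -> List[str]:
    """Independent steps this request must satisfy before it can close."""
    steps = ["automated_pass", "out_of_band_callback"]
    if req.kind == "payment" and req.amount >= DUAL_APPROVAL_AMOUNT:
        steps.append("second_approver")
    if req.kind == "identity_approval":
        # A face match only shows two images agree; presence and a human
        # look are separate layers that cover that blind spot.
        steps.extend(["liveness", "manual_review"])
    if req.kind == "credential_reset":
        steps.append("manual_review")
    if req.first_time_counterparty:
        steps.append("cooling_off")
    return steps


def _satisfied(step: str, req: Request, now: datetime) -> bool:
    if step == "automated_pass":
        return any(req.automated_checks.values())
    if step == "out_of_band_callback":
        # Whoever confirmed the callback must not be the requester.
        return req.callback_to_number_on_file and req.callback_confirmed_by not in (None, req.requester)
    if step == "second_approver":
        # Distinct from both the requester and whoever made the callback.
        return req.second_approver not in (None, req.requester, req.callback_confirmed_by)
    if step == "liveness":
        return req.automated_checks.get("liveness", False)
    if step == "manual_review":
        return req.manual_reviewer not in (None, req.requester)
    if step == "cooling_off":
        return now - req.submitted_at >= COOLING_OFF
    raise ValueError(f"unknown step {step}")


def evaluate(req: Request, now: datetime) -> Decision:
    """Approve only when every required step is satisfied; otherwise list what is missing."""
    missing = [s for s in required_steps(req) if not _satisfied(s, req, now)]
    return Decision(approved=not missing, missing=missing)


# Constructed sample requests.
NOW = datetime(2026, 6, 1, 12, 0)

# An account opening whose only evidence is a passed face match: the
# pattern a match-only pipeline waves through.
FACE_MATCH_ONLY = Request(
    kind="identity_approval", requester="applicant-01", submitted_at=NOW,
    automated_checks={"face_match": True},
)

# A large first-time payment with a callback and second approver in place,
# submitted an hour ago, so still inside the cooling-off window.
FIRST_TIME_PAYMENT = Request(
    kind="payment", requester="cfo@example.test", submitted_at=NOW - timedelta(hours=1),
    amount=25_000.0, first_time_counterparty=True,
    automated_checks={"fraud_score_ok": True},
    callback_to_number_on_file=True, callback_confirmed_by="treasury-analyst",
    second_approver="controller",
)

if __name__ == "__main__":
    for name, req in (("face match only", FACE_MATCH_ONLY), ("first-time payment", FIRST_TIME_PAYMENT)):
        d = evaluate(req, NOW)
        print(f"{name}: approved={d.approved} missing={d.missing}")
    # The payment closes on its own once the cooling-off period has elapsed.
    print("after cooling-off:", evaluate(FIRST_TIME_PAYMENT, NOW + COOLING_OFF))
```

The design choice worth noting is that every step except `automated_pass` is structural: it checks who did what and when, never whether something looked or sounded right. A passed liveness check is itself just another automated result, so for identity approval it is required in addition to a manual review, not instead of one.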

Then instrument the human layer like the operational system it is. That means realistic, multi-channel rehearsal against the attacks people will actually face, including voice and deepfake scenarios and not just email, with point-of-error feedback when someone slips and measurement that you track the way you track patch latency or mean time to detect. Human risk is measurable. Treating it as unmeasurable is a choice, and an expensive one.

This is the substance behind the well-worn phrase "defense in depth." CISA frames it as three co-equal pillars, people, technology, and operations, and the framing matters because the failure mode is almost always an organization that funds one pillar to maturity and leaves another as a poster on the breakroom wall. The Dutch bank had advanced technology and a human reviewer. What it lacked was a system that assumed the technology would fail and positioned the human to catch it before 47 accounts, not after. That is an architecture problem, not a personnel problem.


How Brightside effectively reduces employee cybersecurity risk exposure

Rehearsing the human layer is exactly the problem Brightside AI is built to solve. The argument above says technical controls miss what people catch, but only if those people have actually practiced against the attacks now in circulation. Brightside is the rehearsal layer that makes that true.

It runs realistic simulations across the channels modern attacks actually use. Email phishing simulations are aligned to the NIST Phish Scale so difficulty is calibrated rather than guessed, and AI-powered OSINT spear-phishing personalizes scenarios to an employee's role and tools the way a real targeted attacker would. Its vishing simulator runs live, AI-driven phone calls with configurable caller personas, a social-engineering tactic builder, urgency and tone controls, and custom voice cloning from a short recording, so teams rehearse against the voice and deepfake attacks that "spot the typo" training never touches. Hybrid campaigns combine a voice call with a follow-up phishing email to test how people hold up across more than one channel at once. When someone fails a simulation, follow-up training triggers automatically at the point of error, which is the intervention the research actually supports. Admin dashboards surface the highest-risk individuals and groups so attention goes where the exposure is, with reporting kept aggregate and anonymized.

It is worth being precise about what this is and is not, because the honest boundary is the whole point of the argument. Brightside does not detect or respond to breaches in real time, and it does not monitor employee communications. It is the training and rehearsal layer, the part that turns the human element from a liability into a sensor, working alongside the technical controls rather than pretending to replace them. That is what balanced defense looks like in practice: tools that catch what people miss, and people prepared to catch what the tools wave through.