Rise of human-centric cybercrime

by Mark Rowe

In recent months, ransomware attacks on major UK retailers, including Marks & Spencer, Co-op, and Harrods, have dominated headlines. Although the circumstances of each incident vary, every case highlights the same underlying issue: human error remains the single most exploited vulnerability in cybersecurity, writes Carl Wearn, Head of Analysis and Future Ops at the email security product firm Mimecast.

Rather than deploying groundbreaking malware or sophisticated technical exploits, criminals achieved success by exploiting the human element. They manipulated employees, impersonated IT staff and bypassed trust-based systems designed for convenience and speed. It’s a stark reminder that today’s cybercriminals are no longer just breaching systems – they’re breaching people.

An era of human-first cybercrime

We are witnessing a fundamental shift in the cyber threat landscape. Traditional perimeter defences and malware detection still matter, but they’re no longer sufficient. Cybercriminals are increasingly turning to what we call “Living Off Trusted Services” (LOTS), exploiting legitimate platforms like Microsoft 365, DocuSign, Dropbox and even internal help-desk functions to orchestrate attacks.

These aren’t hypothetical threats. At M&S, attackers reportedly gained access through stolen credentials obtained via social engineering – possibly MFA fatigue or phishing – allowing them to disrupt operations. Co-op suffered a similar breach when IT staff were tricked into resetting a legitimate user’s password, giving criminals a foothold in the network. Harrods also confirmed it had fallen victim to social engineering tactics, prompting it to shut down parts of its digital infrastructure as a precaution. These events underscore a critical truth: the weakest link in cybersecurity is no longer outdated software or misconfigured firewalls, but the human behind the keyboard.

Why humans are an easy target

There are several reasons for this shift toward people-focused attacks. First, the technical perimeter has hardened. Over the past decade, investments in endpoint protection, network monitoring, and email security have made it more difficult for threat actors to simply “drop” malware and move laterally within systems.

Second, cloud adoption has changed the game. The modern workforce depends on digital collaboration platforms that rely on seamless user access and cross-organisation workflows. These services, while invaluable for productivity, also present opportunities for attackers to masquerade as trusted senders, exploit password reset processes, and trick users into sharing credentials or clicking malicious links.

Third, the public visibility of successful attacks is fuelling a copycat effect. Threat actor groups like Scattered Spider and ransomware-as-a-service operators such as DragonForce are being closely watched and mimicked. Even less technically skilled attackers now have access to tools and tactics, often enabled by AI, that allow them to craft convincing phishing campaigns or impersonate support teams at scale.

Our own threat intelligence team at Mimecast has tracked, since February alone, over 150,000 phishing campaigns bearing the hallmarks of these tactics. Many are simple in nature – fake CAPTCHAs, spoofed portals and MFA prompts – but they’re effective precisely because they exploit trust, not code.

From malware to manipulation

This evolution presents a challenge for businesses: how do you protect your organisation when the attacker’s main weapon is psychological, not technical?

Business email compromise (BEC) remains one of the most successful forms of attack, not because it’s new or particularly advanced, but because it needs no technical exploit at all: it asks a person to act. A well-crafted email from a “colleague” asking for an invoice payment or password reset can be all it takes. Similarly, attackers are increasingly targeting support desks, managed service providers and third-party vendors – the very teams that deal with the most requests from people they cannot see. These teams are trained to solve problems quickly, reset credentials and keep operations moving. Unfortunately, those very qualities make them attractive entry points for social engineers.

What businesses can do now

We must stop thinking of cybersecurity purely in technical terms. Preventing human-driven breaches requires a combination of process, culture and intelligent defence.

1. Reinforce identity and access procedures
Help-desks and IT support must adopt stricter protocols for password resets and account access. Verifying the requester through a secondary channel, imposing a time delay before a reset takes effect, or checking the request against the user’s normal behaviour all make social engineering attacks more difficult to execute.

2. Monitor human risk – not just system risk
It’s no longer enough to scan for known vulnerabilities. Organisations must use analytics to identify high-risk individuals based on behaviour patterns, frequent password resets or access to sensitive systems. Targeted awareness and support can make a big difference.

3. Educate and empower employees
Security training cannot be a once-a-year tick-box exercise. It needs to be frequent, contextual and scenario based. Employees should know what an MFA fatigue attack looks like, how to spot a spoofed login page and when to verify a request via another channel.

4. Strengthen pre-delivery protections
Most attacks still begin with email. Filtering out phishing, suspicious links and domain impersonation before delivery is foundational. If it doesn’t reach the inbox, it can’t reach the user.

5. Build for resilience
Despite best efforts, some breaches will occur. Organisations need robust data backup, incident response and post-breach monitoring capabilities to minimise the impact and prevent follow-on attacks.
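Points 1 and 2 above can be combined into a single gate in front of the help-desk reset action: require an out-of-band callback, score the user against the recent reset history, and hold high-risk resets for a cooling-off period. The Python below is an added example written for this article, not Mimecast’s product code or anything the retailers named above run; the audit log, the group names and the thresholds (a third reset in a week counts as anomalous, 30-minute cooling-off) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed help-desk audit log (assumed format: ISO timestamp, username, channel).
AUDIT_LOG = """\
2025-05-01T09:12:00 alice.smith phone
2025-05-03T14:02:00 bob.jones portal
2025-05-05T10:30:00 alice.smith phone
2025-05-05T10:41:00 alice.smith chat
2025-05-06T08:15:00 alice.smith phone
2025-05-06T16:47:00 carol.ng phone
"""

# Policy knobs; the values are assumptions for the example, not figures from the article.
RESET_WINDOW = timedelta(days=7)
MAX_RESETS_IN_WINDOW = 2             # more than this in the window is treated as anomalous
COOLING_OFF = timedelta(minutes=30)  # delay between callback and a high-risk reset taking effect
SENSITIVE_GROUPS = {"domain-admins", "finance-approvers"}


def parse_audit_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse 'timestamp user channel' lines into (datetime, user, channel) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, channel = line.split()
        events.append((datetime.fromisoformat(ts), user, channel))
    return events


EVENTS = parse_audit_log(AUDIT_LOG)


def recent_reset_count(user: str, now_iso: str, events=EVENTS) -> int:
    """Number of resets for `user` in the RESET_WINDOW ending at `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    return sum(1 for ts, u, _ in events if u == user and now - RESET_WINDOW <= ts <= now)


@dataclass
class ResetRequest:
    user: str
    groups: Set[str] = field(default_factory=set)
    callback_verified: bool = False    # agent called back on the number held in HR records
    callback_at: Optional[str] = None  # ISO timestamp of that callback, if any


def evaluate_reset(req: ResetRequest, now_iso: str) -> Tuple[str, List[str]]:
    """Return ('deny' | 'hold' | 'allow', reasons).

    deny : no out-of-band verification, so the request is not actioned.
    hold : verified but high risk; the reset waits for COOLING_OFF so the real
           user, notified on a known channel, has time to object.
    allow: verified and either low risk or past the cooling-off period.
    """
    now = datetime.fromisoformat(now_iso)
    reasons: List[str] = []

    # Behavioural signal: how often has this account been reset lately?
    resets = recent_reset_count(req.user, now_iso)
    if resets > MAX_RESETS_IN_WINDOW:
        reasons.append(f"{resets} resets in the last {RESET_WINDOW.days} days")
    # Access signal: does the account reach sensitive systems?
    sensitive = req.groups & SENSITIVE_GROUPS
    if sensitive:
        reasons.append("member of sensitive group " + ",".join(sorted(sensitive)))
    high_risk = bool(reasons)

    # Secondary channel: a ticket or chat alone never authorises a reset.
    if not req.callback_verified:
        reasons.append("no out-of-band callback verification")
        return "deny", reasons

    # Time delay: high-risk resets are queued rather than executed on the call.
    if high_risk:
        if req.callback_at is None or now - datetime.fromisoformat(req.callback_at) < COOLING_OFF:
            reasons.append(f"cooling-off of {int(COOLING_OFF.total_seconds() // 60)} minutes not elapsed")
            return "hold", reasons
    return "allow", reasons
```

The three outcomes map onto the three controls in point 1: a request with no callback is denied outright, a verified request from an account with an unusual reset history or privileged group membership is held, and only a verified, low-risk request goes through immediately. The reset counter is the simplest form of the human-risk analytics in point 2; in practice it would read from the identity provider’s audit log rather than an embedded string.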
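The domain-impersonation filtering in point 4 can be illustrated with a lookalike-sender check that runs before delivery: normalise the sender’s domain so digit and Cyrillic substitutions compare equal, measure its similarity to the domains being protected, and separately flag display names that borrow the brand or an employee’s name from an unrelated domain. The Python below is an added example, not Mimecast’s filter; the protected domains, the employee directory, the confusable-character table, the similarity threshold and the sample From: headers are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from typing import Tuple

# Domains this organisation and its close partners send from (assumed list for the example).
PROTECTED_DOMAINS = {"example.com", "example-bank.co.uk"}
# Staff whose names are commonly borrowed in BEC mail (constructed directory).
EMPLOYEES = {"alice smith", "carol ng"}

# Characters attackers substitute for Latin letters: digits and a few Cyrillic confusables.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
})
SIMILARITY_THRESHOLD = 0.8  # assumed; tune against real mail flow


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: last two labels, or three for co.uk-style
    suffixes. A production filter would consult the Public Suffix List instead."""
    parts = domain.lower().split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"co", "com", "org", "ac", "gov"}:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def skeleton(text: str) -> str:
    """Normalise text so visually similar spellings compare equal."""
    s = text.lower().translate(CONFUSABLES)
    s = s.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z0-9]", "", s)  # drops hyphens and spaces: example-bank -> examplebank


def brand(domain: str) -> str:
    """The normalised first label of the registrable domain, e.g. 'example'."""
    return skeleton(registrable(domain).split(".")[0])


def split_from(header: str) -> Tuple[str, str]:
    """Return (display_name, address) from a From: header value."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def classify_sender(from_header: str) -> str:
    """Classify as legitimate, lookalike-domain, display-name-impersonation or external."""
    display, addr = split_from(from_header)
    domain = addr.rsplit("@", 1)[-1]
    if registrable(domain) in PROTECTED_DOMAINS:
        return "legitimate"  # still subject to SPF/DKIM/DMARC, which this check does not replace

    sender_brand = brand(domain)
    for protected in PROTECTED_DOMAINS:
        p_brand = brand(protected)
        if sender_brand == p_brand:      # other TLD, digit swap, or Cyrillic letter swap
            return "lookalike-domain"
        if p_brand in sender_brand:      # brand plus a token, e.g. example-secure.com
            return "lookalike-domain"
        if SequenceMatcher(None, sender_brand, p_brand).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike-domain"    # transposition or omission, e.g. exmaple.com

    # External domain, but the human-facing part of the header borrows trusted identity.
    if display.lower() in EMPLOYEES or any(brand(p) in skeleton(display) for p in PROTECTED_DOMAINS):
        return "display-name-impersonation"
    return "external"
```

A message classed as lookalike-domain or display-name-impersonation would be quarantined or at least tagged before it reaches the inbox, which is the “at the source” control the point describes. The confusable table is deliberately tiny; a real deployment would draw on the full Unicode confusables data (UTS #39), use the Public Suffix List for registrable domains, and apply this check only after sender authentication has been evaluated.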

The breach of trust

As cybercriminals evolve, so must we. The shift from malware to manipulation, from systems to psychology, means that organisations can no longer rely on firewalls and filters alone. The battle has moved into inboxes, help-desks and chat windows.

This is no longer just a cybersecurity issue, it’s fundamentally about trust. The organisations that will thrive are those that treat people as both their greatest risk and their greatest defence, embedding resilience into every interaction. Ultimately, the tactics used by threat actors will continue to change, but human nature will not, and that will always make people the greatest risk factor in cybersecurity.

About the firm

Mimecast offers a Human Risk Management (HRM) platform. Visit www.mimecast.com.