This article is a part of BG BrandLab’s Cybersecurity Special Report, meant to provide insights about today’s cyberthreats and the steps readers can take—as  individuals, employees, and decision-makers—to protect against them.

“People are humiliated. They’re hurt and they’re vulnerable,” says Kurt Baumgartner, principal security researcher for the cybersecurity firm Kaspersky. This echoes a sentiment shared by many in his industry about the experience of getting hacked.

Modern hacking has outgrown the lone-gunman approach of the internet’s early decade. Today, criminal enterprises drive most data breaches, sometimes vast ones such as the recently disbanded Fin 7 that operate from locations all across the world. These groups test networks again and again, looking for any vulnerability, knowing that out of a million attempts they only need to succeed once. And their preferred target isn’t an obscure piece of code or an error in a database.

It’s you.

A million to one shot can work when you take a million shots

Some cyber attacks take place entirely offline, such as when the hacker will enter an office and look for written down passwords (“tailgating”).

“The vast majority of hacks that make front pages use social engineering,” says Jason Hong, a professor at Carnegie Mellon University’s Human-Computer Interaction Institute. “This is mostly because computer systems have gotten better in recent years, the operating systems, networking, etc., and so the weak point tends to be people.”

Over the past 30 years, technological solutions such as security patches, two-factor authentication, and dedicated security software have grown increasingly successful at stopping data theft. So much so that, today, only approximately 7% of significant data breaches depend entirely on technological solutions. The security measures that networks put in place, when used properly, generally work.

To get around this problem, hackers have begun targeting the users behind the keyboard. This is “social engineering,” a tactic in which the hacker attempts to manipulate someone into giving up valuable data or network access that they cannot get purely by breaking into the computer system. By some estimates, Hong says, more than 90% of data breaches today involve this element of human error.

Social engineering can look different with every attack. Some involve sophisticated deceptions, such as setting up a fake website that copies the login screen of a legitimate one in hopes that users will enter their credentials by mistake (a “watering hole”). Others are more crude, such as sending out millions of emails and hoping to trick careless users into clicking on a malicious link or downloading an infected attachment (“phishing”). Then there are the attacks that take place entirely offline, such as when the hacker will enter an office and look for written down passwords (“tailgating”) or simply offer someone a bribe (“quid pro quo”).

The tactics change, but the goal is always the same: to defeat a network’s security through its users.

The hack can hurt

Some hackers put malware in banking or weather apps.

While many social engineering hacks are one-time events, such as putting malware in a weather app or sending someone an email posing as their bank, the most devastating attacks take time and human investment. They involve building a relationship with the victim then taking advantage of that trust. It might still end with a malicious link or infected download, but the emotional toll is far higher. The manipulation involved in these attacks can trigger feelings of guilt and shame that linger for years, long after the financial consequences of the hack have settled.

And it happens often.

Of the most personal social engineering hacks, there’s “romantic compromise,” Baumgartner says. “That requires a human who’s willing to create a fictitious world or reality to their target.” This brazen approach, he notes, requires a lot more time and effort than more distant forms of social engineering, like spoofing emails or websites.

Those more “spammy” schemes tend not to work as well as they used to, Baumgartner says. Spam filters have gotten more effective while users have grown more educated, all pushing many hacker organizations towards more complex (and lucrative) schemes. Today, nine out of ten cyberattacks involve “spear phishing,” email fraud targeted at an individual specifically, instead of broadcast at random.

In one social engineering attack, called “a watering hole,” hackers will use a fake website that copies the login screen of a legitimate one in hopes that users will enter their credentials.

To do this, cybercriminals rely on sources similar to those used by law enforcement, intelligence agents, and investigative journalists. They search social media looking not only for information but also for connections. A criminal might research public records, looking for deeds, taxes, court filings, bankruptcies, or any other government document that could suggest financial stress, legal troubles, family troubles, or other forms of vulnerability. They will call the target’s friends and family, or sometimes even the targets themselves, under false pretenses to try and develop this portfolio of information.

All of these sources provide information that the hacker can use to create an opening, and when they have finished their research the organization will make contact. In an elaborate scam, the hacker might develop a relationship with the victim that lasts for weeks. They use their knowledge of the target to build trust or, in some cases, inspire fear. (It is not uncommon for hackers to blackmail their victims or prey on financial insecurity.) Eventually, either way, the victim drops their guard.

“I know some people who have been to therapists to help work through this,” Baumgartner says, “…because trust is so broken at that point. They get concerned about, what have I done? I’ve messed things up. My identity is stolen, I’ve put everyone at risk.”

If we’re the problem, we’re also the solution

Social engineering is based on manipulating human emotions.

What makes social engineering so effective is that “there’s usually some appeal to a human emotion,” Hong says. “Whenever there is a disaster, there are scams asking for emergency funds (compassion). Or a friend is stuck in London and needs cash (friendship). Or your account is locked out and you need to verify your account (fear). Or you can win a prize (greed).”

Because social engineering plays on the emotions of the victim, this is the place to start for users looking to protect themselves. Beware of appeals to emotion.

Also be wary of emails that try to great a sense of urgency or peril. “There’s also often a short fuse, that you have to do this quickly,” Hong says. “This is meant to circumvent our rational thinking processes, and to get our impulsive nature to act.”

Beyond paying closer attention to the emotional content of an email, security experts agree that protecting networks against data breaches will take ever-greater awareness on the part of individual users. That starts with education not only about the risks, but about the tools already at their disposal; most importantly one that most users instinctively ignore.

“The best piece of advice you can give any end user right now,” says Sumir Karayi, CEO of the IT firm 1E, “is just before you go home or when you’re home, just patch the machine. It’s really important to do that.”

Operating systems like Windows and Mac OS regularly prompt users to install software updates. Most of the time it’s a small box that pops up and is just as quickly ignored by the average user, but these updates don’t just include new features. They deliver security patches critical to closing off newly discovered vulnerabilities and avenues for malware.

According to Karayi, approximately 90% of all machines in service across corporations and governments do not have all the latest security and software updates. This means that they are connected to the internet while vulnerable to known threats, forms of attack that hackers currently and actively may try. He calls it a case of leaving the doors and windows open.

Educating users in the tactics of social engineering has become ever more important. Users need to learn how to avoid the traps that hackers set for them, because that new friend might not be who they seem.