Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Cybersecurity fatigue: A growing risk with AI-driven social engineering attacks

August 2024 Information Security, Training & Education

By Adam Whittington, Security and Services Executive, +OneX


Adam Whittington.

Although the tactics and technologies cybercriminals use have evolved over the past 20 years, phishing and other social engineering attacks are nothing new. Despite the significant amounts of time and money invested in cybersecurity training and awareness, employee carelessness and ignorance remain the most vulnerable parts of the average enterprise’s security posture.

A recent study from security vendor SlashNext found that there has been a 341% increase in phishing attacks in the first half of 2024. If that is not disturbing enough, an alarming proportion of users still fall for phishing attacks — in our experience with phishing simulations, as many as 10% of users among our client companies will still fall victim. Statistics from Verizon show that the median time for users to fall for phishing emails is less than 60 seconds.

Phishing gets more sophisticated

So, what is going on here? There is little doubt that phishing attacks have grown in sophistication over the past few years. Criminals have added smarter techniques to their arsenal, such as ‘spear phishing’ — which targets people with highly convincing and personalised messages — and QR code phishing (quishing), which deceives a recipient into scanning a QR code that redirects them to a bogus website.

Furthermore, while many phishing messages still give themselves away through poor grammar or unnatural-sounding language, criminals have lifted their game. Generative artificial intelligence (AI) tools such as ChatGPT have been a godsend for cybercriminals, enabling them to generate more phishing emails than ever before, while improving the sophistication of their work.

They can, for example, use public data about executives and companies harvested with AI to launch precision attacks on company employees. In addition, Gen AI can help cybercriminals eliminate misspellings and grammar mistakes so that their emails seem like credible copies of communications from a bank or tax authority. Cybercriminals can also use Gen AI to rapidly build convincing landing pages to harvest logins and passwords from people they duped.

With this backdrop and companies taking end user education seriously, one would imagine that employees would be more alert, but the reality is that cybersecurity has become a topic that bores many end users. Not only have they tuned out from the warnings they get from their IT department on an almost daily basis, but they have also started to become tired of the friction that cybersecurity causes in their working lives.

Employees who experience cybersecurity training fatigue become less attentive and vigilant when it comes to identifying potential phishing threats. They are more likely to overlook suspicious indicators or engage with malicious content without critically assessing its legitimacy. As such, cybersecurity training fatigue can weaken an organisation's defences against phishing attacks.

More than a third of users cut security corners

One international study found that 54% of office workers are ignoring important cybersecurity alerts and warnings due to digital communication information overload. Nearly 47% agreed that information overload is inhibiting their ability to identify threats such as phishing emails, while 36% admitted to cutting corners on cybersecurity practices. Shockingly, less than a quarter report being engaged in their cybersecurity training.

Unless every end user is hyper-vigilant, it is only a matter of time before an attacker gets their hands on credentials or tricks someone into downloading a ransomware file. As such, it is essential to combat cybersecurity fatigue and keep users deeply engaged in the importance of security. It is helpful to understand why cybersecurity fatigue sets in, in order to rectify or prevent it.

As the research implies, one of the major issues lies in the sheer amount of information employees need to deal with. In addition to constant cyber threat warnings and frequent cybersecurity training, they may also receive a range of other compliance-related information in their inboxes. As a result, they may feel overwhelmed and start to tune out, or their ability to retain information might be compromised.

For employees who are under pressure to perform every day, cybersecurity training sessions might become an unwelcome chore. That is especially the case when they start to feel that the training is repetitive or that they already know the material. Then there is the effort involved in complying with security procedures, such as remembering long passwords or using multifactor authentication (MFA) every time they sign on.

Part of the answer lies in implementing information best practices such as policies dictating multifactor authentication (MFA) and strong passwords. These first lines of defence will foil most attempted breaches via phishing attacks. Zero-trust architectures, where no device, user or traffic is implicitly trusted, can also help stop attacks in their tracks. Passwordless authentication can reduce friction for end users.

Strengthening the weakest link

Ultimately, humans remain the weakest link. To mitigate this risk, organisations should deliver engaging, targeted training initiatives that address employees' specific needs and foster a culture of continuous learning and improvement. Microsoft's phishing simulation tools can be a helpful way to keep people on their toes, correct behaviour, and understand end user behaviour. Strategies such as gamification, role-based training, micro-learning, and reward programmes are also effective.

We also find that it helps to take a positive slant, focusing on what employees should do rather than what they must not do. This means offering ways for employees to do their jobs and remain productive — clear guidance around the right cybersecurity behaviours and principles. Positive reinforcement works better than a punitive approach, especially when the goal is to get users to report to IT when they see a suspicious message or believe they have fallen for a scam.

Ultimately, the objective is to create an environment where every employee understands the importance of addressing cyberthreats and commits to playing their part. With the right technology and an engaged, vigilant workforce, enterprises can be optimistic about their odds of success, but it requires an environment where people feel rewarded for constantly learning and adapting.

For more information, go to https://www.plusonex.com




Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

Integrated security key to protecting cloud applications
Infrastructure Information Security
Cloud-native applications have transformed the way businesses operate, enabling faster innovation, greater agility, and enhanced scalability. Yet this evolution brings an equally complex security landscape.

Read more...
Factories, grids, and finance: Critical infrastructure cyber lessons of 2025
Asset Management Information Security Industrial (Industry)
Africa has seen an accelerated, large-scale digitisation of our overall industrial base, and this rapid convergence of IT and OT is happening on a foundation that, in essence, was not designed to be cybersecure.

Read more...
Axis signs CISA Secure by Design pledge
Axis Communications SA News & Events Surveillance Information Security
Axis Communications has signed the United States Cybersecurity & Infrastructure Security Agency’s (CISA) Secure by Design pledge, signalling the company’s commitment to upholding and transparently communicating the cybersecurity posture of its products.

Read more...
Eight African cybersecurity trends for 2026
Information Security
Check Point Software Technologies has released eight critical trends shaping Africa’s digital turning point in 2026, noting that their implementation will require the government, the private sector, and key civic institutions to cooperate.

Read more...
The year of the agent
Information Security AI & Data Analytics
The dominant attack patterns in Q4 2025 included system-prompt extraction attempts, subtle content-safety bypasses, and exploratory probing. Indirect attacks required fewer attempts than direct injections, making untrusted external sources a primary risk vector heading into 2026.

Read more...
AI cybersecurity predictions for 2026
AI & Data Analytics Information Security
The rapid development of AI is reshaping the cybersecurity landscape in 2026, for both individual users and businesses. Large language models (LLMs) are influencing defensive capabilities while simultaneously expanding opportunities for threat actors.

Read more...
SMARTpod Talks to Check Point Technologies about the African Perspectives on Cybersecurity report
SMART Security Solutions News & Events Information Security Videos
SMART Security Solutions spoke with Check Point's Hendrik de Bruin about the report, the risks African organisations face, and some mitigation measures.

Read more...
Securing the smart fleet
Information Security Transport (Industry) Logistics (Industry) IoT & Automation
Contributing around 10 to 12% of South Africa’s GDP, the transport and logistics sector supports almost every part of the country’s economic activity. The stakes for keeping these systems secure are higher than ever before.

Read more...
Who are you?
Access Control & Identity Management Information Security
Who are you? This question may seem strange, but it can only be answered accurately by implementing an Identity and Access Management (IAM) system, a crucial component of any company’s security strategy.

Read more...
Check Point launches African Perspectives on Cybersecurity report
News & Events Information Security
Check Point Software Technologies released its African Perspectives on Cybersecurity Report 2025, revealing a sharp rise in attacks across the continent and a major shift in attacker tactics driven by artificial intelligence

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.