DEV Community: Kostiantyn Chertov

Social Engineering: Why Attackers Hack People Instead of Systems

Kostiantyn Chertov — Tue, 09 Jun 2026 07:26:04 +0000

A few years ago, when someone mentioned a cyberattack, most people imagined a skilled hacker breaking into servers, exploiting vulnerabilities, and bypassing security controls.

Today, that image is often wrong.

Many successful attacks don't start with a vulnerability scanner or a sophisticated exploit. They start with an email, a phone call, a LinkedIn message, or a simple request that looks completely normal.

Instead of attacking systems, attackers increasingly target people.

And from their perspective, it makes perfect sense.

Why spend weeks attacking a system?

Imagine two possible scenarios.

In the first one, an attacker spends days or weeks searching for a vulnerability in a company's infrastructure. They need technical expertise, specialized tools, and a bit of luck.

In the second scenario, they send a convincing email to an employee and ask them to log in to a fake portal.

If the employee enters their credentials, the result may be exactly the same.

One approach is difficult.

The other is surprisingly efficient.

This is the core idea behind social engineering.

Social engineering is not a technical attack

One misconception I often see is that people treat social engineering as a cybersecurity problem that belongs entirely to the IT department.

In reality, social engineering is mostly a psychology problem.

Attackers use trust.

They use authority.

They use urgency.

They use curiosity.

And occasionally they use fear.

The goal isn't to break technology.

The goal is to influence a decision.

That's why some of the most successful social engineering attacks have nothing to do with malware or software vulnerabilities.

Sometimes all it takes is a convincing conversation.

Smart people fall for social engineering too

Whenever a major incident happens, people often ask:

"How could someone be fooled by that?"

The answer is simple.

Because attackers don't target stupidity.

They target human behavior.

Experienced developers get distracted.

Executives work under pressure.

Finance teams process dozens of transactions every day.

Administrators receive constant requests for access approvals.

Most people don't make mistakes because they lack knowledge.

They make mistakes because they are human.

And attackers know this.

The age of personalized attacks

The old stereotype of phishing is a poorly written email full of spelling mistakes.

That still exists.

But modern attacks are often far more sophisticated.

Attackers can learn a surprising amount about a company without ever contacting anyone.

LinkedIn profiles reveal organizational structures.

Corporate websites identify key personnel.

Job postings reveal technologies and cloud platforms.

Social media posts provide context about projects, travel, and partnerships.

By the time the first email arrives, the attacker may already know who they are targeting and why.

This makes modern social engineering attacks significantly more convincing than they were ten years ago.

Phishing is only one part of the problem

When people hear the phrase "social engineering," they often think exclusively about phishing emails.

Phishing remains important, but it is only one technique.

Attackers also use:

Phone calls (vishing)
SMS messages (smishing)
Fake recruiters
Business partner impersonation
Executive impersonation
Social media conversations

In many cases, there is no malware involved.

The entire attack depends on communication.

That's what makes social engineering so dangerous.

Security awareness training matters

Most organizations respond to social engineering risks by increasing employee training.

And honestly, that's the right thing to do.

People should learn how to identify suspicious emails.

They should understand why urgent requests deserve extra scrutiny.

They should know how attackers operate.

But training has limits.

People get tired.

People rush.

People multitask.

People have bad days.

No amount of awareness training can eliminate human mistakes completely.

At some point, security needs to account for that reality.

Passwords make social engineering easier

The majority of social engineering attacks ultimately aim for one thing:

Credentials.

For decades, passwords have been the primary target.

The reason is obvious.

A password is a secret that can be voluntarily shared.

It can be typed into a fake website.

It can be revealed over the phone.

It can be written on paper.

It can be stored in the wrong place.

No matter how complex a password is, it becomes useless once it's disclosed.

MFA was a huge improvement

Multi-factor authentication changed the game.

Adding a second factor dramatically increased the difficulty of account compromise.

SMS codes.

Authenticator apps.

Push notifications.

Hardware tokens.

All of these improved security.

But attackers adapted.

Today, phishing kits can capture one-time codes.

Users can approve fraudulent login requests.

Some attackers even abuse what is known as MFA fatigue, repeatedly sending approval prompts until the victim eventually clicks "Accept."

MFA remains essential.

But it isn't the end of the story.

The move toward phishing-resistant authentication

This is where technologies like FIDO2 become interesting.

Instead of relying on shared secrets, FIDO2 uses cryptographic credentials tied to a specific service.

If a user accidentally lands on a fake website, the authenticator simply won't work there.

The credentials cannot be reused.

The attacker gets nothing useful.

From a security perspective, this is a significant shift.

Instead of relying entirely on human judgment, the system itself helps prevent mistakes from becoming incidents.

Social engineering is ultimately a business problem

One thing I find interesting is how often social engineering is treated as a purely technical issue.

Yet the consequences are almost always business consequences.

Financial losses.

Operational disruptions.

Damaged reputation.

Lost customer trust.

These are not IT problems.

These are business problems.

That's why protection against social engineering should involve more than security teams.

It requires leadership, processes, training, and technology working together.

Final thoughts

Social engineering has existed long before computers.

Technology changes.

Human nature doesn't change nearly as quickly.

Modern attackers understand this.

That's why they increasingly focus on people rather than systems.

The challenge for organizations is not to create perfect employees.

The challenge is to build systems that remain secure even when people make mistakes.

Because sooner or later, someone will.

And good security is what happens next.

How does your organization approach social engineering risks? Do you rely mostly on awareness training, or have you started implementing phishing-resistant authentication as well?

Why SMS Codes Are No Longer Enough for Business Security

Kostiantyn Chertov — Tue, 26 May 2026 15:40:34 +0000

For years, SMS codes felt like a solid security upgrade. Businesses moved from password-only logins to “password + SMS verification,” and for a while, that was enough to stop many simple attacks.

Today, the situation is different.

Modern cyberattacks rarely focus on brute-forcing passwords anymore. Attackers usually target people instead. Phishing campaigns, fake Microsoft 365 login pages, compromised devices, and social engineering have become much more common than traditional hacking attempts.

As a result, SMS-based authentication is starting to show its age.

It’s still better than relying on passwords alone — but for modern business infrastructure, SMS is no longer considered strong protection.

Why Companies Started Using SMS Authentication

The main reason was simplicity.

Employees already had mobile phones, so businesses could add an extra login step without buying additional hardware or redesigning their infrastructure.

The process was easy:

Enter a password
Receive an SMS code
Confirm the login

For many organizations, this was their first experience with two-factor authentication (2FA). And honestly, it worked fairly well for years.

But cybersecurity evolves fast.

What used to be considered “secure enough” is now often viewed as a weak point.

The Biggest Problem: SMS Was Never Designed for Security

SMS messages were created for communication, not for high-security authentication.

That becomes a problem when businesses start relying on SMS to protect:

corporate email;
cloud infrastructure;
GitLab or GitHub access;
VPN accounts;
admin panels;
financial systems.

Attackers know this too.

SIM Swapping Is a Real Threat

One of the most dangerous weaknesses is SIM swapping.

In this type of attack, criminals convince a mobile carrier to transfer a victim’s phone number to another SIM card. Once that happens, SMS authentication codes start arriving on the attacker’s device instead of the employee’s phone.

This is no longer a rare or theoretical attack.

For businesses, a compromised phone number can mean unauthorized access to:

Microsoft 365;
Google Workspace;
VPN systems;
internal corporate services.

And the scary part is that the company itself may not notice the compromise immediately.

Phishing Defeats SMS More Easily Than People Think

Many users assume:

“Even if someone steals my password, they still need my SMS code.”

That sounds logical.

The problem is that modern phishing pages steal both at the same time.

Today’s fake login pages can look almost identical to real Microsoft or Google authentication screens. A user enters the password, then types the SMS code — and both pieces of information instantly go to the attacker.

From the victim’s perspective, everything looked normal.

This is one of the main reasons why large tech companies are moving away from SMS authentication.

SMS Depends on External Infrastructure

Another issue is reliability.

SMS delivery depends on:

mobile carriers;
roaming availability;
telecom routing;
signal quality;
device availability.

Codes may:

arrive late;
fail completely;
disappear during travel;
stop working after a phone number change.

For personal accounts, this is annoying.

For businesses, it can disrupt access to critical systems.

Why Modern MFA Is Better

This is where modern MFA (Multi-Factor Authentication) becomes important.

Instead of relying on SMS, companies now increasingly use:

authenticator apps;
push confirmations;
hardware security keys;
FIDO2 tokens;
biometric authentication.

These methods are generally much more resistant to phishing and account takeover attempts.

Authenticator Apps

Apps like:

Microsoft Authenticator;
Google Authenticator;
Authy

generate one-time codes directly on the device.

No mobile carrier is involved.

That removes several weaknesses at once.

Push-Based Authentication

Push MFA is becoming especially popular in enterprise environments.

Instead of typing codes manually, employees simply approve or deny a login request on their phone.

This improves:

usability;
speed;
suspicious login visibility.

Some systems even show:

device information;
location;
IP address;
browser details.

That helps users recognize unusual login attempts faster.

FIDO2 Security Keys Are Changing the Game

Hardware security keys are currently one of the strongest MFA methods available.

Unlike SMS codes, FIDO2 keys are phishing-resistant by design.

Even if a user lands on a fake login page, the key usually will not authenticate because it is tied to the legitimate domain.

That’s a major improvement over traditional SMS verification.

FIDO2 adoption is growing quickly across:

Microsoft 365;
GitHub;
GitLab;
Google Workspace;
enterprise VPN systems.

Businesses Are Gradually Moving Away From SMS

Most companies won’t replace SMS overnight.

But many are already limiting SMS usage to lower-risk scenarios while moving critical accounts to stronger MFA methods.

Usually the first systems upgraded are:

admin accounts;
DevOps environments;
corporate email;
cloud infrastructure;
financial platforms;
executive accounts.

This gradual approach makes the transition much easier for employees.

Good Security Should Also Be Practical

One important thing businesses often forget:

Security that is too complicated eventually gets bypassed by users.

That’s why modern MFA implementation is not just about “adding another step.”

The goal is to build a system that:

protects accounts;
reduces phishing risks;
stays usable for employees;
works in daily business operations.

Final Thoughts

SMS codes helped businesses move beyond password-only protection, and they still provide some value today.

But modern cyber threats exposed their limitations.

SIM swapping, phishing attacks, and telecom dependency make SMS authentication too weak for many business-critical systems.

That’s why more organizations are adopting modern MFA solutions like authenticator apps, push verification, and FIDO2 security keys.

If your company still relies heavily on SMS authentication, now is probably the right time to reconsider the long-term security strategy.

You can read more about modern MFA and business authentication approaches here:

👉 https://sm4rt-lab.tech/en/multi-factor-authentication-mfa/

Why Phishing-Resistant MFA Matters More Than Ever

Kostiantyn Chertov — Thu, 21 May 2026 07:59:54 +0000

A few years ago, enabling MFA was already considered a serious step forward for most businesses.

If a company used strong passwords together with SMS codes or an authenticator app, that was usually enough to feel reasonably protected. Many organizations stopped there, assuming attackers would move on to easier targets.

But things changed surprisingly fast.

Modern phishing attacks no longer look like the clumsy fake emails people used to joke about. Some of today’s phishing pages are almost indistinguishable from legitimate Microsoft 365, Google, or cloud service login portals. In many cases, even technically experienced users can get caught off guard, especially during a stressful workday.

And that creates a difficult situation:
companies improve authentication, attackers improve phishing techniques, and the gap between convenience and security becomes smaller every year.

Traditional MFA Still Helps — But It Has Limits

To be fair, classic MFA is still far better than relying on passwords alone.

Even basic second-factor authentication can stop:

password reuse attacks,
credential stuffing,
simple brute-force attempts,
and many automated login attacks.

The problem is that attackers adapted.

Today there are phishing kits capable of intercepting credentials and one-time verification codes in real time. Some attacks even proxy the entire login session, forwarding information between the victim and the legitimate service almost instantly.

From the user’s perspective, everything looks normal.

They enter credentials, approve MFA, and continue working — without realizing somebody else may now have access to the authenticated session.

For smaller businesses, this often comes as a surprise. Many still assume advanced phishing attacks target only large enterprises. In reality, attackers increasingly focus on organizations with weaker protection and limited internal security expertise.

The Human Side of Security

One thing becomes obvious after enough real-world incidents:

People are rarely the actual problem.

Most employees are not careless. They are simply busy.

A user opens email while answering messages in Slack, joining a Teams call, approving invoices, and trying to finish tasks before the end of the day. Under those conditions, even obvious security advice becomes harder to follow consistently.

This is why relying entirely on “user awareness” is not always realistic.

Security systems should help people avoid mistakes, not assume humans will behave perfectly forever.

That idea is one of the main reasons phishing-resistant authentication is gaining attention.

So What Makes MFA “Phishing-Resistant”?

The key difference is that authentication becomes tied to the legitimate website itself.

Technologies like:

FIDO2,
WebAuthn,
hardware security keys,
and passkeys

use cryptographic verification instead of manually entered temporary codes.

In practice, this means a fake login page cannot simply “reuse” the authentication process the same way older phishing attacks often do.

Even if somebody accidentally opens a malicious website, the authentication device checks whether the domain actually matches the legitimate service.

That small detail changes a lot.

Instead of depending entirely on the user spotting every phishing attempt, the authentication system itself becomes part of the defense.

Hardware Security Keys Feel Different in Practice

One interesting thing about hardware authentication keys is that people often expect them to feel complicated.

In reality, many users find them easier than older MFA methods after a short adjustment period.

There is:

no waiting for SMS messages,
no copying six-digit codes,
no endless push notifications,
and fewer opportunities to approve something accidentally.

The login process becomes shorter and more predictable.

From an infrastructure perspective, security teams also gain stronger protection against:

session hijacking,
credential replay,
and several common phishing techniques.

For organizations with remote employees or distributed teams, that additional protection can matter quite a lot.

MFA Fatigue Is a Real Issue

A few years ago, many people viewed push-based MFA as one of the best balances between convenience and security.

Then attackers discovered MFA fatigue attacks.

Instead of bypassing authentication technically, they simply bombard users with repeated approval requests until somebody clicks “Accept” out of frustration, confusion, or exhaustion.

It sounds ridiculous until you remember how people actually work.

A tired employee receiving dozens of login prompts late in the evening may eventually approve one just to stop the notifications.

Unfortunately, several major security incidents have already involved this exact tactic.

Phishing-resistant authentication significantly reduces the effectiveness of these attacks because approval alone is no longer enough without proper cryptographic validation.

Small Businesses Are Increasingly Targeted

One dangerous misconception is that smaller companies are “too small to matter.”

Attackers often prefer easier targets.

A compromised:

hosting account,
WordPress admin panel,
email mailbox,
cloud dashboard,
or shared company password manager

can still lead to financial loss, data exposure, or reputational damage.

And unlike large enterprises, small businesses rarely have dedicated incident response teams available when something goes wrong.

In practice, many successful attacks begin with something surprisingly ordinary:
a phishing email, a reused password, or a stolen session cookie.

That is why authentication security deserves more attention than it sometimes receives.

Passwordless Authentication Is Slowly Becoming Normal

The industry is gradually moving toward passwordless systems.

Companies like:

Google,
Microsoft,
Apple,
GitHub,
and many enterprise SaaS providers

are already investing heavily in passkeys and FIDO2 authentication flows.

Passwords probably will not disappear tomorrow, but their importance is clearly shrinking.

And honestly, most people would not miss them.

Few users enjoy managing dozens of passwords, rotating credentials, or dealing with account recovery after phishing incidents.

The long-term direction seems fairly obvious:
authentication should become both safer and less frustrating.

Security Usually Improves Through Small Decisions

One thing that sometimes gets overlooked in cybersecurity discussions is that meaningful protection rarely comes from a single dramatic change.

Usually, security improves because organizations make dozens of smaller practical decisions over time.

Things like:

enabling proper MFA,
limiting privileged access,
separating admin accounts,
monitoring suspicious logins,
reducing password reuse,
and improving phishing resistance

do not always sound exciting individually.

But together, they make attacks significantly harder.

And for many businesses, that is exactly the goal:
not becoming impossible to attack, but becoming much harder to compromise than the average target.

Final Thoughts

Authentication is no longer just a login screen problem.

It has become one of the main battlegrounds in modern cybersecurity.

Attackers understand that stealing credentials is often easier than exploiting infrastructure directly. At the same time, organizations are trying to balance usability, remote work, cloud adoption, and growing security requirements.

Phishing-resistant MFA is not a perfect solution to every problem.

But it is one of the more practical improvements businesses can make today — especially in environments where email, cloud services, and remote access have become central to everyday work.

And perhaps most importantly, it moves security closer to something users can realistically live with instead of constantly fighting against.

Why We Started Writing About Cybersecurity

Kostiantyn Chertov — Wed, 20 May 2026 11:15:00 +0000

Cybersecurity has stopped being a topic only for large enterprises.

Today, even small businesses depend on:

cloud services,
email communication,
electronic signatures,
WordPress websites,
remote access,
MFA authentication,
online payments.

At the same time, phishing attacks, credential theft, and social engineering are becoming more sophisticated every year.

We created Smart Lab to focus on practical security:
not theoretical checklists, but solutions businesses can actually implement.

Here on DEV Community, we plan to share:

practical MFA and authentication insights,
phishing protection approaches,
FIDO2 and passwordless authentication,
WordPress security improvements,
secure infrastructure practices,
lessons learned from real-world projects.

We’re especially interested in the intersection of:
security, usability, and real business needs.

Looking forward to joining the DEV Community.