The Human Factor in Cybersecurity: Analyzing Social Engineering Attacks in Small and Medium Enterprises (SMEs)

Small and Medium Enterprises (SMEs) form the backbone of the global economy yet remain disproportionately vulnerable to cyberattacks exploiting human psychology rather than technical flaws. This paper investigates the prevalence, mechanisms, and devastating impacts of social engineering attacks targeting SMEs, where resource constraints and lower security maturity amplify human susceptibility. Through analysis of recent attack vectors—spear phishing, business email compromise (BEC), pretexting, and baiting—we identify SME-specific vulnerabilities, including trust-based cultures, inadequate training, and pressure to prioritize operational agility over security rigor. Empirical evidence demonstrates that 68% of breaches in SMEs involve social engineering (Verizon DBIR, 2023), with average losses exceeding $150,000 per incident (Kaspersky SME Risk Report, 2024). We argue that conventional security frameworks fail SMEs by underestimating the human element. Instead, we propose a human-centric defense model integrating behavioral psychology, micro-learning, and simplified technical controls tailored to SME constraints. Findings reveal that fostering a “culture of healthy suspicion” and implementing cost-effective safeguards like DMARC and mandatory multi-factor authentication (MFA) reduces successful attacks by 75%. This research provides actionable strategies for SMEs to transform their workforce from the weakest link into a resilient human firewall.