In early 2016, a U.S. Department of Justice data breach resulted in the theft of a wide range of confidential information, including the names, email addresses, phone numbers and job descriptions for roughly 20,000 FBI agents and 9,000 Department of Homeland Security employees. What is particularly shocking about this breach is that it was not the result of some technically sophisticated attack by state-sponsored cybercriminals.

It was a 16-year-old kid sitting in his bedroom in Coalville, England.

Now 18, Kane Gamble was sentenced in April to two years in a youth detention facility. During his trial, it became clear how ridiculously easy it was to obtain all this confidential information. He simply called the DOJ, pretended to be a new employee who was having trouble accessing the department’s web portal and was promptly given the security token that allowed him to access the DOJ intranet.

As companies strive for better data privacy and cybersecurity, the case is a reminder that social engineering — often in the form of surprisingly simple con jobs — remains the biggest threat. A new report from the cybersecurity firm Proofpoint claims that as many as 95 percent of observed attacks in 2017 exploited the “human factor” rather than relying on software and hardware vulnerabilities.

In its report, titled “The Human Factor 2018,” the company reports that the instincts of curiosity and trust make people much easier to exploit than technical vulnerabilities. Based on analysis of attack attempts across more than 6,000 organizations worldwide throughout 2017, the report examines a variety of ruses hackers use to convinced people to disable or ignore security, click links, open documents, or download malicious files.

Email phishing lures remain the dominant attack method, although similar attacks using text messaging (SMShing) and the telephone (vishing) are also quite common. However, attackers are increasingly using social media and mobile apps to trick users into infecting their own systems. Proofpoint says that one in five clicks on malicious URLs occurred off the network, many of them from social media and mobile devices.

Proofpoint also found that accounts such as Google Drive and Dropbox that are used to share files and images have become effective “lures” for email phishing campaigns. Typically, users will receive a legitimate-looking email saying that a document or picture has been shared with them in an attempt to get victims to enter login credentials on a fake sign-in page.

Because email is the most likely contact mechanism for phishing attacks, organizations should consider deploying robust security measures that operate within the email flow. For example, a real-time malware analysis solution at the email gateway can detect and block many threats before they ever reach an employee’s inbox.

Emerging solutions are utilizing machine learning to assess the threat posture of inbound email. They use both global and local telemetry data combined with analytics and modeling to validate the reputation and authenticity of senders. This helps organizations understand which emails carry targeted phishing attacks so only legitimate emails reach an employee inbox.

However, it is a mistake to view these threats as strictly a technology issue. With hackers actively working to exploit people instead of software flaws, establishing a strong “human firewall” through internal security policies and training is just as important as investing in cybersecurity tools.