Cyber Security

What is Social Engineering?

Social Engineering

Social engineering has become one of the most effective (and most frustrating) techniques used in modern cybercrime. Not because it’s “high tech”, but because it targets the most complex part of any security system: people.

While security software keeps improving, attackers increasingly rely on psychological tactics – urgency, curiosity, fear, authority, and helpfulness – to trick someone into handing over access, money, or sensitive information. In other words, social engineering isn’t primarily about hacking computers. It’s about hacking decisions.

The term “social engineering” was popularised in the cybersecurity world in the 1990s by Kevin Mitnick – who became known for showing how easily people could be manipulated into revealing information or granting access.

In this guide, we’ll explain what social engineering is, why it works, the most common types of attacks (with modern examples), and practical steps you can take – at home or at work – to reduce your risk.

What is social engineering?

Keyword stuffing often starts with a logical thought:Social engineering is a method of manipulation where an attacker tricks someone into taking an action that benefits the attacker, such as sharing credentials, approving a payment, downloading malware, or granting access to a system.

Cybersecurity agencies consistently describe phishing as a form of social engineering – using email or malicious websites to impersonate trusted organisations and “solicit” personal information.

Social engineering can happen through:

Email (phishing, spear phishing, invoice scams)
Phone calls (vishing)
SMS/text messages (smishing)
Social media DMs and fake profiles
Collaboration tools (Teams/Slack impersonation)
In-person tactics (tailgating into an office)
Hybrid approaches (a call that follows a convincing email)

The key point: attackers don’t need to break encryption if they can convince a person to open the door.

Why social engineering works (the psychology behind it)

Social engineering succeeds because it exploits predictable human behaviour – especially in busy workplaces where speed matters.

Common psychological triggers include:

Urgency: “Your account will be locked in 30 minutes.”
Authority: “This is IT / the CEO / the bank / the ATO.”
Fear: “Suspicious activity detected - verify now.”
Curiosity: “Is this you in the video?”
Reciprocity: “We helped you - now do this quick step.”
Scarcity: “Limited-time offer / final reminder.”
Social proof: “Everyone has already completed this verification.”

Attackers also build credibility by collecting bits of information from multiple sources. Even a small detail (job title, colleague name, vendor you use) can make a scam feel real.

The most common types of social engineering attacks

1) Phishing (email-based deception)

Phishing is still the most common gateway into broader compromise. It usually aims to get you to do one of three things:

1. Click a malicious link (leading to a fake login page or malware)

2.Open an attachment (weaponised PDF/Office file, or a ZIP with malware)

3. Reply with sensitive info (credentials, account details, invoices, identity documents)

Typical phishing formats include:

Modern phishing is often tailored. Attackers may reference real projects, real suppliers, or a manager’s name.

Spear phishing and whaling

2) Smishing (SMS/text phishing)

Smishing messages often look like:

In Australia, scams targeting myGov accounts have been widely reported – often using fake links to capture login details and then changing bank details to redirect refunds.

3) Vishing (voice phishing)

Vishing is when attackers call and impersonate a trusted party – IT support, a bank, telco, vendor, or government service.

Vishing works because it creates pressure in real time. People can’t “hover to preview a link” on a phone call.

A key trend is combining channels:

Australian media have reported incidents involving vishing tactics targeting staff (including call-centre environments), demonstrating how attackers can bypass normal friction by manipulating a person at the point of contact.

4) Pretexting (a believable story)

Pretexting is when an attacker invents a plausible scenario to extract information or get a task done.

Examples:

“I’m from your IT provider - there’s a critical patch failure.”
“I’m a new starter - HR told me to contact you for access.”
“I’m from your bank’s fraud team - confirm your identity.”
“I’m from a supplier - your payment has failed; I’ll send new bank details.”

Pretexting is especially dangerous when paired with small, true details gathered from LinkedIn or leaked data.

5) Baiting (temptation and curiosity)

Baiting offers something enticing to lure a click or download:

Baiting can also be physical—like leaving infected USB drives in a car park or office lobby. Universities and security awareness programs commonly describe baiting as using a false promise to lure victims into malware or theft.

6) Quid pro quo (“I’ll help you if you…”)

Here the attacker offers something in exchange for access or information:

This is often disguised as free help or support – exactly the kind of offer that feels convenient when you’re busy.

7) Tailgating and physical social engineering

Not all social engineering happens online. Tailgating is when someone follows staff into a restricted area by acting like they belong there:

A strong security culture (and simple habits like not holding doors open for strangers in secure areas) can prevent this.

8) MFA fatigue and “verification” manipulation

Multi-factor authentication (MFA) is essential, but attackers have adapted.

Common tactics include:

Australian government guidance emphasises MFA as a key protective measure, but it only works properly when staff understand when not to approve prompts.

Real-world warning signs: how to spot social engineering quickly

Use this checklist to “pattern match” suspicious contact—especially when you’re under pressure.

Message red flags (email/SMS/social)

A demand for urgent action
Unexpected links, attachments, or login pages
Pressure to bypass normal process (“Don’t raise a ticket—just do it now”)
Strange sender domains (lookalikes, swapped letters)
A change in payment details or invoice destination
“Kindly” + awkward grammar isn’t definitive, but can be a clue
The message doesn’t match the sender’s usual tone or workflow

Phone-call red flags

How to prevent social engineering attacks (practical, modern habits)

1) Slow the process down (even 30 seconds helps)

Most social engineering relies on speed. Introduce a “pause” habit:

2) Verify requests using known contact details

If an email says it’s your bank, don’t use the email’s number or link. Use:

3) Treat MFA codes like passwords

Never share:

Government guidance strongly supports MFA as a protective control, but the user behaviour around prompts is what makes it effective.

4) Lock down email and account access

For individuals and businesses:

5) Reduce what attackers can learn about you

Attackers often use LinkedIn and social profiles to craft believable pretexts.

Consider:

6) Update devices and security tools consistently

Social engineering frequently delivers malware—but updated systems reduce the damage if something gets clicked.

Minimum baseline:

7) Build a workplace culture that rewards reporting (not blame)

People hide mistakes when they fear punishment. That gives attackers more time.

Make it normal to report:

What to do if you think you’ve been targeted (or you clicked)

Speed matters, but panic doesn’t help. Use this response plan.

If you clicked a link or opened an attachment

1. Disconnect from the internet (Wi-Fi off / unplug cable if practical)

2. Report to IT immediately (or your provider/MSP)

3. Do not keep “testing” the link or forwarding it to colleagues

4. If credentials were entered, change passwords immediately (from a clean device)

5. Revoke sessions if the platform supports it (Microsoft/Google often do)

If you shared a password or MFA code

If it’s a payment/invoice scam

Social engineering prevention for businesses (a modern security baseline)

If you manage a business—especially with remote staff, shared inboxes, and cloud tools—social engineering should be treated as a core operational risk.

High-impact controls to implement

Security awareness training (short, frequent, role-based)
Phishing simulations (to build muscle memory)
MFA everywhere (email, VPN, payroll, finance, admin portals)
Strong offboarding (accounts disabled fast, tokens revoked)
Payment verification policy (two-person approval + callback rule)
Least privilege access (reduce blast radius)
Incident response playbook (who to call, what to do, what to isolate)

Australian fraud and cyber authorities have highlighted how impersonation and social engineering can be used to obtain credentials or bypass controls, reinforcing the need for layered processes—not just tools.

These are some of the general ways to avoid falling into the social engineering trap and secure one’s sensitive data. If it comes to the worst, contact us or reach out to our cybersecurity team in Perth at cybersecurity@computingaustralia.group for help in case of social engineering attacks.

Jargon Buster

Multi-factor authentication – An authentication method in which a user is granted access to a device, app or website only after presenting two or more authentication factors.

Malware – A term for Malicious Software that is intended to cause harm to devices, networks and servers. Common types include viruses, ransomware, spyware etc.