Social engineering is the manipulation of people, not technology, to steal money, data or system access. Instead of breaking through your firewall, attackers exploit your trust: a fake invoice, an urgent phone call, a text that looks like it’s from your bank. For Australian small businesses, it’s one of the most common ways a breach begins.
Key Takeaways
- Social engineering targets people rather than systems, using deception to steal money, data or access.
- The Australian Signals Directorate received over 84,700 cybercrime reports in 2024-25, one every six minutes (ASD Annual Cyber Threat Report).
- The average cybercrime cost for Australian small businesses rose 14% to $56,600 per report.
- Phishing was Australia’s most reported scam in 2025, with 65,361 reports to Scamwatch.
- Staff training, payment verification steps, and email security stop most attacks before they start.
What Is Social Engineering?
Social engineering is a cyber attack method that tricks people into handing over confidential information, transferring money or granting access to systems. The Australian Signals Directorate (ASD) received more than 84,700 cybercrime reports in 2024-25, an average of one every six minutes, according to the ASD Annual Cyber Threat Report. These attacks don’t exploit software flaws; they exploit trust, and they’re aimed at your staff.
Attackers do their homework first. They’ll scan your website, LinkedIn profiles, and social media to learn who approves payments, which suppliers you use, and when key staff are away. Then they impersonate someone you trust. It works because it exploits normal workplace habits: helpfulness, urgency, and respect for authority. Technical controls still matter, but your people are the front line. Our cyber security services in Perth cover both sides.
What Are the Most Common Social Engineering Attacks?
Phishing was the most reported scam in Australia in 2025, with 65,361 reports to Scamwatch and $97.6 million in losses, according to the National Anti-Scam Centre. It’s one of several social engineering techniques aimed squarely at busy staff.
| Attack type | How it works | What it looks like |
|---|---|---|
| Phishing | Mass emails imitating trusted brands | A “password reset” link from your bank |
| Spear phishing / BEC | Targeted emails impersonating executives or suppliers | A fake invoice with changed bank details |
| Vishing | Phone calls impersonating IT support or banks | “We’ve detected a problem with your account” |
| Smishing | SMS messages with malicious links | A parcel delivery text asking you to click |
| Pretexting | An invented scenario built on researched detail | A “new supplier contact” confirming payment terms |
Business email compromise deserves special attention. One convincing email asking accounts to update a supplier’s bank details can redirect weeks of cash flow in a single transfer. Scamwatch tracks the current wave of phishing and impersonation scams.
Why Do Hackers Target Australian SMBs?
Small businesses hold the same valuable data as large enterprises: client records, payment details, and login credentials, but usually with fewer defences. The average self-reported cost of cybercrime for Australian small businesses rose 14% to $56,600 per report in 2024-25, and Australians reported $2.18 billion in scam losses across 2025.
Criminals know that smaller teams rarely run security awareness training and that one person often handles both invoices and payments without a second sign-off. That’s exactly the gap social engineering is designed to slip through. Our guide to cybersecurity for Australian small businesses covers the wider threat picture.
How Can You Protect Your Business from Social Engineering?
Most social engineering attacks fail when staff know what to look for and payment processes include one verification step. These five controls block the majority of attempts:
- Train your team regularly. Short, practical sessions beat annual box-ticking. Include simulated phishing tests.
- Verify payment changes by phone. Always call the supplier on a number you already have, never one from the email.
- Turn on multi-factor authentication. Stolen passwords become useless without the second factor.
- Harden your email. Filtering and anti-spoofing controls catch threats before staff see them. Our email security services handle this layer.
- Align with the Essential Eight. The framework builds layered protection. See our Essential Eight guide.
If something does get through, a tested backup and recovery plan limits the damage.
Frequently Asked Questions
Not quite. Phishing is one type of social engineering, delivered by email. Social engineering is the broader tactic of manipulating people, which also covers phone scams (vishing), SMS scams (smishing) and in-person deception. All rely on trust rather than technical hacking.
Urgency is the biggest red flag: “pay now”, “your account will be locked”, “the director needs this today”. Watch for unexpected payment detail changes, email addresses that are slightly off, and requests to bypass normal process. When in doubt, verify by phone.
Act fast. Contact your bank immediately to attempt a funds recall, change affected passwords, enable MFA and report the incident through ReportCyber and Scamwatch. Then review how it happened, without blaming the employee, and close the gap with training or process changes.
Quarterly short sessions work better than one long annual course. Threats change quickly, and regular exposure keeps scam recognition fresh. Pair training with occasional simulated phishing emails to measure whether the message is sticking.



