Social engineering: how to protect your business from attack
Following a high-profile incident involving Qantas which saw the personal information of 5.7 million customers exposed, social engineering is in the spotlight.
Socially engineered attacks – also known as ‘hacking the human’ – are a popular tactic amongst cybercriminals, and it is a crime that is on the rise.
The Office of the Australian Information Commissioner (OAIC) warned that 28% of malicious breaches in the second half of 2024 involved social engineering. The Notifiable Data Breaches Report: July to December 2024 noted there had been “a significant increase in data breaches caused by social engineering and impersonation, the manipulation of people into carrying out specific actions or divulging information”.
What is social engineering?
Social engineering is the act of exploiting human psychology to manipulate individuals into divulging confidential information or performing actions that compromise security.
“Social engineering attacks manipulate people into sharing information that they shouldn’t share, downloading software that they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals or making other mistakes that compromise their personal or organisational security,” explains IBM.
“Social engineering is attractive to cybercriminals because it enables them to access digital networks, devices and accounts without having to do the difficult technical work of getting around firewalls, antivirus software and other cybersecurity controls.”
Instead of ‘hacking’ their way into a system, the attackers get someone trusted with access to give them an ‘in’ by handing over log-ins, passwords or other sensitive information. Cybercriminals use deception, impersonation and psychological tricks to manipulate a person into giving them access to information or data. According to the Commonwealth Fraud Prevention Centre, “they fabricate a sense of urgency and weaponise the human qualities of empathy and trust to manipulate individuals.”
The OAIC defines a social engineering/impersonation attack as: “An attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations.”
Once a cybercriminal has access to the information, they can use it to carry out a range of crimes including identity theft, ransomware attacks, extortion, and fraud. In some cases, the hacker will get the victim to directly transfer funds.
Qantas’ cyberattack
On 30 June 2025, Qantas suffered a cyberattack that led to the theft of the personal data of 5.7 million of its customers.
Cybercriminals used social engineering tactics to convince a staff member at a third-party platform used by a Qantas airline contact centre to share frequent flyer member data.
The cybercriminals used AI to impersonate Qantas staff and coerced a Manila-based call centre employee into sharing the information.
The data exposed included some customers’ names, email addresses, home/business addresses, phone numbers, birth dates, and frequent flyer numbers. The airline advised that no credit card details, personal financial information, or passport details were held in the infiltrated system. No frequent flyer accounts were compromised, and no passwords, PINs or log-in details were accessed.
Qantas quickly obtained an injunction to limit any person from publishing customer information – a move supported by the New South Wales Supreme Court. The airline also notified authorities about the breach (including the Australian Cyber Security Centre, the OAIC, as well as privacy and data protection regulators in a number of other relevant jurisdictions) and said it was working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre (ACSC) and independent specialised cybersecurity experts. Given the criminal nature of the incident, the Australian Federal Police were also notified.
The cybercriminals later contacted the airline to advise they had stolen the data. No details of any demands have been made public. There is currently no evidence that the data has been leaked on the clear web or the dark web.
In the wake of the incident, the airline has implemented tighter access restrictions and enhanced security monitoring. The airline has also advised customers to be wary of scammers impersonating Qantas and enticing them to click through links or share personal details.
Qantas may also face a class action. Law firm Maurice Blackburn has made a representative complaint to the OAIC against Qantas for a breach of the Privacy Act 1988.
How social engineering works
While social engineering attacks do not follow a fixed strategy, as cybercriminals often adapt their tactics based on the victim, situation, and context, there are certain common elements that most social engineers employ, according to GeeksForGeeks.org:
- Research: cybercriminals gather information about their targets to help create a convincing narrative.
- Pretext creation: the cybercriminal develops a believable scenario or identity to gain the victim’s trust, such as posing as a company executive or IT support.
- Execution: the cybercriminal then engages with the victim, often creating a sense of urgency or fear to prompt quick action, such as clicking a malicious link or providing sensitive information.
- Exploitation: once the victim responds, the cybercriminal exploits the trust established through the pretext.
- Capitalising: after successfully obtaining the desired information or access, the cybercriminal takes advantage of it, for example by committing financial fraud, accessing sensitive systems, installing ransomware, or selling stolen data.
- Cover-up: social engineers are often skilled at erasing signs of their presence so, after exploiting the victim, they may delete or modify logs or use encryption.
Social engineering targets and tactics
Any individual or business could be the target of a social engineering attack. However, the most popular targets are those with access to valuable information or influence such as large private entities and government agencies, notes the Commonwealth Fraud Prevention Centre. According to the ACSC, cybercriminals will “often prioritise the targeting of certain individuals or staff due to factors of value such as their profile, access to sensitive information, ability to make changes to systems, authority to perform high-impact actions (such as approving financial transactions or granting system access), or whose roles require regular interaction with unknown or external parties”. Amongst those most frequently targeted are:
- high-profile individuals
- senior managers and their staff
- system administrators and IT service desks, and
- human resources, sales, marketing, finance and legal staff.
Getting the person trusted with access to give it up frequently involves crafting messages that appear legitimate and trustworthy.
The eSafety Commissioner wrote: “Bad actors know how to manipulate the social fabric of our interpersonal relationships to get what they want: information, access, insight. The kitbags of these social engineers are filled with powerful and subtle tools. Act with authority, and those around you will assume you’re in charge. Confect a crisis, and people will try to help. Intimidation is a blunter tool, but no less effective – most of us will do just about anything to avoid conflict. Some use the idea of transitive trust: Dan trusts Mohammed, Mohammed trusts Kate, so Dan may feel he can also trust Kate. But it’s bad news for Dan if Kate is compromised.”
In fact, some cybercriminal gangs specialise in social engineering attacks. According to private cybersecurity firm CyberCX, gangs like Scattered Spider (which was initially thought to be behind the Qantas hack) use “social engineering practices by impersonating employees or contractors to deceive internal systems operators into providing information such as log-in credentials or granting access to systems to bypass multi-factor authentication processes.” Scattered Spider has previously used vishing – phoning IT support lines and impersonating employees – to obtain log-in credentials or reset access. According to the FBI, the techniques the group uses involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorised MFA devices to compromised accounts. “Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware.”
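As an added defensive illustration (not code from this article or from any organisation it cites), the Python below detects the help-desk pattern just described: an MFA device enrolled shortly after a help-desk-initiated credential reset, rated more severe when the enrolment comes from an address the user has never signed in from. The log format, field names, thresholds and sample events are all assumptions constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample identity-provider audit log (one JSON object per line).
# These events are invented for the example and do not come from any real system.
SAMPLE_LOG = """
{"ts": "2025-06-30T15:00:00", "user": "j.doe", "event": "login_success", "ip": "10.0.5.88"}
{"ts": "2025-07-01T09:02:10", "user": "j.doe", "event": "helpdesk_password_reset", "actor": "helpdesk.agent7", "ip": "10.0.5.21"}
{"ts": "2025-07-01T09:06:42", "user": "j.doe", "event": "mfa_device_added", "device": "authenticator-app", "ip": "203.0.113.45"}
{"ts": "2025-07-01T09:07:30", "user": "j.doe", "event": "login_success", "ip": "203.0.113.45"}
{"ts": "2025-07-01T11:15:00", "user": "a.smith", "event": "login_success", "ip": "10.0.7.14"}
{"ts": "2025-07-01T11:20:00", "user": "a.smith", "event": "mfa_device_added", "device": "authenticator-app", "ip": "10.0.7.14"}
""".strip()

RESET_WINDOW = timedelta(minutes=30)    # assumed: how soon after a reset an MFA enrolment is suspicious
KNOWN_IP_LOOKBACK = timedelta(days=30)  # assumed: prior sign-ins that define a user's "known" addresses


def parse_log(text):
    """Parse newline-delimited JSON events and sort them chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_mfa_enrolments(events):
    """Flag MFA device registrations that closely follow a help-desk credential reset.

    An enrolment with no preceding reset is ignored. Each alert records whether the
    enrolment came from an address the user had not signed in from during the
    look-back period, which is the stronger signal that an impostor is enrolling.
    """
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "mfa_device_added":
            continue
        earlier = events[:i]  # sorted, so everything before index i happened before e
        resets = [r for r in earlier
                  if r["user"] == e["user"]
                  and r["event"] == "helpdesk_password_reset"
                  and e["ts"] - r["ts"] <= RESET_WINDOW]
        if not resets:
            continue
        known_ips = {l["ip"] for l in earlier
                     if l["user"] == e["user"] and l["event"] == "login_success"
                     and e["ts"] - l["ts"] <= KNOWN_IP_LOOKBACK}
        new_ip = e["ip"] not in known_ips
        alerts.append({
            "user": e["user"],
            "device": e.get("device"),
            "reset_by": resets[-1].get("actor"),
            "minutes_after_reset": round((e["ts"] - resets[-1]["ts"]).total_seconds() / 60, 1),
            "from_new_ip": new_ip,
            "severity": "high" if new_ip else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_enrolments(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, only j.doe is flagged: the enrolment arrives four and a half minutes after the help-desk reset from an address with no prior sign-in history, whereas a.smith's enrolment has no preceding reset.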
Summary – Social engineering tactics
Cybercriminals frequently impersonate someone the target trusts such as a colleague, senior manager or a legitimate business. Social engineering attacks can take numerous forms, including:
- Phishing: fake emails or texts posing as legitimate companies or entities are used to trick people into handing over information or providing access to it.
- Spear phishing: like phishing but targeted, with customised messages aimed directly at individuals or teams.
- Vishing (voice phishing): the phone version of phishing, using calls or automated messages that sound official and ask people to disclose personal or sensitive information.
- Whaling: similar to spear phishing but targets high-profile individuals such as executives, celebrities or politicians.
- Clone phishing: where a legitimate email is used to create an almost identical or ‘cloned’ email but with some critical changes.
- Baiting: people are lured into revealing personal information or installing malware by the criminal making false promises.
- Diversion theft: confidential information is stolen by tricking the person into sending it to the wrong recipient; this often involves spoofing (where cybercriminals disguise themselves as a known or trusted source).
- Business email compromise (BEC) and CEO fraud: cybercriminal poses as a trustworthy executive who is authorised to deal with financial matters within the organisation and sends an email requesting their subordinates make funds transfers, change banking details, or carry out other money-related tasks.
- Smishing (SMS phishing): phishing conducted specifically through SMS messages.
- Quid pro quo: cybercriminal requests sensitive information from a person in exchange for a desirable service.
- Pretexting: involves cybercriminals creating a fabricated (yet plausible) scenario to obtain information from a person.
- Honeytrap: specifically targets individuals looking for love on online dating websites or social media.
- Deepfaking: uses AI technologies to create realistic images, videos or audio to manipulate or deceive.
- Scareware: tricks people into thinking their computer is infected with malware, urging them to install software that is actually malware itself.
- Watering hole attack: cybercriminal identifies a website or resource their target group frequently uses and infects it with malware to compromise members of the group.
- Ransomware: a type of malicious software, or malware, that encrypts a person’s files, and the cybercriminal then demands a ransom to restore access to the data.
- Tailgating or piggybacking: a physical breach whereby a criminal gains access to a facility by asking the person entering ahead of them to hold the door or grant them access.
Social engineering fraud
Cybersecurity firm Secureframe reported the average organisation now faces more than 800 social engineering attacks each year (that’s more than two attacks every single day) and 99% of all successful cyberattacks involve some form of social engineering.
A key risk for all businesses is social engineering fraud (SEF) – a form of deception used to manipulate a staff member into divulging confidential information or inducing fraudulent monetary transfer. SEF is a cybercrime that is not only on the rise, but ever evolving.
SEF has become one of the most frequent causes of financial loss for businesses. According to one source, Australians lose about $40 million a month to social engineering scams. IBM notes data breaches caused by social engineering tactics (such as phishing and BEC) are among the most costly.
As technology advances, so do the tactics employed by cybercriminals seeking to exploit human psychology rather than technical vulnerabilities. With the advent of AI and voice-cloning, SEF has evolved from rudimentary email scams to advanced tactics including deepfakes and real-time impersonation.
The ACSC notes: “Recent advancements in artificial technology (AI) have amplified the effectiveness of social engineering techniques. Malicious actors have weaponised empathy, urgency and trust to trick individuals or staff into circumventing regular processes to achieve their goal.”
SEF and insurance
If a business falls victim to SEF it may look to its insurance. But will it be covered? This will depend on the type of policy the business has, and on the policy wording.
There are two insurance products which clients might expect to cover SEF – cyber and crime. However, it is very important to be aware of the policy wording in respect to losses due to SEF. Depending on the policy, there may not be any cover, or there may be a sub-limit.
Some cyber insurance policies are designed to protect against cyber liabilities (the legal costs and expenses related to data breaches, including compensation payments), others against cybercrime (losses related to various types of digital fraud, including phishing attacks and other cyber deception tactics), and others still cover a combination of the two. Crucially, a number of cyber insurance policies exclude SEF.
There may also be no coverage for SEF under a standard crime/fidelity policy. This is because no ‘direct’ fraud has taken place; instead, someone was tricked into taking the action that led to the fraud. However, endorsements for SEF can often be included (but may be subject to a sub-limit).
It is important to know the main features of SEF, as this can help you understand the risk to your specific business and put into place risk controls to reduce or prevent damage from SEF. Getting the right advice and purchasing the correct insurance is vital to managing risks and protecting your business. Your EBM Account Manager can provide guidance on the insurance options available.
Protecting businesses from social engineering
As social engineering exploits human psychology to manipulate individuals into compromising their security, it should be a critical focus area for cybersecurity. An important security aspect is understanding social engineering’s methods and implications so that data can be protected.
Social engineering is a significant cybersecurity concern. As it relies on human vulnerabilities (such as innate social tendencies, willingness to trust, desire to help, and so forth), social engineering attacks can often bypass even the most robust security measures. Once cybercriminals gain access to sensitive information, they can commit identity theft, financial fraud, or launch further attacks on the business (and often other businesses with which it is connected such as through supply chains, contracts or partnerships). The average cost of a social engineering attack can be substantial but is not limited to financial loss – it can also inflict reputational damage or lead to regulatory penalties or litigation (for example, for breaching privacy).
Although social engineering attacks are grounded in manipulating people into granting a cybercriminal access to information or defrauding the business of funds (that is, they rely on psychological manipulation rather than exploiting technical vulnerabilities), there are practical actions a business can take to reduce the risk.
Tips – Reducing the risk of businesses falling victim to social engineering attacks
- Employee training: conduct practical training sessions to educate employees about recognising social engineering attempts, and what to do and what not to do. Regularly provide cybersecurity best-practice training.
- Awareness raising: run awareness and education campaigns to better equip employees to recognise and respond to suspicious communications. The Australian Signals Directorate has information to help raise awareness.
- Secure devices: ensure all company-owned and BYO devices are kept current with updates and security patches, are protected by a lock (PIN, facial recognition or fingerprint ID), and have remote wiping enabled to protect the integrity of data if they are lost or compromised.
- Security policies: develop and enforce clear security policies, particularly in respect to handling sensitive information. Ensure policies align with legal and compliance requirements.
- Simplify security measures: making security protocols simpler and more intuitive can help users follow best practices without feeling overwhelmed.
- Cybersecurity: use best-practice cybersecurity procedures and protocols including antivirus software, data backups, access controls, secure Wi-Fi connections, and regular updates and system patches.
- ID checks: confirm and authenticate identities using tools like MFA.
- Passwords: use best-practice password management (e.g. strong passwords, regular changes, unique passwords and passphrases).
- MFA: use MFA to secure accounts (however, cybersecurity experts warn businesses not to rely solely on MFA, as it is not infallible).
- Verification: use contact verification for any unusual request involving the transfer of funds or sensitive data (i.e. verify the request through an alternative communication channel).
- URL scanning: regularly scan links for malicious content before users click on them.
- Email filtering: use email filtering solutions to detect and prevent phishing emails reaching users’ inboxes.
- Detection software: use behaviour-based intrusion detection systems and software.
- Segment data: use data masking and tokenisation where possible. Store critical data in isolated environments.
- Encryption: encrypt sensitive data both in transit and at rest.
- Monitoring: continuously monitor the environment for malicious activity and indicators of attack (IOA). Use endpoint detection and response (EDR) technology.
- Zero-trust: adopt a zero-trust approach to security to ensure that no user or device is trusted by default. Use the least privilege model to grant employees the minimum access they need to do their jobs.
- Limit personal information: reduce exposure by limiting the amount of personal information shared on company websites, LinkedIn or other social platforms.
- Vet: tighten third-party risk management by vetting all vendors for security compliance and ensure vendors follow strict data access controls.
- Reporting: create a positive security culture and establish easy-to-use incident reporting systems. Encourage the reporting of suspicious activity.
- Logs: regularly monitor and log access to sensitive data.
- Audits: conduct regular security audits.
- Currency: stay up to date with cybersecurity threats and best-practice. Visit the Australian Cyber Security Centre and the National Anti-Scam Centre’s Scamwatch for information on the latest threats.
Key takeaway
Social engineering poses a significant risk for businesses of all shapes and sizes. It is a form of cybercrime that relies on manipulating people into disclosing sensitive data, sharing credentials, granting access to a device or network, or otherwise compromising their – and the business’ – digital security.
The ramifications of a business falling victim to a social engineering attack can be far-reaching, and the financial and reputational costs significant. But there are practical steps a business can take to reduce the risk.
Need expert guidance?
Contact your EBM Account Manager to discuss social engineering risk mitigation strategies and the insurance options that may be available to help protect your business.