First published: 29 May 2025
Last updated: 29 May 2025

Content written for

Individuals & families
Small & medium business
Large organisations & infrastructure
Government

Social engineering is a significant threat to individuals and organisations, enabling malicious actors to compromise accounts, devices, systems or sensitive information.

This publication offers guidance on identifying and responding to social engineering attempts delivered through email, SMS, instant messaging through social media platforms or by voice phishing, known as ‘vishing’. The ability to identify these techniques is the first step in reducing the risk of compromise.

Defining social engineering techniques

Social engineering techniques are used by malicious actors to direct individuals or staff into performing specific actions such as opening an attachment, visiting a website, revealing credentials, disclosing sensitive information or transferring funds.

Malicious actors often go to great lengths to make their communication seem legitimate and trustworthy, increasing the chances that targeted personnel will follow their instructions. Recent advancements in artificial intelligence (AI) have amplified the effectiveness of social engineering techniques. Malicious actors have weaponised empathy, urgency and trust to trick individuals or staff into circumventing regular processes to achieve their goal. These communications may appear to come from someone known to the victim, such as a relative, colleague, senior manager or an authoritative part of their organisation.

Common targets for socially engineered messages

While anyone can receive a social engineering attempt, malicious actors often prioritise certain individuals or staff because of their value to the actor: their profile, their access to sensitive information, their ability to make changes to systems, their authority to perform high-impact actions (such as approving financial transactions or granting system access), or roles that require regular interaction with unknown or external parties. Some broad examples of these targets could include:

  • high profile individuals
  • senior managers and their staff
  • system administrators and information technology (IT) service desks
  • staff members from human resources, sales, marketing, finance and legal areas.

It should be emphasised that other individuals or staff should not consider themselves immune to social engineering. Malicious actors may contact as many staff as possible hoping that at least one social engineering attempt will be successful.

Recognising social engineering threats

Social engineering techniques can be highly convincing. Individuals and staff should understand the following indicators in messages or phone calls:

Unusual attachments or website links

Be cautious of unexpected attachments or website links, particularly if they come from unfamiliar sources. If a communication is unexpected or from an unknown sender, do not click on any links or visit any websites it suggests. This includes links within common business communications such as calendar invitations, instant messaging applications or customer engagement portals.

If you receive a message from a known organisation and expect the communication, still avoid clicking on links in the message. Instead, visit the official website or application and log in to your account through previously verified means.

Never enter credentials or personal information into a website accessed through a link in a suspicious message.

Similarly, treat unexpected attachments with caution. If unsure, confirm with the sender using a known, trusted contact method, such as their phone number listed on the organisation’s official website.

Urgent or authoritative requests by vishing

Vishing is a form of social engineering where malicious actors impersonate staff or executives to extract sensitive information or perform actions such as password resets. Malicious actors may also use AI tools like voice cloning or deepfake technology to sound convincing and may spoof caller IDs to make their calls appear legitimate. Organisations should ensure they have robust procedures to verify the legitimacy of any contact, particularly before fulfilling sensitive requests like password resets or access changes. Never let urgency override security.

Requests to run code or to bypass security controls and procedures

Malicious actors often attempt to bypass organisational controls by persuading staff to change system settings or perform specific actions that compromise security. For example, if Microsoft Office macros are disabled, a malicious actor may provide detailed instructions to enable macros – allowing malicious code to be executed when a user opens a document.

Malicious actors may also use social media or online gaming to offer a deal that is too good to be true such as free software or a giveaway if a user runs particular code on their device. These tactics often exploit an individual’s fear of missing out. To make a social engineering attempt seem more legitimate, malicious actors may also exploit current news stories and events, such as providing a fix for a high profile technical issue. By sharing an excerpt of code and encouraging users to run it on their devices, malicious actors can expose those devices to further exploitation and compromise.

Any request to change system configurations, run code or alter security settings should be treated as highly suspicious and verified independently.

Another common technique is chief executive officer (CEO) or chief financial officer (CFO) fraud, where a malicious actor impersonates a senior executive and urgently requests high-value transactions, such as transferring large sums of money. These requests often occur when the executive is unavailable or difficult to contact, increasing the pressure to comply without proper verification.

Requests for sensitive or unnecessary information

One of the simplest forms of social engineering involves malicious actors asking for information by exploiting an individual’s natural desire to be helpful. These requests may seem plausible at first.

For example, a malicious actor might impersonate a colleague and ask for copies of documents that they claim to have accidentally deleted. Alternatively, they might pose as someone the recipient has never met but who could reasonably be expected to need the information they are requesting, such as a new starter in the IT service desk or a staff member working on a shared project from a different office. Be mindful of what you share online and consider limiting the personal details you post, as malicious actors can use this information to impersonate you or make their approach seem more believable. To help protect your privacy online, review your settings and follow the best practices outlined in ‘Secure your social media’.

This type of request can also occur via phone calls, where malicious actors create a sense of urgency or authority to pressure individuals into disclosing information.

Organisations should ensure their password reset and account recovery processes never require staff to disclose their current passwords for any reason. This should be reinforced through security awareness training to better protect the organisation and its staff against common social engineering techniques.

It is important to be cautious of requests for sensitive information from people that you do not interact with regularly. Even if the requestor is known, consider whether they have a legitimate need-to-know for that information. Malicious insiders may exploit their contacts to gather information or privileges they should not have.

Poorly written or unusual communications

While malicious actors may go to lengths to make their messages appear legitimate and from a relevant, trustworthy source, some lack the skills or motivation to do so. Such messages may exhibit poor spelling, punctuation or grammar, or an unusual tone. Messages lacking a specific addressee or containing generic greetings can also indicate malicious intent. However, now that AI tools can generate messages with flawless grammar and spelling, it is becoming harder to rely on poor language as a clear sign of a scam.
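Several of the indicators described above (a link whose visible text names one site while it actually points to another, a reply address on a different domain from the sender, a generic greeting, and urgency wording) can be checked mechanically before a message reaches a person. The following is an added example, not part of this publication and not an official tool: a small triage script that scores a raw email against those indicators. The indicator names, phrase lists and both sample messages are constructed for illustration; a real deployment would tune the phrase lists and feed the output to a mail gateway or reporting workflow rather than treat it as a verdict.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture). It carries several indicators from the
# section above: a Reply-To on a different domain from the sender, a link whose
# visible text names one domain while its href points to another, a generic
# greeting, and urgency wording.
SUSPICIOUS_EMAIL = b"""From: "IT Service Desk" <servicedesk@example.com>
Reply-To: helpdesk-reset@example-support.net
To: staff@example.com
Subject: URGENT: password reset required within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user,</p>
<p>Your account will be locked. Please verify immediately at
<a href="https://login.example-support.net/reset">https://portal.example.com/reset</a></p>
</body></html>
"""

# Constructed benign message for comparison: consistent domains, a named
# recipient and no urgency wording.
BENIGN_EMAIL = b"""From: "Alex Chen" <alex.chen@example.com>
To: sam.lee@example.com
Subject: Notes from this morning's project meeting
Content-Type: text/plain; charset="utf-8"

Hi Sam,

Attached are the notes we discussed. No action needed before Friday.

Alex
"""

# Illustrative phrase lists (assumed, not from the publication); tune for your environment.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be locked")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear sir/madam", "dear valued")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Host of a URL, or the domain part of an email address, lower-cased."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.split("<")[-1].rstrip(">").rsplit("@", 1)[-1].strip().lower()


def triage_message(raw):
    """Return the names of the indicators found in a raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    indicators = []

    sender = str(msg.get("From", ""))
    reply_to = str(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(sender):
        indicators.append("reply-to-domain-mismatch")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""

    collector = _LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        # Visible text that is itself a URL should point where it claims to.
        if text.startswith(("http://", "https://")) and _domain(text) != _domain(href):
            indicators.append("link-text-domain-mismatch")
            break

    plain = re.sub(r"<[^>]+>", " ", content).lower()
    if any(greeting in plain for greeting in GENERIC_GREETINGS):
        indicators.append("generic-greeting")

    haystack = str(msg.get("Subject", "")).lower() + " " + plain
    if any(phrase in haystack for phrase in URGENCY_PHRASES):
        indicators.append("urgency-language")

    return indicators


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage_message(raw))
```

The constructed suspicious message trips all four checks while the benign one trips none. The checks are deliberately conservative: they flag only a visible URL that disagrees with its target, not every link, and they never treat good spelling as a sign of legitimacy, for the reason the paragraph above gives.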

Responding to suspected social engineering attempts

If you suspect a social engineering attempt, do not engage with, delete or forward the communication. Report it immediately to your organisation’s cybersecurity or IT support team for advice. Preserving the communication is important for investigation and threat response.

More information

Contact details

If you have any questions regarding this guidance, you can contact us or call 1300 CYBER1 (1300 292 371).
