Social engineering refers to manipulating someone into performing an action or giving away information. It's a type of cybercrime that relies on 'hacking humans': taking advantage of our natural tendencies to trust other people, to help our colleagues, to act on emotion and to comply with requests from people in positions of authority.

The reality is that many businesses are compromised not as a result of technical weaknesses, but as a result of staff being tricked. That’s why it’s so important to speak to your staff regularly about social engineering – what it looks like and how to react when you see it.

How does social engineering play out, and what are the consequences? 

Social engineering attempts can come via email, SMS or even over the phone. But regardless of which channel is used, all social engineering is designed to override normal reasoning and judgement. The goal of scammers is to apply pressure in such a way that your emotions are heightened and you act quickly to do something that, under normal conditions, you’d consider more carefully.

While some social engineering campaigns lack sophistication and are poorly targeted (a scattergun approach), a small amount of research through social media, company websites or even data leaked in earlier breaches lets a social engineer tailor the lure to a specific person or business and sharply increase its effectiveness.

Some common types of social engineering are:

Phishing & spearphishing

Phishing is an email scam aimed at obtaining personal information, such as usernames, passwords or bank account details, by posing as a trustworthy source. Phishing emails may also deliver malicious software through an infected attachment or a link to a compromised website, or direct people to a fake webpage where they're asked to enter personal information.

Spearphishing is a phishing email that's tailored for a particular individual, company or industry so it is more likely to be acted upon by the target.

Smishing & vishing 

Smishing is phishing delivered by text message, and vishing is phishing carried out over a voice call or voicemail.

Business email scams 

These scams target businesses of all sizes. Using emails made to look like they are from someone you know, such as your boss, your supplier or your customer, these scams request payment to be made to an account under the scammer’s control.

There are two main examples of these kinds of scams that it’s important to be able to recognise.

  1. Supplier email scams occur when a fraudulent request for payment looks like a legitimate expected invoice, or it could be a fake email requesting you update a supplier’s payment details for future payments.
  2. Scammers can also masquerade as your colleagues, emailing a request to make an urgent or confidential payment, often in a way that’s different from your usual process.
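The two patterns above share a mechanical signature: a familiar name or supplier on an address that is not the one on file, a lookalike domain, a Reply-To that quietly redirects the conversation, and pressure wording about urgent or changed payments. The script below, an added example rather than CommBank code, turns those into a heuristic check over a raw email. The domains, contact names, phrase list and the two sample messages are assumed sample data constructed for the example; a heuristic like this supports, but never replaces, the call-back on a trusted number.

```python
"""Heuristic checks for impersonation in business email scams.

Added example (not CommBank code). It parses a raw email and flags the
tricks that make a message 'look like it is from someone you know'.
All domains, names and phrases below are assumed sample data.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed: the organisation's own domain, its suppliers' domains, and the
# people whose names a scammer would borrow, each with the domain on file.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}
KNOWN_CONTACTS = {
    "jane smith": "example-corp.com",      # the boss
    "acme accounts": "acme-supplies.com",  # a supplier's accounts team
}
PRESSURE_PHRASES = (
    "urgent", "confidential", "immediately", "today",
    "new bank details", "updated account", "change of bank",
)
# Character swaps commonly used to build lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    normalised = domain
    for fake, real in HOMOGLYPHS.items():
        normalised = normalised.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyse(raw_message: str) -> List[str]:
    """Return a list of findings for a single-part email; empty means clean."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    name_key = " ".join(from_name.split()).lower()

    # 1. Display-name spoofing: a known name arriving from an unexpected domain.
    expected = KNOWN_CONTACTS.get(name_key)
    if expected and from_domain != expected:
        findings.append(f"display name '{from_name}' expected on {expected}, "
                        f"sent from {from_domain or 'no address'}")

    # 2. Lookalike domain (typo or homoglyph of a trusted domain).
    imitated = lookalike_of(from_domain) if from_domain else None
    if imitated:
        findings.append(f"sender domain {from_domain} imitates {imitated}")

    # 3. Reply-To that sends the reply somewhere other than the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. Pressure and payment-change wording in subject or body.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure/payment-change wording: " + ", ".join(hits))
    return findings


# Constructed sample: a 'boss' payment request from a lookalike domain.
SAMPLE_SCAM = """\
From: Jane Smith <jane.smith@exarnple-corp.com>
Reply-To: jane.smith.ceo@mail-example.net
To: accounts@example-corp.com
Subject: Urgent and confidential payment
Content-Type: text/plain; charset=utf-8

Hi, I need a supplier paid today. New bank details attached. Keep this confidential.
"""

# Constructed sample: an ordinary internal email that should raise nothing.
SAMPLE_LEGIT = """\
From: Jane Smith <jane.smith@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch on Friday
Content-Type: text/plain; charset=utf-8

Can we move the team lunch to 1pm?
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample) or "no findings")
```

Run against the scam sample it reports all four signals; against the ordinary email it reports nothing. The homoglyph and edit-distance tests are deliberately loose, so treat a hit as a prompt to verify by phone rather than as proof of fraud.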


Top tips to help protect your organisation:

  1. Before you make a first-time payment for any amount you're not prepared to lose, call the person or organisation you're paying on a trusted number: one you already hold or look up independently, never one supplied in the email or invoice you're checking.
  2. Ensure all your accounts, especially your email accounts, have strong, unique passwords and are set up with multi-factor authentication where available.
  3. Set up a payments approval process for your business, preferably requiring multiple approvers, with no exceptions.
  4. Encourage a culture where staff are comfortable to question a payment instruction even if it’s from a senior executive.

Baiting is another type of social engineering attack. It piques a person's curiosity to get them to take an action, most commonly plugging in a USB drive the attacker has left for them to find.

An example is an employee who finds a USB drive labelled with something compelling (e.g. "Staff Bonuses") and plugs it into a work computer. The attacker has loaded the drive with malware, which runs when the employee opens a file on it (or, if the device is built to present itself as a keyboard, as soon as it is plugged in). The malware may let the attacker remotely survey and control the infected device and potentially spread throughout the network.

Make staff aware of these scams, and help them understand that attackers see their devices as entry points into the business. That is why the operating system and applications must be kept up to date, and why you should use security features that let you track, lock and wipe devices.

What to do if something goes wrong

Time is of the essence if something goes awry, so it’s important to make sure your staff know what process to follow in the event something has gone wrong and that they feel supported to speak up and report quickly.

An incident management plan will help your business respond fast and efficiently. It’s also a good idea to keep a paper copy of the updated plan in case you are ever locked out of your system.


  • Contact your bank if you've given financial details to a scammer or anyone you're not sure should have them
  • If you've made a payment to a scammer, contact your financial institution and make an official report to police
  • If you've been impacted by cyber crime, you should also report it to the Australian Government’s ReportCyber service
  • Report other scams to Scamwatch


Things you should know

This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. As this information has been prepared without considering your objectives, financial situation or needs, you should, before acting on it, consider its appropriateness to your circumstances.