
What are social engineering scams?

While we might think of devastating viruses or complex malware as the biggest cyber threats, it’s actually human psychology that poses the biggest risk to cybersecurity. Social engineering exploits our behaviour and disposition to trick people into taking actions or disclosing sensitive information, enabling hackers to gain unauthorised access to devices or accounts and commit fraud.

The danger of social engineering lies in that even advanced security can’t always prevent people from compromising themselves. Knowing how social engineering scams work can help you recognise when someone is trying to influence you for dishonourable purposes.

Social engineering scams defined

The alarming rise in social engineering attacks exploits our trust, helpfulness, and our tendency to follow authority or respond to urgent situations. From fake bank emails to phone calls impersonating tech support, social engineers are constantly finding new ways to prey on our proclivities.

As well as exploiting our human sensitivities, they also leverage our reliance on social proof, a psychological trick also used in marketing that makes us more likely to do something if we see others doing it too (the restaurant is full, so it must be good, right?). In scams, this takes the form of customer reviews, celebrity endorsements, or made-up data about user numbers.

Common social engineering scam techniques

These methods are often combined for maximum effectiveness. 

  • Phishing, the most widespread method, uses deceptive emails to trick recipients into revealing personal data or clicking malicious links 
  • Spear phishing takes this approach further by targeting specific individuals with highly personalised messages 
  • Whaling, a variant of spear phishing, focuses on high-profile targets like organisation executives
  • Baiting lures victims with enticing offers, such as free downloads, to infect systems with malware 
  • Pretexting involves creating false scenarios to gain trust and extract information, like tech support or account compromise claims
  • In quid pro quo attacks, perpetrators offer a service in exchange for sensitive data. 

Common social engineering scam tactics targeting individuals

Romance scammers establish bogus online identities to forge romantic connections with victims, ultimately seeking financial assistance under the guise of fabricated emergencies or travel expenses.

In lottery or prize scams, victims are tricked into believing they’ve won but must pay charges or taxes to collect. Naturally, these prizes don’t exist, and any money sent is lost.

Tech support scams involve criminals posing as tech support representatives, claiming the victim’s device is infected with malware. They’ll then ask for remote access or payment for services that aren’t needed.

Targeting grandparents, scammers create fake emergencies, impersonating grandchildren and pressuring them to send money without involving other family members.

Scammers pretending to be government officials use threats and promises to trick victims into giving up their personal information or money.

Scammers use fake job listings or too-good-to-be-true employment opportunities to target victims. They often request personal information or upfront payments for training or equipment.

Social media: A scammer’s playground

By creating realistic fake accounts, scammers impersonate individuals or organisations to trick unsuspecting victims. Stolen pictures and false information are used to make these profiles seem legitimate and used to spread misinformation, phish for data, or build trust for future scams.

Intriguing titles or offers (clickbait) tempt users to click on malicious links that can lead to malware-infected or phishing websites. To exploit users’ curiosity, these links often promise sensational news, exclusive deals, or shocking content.

Data collection disguised as innocent fun like social media quizzes and surveys can secretly gather your personal information. Security questions used by banks and other services are often mirrored in online quizzes, which could risk users’ accounts on multiple platforms.

Unknown friend or connection requests are often sent by scammers to grow their network and steal your personal information. Once linked, scammers may engage in various tactics, like romance fraud and business email compromise.

Social engineering scams aimed at businesses

Australian businesses faced devastating losses from social engineering attacks in recent years. The ACCC reports that business losses to scams increased by 73% in 2022, totalling $23.2 million, with small and micro businesses particularly vulnerable, losing $13.7 million – a shocking 95% increase from the previous year.

Recent data shows improvement in awareness, with 60% of Australian office workers now receiving frequent security training, up significantly from 35% in 2021. However, 23% of workers still report never receiving any cybersecurity training.

Business Email Compromise (BEC) attacks see criminals impersonate executives or suppliers to deceive employees into sending funds or sharing sensitive data. BEC alone cost Australian victims more than $79 million in a single year, with over 3,300 incidents reported to the Australian Cyber Security Centre. 

Similar to BEC, Vendor Email Compromise (VEC) targets the link between vendors and their clients. To divert payments or steal sensitive information, scammers can either take control of vendor email accounts or pose as legitimate employees.

Criminal activity targeting CEOs or other C-level executives (“CEO Fraud”) is a subcategory of BEC. Exploiting employees’ eagerness to obey authority, the criminals frequently demand rapid wire transfers or confidential information.

Invoice scams occur when fraudsters send fake invoices or manipulate existing ones, often after gaining access to a vendor’s email, altering payment information to redirect funds to their own accounts. Criminals also pose as company executives to target HR or payroll staff, requesting wage and tax record forms for use in tax fraud or identity theft.

Another frightening progression comes from deepfake video scams, which can bypass facial recognition systems and create convincing impersonations of company executives. Using AI-generated voices, scammers are convincingly impersonating executives and officials. A notable case involved criminals using deepfakes to recreate a video conference, resulting in a $25.6 million loss. 

QR code phishing, or “quishing,” has seen a massive surge, as attackers capitalise on our increasing reliance on QR codes. These attacks succeed due to their ability to circumvent standard security and exploit our reliance on digital tools.

How to protect yourself and your business

  • Education and awareness training
  • Implementing strong security policies
  • Using multi-factor authentication
  • Verifying requests through secondary channels
  • Being sceptical of unsolicited contact
  • Keeping software and systems updated.

By staying informed and maintaining a healthy scepticism online, you can be your own best defence against social engineering attacks.

Have you encountered any of these social engineering tactics? What steps do you take to protect yourself online?
