
Beware the Mind-Hackers: The Growing Threat of Social Engineering

What’s social engineering, anyway?

Imagine hackers who don’t break into your accounts and systems but instead trick you into handing over the keys. That’s social engineering. Instead of busting firewalls, these malicious actors use deception, impersonation and psychological pressure to get individuals or staff to give them what they want: passwords, sensitive information or even a transfer of funds. They fabricate a sense of urgency and weaponise the human qualities of empathy and trust to manipulate their targets.

Malicious actors craft messages with the goal of appearing legitimate and trustworthy. Their favourite targets? Large private entities and government agencies (those with access to valuable information or influence). They often target individuals with a high profile, access to sensitive information, or the ability to make changes to systems or approve financial transactions. Some of these targets could include:

  • senior managers and their staff
  • system administrators and information technology (IT) service desks
  • staff members from human resources, finance and legal areas.

It’s an increasing problem. The Office of the Australian Information Commissioner (OAIC) reports that 28% of malicious breaches over the period July 2024 to December 2024 involved social engineering, with government entities being the main target.

The usual tricks: phishing, spear phishing and vishing

Malicious actors love to impersonate someone you trust – a colleague, a legitimate business or even a senior manager – to get what they want. While social engineering attacks take countless forms, three of the most common tactics are phishing, spear phishing and vishing.

  • Phishing: fake emails or texts posing as legitimate companies or entities, tricking staff into handing over or providing access to information.
  • Spear phishing: like phishing but targeted, with customised messages aimed directly at individuals or teams.
  • Vishing: the phone version of phishing, using calls or automated messages that sound official and pressure staff into disclosing personal or sensitive information.

Those familiar with our Fraudster Personas will recognise two of them as being present in social engineering: ‘The Impersonator’, where an individual pretends to be a real person or entity, and often ‘The Organised’, a serious or organised crime group.


Real case: the Qantas breach

On 2 July 2025, Qantas revealed a massive breach affecting up to 6 million customers after hackers got into a third-party system through an offshore call centre. Names, email addresses, frequent flyer numbers, dates of birth and phone numbers were stolen.

CyberCX, a private cybersecurity firm contracted by Qantas, noted the incident ‘has all the hallmarks of an attack from the so-called Scattered Spider hacker group’, although Qantas has yet to confirm the group’s involvement. The group relies on social engineering: it impersonates employees or contractors to deceive internal systems operators into providing login credentials or granting access to systems, allowing it to bypass multi-factor authentication.

How to fight back: tips for organisations

Good news: you can fight these mind games! Here’s how:

  • Raise awareness: run awareness and education campaigns that share real-life stories and strategies for recognising and responding to suspicious communications. The Australian Signals Directorate website has information that you can use to help raise awareness.

  • Encourage reporting: promote a positive security culture and establish easy-to-use incident reporting systems to report anything suspicious.

  • Use strong ID checks: confirm and authenticate identities using tools such as multi-factor authentication (MFA). Remember that attackers target the people who can reset passwords or MFA, so verify requests for credential or MFA resets through an independent channel before acting on them.

  • Collaborate with experts: work closely with your cybersecurity teams and stay updated on new tricks hackers pull.

Our website has some great resources to help Commonwealth entities tighten up their defences against fraudulent activity. Check it out today.
