Social Engineering: How to spot the scams targeting your business

What is social engineering?

Social engineering is when an attacker manipulates a person — not a computer — into handing over access, information or money. Instead of breaking through your security, they talk their way past it: posing as your bank, a supplier, the IT team, or even your own manager.

It works because the request feels normal. A password reset. An urgent invoice. A quick call from “support.” Each looks routine. Each can be the start of a breach.

And it’s how most attacks now begin. More than a third of incidents start with social engineering, with business email compromise among the costliest. Your firewall can’t stop a convincing conversation. Your people can.

 

The red flags: six signs someone is trying to social-engineer you

You don’t need to be technical to spot these. Watch for the request, not the polish.

1. They ask for your password or your one-time code.

No legitimate business will ever ask for your password, and no genuine support agent needs the code from your authenticator app. If someone asks, it’s a scam — full stop.

2. They push you to click a link or scan a QR code.

Links and QR codes lead to fake login pages built to capture what you type. Don’t act from the message. Open the site yourself from a bookmark or by typing the address you know.

3. They create urgency — and ask you to keep it quiet.

“Act now.” “Final notice.” “Don’t tell anyone yet.” Pressure and secrecy are designed to stop you thinking. Real requests survive a five-minute pause.

4. They ask for money, gift cards, or a change to payment details.

A new bank account for a supplier, an urgent transfer from the “CEO,” a request for gift cards — this is business email compromise, and it’s one of the costliest scams there is. Always confirm the change with the person directly, on a number you already have.

5. They phone you pretending to be IT or a supplier.

Voice scams (vishing) have overtaken email as the leading tactic. A friendly caller “from support” may ask you to approve a login, reset your MFA, or install remote-access software. Hang up and call back on a number you trust.

6. They tell you to “fix” a problem by running a command.

A fake error page or CAPTCHA asks you to copy something and paste it into your device to continue. Don’t. You’d be running the attack yourself. Close the page and report it.

 

The old advice no longer works

For years the guidance was “look for spelling mistakes and dodgy grammar.” That test is dead. Attackers now use AI to write flawless, personalised messages — and to clone voices and faces convincingly. Don’t judge a message by how professional it looks. Judge it by what it’s asking you to do.

 

What to do: Stop. Check. Report.

Three steps handle almost every attempt.

  • Stop. Anything urgent, unexpected or unusual gets a pause. That pause is your best defence.
  • Check. Verify the request on a different channel you already trust — call the person on their known number, or walk over and ask. Never verify using the contact details in the suspicious message.
  • Report. Tell your IT or security team, even if you’re not sure. Early reporting can stop one click from becoming a company-wide problem.

 

Think you’ve already been caught?

Don’t panic, and don’t stay quiet. Speed limits the damage.

  1. Disconnect the device from the network if you ran something or downloaded a file.
  2. Change your password from a different, trusted device — and revoke active sessions if you can.
  3. Report it to your IT or security team straight away.
  4. If money moved, contact your bank immediately and report it to Scamwatch and the Australian Cyber Security Centre.

 

Frequently asked questions

What’s the difference between social engineering and phishing? Phishing is one type of social engineering — usually by email. Social engineering is the broader craft of manipulating people, which also includes phone scams (vishing), text scams (smishing), QR-code scams and in-person tricks.

Why do social engineering attacks work even on careful people? Because they exploit trust and routine, not gaps in your knowledge. A well-timed request that fits your workday can slip past anyone — which is why a verify-first habit matters more than “being careful.”

Can multi-factor authentication stop social engineering? It helps, but it’s not a force field. Attackers now trick people into approving prompts or handing over one-time codes. Treat every unexpected MFA prompt as suspicious and never share a code.

How do I protect my team? Regular, realistic awareness training and a simple “when in doubt, report it” culture make the biggest difference. That’s exactly what a managed security partner can set up and run for you.

 

Stay one step ahead

Your people are your strongest defence — when they know what to look for. Commuserv helps Australian businesses build that instinct with security awareness training, phishing simulations and managed cyber security that works quietly in the background.

Book a free security review →

Stay Connected
Sign Up Today

Name(Required)