
Why Australian businesses keep falling for social engineering attacks

Cyber attacks do not always look like hacking.

For many Australian businesses, the most disruptive cyber incidents start with something far more ordinary: an email from a familiar supplier, a phone call that sounds urgent, a payment request that looks routine. Each can appear entirely legitimate, and each is often the product of social engineering, which works through trust, routine and pressure rather than technical skill. That is why it continues to catch businesses off guard.

What social engineering looks like in everyday business

Social engineering attacks usually blend into normal business activity.

There is often no suspicious link, no antivirus warning, and no system outage. Instead, the request looks reasonable and time-sensitive.

Social engineering fraud can take many forms, including:

  • Phishing: fake emails or texts posing as legitimate companies or entities, tricking staff into handing over information or granting access to it.
  • Spear phishing: a targeted form of phishing, with customised messages aimed at specific individuals or teams.
  • Vishing: voice phishing, using phone calls or automated messages that sound official to get staff to disclose personal or sensitive information.

Common examples seen across Australian businesses include a supplier advising of updated bank details, a finance team member receiving an urgent payment request from someone claiming to be a director, or a customer being sent an invoice that looks genuine but routes payment elsewhere.

Because these interactions feel routine, they are often acted on quickly. That is exactly what attackers rely on.

Why do these attacks not feel like cybercrime?

When people hear the term "cybercrime," they often picture malware, system breaches, or stolen data.

Social engineering does not usually fit that picture.

The email appears to come from a known name. The phone call comes from the same country code. The invoice looks familiar. Nothing appears broken or compromised at the time.

In many cases, the business only realises something is wrong when money does not arrive, a supplier follows up, or a customer queries an unexpected request.

By then, the damage is already done.

Trust is the entry point

Social engineering works because it mirrors how businesses already operate.

Payments rely on trust. Email relies on trust. People rely on each other to do their jobs efficiently.

Attackers study how businesses communicate, who approves payments, how invoices are sent, and how urgent requests are handled. They then step into that process at the weakest point.

This is why invoice fraud, payment redirection scams, and impersonation attacks are so common. They do not break systems. They exploit expectations.

An example of how trust can lead to financial loss

The following example illustrates how easily a trusted process can be exploited without raising immediate concern.

A small construction firm regularly works with subcontractors and pays invoices electronically as part of its normal operations. Project managers primarily communicate with suppliers by email and forward invoices to their finance team for payment.

The incident began when an employee received an email that appeared to come from Microsoft, asking them to verify their email account details. The message appeared legitimate and was acted on without suspicion. This allowed a fraudster to gain access to the employee’s inbox.

From there, the fraudster quietly monitored email conversations. When a genuine invoice arrived from a subcontractor, the fraudster intercepted the exchange and stepped in at the right moment.

Using an email address that looked almost identical to the subcontractor’s real address, the fraudster sent an updated invoice explaining that the subcontractor had changed bank accounts. The invoice layout, branding, and wording all matched previous invoices.

The request followed the usual process. The invoice was forwarded internally and paid in full.

It was only weeks later, when the real subcontractor followed up on the unpaid invoice, that the business realised the payment had been sent to a fraudulent account. By that point, the funds were no longer recoverable, and the business had to pay the invoice a second time. 

There was no system failure and no technical warning. The incident relied entirely on trust, familiarity, and routine. That is why social engineering attacks are so difficult to spot while they are happening.

Where losses tend to occur

While every business is different, social engineering losses often follow similar patterns.

Payments are redirected after false change requests. Staff act on urgent instructions that appear to come from senior management. Customers pay invoices that look genuine but are not.

These incidents can result in direct financial loss, customer disputes, and reputational pressure. In some cases, they can also create regulatory obligations if personal information is involved.

Why prevention is not always enough

Even well-run businesses can be caught out by a moment of urgency, a convincing request, or a skipped check in the process. While it is impossible to eliminate all risk, there are steps SMEs can take to reduce the chance of being caught out:

  1. Clear payment-change protocols: establish a fixed procedure for any request to change a supplier's bank or payment details. For example, add a step to the accounts payable process in which staff call the supplier on a phone number already held in your records (not one supplied in the email) to confirm the change. Do not accept changes by email alone.
  2. Employee training: between January and June 2025, 37% of all reported data breaches in Australia were caused by human error [1], highlighting the need for all businesses to consider ongoing employee cybersecurity training and awareness. Consider government-supported programs such as Cyber Wardens, a free online cybersecurity training program designed to support Australian small businesses.
  3. Test and review internal controls: strong IT security and controls, such as requiring a second verification step to log in (MFA) or turning on automatic software updates, help close the gaps scammers try to exploit. Businesses should carry out regular reviews to make sure their security controls remain robust.
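The construction-firm example above turned on an email address that looked almost identical to the subcontractor's real one, and step 1 of the controls above says no bank-detail change should be accepted on email alone. The following is an added example of how an accounts payable team could automate the flagging half of that control: it checks the sender's domain against a register of supplier domains, catches common lookalike tricks (letter substitutions such as rn for m, digits for letters, dropped or added letters, the supplier name embedded in an unrelated domain), and decides whether a message that mentions new bank details must be held for a phone call. It is not code from the original article or from Marsh; the supplier register, the sample messages and the thresholds are all constructed assumptions for illustration, and the phone call to a number already on file remains a manual step that this code deliberately does not replace.

```python
"""Triage of supplier 'new bank details' emails against a supplier register.

Added example, not code from the original article. The register, samples and
thresholds are assumptions for illustration. Only the flagging step is
automated; the callback to a number already on file is still done by a person.
"""
import re
import unicodedata

# Assumed register: domains the business already holds on file per supplier.
SUPPLIER_REGISTER = {
    "northsideelectrical.com.au": "Northside Electrical",
    "abcplumbing.com.au": "ABC Plumbing",
}

# Wording that typically accompanies a payment-redirection request, in either order.
_CHANGE = r"\b(?:new|updated?|changed?|different)\b"
_BANK = r"\b(?:bank|account|bsb|payment details|remittance)\b"
BANK_CHANGE_RE = re.compile(
    _CHANGE + r".{0,60}" + _BANK + "|" + _BANK + r".{0,60}" + _CHANGE,
    re.IGNORECASE | re.DOTALL,
)


def normalise(domain: str) -> str:
    """Fold the substitutions attackers use to forge a visually similar domain."""
    d = unicodedata.normalize("NFKD", domain.lower())
    # Accented Latin letters fold to ASCII; non-Latin lookalike letters are dropped
    # here and the resulting one-character gap is caught by the edit-distance check.
    d = d.encode("ascii", "ignore").decode()
    d = d.replace("rn", "m").replace("vv", "w")     # r+n reads as m, v+v as w
    return d.translate(str.maketrans("01", "ol"))   # digit-for-letter swaps


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str):
    """Return ('known' | 'lookalike' | 'unknown', supplier name or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in SUPPLIER_REGISTER:
        return "known", SUPPLIER_REGISTER[domain]
    cand = normalise(domain)
    cand_label = cand.split(".")[0]
    for known, supplier in SUPPLIER_REGISTER.items():
        ref = normalise(known)
        ref_label = ref.split(".")[0]
        if (
            cand == ref                                          # differs only by homoglyphs
            or levenshtein(cand, ref) <= 2                       # a letter dropped, added or swapped
            or levenshtein(cand_label, ref_label) <= 1           # same name under another TLD
            or (len(ref_label) >= 6 and ref_label in cand_label) # name embedded, e.g. abcplumbing-invoices
        ):
            return "lookalike", supplier
    return "unknown", None


def triage(message: dict) -> dict:
    """Decide what accounts payable does with one message before any details change."""
    verdict, supplier = classify_sender(message["from"])
    text = message.get("subject", "") + "\n" + message.get("body", "")
    asks_for_change = BANK_CHANGE_RE.search(text) is not None
    if not asks_for_change:
        action = "process normally"
    elif verdict == "lookalike":
        action = "reject; report to security; call supplier on number from register"
    elif verdict == "known":
        # A genuine domain proves little: the sender's own mailbox may be compromised.
        action = "hold; call supplier on number from register before updating details"
    else:
        action = "hold; confirm identity through a known contact before proceeding"
    return {"verdict": verdict, "supplier": supplier,
            "bank_change_requested": asks_for_change, "action": action}


# Constructed sample messages (not real correspondence).
SAMPLES = [
    {"from": "accounts@abcplumbing.com.au", "subject": "Invoice 1042",
     "body": "Please find attached invoice 1042 for the Smith St job."},
    {"from": "accounts@abcplurnbing.com.au", "subject": "Invoice 1042 - updated bank details",
     "body": "We have changed bank accounts. Please pay invoice 1042 to the new account below."},
    {"from": "accounts@abcplumbing-invoices.com", "subject": "Invoice 1042",
     "body": "Our BSB and account number have changed; updated remittance attached."},
    {"from": "accounts@abcplumbing.com.au", "subject": "New bank details",
     "body": "Please update our account details for future payments."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m)["action"])
```

Two design points are worth noting. First, a sender domain that exactly matches the register still results in a hold rather than approval, because the attacker in the example gained an inbox through phishing and could just as easily have sent the request from a genuine supplier account. Second, the lookalike rules are deliberately generous (an edit distance of one on the supplier name, or the name embedded in another domain) since the cost of a false positive is one phone call, while the cost of a miss is an invoice paid twice.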

How cyber insurance fits into the picture

Cyber insurance does not prevent social engineering attacks.

What it can do is help businesses respond when a trusted process has been exploited. Depending on the policy, this may include access to incident response support, technical investigation, legal advice, and assistance with managing the financial and operational impact of an incident.

These services matter most to SMEs, which may not have the financial capacity to absorb both the direct loss and the cost of responding to the incident.

Understanding how cyber risk applies to the way your business operates day to day is an important part of managing that exposure.

More information about cyber insurance for Australian businesses is available on Marsh’s cyber insurance page.

Get cover that reflects current cyber threats

Social engineering is not about careless staff or poor systems. It reflects how modern businesses work: fast decisions, digital communication, and trust built into everyday processes.

Recognising that reality is often the first step toward managing the risk more effectively.

Frequently asked questions

It is when someone tricks a person into taking an action, such as making a payment or sharing information, by pretending to be someone they trust.

Yes. Social engineering methods, such as phishing and impersonation, continue to be among the most common forms of cyber attack in Australia. In FY2024–25, phishing was recorded in 60% of the incidents reported to the Australian Signals Directorate's ACSC.

Yes. Invoice fraud usually relies on impersonation and trust, rather than technical hacking or system breaches.

They copy normal business processes and create urgency, which makes them harder to question in the moment.

Yes. These attacks are not limited by business size and can affect businesses of all types.

No. They can also involve phone calls, text messages or a mix of different communication channels.

Yes. It involves digital communication and system access.

Stop any further payments, contact your bank straight away, and seek professional advice as soon as possible.

Some policies may respond, depending on the terms, conditions and how the incident occurred.

Training helps reduce risk, but it cannot remove the risk entirely.

Yes. Attackers often focus on people who handle payments or approve transactions.

Authoritative guidance is available from the Australian Cyber Security Centre and business.gov.au.

Because familiarity reduces suspicion and speeds up decision-making.

References

[1] Office of the Australian Information Commissioner, "Small business", https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/small-business, accessed 24 January 2026.

[2] Australian Government, "Protect your customers' information", https://business.gov.au/online-and-digital/cyber-security/protect-your-customers-information, accessed 24 January 2026.

[3] Australian Signals Directorate, "Spotting scams", https://www.cyber.gov.au/protect-yourself/spotting-scams, accessed 24 January 2026.

LCPA 26/2028