Artificial intelligence (AI) is becoming an increasingly prevalent and accessible tool for many businesses. As we continue to explore its capabilities, many businesses are actively using AI to boost productivity, enhance efficiency and improve customer experiences.
However, there is a dark side to AI’s evolution. Cybercriminals are also using AI to carry out increasingly targeted social engineering attacks. These attacks can seriously impact a business’s finances, reputation and ability to continue operating.
What is social engineering?
Social engineering refers to the manipulation of individuals by criminals to gain access to confidential information, restricted systems or resources.
Social engineering is different to traditional hacking. In a traditional hacking attack, cybercriminals exploit technological vulnerabilities to gain unauthorised access. For example, infiltrating a business’s systems through a Wi-Fi network with weak password protection or inadequate firewall defences.
On the other hand, social engineering exploits the human element of security. For example, a common form of social engineering is called ‘phishing’. This is where a cybercriminal sends a fraudulent email or text message that seems to be from a legitimate source, such as an employer. In this way, victims can be tricked into clicking malicious links, sharing login credentials or other sensitive data.
Why is social engineering so effective?
Social engineering is effective because it targets human vulnerabilities, which can sometimes be easier for hackers to exploit than technical vulnerabilities. Cybercriminals use a variety of different psychological tactics to manipulate emotions to get their victims to do what they want. They also rely on simple human errors.
According to the Office of the Australian Information Commissioner (OAIC), human errors accounted for 30% of all data breaches in the first half of 2024. The top cause of human error data breaches was sending personally identifiable information to the wrong recipient (38%).
12% of all breaches were caused by phishing, where an employee inadvertently clicked on malicious links or downloaded a compromised attachment.
How are cybercriminals using AI?
According to the Australian Signals Directorate’s (ASD) latest Cyber Threat Report, cybercriminals may use AI for social engineering attacks given its accessibility and its ability to bypass network defences.
For example, AI can allow cybercriminals to carry out more labour-intensive activities, like generating spear phishing content more efficiently and on a larger scale. Cybercriminals may also use AI to create new methods of social engineering attacks, like creating deepfake images or videos that impersonate a target or someone the target trusts.
6 Common types of social engineering attacks
Social engineering attacks come in many different forms. By understanding these threats, you can better recognise and respond to suspicious behaviours.
Phishing
This is one of the most widespread forms of social engineering. Phishing involves sending fraudulent emails, texts or messages to trick recipients into sharing sensitive information. A perfect example of this is a text message or email from a reputable source, such as your bank asking you to verify your account details through a fake login page.
Spear phishing
Spear phishing is a much more targeted form of phishing, in which a specific individual or organisation is targeted. This precision type of cyberattack often uses highly personalised messages to trick their targets into revealing sensitive information, such as pretending to be a colleague or manager and referencing specific projects or events.
Pretexting
Pretexting involves the cybercriminal creating a fake scenario that convinces the target to reveal sensitive information. Attackers typically pose as trusted individuals, like an IT technician or a bank representative.
For example, a scammer may call an employee and pretend to be from the company’s HR department, requesting sensitive information. By devising a convincing story and posing as an authoritative source, pretexting allows cybercriminals to steal information by exploiting trust.
Baiting
As the name suggests, baiting tempts targets with an enticing reward or offer. This can lead them to take actions that compromise security. Baiting relies on a person’s curiosity or greed, or both. This attack often involves distributing physical devices, like USB drives loaded with malware, or offering free software downloads that install malicious programs.
Tailgating
Tailgating is also known as piggybacking. This is a physical form of social engineering, where an unauthorised person gains access to a secure area by following someone with legitimate credentials. For example, an unauthorised person may pose as a delivery driver who needs access to your place of work. They may ask you to hold the door open for them so they can drop off their packages. But once they’ve circumvented security and gained access to the building, they can potentially access sensitive data or systems.
Deepfakes
Deepfakes are highly convincing videos, audio recordings or images created using AI technology that mimic real people. And they are becoming an increasingly dangerous form of AI social engineering.
Used for malicious social engineering scams, deepfakes can be used to impersonate colleagues, managers, business associates or other trusted figures.
Social engineering case study
A small business owner, Mr Smith, received a phone call from someone purporting to be a representative of Mr Smith’s bank. The so-called bank consultant informed Mr Smith that his accounts were being hacked. The consultant told Mr Smith he needed to immediately transfer funds from his personal and business accounts. During this conversation, Mr Smith transferred approximately $329,000 from both accounts to a separate account directed by the consultant.
Of course, Mr Smith realised not long after that he had been the victim of social engineering. He instantly contacted the bank’s fraud team, who were able to recover a portion of the funds.
Fortunately, Mr Smith also held Cyber Liability insurance and coverage under the Social Engineering Clause. An Incident Manager was appointed to assist Mr Smith in managing the incident response. The insurer paid a total cost of $99,000.
How to protect yourself and your business from social engineering
One of the best ways to protect yourself, your employees and your business is to stay up to date with the latest cyberthreats and trends. What are the latest scams cybercriminals are using? What kind of new AI-driven techniques are being used?
Education and training are just one way to protect yourself. Here are some other ways you can help to safeguard your business:
- Employee training: Simple human error contributes to a large portion of data breaches. Having regular training sessions can help your employees understand the risks and responsibilities in maintaining efficient cybersecurity measures and identifying social engineering attempts.
- Cybersecurity culture: Promote a workplace culture that encourages asking questions, double-checking unusual requests and generally empowering employees to raise concerns about potential threats.
- Cybersecurity tools: Tools like multi-factor authentication (MFA), firewalls, email filters and antivirus software can all help to reduce the risk of successful social engineering attacks.
- Cyber Liability insurance: Cyber Liability insurance covers losses from claims arising from data breaches, business interruption and remediation costs following an actual or threatened data breach. In some cases, you may also be able to add the option for cyber insurance for social engineering, phishing or cyber fraud.
Social engineering is a serious threat to Aussie SMEs
Social engineering is becoming more prevalent as cybercriminals begin to utilise AI to make their attacks increasingly sophisticated. Because social engineering exploits human vulnerabilities and emotions, businesses and individuals need to remain constantly vigilant – whether that’s keeping an eye out for suspicious deepfake videos or questioning emails that don’t seem quite right. However, understanding cybercriminals’ tactics, educating yourself and implementing different layers of defence can help to safeguard your business and give you peace of mind.
This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording.
The provision of the claims examples are for illustrative purposes only and should not be seen as an indication as to how any potential claim will be assessed or accepted. Coverage for claims on the policy will be determined by the insurer, not BizCover.
© 2025 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769
