Social Engineering Attacks

[Infographic: an attacker at the centre, surrounded by the techniques covered on this page: vishing, phishing, pretexting, tailgating, BEC fraud and baiting. Caption: Trust no one blindly. Verify before you act.]

Understand how attackers manipulate people — not just technology — to gain access to systems and information.


Social engineering manipulates people rather than exploiting technical vulnerabilities. Attackers exploit trust, authority, urgency and fear to get a person to hand over access or information voluntarily, bypassing technical security controls entirely.

The Social Engineering Attack Cycle

  1. Research: LinkedIn, social media, the company website
  2. Pretexting: build a convincing cover story
  3. Approach: call, email or in-person contact
  4. Exploit: extract information, access or credentials
  5. Exit: disappear and cover tracks
  6. Repeat / escalate: use the gained access for further attacks

Common Social Engineering Techniques

Pretexting

The attacker invents a scenario (a “pretext”) to establish credibility. Examples:
  • Posing as IT support: “Hi, I’m from the helpdesk — we’ve detected an issue with your account and need your login to fix it”
  • Posing as a supplier: “This is DHL, your parcel was undeliverable — can you confirm your address and credit card for redelivery?”
  • Posing as a manager: “This is Sarah from finance, the auditors need those figures urgently — can you email them to my personal address while my work email is down?”

Tailgating (Piggybacking)

[Diagram: an employee badges through an access-controlled door; the attacker follows them in without badging and now has physical access to servers, desks, printers and unattended PCs.]
An attacker follows a legitimate employee through an access-controlled door without badging in. People are naturally polite and hold doors open — but this completely defeats physical access controls.
Rule: Never hold a door open for someone you don’t recognise. Direct them to reception. This is not rude — it is correct procedure.
⚠ Warning
Tailgating is often carried out by people dressed as delivery drivers, maintenance contractors, or cleaners. Always verify with reception or your facilities team before allowing unescorted access to any secured area.

Vishing (Voice Phishing)

Attackers call on the phone impersonating IT support, the tax office (ATO), police, banks, or suppliers. They may already know your name and basic details from LinkedIn.
Signs of a vishing call:
  • You did not initiate the call
  • Pressure to act immediately or keep the call secret
  • Request for credentials, OTP codes, or remote access
  • Threats of consequences (account suspension, legal action, arrest)
⛔ Important
No legitimate IT department, bank, or government agency will ever ask for your password or a one-time code over the phone. If you receive such a call, hang up and call back on the official number, taken from the organisation's website, the back of your card, or your internal directory, never from a number the caller gives you or that appears on caller ID.

The Six Principles Attackers Exploit

  1. Reciprocity — “I’ve done something for you, now you owe me”
  2. Commitment — once you’ve started helping, it feels wrong to stop
  3. Social proof — “Everyone else in your team already gave me access”
  4. Authority — impersonating a manager, IT, police, or the ATO
  5. Liking — building rapport before making a request
  6. Scarcity / Urgency — “You have 10 minutes or your account is deleted”
✓ Key Point
When you feel rushed, under pressure, or emotionally manipulated during a request for information or access — that itself is the red flag. Legitimate requests can wait for verification. Slow down and verify through a separate channel.
Your people are the target — are they ready?
Attackers don’t need to break your firewall when one convincing phone call or held-open door will do. Mobile Techs IT Service helps Gold Coast businesses build a human firewall: security awareness training your staff will actually remember, simulated phishing exercises, verification procedures for payment and access requests, and email filtering that stops most lures before anyone sees them. Home users welcome too — on-site or remote, anywhere in Australia.