Social Engineering Red Flags

The warning signs across the attacks that target people, and the one move that beats them.

By the numbers

  • 62% of breaches involve the human element (Verizon DBIR 2026)
  • $3.05B reported losses to business email compromise in 2025 (FBI IC3 2025)
  • 21 sec median time to click a phishing link (Verizon DBIR 2024)

Email and message lures (phishing)

  • Urgency and pressure. Act now, this expires, do not tell anyone. Real requests survive a pause.
  • A sender that almost matches. Look-alike domains, a reply-to that differs, a display name that spoofs someone you know.
  • "Verify your account" links. A login page reached from a message, not from your own bookmark or typed address.
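
The sender checks above (look-alike domain, differing reply-to, spoofed display name) can be automated as a mail-triage aid. This is an added example, not part of the original guide; the trusted domain, the known name, and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed inputs for this sketch: your organisation's domains and known senders.
TRUSTED_DOMAINS = {"example.com"}
KNOWN_NAMES = {"dana reyes"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower()

def sender_red_flags(raw):
    """Return the sender-related red flags found in one raw message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    flags = []
    if from_dom not in TRUSTED_DOMAINS:
        # Close to a trusted domain but not equal to it: a sender that almost matches.
        if any(0 < edit_distance(from_dom, t) <= 2 for t in TRUSTED_DOMAINS):
            flags.append("lookalike-domain")
        # A name you know, attached to an address outside your domains.
        if name.strip().lower() in KNOWN_NAMES:
            flags.append("display-name-spoof")
    # Replies would go to a different domain than the one shown as the sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample messages (not real mail).
LOOKALIKE = "From: Dana Reyes <dana@examp1e.com>\nSubject: Invoice\n\nPay today."
REPLY_TO = ("From: Dana Reyes <dana@example.com>\nReply-To: dana@mail-relay.test\n"
            "Subject: Wire\n\nKeep this quiet.")
CLEAN = "From: Dana Reyes <dana@example.com>\nSubject: Lunch\n\nNoon?"

if __name__ == "__main__":
    for sample in (LOOKALIKE, REPLY_TO, CLEAN):
        print(sender_red_flags(sample))
```

The From header can itself be forged, so an empty result is not proof that a message is genuine. Use the flags to decide what to verify on a channel you chose.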

Phone and voice (vishing)

  • A call that manufactures urgency. IT, a bank, or a manager who needs you to act before you have time to think.
  • Requests to read a code aloud. No legitimate caller ever needs the one-time code on your screen.
  • Pressure not to hang up and check. Discouraging a callback is the tell. Hang up and call a known number.

Impersonation and deepfakes

  • A familiar face or voice pushing a transfer. A senior leader on video asking for an urgent, secret payment or login.
  • Audio and video that drift. Lip-sync that lags, odd blinking, flat lighting, or a voice slightly off.
  • Camera or mic problems on cue. Quality drops the moment you ask a hard or unexpected question.

Authentication attacks (MFA and AiTM)

  • An MFA prompt you did not start. Approving a push you did not request hands your live session to the attacker.
  • A login reached through a link. Adversary-in-the-middle pages relay your real login and steal the session token.

Payment and authority

  • New payment details by message. Wire changes, gift cards, crypto, or new bank details that arrive in a message or call.
  • Requests to bypass process. Just this once, skip the second approver, keep it quiet.
  • Authority used to skip the check. A name, a title, or a logo deployed to make you waive the normal step.

Do and don't

Do

  • Slow down. Pressure is the attack. A real request survives you taking five minutes to check.
  • Verify on a channel you chose: a typed address, a saved bookmark, or a number off your card.
  • Call the person back on a number you already have, not one from the message.
  • Use phishing-resistant MFA (an app, a passkey, or a security key) on important accounts.
  • Require a second person to approve any new or changed payment.

Don't

  • Do not click a login link from an email, text, or DM. Open the site yourself.
  • Do not read a one-time code aloud or type it into a page you reached from a message.
  • Do not approve an MFA prompt you did not personally start.
  • Do not let urgency, authority, or secrecy talk you out of your normal checks.
  • Do not act on a new payment instruction without an out-of-band callback.

The one move

The one move that beats most of them: stop and verify on a channel you chose. Call back on a known number, open the site from your own bookmark, confirm with the person directly. The attacker is counting on you not to pause.

If it happens

  1. Stop. Do not send anything else and do not click further.
  2. If you ran an attachment or gave remote access, disconnect that device from the network.
  3. From a clean device, change the password and sign out all sessions on any exposed account.
  4. Tell your bank or IT immediately. With wire fraud, the first hours matter most.
  5. Report it: in the US, reportfraud.ftc.gov and the FBI at ic3.gov.

Go deeper

For the bigger picture, read "what is social engineering" and "how to spot a phishing email". See these warning signs in real cases in the weekly briefings.

Frequently asked questions

What are the red flags of social engineering?

Watch for urgency and pressure, a sender that almost matches, "verify your account" links, a call that manufactures urgency, plus any pressure to act fast, skip a check, or keep it secret.

What is the one move that stops it?

The one move that beats most of them: stop and verify on a channel you chose. Call back on a known number, open the site from your own bookmark, confirm with the person directly. The attacker is counting on you not to pause.

What should I do if it already happened?

Stop. Do not send anything else and do not click further. If you ran an attachment or gave remote access, disconnect that device from the network. From a clean device, change the password and sign out all sessions on any exposed account. Tell your bank or IT immediately. With wire fraud, the first hours matter most. Report it: in the US, reportfraud.ftc.gov and the FBI at ic3.gov.