In March 2022, the Lapsus$ threat actor group published evidence that it had breached Okta by socially engineering a third-party support contractor; the intrusion itself dated back to January of that year. No malware. No zero-day exploit. Just a human being who got manipulated. The breach potentially affected hundreds of Okta's enterprise customers, and it started with the simplest attack vector there is: tricking a person. If you want to know how to spot social engineering, you need to understand that these attacks don't look like what Hollywood shows you. They look like a normal Tuesday at work.

This post breaks down the specific red flags, real-world patterns, and practical techniques you can use today to identify social engineering attempts before they turn into breach notifications and regulatory headaches.

What Social Engineering Actually Looks Like in 2022

Forget the hoodie-wearing hacker in a dark room. Modern social engineering is polished, professional, and disturbingly persuasive. According to the Verizon 2021 Data Breach Investigations Report, 85% of breaches involved a human element. Social engineering was the top attack pattern for the second year running.

I've seen attack emails that perfectly replicate internal HR communications — complete with correct logos, employee names pulled from LinkedIn, and references to actual company events. The days of "Dear Sir, I am a prince" are over. Today's threat actors do their homework.

Social engineering works because it targets trust, urgency, and authority — the three psychological levers that bypass critical thinking. Every employee in your organization needs to recognize when those levers are being pulled.

The 7 Red Flags: How to Spot Social Engineering in Real Time

Here's what I tell every team I train. These are the specific signals that should trigger your internal alarm system.

1. Urgency That Doesn't Make Sense

"Your account will be locked in 15 minutes." "The CEO needs this wire transfer completed before close of business." Attackers manufacture time pressure because rushed people make poor decisions. If a request feels unusually urgent, that urgency itself is the red flag.

The FBI's 2021 Internet Crime Report documented over $2.4 billion in losses from business email compromise (BEC) alone. Nearly every BEC attack relies on manufactured urgency — a fake CEO email demanding an immediate wire transfer, a vendor claiming an invoice is past due.

2. Authority Without Verification

Someone claims to be from IT, from the C-suite, from your vendor's security team. They use titles and names to establish trust instantly. But here's the thing: legitimate authority figures don't get angry when you verify their identity. Threat actors do.

If someone pressures you to skip verification steps, that pressure is the attack.

3. Unusual Channels for Sensitive Requests

Your CFO has never once texted you about a wire transfer — and suddenly she's doing it from a number you don't recognize. Your IT department always uses the ticketing system — but now someone's calling your desk phone asking for your credentials. Channel switches are a classic social engineering tell.

4. Emotional Manipulation

Fear, curiosity, greed, helpfulness — attackers pick the emotion most likely to work on their target. "You've been selected for a bonus." "Your computer has been compromised and we need your password to fix it." "A colleague is in trouble and needs your help right now." Each of these targets a different emotional response, but they all have the same goal: get you to act before you think.

5. Requests for Credentials or Access

No legitimate organization — not your bank, not your IT department, not Microsoft — will ever ask for your password over email, phone, or text. Period. Any request for credentials is a credential theft attempt until proven otherwise. This is the single most important rule in security awareness.

6. Links That Don't Match the Sender

Hover over that link before you click it (on a phone, long-press it to preview the address). Does the URL match the organization it claims to come from? Is the domain slightly misspelled, "micros0ft.com" instead of "microsoft.com"? Read the domain from the right-hand end: in microsoft.com.account-verify.net the part that matters is account-verify.net, and the familiar name in front of it is bait. Attackers register lookalike domains specifically to exploit the split-second when you glance at a URL without really reading it.
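To make that check mechanical, here is an added example (not code from the original post) that classifies a link the way the red flag above describes: it extracts the host the browser will really connect to, reduces it to the domain the attacker had to register, and compares that against an allowlist of the organization's own domains while undoing the character swaps an eye skips over. The TRUSTED_DOMAINS allowlist, the tiny stand-in for the Public Suffix List, and the URLs in the usage block are constructed assumptions for illustration.

```python
"""Classify a link by its real domain, the way the red flag above describes.

Added example, not code from the original post. TRUSTED_DOMAINS, TWO_LABEL_SUFFIXES
and the URLs under __main__ are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist: domains this hypothetical organization actually uses.
TRUSTED_DOMAINS = {"microsoft.com", "example-corp.com"}

# Swaps that read correctly at a glance; undone before names are compared.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"), ("-", "")]

# Stand-in for the Public Suffix List, which a real implementation should load.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_of(url: str) -> str:
    """Host the browser will actually connect to, lowercased, IDN labels decoded."""
    if "://" not in url:
        url = "http://" + url                        # bare host pasted from an email
    # urlparse discards a user@ prefix, so https://microsoft.com@evil.net/ -> evil.net
    host = urlparse(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels -> visible Unicode form
    except UnicodeError:
        pass
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """The part of the host an attacker had to register: the last two or three labels."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def normalize(name: str) -> str:
    """Strip accents, drop non-ASCII, undo confusable swaps; non-Latin homoglyphs vanish."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES:
        text = text.replace(bad, good)
    return text


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, swap."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[i - 1][j] + 1, cur[j - 1] + 1, rows[i - 1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[i - 2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, registrable domain) for a link found in an email or SMS."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in TRUSTED_DOMAINS:
        # microsoft.com.account-verify.net: the real name appears, but not where it counts
        if f".{trusted}." in f".{host}.":
            return "name-as-subdomain", domain
    if normalize(domain) in {normalize(t) for t in TRUSTED_DOMAINS}:
        return "lookalike", domain                # micros0ft.com, micro-soft.com, rnicrosoft.com
    sld = normalize(domain.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(sld, normalize(trusted.split(".")[0])) <= 1:
            return "near-miss", domain            # microsfot.com, microsofts.com, or a wrong TLD
    return "untrusted", domain


if __name__ == "__main__":
    for link in ["https://login.microsoft.com/common/oauth2",
                 "http://micros0ft.com/verify",
                 "https://microsoft.com.account-verify.net/login",
                 "https://microsoft.com@evil-login.net/reset",
                 "https://microsfot.com/"]:
        print(classify_link(link), link)
```

The ordering of the checks matters: a trusted domain is accepted before any fuzzy matching, the subdomain trick is tested on the whole host rather than the registrable part, and the edit-distance pass runs last so that "near-miss" never shadows a more specific verdict. Anything that is not "trusted" should be treated as a link to report, not to open.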

7. Too-Good-to-Be-True Offers

Gift cards, prizes, exclusive access, surprise refunds. If you didn't enter a contest, you didn't win one. This seems obvious in writing, but in the moment — when an email looks legitimate and the offer is specific — people click. That's what attackers count on.

Beyond Email: Social Engineering Channels You're Probably Ignoring

Most organizations focus their training on email phishing, and that's a good start. But threat actors go where defenses are weakest. Here's where I've seen social engineering attacks succeed that most teams never trained for.

Phone-Based Pretexting (Vishing)

The Lapsus$ group used phone-based social engineering extensively. They'd call help desks, impersonate employees, and request password resets or MFA enrollment changes. Your help desk staff are a high-value target — and they're often the least trained on social engineering detection.

I recommend every organization include vishing scenarios in their security awareness training. If your team only recognizes phishing emails, you've left the back door wide open.

SMS Phishing (Smishing)

Text messages feel personal and urgent by nature. A fake delivery notification, a "suspicious login" alert with a link to "verify your account" — these attacks exploit the trust people place in their phones. The small screen also makes it harder to inspect URLs before tapping.

Physical Social Engineering

Tailgating through secure doors. Dropping USB drives in parking lots. Impersonating delivery drivers or maintenance workers. These attacks still work, especially in organizations that went remote during the pandemic and are now returning to offices with relaxed physical security habits.

Social Media Reconnaissance

Before the attack even starts, threat actors mine LinkedIn, Twitter, Instagram, and company websites for information. Your org chart, your employee names, your technology stack, your upcoming events — all of this feeds into more convincing pretexts. Knowing how to spot social engineering means understanding that the attack often begins weeks before the first phishing email lands.

What Does a Social Engineering Attack Feel Like?

This is the question I get most often, and it's the one most likely to save someone from falling for an attack. Here's my answer, formatted for the people who need it most — your employees on the front lines.

A social engineering attack feels normal. That's what makes it dangerous. It feels like a routine request from a trusted person. It feels like a minor inconvenience you want to resolve quickly. It feels like helping someone who needs you. The only difference is a subtle wrongness — a detail that doesn't quite fit.

Maybe the email address is off by one character. Maybe the request skips a step that normally happens. Maybe the person on the phone gets impatient when you ask a verification question. That subtle wrongness is your signal. Train your people to trust that instinct and to verify before acting.

Building a Culture That Catches Social Engineering

Detection isn't just about individual awareness. It's about creating an environment where reporting suspicious contacts is easy, expected, and rewarded.

Run Realistic Phishing Simulations

Phishing simulation programs give your team practice in a low-stakes environment. But they have to be realistic. If your simulations look nothing like actual attacks, they're training people to spot fake tests — not real threats. Our phishing awareness training for organizations provides simulation frameworks built around the tactics threat actors actually use today.

Make Reporting Frictionless

If it takes five steps to report a suspicious email, people won't bother. Give them a one-click "Report Phish" button in their email client. Acknowledge every report. Celebrate catches publicly. I've seen organizations reduce successful phishing rates by over 60% just by making reporting easy and culturally expected.

Train Continuously, Not Annually

Annual compliance training checks a box. It doesn't change behavior. Effective security awareness requires short, frequent training touchpoints — monthly at minimum. Our cybersecurity awareness training program is designed for exactly this: ongoing education that keeps social engineering detection sharp throughout the year.

Implement Multi-Factor Authentication Everywhere

Even when social engineering succeeds in stealing a password, multi-factor authentication (MFA) can stop the attacker from using it. MFA isn't perfect. Lapsus$ proved that by bombarding victims with push notifications until one was approved just to make the prompts stop, and a real-time phishing proxy can relay a one-time code as fast as the victim types it. But it raises the bar significantly. Number matching in the push prompt defeats the blind tap; FIDO2/WebAuthn security keys go further, because the credential is bound to the origin it was registered on and will not sign a challenge for a lookalike domain.
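The push-bombing pattern is also visible in identity-provider logs, and a detection for it is worth having even after number matching is rolled out. The following is an added example (not code from the original post, and not any vendor's query language): it reads constructed push-challenge events, keeps a sliding window per user, and raises one alert when a burst of pushes ends in an approval and a different alert when a burst is refused throughout, which still means the attacker holds a valid password. The log format, field names, SAMPLE_LOGS, WINDOW and THRESHOLD are all assumptions for illustration.

```python
"""Detect MFA push bombing (push fatigue) in identity-provider logs.

Added example, not from the original post. Log format, field names, SAMPLE_LOGS,
WINDOW and THRESHOLD are constructed assumptions; adapt parse_events() to your IdP.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # a burst is this many minutes of pushes to one user
THRESHOLD = 5                    # pushes inside WINDOW that no ordinary login produces

# Constructed log lines: one JSON object per event. Note 203.0.113.7 hits two users.
SAMPLE_LOGS = """\
{"ts": "2022-03-21T02:00:40Z", "user": "alice", "event": "login.password", "result": "success", "ip": "203.0.113.7"}
{"ts": "2022-03-21T02:01:10Z", "user": "alice", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2022-03-21T02:02:05Z", "user": "alice", "event": "mfa.push", "result": "timeout", "ip": "203.0.113.7"}
{"ts": "2022-03-21T02:03:40Z", "user": "alice", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2022-03-21T02:04:12Z", "user": "alice", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2022-03-21T02:05:50Z", "user": "alice", "event": "mfa.push", "result": "timeout", "ip": "203.0.113.7"}
{"ts": "2022-03-21T02:06:33Z", "user": "alice", "event": "mfa.push", "result": "approved", "ip": "203.0.113.7"}
{"ts": "2022-03-21T09:00:01Z", "user": "bob", "event": "mfa.push", "result": "denied", "ip": "198.51.100.20"}
{"ts": "2022-03-21T09:00:30Z", "user": "bob", "event": "mfa.push", "result": "approved", "ip": "198.51.100.20"}
{"ts": "2022-03-21T23:10:02Z", "user": "carol", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2022-03-21T23:11:15Z", "user": "carol", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2022-03-21T23:12:48Z", "user": "carol", "event": "mfa.push", "result": "timeout", "ip": "203.0.113.7"}
{"ts": "2022-03-21T23:13:20Z", "user": "carol", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2022-03-21T23:14:59Z", "user": "carol", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
"""


def parse_events(text):
    """Return (timestamp, user, result, ip) for each mfa.push line, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event") != "mfa.push":
            continue                                  # password logins etc. are not pushes
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["user"], rec["result"], rec.get("ip", "")))
    return sorted(events)


def detect_push_fatigue(text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts, sorted by user.

    approved-under-bombardment: >= threshold pushes inside window, the last one approved.
        Treat as account compromise: the user tapped to make the prompts stop.
    bombardment-denied: a burst of >= threshold pushes the user kept refusing.
        No session was granted, but the attacker clearly holds a valid password.
    """
    recent = defaultdict(deque)   # user -> push timestamps still inside the window
    peak = {}                     # user -> (largest burst seen, when it peaked, source ip)
    alerts, approved = [], set()
    for ts, user, result, ip in parse_events(text):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()                               # slide the window forward
        q.append(ts)
        if len(q) >= peak.get(user, (0,))[0]:
            peak[user] = (len(q), ts, ip)
        if result == "approved" and len(q) >= threshold:
            alerts.append({"user": user, "kind": "approved-under-bombardment",
                           "pushes": len(q), "ts": ts.isoformat(), "ip": ip})
            approved.add(user)
    for user, (n, ts, ip) in peak.items():
        if n >= threshold and user not in approved:
            alerts.append({"user": user, "kind": "bombardment-denied",
                           "pushes": n, "ts": ts.isoformat(), "ip": ip})
    return sorted(alerts, key=lambda a: (a["user"], a["ts"]))


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOGS):
        print(alert)
```

Bob's two pushes (a mis-tap followed by an approval) stay below the threshold and produce nothing, which is the point of the window-and-count design: the signal is the burst, not a single denial. The "bombardment-denied" alert deserves a password reset even though no login happened, and the source IP carried in each alert is what lets an analyst notice that the same address drove the bursts against alice and carol.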

Adopt Zero Trust Principles

Zero trust means never assuming a user, device, or connection is legitimate just because it's inside your network. Every access request gets verified. This architecture limits the blast radius when social engineering does succeed — and it will, eventually. CISA's Zero Trust Maturity Model offers a practical framework for getting started.

The $4.24M Lesson Most Organizations Learn Too Late

IBM's 2021 Cost of a Data Breach Report pegged the average cost of a data breach at $4.24 million — the highest in 17 years. Breaches involving social engineering and credential theft were among the most expensive and took the longest to identify and contain.

Here's what those numbers actually mean for your organization: every employee who can't spot a pretexting call or a spear-phishing email represents an open vulnerability. You can spend millions on firewalls, endpoint detection, and SIEM tools. But if someone in accounts payable clicks a link because the email looked like it came from a real vendor, none of that technology matters.

The organizations I've seen handle social engineering best share three traits. They train frequently. They test realistically. And they treat security awareness as a core business function — not an afterthought managed by a single IT person with a compliance checklist.

Your 5-Step Action Plan Starting Today

Here's exactly what I'd do if I were building your social engineering defense from scratch this week.

  • Audit your current exposure. Review your public-facing information — LinkedIn profiles, company website, social media. What could an attacker learn about your org chart, technology, and processes? Reduce unnecessary exposure.
  • Deploy phishing simulations monthly. Track click rates, reporting rates, and time-to-report. Use these metrics to identify departments that need additional training.
  • Train on all vectors. Email, phone, SMS, physical access, social media. If your training only covers email, you're leaving critical gaps.
  • Harden your help desk. Require callback verification for password resets and MFA changes, to a number already on file rather than one the caller supplies, and don't accept as proof of identity details an attacker can scrape from LinkedIn or the company website. This single step would have prevented multiple high-profile breaches in the last year.
  • Enforce MFA with phishing-resistant methods. Push notifications are better than nothing, and number-matching prompts defeat push bombing, but only FIDO2/WebAuthn hardware keys (or platform passkeys) are phishing-resistant in the sense CISA uses the term: the credential is bound to the real site's origin, so a lookalike domain cannot obtain a usable response.

Knowing how to spot social engineering isn't a one-time skill. It's a muscle that atrophies without practice. The attackers evolve constantly — your defenses need to evolve with them. Start with training, reinforce with simulation, and build a culture where healthy skepticism is the default. That's how you stop the next attack before it starts.