In January 2024, a finance employee at engineering firm Arup wired $25 million to threat actors after joining a video call where every other participant — including the CFO — was a deepfake. The attackers had studied publicly available footage, cloned voices and faces, and orchestrated an elaborate social engineering attack that bypassed every technical control the company had in place. If you want to know how to spot social engineering, that incident is your wake-up call: these attacks don't exploit software. They exploit people.

This post breaks down the specific tactics attackers use, the red flags you and your employees should recognize, and the practical steps that actually reduce your risk. I've spent years watching organizations get burned by preventable social engineering attacks — and the patterns are remarkably consistent.

What Social Engineering Actually Looks Like in 2024

Forget the stereotype of a poorly written email from a foreign prince. Modern social engineering is targeted, researched, and disturbingly convincing. According to the Verizon 2023 Data Breach Investigations Report, 74% of all breaches involved the human element — including social engineering, errors, and misuse of credentials.

Threat actors do their homework. They scrape LinkedIn for org charts and reporting structures. They monitor company press releases for merger announcements, new hires, and leadership changes. Then they craft messages that feel completely legitimate because they reference real people, real projects, and real deadlines.

The Five Core Tactics You'll Encounter

  • Phishing: The most common vector. Emails, texts (smishing), or voice calls (vishing) designed to steal credentials or install malware. Phishing simulations consistently show that 10-15% of employees will click a well-crafted phishing email.
  • Pretexting: The attacker creates a fabricated scenario — pretending to be IT support, a vendor, or a new executive — to build trust and extract information.
  • Baiting: Offering something enticing — a USB drive labeled "Q4 Salary Review" left in a parking lot, or a malicious download disguised as a popular tool.
  • Tailgating: Physically following an authorized person into a restricted area. It still works because most people hold doors open out of courtesy.
  • Business Email Compromise (BEC): The FBI's IC3 2023 Internet Crime Report logged over $2.9 billion in adjusted losses from BEC attacks alone. Attackers impersonate executives or vendors to redirect wire transfers.

How to Spot Social Engineering: 9 Red Flags That Matter

Knowing how to spot social engineering comes down to pattern recognition. Here are the specific warning signs I train teams to look for — ranked by how frequently I see them exploited.

1. Urgency That Doesn't Make Sense

"I need this wired in the next 30 minutes or we lose the deal." Artificial urgency is the number one manipulation technique. Attackers know that time pressure shuts down critical thinking. If someone is pushing you to act before you can verify, that's the red flag.

2. Authority Without Verification

The message claims to be from the CEO, the IT director, or a government agency. It uses authority to discourage questioning. Real executives expect you to follow process. If someone pressures you to skip verification steps because of who they claim to be, that's social engineering.

3. Unusual Communication Channels

Your CFO has never texted you directly before, but suddenly you get a WhatsApp message asking for a wire transfer. Channel switching is a deliberate tactic. Attackers use unfamiliar channels because they know your normal email might have better security controls.

4. Requests That Bypass Normal Processes

"Don't go through the usual approval — just handle this one directly." Any request to circumvent established procedures is a massive red flag. Legitimate business operations don't require you to skip controls.

5. Mismatched Sender Details

The display name says "John Smith, CEO" but the actual email address belongs to an unrelated or look-alike domain. Always check the full sender address, not just the display name. In BEC attacks, threat actors often register domains that are one character off from the real one.
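Red flag #5 is mechanical enough to check automatically. The following is an added example (not code from the original post) that parses a From: header, flags a display name that claims a known executive while the address is external, flags a domain that is only a character or two off the real one, and flags an address embedded in the display name that disagrees with the real address; the organization domain, executive list and message headers are constructed for illustration.

```python
"""Added example: detect mismatched sender details in a From: header.

Constructed values: ORG_DOMAIN, EXECUTIVES and the headers used in tests.
"""
from __future__ import annotations

from email.utils import parseaddr

# Constructed: the organization's real domain and its known executives.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"john smith": "john.smith@example-corp.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains that are 'one character off'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return the red flags found in one From: header (empty list means none)."""
    flags: list[str] = []
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # An address written inside the display name that disagrees with the real one.
    if "@" in display and display.lower().rsplit("@", 1)[-1].strip('"') != domain:
        flags.append(f"display name contains a different address than {addr}")

    if domain != ORG_DOMAIN:
        # Look-alike domain: registered one or two characters off the real one.
        if domain and edit_distance(domain, ORG_DOMAIN) <= 2:
            flags.append(f"look-alike domain: {domain}")
        # Display name claims a known executive, but the address is external.
        for exec_name, exec_addr in EXECUTIVES.items():
            if exec_name in display.lower() and addr != exec_addr:
                flags.append(f"display name impersonates {exec_addr}")
    return flags
```

Wire this into a mail-flow rule or a triage script that tags flagged messages for the reporting channel described later in the post, rather than silently dropping them.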

6. Emotional Manipulation

Fear, guilt, curiosity, greed — social engineering always pulls an emotional lever. "Your account has been compromised — click here immediately" triggers fear. "You've been selected for a special bonus" triggers greed. When you feel a strong emotional pull from an unsolicited message, slow down.

7. Requests for Credentials or Sensitive Data

No legitimate IT department will ask for your password via email. No bank will ask you to "confirm" your full account number and SSN through a link. Credential theft is the endgame of most phishing campaigns. Period.

8. Too-Good-to-Be-True Offers

Whether it's a job offer you didn't apply for, an unexpected tax refund, or a vendor offering an impossibly low quote — if it seems too good to be true, it's bait. Literally.

9. Subtle Pressure Against Telling Others

"Keep this confidential — don't discuss it with your team yet." Isolation is a fundamental manipulation technique. Attackers don't want you consulting with colleagues who might spot the deception.

What Is Social Engineering in Cybersecurity?

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Unlike technical attacks that exploit software vulnerabilities, social engineering exploits human psychology — trust, fear, helpfulness, and authority. In cybersecurity, it's the most common initial attack vector for data breaches, ransomware infections, and credential theft. It includes phishing, pretexting, baiting, tailgating, and business email compromise.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2023 Cost of a Data Breach Report pegged the average cost at $4.45 million. Social engineering and phishing were consistently among the most expensive initial attack vectors. And that number doesn't capture regulatory penalties, class-action settlements, or the reputational damage that drives customers away.

I've seen mid-size companies lose six figures in a single BEC attack — money that was never recovered. I've watched healthcare organizations face OCR investigations after employees fell for phishing emails that exposed patient records. These aren't hypotheticals. They happen every week.

The MGM Resorts breach in September 2023 started with a social engineering phone call. An attacker called the IT help desk, impersonated an employee found on LinkedIn, and gained access to internal systems. The result: an estimated $100 million in losses and a full-scale ransomware incident that shut down hotel operations across the country.

Why Technical Controls Alone Won't Save You

Multi-factor authentication matters. Email filtering matters. Zero trust architecture matters. But none of these controls are bulletproof against a well-executed social engineering attack — because the target isn't your firewall. It's the person sitting behind it.

MFA can be bypassed through real-time phishing proxies (tools like EvilGinx2 have made this trivial). Email filters miss novel phishing campaigns in the first hours before signatures are updated. Zero trust helps limit blast radius, but it doesn't stop an authorized user from being tricked into handing over their session token.

The human layer is your last line of defense — and often your first point of failure. That's why security awareness training isn't optional. It's foundational.

Building a Culture That Catches Social Engineering

Technical controls should be layered with ongoing human training. Here's what actually works, based on what I've seen across hundreds of organizations:

  • Regular phishing simulations: Not once a year — monthly or quarterly. Organizations that run consistent phishing simulations through programs like our phishing awareness training for organizations see click rates drop from 15-20% to under 5% within six months.
  • Just-in-time training: When someone fails a simulation, they get immediate, contextual feedback — not a punitive write-up. This is how adults learn.
  • Clear reporting channels: Make it dead simple for employees to report suspicious messages. A one-click "Report Phish" button in your email client removes friction. Then actually acknowledge reports — people stop reporting if they think nobody cares.
  • Role-specific training: Your finance team faces different social engineering threats than your developers. BEC targets accounts payable. Credential theft campaigns target admins with elevated privileges. Training should reflect these differences.
  • Verification protocols: Establish out-of-band verification for any financial transaction or sensitive request. If the CEO emails asking for a wire transfer, you pick up the phone and call a known number. No exceptions.

Practical Steps You Can Take This Week

You don't need a six-month roadmap to start improving your resilience against social engineering. Here's what you can do right now.

For Individuals

  • Enable multi-factor authentication on every account that supports it. Hardware keys (FIDO2) are strongest, followed by authenticator apps. SMS is better than nothing.
  • Before clicking any link, hover to inspect the actual URL. Look for misspellings, unexpected domains, and suspicious subdomains.
  • Verify unexpected requests through a separate channel. Got an email from your boss asking for something unusual? Call them. Don't reply to the email.
  • Limit what you share publicly on social media. Every detail about your job, your travel, your routines gives attackers ammunition for pretexting.
  • Take a structured cybersecurity awareness training course to build a baseline understanding of current threats.

For Organizations

  • Audit your public-facing information. Can an attacker build an org chart from LinkedIn? Can they identify your vendors from press releases? Reduce unnecessary exposure.
  • Implement DMARC, DKIM, and SPF for your email domain. These protocols won't stop all phishing, but they make it significantly harder for attackers to spoof your domain.
  • Run tabletop exercises focused on social engineering scenarios. Walk your team through a BEC attempt, a vishing call, and a pretexting scenario. Practice builds pattern recognition.
  • Establish a formal incident response process for social engineering attempts — including who to contact, how to preserve evidence, and when to escalate.
  • Review CISA's cybersecurity best practices for additional guidance tailored to your sector.

The Attacks Are Getting Smarter. Your People Need to Keep Up.

In my experience, organizations that treat social engineering as a "soft" threat end up as case studies. The Arup deepfake. The MGM help desk call. The countless BEC wire transfers that never make headlines because the companies are too embarrassed to disclose them.

Knowing how to spot social engineering isn't a one-time lesson. It's a muscle that needs regular exercise. Threat actors evolve their tactics constantly — using AI-generated voice clones, deploying adversary-in-the-middle phishing kits, and exploiting the trust inherent in tools like Teams and Slack.

Your employees are either your greatest vulnerability or your strongest sensor network. The difference is training — consistent, realistic, and ongoing. Start with our cybersecurity awareness training program to build foundational skills, and layer in phishing simulation exercises to test and reinforce what your team learns.

The attackers aren't waiting. Neither should you.