Trust Your Gut: Looking for Confidence Scam Red Flags
Social engineering attacks work by bypassing your security software and targeting the one thing software can't patch: human psychology.
That “urgent” invoice, the “problem” with your account, the “IT admin” who needs your password right now: these are all tactics designed to make you panic. The good news is that they all leave clues as to the true source of each fraudulent request.
In this chapter, we’ll focus on training your eye to spot the obvious — and not-so-obvious — red flags of a social engineering attack.
Psychological influence and deception can cause you to voluntarily and unknowingly give up your credentials to bad actors. Here’s how to protect yourself against social engineering attacks.
Trust your gut. If something seems off, it’s better to be safe than sorry. Resist the pressure to respond to urgent requests or those that seem too good to be true, and verify sender details before interacting with hyperlinks, downloadable files, or buttons.
The keys to defeating social engineering attacks are self-awareness and vigilance. Never act on anything that elicits panic, and always take a moment to breathe and think critically when something demands sensitive information or funds. Social engineers can only profit by making you act without thought.
Specific red flags you should be on the lookout for include:
Heightened Emotions
If you receive a call, email, or SMS message from anyone you know, especially someone with authority over you or one of your accounts, you need to stop and think before you click! Odds are, a social engineer will attempt to make you act out of fear, anger, or urgency. Take a moment to pause and investigate the situation, and judge whether it makes sense.
Something Seems Off
Maybe you recognize the sender’s name in an SMS message or email. However, the content doesn’t align with a previous thread, seems strange or off-topic, or includes anything that doesn’t feel right. Again, take a pause to investigate. You can contact your friend or account manager through the usual channels to determine the legitimacy of the message.
Details are Skewed
Or, maybe you recognize an email or SMS for the most part, but the sending domain is different, or there are extra numbers or characters in the address. Same as above: stop and investigate before clicking anything! An example of this would be someone claiming to be Amazon customer support emailing you that your account is being suspended. It seems legit, but there are a few spelling errors in the address line, like “support@amazon1.com.” Odds are, the person contacting you is not from Amazon.
It’s “Too Good to Be True”
Is the message or email you’re receiving offering you something highly unrealistic in exchange for clicks or sign-ups? Remember the old adage: if something sounds too good to be true… then it probably is.
Message Contains Links or Downloads
To be honest, you probably shouldn’t download or click any links at all unless you can verify the sender or are expecting the message from that individual. Always confirm a link is safe to click in advance of opening anything, especially at work.
When a CEO who normally emails suddenly texts about an urgent wire transfer, or a long-time vendor switches from their corporate email to a personal Gmail account, that's a red flag. Attackers exploit unfamiliar channels where verification habits aren't established and recipients are less likely to scrutinize requests carefully.
Bypassing Standard Verification
Legitimate business requests follow established protocols. When someone asks you to “skip the usual approval process,” use an “alternative payment method,” or to “just this once” circumvent normal security procedures, that's a manipulation tactic. Fraudsters know your procedures exist to prevent fraud, so they create justification for ignoring them.
Demands for Confidentiality or Secrecy
Phrases like “don't mention this to anyone,” “this deal isn't finalized yet,” “keep this between us,” or “the acquisition is confidential” are designed to isolate you from the verification resources you'd normally use. Legitimate sensitive business matters still follow proper channels and verification protocols.
Changes to Established Payment or Account Information
Say a vendor you've paid for years suddenly provides updated banking details. Or, an employee requests a direct deposit change via email, or a supplier's invoice has a different account number. These changes can be legitimate, but they're also the most common business email compromise (BEC) tactics, which is why they require verification through a separate, trusted communication channel.
Unavailability Through Normal Verification Channels
The “executive” emailing you claims to be in back-to-back meetings, traveling internationally with limited access, or dealing with an emergency... basically anything that explains why you can’t reach them directly by phone or through their assistant. Legitimate executives understand security protocols and make themselves available for verification of sensitive requests, even if it takes a few minutes longer.