
Social Engineering Red Flags


Whenever you think of cybercrime or hacking, you’ll probably think about a bad actor using their technical skills to break down digital defenses and use technology or coding against you. Descending lines of green code, Matrix-style, on multiple screens, as the hacker types faster than the eye can see to break through your firewall...or something similar. 

And sure, there are plenty of ways that bad actors can use technology or technical know-how to exploit vulnerabilities in computer systems. However, some of the most successful and hard-to-prevent cyberattacks are not done by traditional hacking and don’t really rely on technology at all. Social engineering attacks rely on research, manipulation, trickery, and an understanding of normal human behavior, and they are some of the most subtle cyberattacks out there and some of the hardest to defend against.

Social engineering attacks rely on psychological tricks, persuading people to make mistakes and capitalizing on human error. They exploit the naturally trusting nature of most people and look to use personal information to persuade people to hand over data and information or undertake activities that allow hackers to gain access to sensitive material or systems.

Because of the subtle nature of social engineering attacks, they can be hard to spot. Bad actors will find out personal information about their targets and use the information to convince you that they are trustworthy. This could be by impersonating a boss or a family member or by tricking their target into clicking links or downloading files that seem trustworthy.

However, there are some things to look out for that can help protect against social engineering attacks. Being vigilant and on the lookout for suspicious activity is always a good idea, and if you know what to look for, many attempts can be prevented. Here are some of the most common things that can give the game away when it comes to a social engineering attack.

Who is it from?

The most obvious giveaway is the person who is sending you the message. If you don’t recognise the person sending the message, or the email address is different from the normal address you see connected to the supposed sender, this should raise red flags.

Watch out for emails from people outside your organization who you don’t usually communicate with, emails you don’t recognise at all, and addresses that come from suspicious or dodgy-looking domains.

Who else is it to?

The other recipients on a suspicious email can also provide a clue as to whether it is trustworthy or not. If the email seems like it is something relevant to you and your work, but you don’t recognise the other addresses copied in, or if the group or mix of people is unusual or doesn’t make logical sense, even within an organization, then alarm bells should ring. 

One of the biggest red flags in an email, and coincidentally one of the main ways that social engineering attacks exploit vulnerabilities, is a suspicious hyperlink. You should always look at hyperlinks very carefully before clicking them, no matter who has sent you the message. If the hyperlink looks odd or is misspelled in any way, don’t click it. Similarly, be wary of shortened links. If the email just contains a hyperlink with no other content or information, you should be extremely cautious.

One way to ‘test’ a hyperlink is to hover your mouse over it and take a look at the link-to address. If it is different from the one suggested in the email or the text of the hyperlink, it is potentially dangerous.
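
The hover check described above can also be automated for an HTML message body. The Python below is an added example, not part of the original article; the function names and the sample messages are constructed for illustration. It flags links whose visible text names one host while the link-to address names another, and messages that contain nothing but a hyperlink.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a>, plus text outside links."""
    def __init__(self):
        super().__init__()
        self.links = []        # one [href, visible_text] pair per anchor
        self.other_text = []   # text that is not inside an <a>
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_link = True
            self.links.append([dict(attrs).get("href") or "", ""])

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

    def handle_data(self, data):
        if self._in_link:
            self.links[-1][1] += data
        else:
            self.other_text.append(data)


def host_of(text):
    """Return the lowercase hostname if text looks like a URL or bare domain."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    parsed = urlparse(text if "://" in text else "//" + text)
    return (parsed.hostname or "").lower() or None


def link_red_flags(html_body):
    """Return a list of hyperlink red flags found in an HTML email body."""
    parser = LinkCollector()
    parser.feed(html_body)
    flags = []
    for href, shown in parser.links:
        shown_host, real_host = host_of(shown), host_of(href)
        if shown_host and real_host and shown_host != real_host:
            flags.append(f"text shows {shown_host} but link goes to {real_host}")
    if parser.links and not "".join(parser.other_text).strip():
        flags.append("message contains only a hyperlink")
    return flags

# Constructed sample bodies (example.com / example.net are reserved test domains).
MISMATCH = '<p>Please review: <a href="http://login.example.net/reset">www.example.com</a></p>'
LINK_ONLY = '<a href="https://example.net/doc">Open document</a>'
```

The host comparison is exact, so a link shown as www.example.com that points to example.com is also flagged; treat each flag as a prompt to look more closely, not as a verdict.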

When was it sent?

Of course, some of your colleagues might keep weird working hours, but the timing of an email can provide a clue about its legitimacy. If you receive something that you’d normally expect to get during business hours but that was sent at a peculiar time (say 3 am), then you might want to treat it with caution.

What is it about?

The subject line of an email can provide clues about how solid and trustworthy it is. If the subject line is irrelevant or doesn’t correspond well with what the email is actually about, then you might want to investigate further. Equally, if the email seems to be replying to a message that you didn’t or don’t remember sending, it could also be suspicious. A ‘reply’ can seem far less likely to be a trick at first glance than a random email out of the blue, so always pay attention to whether you actually sent anything to reply to in the first place!

What is that attachment?

Attachments to emails can be huge no-nos and are one of the most obviously problematic elements of a social engineering attack. Things to look out for are attachments that don’t make sense with the subject, content, or scope of the email, unexpected attachments, or attachments that are a potentially dangerous file type. In a work context, unless you are absolutely certain about the document you are opening, anything other than a .txt file should be treated with caution.

What is the content?

Finally, we come to the actual content of the email. This can give you some pretty major clues as to whether the message is legit or whether you should be concerned about it. If the sender is asking you to do something that will give you a reward, or if they are threatening bad consequences if you don’t do something, then it’s probably an attack. If the grammar or the spelling is poor, the content doesn’t make sense, or the messages just give you a bad feeling, think twice. Most of all, if the message is asking you to do something weird, uncomfortable, or inappropriate, don’t do it!

Social engineering attacks can be subtle and hard to pick up, and it is not unusual for smart, alert people to fall victim to them. However, with some extra vigilance and paying attention to the red flags mentioned above, guarding against them is totally possible!
