A social engineering attack exploits victims’ emotions—fear, anxiety, pride—to trick them into giving up sensitive information or downloading malware. Common methods for social engineering attacks, like phishing and spear phishing, involve attackers impersonating business leaders, IT vendors, or HR representatives. What looks like an urgent request to reset credentials may actually be a spear phishing email designed to trick whoever opens it.

And without realizing it, employees are leaving the door wide open to cybercriminals by sharing their legitimate credentials. Even with a dedicated 24/7 security operation center (SOC), firewalls, enforced multi-factor authentication (MFA), and an endpoint detection and response (EDR) solution in place, social engineering attacks can still succeed when someone is tricked into sharing credentials or approving a malicious request.

Several high-profile attacks in recent years have relied on some form of social engineering. The MGM/Caesar incident in 2023 and the Harrod and Co-op attacks in 2025 resulted in the loss of millions of dollars. If employees and third-party vendors had recognized the early vishing and phishing signals, these attacks could likely have been contained earlier and their impact reduced.

Here are a few scenarios to help you spot threats before they happen.

When emails look exactly right

In the Harrod and Co-op attacks, members of Scattered Spider used open source intelligence (OSINT) to comb through public information in order to impersonate employees. Through emails sent to the companies’ IT departments, the attackers requested MFA and password reset links for already compromised accounts. This allowed them full control over multiple accounts before moving easily throughout the company's infrastructure.

Hackers don’t just send a random phishing email to the IT help desk and hope for the best—they gradually build rapport with victims through innocent-sounding messages about setting up an account or struggling with a new device. Another common tactic is urgency: Sometimes these emails ask employees to skip normal approval channels to get a high-priority task done. In reality, they’re gaining unauthorized access to company data.

When the caller sounds completely legitimate

In the MGM attack, Scattered Spider used voice phishing (vishing) to gain access to an administrator account before injecting it with ransomware. After researching MGM employees on LinkedIn and choosing victims to impersonate, attackers called and successfully convinced the IT helpdesk to reset credentials and bypass MFA for an administrator account, giving them the access they needed to move laterally and deploy ransomware. To get away with it, the attackers needed just enough information and an overly eager desk agent to pick up the phone.

The one early signal in this scenario? The phone call. As soon as the caller asked for login credentials, the agent should’ve hung up the phone and reported the incident. An employee with proper SAT training would know to never share credentials over the phone—there are user-initiated systems for password and MFA resets for a reason.

When the social engineering is physical

Tailgating through a secure door and posing as a delivery person are common examples of physical social engineering. This gives attackers in-person access to your building where they can plug into your network or leave behind malware-infected USBs. 

Simple attempts like this shouldn’t work; train employees to check the badges and credentials of anyone entering, and keep an eye out for suspicious activity or individuals. Improving on-site security, like incorporating a badge checkpoint, can help you prevent an in-person attack before it starts.

It’s normal for red flags to pop up well before an attack. Properly trained employees or third-party vendors should give you advance notice of these common social engineering tactics before they grow into a problem.

Keep in mind that many of these warning signs seem perfectly innocent at the time. Use the acronym FACEUP to easily remember this checklist of shady behavior. 

• Fear of missing out (FOMO): They create FOMO by mentioning their offer is only valid for a short time, so you need to act fast.
• Authority: They convince you someone in a higher position wants you to ignore protocol or bend the rules “just this once.”
• Camaraderie: They tell you they’re helping you out by bypassing some protocol or handling an important step for you.
• Excitement: They’re offering you a tempting opportunity to RSVP for a paid trip or company-wide giveaway.
• Urgency: They state that their request must be approved immediately to prevent some issue.
• Pity: They claim something bad will happen to them if you don’t take action, like losing their job or having to pay some additional cost.

A great security awareness training program needs to challenge employee’s practical knowledge and critical thinking skills through simulated scenarios and stories. Encourage your learners to think on their feet and apply what they’ve learned to build confidence and real threat intelligence skills.

Huntress Managed Security Awareness Training (SAT) uses gamification, current threat intelligence, and adult-learning frameworks to build hands-on experience. Our interactive training, designed by cybersecurity, learning, and animation experts, sees about a 98% completion rate once a learner starts their assignments (internal data), encouraging active participation through fun, episodic content and immersive simulations.

Social engineering attacks leave fingerprints of their handiwork, and one thing is for certain: Untrained employees often miss early cyberattack warning signs. To fill that gap, Huntress offers programs that teach employees through practical and proven adult learning frameworks that are far more memorable and engaging than standard cybersecurity training. Try out our Managed SAT program today—learn more through our social engineering guide.