Identifying A Scam

The Two Traits That Make a Message Risky

And What To Do About It

The text seems harmless enough: “FedEx: Your package is undeliverable. Click here to confirm your delivery address.” You weren’t expecting a package, but maybe someone sent you a surprise? Moments like this are exactly where scammers thrive. Every day we receive messages asking us to do something; it’s part of being an employee, a contractor, a team member, or just a person who uses technology. Most of these messages are routine and harmless. But sometimes, a message arrives that carries hidden risk.

There are two specific traits that, when combined, make any message far more likely to be part of a social engineering scam. Not every scam message has both traits, but most do. Recognizing these traits can help you avoid being manipulated into doing something harmful to yourself, your organization, or your data.

Trait 1: The Message Is Unexpected

It doesn’t matter how the message arrives – email, text, WhatsApp, social media, a work chat channel, even a phone call or face-to-face interaction. If the message comes out of the blue, that’s the first red flag.

When you aren’t expecting someone to contact you, your guard should go up immediately. This doesn’t mean it’s definitely a scam, but it does mean you should slow down and evaluate it more carefully.

Trait 2: It’s Asking You to Do Something You Haven’t Done Before

Scammers rely on urgency and unfamiliarity to create confusion. Often, the message will ask you to do something you’ve never done before. It might sound urgent or sensitive. You might be told something bad will happen if you don’t act right now.

That unfamiliar action could be anything:

  • Sending a wire transfer
  • Sharing sensitive data
  • Logging into a “new” system
  • Approving a payment
  • Buying gift cards or cryptocurrency
  • Changing account details

If you’ve never done this before for that person or organization, pause. That’s your second red flag.

What You Should Do Instead

If a message checks both boxes, meaning 1) it’s unexpected, and 2) it asks you to do something new, here’s how to handle it:

Do NOT trust any contact details in the message.

Scammers include fake phone numbers, spoofed email addresses, and links that lead to convincing but fraudulent sites or call centers.

Use an alternate, trusted contact method to verify.

  • Call the sender using a phone number you already know or that’s listed on the official website (not from a search engine).
  • Visit the company’s official site by typing the URL yourself, not by clicking a link in the message.
  • Reach out via known, previously used, internal channels (like a Slack message or corporate directory lookup) to verify the request.

Avoid relying on search engine lookups for phone numbers.

Scammers are known to poison search results with fake contact info. If you must look up a number, do it on the organization’s official site.

Slow Down, Stay Safe

We live in a world where new, unexpected messages are normal. But now you know the two-question test for risk:

  • Is this message unexpected?
  • Is it asking me to do something new?

If the answer to both is “yes”, stop, verify independently, and don’t act until you’re sure it is a legitimate request.

Scammers don’t need to hack your systems if they can hack your attention. Slow down, ask the two questions, and take control before you act.