Hoppseoy® RETURN TO BASE
THREAT BRIEFING SOCIAL ENGINEERING

Anatomy of a Phishing Attack

Modern phishing is purpose-built, not opportunistic. It runs on real reconnaissance, abuses trust, and gets past your technical controls and your better judgment.

Phase 1: Reconnaissance

Before they send anything, the attacker builds a profile of you using publicly available information. This is what separates targeted phishing from the spam everyone gets. And it's why it works.

They gather things like:

  • Organizational structure and reporting relationships (LinkedIn, corporate website)
  • Names and roles of key personnel: HR, finance, IT, executives
  • Internal tools and platforms in use (job postings, employee reviews on Glassdoor)
  • Ongoing projects, recent acquisitions, or public announcements
  • Credential exposure from historical data breaches
  • Personal social media revealing relationships, travel patterns, and interests

By the time the attacker contacts the target, they often know more about the target's organization than many of the employees do. The lure they craft reflects this intelligence.

Phase 2: Infrastructure Setup

Professionals don't reuse old attack infrastructure. They build new systems designed to work long enough to do damage before being detected.

STEP 01
Domain Registration: Typosquatted or lookalike domains , often mimicking the target's own domain or a trusted vendor's domain. The presence of an SSL certificate means nothing; padlock ≠ safe.
STEP 02
Email Infrastructure: SPF, DKIM, and DMARC records are configured to maximize deliverability. Some campaigns compromise legitimate email accounts to send from trusted sources entirely.
STEP 03
Payload Hosting: Credential harvesting pages cloned from legitimate services, malicious document delivery sites, or OAuth consent abuse pages are staged and ready before the first lure is sent.

Phase 3: The Hook

The message goes out. Using what they learned about you, they craft something that references real people, real projects, and real context. The goal is to get action before you have time to think.

The psychological triggers most commonly exploited:

  • Urgency: "Your account will be locked in 24 hours." Pressure collapses deliberation.
  • Authority: Impersonating an executive, IT, legal, or a known vendor activates compliance instincts.
  • Fear: Threat of consequence (legal, financial, reputational) bypasses rational evaluation.
  • Curiosity: A file labelled with something relevant to the target's actual work is opened without hesitation.
  • Reciprocity: Offering something useful (a report, a tool, a resource) in exchange for an action.

Building a Defense

No single tool stops a serious campaign. You need layers that work together, built on the assumption that each layer will eventually fail:

  • Email Filtering & DMARC: Implement strict DMARC policies on your own domains and use email security gateways that inspect links and attachments dynamically.
  • Lookalike Domain Monitoring: Proactively monitor for newly registered domains that impersonate your brand or your key vendors. Act before they're weaponized.
  • MFA (Phishing-Resistant): Hardware security keys (FIDO2) are the only 2FA method that resists real-time phishing proxies. TOTP codes and SMS are not.
  • Out-of-Band Verification: Any unusual request - wire transfers, credential resets, sensitive data access - should be verified via a separate, pre-established channel. Not reply-to. Not the number in the email.
  • Behavioral Training: Teach people to slow down on urgent requests, to question authority claims, and to verify, not just to spot bad grammar. Modern lures have no grammar errors.