Phase 1: Reconnaissance
Before they send anything, the attacker builds a profile of you using publicly available information. This is what separates targeted phishing from the spam everyone gets. And it's why it works.
They gather things like:
- Organizational structure and reporting relationships (LinkedIn, corporate website)
- Names and roles of key personnel: HR, finance, IT, executives
- Internal tools and platforms in use (job postings, employee reviews on Glassdoor)
- Ongoing projects, recent acquisitions, or public announcements
- Credential exposure from historical data breaches
- Personal social media revealing relationships, travel patterns, and interests
By the time the attacker contacts the target, they often know more about the target's organization than many of the employees do. The lure they craft reflects this intelligence.
Phase 2: Infrastructure Setup
Professionals don't reuse old attack infrastructure. They build new systems designed to work long enough to do damage before being detected.
Phase 3: The Hook
The message goes out. Using what they learned about you, they craft something that references real people, real projects, and real context. The goal is to get action before you have time to think.
The psychological triggers most commonly exploited:
- Urgency: "Your account will be locked in 24 hours." Pressure collapses deliberation.
- Authority: Impersonating an executive, IT, legal, or a known vendor activates compliance instincts.
- Fear: Threat of consequence (legal, financial, reputational) bypasses rational evaluation.
- Curiosity: A file labelled with something relevant to the target's actual work is opened without hesitation.
- Reciprocity: Offering something useful (a report, a tool, a resource) in exchange for an action.
Building a Defense
No single tool stops a serious campaign. You need layers that work together, built on the assumption that each layer will eventually fail:
- Email Filtering & DMARC: Implement strict DMARC policies on your own domains and use email security gateways that inspect links and attachments dynamically.
- Lookalike Domain Monitoring: Proactively monitor for newly registered domains that impersonate your brand or your key vendors. Act before they're weaponized.
- MFA (Phishing-Resistant): Hardware security keys (FIDO2) are the only 2FA method that resists real-time phishing proxies. TOTP codes and SMS are not.
- Out-of-Band Verification: Any unusual request - wire transfers, credential resets, sensitive data access - should be verified via a separate, pre-established channel. Not reply-to. Not the number in the email.
- Behavioral Training: Teach people to slow down on urgent requests, to question authority claims, and to verify, not just to spot bad grammar. Modern lures have no grammar errors.