Overview
Phishing is a social engineering attack designed to trick users into revealing sensitive information, running malware, or trusting a fake service. Instead of exploiting a software flaw directly, it exploits human decision-making through believable pretexts, pressure, and impersonation.
Common delivery channels include email, SMS messages, phone calls, and cloned websites. Typical attacker goals are credential theft, financial fraud, unauthorised access, and malware delivery.
Types of Phishing
Phishing
Classic phishing is the broad, high-volume version of the attack. A single believable message is sent to many people using generic themes such as invoices, security alerts, or account verification requests.
Spear Phishing
Spear phishing is tailored to a specific person or team. The lure is more convincing because it uses role-specific context and often aims to trigger a click, file open, credential submission, or internal follow-up action.
Whaling
Whaling targets executives and senior decision-makers such as CEOs, CFOs, or leadership staff. The expected payoff is higher because these targets can move money, override controls, or expose regulated information.
Why It Matters in Pentesting
Phishing assessments help measure how exposed an organisation is to social engineering. A well-run exercise does not just test users; it also tests reporting behaviour, internal response processes, and the quality of preventive controls.
Ethical phishing simulations should stay harmless and authorised. The goal is to reveal risk, not to cause damage. That means using benign infrastructure, clear scope, approved targets, and measurable learning outcomes.
Social Engineering Principles
- Scarcity: Creates fear of missing out (FOMO) through limited-time offers or rare opportunities so users act before thinking.
- Urgency: Pushes fast action with countdowns, deadlines, or threats of account lockout.
- Authority: Uses job titles, official language, or trusted departments such as IT, HR, or Finance.
- Fear: Triggers a protective response with breach alerts, security warnings, or legal pressure.
- Curiosity: Uses vague but tempting hooks to make users open a link or attachment.
- Trust: Reuses familiar brands, teammates, workflows, or logos so the request feels normal.
Cognitive Biases Attackers Exploit
- Overconfidence bias: Users assume they are too experienced to be fooled, which lowers vigilance.
- Confirmation bias: A fake message is trusted more easily if it matches an expected event, such as a bank notice or invoice.
- Authority bias: People comply more readily when a message appears to come from a senior or official source.
Technical Delivery Techniques
URL and Domain Manipulation
- URL masking: A legitimate-looking link label hides a malicious destination.
- Homograph attacks: Visually similar characters are used to fake a trusted domain, such as go0gle.com.
- Typosquatting: Attackers register near-match domains that rely on typing mistakes.
- Shortened links: URL shorteners obscure the real destination and reduce user inspection.
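A lookalike-domain check covering the four tricks above, added here as an example and not part of the original notes. The confusable map and the trusted-domain list are constructed for illustration; a production check would use the full Unicode confusables data and the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlparse

# Partial confusable map, constructed for this example (the real Unicode confusables
# table is far larger): digits and Cyrillic letters swapped for look-alike Latin letters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})
TRUSTED = {"google.com", "paypal.com", "example.com"}  # constructed allow-list

def normalize(host: str) -> str:
    """Lower-case, apply Unicode compatibility folding, then fold confusables."""
    host = unicodedata.normalize("NFKC", host.strip().lower().rstrip("."))
    return host.translate(CONFUSABLES)

def registrable(host: str) -> str:
    return ".".join(host.split(".")[-2:])  # last two labels; use the Public Suffix List in production

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str, trusted=TRUSTED) -> str:
    """Label a hostname relative to the trusted list; checks run in order of certainty."""
    raw_reg = registrable(host.strip().lower().rstrip("."))
    norm = normalize(host)
    norm_reg = registrable(norm)
    if raw_reg in trusted:
        return "trusted"
    if norm_reg in trusted:           # matches only after confusable folding
        return "homograph"
    if any(norm.startswith(t + ".") or f".{t}." in norm for t in trusted):
        return "lookalike-subdomain"  # trusted name buried inside another domain
    if any(levenshtein(norm_reg, t) <= 1 for t in trusted):
        return "typosquat"
    return "unrelated"

def masked_link(label: str, href: str) -> bool:
    """URL masking: the visible link text names a different host than the real target."""
    if " " in label or "." not in label: return False  # plain-text label, nothing to compare
    shown = urlparse(label if "://" in label else "https://" + label).hostname
    real = urlparse(href).hostname
    return bool(shown and real and normalize(shown) != normalize(real))
```

Shortened links cannot be classified this way until they are expanded, so a mail gateway should resolve the redirect chain first and then run the final hostname through the same check.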
Email Spoofing
Email spoofing manipulates headers and sender presentation to impersonate a legitimate source. This can include a forged From field, display-name spoofing, or the use of look-alike domains.
Defensive controls such as SPF, DKIM, and DMARC help reduce spoofing risk, but understanding how phishing emails are assembled remains essential for testing and detection.
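Header checks for the spoofing patterns just described (forged display name, mismatched Reply-To, failed SPF/DKIM/DMARC), written as an added example rather than anything from the original notes. The sample message, the example.com organisation domain, and the Authentication-Results verdicts it carries are constructed.

```python
import re
from email import policy
from email.parser import BytesParser

OWN_DOMAIN = "example.com"  # the organisation's own domain (constructed)

# Constructed sample: the display name embeds an address on the trusted domain,
# the real sender and Reply-To live elsewhere, and the receiving MTA recorded failures.
SAMPLE = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-hr-example.net; dkim=none; dmarc=fail header.from=hr-example.net
From: "Payroll <payroll@example.com>" <notices@hr-example.net>
Reply-To: payroll-desk@mail-hr-example.net
To: staff@example.com
Subject: Action required: confirm your salary details today

Please review the attached payroll correction before 17:00.
"""

def spoofing_findings(raw: bytes, own_domain: str = OWN_DOMAIN) -> list[str]:
    """Return human-readable indicators of sender spoofing found in the headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["From header missing or unparseable"]
    sender = from_hdr.addresses[0]
    from_dom = sender.domain.lower()
    # Display-name spoofing: the name shows the trusted domain, the addr-spec does not.
    if own_domain in sender.display_name.lower() and from_dom != own_domain:
        findings.append(f"display name claims {own_domain} but address is @{from_dom}")
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        if reply_to.addresses[0].domain.lower() != from_dom:
            findings.append("Reply-To domain differs from From domain")
    # SPF/DKIM/DMARC verdicts as stamped by the receiving mail server.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    return findings

if __name__ == "__main__":
    for finding in spoofing_findings(SAMPLE):
        print("-", finding)
```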
Credential Harvesting
Credential harvesting relies on cloned login pages that copy a legitimate site's branding and form layout. The victim submits credentials to attacker-controlled infrastructure and is often redirected to the real site to reduce suspicion.
Attachment-Based Payloads
Macro-enabled Office documents remain a common lure. The user is persuaded to click Enable Content, which allows the macro to execute. In a safe engagement, this should trigger a benign beacon or simulation rather than malware.
Phishing Workflow
- Planning and scoping: Define goals, targets, success metrics, legal approval, and rules of engagement.
- Reconnaissance: Gather OSINT from public sources to build realistic but ethical pretexts.
- Scenario and payload development: Create harmless lures, landing pages, and tracking mechanisms.
- Execution: Launch the campaign in a controlled way and monitor user interaction safely.
- Reporting and debriefing: Translate the results into practical training and control improvements.
Useful Tooling
- GoPhish: Campaign management, SMTP setup, email templating, and reporting dashboard.
- Evilginx: Reverse-proxy phishing used to capture credentials and session tokens in advanced scenarios.
- SET: The Social Engineering Toolkit includes spear-phishing workflows and cloned site delivery options.
Metrics That Matter
- Open rate: Measures how many users opened the email.
- Click rate: Measures how many users followed the lure.
- Credential entry rate: Measures simulated submission attempts.
- Attachment detonation rate: Measures risky interaction with attachments.
- Reporting rate: Measures how many users escalated the message to security.
Key point: A phishing simulation is only useful if the results lead to concrete improvements such as better reporting habits, stronger MFA, or improved email authentication controls.
Takeaways
- Phishing succeeds by combining believable pretexts with psychological pressure.
- Technical tricks like spoofing and cloned pages are effective because users often trust appearance over verification.
- Safe phishing tests must stay scoped, authorised, and non-destructive.
- Strong results reporting matters as much as the campaign itself.
- Training users and hardening controls should happen together, not separately.