Phishing & Social Engineering
The oldest exploit in the book targets the one system you can't patch: a human under pressure.
01 Hacking the Human
Social engineering is manipulation dressed as a normal interaction. It bypasses firewalls entirely because it attacks judgment, not code. And it works on smart people — especially smart people, who trust their own instincts. To defend, you have to understand the psychological levers being pulled.
Most scams lean on the same handful of principles that the psychologist Robert Cialdini catalogued as the drivers of influence:
- Authority. We comply with bosses, IT, police, banks. A message "from the CEO" or "from Microsoft security" short-circuits scrutiny.
- Urgency. "Your account will be closed in 24 hours." Time pressure is the attacker's best friend because it stops you from thinking and checking.
- Scarcity. "Only 3 left," "exclusive offer." Fear of missing out overrides caution.
- Reciprocity and liking. A small favor, a friendly tone, a shared connection — we want to return goodwill and trust people we like.
02 The Phishing Family Tree
Phishing is fraud that impersonates a trusted party to steal credentials, money, or access. The generic version is mass email. But it branches into a whole family, distinguished by targeting and channel.
| Term | What it is | Channel |
|---|---|---|
| Phishing | Mass, generic lures sent to many | |
| Spear phishing | Personalized to a specific person, using researched detail | |
| Whaling | Spear phishing aimed at a 'big fish' — an executive | |
| Smishing | Phishing via SMS text messages | Text |
| Vishing | Voice phishing — a phone call with a pretext | Phone |
| Quishing | Malicious QR codes leading to fake sites | QR code |
The trend is toward targeting. Generic phishing has a low hit rate, so attackers invest in research — your job title, your colleagues' names, a recent company event scraped from LinkedIn — to craft a message that fits your world perfectly. A spear-phishing email referencing a real project you are working on is worlds more convincing than "Dear valued customer."
03 Business Email Compromise: The Quiet Billions
Ransomware gets the headlines, but business email compromise (BEC) quietly steals more money. There is no malware and often no malicious link — just a convincing email that redirects a payment. The FBI's Internet Crime Complaint Center attributes tens of billions of dollars in cumulative losses to BEC, making it one of the costliest cybercrimes there is.
The mechanics are simple and human. An attacker impersonates a CEO ("wire this urgently, I'm in a meeting, keep it confidential"), or a vendor ("we've changed our bank details — please update our account"), or hijacks a real email thread to slip in fraudulent invoice details at exactly the right moment. Because it exploits trusted relationships and normal business processes, technical defenses often never trigger.
The classic case: between roughly 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas defrauded Google and Facebook of over 100 million dollars by impersonating a real hardware supplier (Quanta Computer) and sending fake invoices to accounts-payable departments. Two of the most sophisticated technology companies on Earth paid, because the paperwork looked exactly right.
04 Deepfakes and the Voice on the Phone
For decades, "call to confirm" was the gold-standard defense against email fraud. AI is eroding that. Cheap voice-cloning can now mimic a specific person from a short audio sample, and real-time video deepfakes have moved from theory to active use.
In 2019, criminals used AI to clone the voice of a German parent-company chief executive and phoned the head of a UK subsidiary, who — recognizing the voice and even its slight accent — wired roughly 243,000 dollars to a fraudulent account. It was one of the first publicly reported voice-deepfake heists.
Then it scaled. In early 2024, a finance employee at the engineering firm Arup in Hong Kong joined what appeared to be a routine video call with the company's CFO and several colleagues. Every participant except the victim was a deepfake. Convinced by the familiar faces and voices, the employee authorized transfers totaling about 25 million US dollars.
Seeing is no longer believing. Hearing a familiar voice is no longer proof. The face and voice on the screen are now things an attacker can manufacture.
05 Spot It, Stop It, Report It
You do not need to catch every trick — you need a reliable habit that trips the alarm. Run any unexpected message through a quick mental checklist:
- Emotion. Does it make you feel urgent, afraid, or excited? That is the pressure lever.
- Sender. Look at the actual email address, not just the display name. Look-alike domains (
micros0ft.com,paypa1.com) are common. - Links. Hover to preview the real destination before clicking. On mobile, long-press. Where does it truly go?
- Request. Does it want credentials, payment, gift cards, or a "quick favor"? Legitimate organizations do not ask for your password.
- Verify. When in doubt, contact the sender through a channel you look up independently.
Then report. At work, forward suspicious mail to your security team or use the built-in "report phishing" button — you may be the early warning that protects hundreds of colleagues. As an individual, report to the platform, forward suspected phishing to the Anti-Phishing Working Group at reportphishing@apwg.org, and file financial fraud with the relevant authority (in the US, the FBI's IC3).
⌘ Field Glossary
- Social engineering
- Manipulating people into revealing information or taking actions that compromise security, by exploiting trust, emotion, and authority rather than technical flaws.
- Phishing
- Fraud that impersonates a trusted party — usually by email — to steal credentials, money, or access.
- Spear phishing
- A phishing attack personalized to a specific target using researched details, making it far more convincing than mass phishing.
- Whaling
- Spear phishing aimed at high-value targets such as executives, who can authorize large payments or access sensitive systems.
- Business email compromise (BEC)
- A scam that uses a convincing email to redirect a legitimate payment or wire transfer, often without any malware, causing tens of billions in cumulative losses.
- Vishing
- Voice phishing: a phone-based social-engineering attack using a false pretext, increasingly aided by AI voice cloning.
- Deepfake
- AI-generated synthetic audio or video that convincingly imitates a real person, now used to defeat 'call to confirm' verification.
Knowledge Check
Field Assessment
01 Which psychological lever is an attacker using when an email says 'Your account will be suspended in 1 hour unless you act now'?
02 What is the defining feature of business email compromise (BEC)?
03 Why is a request to 'update our banking details' considered especially high-risk?