How phishing works in 5 steps
A list of things that not only cybersecurity specialists should know about phishing.
Hello everyone!
Today, we’ll take a look at a topic that’s useful for everyone who uses a computer or any other device connected to the internet. Our role, as cybersecurity specialists, is to spread awareness about these topics. No matter how many technical controls you implement, attacks like phishing are always a threat.
Step 1: Targeting the Victim
Attackers start by picking a target. It could be:
a specific person (spear phishing),
an entire company, or
anyone with an email address.
They often gather info from public sources like LinkedIn, social media, or data from old breaches (e.g., names, job roles, emails).
Step 2: Creating the Bait
The attacker creates a message that looks legitimate.
For example, if the attacker learns that you are expecting a delivery, they can send an email saying your package will not be delivered unless you click a link and fill out a form.
Common tactics:
Fake login pages ("Update your password")
Fake invoices
Scare tactics ("Your account will be suspended")
These are made to trick your human instincts, not your firewall.
Step 3: Delivering the Message
The bait is sent through:
Email (most common)
SMS (“smishing”)
Messaging apps (Slack, WhatsApp)
Social media (LinkedIn DMs, Facebook)
The display name, sender address or phone number may be spoofed, or a lookalike domain registered, so the message appears to come from someone you trust. On the receiving side, SPF, DKIM and DMARC are what detect a forged From address, and only when the receiving mail system actually checks and enforces them.
Step 4: Hooking the Victim
Once the message lands, the attacker’s goal is to make you click, download, or enter credentials.
Typical hooks:
“Track your package”
“See your updated payroll”
“Login to secure your account”
The link may look legitimate at first sight (paypal.com.user-auth.info), but read from the right: the registrable domain is user-auth.info, not paypal.com, so the link leads to a site the attacker controls.
Step 5: Exploitation
Once you’ve clicked:
Your credentials may be stolen.
Malware or ransomware could be installed.
Access to your systems or cloud accounts may be gained.
How to Protect Yourself
But how do we protect ourselves from such attacks? Perimeter controls such as firewalls do little here, because the message is meant to reach the user and the user is meant to act on it. Technical controls still matter (mail authentication with SPF, DKIM and DMARC, link and attachment filtering, password managers and phishing-resistant MFA all narrow the window), but none of them replaces educating every user of our systems so they do not fall for such messages.
All users should always follow these principles:
Always check the sender's actual address (not just the display name) and where a link really points (hover over it, or long-press it on a phone).
Don’t rush. Phishing relies on urgency.
Use a password manager – it fills credentials only on the exact domain they were saved for, so a refusal to autofill on a "login page" is itself a warning sign.
Enable 2FA – it can stop an attacker who already has your password. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) where available; SMS and one-time codes can be relayed through a real-time phishing proxy.
Report suspicious emails to your IT/security team.
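As an added example that is not part of the original article, the following Python script applies the checks from Step 3 (a spoofed sender), Step 4 (the paypal.com.user-auth.info link) and the first principle above to two constructed messages. It assumes a short list of brand domains to watch (here only paypal.com), approximates the registrable domain as the last two labels because no public-suffix list is used, and treats the Authentication-Results header as trustworthy, which holds only when your own inbound mail server added it.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real captures). The first reuses the
# article's hostname, paypal.com.user-auth.info, whose registrable domain is
# user-auth.info. Domains under .example are reserved and never resolve.
PHISH_EMAIL = """\
From: "PayPal Support" <support@paypal.com>
Reply-To: help@paypal-secure-login.example
To: victim@example.com
Subject: Your account will be suspended
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=paypal.com; dkim=none; dmarc=fail header.from=paypal.com
Content-Type: text/plain; charset=utf-8

Login to secure your account within 24 hours or it will be suspended:
https://paypal.com.user-auth.info/login?session=1
"""

CLEAN_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your monthly statement is available
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset=utf-8

Your statement is ready at https://www.paypal.com/myaccount/statements
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URGENCY_WORDS = ("suspended", "within 24 hours", "immediately", "verify now")


def registrable_domain(hostname):
    """Approximate eTLD+1 as the last two labels. Assumption: no public-suffix
    list; this is wrong for hosts like shop.example.co.uk, so a production
    tool should use a public-suffix library instead."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(hostname, brands):
    """Return the brand a hostname imitates without being registered under it:
    paypal.com.user-auth.info -> "paypal.com", www.paypal.com -> None."""
    host = hostname.lower()
    actual = registrable_domain(host)
    for brand in brands:
        if brand != actual and brand.split(".")[0] in host:
            return brand
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def triage(raw, brands=("paypal.com",)):
    """Return human-readable phishing indicators found in a raw RFC 5322
    message; an empty list means none of these checks fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Step 3 / principle 1: who does the message claim to be from, and where
    # would a reply actually go? A Reply-To on another domain is a classic
    # sign that the From header is forged.
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and registrable_domain(domain_of(reply_addr)) != registrable_domain(from_domain):
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # SPF/DKIM/DMARC verdicts. Only trust this header when your own inbound
    # MTA added it; a sender can forge it like any other header.
    for mechanism, result in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() != "pass":
            findings.append(f"{mechanism.lower()}={result.lower()} for {from_domain}")

    # Step 4: does any link only *look* like the brand's domain?
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host, brands)
        if brand:
            findings.append(f"link host {host} imitates {brand} but is registered under {registrable_domain(host)}")

    # Step 2 scare tactics: urgency wording in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(f"{name}: {triage(sample) or ['no indicators']}")
```

Run it and the first message produces six findings (the Reply-To mismatch, spf, dkim and dmarc not passing, the lookalike link, and the urgency wording) while the clean statement notice produces none. The part worth remembering is the URL check: the domain that matters is the one just before the public suffix, read from the right, not the familiar name at the left.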
Key takeaways
Phishing is a psychological attack — it targets human behavior more than systems.
Attackers go through five steps: Target → Bait → Delivery → Hook → Exploitation.
Phishing messages are often disguised as trusted communications: emails, texts, or social media messages.
One careless click can lead to stolen data, ransomware, or full system compromise.
Education is the best defense. Users must stay alert and cautious.
Always:
Verify sender identity and URL.
Avoid acting on urgency or fear.
Use password managers and 2FA.
Report anything suspicious.
✅ Study Tip for people preparing for the CC exam
On the exam, always ask "what is the best first response?" to a scenario. For phishing, that is usually to not click and to report the attempt to the security team, rather than to block the sender yourself or to ignore it.