Inside a Phishing Attack: How Cybercriminals Steal Credentials

A step-by-step breakdown of how phishing attacks are planned and executed — from reconnaissance and infrastructure setup to credential harvesting and monetization.

The InfoNexus Editorial Team · May 17, 2026 · 9 min read

91% of Cyberattacks Start With a Phishing Email

According to the 2023 Verizon Data Breach Investigations Report, phishing and pretexting accounted for 74% of all social engineering breaches — and social engineering drove 83% of all successful breaches. Phishing is not a simple scam where someone writes a bad email and hopes for the best. Modern phishing campaigns are methodically planned operations with reconnaissance, technical infrastructure, and coordinated monetization. Understanding how they actually work — from the attacker's perspective — is the most effective way to recognize and avoid them.

Phase 1: Target Selection and Reconnaissance

Professional phishing operations begin with research, not email. Attackers identify their targets using open-source intelligence (OSINT) gathering:

  • LinkedIn — identifies employees by name, title, team, and reporting structure; reveals which business systems the company uses (SAP, Salesforce, Workday)
  • Company website and press releases — reveals executive names, recent acquisitions, new vendors, and ongoing projects — all usable as pretexts
  • Job postings — "Must have experience with ServiceNow and Okta" tells attackers exactly which platforms to clone
  • Data breach dumps — previously leaked credentials allow attackers to check whether targets reuse passwords

Spear phishing — targeted attacks against specific individuals — uses this intelligence to craft messages that reference real colleagues, real projects, and real systems. The 2016 hack of the Democratic National Committee began with a spear-phishing email referencing a real Gmail security alert, convincing campaign chairman John Podesta's aide the message was legitimate.

Phase 2: Infrastructure Setup

Attackers build technical infrastructure designed to evade detection before sending a single email:

Component | Purpose | Example Tactic
Lookalike domain | Convince the target the email is from a trusted source | paypa1.com, rn1crosoft.com (using the digit "1" in place of letters)
SSL certificate | Display the "https://" padlock to appear legitimate | Free certificates from Let's Encrypt on malicious domains
Cloned login page | Capture credentials | Pixel-perfect copy of the Microsoft 365, Google Workspace, or bank login page
Email sending infrastructure | Pass spam filters | Compromised legitimate mail servers, or a paid bulk sender with valid DKIM
Redirect chain | Evade URL scanning | Link points to a legitimate site that redirects to the phishing page after a delay

Modern phishing kits — sold on criminal marketplaces for $50–$300 — automate this infrastructure setup. They include pre-built pages that clone popular brands, real-time credential forwarding (showing the victim a "success" message while instantly testing their credentials against the real service), and evasion techniques that detect security scanners and show them benign content.
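The lookalike domains in the table above are cheap for an attacker to register, but they are also detectable: fold the digit-for-letter substitutions back to the letters they imitate and compare the result against the brands you care about. The following Python is an added example from the defender's side; it is not code from the article or from any phishing kit, and the brand list, the confusable map, the one-edit typosquat threshold and the "last two labels are the registrable domain" simplification are all assumptions chosen for illustration.

```python
"""Lookalike-domain detector for the brand-impersonation tactics described above.
Added example, not code from the article or any phishing kit. The brand list,
confusable map and thresholds are assumptions chosen for illustration."""
from urllib.parse import urlsplit

# Character sequences commonly swapped for the letters they resemble (constructed
# list). Both the candidate label and the protected brand are folded through the
# same map, so "paypa1" and "paypal" collapse to the same skeleton.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"), ("|", "i"),
               ("0", "o"), ("3", "e"), ("5", "s"), ("@", "a")]

# Brands this organisation wants to protect (assumed).
PROTECTED_BRANDS = {"paypal", "microsoft", "google", "okta"}


def skeleton(label: str) -> str:
    """Fold confusable sequences so visually similar labels compare equal."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


BRAND_SKELETONS = {skeleton(b): b for b in PROTECTED_BRANDS}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_from_url(url: str) -> str:
    """Hostname the browser would actually connect to (the 'hover before clicking' check)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify_url(url: str) -> dict:
    """Classify a link target as legitimate-brand, lookalike, or no-match."""
    host = host_from_url(url)
    labels = host.split(".")
    # Simplification: the last two labels are the registrable domain. Real
    # deployments should use the Public Suffix List (think co.uk).
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    subdomains = labels[:-2]
    verdict = {"host": host, "verdict": "no-match", "brand": None, "reason": None}

    if registrable in PROTECTED_BRANDS:
        verdict.update(verdict="legitimate-brand", brand=registrable)
        return verdict

    sk = skeleton(registrable)
    if sk in BRAND_SKELETONS:                      # paypa1, rn1crosoft, goog1e
        verdict.update(verdict="lookalike", brand=BRAND_SKELETONS[sk], reason="homoglyph")
        return verdict
    for brand in PROTECTED_BRANDS:                 # microsofft, paypall
        if levenshtein(sk, skeleton(brand)) == 1:
            verdict.update(verdict="lookalike", brand=brand, reason="edit-distance")
            return verdict
    # paypal.com.evil.example: the brand appears only as a subdomain of an
    # unrelated registrable domain, which a hovering user easily misreads.
    for sub in subdomains:
        if skeleton(sub) in BRAND_SKELETONS:
            verdict.update(verdict="lookalike", brand=BRAND_SKELETONS[skeleton(sub)],
                           reason="brand-in-subdomain")
            return verdict
    return verdict
```

Run `classify_url` over every link in an inbound message and route "lookalike" verdicts to quarantine or analyst review. The skeleton comparison deliberately normalises the brand as well as the candidate, so the map does not need to know whether a "1" stands for "l" or "i"; the price is a few false positives on short labels, which is why the edit-distance rule is limited to a single change.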

Phase 3: The Email Itself

Phishing emails are engineered around urgency, authority, and fear — three psychological levers that short-circuit critical thinking. The most effective pretexts in 2023–2024 included:

  • IT security alerts ("Your account has been compromised — verify now")
  • Payroll or HR notifications ("Update your direct deposit information before Friday")
  • Package delivery failures ("Your shipment requires action")
  • Executive requests ("I need this invoice paid urgently — I'm in a meeting")
  • Shared document notifications ("John Smith has shared a file with you in OneDrive")

Business Email Compromise (BEC) — a subset of phishing where attackers impersonate executives or vendors — cost businesses $2.9 billion in 2023 according to the FBI Internet Crime Report. No malware is involved; the "attack" is simply a convincing email requesting a wire transfer or gift card purchase.

Phase 4: Credential Harvesting and Real-Time Exploitation

When a victim enters credentials on a phishing page, modern attack frameworks like Evilginx2 and Modlishka act as man-in-the-middle proxies. Rather than just capturing a username and password, these tools capture session cookies — the authentication tokens that prove a user has already logged in. This bypasses multi-factor authentication entirely. Even if the victim uses an authenticator app, the attacker captures the session token that was generated after the MFA code was entered.

This is why security experts now recommend hardware security keys (FIDO2/WebAuthn) over SMS or authenticator-app MFA for high-risk accounts — hardware keys cryptographically verify that the login page is the genuine domain, and refuse to submit credentials to lookalike sites.
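The reason a proxy cannot relay a FIDO2 login the way it relays a password and a one-time code is that two fields of the assertion are filled in by the victim's browser and authenticator, not by the page: the origin in clientDataJSON and the RP ID hash in authenticatorData. The relying party checks both. The Python below is an added example that is not code from the article, from Evilginx2 or from Modlishka; it shows a minimal relying-party verification of those two bindings, with the public-key signature check omitted, and uses the reserved example.com names as stand-ins for a genuine site and a lookalike.

```python
"""Why FIDO2/WebAuthn stops proxy-based credential theft: the relying-party
checks that bind an assertion to the genuine origin. Added example (not from the
article, Evilginx2 or Modlishka). Signature verification is omitted; the domain
names and challenge are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                              # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}    # assumed genuine login origin


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the *browser* serialises it. The origin is taken from the
    page that called navigator.credentials.get(); the page cannot override it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """authenticatorData prefix: SHA-256(rpId) || flags || signCount. The browser only
    passes an rpId that is a registrable suffix of the page origin, and the
    authenticator only releases credentials scoped to that rpId."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple:
    """Relying-party checks, abridged from the WebAuthn assertion procedure."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    # A proxy can relay the genuine challenge, but the browser stamps the proxy's origin.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not a genuine login origin" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "assertion bound to the genuine origin and RP ID"


def demo() -> dict:
    challenge = bytes(range(32))   # constructed; a real server uses os.urandom(32)
    genuine = verify_assertion(build_client_data(challenge, "https://login.example.com"),
                               build_authenticator_data("example.com"), challenge)
    # Victim's browser is on the lookalike site. The proxy relays the genuine
    # challenge, but the browser records the lookalike origin and the key is
    # scoped to the lookalike rpId, so the relying party rejects it.
    proxied = verify_assertion(build_client_data(challenge, "https://login.exarnple.com"),
                               build_authenticator_data("exarnple.com"), challenge)
    return {"genuine": genuine, "proxied": proxied}
```

In practice the proxied ceremony usually fails earlier, on the victim's machine: the authenticator holds no credential for the lookalike RP ID, so nothing is signed at all. The server-side checks above matter for the residual cases, and they are also why a SMS or authenticator-app code, which carries no origin, offers no equivalent protection.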

Phase 5: Monetization

What happens after credentials are stolen depends on the target:

Credential Type | Primary Monetization Method
Corporate email | BEC follow-on attacks; ransomware deployment; lateral movement
Banking credentials | Direct account draining or sale on criminal marketplaces ($20–$200 per account)
Corporate VPN/SSO | Network access sold to ransomware affiliates ($1,000–$100,000)
Cloud storage (Dropbox, OneDrive) | Data exfiltration; extortion; sale of intellectual property
Social media | Fraud campaigns; crypto scam broadcasts to followers

How to Recognize Phishing in Practice

The most reliable defense is verification independent of the message itself. If an email asks you to click a link or take an action, verify the request by calling the sender using a phone number you already have — not one in the email. Check the actual URL (hover before clicking) for misspellings or unexpected domains. Watch for urgency language designed to prevent reflection. Organizations should implement DMARC, DKIM, and SPF email authentication policies, which make it harder for attackers to spoof their domain. And any organization handling wire transfers or significant payments should implement a mandatory verbal confirmation policy for any change to payment instructions.
