Offensive Security · Jun 16, 2026 · 14 min read

Phishing and social engineering: how to spot and stop an attack

Most serious breaches start with a message, not a vulnerability. Phishing and social engineering target people, not systems. Here is what the attacks look like, how to recognize them, and how to protect your company.
[Image: two colleagues reviewing a suspicious email on a laptop in an office.]

Phishing is an attack in which the attacker poses as a trusted person or organization to get you to reveal a password, click a malicious link, or make a payment. It is the most common form of social engineering, the broader term for any technique that manipulates people instead of attacking technology. Most serious breaches today do not start with a sophisticated flaw in code. They start with an ordinary message that convinces someone to do something they should not have.

The reason is simple. Technical defenses such as firewalls, encryption, and detection systems have grown much stronger in recent years. People have not changed at the same pace. An attacker who would need weeks to break into a well-secured network can often get the access they want in minutes with one convincing message. That is why understanding phishing and social engineering matters as much as technical protection. This post explains what these attacks look like, how to recognize them, and what a company can do to reduce the risk.

What social engineering is

Social engineering is the manipulation of people so they reveal confidential information or take an action that benefits the attacker. Rather than looking for a technical weakness in a system, the attacker exploits human tendencies: trust, the urge to help, fear of consequences, and the reflex to obey authority and urgency. Phishing is its best-known form, but not the only one.

Social engineering attacks almost always follow a similar pattern. The attacker first gathers information about the target, often from public sources such as social media and the company website. They then build a believable pretext, make contact, and create a sense of urgency that leaves the victim no time to think it through. Urgency is the signal to watch for most closely.

Types of phishing attacks

Phishing comes in several forms that differ by channel and by how targeted they are. The more targeted an attack, the more convincing and dangerous it becomes.

Form                  How it works
Classic phishing      The same message to a large number of recipients; relies on volume.
Spear phishing        Targets a specific person or company, tailored to the information gathered.
Whaling               Targets senior executives whose access and authority cause the most damage.
Smishing / vishing    Phishing by SMS (smishing) or phone (vishing).
BEC                   Business email compromise: a fake executive or supplier requests a payment or a change of details, covered in our piece on business email compromise.
Site cloning          A fake page identical to the real one leads the victim to enter their details.
The most common forms of phishing attack by channel and target.

Other social engineering techniques

Beyond phishing, attackers also use techniques that do not necessarily depend on email.

  • Pretexting is an invented scenario the attacker uses to justify a request, for example a fake IT staffer who asks for a password for supposed maintenance.
  • Baiting offers something attractive, such as a USB stick left in a parking lot or a free download, that carries malicious software.
  • Tailgating is following an authorized person into a secured area without being identified or checked.
  • Quid pro quo offers a service in exchange for information, for example fake technical support that asks for access in return for help.
An attacker does not need to break through your firewall if an employee lets them in through the door. Social engineering targets trust, and trust has no patch.

How to recognize a phishing message

Although the attacks keep getting more convincing, most phishing messages still carry recognizable signs. They are worth knowing, and worth teaching employees to pause on when they notice them.

  • A sense of urgency or threat, such as a message saying your account will be blocked unless you act immediately.
  • A sender whose address looks correct at first glance but contains a small difference in the domain or name.
  • A generic greeting instead of your name, even though the sender claims to know you.
  • Links that lead to an address different from the one the text displays, which you can see by hovering over the link.
  • Unexpected attachments, especially documents that ask you to enable macros.
  • A request for confidential data, passwords, or a payment that arrives outside the usual procedure.
  • Language and style errors, although these are getting rarer as attackers use writing tools.
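Two of the signs above, a sender domain that is a near-miss of the organization's own and a link whose visible text names a different host than its real target, can be checked mechanically. The following Python script is an added example, not code from the post; the trusted domain, the simplified anchor regex and the sample message are constructed assumptions.

```python
# Added example, not from the post: flag a lookalike sender domain and links whose
# visible text names a different host than the href actually points to.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own domain
# Simplified anchor matcher for the constructed sample; not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_sender(from_header):
    """Return the trusted domain the sender imitates, or None if it is clean."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def mismatched_links(html):
    """(visible text, href) pairs where the text shows one host and the href another."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        text = text.strip()
        if "." not in text or " " in text:  # e.g. "Click here" shows no host to compare
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and urlparse(href).hostname not in (None, shown):
            out.append((text, href))
    return out

def analyze(raw_message):
    """Run both checks over one RFC 822 message and report the findings."""
    msg = message_from_string(raw_message)
    return {"lookalike_of": lookalike_sender(msg.get("From", "")),
            "mismatched_links": mismatched_links(msg.get_payload())}

# Constructed sample mirroring the BEC scenario in the post; not a real message.
SAMPLE = """From: Director <director@examp1e.com>

<p>Confidential. Pay the new supplier at <a href="http://login.attacker-host.test/x">https://portal.example.com</a> before 5pm.</p>
"""
```

Running `analyze(SAMPLE)` reports that the sender imitates example.com and lists the one link whose displayed address and real destination disagree; a mail gateway or reporting workflow can apply the same two checks before a user ever hovers over the link.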

An attack in practice

Picture a typical business email compromise scenario. The attacker first studies public information and works out who in the company handles payments. They then send an email that looks like it comes from the director, from an address very close to the real one, urgently requesting a payment to a new supplier before the end of the working day. The message is short, uses the director's name, and stresses confidentiality. Under deadline pressure, the employee makes the payment, and the money disappears before anyone notices the mistake.

What makes this attack work is not technical sophistication but psychology: authority, urgency, and trust. That is why the defense is not only technical. A simple procedure to verify every change of payment details through a second channel, for example a phone call, would have stopped the whole attack.

AI makes phishing more convincing

Artificial intelligence has raised the quality of phishing attacks considerably. Language errors, once a reliable sign of fraud, have all but vanished because attackers use the same writing tools as everyone else. Messages are now grammatically flawless, tailored to the target, and written in a convincing business tone. According to threat assessments from the EU agency ENISA, phishing and social engineering remain among the leading ways attackers gain initial access.[1]

This means a defense cannot rely on spotting badly written messages alone. It needs procedures, technical controls, and regular practice. Strong identity controls, especially multi-factor authentication, also limit the damage when a credential is stolen.

How to protect your company

Defending against phishing and social engineering combines people, process, and technology. No single layer is enough on its own.

  • Regular employee training, because an informed employee is the first and most important line of defense.
  • Multi-factor authentication, which makes a stolen password far less useful to an attacker.
  • Email filtering and domain-level protection, which stop a large share of messages before they reach users.
  • Clear procedures for sensitive actions, especially payments and changes to payment details, with mandatory verification through a second channel.
  • An easy way for employees to report a suspicious message, without fear of consequences if they get it wrong.
  • Regular testing through simulated phishing campaigns, which measure real resilience rather than assumed resilience.

Simulated phishing and resilience testing

Training without verification stays an assumption. Simulated phishing is a controlled exercise in which the security team sends employees harmless messages that mimic a real attack, then measures how many recognized the threat, how many clicked, and how many reported the message. The results show where the real weaknesses are and how training is progressing over time.

These exercises are part of the social engineering we run within offensive security. The goal is not to embarrass employees but to measure the organization's resilience under real pressure and give concrete recommendations for improvement. A broader, adversary-driven test of the whole defense is covered in our piece on red teaming.

What to do if you fell for it

If an employee clicks a link, enters a password, or makes a payment based on a fake message, the speed of the reaction is decisive for limiting the damage.

  • Change the compromised passwords immediately and, where possible, revoke active sessions.
  • Notify IT or the security team so they can check whether the attacker gained access.
  • If a payment was made, contact the bank at once, because funds can sometimes be stopped.
  • Preserve the message and evidence, which matter for the investigation and any report.
  • Check whether a personal data breach occurred, which can trigger an obligation to report within 72 hours.

The ability to detect and stop an incident quickly is built in advance. That is what we cover through threat detection and response, where we help companies recognize a breach and react before the damage grows. Having an incident response plan ready makes that reaction far faster.

Phishing and social engineering remain the most common route to a breach because they target people, and people cannot be patched like software. But resilience can be built and measured. If you want to know how resilient your organization is against a real attack, see our offensive security services and book a scoping call.

Frequently asked questions

What is the difference between phishing and spear phishing?
Classic phishing sends the same message to a large number of people and relies on volume. Spear phishing targets a specific person or company and tailors the message, using gathered information to look credible. Spear phishing is harder to spot and more dangerous because it looks personal and expected.
Is multi-factor authentication enough protection?
Multi-factor authentication greatly reduces the risk because a stolen password alone is not enough to get in, but it is not impenetrable. Some attacks target the second factor too, for example by tricking the user into approving a fake request. MFA is an essential layer, but it should be combined with training and procedures.
How do I report phishing?
Report a suspicious message inside the company to IT or the security team, and do not delete it right away because it can be useful for the investigation. Phishing that impersonates a bank or institution can also be reported to that organization and to your national CERT. The key is to keep the reporting process simple.
Can companies really defend against social engineering?
They cannot eliminate it entirely, but they can greatly reduce the risk and limit the damage. A combination of training, technical controls, clear procedures, and regular testing makes an organization much more resilient. The goal is to make sure a single mistake is not enough for an attack to succeed.

Sources

  1. ENISA. ENISA Threat Landscape. European Union Agency for Cybersecurity, 2024.
  2. CISA. Avoiding Social Engineering and Phishing Attacks. Cybersecurity and Infrastructure Security Agency, 2021.