Cyber Security Awareness: Part 2 - Phishing Attacks: The Art of Deception in a Digital Age

In cybersecurity, there’s one tactic so deceptively simple, yet devastatingly effective, that it remains the go-to strategy for most cybercriminals: phishing.

Phishing remains the #1 entry point cyber criminals use to infiltrate a corporate network. It used to be about getting someone to click a link that takes them to an infected portal hosting droppers, or to open an attachment laced with malicious code that triggers actions on the victim's computer.

Despite years of awareness campaigns, phishing continues to evolve, growing more targeted, more personal, and significantly harder to spot. It’s no longer about a shady email from a so-called foreign prince. It’s the email from your HR department, the text message from your bank, or the DM from your boss. And all it takes is one click.

I have been studying many phishing campaigns and have legally run a few against organizations to see the responsiveness of employees, and the results are always still shocking.

I mostly want to see how many will open the email, click on the link and, thirdly, submit data. In this two-part series, I will get to show you the various levels of phishing attacks out there and how they are being crafted by cyber criminals.

Let’s break it down.


What Is Phishing?

Phishing is a form of social engineering where attackers trick individuals into revealing sensitive information, like passwords, bank details, or security codes, by pretending to be someone they trust.

At its core, phishing isn’t a technical hack. It’s psychological warfare.

Attackers rely on emotional triggers: urgency, fear, curiosity, or even empathy. The goal is to bypass your logic before your brain catches up.

The Evolution of Phishing: It’s Personal Now

Gone are the days of generic emails riddled with spelling errors. Today's phishing is precision-engineered, and now, with the power of AI, it is harder for cyber criminals to make mistakes:

  • Spear Phishing: Tailored messages targeting specific individuals or organizations. Think of an email addressed to you, from your actual boss, about a real project.
  • Smishing: Phishing via SMS. “Your M-Pesa or paypal account has been suspended. Click here to verify NOW”
  • Vishing: Voice phishing through phone calls. Often used in scams pretending to be customer support or government agencies. Anyone’s voice can be cloned by AI tools.
  • Social Media Phishing: Fake profiles and DMs pretending to be someone you know.

Cybercriminals now use data from public sources (LinkedIn, Instagram, breached databases) to personalize attacks and make them nearly indistinguishable from legitimate communication. A breakdown is here: Public Sources OSINT

Why Phishing Still Works

The success of phishing lies in three key psychological loopholes:

  1. Trust in appearance: If it looks official, it must be.
  2. Speed over scrutiny: In our fast-paced digital world, few stop to verify.
  3. Emotional manipulation: Fear of missing out, financial loss, or disappointing someone triggers impulsive action.

Real-Life Scenario: Anatomy of a Phish

Imagine this:

You receive an email from IT Support, asking you to reset your password urgently due to “unusual activity.” The logo checks out. The signature is legitimate. The tone? Professional.

You click the link, enter your credentials and unknowingly hand over access to your entire network. Within hours, your company’s data is compromised, and systems go dark. All from one email.

2-Step Verification Can Also Be Bypassed

Most organizations turn on 2-step verification for their email, but it is mostly done via SMS, which can be bypassed with a few open source tools. The tool is typically hosted on a domain that looks like your company's, e.g. phishmenowxxxx111[.]com becomes phishmenowxxxx111[.]app.

The tool relays your real username, password and OTP to the legitimate service and then redirects you to the real email or portal. Along the way it captures your session tokens, which the attacker replays on their end to gain access to your email.

Pretty difficult to spot, as the URL is long enough that you are unlikely to notice. A few other examples can be found here: PHISHING.ORG

How to Protect Yourself (and Your Team)


  1. Pause Before You Click: Urgency is the oldest trick in the book. If a message pressures you to act fast, slow down. You can use virustotal.com to check links or documents for malicious activity before you open them.
  2. Verify Requests Out of Band: If your “boss” emails you asking for urgent payments, confirm via phone or another trusted channel.
  3. Examine the Details: Check email domains, URLs, grammar, and the sender's language. Even a subtle difference (like @paypaI[.]com standing in for @paypal[.]com) can be a red flag. Notice that one has a lowercase "l" and the other a capital "i"?
  4. Use Multi-Factor Authentication (MFA): Even if your password is compromised, MFA adds a critical second barrier. This should be done via the authenticator app of your choice and not via SMS.
  5. Educate Continuously: Phishing isn’t a one-time threat. Make training regular and relevant. People are your first line of defense, empower them.
  6. Email Security Solutions: Look out for the email security solutions on the market, but interrogate them and run POCs extensively before purchasing. Not all solutions are a fit for your environment.
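A defender-side check for the two lookalike tricks called out above, the capital "I" standing in for a lowercase "l" and the same name registered under a different TLD (.com becoming .app). This is an added example, not code from the article; the TRUSTED_DOMAINS allow-list, the confusable table and the one-label-TLD assumption are mine.

```python
import unicodedata

# Constructed allow-list for this example (not from the article): the domains
# your organisation and its providers genuinely send mail from.
TRUSTED_DOMAINS = {"paypal.com", "phishmenowxxxx111.com"}

# Assumed confusable table: sequences that render like another letter in common
# fonts, including the capital "I" / lowercase "l" swap the article points out.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"),
               ("0", "o"), ("5", "s"), ("3", "e")]

def refang(domain: str) -> str:
    """Turn the defanged form used in reports ('example[.]com') back into a hostname."""
    return domain.strip().replace("[.]", ".").rstrip(".")

def skeleton(domain: str) -> str:
    """Reduce a domain to its visual skeleton so lookalikes collide with the real name."""
    decomposed = unicodedata.normalize("NFKD", domain)  # fullwidth/ligature forms -> ASCII
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))  # drop accents
    for lookalike, canonical in CONFUSABLES:  # must run before lower(): "I" -> "l"
        plain = plain.replace(lookalike, canonical)
    return plain.lower()

def split_registrable(domain: str) -> tuple[str, str]:
    """Split 'mail.example.com' into ('example', 'com'). Assumes a one-label TLD."""
    labels = domain.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")

TRUSTED_SKELETONS = {skeleton(d) for d in TRUSTED_DOMAINS}

def classify_sender_domain(domain: str) -> str:
    """Classify a sender domain against the allow-list; anything but 'trusted' merits a look."""
    dom = refang(domain)
    if dom.lower() in TRUSTED_DOMAINS:
        return "trusted"
    skel = skeleton(dom)
    if skel in TRUSTED_SKELETONS:
        return "homoglyph-lookalike"  # reads the same to the eye, different bytes
    label, tld = split_registrable(skel)
    for trusted in TRUSTED_SKELETONS:
        t_label, t_tld = split_registrable(trusted)
        if label == t_label and tld != t_tld:
            return "tld-swap"  # the .com -> .app trick described above
        if t_label in skel.split(".")[:-2]:
            return "brand-in-subdomain"  # brand parked in front of someone else's domain
    return "unknown"
```

Run it over the From: domains in your mail logs, or wire it into a mail filter, and review everything that is not classified "trusted".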

Final Thoughts


Phishing attacks don't break into systems; they walk through the front door, often invited in. As our digital lives become more interconnected, vigilance is no longer optional, it's essential. They are going to get even more complicated with time and more difficult to spot.

Cybersecurity isn’t just about firewalls and passwords. It’s about awareness, behavior, and building a culture where caution is second nature.

If it feels off, trust that feeling.

All phishing prevention rules should be learned by heart during onboarding.


Got me thinking... Many companies will gladly pay steep fees for a pentest, but hesitate to spend a fraction of that on cyber awareness training because the ROI isn't as easy to measure. I still think awareness is often the cheapest and maybe the most effective line of defense they'll ever have.


Thanks for highlighting the OSINT angle Bright—attackers stitch LinkedIn roles with breached email patterns to craft “IT support” pretexts. A simple guardrail: a public “we will never ask for X via Y” policy for finance/IT. It defuses urgency scripts.


Bright, thanks for sharing.


Definitely worth reading
