I hacked a huge graphic designer in Nigeria.

Onyeka Ojei

Let me tell you a secret: hacking is pretty easy. For most effective hacks, you don’t need to bring down a firewall or sophisticated coding tools. The reality is that many people either overlook their security or remain unaware of its full risks. One or both were true for my target, which enabled me to hack her. By using some social engineering and a Microsoft Word document, I could gain access to my target’s computer. In this article, I’m going to be showing you how I did it and how you can protect yourself from it.

NOTE: Everything done here is for research purposes, and I got proper consent from my target to perform this hack. Doing it to harm others or without proper permission can result in severe consequences.

Terminologies

Before we continue, there are a couple of terminologies I would like you to understand:

Social Engineering

The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Spoofing

Spoofing is a deceptive tactic where an attacker disguises their identity to impersonate a trusted source, like a website, email address, or phone number.

Phishing

The fraudulent practice of sending emails or other messages purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.

OSINT

Open Source Intelligence (OSINT) refers to the practice of gathering and analyzing publicly available information to gain insights into potential threats, vulnerabilities, and risks.

Reverse Shell Attack

A reverse shell is a type of cyberattack in which a victim is duped into having their remote machine establish a connection to the attacker’s computer, rather than the other way around.

The Attack

To perform this attack, I called my friend, who was a huge graphic designer in Nigeria, and asked her if she could be the subject of this project. I hid her identity for the sake of this article. She is one of the most in-demand designers in the southern region of Nigeria, and having consistently worked with big corporations in Nigeria, she’s also one of the craziest workaholics I know.

Phase 1: The analysis

Using OSINT techniques like Google dorking, I was instantly able to find information about my target. Search prompts like {site: “instagram.com” intext: “target name”} on Google helped me find information about her socials right away, sort out her content in my Google search, and reach some of her pages, both present and past. I did the same for all major platforms, looking for some sort of vulnerability I could exploit, and after hours of searching, I found it!

What was I looking for? A social engineering attack requires one thing: trust. You can get that trust in two ways: you can either build it through conversations over time or, as I did, pretend to be someone they trust. While gathering information on my target, I discovered many friends and family members, but one that interested me was an account of a family member who was no longer active. This was perfect. I could disguise myself as this family member, and she would have no way of tracking the original account because it had been deactivated. Using the family member's other social media profiles, I was able to create a replica Instagram profile, and the trust she had in this family member was going to be her vulnerability.

I made contact with her using the fake account, and after a few messages, I had prepared the bait. Given her occupation, coming up with that wasn’t too difficult. I told her I had a contact looking for some serious graphics work, and he was paying well. All I needed was her email, since Instagram wouldn’t allow me to send my payload or attachments through the platform. Once I had that, what I needed to work on next was the delivery.

Phase 2: The Delivery

A simple email delivery is very easy to make, but I couldn’t do that because she still thought I was her brother. To ensure that my disguise didn’t fail, I needed to send it using his email, which is a lot harder. The best way to do this is email spoofing. All I needed for this was a web domain and some PHP code. I know I said you don’t need exceptional coding skills for this, and you really don’t. Using ChatGPT, you can easily generate this PHP code, and I’ll also be dropping my code sample below.

<?php
// Sender's email address
$from = "sender@example.com";  // Replace with the sender's email
// Receiver's email address
$to = "receiver@example.com";  // Replace with the receiver's email
// Email subject
$subject = "Test Email from PHP";
// Email body content
$message = "Hello,\n\nThis is a test email sent from a PHP script.\n\nBest regards,\nYour PHP Script";
// Headers
$headers = "From: " . $from . "\r\n";
$headers .= "Reply-To: " . $from . "\r\n";
$headers .= "X-Mailer: PHP/" . phpversion();

// Send the email
if (mail($to, $subject, $message, $headers)) {
    echo "Email sent successfully to $to from $from";
} else {
    echo "Failed to send email.";
}
?>

Just by making modifications to this code, I could now send my payload of choice to my target, and it would appear as if it came from her family member’s email. What was my payload of choice?
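Seen from the receiving side, a message sent this way leaves traces in its headers. The check below is an added example, not part of my original script: it compares the visible From: domain with the envelope sender and reads the SPF/DKIM/DMARC verdicts recorded by the receiving mail server. The sample messages, all domains and the `TRUSTED_AUTHSERV` value are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
TRUSTED_AUTHSERV = "mx.receiver.example"  # assumed: your own provider's authserv-id

def domain_of(header_value):
    # Lower-cased domain of an address header, or '' when the header is absent.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg, trusted=TRUSTED_AUTHSERV):
    """spf/dkim/dmarc results, read only from headers our own server added."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted:
            continue  # a sender can type this header too; ignore foreign ones
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts

def spoofing_signals(raw):
    """Reasons the visible From: address should not be taken at face value."""
    msg = message_from_string(raw)
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    signals = []
    if path_dom != from_dom:  # strict comparison; subdomains count as a mismatch
        signals.append(f"envelope sender {path_dom!r} != From domain {from_dom!r}")
    verdicts = auth_verdicts(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            signals.append(f"{mech}={verdicts.get(mech, 'missing')}")
    if "php" in (msg["X-Mailer"] or "").lower():
        signals.append("X-Mailer names a PHP script rather than a mail client")
    return signals

# Constructed sample messages (headers only; every domain is a placeholder).
SPOOFED = """\
Return-Path: <www-data@shared-host.example>
Authentication-Results: mx.receiver.example; spf=softfail; dkim=none; dmarc=fail
From: brother@family.example
X-Mailer: PHP/8.2.0
"""
LEGIT = """\
Return-Path: <brother@family.example>
Authentication-Results: mx.receiver.example; spf=pass; dkim=pass; dmarc=pass
From: Brother <brother@family.example>
"""

if __name__ == "__main__":
    print(spoofing_signals(SPOOFED), spoofing_signals(LEGIT))
```

In most mail clients you can read the same headers by hand through "Show original" or "View message source".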

Phase 3: Execution

My payload of choice was a Microsoft Word document. I’m sure you’re wondering how someone can be hacked with an MS Word document, but it’ll shock some of you that Microsoft Word has coding infrastructure. And yes, I did tell you that coding skills weren't needed, and this time I lied. You will need some coding skills in VBA, at least to some degree, to make the MS Word document execute what you want it to. You can set the code to run as soon as the document is opened, without raising the user's suspicion, as long as they have macros enabled. I could write a whole separate article about this, but for the sake of this article, I’m just going to put some code for a simple text box that you can test out on your macros yourself.

To get set up:

  1. Go to “views” in your toolbar.

  2. Go to the “macros” section of the tab.

  3. Create a new document.

  4. Input the code below.

Sub Document_Open()
    hax
End Sub
Sub AutoOpen()
    hax
End Sub

Sub hax()
MsgBox ("you have been hacked")
End Sub

You can run many other types of code with this, including reverse shell attacks. The reverse shell is scary and can grant an attacker complete access to your computer without ever having to touch it. If you have poor infrastructure, the consequences of this attack can be critical and, like for my target, affect your livelihood. With this attack successfully established, I could steal her clients’ information, previous work data, and even sensitive personal data she might be holding.
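Before opening an attachment like this, you can check whether it is able to carry VBA at all. The sketch below is an added example, not code from my test: it inspects the raw bytes of a Word file for a VBA project part and macro-enabled content types. The two sample packages are constructed in memory and the `build_package` helper is hypothetical.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.dot container
MACRO_MARKERS = ("macroEnabled", "vbaProject")  # seen in [Content_Types].xml

def macro_indicators(data):
    """Reasons a Word attachment can carry VBA, judged from content, not name."""
    if data.startswith(OLE_MAGIC):
        return ["legacy OLE container (.doc/.dot): this format can embed VBA"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # not an Office package at all
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                findings.append(f"VBA project part present: {name}")
        if "[Content_Types].xml" in names:
            types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            for marker in MACRO_MARKERS:
                if marker in types:
                    findings.append(f"content types mention {marker}")
    return findings

def build_package(parts):
    """Constructed test input: zip the given {name: text} parts in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in parts.items():
            z.writestr(name, text)
    return buf.getvalue()

PLAIN = build_package({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.'
        'wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
WITH_MACRO = build_package({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
        'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '<Default Extension="bin" '
        'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": "placeholder bytes, not a real VBA project",
})

if __name__ == "__main__":
    print(macro_indicators(PLAIN), macro_indicators(WITH_MACRO))
```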

The Real Life Hack

This isn’t the first time this hack has been done. I was inspired by a famous hack on a financial auditing company called DFIN that resulted in 90 million dollars lost from the USA stock market to Russian trading companies.

How to prevent social engineering attacks

The most important lesson from my hack isn’t how easy it was—it’s how preventable it could have been. Social engineering thrives on trust, urgency, and lack of verification. To stop it, both individuals and organizations need to build a mindset of healthy skepticism and adopt strong security habits.

Individual security habits

  • Verify Before You Trust – If someone asks for your email, password, or details, don’t just hand it over. Call, text, or reach out through a different channel to confirm they are who they say they are.

  • Be Careful with Links and Attachments – Never click on links or download files from unknown senders. Even if the message looks familiar, double-check before opening.

  • Use Strong Authentication – Protect your accounts with strong, unique passwords and enable two-factor authentication (2FA) wherever possible. This way, even if someone tricks you into revealing your password, they still can’t log in.

  • Stay Updated and Protected – Keep your operating system, apps, and antivirus software up to date. Outdated systems are easier to exploit.

  • Trust Your Instincts – If an offer sounds too good to be true, or if a message feels “off,” pause. Social engineers count on you acting fast without thinking.

Organizational security habits

  • Educate and Train Employees – Regular training on how to recognize phishing emails, suspicious requests, and fake profiles can drastically reduce the success rate of attacks.

  • Adopt a Zero-Trust Approach – Build systems that never assume anyone is trustworthy by default. Every access request should be verified, no matter the source.

  • Enforce Secure Communication Channels – Encourage staff to use company-approved communication tools and discourage sharing sensitive information over personal accounts.

  • Use Physical and Digital Safeguards – Tools like smart ID cards, access logs, CCTV, and multi-factor authentication help secure both digital and physical environments.

  • Create Clear Escalation Protocols – Employees should feel comfortable reporting suspicious activity immediately without fear of blame. Quick reporting can stop an attack before it spreads.

Take your security seriously

This story highlights a truth that often gets overlooked in cybersecurity: the human weakness. With nothing more than public information and some coding, I could break into this graphic designer's system, and the same is probably true for most people.

This doesn’t mean people should live in fear of the internet. Instead, it’s a reminder that awareness is the first line of defense. Firewalls and antivirus software can only do so much; the real protection comes from building habits of skepticism, verification, and smart decision-making.

If you did learn a lot from this read, make sure to subscribe, and I’ll be posting more things like this.
