Phishing and Social Engineering Attack Reference

Phishing and social engineering represent the dominant initial access vector in enterprise security incidents, responsible for a disproportionate share of data breaches across public and private sector organizations. This reference covers the technical and behavioral taxonomy of these attacks, the regulatory frameworks that govern organizational response, and the operational decision criteria used by security professionals to classify and prioritize incidents. The scope spans email-based phishing, voice and SMS variants, pretexting, and multi-stage hybrid campaigns.


Definition and scope

Phishing is a category of deceptive attack in which a threat actor impersonates a trusted entity to induce a target to disclose credentials, transfer funds, execute malicious code, or provide unauthorized access to systems. The broader category of social engineering encompasses phishing as a subset and includes any manipulation technique that exploits human psychology — trust, authority, urgency, or fear — rather than purely technical vulnerabilities.

The National Institute of Standards and Technology (NIST) defines phishing under NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) and addresses social engineering as an attack vector category within NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment). The Cybersecurity and Infrastructure Security Agency (CISA) classifies phishing as a Known Exploited Vulnerability delivery mechanism and maintains a dedicated phishing guidance resource.

From a regulatory standpoint, phishing intersects with obligations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule at 45 CFR Part 164 when protected health information is compromised, and with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for financial institutions. The Federal Trade Commission (FTC) enforces GLBA Safeguards compliance and has published guidance on phishing applicable to covered entities.

Attack scope extends beyond individual credential theft. Phishing campaigns serve as the entry point for ransomware deployment, business email compromise (BEC), and advanced persistent threat (APT) intrusions. The FBI's Internet Crime Complaint Center (IC3) reported that BEC — a social engineering-dependent fraud category — accounted for $2.9 billion in adjusted losses in 2023 (IC3 2023 Internet Crime Report).


How it works

Social engineering attacks follow a recognizable operational sequence regardless of the delivery channel. The phases below reflect the attack lifecycle as documented in MITRE ATT&CK's Phishing technique T1566:

  1. Reconnaissance — The attacker collects target information from public sources: LinkedIn profiles, corporate directories, domain registration records (WHOIS), and social media. Open-source intelligence (OSINT) enables personalized lure construction.
  2. Lure construction — A convincing pretext is assembled: a spoofed email domain, cloned login page, fabricated invoice, or impersonated executive identity. Domain spoofing often exploits typosquatting (e.g., paypa1.com vs. paypal.com).
  3. Delivery — The lure is delivered via email (most common), SMS (smishing), voice call (vishing), or direct message on collaboration platforms such as Microsoft Teams or Slack.
  4. Exploitation — The target clicks a link, opens an attachment, or complies with a verbal request. At this stage, either credentials are harvested through a fake login portal or malware is executed on the endpoint.
  5. Post-exploitation — Captured credentials enable lateral movement, data exfiltration, or further social engineering of internal targets using the compromised identity.

The FBI and CISA jointly issued Advisory AA22-074A documenting how threat actors chain phishing with MFA bypass techniques, highlighting that technical controls alone do not neutralize the human exploitation component.
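The lure-construction phase above turns on sender domains that imitate a trusted one (the page's paypa1.com vs. paypal.com case). The following Python is an added example, not part of this reference or of any cited standard: it runs a lookalike-domain check over constructed mail-gateway log lines and flags four imitation patterns (homoglyph substitution, typosquatting within a small edit distance, a brand name embedded in a longer label, and a trusted domain used as a subdomain prefix). The trusted-domain list, the log format and the two-label "registrable domain" shortcut are assumptions.

```python
"""Lookalike sender-domain triage over constructed mail-gateway log lines.

Added example (not from the page): flags sender domains that imitate a
trusted brand by homoglyph substitution, typosquatting, brand-in-label
names, or trusted-domain-as-subdomain tricks.
"""
import re

# Assumption: the organization's own list of trusted domains (constructed).
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example-corp.com"}

# Characters attackers substitute for visually similar Latin letters.
# Multi-character entries come first so "rn" is folded before single letters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("5", "s"), ("\u0430", "a"), ("\u043e", "o"), ("\u0435", "e")]

# Assumed log format: "... from=<localpart>@<domain> ..."
SENDER_RE = re.compile(r"from=\S+?@(?P<domain>[\w.\-]+)")


def normalize(label: str) -> str:
    """Fold common look-alike characters to the Latin letter they mimic."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_idna(domain: str) -> str:
    """Decode punycode (xn--) labels so Unicode homoglyphs become visible."""
    if "xn--" not in domain:
        return domain
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def registrable(domain: str) -> str:
    # Simplification (assumption): last two labels. Production code should
    # use the Public Suffix List so co.uk-style suffixes are handled.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, imitated_trusted_domain_or_None)."""
    domain = decode_idna(domain.lower().strip("."))
    reg = registrable(domain)
    if reg in trusted:
        return "trusted", reg
    sld = reg.split(".")[0]
    norm = normalize(sld)
    best = None  # (distance, trusted domain) for the typosquat check
    for t in sorted(trusted):
        t_sld = t.split(".")[0]
        # paypal.com.verify-account.net: trusted name used as a subdomain prefix
        if f".{t}." in f".{domain}.":
            return "subdomain_lookalike", t
        # paypa1.com / micros0ft.com: identical after homoglyph folding
        if norm == t_sld:
            return "homoglyph", t
        # paypal-secure-login.net: brand embedded in a longer label
        if t_sld in sld:
            return "brand_in_label", t
        # micorsoft.com: within a small edit distance of the brand label
        limit = 2 if len(t_sld) >= 8 else 1
        d = edit_distance(norm, t_sld)
        if d <= limit and (best is None or d < best[0]):
            best = (d, t)
    if best:
        return "typosquat", best[1]
    return "unrelated", None


# Constructed sample gateway log lines (not real traffic).
LOG_LINES = [
    "2024-05-01T10:02:11Z msg=1 from=billing@billing.paypal.com subject='Invoice 4412'",
    "2024-05-01T10:05:43Z msg=2 from=alerts@paypa1.com subject='Verify your account'",
    "2024-05-01T10:07:02Z msg=3 from=helpdesk@micros0ft.com subject='Password reset'",
    "2024-05-01T10:09:19Z msg=4 from=security@paypal.com.verify-account.net subject='Action required'",
    "2024-05-01T10:11:30Z msg=5 from=news@vendor-mail.io subject='May newsletter'",
    "2024-05-01T10:12:05Z msg=6 from=ceo@micorsoft.com subject='Urgent wire'",
]


def triage_log(lines, trusted=TRUSTED_DOMAINS):
    """Return [(msg_id, domain, verdict, imitated)] for suspicious senders only."""
    findings = []
    for line in lines:
        m = SENDER_RE.search(line)
        if not m:
            continue
        msg = re.search(r"msg=(\d+)", line)
        verdict, imitated = classify_domain(m.group("domain"), trusted)
        if verdict not in ("trusted", "unrelated"):
            findings.append((msg.group(1) if msg else None, m.group("domain"), verdict, imitated))
    return findings


if __name__ == "__main__":
    for finding in triage_log(LOG_LINES):
        print(finding)
```

The edit-distance threshold is deliberately tight (1 for short brand labels, 2 for long ones); a looser threshold produces false positives on short names, so in practice the distance check is best combined with a newly-registered-domain signal or a reputation lookup rather than used alone.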


Common scenarios

Spear phishing vs. bulk phishing — Bulk phishing casts wide nets with generic lures (fake package notifications, prize alerts). Spear phishing targets a named individual or role with personalized content, significantly raising success rates. Whaling is a further subset targeting C-suite executives specifically.

Business Email Compromise (BEC) — Attackers compromise or spoof executive email accounts to authorize fraudulent wire transfers or redirect payroll deposits. No malware is required; the attack is purely social. The IC3 treats BEC as a distinct crime category given its financial scale.

Vishing (Voice Phishing) — Attackers impersonate IRS agents, IT helpdesk staff, or bank fraud departments by telephone to extract account credentials or one-time passcodes. The FTC documented a surge in impersonation fraud losses exceeding $1.1 billion in 2023 (FTC Consumer Sentinel Network Data Book 2023).

Smishing (SMS Phishing) — Malicious links are delivered via text message, often mimicking shipping notifications or financial alerts. CISA's Mobile Security Guidance describes the threat landscape mobile users face in these scenarios.

Pretexting — A broader social engineering method in which the attacker constructs a fabricated scenario (a pretext) without necessarily using digital channels. IT impersonation pretexts — such as fabricated system access requests — are common in corporate environments and are addressed in NIST SP 800-115 testing frameworks.

The infosec providers section of this resource catalogs service providers specializing in phishing simulation, awareness training, and incident response across these specific attack categories.


Decision boundaries

Security professionals and compliance teams use the following classification criteria to triage phishing incidents and determine response obligations:

Successful vs. attempted — An attempted phishing event that was blocked by a secure email gateway (SEG) or DNS filtering carries no breach notification trigger. A successful event in which credentials were entered or malware executed requires incident response under organizational security policy and potentially regulatory notification timelines.

Data exposure threshold — Under HIPAA, a successful phishing attack resulting in unauthorized access to protected health information (PHI) triggers a 60-day breach notification requirement to HHS (45 CFR §164.412). Financial institutions under GLBA must notify the FTC within 30 days of discovering a breach (16 CFR Part 314).

Spear phishing vs. bulk phishing response priority — Spear phishing targeting privileged users (administrators, finance personnel, legal) warrants immediate escalation and forensic triage. Bulk phishing caught in quarantine typically enters a lower-priority review process.

Attribution vs. containment — NIST SP 800-61 Rev. 2 explicitly prioritizes containment over attribution in early incident response. Attempting threat actor attribution before containing an active compromise extends dwell time and risk exposure.
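The four criteria above combine into a single triage decision: whether the event was blocked or succeeded, which regulated data was reached, whether the target was a privileged user of a spear-phishing lure, and the rule that containment precedes attribution. The Python below is an added example, not part of this reference, that encodes those criteria as a playbook step and computes the notification due dates from the discovery date using the windows the page states (HIPAA: 60 days to HHS; GLBA: 30 days to the FTC). The Incident record, its field names, the sample records and the "medium" priority for a blocked spear-phishing attempt are assumptions.

```python
"""Phishing incident triage by the decision boundaries above.

Added example (not from the page). The record schema is hypothetical;
the notification windows are the ones the page states, and whether a
framework applies depends on the organization's regulatory scope.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

PRIVILEGED_ROLES = {"administrator", "finance", "legal", "executive"}

# Exposed data class -> (framework, recipient, notification window in days).
NOTIFICATION_RULES = {
    "PHI": ("HIPAA", "HHS", 60),   # protected health information
    "NPI": ("GLBA", "FTC", 30),    # nonpublic personal information (financial)
}


@dataclass
class Incident:
    outcome: str          # "blocked", "credentials_entered" or "malware_executed"
    campaign: str         # "spear" or "bulk"
    target_role: str
    data_exposed: set = field(default_factory=set)
    regulatory_scope: set = field(default_factory=set)  # frameworks the org falls under
    discovered: date = field(default_factory=date.today)


@dataclass
class Triage:
    priority: str
    actions: list
    deadlines: dict       # framework -> (recipient, due date)


def parse_incident(record: dict) -> Incident:
    """Build an Incident from a plain record such as a ticket export (hypothetical schema)."""
    return Incident(
        outcome=record["outcome"], campaign=record["campaign"],
        target_role=record["target_role"],
        data_exposed=set(record.get("data_exposed", [])),
        regulatory_scope=set(record.get("regulatory_scope", [])),
        discovered=date.fromisoformat(record["discovered"]),
    )


def triage(inc: Incident) -> Triage:
    # Attempted vs. successful: a blocked event carries no notification trigger.
    if inc.outcome == "blocked":
        # Assumption: a blocked spear-phishing attempt still gets a human look.
        priority = "low" if inc.campaign == "bulk" else "medium"
        return Triage(priority, ["record in review queue", "confirm gateway/DNS block held"], {})

    # Successful event: contain first; attribution waits (NIST SP 800-61 Rev. 2).
    actions = ["contain: reset the compromised identity and isolate the endpoint",
               "preserve evidence for forensic triage"]
    priority = "high"
    if inc.campaign == "spear" and inc.target_role in PRIVILEGED_ROLES:
        priority = "critical"
        actions.insert(0, "escalate immediately (spear phishing against a privileged user)")

    # Data exposure threshold: a clock starts only for frameworks the org is under.
    deadlines = {}
    for data_class in sorted(inc.data_exposed):
        rule = NOTIFICATION_RULES.get(data_class)
        if rule and rule[0] in inc.regulatory_scope:
            framework, recipient, days = rule
            deadlines[framework] = (recipient, inc.discovered + timedelta(days=days))
    if deadlines:
        actions.append("open breach-notification task(s); attribution only after containment")
    return Triage(priority, actions, deadlines)


# Constructed sample records (not real incidents).
SAMPLE_BLOCKED = {"outcome": "blocked", "campaign": "bulk", "target_role": "staff",
                  "discovered": "2024-03-01"}
SAMPLE_SPEAR = {"outcome": "credentials_entered", "campaign": "spear",
                "target_role": "finance", "data_exposed": ["PHI", "NPI"],
                "regulatory_scope": ["HIPAA", "GLBA"], "discovered": "2024-03-01"}

if __name__ == "__main__":
    for record in (SAMPLE_BLOCKED, SAMPLE_SPEAR):
        result = triage(parse_incident(record))
        print(result.priority, result.deadlines)
        for step in result.actions:
            print("  -", step)
```

The due dates are computed from the discovery date rather than the date the lure was delivered, which matches how the page phrases both windows; a real playbook would also record who made the discovery determination, since that timestamp is what the clock is measured against.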


