7 Phishing Tricks Attackers Use
Recurring phishing lure patterns mapped to chain mechanics, observable signals, and response decisions.
Problem this page solves
Phishing reports often classify a message as "suspicious" but do not identify the lure mechanism or the decision point it targeted. This page maps recurring lure patterns to chain stages so containment and escalation can follow observed evidence.
Reader outcome
After this page, you should be able to:
- classify common phishing lures by mechanism, not theme
- map each pattern to where it acts in the phishing chain
- select response actions with explicit escalation gates
Mechanism-first pattern model (common lure mechanics and chain location)
Use the same chain stages defined in Why Phishing Works: Delivery -> Interaction -> Credential capture -> Session establishment -> Post-access actions.
| Lure mechanic | Typical operator-facing example | Primary chain stage(s) affected |
|---|---|---|
| Authority impersonation | "IT admin" or executive sender display name | Delivery, Interaction |
| Urgency or fear compression | "Account disabled in 10 minutes" | Interaction |
| Link misdirection / lookalike domain | Branded text, attacker-controlled URL | Interaction, Credential capture |
| Attachment execution bait | Invoice/archive/doc requiring enable-content | Interaction, Post-access actions |
| Fake security verification | "Confirm unusual login" flow | Credential capture, Session establishment |
| Conversation hijack / vendor thread spoof | Reply-like email in business thread style | Delivery, Interaction |
| Payment or invoice workflow spoof | Bank-detail change or urgent payment request | Interaction, Post-access actions |
Pattern-to-signal table (directly observable indicators)
| Pattern | Directly observable indicators |
|---|---|
| Authority impersonation | display name vs actual sender mismatch; reply-to domain divergence; unusual sending infrastructure in headers |
| Urgency or fear compression | short action deadline; threat language without case/ticket reference; pressure to avoid normal verification path |
| Link misdirection / lookalike domain | hover target mismatch; non-canonical domain; URL redirects to newly registered or unrelated host |
| Attachment execution bait | archive or macro-enabled file; double extension; endpoint telemetry showing open/execution attempt |
| Fake security verification | login page not on canonical provider domain; unexpected MFA prompt context; user reports credential entry to non-standard flow |
| Conversation hijack / vendor thread spoof | message style mimics ongoing thread but missing prior thread IDs; subtle sender-domain variation; request scope shift |
| Payment or invoice workflow spoof | change-of-bank-details request; off-process payment urgency; mismatch with known procurement cadence |
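The indicator table above is the input to triage, so as an added example (not part of the WitnessOps documentation or product) here is a small Python check that pulls three of those directly observable indicators out of one raw message: an address smuggled into the display name that differs from the real sender domain, Reply-To domain divergence, and anchor text whose host differs from the href target. The message, addresses and domains are constructed for illustration, not real captures.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real capture): a display name carrying a different
# address than the real sender, a divergent Reply-To, and a misdirected link.
SAMPLE = """\
From: "it-admin@corp.example" <alerts@mail-notify.example>
Reply-To: support@corp-helpdesk.example
Content-Type: text/html; charset=utf-8

<p>Sign in at <a href="https://corp-example.login-verify.example/x">
https://portal.corp.example/login</a> to keep access.</p>
"""
def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
class LinkCollector(HTMLParser):
    # Collects [href, visible text] pairs so shown host vs real host can be compared.
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self.links.append([self._href, ""])
    def handle_data(self, data):
        if self._href is not None:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def header_signals(raw):
    # Returns the directly observable indicators present in one raw message.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    signals = []
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)  # address smuggled into display name
    if m and m.group(1).lower() != domain_of(addr):
        signals.append("display-name/sender mismatch")
    if reply and domain_of(reply) != domain_of(addr):
        signals.append("reply-to domain divergence")
    lc = LinkCollector()
    lc.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in lc.links:
        shown = urlparse(text.strip()).hostname
        if shown and shown != urlparse(href).hostname:
            signals.append("hover target mismatch")
    return signals
```

Each returned string is an observed artifact that can be preserved with the headers; none of them by itself says whether the user interacted, which is what the gates below decide.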
Practical response decisions per pattern with escalation gates
Gate definitions:
- Gate A (exposure-only): no click, no file open, no credential or MFA interaction
- Gate B (interaction): click or file open occurred, but no credential/MFA/session evidence yet
- Gate C (account exposure likely): credential entry, MFA approval, or suspicious new session evidence
- Gate D (high impact): privileged account, multi-user spread, or financial workflow impact
| Pattern | Immediate response decision | Escalation gate |
|---|---|---|
| Authority impersonation | preserve email headers, verify sender via known channel, block sender/domain indicators | Gate B if user engaged; Gate D if privileged or finance approver impersonated |
| Urgency or fear compression | pause requested action, validate claim in trusted portal, preserve message timeline | Gate B on click/open; Gate C on credential/MFA interaction |
| Link misdirection / lookalike domain | resolve URL safely, preserve redirect chain, block destination and lookalikes | Gate B on click; Gate C if credentials entered or auth prompt approved |
| Attachment execution bait | quarantine sample, collect hash, review endpoint process tree and child execution | Gate C if execution evidence exists; Gate D if multiple endpoints or privileged host involvement |
| Fake security verification | collect fake-page artifacts, review sign-in logs, revoke suspicious sessions | Gate C when credential/MFA/session evidence appears; Gate D for admin account impact |
| Conversation hijack / vendor thread spoof | preserve full thread metadata, out-of-band verify request, monitor downstream recipients | Gate C if sensitive data shared; Gate D if spread or payment workflow changed |
| Payment or invoice workflow spoof | hold transaction/change request, verify beneficiary through known contact path, preserve approval trail | Gate D on any initiated transfer, account-change execution, or finance-system impact |
What WitnessOps controls can support vs cannot guarantee
WitnessOps can support:
- Phishing Investigation for governed triage, artifact capture, and containment sequence
- What Evidence Is Required? for decision completeness before intrusive action
- Policy Gates for approval controls on high-impact response steps
- Sensitive Artifact Handling for controlled handling of emails, URLs, and credentials-related artifacts
- Receipts for signed decision and remediation traceability
WitnessOps cannot guarantee:
- prevention of all phishing delivery attempts
- full reconstruction when required telemetry is missing, delayed, or altered
- attacker intent or attribution from a single lure artifact
- recovery of external financial transfers without third-party process outcomes
Observed vs inferred separation
- Observed: sender/header mismatch, resolved URL, file hash, click/open telemetry, sign-in/session log, payment-change request artifact.
- Inferred: "credentials were definitely stolen," "attacker had mailbox control," or "full blast radius is known."
Use observed artifacts to justify immediate containment. Keep inferred claims explicit until corroborated.
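The gate definitions from the response table and the observed/inferred separation above fit together as one decision routine; the following Python is an added example (not WitnessOps code) of that routine. The gate is computed only from observed evidence fields, inferred claims are carried alongside but marked uncorroborated, and the field names, gate-to-field mapping and sample case are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ObservedEvidence:
    """Directly observable artifacts only (telemetry, headers, sign-in logs).
    Inferred claims go in `inferred` and never influence the gate."""
    clicked: bool = False
    file_opened: bool = False
    execution_seen: bool = False
    credential_entered: bool = False
    mfa_approved: bool = False
    suspicious_session: bool = False
    privileged_account: bool = False
    multi_user_spread: bool = False
    finance_workflow_impact: bool = False
    inferred: list = field(default_factory=list)

# Gate definitions from the page, checked highest impact first. Each gate lists
# the observed fields that satisfy it (execution evidence sits at Gate C, as in
# the attachment-bait row). Field names are constructed for this example.
GATE_RULES = [
    ("D", ("privileged_account", "multi_user_spread", "finance_workflow_impact")),
    ("C", ("credential_entered", "mfa_approved", "suspicious_session", "execution_seen")),
    ("B", ("clicked", "file_opened")),
]

def escalation_gate(ev):
    """Return (gate, observed fields that justify it); Gate A when none apply."""
    for gate, fields in GATE_RULES:
        hits = [f for f in fields if getattr(ev, f)]
        if hits:
            return gate, hits
    return "A", []

def containment_record(pattern, ev):
    """Decision record: containment justified by observed artifacts, with
    inferred claims kept explicit and uncorroborated until evidence arrives."""
    gate, basis = escalation_gate(ev)
    return {
        "pattern": pattern,
        "gate": gate,
        "observed_basis": basis,
        "inferred_uncorroborated": list(ev.inferred),
        "requires_policy_gate_approval": gate == "D",  # high-impact steps only
    }

if __name__ == "__main__":
    # Constructed case: user reports entering credentials on a non-canonical
    # login page, and the sign-in log shows a new session afterwards.
    ev = ObservedEvidence(clicked=True, credential_entered=True, suspicious_session=True,
                          inferred=["attacker had mailbox control"])
    print(containment_record("Fake security verification", ev))
```

Note that an inferred claim such as "credentials were definitely stolen" leaves the gate unchanged until a corresponding observed field (credential entry, MFA approval, session evidence) is actually recorded.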
Trust assumptions and limits
Assumptions:
- email, endpoint, identity, and finance telemetry is retained and time-aligned enough for sequence reconstruction
- original artifacts are preserved before user mailbox cleanup or endpoint remediation
- responder actions follow policy gates when tenant-wide, privileged, or financial-impact steps are proposed
Limits:
- delayed reporting can remove short-lived artifacts (redirect chains, ephemeral pages, transient sessions)
- adversaries may evade, suppress, or overwrite telemetry
- some scope decisions remain probabilistic until additional corroborating evidence is collected
Next-page handoff
Continue to A Real Phishing Email for a line-by-line lure walkthrough using this same observed-signal and escalation model.