I’m A Hacker, Here’s How I Break Into Your Company’s Network | How Phishing Attacks Work

Luke Stephens (@hakluke)
5 min readOct 19, 2018

Have you ever received an email from a Nigerian prince or a non-existent distant relative who is offering you an absurd amount of money? It was a phishing scam, albeit an extremely unsophisticated one. These unsophisticated phishing emails are generally sent to a huge number of people, in the hundreds of thousands or even millions. Sending this many emails does not take much effort given the right resources. If just 0.01% of people fall for this phishing scam, at $1000 per victim, with 1 million emails, you have just made yourself a tidy $100,000. Not bad for a weekend’s work!

Phishing attacks are not just for Nigerian scammers, they are the most common way that malicious hackers gain access to corporate networks. The more sophisticated phishing attacks are highly targeted and believable. A motivated hacker might spend months enumerating their target before they strike. Let’s give a simple example of how this might work.

Let’s say that I decide that I am a super evil hacker who would really like to have full control of ABC Bank’s network. Fred Jones is the receptionist for ABC Bank. Like most people, he has a LinkedIn and Facebook account. I know Fred works there as a receptionist, because I can see it on his LinkedIn profile. I also know that he has applied for annual leave, because he posted about an upcoming trip to Hawaii with his wife and two kids. His bosses name? No problem… His boss also has LinkedIn.

After 5 minutes of Googling, we are armed with the following information about ABC Bank:

  • Fred Jones is the receptionist
  • Bobby Gertrude is Fred’s boss
  • Fred has applied for annual leave for a trip to Hawaii

With this small amount of knowledge, I could put together a pretty believable phish. First I create a Gmail account, bobby.gertrude@gmail.com, and write an email that goes something like this:

From: bobby.gertrude@gmail.com

Hi Fred,

My corporate email seems to be not working on my phone so I’m sending this from my personal email. Your annual leave should be approved, but we just need a few extra details from you. Do you mind filling out this…

Luke Stephens (@hakluke)