SECURITY EDUCATION
Why Phishing Works
A phishing lesson framed as scenario, attack chain, observable evidence, operator response, and WitnessOps controls.
Phishing is an identity attack wrapped in a normal business workflow.
Scenario
You receive an email from a supplier. Subject line: "Invoice #4821 — Payment Due."
The sender name matches a real contact. There is a PDF attachment or a link to "view the invoice online."
You click it.
Attack Chain
Email arrives
↓
User clicks the link
↓
Fake login page appears
↓
Credentials are entered
↓
Attacker signs in to the real mailbox
↓
Mailbox abuse, resets, or fraud begin
This can take less than a minute from click to compromise.
Observable Evidence
Look for:
- the preserved message with headers
- a lookalike domain or mismatched reply-to
- user confirmation that a link was clicked or credentials were entered
- unfamiliar mailbox or identity-provider sign-ins
- new forwarding rules, inbox rules, or password reset activity
These artifacts show what happened; on their own they do not prove that the analyst's conclusions are correct.
Operator Response
- Preserve the original message before changing or deleting anything.
- Validate the sender, links, attachments, and user interaction path.
- If credentials may have been entered, revoke sessions and start account containment immediately.
- Escalate if privileged accounts, MFA approval, executed code, or multi-user exposure is involved.
Use Investigating a Phishing Report for the governed workflow.
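The evidence checks under Observable Evidence and the response steps above, worked as one added example (this is not WitnessOps code or the workflow it links to). It assumes an operator-maintained set of vetted supplier domains (SUPPLIER_DOMAINS) and expected sign-in egress IPs (KNOWN_IPS); the message, the lookalike domain and the audit events are constructed samples, and the audit-event schema is a stand-in for whatever your mail platform or identity provider exports.

```python
"""Evidence checks for a reported phishing message (added example, not
WitnessOps code). Assumes operator-maintained lists of vetted supplier
domains and expected sign-in IPs; message and audit events are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

SUPPLIER_DOMAINS = {"acme-supplies.example"}  # assumed: vetted supplier domains
KNOWN_IPS = {"198.51.100.5"}                 # assumed: expected sign-in egress

# Constructed sample of the "Invoice #4821" message, preserved with headers.
RAW_MESSAGE = """\
From: "Acme Supplies" <billing@acme-supp1ies.example>
Reply-To: collections@mail-acme.example
To: ap@victim.example
Subject: Invoice #4821 - Payment Due

View the invoice online: http://acme-supp1ies.example/invoice/4821
"""

# Constructed mailbox / identity-provider audit events after the click.
AUDIT_EVENTS = [
    {"time": "2024-05-02T09:14:05Z", "user": "ap@victim.example",
     "action": "SignIn", "ip": "203.0.113.77"},
    {"time": "2024-05-02T09:15:40Z", "user": "ap@victim.example",
     "action": "New-InboxRule",
     "detail": "ForwardTo=archive@mail-acme.example; DeleteMessage=True"},
    {"time": "2024-05-02T09:20:11Z", "user": "ap@victim.example",
     "action": "SignIn", "ip": "198.51.100.5"},
]


def domain_of(address):
    """Lower-cased domain of an RFC 5322 address, '' if absent."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; 1-2 against a known domain suggests typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=SUPPLIER_DOMAINS):
    """Known domain this one imitates (distance <= 2), or None."""
    if not domain or domain in known:
        return None
    return next((k for k in known if edit_distance(domain, k) <= 2), None)


def analyze_message(raw):
    """Header and link checks on the preserved message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    link_domains = {(urlparse(u).hostname or "").lower()
                    for u in re.findall(r"https?://[^\s\"'<>]+", raw)}
    return {
        "from_domain": from_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "sender_lookalike": lookalike_of(from_domain),
        "link_lookalikes": {d: lookalike_of(d) for d in link_domains
                            if lookalike_of(d)},
    }


def suspicious_events(events, known_ips=KNOWN_IPS):
    """Flag unfamiliar sign-ins, forwarding/deleting rules and password resets."""
    flagged = []
    for ev in events:
        action = ev.get("action", "")
        if action == "SignIn" and ev.get("ip") not in known_ips:
            flagged.append(("unfamiliar_signin", ev))
        elif action == "New-InboxRule" and re.search(
                r"ForwardTo=|DeleteMessage=True", ev.get("detail", "")):
            flagged.append(("forwarding_rule", ev))
        elif action in ("ResetPassword", "ChangePassword"):
            flagged.append(("password_reset", ev))
    return flagged


def recommended_actions(findings, event_flags, credentials_entered,
                        privileged=False, mfa_approved=False,
                        code_executed=False, multi_user=False):
    """Map evidence to the response steps: preserve, validate, contain, escalate."""
    actions = ["preserve_original_message", "validate_sender_links_user_path"]
    if credentials_entered or event_flags:
        actions.append("revoke_sessions_and_contain_account")
    if privileged or mfa_approved or code_executed or multi_user:
        actions.append("escalate")
    return actions
```

Run `analyze_message(RAW_MESSAGE)` and `suspicious_events(AUDIT_EVENTS)` to see the three signals the page lists (lookalike sender and link domain, mismatched Reply-To, an unfamiliar sign-in followed by a forwarding-and-delete rule), then feed them with the user's own account of the click into `recommended_actions`. The containment step is driven by "credentials may have been entered" or by post-click identity activity, and escalation only by the four conditions the page names; the distance threshold of 2 is a starting point that you would tune against your own supplier list to keep false positives low.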
WitnessOps Controls
The response should be tied to:
- Phishing Investigation for validation and triage
- Policy Gates before intrusive mailbox or tenant-wide actions
- What Evidence Is Required? for a complete incident record
- Receipts to sign the investigation and remediation chain