Phishing and Social Engineering
π₯ Opening Hook
In 2020 a Twitter employee received
a phone call.
The caller claimed to be from
Twitter’s internal IT department.
They asked the employee to help
with a routine system issue.
The employee β trying to be helpful β
provided the access they asked for.
Within hours the attackers had
taken over the Twitter accounts of
some of the world’s most prominent
people β Barack Obama, Elon Musk,
Apple, and dozens of others β
and used them to run a
cryptocurrency scam.
The breach was not caused by
a technical vulnerability.
It was caused by a phone call
and a helpful employee.
That is social engineering.
And it works on everyone β
including highly trained professionals
at major technology companies.
ββββββββββββββββββββββββββββββββββ
- What Is Phishing?
The Phishing Cycle consist of:
Trust β Urgency β Action β Compromise
Phishing is a type of cyberattack
where criminals send deceptive
communications β typically emails,
SMS messages, or instant messages β
designed to trick recipients into:
β Revealing sensitive information
such as passwords, PINs,
or banking details
β Clicking malicious links that
install malware or redirect
to fake websites
β Transferring money or providing
financial access
β Granting access to systems
or accounts
The name comes from fishing β
attackers cast a wide net,
knowing that even a small
percentage of responses
makes the effort worthwhile.
ββββββββββββββββββββββββββββββββββ
- Types of Phishing Attacks
2.1 Mass Phishing
The most common form β
millions of identical messages
sent to random recipients
impersonating trusted brands.
Common impersonations:
β Banks β “Your account has
been suspended. Verify now.”
β Delivery companies β
“Your package could not
be delivered. Click to reschedule.”
β Government agencies β
“Your tax refund is ready.
Claim it here.”
β Technology companies β
“Your account security
has been compromised.”
β Mobile money providers β
particularly common across
Africa where mobile money
adoption is high
2.2 Spear Phishing
A targeted attack aimed at
a specific individual β
using personal information
gathered from social media,
LinkedIn, or previous data breaches
to make the message more convincing.
Example:
An attacker researches a finance
officer on LinkedIn. They know
their name, their company, their
manager’s name, and recent
company news. They send an email
appearing to be from the manager
with a specific, plausible request.
The personalisation makes it
dramatically more convincing
than a generic phishing attempt.
2.3 Whaling
Spear phishing targeting
senior executives β CEOs,
CFOs, and board members.
These attacks are highly
researched and often involve
requests for large financial
transfers or access to
sensitive corporate systems.
2.4 Smishing and Vishing
Smishing:
Phishing via SMS β
text messages with malicious
links or requests for information.
Vishing:
Phishing via voice call β
as in the Twitter attack above.
Attackers call pretending to be
from banks, IT departments,
government agencies, or
trusted organisations.
ββββββββββββββββββββββββββββββββββ
- How to Recognise a
Phishing Attempt
The most important skill in
cybersecurity is the ability
to pause and examine before acting.
Red flags in email phishing:
Sender address:
β The display name looks correct
but the actual email address
is suspicious β
support@paypa1.com instead of
support@paypal.com
β A domain that is slightly wrong β
one letter changed, a hyphen added,
or a different extension used
Urgency and pressure:
β “Your account will be closed
in 24 hours”
β “Immediate action required”
β “Respond before end of business today”
Urgency is one of the most
reliable red flags in any
suspicious communication.
Legitimate organisations rarely
create panic β attackers always do.
Unexpected requests:
β A bank asking you to confirm
your full password or PIN
β A colleague asking for payment
details via email
β A request to bypass normal
approval processes
Links and attachments:
β Hover over links before clicking β
the actual destination often
reveals the deception
β Unexpected attachments β
particularly ZIP files,
executable files, or documents
asking you to enable macros
β Shortened URLs that hide
the true destination
Grammar and presentation:
β Spelling mistakes and poor grammar β
though sophisticated attacks
are increasingly well-written
β Generic greetings β
“Dear Customer” from your bank
β Formatting that looks slightly
different from genuine communications
ββββββββββββββββββββββββββββββββββ
- What Is Social Engineering?
Social engineering is a broader
category of attack that exploits
human psychology rather than
technical vulnerabilities.
Phishing is one form of
social engineering β but
social engineers use many tactics:
4.1 Pretexting
Creating a fabricated scenario
to extract information or access.
Example:
An attacker calls an employee
pretending to be an auditor
who urgently needs access to
financial records before a
regulatory deadline.
4.2 Baiting
Offering something enticing β
a free download, a prize,
or a USB drive left in a
car park β that contains
malicious content.
The curiosity or greed that
drives someone to plug in
an unknown USB drive or
download a free software
cracker is what the
attacker is exploiting.
4.3 Quid Pro Quo
Offering a service in exchange
for information or access.
Example:
“I am from IT support β
I can fix your computer
slowness if you just give
me your login credentials.”
4.4 Tailgating and Impersonation
Physical social engineering β
following an authorised person
through a secure door, or
impersonating a delivery driver,
maintenance worker, or colleague
to gain physical access.
ββββββββββββββββββββββββββββββββββ
- Why Social Engineering Works
Social engineers exploit
normal, healthy human instincts:
β Helpfulness β we want to
assist people who need help
β Trust β we extend good faith
to people who seem legitimate
β Authority β we comply with
requests from apparent superiors
β Urgency β we act quickly
when something seems time-sensitive
β Fear β we respond to threats
about our accounts, jobs,
or security
β Curiosity β we want to know
what is in that email,
on that drive, behind that link
None of these instincts are flaws.
They are what make us good
colleagues, good professionals,
and good people.
Attackers have simply learned
to exploit them deliberately.
The defence is not to become
suspicious of everyone β
it is to develop the habit of
pausing before acting on
unexpected requests.
ββββββββββββββββββββββββββββββββββ
- What to Do When You
Suspect Phishing
If you receive a suspicious
communication β do not panic.
Do this instead:
β Do not click any links or
open any attachments
β Do not reply to the message
β Verify independently β
if the message claims to be
from your bank, go directly
to the bank’s official website
by typing it in your browser,
or call the official number
β Report it to your IT or
security team if at work
β Report it to your national
cybercrime authority if personal
The key principle:
When in doubt β verify
through a separate, independent
channel before taking any action.
ββββββββββββββββββββββββββββββββββ
π Global and African Context
Phishing attacks impersonating
mobile money providers, banks,
and telecommunications companies
are among the most common
cyber threats facing individuals
across Africa.
The growth of mobile-first
digital services β while enormously
beneficial β has created a large
population of users who are
new to digital financial services
and therefore more vulnerable
to social engineering.
Globally β business email
compromise, where attackers
impersonate senior executives
or trusted suppliers to
authorise fraudulent payments,
costs organisations billions
of dollars every year across
every continent.
ββββββββββββββββββββββββββββββββββ
β‘ Power Insight
The most dangerous phishing
attacks do not look like
phishing attacks. They look
like legitimate, urgent,
personalised communications
from people you trust. The
defence is not suspicion β
it is the habit of pausing,
questioning, and verifying
independently before taking
any action on any unexpected
request. That habit, applied
consistently, stops the
majority of attacks cold.
ββββββββββββββββββββββββββββββββββ
βοΈ Quick Action Challenge
β‘ Takes 5 minutes:
Find a recent email in your inbox
from a company or organisation β
a bank, a delivery service,
a platform you use.
Now examine it as if you were
a security professional:
β Is the sender address exactly right?
β Does the link destination match
the company’s official domain?
β Is there any urgency or
pressure in the message?
β Does anything feel slightly off?
This is not about finding
something wrong β most emails
are legitimate.
It is about building the habit
of looking before you act.
π Want to go deeper?
Google has a free phishing
quiz at phishingquiz.withgoogle.com
β it takes about 10 minutes
and tests your ability to spot
real phishing attempts.
It is surprisingly challenging
even for experienced professionals.
ββββββββββββββββββββββββββββββββββ
π Sources & Further Reading
- Google β
Phishing Quiz
phishingquiz.withgoogle.com - Anti-Phishing Working Group β
Phishing Activity Trends Report
(updated regularly)
apwg.org/resources/apwg-reports - Cybersecurity and Infrastructure
Security Agency (CISA) β
Phishing Guidance
cisa.gov/phishing - INTERPOL β
Business Email Compromise
interpol.int/en/Crimes/
Financial-crime/
Business-Email-Compromise - KnowBe4 β
Security Awareness Resources
knowbe4.com/resources
ββββββββββββββββββββββββββββββββββ
π Key Takeaway
Phishing and social engineering
succeed because they exploit
human nature β not technical
weaknesses. The Twitter hack,
the fraudulent wire transfer,
the stolen mobile money account β
all began with a message, a call,
or a click. The professionals
who resist these attacks are
not more suspicious than others β
they are simply more deliberate.
They pause. They verify.
They never let urgency override
judgment. Build that habit
and you will stop the majority
of attacks before they start.