Phishing and Social Engineering Targeting Identity
Phishing and social engineering attacks targeting identity represent one of the most operationally significant threat vectors in enterprise and public-sector cybersecurity. These techniques exploit human behavior rather than technical vulnerabilities to extract credentials, bypass authentication controls, and enable unauthorized access to identity infrastructure. The scope of this threat category spans credential harvesting, account takeover, identity impersonation, and the manipulation of identity governance processes. For professionals navigating the identity security providers covered in this network, understanding the structure and classification of these attacks is foundational to assessing service provider qualifications and framework applicability.
Definition and scope
Social engineering targeting identity is defined by NIST as the manipulation of individuals into performing actions or divulging confidential information, with phishing representing a specific delivery mechanism using fraudulent electronic communication (NIST SP 800-63B, Digital Identity Guidelines). Within the identity security domain, the scope narrows to attacks that target authentication credentials, identity proofing processes, privileged access pathways, and identity governance workflows.
The Cybersecurity and Infrastructure Security Agency (CISA) classifies phishing as a primary initial access vector in its Phishing Guidance: Stopping the Attack Cycle at Phase One, noting that credential theft through phishing underpins a majority of ransomware and business email compromise incidents tracked by federal agencies. The Anti-Phishing Working Group (APWG) reported over 4.7 million phishing attacks in 2022 in its Phishing Activity Trends Report, making it the most volumetrically active threat category in the credential theft landscape.
Social engineering attacks targeting identity are distinct from network intrusion techniques in one critical respect: they succeed by subverting authorized users rather than defeating technical controls. This distinction affects how identity security frameworks — including those covered in the — categorize detection and mitigation obligations.
How it works
Phishing and social engineering attacks targeting identity proceed through a structured sequence of phases. The following breakdown reflects the attack lifecycle as documented by CISA and the MITRE ATT&CK framework (MITRE ATT&CK, Phishing: T1566):
- Reconnaissance — The attacker gathers target information from public sources (LinkedIn profiles, corporate directories, domain WHOIS records) to construct credible pretexts. Identity-targeted attacks require target-specific intelligence about organizational roles, authentication systems in use, and identity provider configurations.
- Pretext construction — A believable identity or organizational context is fabricated. In identity-targeted attacks, this frequently involves impersonating IT helpdesk personnel, identity provider (IdP) vendors, or HR systems processing credential resets.
- Delivery — The fraudulent communication is transmitted via email, SMS (smishing), voice call (vishing), or messaging platform. Delivery mechanisms increasingly exploit trusted platforms to evade email filtering controls.
- Credential capture — The victim is directed to a spoofed login portal, a session-hijacking proxy, or an adversary-in-the-middle (AiTM) relay that intercepts multi-factor authentication (MFA) tokens in real time. Microsoft's Digital Defense Report documented AiTM techniques as a direct bypass for legacy MFA implementations.
- Exploitation — Captured credentials or session tokens are used to access identity management consoles, directory services (Active Directory, Azure AD), or downstream applications authenticated through single sign-on (SSO).
- Persistence — The attacker modifies identity configurations — creating new privileged accounts, altering MFA settings, or installing OAuth application grants — to maintain access after the initial session ends.
Common scenarios
Several distinct attack scenarios characterize the identity-targeted social engineering landscape:
Credential phishing via IdP impersonation — Attackers clone the login interface of a widely deployed identity provider such as Microsoft Entra ID or Okta and deliver the link via spear-phishing email. The 2023 MGM Resorts incident, attributed to the group Scattered Spider and documented in public SEC filings and industry reporting, involved social engineering of IT helpdesk staff to reset MFA credentials — illustrating how identity administrative functions are direct attack targets.
Vishing against helpdesk and identity administrators — Voice-based social engineering targets the human operators of identity management systems. The CISA advisory AA23-025A specifically documents threat actor use of voice calls to impersonate employees and manipulate helpdesk personnel into resetting credentials or disabling MFA protections.
Business email compromise (BEC) for identity pivoting — Once an attacker compromises an email account, that identity is leveraged to authorize fraudulent transactions, reset credentials for additional accounts, or impersonate executives to manipulate identity governance approvals. The FBI's Internet Crime Complaint Center (IC3) recorded adjusted losses of over $2.9 billion attributed to BEC in 2023 (FBI IC3 2023 Internet Crime Report).
Adversary-in-the-middle (AiTM) phishing — Distinct from static credential-harvesting pages, AiTM attacks use reverse-proxy toolkits (documented in CISA and Microsoft advisories) to relay authentication sessions in real time, capturing session cookies that remain valid even after the authentication event concludes — bypassing time-of-login MFA controls.
Quishing (QR code phishing) — QR codes embedded in email or physical media direct targets to credential-harvesting sites while bypassing URL-scanning controls applied to traditional hyperlinks. CISA issued guidance on quishing in late 2023 as adoption of this technique expanded across phishing campaigns.
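As an added illustration of two signals named in the lifecycle and scenarios above (AiTM session-cookie replay, and persistence through MFA or OAuth changes after access), the following detector is example code written for this page, not part of the original article or any vendor's product. The event shape, field names and sample values are constructed assumptions, not a real provider's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "signin" rows carry the session id and whether
# that request satisfied an MFA challenge; "audit" rows record identity configuration changes.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "signin", "session": "S1", "ip": "203.0.113.10", "mfa": True},
    {"ts": "2024-05-01T09:03:00", "user": "alice", "type": "signin", "session": "S1", "ip": "198.51.100.7", "mfa": False},
    {"ts": "2024-05-01T09:10:00", "user": "alice", "type": "audit", "action": "mfa_method_added", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:12:00", "user": "alice", "type": "audit", "action": "oauth_consent_granted", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "type": "signin", "session": "S2", "ip": "192.0.2.5", "mfa": True},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "type": "signin", "session": "S2", "ip": "192.0.2.5", "mfa": False},
    {"ts": "2024-05-02T10:30:00", "user": "bob", "type": "audit", "action": "mfa_method_added", "ip": "192.0.2.5"},
]

# Configuration changes the lifecycle lists as persistence mechanisms (assumed action names).
PERSISTENCE_ACTIONS = {"mfa_method_added", "mfa_disabled", "oauth_consent_granted", "privileged_role_assigned"}
parse = datetime.fromisoformat

def detect_session_replay(events):
    """AiTM indicator: a session id presented from an IP other than the one that completed MFA.
    The proxy relays the victim's MFA-approved login; the captured cookie is then replayed elsewhere."""
    mfa_ip = {}  # (user, session) -> ip that satisfied the MFA challenge
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "signin":
            continue
        key = (e["user"], e["session"])
        if e["mfa"]:
            mfa_ip.setdefault(key, e["ip"])
        elif key in mfa_ip and mfa_ip[key] != e["ip"]:
            alerts.append({"user": e["user"], "session": e["session"], "ts": e["ts"],
                           "mfa_ip": mfa_ip[key], "replay_ip": e["ip"]})
    return alerts

def detect_post_signin_persistence(events, window=timedelta(minutes=30)):
    """Persistence indicator: an MFA or OAuth change within `window` of a sign-in, recorded
    together with whether the changing IP ever completed MFA for that account."""
    signins = [e for e in events if e["type"] == "signin"]
    alerts = []
    for e in events:
        if e["type"] != "audit" or e["action"] not in PERSISTENCE_ACTIONS:
            continue
        recent = [s for s in signins if s["user"] == e["user"]
                  and timedelta(0) <= parse(e["ts"]) - parse(s["ts"]) <= window]
        if recent:
            trusted = {s["ip"] for s in signins if s["user"] == e["user"] and s["mfa"]}
            alerts.append({"user": e["user"], "action": e["action"], "ts": e["ts"],
                           "change_ip": e["ip"], "ip_completed_mfa": e["ip"] in trusted})
    return alerts
```

In the constructed data only alice's session is replayed from a second IP, and only her MFA and OAuth changes fall inside the window; bob's same-IP session reuse and next-day MFA change are left unflagged.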
Decision boundaries
Distinguishing phishing and social engineering attacks from technically adjacent threat categories determines which controls, frameworks, and service provider specializations apply.
Social engineering vs. technical exploitation — Social engineering attacks succeed through human action; technical exploitation succeeds through software or configuration vulnerabilities. The two intersect when phishing delivers malware, but the initial access vector — and therefore the primary mitigation domain — differs. Identity security controls (MFA, privileged access management, identity governance) address the social engineering vector; vulnerability management addresses technical exploitation.
Spear phishing vs. bulk phishing — Bulk phishing distributes generic lures at scale; spear phishing targets specific named individuals or roles using personalized intelligence. Identity-targeted attacks are predominantly spear phishing operations because the value of identity credentials scales with organizational specificity. The NIST Cybersecurity Framework (NIST CSF 2.0) categorizes these under the "Identify" and "Protect" functions, with response obligations mapped across "Detect" and "Respond."
Account takeover vs. identity fraud — Account takeover (ATO) refers to unauthorized access to an existing authenticated account; identity fraud involves the creation of new accounts or identities using stolen personal information. Phishing and social engineering attacks produce ATO outcomes; the downstream use of harvested identity data may produce identity fraud. Both categories intersect with breach notification obligations under statutes such as the Gramm-Leach-Bliley Act (GLBA) and state-level breach laws documented by the National Conference of State Legislatures.
Organizations assessing service providers in the identity security sector — as profiled in identity security providers — should distinguish vendors specializing in phishing simulation and awareness training from those providing identity threat detection and response (ITDR), privileged access management (PAM), or MFA-resistant authentication architecture. These are operationally distinct service categories with separate qualification standards and regulatory touchpoints. The how to use this identity security resource page provides further context on navigating these distinctions within this network's classification structure.
References
- NIST Special Publication 800-63B
- Phishing Guidance: Stopping the Attack Cycle at Phase One
- AA23-025A
- 2023 Internet Crime Report
- NIST SP 800-53 — Security and Privacy Controls
- Cybersecurity and Infrastructure Security Agency
- CIS Critical Security Controls
- ISO/IEC 27001 — Information Security Management