Phishing and Social Engineering Targeting Identity
Phishing and social engineering attacks that target identity are the dominant initial access vector in credential-driven breaches of US organizations. Rather than exploiting software flaws, they exploit human trust and procedural gaps to extract authentication credentials, bypass multi-factor authentication, or impersonate legitimate users inside identity infrastructure. This page covers the defining characteristics of identity-focused social engineering, the mechanisms attackers use, the most prevalent attack scenarios, and the classification boundaries that separate distinct attack types.
Definition and scope
Phishing and social engineering, as they relate to identity security, encompass deceptive techniques designed to manipulate individuals into surrendering credentials, approving fraudulent authentication requests, or disclosing account recovery information. The Cybersecurity and Infrastructure Security Agency (CISA) classifies phishing as one of the primary tactics enabling unauthorized access to organizational systems (CISA Phishing Guidance).
The scope of identity-targeting attacks extends beyond simple credential harvesting emails. NIST SP 800-63B (Digital Identity Guidelines) frames identity assurance in terms of authenticator binding and verification, against which social engineering represents a bypass mechanism that circumvents technical controls by attacking the human layer (NIST SP 800-63B). Attacks within this scope include:
- Credential phishing — fake login portals capturing usernames and passwords
- MFA bypass phishing — real-time relay or push-notification fatigue attacks
- Vishing (voice phishing) — telephone-based impersonation targeting help desk or IT staff
- Smishing — SMS-based lures directing targets to malicious identity-harvesting pages
- Pretexting — fabricated scenarios used to extract account details or initiate account recovery processes
- Business Email Compromise (BEC) — identity impersonation of executives or vendors to authorize fraudulent transactions
The FBI Internet Crime Complaint Center (IC3) recorded BEC losses of $2.9 billion in 2023, second only to investment fraud among loss categories in the IC3 dataset (IC3 2023 Internet Crime Report).
How it works
Identity-focused social engineering follows a recognizable operational sequence regardless of delivery channel. The attack lifecycle maps consistently to the following five phases:
- Reconnaissance — Attackers gather target-specific identity data from public directories, LinkedIn profiles, corporate websites, and prior breach databases. This phase informs the credibility of the lure and the accuracy of impersonation.
- Lure construction — A pretext is assembled — a spoofed login portal, a fabricated IT helpdesk request, or a cloned corporate email domain — tailored to the target's role, organization, and expected communications.
- Delivery — The lure is delivered via email, SMS, voice call, or increasingly through collaboration platforms such as Microsoft Teams or Slack, where organizational identity is already implicitly trusted.
- Credential capture or authentication bypass — In real-time adversary-in-the-middle (AiTM) phishing, the attacker's page is a reverse proxy to the legitimate login service: the victim completes the password and MFA prompts against the real service, and the proxy captures the resulting session cookie or token, so the MFA step protects nothing. This bypass is why CISA does not count TOTP, SMS or push-notification MFA as phishing-resistant (CISA Phishing-Resistant MFA Fact Sheet).
- Persistence establishment — Captured credentials or session tokens are used to register attacker-controlled authenticators, modify account recovery settings, or establish federated identity trust relationships, as tracked in identity threat detection and response frameworks.
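The persistence phase leaves a trail that identity threat detection can correlate. The following is an added example, not code from the original page: it pairs each security-info registration in a constructed Entra ID-style audit export with the most recent successful sign-in in the preceding hour and flags the pair when that sign-in's IP never appeared in the user's 30-day baseline. The field names (`time`, `user`, `ip`, `result`, `operation`), the activity names chosen, and every sample record are assumptions of the example, not the page's data.

```python
"""Added example: flag an authenticator registration that follows a sign-in
from an IP address the user had never authenticated from before. Record
shapes loosely resemble Entra ID SignInLogs / AuditLogs exports; mapping a
real export onto these field names is an assumption of this example."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data. IPs are RFC 5737 documentation addresses.
# `result` mirrors Entra's ResultType: 0 is success, 50126 is invalid credentials.
SIGNIN_LOG = """\
{"time":"2024-03-01T08:15:00Z","user":"alice@example.com","ip":"203.0.113.10","result":0}
{"time":"2024-03-02T08:40:00Z","user":"alice@example.com","ip":"203.0.113.10","result":0}
{"time":"2024-03-03T09:10:00Z","user":"bob@example.com","ip":"203.0.113.20","result":0}
{"time":"2024-03-05T09:02:00Z","user":"alice@example.com","ip":"198.51.100.77","result":0}
{"time":"2024-03-05T09:30:00Z","user":"bob@example.com","ip":"203.0.113.20","result":0}
{"time":"2024-03-05T10:05:00Z","user":"carol@example.com","ip":"203.0.113.30","result":50126}
"""
AUDIT_LOG = """\
{"time":"2024-03-05T09:14:00Z","user":"alice@example.com","operation":"User registered security info","detail":"Microsoft Authenticator app"}
{"time":"2024-03-05T09:41:00Z","user":"bob@example.com","operation":"User registered security info","detail":"Phone"}
{"time":"2024-03-05T10:20:00Z","user":"carol@example.com","operation":"User changed default security info","detail":"Phone"}
"""

# Audit activity names that change what can authenticate to or recover the account.
REGISTRATION_OPS = {
    "User registered security info",
    "User changed default security info",
}


def load(text: str) -> list:
    """Parse newline-delimited JSON records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_registrations(signins, audits,
                             window=timedelta(minutes=60),
                             baseline=timedelta(days=30)) -> list:
    """For each registration event, take the user's most recent successful
    sign-in inside `window` and flag it when its IP does not appear in that
    user's successful sign-ins during `baseline` before it. A registration with
    no correlated sign-in is skipped here; in production it deserves its own
    lower-severity alert rather than silence."""
    findings = []
    for event in audits:
        if event["operation"] not in REGISTRATION_OPS:
            continue
        reg_time = ts(event["time"])
        user_success = [s for s in signins
                        if s["user"] == event["user"] and s["result"] == 0]
        recent = [s for s in user_success
                  if reg_time - window <= ts(s["time"]) <= reg_time]
        if not recent:
            continue
        trigger = max(recent, key=lambda s: ts(s["time"]))
        trigger_time = ts(trigger["time"])
        prior_ips = {s["ip"] for s in user_success
                     if trigger_time - baseline <= ts(s["time"]) < trigger_time}
        if trigger["ip"] not in prior_ips:
            findings.append({
                "user": event["user"],
                "registration": event["time"],
                "operation": event["operation"],
                "signin_ip": trigger["ip"],
                "minutes_after_signin": int((reg_time - trigger_time).total_seconds() // 60),
                "prior_ips": sorted(prior_ips),
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_registrations(load(SIGNIN_LOG), load(AUDIT_LOG)):
        print(json.dumps(finding))
```

On the sample data only alice is flagged: bob registers from the IP he has always used, and carol's preceding sign-in failed, so no successful session could have driven her change. The IP baseline is the simplest possible feature; a deployment would add ASN, country and device-compliance state to the same correlation.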
The distinguishing operational feature of identity-targeting attacks is the exploitation of identity verification workflows themselves — attackers do not defeat cryptographic controls; they manipulate the humans and processes that administer them.
Common scenarios
Spear phishing against privileged accounts — Attackers target administrators with access to identity management consoles, Active Directory, or privileged access management systems. A spoofed internal IT communication requests credential verification or MFA re-enrollment, granting the attacker elevated access.
Help desk vishing — Social engineers call IT support desks impersonating an employee, supply reconnaissance-gathered personal details to pass identity verification, and request a password reset or MFA re-enrollment. The CISA and FBI joint advisory AA23-279A documents this as a core Scattered Spider technique (CISA AA23-279A); the group's widely reported September 2023 intrusion at MGM Resorts International is the best-known instance.
AiTM phishing for session token theft — Rather than capturing static passwords, attackers deploy reverse-proxy phishing kits that relay authentication in real time, capturing post-MFA session cookies. This bypasses TOTP and push-based MFA implementations that do not use phishing-resistant authenticators such as FIDO2/WebAuthn, as specified in NIST SP 800-63B.
Vendor and third-party impersonation — Attackers impersonate a trusted vendor identity to initiate OAuth application consent grants or federated identity configurations within the target's environment, a vector relevant to third-party and vendor identity risk programs.
Account recovery exploitation — Attackers use knowledge-based authentication (KBA) answers derived from public social media data to trigger self-service password resets, bypassing primary authentication entirely.
Decision boundaries
Distinguishing between attack categories determines which controls apply and which regulatory frameworks govern response obligations.
Phishing vs. pretexting: Phishing relies primarily on a technical lure (a malicious link, attachment or login page) and captures credentials without the attacker interacting with the victim in real time. Pretexting relies on a fabricated narrative delivered interactively, typically by voice or live messaging, to talk a human operator into taking an action. Both target identity, but pretexting exploits gaps in procedural identity verification rather than weaknesses in the technical platform.
Generic phishing vs. spear phishing: Generic phishing campaigns distribute identical lures at scale, relying on volume to produce credential captures. Spear phishing is targeted, using reconnaissance data to craft role-specific or individual-specific lures. The MITRE ATT&CK framework (Technique T1566) formally subdivides phishing into spearphishing attachment (T1566.001), spearphishing link (T1566.002), and spearphishing via service (T1566.003) (MITRE ATT&CK T1566).
Phishing-resistant vs. phishing-susceptible MFA: AiTM proxies defeat TOTP, SMS and push-notification MFA because none of those factors is bound to the origin the user is actually interacting with; a code or approval produced on the phishing page is equally valid when the proxy forwards it to the real service. An attack is stopped at this boundary only when the target has deployed phishing-resistant authenticators, FIDO2/WebAuthn or PKI-based smart cards, which cryptographically bind each authentication to the legitimate origin so that a challenge relayed through an attacker's domain fails verification. CISA's Phishing-Resistant MFA guidance formally defines this boundary (CISA Phishing-Resistant MFA Fact Sheet).
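The following added example (not part of the original page) makes this boundary concrete for the AiTM session-token scenario under Common scenarios and for the classification here: a proxy relays an RFC 6238 TOTP code unchanged, while the WebAuthn relying-party check rejects an assertion whose clientDataJSON carries the proxy's origin. The origins, RP ID, keys and challenge are constructed, and HMAC-SHA256 with a shared key stands in for the credential's ECDSA signature so the block runs on the standard library alone; the origin check itself is the one the WebAuthn specification mandates.

```python
"""Added example: why an AiTM reverse proxy relays a TOTP code but cannot relay a
WebAuthn assertion. HMAC-SHA256 with a shared key stands in for the credential's
ECDSA private-key signature (an assumption to keep this standard-library only);
the origin check it demonstrates is the one the WebAuthn spec requires."""
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                           # assumed relying party ID
LEGIT_ORIGIN = "https://login.example.com"      # assumed real login origin
PHISH_ORIGIN = "https://login.example-com.net"  # assumed attacker proxy origin
TOTP_SECRET = b"12345678901234567890"           # RFC 6238 Appendix B test-vector seed
CRED_KEY = b"\x42" * 32                         # constructed stand-in for a credential key


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The output is a bare number: nothing in it
    records which web origin the user typed it into, so a proxy can forward it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def rp_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The RP only checks the code against its clock; the origin never enters."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(key: bytes, challenge: bytes, page_origin: str, rp_id: str) -> dict:
    """What the browser and authenticator do on whatever page the user is on.
    The browser, not the page script, writes `origin` into clientDataJSON, and
    the authenticator signs authenticatorData || SHA-256(clientDataJSON).
    A real browser would already refuse on the phishing page because `rp_id`
    is not a registrable suffix of that host; the RP-side check is the second,
    independent barrier, so it is allowed to proceed here to show that check."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x01"  # flags: UP set; sign counter 1
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": auth_data,
        "signature": hmac.new(key, to_sign, hashlib.sha256).digest(),
    }


def rp_verify_webauthn(key: bytes, assertion: dict, challenge: bytes,
                       expected_origin: str, rp_id: str) -> tuple:
    """Relying-party checks in the order the WebAuthn spec lists them:
    type, challenge, origin, rpIdHash, and only then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch"
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def simulate_aitm(page_origin: str) -> tuple:
    """The proxy forwards the RP's real challenge to the victim's browser on
    `page_origin` and forwards whatever comes back.
    Returns (totp_relay_succeeded, webauthn_relay_succeeded, rp_reason)."""
    now = 1_700_000_000            # constructed fixed clock
    challenge = b"\x11" * 32       # constructed; a real RP draws this at random
    code = totp(TOTP_SECRET, now)  # what the victim reads from the authenticator app
    totp_ok = rp_verify_totp(TOTP_SECRET, code, now)
    assertion = browser_get_assertion(CRED_KEY, challenge, page_origin, RP_ID)
    webauthn_ok, reason = rp_verify_webauthn(CRED_KEY, assertion, challenge, LEGIT_ORIGIN, RP_ID)
    return totp_ok, webauthn_ok, reason


if __name__ == "__main__":
    print("through proxy:", simulate_aitm(PHISH_ORIGIN))  # (True, False, 'origin mismatch')
    print("direct:       ", simulate_aitm(LEGIT_ORIGIN))  # (True, True, 'ok')
```

The asymmetry is entirely in what gets signed: the TOTP code carries no statement about where it was entered, whereas the WebAuthn signature covers a hash of clientDataJSON, so the relying party can refuse an assertion minted on the wrong origin without any knowledge of the phishing kit.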
Identity-targeted vs. endpoint-targeted social engineering: Some social engineering attacks prioritize malware delivery over credential theft. The classification boundary lies in the primary objective: identity attacks seek authentication material or account control, while endpoint attacks seek code execution. The overlap occurs when credential theft follows endpoint compromise — a sequence tracked under credential theft and account takeover frameworks.
Regulatory framing for identity-targeted phishing intersects the FTC Safeguards Rule (16 C.F.R. Part 314) for financial institutions, HIPAA Security Rule provisions under 45 C.F.R. § 164.308(a)(5) requiring security awareness training for covered entities, and the NIST Cybersecurity Framework 2.0 Protect function, which maps phishing defense to the PR.AT (Awareness and Training) and PR.AA (Identity Management, Authentication, and Access Control; PR.AC in CSF 1.1) categories (NIST CSF 2.0).
References
- CISA Phishing Guidance
- CISA Advisory AA23-279A — Scattered Spider
- CISA Advisory AA23-187A — AiTM Phishing
- CISA Phishing-Resistant MFA Fact Sheet
- NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management
- NIST Cybersecurity Framework 2.0
- MITRE ATT&CK Technique T1566 — Phishing
- FBI IC3 2023 Internet Crime Report
- FTC Safeguards Rule — 16 C.F.R. Part 314
- [HHS