We all like to think we have a good handle on cybersecurity awareness, right? After all, we have all done our training in how not to reuse passwords, to think before we click, and to report dodgy-looking emails the moment they land.
In truth, however, there is always room for risk: no matter how much training we do and knowledge we acquire, there is always a risk that the scammers may be smarter - and this is why we need to be one step ahead.
To help, we decided to dive into the mind of a phisher - read on to gain an insight into how they think, what they plan, and the seeds that they plant: having an insider understanding will help you to boost your awareness, and keep your company safe. Sometimes, the best way to beat a phishing scammer is to think like a phisher - and not like a phish.
It’s 8:00 AM. While you’re scrolling through LinkedIn with your morning coffee, so is our cybercriminal: but for very different reasons.
They’re building their target list.
“Ah, Sarah from Finance just posted about attending a procurement event. Perfect. I’ll pose as a vendor following up.”
Phishers don’t always cast wide nets anymore - instead, they can home in on a single individual with laser focus. Unlike traditional phishing, which sends generic bait to thousands in the hope that someone bites, spear-phishing is highly targeted. The attacker researches specific individuals or roles, often using social media, company websites, or even press releases, to craft convincing messages tailored to their routines, responsibilities, and even relationships. It’s personal, precise, and far more effective.
Social engineers now build detailed profiles, finding out who handles payments, HR systems, or CEO calendars. Public info, employee posts, and even job adverts can be weaponised - and being aware of how this data is gathered and used is crucial.
Having identified a target, the time has come for our cybercriminal to craft their attack - and here, the devil is in the detail.
There was a time when scammers and phishers were easily identified by their crude spelling and obvious mistakes - think “Urgent Mesage From Your BOSS!!!” or “Click here to claim ur prize” - but times have changed, and the bad guys have got smarter. Rather than give themselves away with spelling and grammatical errors, today’s phishers are patient, polished, and professional. They know how to mimic your company’s tone of voice, replicate internal communication styles, and forge legitimate-looking branding. More importantly, they are prepared to take their time writing a believable, personalised email, perhaps even spoofing an internal domain or registering a lookalike domain that differs from yours by a single character.
They might use:
And it’s not just email anymore. Phishing has evolved into a multi-channel threat. Attackers now use:
Each channel is another door into your organisation—and the phisher only needs one to open.
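Spoofed and lookalike sender domains are one of the few parts of a polished phish that can be checked mechanically. The script below is an added example written for this article, not code from the original page or from Bob’s Business: it classifies the domain in a sender address as trusted, lookalike, or external against an assumed internal domain (`example.com` here; the sample addresses are constructed). It catches the common tricks: homoglyph swaps such as `rn` for `m` or `1` for `l`, the real domain reused as a subdomain of an attacker-controlled host, the brand name reused in a hyphenated domain, punycode labels, and domains within a small edit distance of the real one.

```python
"""Flag sender domains that impersonate an internal domain.

Added example, not code from the original article or from Bob's Business.
The trusted domain 'example.com', the thresholds and the sample addresses
below are constructed assumptions for the demonstration.
"""
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}   # assumption: the organisation's own domain
MAX_EDIT_DISTANCE = 2               # keep small: short trusted domains would over-match

# Character swaps attackers use because they look alike in many fonts.
# "rn" -> "m" must run before single-character swaps.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain):
    """Lower-case, strip a trailing dot and undo common homoglyph substitutions."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Extract the domain from 'Name <user@host>' or 'user@host'; '' if absent."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From address."""
    domain = sender_domain(address)
    if not domain:
        return "invalid"
    # Exact domain or a genuine subdomain of it (mail.example.com).
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    # Any punycode label (xn--...) in a domain that is not ours is suspicious.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "lookalike"
    for t in trusted:
        t_norm = normalise(t)
        d_norm = normalise(domain)
        # Homoglyph spoof: exarnple.com, examp1e.com
        if d_norm == t_norm or d_norm.endswith("." + t_norm):
            return "lookalike"
        # Our domain used as a subdomain of the attacker's: example.com.invoices-portal.net
        if t in domain:
            return "lookalike"
        # Brand name reused as its own label or hyphenated part: secure-example.com, example-com.net
        brand = t.split(".")[0]
        if re.search(r"(^|[.-])" + re.escape(brand) + r"([.-]|$)", domain):
            return "lookalike"
        # Typosquat within a few edits: exampel.com
        if levenshtein(domain, t) <= MAX_EDIT_DISTANCE:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample From addresses for a quick run.
    samples = [
        "Sarah <sarah@example.com>",
        "hr@mail.example.com",
        "it-helpdesk@examp1e.com",
        "ceo@exarnple.com",
        "vendor@example.com.invoices-portal.net",
        "billing@exampel.com",
        "it@xn--exmple-cua.com",
        "alice@partner-corp.net",
    ]
    for s in samples:
        print(f"{classify_sender(s):10} {s}")
```

The edit-distance threshold is deliberately small; with a short trusted domain, a distance of 2 will also match unrelated legitimate domains, so tune it to your own domain length and treat “lookalike” as a reason to look harder, not as proof of fraud.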
With a coffee in hand, our phisher has now gathered key information on Sarah, including her role, her department, and even her direct manager’s name. With just enough detail to sound credible, the attacker is ready to launch a vishing (voice phishing) attack.
They pick up the phone and call Sarah, posing as the IT helpdesk - or, in some cases, even the company’s CEO.
“Hey, this is Mark from IT. We’re rolling out a new remote login system; can you help me test it? I’ll just need your credentials to simulate a user login.”
It’s calm, casual, and all too convincing. It is important to note that the phisher in this case isn’t relying on scare tactics; instead, they’re counting on something more subtle and far more powerful: human behaviour.
They know that people like Sarah are often eager to be helpful, especially when they think they’re assisting a colleague. Or, if the call seems to come from someone senior, there’s the added pressure of hierarchy, and the natural instinct we all have to comply when a "boss" is asking for support. Add in a dash of stress, distraction, or urgency, and it becomes even easier to bypass rational scrutiny.
Psychology is the payload, not malware.
The goal isn’t to break systems—it’s to break trust, and to make the victim feel like sharing credentials is the reasonable, even expected, thing to do.
By now, Sarah has handed over her password, and one compromised credential opens the door. It is time for the attacker to make their move: they can read internal email, escalate privileges, or potentially deploy ransomware. If Multi-Factor Authentication (MFA) is enabled with push notifications, they may launch an MFA fatigue attack, signing in again and again so the target is bombarded with approval prompts until they finally accept one, simply to make it stop.
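MFA fatigue leaves a recognisable trace in authentication logs: a burst of push prompts for one user, most of them denied or timed out, ending with a single approval. The detection below is an added example written for this article, not code from the original page or from Bob’s Business. It assumes a simple JSON-lines log format (fields `ts`, `user`, `event`, `result`, `ip`), constructed here along with the sample lines; the window and prompt-count thresholds are assumptions to tune against your own identity provider’s logs.

```python
"""Detect MFA push-fatigue (push bombing) in authentication logs.

Added example, not code from the original article or from Bob's Business.
The log format, the thresholds and the sample lines are constructed for the
demonstration; map the field names to your identity provider's export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: look back this far from an approval
MIN_PROMPTS = 5                  # assumption: prompts in the window that count as a burst

# Constructed sample log: sarah is bombarded and eventually approves,
# bob approves a single normal prompt, dave denies three and never approves.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:01:00Z", "user": "dave",  "event": "mfa_push", "result": "denied",   "ip": "198.51.100.7"}
{"ts": "2024-05-01T08:01:40Z", "user": "dave",  "event": "mfa_push", "result": "denied",   "ip": "198.51.100.7"}
{"ts": "2024-05-01T08:02:10Z", "user": "sarah", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.9"}
{"ts": "2024-05-01T08:02:30Z", "user": "dave",  "event": "mfa_push", "result": "timeout",  "ip": "198.51.100.7"}
{"ts": "2024-05-01T08:02:45Z", "user": "sarah", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.9"}
{"ts": "2024-05-01T08:03:00Z", "user": "bob",   "event": "mfa_push", "result": "approved", "ip": "192.0.2.44"}
{"ts": "2024-05-01T08:03:30Z", "user": "sarah", "event": "mfa_push", "result": "timeout",  "ip": "203.0.113.9"}
{"ts": "2024-05-01T08:04:05Z", "user": "sarah", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.9"}
{"ts": "2024-05-01T08:05:20Z", "user": "sarah", "event": "mfa_push", "result": "denied",   "ip": "203.0.113.9"}
{"ts": "2024-05-01T08:06:02Z", "user": "sarah", "event": "mfa_push", "result": "approved", "ip": "203.0.113.9"}
{"ts": "2024-05-01T08:06:05Z", "user": "sarah", "event": "login",    "result": "success",  "ip": "203.0.113.9"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_push_fatigue(events, window=WINDOW, min_prompts=MIN_PROMPTS):
    """One alert per approval that closes a burst of >= min_prompts push prompts
    within `window`, at least one of which was denied or timed out."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "mfa_push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        for i, p in enumerate(pushes):
            if p["result"] != "approved":
                continue
            burst = [q for q in pushes[: i + 1] if p["ts"] - q["ts"] <= window]
            rejected = [q for q in burst if q["result"] in ("denied", "timeout")]
            if len(burst) >= min_prompts and rejected:
                alerts.append({
                    "user": user,
                    "prompts": len(burst),
                    "rejected_before_approval": len(rejected),
                    "first_prompt": burst[0]["ts"].isoformat(),
                    "approved_at": p["ts"].isoformat(),
                    "source_ips": sorted({q["ip"] for q in burst}),
                })
    return alerts


if __name__ == "__main__":
    for a in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(json.dumps(a))
```

A user who denies a handful of prompts and never approves (dave above) is worth a friendly call from the helpdesk but is not an alert here; the high-confidence signal is the approval that ends the barrage, which is the moment the attacker gets in.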
Alternatively, the attacker might go quiet, sitting in inboxes or shared drives, gathering information and biding their time. The plan could be to launch a Business Email Compromise (BEC) or initiate a large-scale data theft when you least expect it.
Sometimes the phisher strikes fast - but sometimes, they’re in it for the long game, watching communications and learning internal rhythms. They’ll wait days or even weeks, carefully planning the right moment to execute a big-money transfer or extract sensitive data. Meanwhile, employees continue their work, blissfully unaware that a successful social engineering attack doesn’t feel like an attack at all: until it’s far too late.
Phishing may be a growing threat, but there’s good news - knowledge is power, and with the right awareness and tools, you can protect yourself and your organisation from attack. By understanding how attackers operate and recognising their subtle tactics, you’ll be in a much stronger position to spot suspicious activity and defend against potential threats.
At Bob’s Business, we’re here to help you stay one step ahead. Our tailored training and courses equip you and your team with the knowledge and skills to spot phishing attempts and avoid becoming a victim. Don’t wait for the next attack - take action now to ensure your company’s cybersecurity is stronger than ever.
Don’t end up like Sarah. Contact us today and empower your team to recognise, resist, and respond to phishing attacks with confidence.
Whether you’re looking for complete culture change, phishing simulations or compliance training, we have solutions that are tailor-made to fit for your organisation.