A Deep Dive into Phishing Threats: Technical Interview with Hadi Baltagi

June 30, 2025
| Hadi Baltagi
| Ethical Hacking
Phishing is one of the most common ways a threat actor gains a first foothold in the cyber kill chain: it is used to obtain credentials and other sensitive information, or to deliver the payload that starts a ransomware attack. Depending on the nature, approach, and target, phishing is classified into several attack types. One of them is spear phishing, which uses personal information about the victim to deceive them into revealing sensitive data. To understand these attacks in depth, EC-Council’s CyberTalks team reached out to Hadi Baltagi, a certified ethical hacker and cybersecurity expert. In this interview he walks through the different types of phishing (deceptive phishing, spear phishing, whaling, smishing, and vishing) with real-world examples that highlight the psychological manipulation attackers rely on, explains how attackers gather information and what makes their tactics convincing, and describes the countermeasures individuals and organizations can take to defend against them.

For those new to cybersecurity, can you explain what spear phishing is?

Spear phishing, like traditional phishing, aims to extract sensitive information from a target, such as passwords, date of birth, or Social Security numbers, for malicious use. However, unlike generic phishing attacks, spear phishing is highly targeted. It uses specific details about the victim to increase the credibility of the message and improve the chances of success for the attacker.

Can you share some spear phishing examples?

One common example of a spear phishing attack involves a hacker posing as an employee of a reputable company that the victim uses the services of. The attacker might send an email claiming that the user’s account is about to be disabled and urging them to take immediate action, such as changing their password, making a payment, or adding funds. What makes this attack convincing is that the hacker already knows the target uses the mentioned services, making the request seem legitimate. The email may include personal details to increase credibility and trick the user into sharing sensitive information.

Why is spear phishing so compelling?
Spear phishing is particularly dangerous because it’s a highly personalized and targeted form of attack. Unlike generic phishing emails that begin with phrases like “Dear valued customer,” spear phishing messages often use the recipient’s real name and include personal information such as their date of birth, purchase history, etc. This familiarity lowers the recipient’s guard and builds false trust.

For instance, an attacker might write:
“Hi John, we noticed a recent payment of $245 on your PayPal account. Please verify this activity to avoid service disruption.”

Because it contains specific details, the user is more likely to believe it’s legitimate.

The success of spear phishing lies in its believability. Many users are unaware of how personalized these attacks can be and are unprepared to recognize them.
As a result, they are more likely to fall for these scams, clicking on malicious links or sharing sensitive information via email or SMS.

What methods do hackers use for spear phishing?

Hackers use a variety of methods to carry out spear phishing attacks. While email is the most common vector, attackers also leverage SMS (smishing), voice calls (vishing), and even direct messages on social media platforms like Instagram or LinkedIn. The primary goal remains the same: to trick the target into revealing sensitive information. Attackers may impersonate trusted contacts, company representatives, or service providers to build credibility. Because spear phishing can be executed through multiple communication channels and is highly tailored to the victim, it can be difficult to detect and defend against.

What are the best countermeasures against spear phishing?
The most critical countermeasure is verifying the sender’s identity before clicking any links or responding to a message. If you receive an email:

– Verify the sender’s address
– Check for typos or grammatical errors
– Confirm whether or not you were expecting the message

Always be cautious and only interact with messages from trusted, verified sources. Spear phishing is successful when attackers earn your trust—once that trust is established, it’s much easier for them to successfully carry out further phishing attacks. Staying vigilant and skeptical of unexpected or unusual messages is the best defense.

Can you throw some light on the different types of phishing?

There exist multiple types of phishing, the most common of which is the regular email phishing campaign that we call deceptive phishing. Deceptive phishing involves sending mass emails—potentially to 50,000 users—with messages like, “Dear valued customer, you need to change your PayPal password,” hoping some recipients fall for it. These campaigns typically see a 3–10% success rate, assuming the emails bypass spam filters.

Then you have spear phishing, a targeted campaign against a specific individual, where hackers use personal information that they know about that person to extract more sensitive information. For example, an attacker might approach someone on social media with a message like, “Hi, we noticed that you’re participating in the [xxxxxx] campaign. We’re a company that offers support for the same—click this link to learn more.” If the target clicks the link, they could unknowingly download malware or be prompted to enter their Instagram username and password. This method tends to be more effective because it uses personal information to quickly build trust with the victim.

Whaling is a more refined and specifically targeted form of spear phishing aimed at high-level individuals—commonly referred to as “whales”—such as CEOs, executives, or other senior leaders within a company.

If an attacker successfully compromises one of these individuals, for example, by gaining access to the CEO’s account, they can then impersonate that person to extract sensitive information from other employees. These high-value targets are often the focus of phishing campaigns because compromising them can provide admin-level access to critical systems across the organization.

Smishing also exists, which is a phishing attack carried out via SMS. For example, an attacker could send a fake two-factor authentication code for WhatsApp and then message the user saying, “You might have received this code by mistake. It was meant for me. Can you send it back?” Once the user sends the code, the attacker gains access to their WhatsApp, Instagram, or any other account protected by two-factor authentication. Attackers may also spoof messages pretending to be from a bank, prompting the user to click a malicious link to check their balance or reset their password, ultimately stealing their credentials.

Lastly, we have vishing, which is carried out over voice calls. For example, an attacker might call a mobile network company pretending to be you, requesting a change to your account information. If they successfully convince the representative, they could gain access to your SMS messages, call logs, or any personal data the organization holds. Most companies don’t perform strong verification checks over the phone, so if the attacker is persuasive enough, they could reset your account using just their voice.

Phishing is a huge concern for many. Why do you think that is?
Phishing is a major concern because no matter how much security you implement, regardless of your company’s size or the number of security professionals you employ, the weakest link is always the human element.
If an attacker wants access to something within your company, like your Slack Workspace or email system, they don’t necessarily need to go after your IT team. They might target someone in a department like marketing who may not have the technical knowledge needed to recognize and defend against phishing. If they compromise that person’s email account, they can access internal systems, read messages, and potentially move deeper into the network. Phishing is particularly dangerous because it exploits social elements and human vulnerability. That’s why it’s essential to train all employees, regardless of their role or department, to understand what phishing is and how to protect themselves against it.

How do phishers target their victims?

Phishers use multiple methods to target their victims. They may reach out through social media, email, SMS, or even phone calls. Sometimes, they gather personal information by calling companies to ask about you or by spoofing details like your Social Security number, phone number, or email address.
For example, if a hacker gains access to your social media account, they can use it to impersonate you and message your friends with malicious links. Since your friends believe it’s you, they’re more likely to trust the message, click the link, and unknowingly share their personal and sensitive information. This form of attack works because people trust communications that appear to come from someone they know.

For those concerned about phishing, what is the best defense against it?

Never share your password with anyone. If you need to change your password, always make sure you’re on the official website. For example, if you’re on Facebook, ensure the URL is facebook.com, and double-check for typos or slight misspellings that may go unnoticed, like “faceb00k.com” or “facebok.com.” Hackers often rely on these subtle errors to trick users.

When you receive an email that seems suspicious, such as an email asking you to reset your password or add money to your account, verify the sender’s address. Make sure it’s from a legitimate source, like [email protected], not [email protected] or another misspelled domain.

Pay attention to:

  • Typos or grammatical errors in the message
  • Unusual or mismatched links (hovering over links to see where they lead)
  • Sender details that don’t match the organization

If you’re unsure about a message or don’t trust the sender, don’t click any links or provide any personal information. Staying alert and verifying sources is the best defense against phishing campaigns.
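The checks recommended in the two countermeasure answers above (verify the sender’s address, hover over links to see where they really lead, and watch for look-alike domains such as faceb00k.com or facebok.com) can be done mechanically on a raw message. The script below is an added example written for this page, not code from the interview or from EC-Council. The TRUSTED_DOMAINS allow-list, the look-alike heuristics, the two-label registrable() shortcut and the sample message (modelled on the $245 PayPal lure quoted earlier) are all assumptions constructed for the demo.

```python
"""Added example (not from the interview): sender-address, link-target and
look-alike-domain checks applied to one raw e-mail.  TRUSTED_DOMAINS and the
sample message are constructed for this demo."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "facebook.com"}          # assumed brand allow-list
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))             # two-letter look-alikes
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def _strip_www(host):
    host = host.lower().strip(".")
    return host[4:] if host.startswith("www.") else host

def normalize(host):
    """Undo the substitutions behind names like faceb00k.com or rnicrosoft.com."""
    host = _strip_www(host).translate(_CONFUSABLE_CHARS)
    for fake, real in _CONFUSABLE_PAIRS:
        host = host.replace(fake, real)
    return host

def registrable(host):
    """Last two labels only (assumption: no public-suffix list, so co.uk is not handled)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; one edit away (facebok.com, paypall.com) is a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Trusted domain that `host` imitates, or None for a genuine or unrelated host."""
    if registrable(_strip_www(host)) in TRUSTED_DOMAINS:
        return None                                   # genuine, e.g. mail.paypal.com
    norm = normalize(host)
    if registrable(norm) in TRUSTED_DOMAINS:
        return registrable(norm)                      # faceb00k.com -> facebook.com
    brand_part = registrable(norm).split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # typo-squat, or the brand buried in a longer host (paypal.com.verify-account.example)
        if edit_distance(brand_part, brand) <= 1 or brand in norm:
            return trusted
    return None

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the 'hover over the link' check, automated."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def analyze(raw_email):
    """Return a list of human-readable findings for one raw message string."""
    msg = message_from_string(raw_email)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain!r} looks like {imitated!r}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_domain and registrable(reply_domain.lower()) != registrable(from_domain.lower()):
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    html = ""
    for part in msg.walk():                           # first text/html part, if any
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
            break
    extractor = _LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"Link to {host!r} looks like {imitated!r}")
        shown = _DOMAIN_IN_TEXT.search(text)          # does the visible text name a domain?
        if shown and registrable(shown.group(1).lower()) != registrable(host.lower()):
            findings.append(f"Link text shows {shown.group(1)!r} but points to {host!r}")
    return findings

# Constructed sample modelled on the "$245 PayPal payment" lure quoted in the interview.
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypa1.com>
Reply-To: verify@secure-login.example
To: john@example.org
Subject: Verify a recent payment of $245
Content-Type: text/html; charset=utf-8

<html><body><p>Hi John, we noticed a recent payment of $245 on your PayPal account.
Please <a href="http://paypal.com.verify-account.example/login">https://www.paypal.com/activity</a>
to avoid service disruption, or see <a href="https://www.paypal.com/help">PayPal Help</a>.
<a href="http://paypall.com/unsubscribe">Unsubscribe</a></p></body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("!", finding)
```

Run as a script it prints five findings for the sample: a look-alike From domain, a Reply-To that goes somewhere else, a link whose visible text says paypal.com but whose target is paypal.com.verify-account.example, and a typo-squatted paypall.com, while the genuine www.paypal.com/help link passes. The heuristics are deliberately the ones a reader can do by hand; a real mail gateway would add a public-suffix list, Unicode confusables (IDN homographs) and the SPF/DKIM/DMARC verdicts from the Authentication-Results header.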

Conclusion

Spear phishing is an increasingly sophisticated form of phishing that continues to exploit the human element, often the weakest link in an organization’s security posture. As with other phishing attacks, the goal is to earn the victim’s trust, using personal information, a familiar tone, or impersonation, and then extract sensitive data. With the spread of communication channels such as SMS, social media, and voice calls, phishing has diversified well beyond email. Hadi Baltagi, a certified ethical hacker and cybersecurity expert, urges caution against these variants and emphasizes that, despite advances in security technology, human vulnerability remains the most exploited entry point in the cyber kill chain. He points to awareness training, vigilance, and a culture of security as the essential defenses. Individuals should verify the authenticity of messages, check URLs and sender addresses carefully, and report suspicious communications; staying informed and cautious is the most effective defense against phishing and its many variants.

About the Interviewee

Hadi Baltagi is a Senior Software Engineer and CTO with nearly a decade of experience driving business growth through innovative tech solutions. With deep expertise in full-stack development and CEHv10-certified cybersecurity skills, he has led cross-functional teams to deliver scalable software and is passionate about aligning technology with strategic goals to deliver real-world impact.