16 July 2025
Let’s be blunt: The most vulnerable part of any security system is the human being. No matter how advanced your tech stack is, all it takes is a single employee clicking a malicious link or opening an infected attachment—and your entire infrastructure is compromised.
Attackers know this. That’s why social engineering techniques keep evolving. With the rise of AI, it’s becoming harder than ever to detect fraud.
Phishing remains the most common entry point. But attackers are also leveraging fake phone calls, SMS messages, and increasingly, deepfake technology—using fabricated voice recordings or videos to impersonate executives and trick employees into transferring funds or handing over credentials.
It’s the combination of AI, emotional manipulation, and authority that makes these attacks so effective nowadays.
The only reliable defense against social engineering is awareness. A well-trained employee who can spot a phishing email or recognize red flags is your best protection against real-world attacks.
One of our clients wanted to see just how resilient their organization really was. The results were eye-opening.
The client asked us to run a simulated phishing campaign targeting three layers of defense:
Employee awareness of social engineering tactics
Configuration of the company’s email infrastructure
Responsiveness of the internal SOC team
To do this, we deployed a blended phishing and vishing campaign—emails and phone calls, engineered to feel authentic. With over a decade of real-world experience, our team knows exactly how attackers operate. And we replicated their tactics with surgical precision.
We registered a domain almost identical to the client’s and used it to create:
A fake login page, visually indistinguishable from the client’s real site
Four fraudulent email accounts
A spoofed email template, designed to look like an internal message
We were provided a list of 50 employees. Using OSINT (Open-Source Intelligence), we gathered publicly available information about them—from company websites to social media.
This allowed us to craft highly personalized attack scripts. We then:
Used a spoofing service to mask our caller ID as internal IT
Wrote realistic call scenarios designed to build trust and urgency
During the campaign, our team called the targets posing as IT support. The goal was to convince them to take risky actions—such as running a malicious command or providing sensitive data.
While speaking on the phone, we sent them follow-up phishing emails from spoofed addresses, reinforcing the illusion that the request was legitimate.
“A large number of employees still open phishing emails—which leads to real consequences. In fact, 58% of organizations experienced account takeovers in 2023, and 79% of those began with credentials stolen via phishing,”
— Tomáš Zatko, CEO, Citadelo
The goal was to get employees to click a malicious link and enter their credentials—or, in more advanced cases, execute potentially harmful commands on their endpoint.
Even though the company had undergone similar training before, many employees still took the bait.
Out of the 50 employees we targeted, 36% followed our instructions far enough to execute a dangerous command. Let that sink in: more than one in three.
And it only takes one.
Overall risk level for employee awareness: Critical
The client had a reasonably solid email security setup. Their mail servers were configured to check domain reputation, SPF/DKIM settings, and content heuristics.
Still, we successfully delivered spoofed phishing emails into inboxes.
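The check the mail layer described above was missing, added here as an example that is not the client's or Citadelo's code: SPF and DKIM only confirm that a message really came from the domain it names, so a lookalike domain the attacker registered and configured passes both checks cleanly. The triage below therefore also measures the sender domain's edit distance from the company's own domain; COMPANY_DOMAIN and both sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical defender's domain for this example (placeholder, not the client's).
COMPANY_DOMAIN = "example-corp.com"

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def auth_results(msg) -> dict:
    """Extract the spf= and dkim= verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim)=(\w+)", header, re.I)}

def is_lookalike(domain: str, company: str = COMPANY_DOMAIN, max_dist: int = 2) -> bool:
    """A registered domain within a few edits of ours is a lookalike, not ours."""
    return domain != company and levenshtein(domain, company) <= max_dist

def triage(raw_message: str) -> str:
    """Classify a raw message: 'lookalike-domain', 'internal', 'auth-fail' or 'external'."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if is_lookalike(domain):
        # Attacker-owned domain: SPF/DKIM pass because the attacker set them up for it.
        return "lookalike-domain"
    if domain == COMPANY_DOMAIN:
        auth = auth_results(msg)
        ok = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
        return "internal" if ok else "auth-fail"
    return "external"

# Constructed samples (not real traffic): a lookalike domain that passes both checks,
# and a forged From: on the real domain that fails SPF at the receiving server.
LOOKALIKE_MAIL = """From: IT Support <it-support@examp1e-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=pass header.d=examp1e-corp.com
Subject: Action required: verify your account"""
FORGED_MAIL = """From: IT Support <helpdesk@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none
Subject: Password reset"""
```

The lookalike message is the one that reputation, SPF and DKIM checks wave through; only the distance check catches it, which is why a lookalike-domain rule belongs beside the authentication checks rather than being replaced by them.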
Overall risk level for the email infrastructure: Medium
The company had a dedicated Security Operations Center (SOC) in place. Its job is to detect and mitigate exactly these kinds of threats.
Despite that, we were able to reach multiple employees and guide them into unsafe actions without triggering a meaningful response in time.
Overall risk level for SOC responsiveness: Medium
Attacks like this are preventable—but only with consistent training, simulation, and audits.
No firewall or filter can replace an employee who knows what to look for and how to report suspicious activity. Those few seconds of hesitation can stop a breach in its tracks and give your security team time to act.
Cyberattacks are getting more sophisticated. So should your defenses. The most effective protection isn’t just more tech—it’s building a culture of security awareness that includes every employee, not just the IT team.
If your organization is ready to put its defenses to the test—or raise them to a new level—Tomáš Horváth is here to help.
We’d like to thank our client for allowing us to share this anonymized case study. Education is the most powerful tool we have in cybersecurity, and real stories like this one help others stay one step ahead.