A comprehensive interactive guide to understanding phishing attacks from the inside — build a complete phishing attack step by step to learn how to protect yourself and your organization.
This flow puts hands-on learning first: build a phishing scenario step by step, get your assessment, then return to the article for deeper institutional defense guidance.
In 2025, Verizon's DBIR revealed that 36% of data breaches involved phishing — making it the most common attack vector for the eighth consecutive year. But what's truly shocking is not the statistic itself — it's that 91% of cyberattacks begin with an email. One email. It passes through every firewall and protection system and reaches the weakest link directly: the human.
Saudi organizations are no exception. The National Cybersecurity Authority (NCA) classifies phishing among the highest risks in its annual reports. With the acceleration of digital transformation under Vision 2030, the attack surface has expanded enormously — more employees working remotely, more cloud systems, and greater reliance on email for official and financial transactions.
This article is not another theoretical guide about phishing. This is a hands-on lab. You will build a complete phishing attack from scratch — the attack vector, psychological trigger, sender identity, subject line, email body, and technical deception tricks. Not to attack anyone — but to understand exactly how attackers operate, why they succeed, and where the vulnerabilities they exploit lie.
Anatomy of a Phishing Attack — 7 Core Components: Every successful phishing attack consists of seven components working together as an integrated system. The first component is the Attack Vector — the specific type of phishing: credential harvesting, business email compromise (BEC), invoice fraud, fake delivery notification, IT security alert, prize scam, fake job offer, or QR phishing (quishing). Each vector targets a different demographic and exploits different behavior.
The second component is the Psychological Trigger — the tool attackers use to manipulate victims: urgency ("your account will be suspended in 24 hours"), authority ("from the CEO's office"), fear ("suspicious activity detected"), curiosity ("someone shared a document with you"), reward ("you have a refund"), or social proof ("your team has completed verification — you're the only one left"). Proofpoint's 2024 report confirms that fear and urgency messages achieve the highest click rates.
The third component is Sender Identity — the display name, organization name, and fake email address. A professional attacker doesn't use a random email — they craft one that looks familiar: security@riyadh-d1gital-bank.com (notice the digit 1 replacing the letter i). The fourth component is the Subject Line — the first thing the victim sees, determining whether they'll open the message. KnowBe4 research shows that subject lines containing words like "urgent," "security," and "verify" achieve 40% higher open rates.
The fifth component is the Email Body — the text that builds the story and pushes the victim toward clicking. Attackers use formal language, mention details that seem real (invoice numbers, department names, specific amounts), and end with one clear call-to-action (CTA) button. The sixth component is the Fake Link — technical tricks that hide the real destination: misleading subdomains, homoglyphs, URL shorteners, and HTML masking. The seventh component is the Landing Page — where the attacker actually steals the data.
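The sender-identity and fake-link tricks above are easy to describe and surprisingly easy to check for. The following defensive check is an added example, not code from the article: it flags digit-for-letter homoglyph domains like the riyadh-d1gital-bank.com address, a trusted brand name pushed into the subdomain of an unrelated domain, and URL shorteners. The trusted-domain and shortener lists are constructed for the example, and the registrable-domain guess is a crude last-two-labels heuristic rather than a public-suffix lookup.

```python
# Added defensive example (not the article's code): flag sender addresses and
# links built with homoglyphs, misleading subdomains, or URL shorteners.
from urllib.parse import urlparse

# Constructed list of domains the organisation treats as legitimate.
TRUSTED = ("riyadh-digital-bank.com", "example-corp.com")
# Constructed list of shortener hosts that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Look-alike folds; multi-character ones ('rn' -> 'm', 'vv' -> 'w') run first.
# Folding is lossy (l -> i) but is applied to both sides, so comparisons hold.
FOLDS = [("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"), ("0", "o"), ("3", "e"), ("5", "s")]

def fold(label: str) -> str:
    """Map common look-alike characters back to the letters they imitate."""
    label = label.lower()
    for lookalike, letter in FOLDS:
        label = label.replace(lookalike, letter)
    return label

def host_of(value: str) -> str:
    """Host part of an email address or URL, lower-cased."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    url = value if "://" in value else "http://" + value
    return (urlparse(url).hostname or "").lower()

def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def check(value: str) -> list:
    """Findings for one sender address or link; an empty list means nothing flagged."""
    host = host_of(value)
    base = registrable(host)
    findings = []
    if base in SHORTENERS:
        findings.append("url-shortener")
    if host in TRUSTED or base in TRUSTED:
        return findings  # genuine domain, or a real subdomain of one
    subdomain_labels = host.split(".")[:-2]
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if fold(base.split(".")[0]) == fold(brand):
            findings.append("lookalike-of:" + trusted)  # e.g. riyadh-d1gital-bank.com
        if any(brand in label for label in subdomain_labels):
            findings.append("brand-in-subdomain:" + trusted)  # e.g. brand.com.evil.net
    return findings
```

Run `check()` over every sender address and link extracted from an inbound message; any non-empty result is a reason to route the message to the reporting workflow rather than the user.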
The best way to learn how to protect yourself from phishing is to understand how it's built — not from books, but with your own hands.
Psychological Weapons — Why People Click: Phishing doesn't succeed because of technical weakness — it succeeds because of psychological brilliance. Attackers exploit six scientifically documented psychological principles. The urgency principle: when we feel time pressure, our critical thinking drops by 60% according to behavioral psychology studies. Attackers exploit this by adding short deadlines ("within one hour"). The authority principle: we naturally tend to comply with those we perceive as authority figures — SANS Institute documents that authority impersonation triples click rates.
The fear principle: threatening negative consequences (account closure, financial penalty, breach) disables logical thinking and triggers the "fight or flight" response. The curiosity principle: mystery stimulates the brain — "someone shared a document with you" exploits our innate desire to know. The reward principle: a promise of a prize or refund activates reward centers in the brain. The social proof principle: "your colleagues have completed verification" exploits our tendency to act like the group.
Attack Vectors — Deep Dive: Credential Harvesting is the most common type — a fake login page that looks identical to the original. Average click rate: 18%. Primarily targets banking, email, and HR systems. Business Email Compromise (BEC) targets employees in financial departments — FBI estimates BEC losses at $2.9 billion annually. Invoice fraud is rising with organizations' adoption of electronic payments — a change in vendor bank account is the number one red flag.
Fake delivery notifications exploit Saudi Arabia's growing e-commerce culture — 20% click rate. IT security alerts are the most dangerous — 25% click rate because they exploit the innate fear of being hacked. Fake prizes and rewards target the less aware — lower click rate (12%) but with direct financial damage. Fake job offers are a rising phenomenon with increased digital job searching — asking for "registration" fees or sensitive personal data. QR phishing (quishing) is an emerging threat — QR codes in emails bypass traditional URL filters because the filter cannot read image content.
This is where the interactive part begins — the Phishing Craft Lab. In the following seven steps, you will build a complete phishing attack. You'll select the attack vector and psychological trigger, craft the fake sender identity, write the subject line, fill in the email body, explore technical deception tricks, and receive a comprehensive assessment of your attack's effectiveness. The goal: to understand exactly what makes phishing work — because when you understand the attack, you can defend against it.
How to Defend — Technical and Human Controls: Defense against phishing requires multiple layers. The first layer is technical: enable DMARC, SPF, and DKIM on your email domains, which blocks 80% of the phishing emails that spoof your domain; deploy an advanced email gateway with link analysis and a URL sandbox; filter attachments to block executables and macros; and enforce multi-factor authentication (MFA) on all accounts, so that even a stolen password does not grant access.
The second layer is human — and it's the most important: run a continuous security awareness program rather than a single annual training; run periodic phishing simulations to measure awareness levels and identify the most vulnerable employees; build a "report, don't punish" culture in which employees who report suspicious messages are rewarded, not penalized; and require out-of-band verification for financial requests, such as a direct phone call to confirm any transfer request or change to payment details.
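Whether SPF and DMARC actually block spoofing depends on how the records are written, not just on whether they exist: an SPF record ending in ~all and a DMARC record with p=none only monitor. This added example (not the article's code) grades the two record types offline; the records are constructed samples of the kind you would retrieve with a TXT lookup for your own domain and _dmarc.yourdomain. The redirect= modifier and subdomain (sp=) policy are deliberately not handled.

```python
# Added defensive example (not the article's code): grade SPF and DMARC TXT
# records so that "monitoring only" is not mistaken for enforcement.

def grade_spf(record: str) -> str:
    """Return 'enforcing', 'soft', 'none', or 'invalid' for one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid"
    last = terms[-1].lower()
    if last == "-all":
        return "enforcing"  # hard fail: unlisted senders are rejected
    if last == "~all":
        return "soft"       # soft fail: most receivers still deliver
    return "none"           # +all, ?all, or no 'all' mechanism at all

def grade_dmarc(record: str) -> dict:
    """Parse a DMARC record into tags and decide whether it enforces."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))  # percentage of failing mail policy applies to
    return {
        "valid": tags.get("v") == "DMARC1" and policy in ("none", "quarantine", "reject"),
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject") and pct == 100,
        "reporting": "rua" in tags,  # aggregate reports show who spoofs you
    }
```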
Saudi Regulatory Context: The NCA's Essential Cybersecurity Controls (ECC) include specific controls for email protection and employee awareness. PDPL requires reporting data breaches within 72 hours — and a breach resulting from phishing is a reportable breach. SAMA's Cybersecurity Framework requires financial institutions to conduct periodic phishing simulations as part of their awareness program. Organizations without a documented security awareness program face increasing regulatory, financial, and reputational risks.
For Organizations — How to Run an Effective Phishing Simulation Program: Step one: establish a baseline — run a simulated phishing campaign on all employees without prior notice and measure the initial click rate. The global average: 17.8% (KnowBe4 2024). Step two: classify employees by risk — those who clicked twice or more need intensive training. Step three: launch monthly campaigns with diverse scenarios (BEC, delivery notifications, security alerts). Step four: measure progress — the goal: reduce click rate below 5% within 12 months. Step five: document everything — record campaigns, results, and training as compliance evidence for NCA and SAMA.
References: (1) Verizon DBIR 2025 — verizon.com/dbir. (2) Essential Cybersecurity Controls ECC — NCA. (3) KnowBe4 Phishing Report 2024 — knowbe4.com. (4) Proofpoint State of the Phish 2024. (5) FBI Internet Crime Complaint Center IC3 — Annual Report 2024. (6) Personal Data Protection Law PDPL — SDAIA. (7) SAMA Cybersecurity Framework.
Comparing eight phishing attack types — prevalence, difficulty, click rate, and detection rate
| Attack Vector | Prevalence | Difficulty | Click Rate | Detection Rate | Primary Target |
|---|---|---|---|---|---|
| Credential Harvesting | Very Common | Low | 18% | 60% | All users |
| BEC | Common | Medium | 22% | 40% | Finance teams |
| Invoice Fraud | Rising | Medium | 15% | 45% | Procurement/Accounting |
| Delivery Notification | Common | Low | 20% | 55% | Online shoppers |
| IT Security Alert | Common | Low | 25% | 50% | All employees |
| Prize Scam | Common | Low | 12% | 70% | Less aware users |
| Fake Job Offer | Rising | Medium | 14% | 35% | Job seekers |
| QR Phishing (Quishing) | Rare | High | 8% | 20% | Mobile users |
Cost calculator (interactive widget): How much could one click on a phishing link cost your organization? The widget's example figures are 5.0M, 3.8M, 1.3M, and 1.2M SAR.
💡 A single successful phishing attack can cost millions of SAR. Investing in awareness and phishing simulation programs saves multiples of their cost.