Phishing and Social Engineering
Attacking the Human Layer
No matter how mathematically perfect an encryption algorithm is, it becomes completely worthless if the user voluntarily hands their password to an attacker. Social engineering attacks exploit human psychology rather than mathematical weaknesses. Phishing, the most prevalent form, involves sending deceptive emails, text messages, or websites that impersonate trusted entities to trick victims into revealing their credentials or clicking malicious links.
Modern phishing campaigns are extraordinarily sophisticated. Attackers clone legitimate websites pixel-for-pixel, register lookalike domains (like 'g00gle.com' or 'paypa1.com'), and craft urgent messages that trigger emotional responses. Spear phishing targets specific individuals using personal information harvested from social media and data breaches. Business Email Compromise (BEC) attacks impersonate executives to authorize fraudulent wire transfers, causing billions of dollars in losses annually.
The most robust technical defense against phishing is hardware-bound authentication like FIDO2/WebAuthn passkeys. Because passkeys are cryptographically bound to the exact domain they were registered on, they physically cannot be tricked into authenticating on a fake website. Even if a user clicks a phishing link and lands on a perfect clone, their passkey will silently refuse to respond because the domain does not match.
Everyday Example
Imagine receiving a phone call from someone claiming to be your bank, saying your account has been compromised and you need to 'verify' your PIN immediately. The caller sounds professional, knows your name, and creates panic. In reality, your bank would never ask for your PIN over the phone. The attacker is exploiting urgency and authority to override your rational thinking. That manipulation is exactly what phishing emails do at massive scale.
The Deep Mathematics
FIDO2 authentication binds each credential cryptographically to the RP ID (Relying Party Identifier, essentially the domain). During registration, the authenticator generates a keypair (sk, pk) and associates it with rpId = SHA-256(origin). During authentication, the authenticator recomputes rpId from the origin that is actually requesting the assertion, not from anything the page displays, and refuses to sign if SHA-256(requesting_origin) ≠ stored_rpId. Because this check runs inside the authenticator on the real origin, the origin binding provides mathematical certainty that credentials cannot be phished, regardless of how convincing the fraudulent interface appears.
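A small model of that check, added here as an example and not giovium's code or any WebAuthn implementation: a toy authenticator stores a credential under the SHA-256 hash of the domain it was registered on and refuses to produce an assertion when the lookalike 'paypa1.com' from above asks for it, while the relying party separately verifies that the signed rpIdHash and the origin match its own. Stdlib only, so the keypair is replaced by a per-credential HMAC secret (an assumption: the 'signature' is a symmetric stand-in for the real asymmetric one); the domains, credential and challenge are constructed.

```python
import hashlib, hmac, json, os, struct
from urllib.parse import urlparse

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()  # hash of the RP ID (domain), stored with the credential

class ToyAuthenticator:
    # Constructed model: a per-credential HMAC secret stands in for the (sk, pk) keypair.
    def __init__(self):
        self._creds = {}   # rpIdHash -> (credential_id, secret)
        self.sign_count = 0

    def register(self, rp_id: str):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self._creds[rp_id_hash(rp_id)] = (cred_id, secret)
        return cred_id, secret          # secret plays the role of pk for the RP below

    def get_assertion(self, origin: str, client_data_json: bytes):
        # The browser derives the RP ID from the page's real origin; the authenticator hashes it.
        h = rp_id_hash(urlparse(origin).hostname)
        if h not in self._creds:
            return None                 # no credential for this domain: refuse to sign
        cred_id, secret = self._creds[h]
        self.sign_count += 1
        auth_data = h + bytes([0x01]) + struct.pack(">I", self.sign_count)   # rpIdHash | flags(UP) | signCount
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return cred_id, auth_data, hmac.new(secret, to_sign, "sha256").digest()

def client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}).encode()

def rp_verify(rp_id, pk, challenge, origin, client_data_json, assertion) -> bool:
    """Relying-party side: signature, rpIdHash, origin and challenge must all match."""
    if assertion is None: return False
    cred_id, auth_data, sig = assertion
    cd = json.loads(client_data_json)
    expected = hmac.new(pk, auth_data + hashlib.sha256(client_data_json).digest(), "sha256").digest()
    return (hmac.compare_digest(sig, expected) and auth_data[:32] == rp_id_hash(rp_id)
            and cd["origin"] == origin and cd["challenge"] == challenge.hex())

def demo():
    auth = ToyAuthenticator()
    cred_id, pk = auth.register("paypal.com")       # constructed registration on the genuine domain
    chal = os.urandom(32)
    real, fake = client_data("https://paypal.com", chal), client_data("https://paypa1.com", chal)
    genuine = rp_verify("paypal.com", pk, chal, "https://paypal.com", real, auth.get_assertion("https://paypal.com", real))
    phished = auth.get_assertion("https://paypa1.com", fake)   # lookalike domain: authenticator returns None
    return genuine, phished
```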
Discover how giovium protects your data
giovium leverages these very cryptographic principles to keep your passwords, files, and secrets completely safe. Try it for free on any platform.