Real-World Phishing Attack Example: A Cautionary Story of a Coinbase Vishing Campaign

Penetration Testing | Red Team Assessments

Published: Mar 4, 2026

Recently on a Sunday night my phone rang, showing an unknown number.

My iPhone screens the call, and the display shows “Coinbase withdrawal of 0.1 BTC was just initiated” from my account. I then pick up, press 1 to confirm it’s fraud, and the call immediately disconnects. A few seconds later, I receive a call back.

The caller introduces himself as Alexander Evans (AE) from Coinbase Security and presents as calm, confident, and professional. He explains there was a suspicious withdrawal attempt from Germany and that he’s opening fraud case number 192382 on my behalf.

How Attackers Build Legitimacy Step by Step

AE starts by “verifying” me. He confirms my email address and phone number (both already exposed in public data breaches, but still effective). He also adds that the attacker tried to change my primary email to "philholbrookrecovery@protonmail.com." He then says he’s going to email me a confirmation message that I can ignore—but asks me to independently verify that it comes from a "coinbase.com" email address.


It is from coinbase.com, but it’s clearly just a Coinbase newsletter subscription confirmation. That’s the trick: not malicious in its own right, but still enough to anchor trust by making me validate the domain myself. Shortly after, I get a text message from the same number he called from: +1 (513) 443-8799.
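The "verify it comes from a coinbase.com address" step is worth making precise, because the display name is not the test; the authenticated domain is. Below is an added Python example (not part of the original post, and not Coinbase's tooling) that reads a raw message, takes the domain from the From address, and checks it against the domain that actually passed DKIM and DMARC in the Authentication-Results header. Both messages are constructed for the example; coinbase-casework.example is an invented lookalike domain, and the mailbox names, the case-number check and the assess function are assumptions of mine. The caveat the story illustrates is built in: passing this check proves only that coinbase.com sent the message, not that the caller is Coinbase, so the example also checks whether the message mentions the case the caller claims to have opened. A subscription confirmation that says nothing about a fraud case is doing no work for the caller's story.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample 1: a genuine newsletter confirmation, DKIM-signed by coinbase.com.
# Headers are invented for this example; only the sending domain is real.
SAMPLE_LEGIT_NEWSLETTER = """\
Return-Path: <bounce@coinbase.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=coinbase.com; dkim=pass header.d=coinbase.com; dmarc=pass header.from=coinbase.com
From: Coinbase <no-reply@coinbase.com>
To: victim@example.net
Subject: Confirm your newsletter subscription

Click the link below to confirm your subscription.
"""

# Constructed sample 2: a lookalike on a hypothetical domain. It passes SPF and DKIM
# for its *own* domain, which is why "it passes authentication" alone proves nothing.
SAMPLE_LOOKALIKE = """\
Return-Path: <security@coinbase-casework.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=coinbase-casework.example; dkim=pass header.d=coinbase-casework.example; dmarc=none header.from=coinbase-casework.example
From: Coinbase Security <security@coinbase-casework.example>
To: victim@example.net
Subject: Fraud case 192382 requires verification

Your case is open. Reply with the code we give you on the phone.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b")
DKIM_D_RE = re.compile(r"dkim=pass[^;]*header\.d=([\w.-]+)", re.I)


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def from_domain(msg):
    """Domain of the RFC 5322 From address; the display name is ignored on purpose."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collapse Authentication-Results into {mechanism: verdict} (last verdict wins)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(header)):
            results[mech] = verdict
    return results


def dkim_signing_domain(msg):
    """The header.d= of a passing DKIM signature, or None if nothing passed."""
    for header in msg.get_all("Authentication-Results", []):
        m = DKIM_D_RE.search(str(header))
        if m:
            return m.group(1).lower()
    return None


def mentions_case(msg, case_id):
    """Does the message actually reference the case the caller claims to have opened?"""
    text = f"{msg['Subject']}\n{msg.get_payload()}"
    return case_id in text


def assess(raw, expected_domain="coinbase.com", claimed_case=None):
    msg = parse(raw)
    fd = from_domain(msg)
    auth = auth_results(msg)
    dkim_d = dkim_signing_domain(msg)
    # Authenticated sender: the From domain is the expected one, the DKIM signature that
    # passed was made by that same domain, and DMARC aligned. Anything else is unproven.
    authenticated = (fd == expected_domain and dkim_d == expected_domain
                     and auth.get("dmarc") == "pass")
    return {
        "from_domain": fd,
        "dkim_domain": dkim_d,
        "auth": auth,
        "authenticated_sender": authenticated,
        # Even an authenticated message is only evidence for the caller if it is about
        # the thing the caller claims; a newsletter confirmation is not.
        "mentions_claimed_case": mentions_case(msg, claimed_case) if claimed_case else None,
    }


if __name__ == "__main__":
    for name, raw in (("newsletter", SAMPLE_LEGIT_NEWSLETTER), ("lookalike", SAMPLE_LOOKALIKE)):
        print(name, assess(raw, claimed_case="192382"))
```

Run against the two constructed messages, the newsletter comes back as an authenticated coinbase.com sender that never mentions case 192382, and the lookalike comes back as a fully "passing" message from a domain that is not coinbase.com. Either result should end the call.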


At this point, I stop playing along silently and decide to dive deep to see if I’m actually compromised.

How to Detect a Phishing Attack in Real Time

I log into my Coinbase account directly (not via any links) and don’t see any suspicious activity. There are no unfamiliar logins and everything checks out. While still on the call, I run a few quick checks:

  • Recent sign-ins: All mine, going back a year.
  • Domain check: I look up the phishing domain he’s clearly warming up to send. You can typically do this via https://crt.sh, an online tool used for checking certificate transparency logs. It was registered on 12/30/2025, with no subdomains or anything else established.
  • ProtonMail: Out of curiosity, I try to register that address ("philholbrookrecovery@protonmail.com") and see that it's available.


That last check is the smoking gun, causing his whole spiel to collapse.
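The domain check above is the one most people skip, so here it is as an added Python example (my code, not the author's and not a crt.sh tool) that turns a crt.sh JSON result into the two signals that mattered here: how recently the domain first appeared in certificate transparency logs, and whether anything beyond the bare apex has ever been certified. The records are constructed in the field layout crt.sh returns with output=json (a subset of its fields, values invented); coinbase-casework.example and bigexchange.example are hypothetical domains, REFERENCE_NOW is a constructed "now", and the thresholds in triage are assumptions. One caveat a practitioner would want: crt.sh shows when certificates were issued, not when the domain was registered. A domain can be registered long before its first certificate, so WHOIS/RDAP is the source for registration date; the first logged certificate is still the right "newly seen" signal for a link someone just texted you.

```python
import json
import urllib.request
from datetime import datetime

# Constructed crt.sh-style records (field names as crt.sh returns with output=json, values
# invented). Two records per certificate is normal: the precertificate and the final
# certificate are logged separately, so names are deduplicated below.
SAMPLE_FRESH = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R12", "common_name": "coinbase-casework.example",
     "name_value": "coinbase-casework.example", "id": 1,
     "entry_timestamp": "2025-12-30T03:14:02.511",
     "not_before": "2025-12-30T02:14:01", "not_after": "2026-03-30T02:14:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R12", "common_name": "coinbase-casework.example",
     "name_value": "coinbase-casework.example", "id": 2,
     "entry_timestamp": "2025-12-30T03:14:03.004",
     "not_before": "2025-12-30T02:14:01", "not_after": "2026-03-30T02:14:00"},
]

SAMPLE_ESTABLISHED = [
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "bigexchange.example", "id": 10,
     "name_value": "bigexchange.example\nwww.bigexchange.example",
     "entry_timestamp": "2018-05-11T09:00:00.000",
     "not_before": "2018-05-11T00:00:00", "not_after": "2019-05-11T12:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "api.bigexchange.example", "id": 11,
     "name_value": "api.bigexchange.example\nmail.bigexchange.example",
     "entry_timestamp": "2021-02-02T09:00:00.000",
     "not_before": "2021-02-02T00:00:00", "not_after": "2022-02-02T12:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "accounts.bigexchange.example", "id": 12,
     "name_value": "*.bigexchange.example\naccounts.bigexchange.example",
     "entry_timestamp": "2025-11-20T09:00:00.000",
     "not_before": "2025-11-20T00:00:00", "not_after": "2026-02-18T00:00:00"},
]

REFERENCE_NOW = datetime(2026, 1, 4, 20, 0, 0)  # constructed "now" for the offline demo


def fetch_crtsh(domain):
    """Live lookup (not used by the offline demo). %25 is a URL-encoded % wildcard."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def triage(records, apex, now=None, max_age_days=90, min_subdomains=2):
    """Summarise CT history for apex: first certificate date, certified names, and a verdict."""
    now = now or datetime.now()
    apex = apex.lower()
    names = set()
    first_seen = None
    for rec in records:
        not_before = datetime.fromisoformat(rec["not_before"])
        if first_seen is None or not_before < first_seen:
            first_seen = not_before
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower().lstrip("*.")  # a wildcard counts as the apex
            if name == apex or name.endswith("." + apex):
                names.add(name)
    if first_seen is None:
        # No certificate has ever been logged: there is nothing here to anchor trust to.
        return {"apex": apex, "first_seen": None, "age_days": None, "names": [],
                "subdomains": [], "fresh": True, "thin": True, "suspicious": True}
    # "www" is the default host on any new site, so it is not evidence of real infrastructure.
    subdomains = sorted(n for n in names if n not in (apex, "www." + apex))
    age_days = (now - first_seen).days
    fresh = age_days < max_age_days
    thin = len(subdomains) < min_subdomains
    return {"apex": apex, "first_seen": first_seen.date().isoformat(), "age_days": age_days,
            "names": sorted(names), "subdomains": subdomains,
            "fresh": fresh, "thin": thin, "suspicious": fresh and thin}


if __name__ == "__main__":
    print(triage(SAMPLE_FRESH, "coinbase-casework.example", now=REFERENCE_NOW))
    print(triage(SAMPLE_ESTABLISHED, "bigexchange.example", now=REFERENCE_NOW))
```

For a real lookup, replace the sample list with fetch_crtsh("the-domain-from-the-sms") and leave now unset. A freshly certified apex with no other names is exactly the profile described above; a years-old history with api, mail and accounts hosts is what a real exchange looks like, which is why the author's "at least put it on a convincing subdomain" jab lands.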

How to Respond to a Phishing Attack in Real Time

I ask again what Coinbase needs from me right now to resolve the fraud. That’s when AE pushes me to click the link he texted. He says he’ll provide a verification code once I’m on the page to “validate my case.”

Pushing back, I tell him plainly:

  • "I’m not clicking links sent over SMS."
  • "You called me out of the blue."
  • "My Coinbase account shows no suspicious activity."
  • "I have no direct fraud emails from Coinbase."
  • "This scam stinks. I'm not clicking anything."

There’s a pause followed by laughter.

The Startling Frequency of Phishing Attacks

His response? “Man, you know this scam is good. Tell me what’s wrong with it?” He goes on to explain that he has 15-year-olds running this script all day and that it “gets grandmas all the time.” He gives me credit for checking the ProtonMail address and asks how his delivery was overall.

I tell him the truth: The opening was solid and the first five minutes were legitimately convincing. But the SMS link and freshly registered phishing domain blew the whole thing up. At least put it on a convincing subdomain if you want it to fly.

He insists it works constantly and that I’m just the first person he’s had who checked domains and email infrastructure. And, of course, I’m not going to be providing him with any real feedback to help him ruin someone’s day.

Then, surprisingly politely, he wishes me and my family a Happy New Year and confirms he’ll scrub my number from the system. No hard feelings. “Later bro.” And that was that.

What Makes Vishing Campaigns Convincing

This wasn’t a sloppy robocall scam. It was a coordinated vishing campaign:

  • Cold automated call prompting urgency
  • Immediate human follow-up
  • Real Coinbase infrastructure leveraged for legitimacy
  • Confident, professional social engineering
  • A clear handoff from voice to SMS phishing

What made it unique was watching the operator drop the act and openly discuss the campaign once it failed. I’ve done my share of scam baiting and time-wasting over the years, but it’s rare to get a candid post-mortem straight from the attacker.

Lessons Learned from a Real-World Phishing Attack

  • Pressing “1” is the hook. Once you engage, you’re flagged as responsive and likely enrolled into future campaigns.
  • Real emails don’t equal real intent. Attackers will use legitimate services to bootstrap trust.
  • SMS links are the pivot point. That’s where the real damage happens, and if you put in your credentials, you’re finished.
  • Training matters. This attack would be successful on anyone who doesn’t understand DNS, email headers, and login history.

This attempted attack snuck up on me, and that’s the point. With today’s cyber threats, anyone can be vulnerable. It’s important to stay skeptical, verify independently, and not click on links sent to you by someone who called you first.

Fraud case 192382, closed.

About Philip Holbrook

Philip Holbrook is a Lead Penetration Tester with Schellman & Company, LLC based in Pittsburgh, PA, where he leads red team engagements and performs external and internal penetration tests, advanced phishing campaigns, and web application testing. Philip is actively expanding Schellman's red team practice through researching novel initial access vectors, developing custom internal tooling, and supporting the team's penetration testing infrastructure. Philip brings in-depth knowledge of enumerating macOS and Windows environments for vulnerabilities and privilege escalation opportunities, with specialized expertise in SIEM and EDR evasion techniques. In his leadership role, he mentors junior penetration testers, contributes to methodology development, and drives innovation in adversary simulation techniques. Philip has over 10 years of experience in IT and security, serving clients across various industries with a primary focus on Cloud, SaaS, and Service Provider environments. He has presented at the Pittsburgh BSides Conference on advanced phishing techniques utilizing calendar injection, user scripting, and dockerized phishing infrastructure to bypass MFA restrictions. Philip recently obtained his Certified Red Team Lead certification to complement his expertise in red team operations. Prior to joining Schellman in 2020, Philip worked as a Security Engineer handling SOC integration projects and Incident Response in MSP environments supporting small to medium businesses. He performed malware and root cause analysis to identify attack kill chains and provide accurate remediation steps. He obtained his OSCP in 2018 and leverages his defensive security background to emulate realistic adversary tactics, techniques, and procedures (TTPs) in red team.