The Art of Phishing

What We've Learned Testing Community Banks

Phishing is still one of the easiest ways for attackers to get a foothold in community banks. Even in 2026, it works far too well. At Infotex, we run these kinds of authorized simulations for our clients all the time. We build them the same way real attackers do, but we do it ethically, with the bank’s full permission, so they can see exactly where their weaknesses are.

This piece walks through how we put together a realistic phishing campaign, from start to finish. We’ll cover OSINT reconnaissance, the psychology behind what makes people click, how we build the emails, some of the more advanced techniques we can simulate and are now seeing in the wild, and what the numbers from our own tests actually tell us.

Starting with Reconnaissance (OSINT)

Good phishing doesn’t come out of nowhere. It starts with gathering publicly available information about the target.

We look at LinkedIn for job titles, recent posts, and company updates. We check the bank’s own website, press releases, and social media accounts on Facebook, X, or Instagram. Sometimes a simple post about a conference, quarter-end push, or new initiative gives us everything we need to make the email feel real and timely.

For example, if someone publicly mentions working on “quarter-end reviews,” we can turn that into a believable follow-up email. That kind of personalization makes a huge difference in how many people click.

For banks: Take a look at what your team is sharing publicly. Small details can be turned against you.

The Psychology That Makes It Work

People aren’t stupid, but we’re all predictable in certain ways. Successful phishing leans on basic human tendencies.

We use things like authority (making it look like it comes from the CEO or a trusted vendor/employee), urgency (“you need to do this today or by x date”), and reciprocity (offering something like feedback on an appreciation event). In a community bank environment, where everyone knows each other and wants to be helpful, these tactics hit especially hard.

We’ve seen this play out clearly in our tests. Lures that reference a recent internal appreciation event, branch initiative, or quarter-end push – details often pulled from public posts or press releases – consistently outperform generic templates. The combination of authority and reciprocity (“help leadership gather quick feedback”) lands especially well when people genuinely know and support each other.

Building the Campaign Step by Step

Here’s how a typical one comes together:

  • Pick the theme: We go with things we’ve seen work well – HR and benefits updates, fake shared file links (Dropbox/OneDrive style), or survey/feedback requests.
  • Personalize it: Pull in details from OSINT and spoof the sender so it looks like it’s coming from inside the organization or a known vendor.
  • Write the email: Keep the tone professional and matching how the bank normally communicates. Include a clear call to action that leads to a realistic-looking landing page.
  • Send and track: We time it for normal business hours and watch opens, clicks, and any credential submissions.

Advanced Techniques We’re Seeing in 2026

The game is changing fast. Attackers are combining tools and using AI to make phishing much harder to spot.

Some of the more advanced setups let us test things like session hijacking that can get around traditional MFA. Instead of just stealing a password, these methods capture active sessions.

AI is a big part of it now too. We can use it to quickly generate emails that sound exactly like your internal communications, reference specific recent events, or fix grammar and wording so it feels completely natural. On the vishing side, voice cloning from short public audio clips is getting scary good. Some attacks even combine email, text, and a follow-up call or video.

When we test these modern approaches, it shows banks how even cautious employees can still get caught if the phish feels personal enough.

What the Data from Our Campaigns Shows

We’ve pulled together results from 19 recent tests covering more than 2,300 emails.

What performed best:

  • Survey and feedback lures often got the highest number of credentials submitted (one campaign had over 15).
  • Fake shared file links (Dropbox/OneDrive style) sometimes hit crazy click rates – we saw one at 100%.
  • HR and benefits updates were consistently strong.

Security awareness or legal-themed ones usually did the worst, which is actually encouraging.

Overall averages across the campaigns:

  • Open rate: around 39%
  • Click rate: around 23%
  • Credential submission rate: around 4%

Those credential numbers are the ones that keep us up at night – because that’s what attackers are really after.

Turning Results into Better Defenses

After every test we send the bank our recommendations.

Practical steps we recommend:

  • Get in the habit of “Stop. Close. Verify.” – pause, close the suspicious email, and check through a known safe channel.
  • Run realistic simulations regularly (at least quarterly).
  • Use the results for targeted training instead of generic yearly sessions.
  • Strengthen technical protections like DMARC, good email filtering, and phishing-resistant MFA.
  • Be mindful of what your team posts publicly.
  • Make it easy and rewarding for people to report suspicious messages.
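One concrete form of the DMARC hardening step above, written as an added example rather than code from the article or from Infotex: it parses a DMARC TXT record and flags the settings (p=none, partial pct, no reporting address, weaker subdomain policy, relaxed alignment) that would still let a sender spoofed to look internal reach the inbox. The two records and the example.com domain are constructed placeholders.

```python
"""Audit a DMARC TXT record after a phishing test.

Added example, not code from the article or from Infotex. Parses RFC 7489
'tag=value; ...' syntax and lists settings that let mail spoofed to look
internal reach the inbox. Both records are constructed; example.com is a placeholder.
"""

# Constructed samples: a weak record and a hardened version of it.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                   "rua=mailto:dmarc-reports@example.com")
RANK = {"none": 0, "quarantine": 1, "reject": 2}  # policy strength, weakest first


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; unknown tags are kept."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags


def audit_dmarc(record: str) -> list:
    """Return findings as strings; an empty list means the policy is strict."""
    t = parse_dmarc(record)
    findings = []
    policy = t.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is only monitored, still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam, not rejected")
    sp = t.get("sp", policy)  # subdomain policy defaults to the domain policy
    if RANK.get(sp, 0) < RANK.get(policy, 0):
        findings.append(f"sp={sp}: subdomains are weaker than the main domain")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of mail")
    if "rua" not in t:
        findings.append("no rua= address: no aggregate reports to spot spoofing")
    for tag in ("adkim", "aspf"):  # relaxed alignment lets any subdomain align
        if t.get(tag, "r") != "s":
            findings.append(f"{tag}=r: relaxed alignment, consider strict (s)")
    return findings
```

Run `audit_dmarc` against the record published for your own sending domain; anything it returns is a gap a spoofed "internal" lure can use.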

Wrapping Up

Phishing is definitely an art — it combines research, psychology, timing, and now tools like AI to exploit trust. But defending against it is a discipline. The more your team understands how these attacks are built, the better prepared you’ll be.

Community banks have real advantages — strong relationships and a culture of looking out for each other. Lean into that, stay vigilant, and keep testing.

If you’d like to run a simulation tailored to your bank (including some of these newer techniques), reach out to us at Infotex. We’re doing this work every week and can show you exactly where you stand.

Think before you click!

Contact us if you are interested in phishing tests!


Original article by Tony Johnson, Data Security Analyst, infotex

