In March 2022, Okta disclosed that the LAPSUS$ extortion group had gained access to a support engineer's account at Sitel, a third-party customer-support contractor. Okta's first estimate was that up to 366 customers might have been affected; it later revised that figure down to two. The attack didn't exploit some exotic zero-day. It exploited a person and a contractor's credentials. If you're here to define phishing, that incident tells you more than any textbook ever could.

Phishing is the single most common attack vector behind data breaches. The 2022 Verizon Data Breach Investigations Report found that 82% of breaches involved a human element — and phishing was the top action variety in social engineering incidents. This post breaks down exactly what phishing is, what it looks like in practice, and what your organization can do about it right now.

So How Do You Actually Define Phishing?

Phishing is a social engineering attack where a threat actor impersonates a trusted entity to trick a victim into surrendering sensitive information, clicking a malicious link, or executing a harmful action. That's the clinical version. Here's the practical one.

Phishing is a con game delivered at scale through email, text messages, phone calls, or fake websites. The attacker pretends to be your bank, your boss, your IT department, or a shipping company. They manufacture urgency — "Your account will be locked in 24 hours" — and push you toward a specific action: enter your password, open an attachment, wire money.

I've investigated incidents where a single phishing email led to full credential theft, lateral movement through an entire network, and ultimately ransomware deployment. The initial email took thirty seconds to craft. The damage took months to remediate.

The Anatomy of a Phishing Attack

Step 1: Reconnaissance

Sophisticated attackers don't spray random emails anymore. They research your organization. They scrape LinkedIn for names and job titles. They read your company blog to learn the CEO's name and the CFO's communication style. This reconnaissance makes the eventual phishing email far more convincing.

Step 2: The Lure

The attacker crafts a message designed to bypass your rational brain and trigger an emotional response. Fear, curiosity, urgency, and authority are the four levers. "Urgent: Payroll discrepancy requires immediate verification" hits three of them at once.

Step 3: The Payload

This is where the damage happens. The payload is typically one of three things: a link to a credential-harvesting site that looks identical to a legitimate login page, a malicious attachment containing malware, or a direct request for sensitive data or a financial transaction.

Step 4: Exploitation

Once the victim takes the bait, the attacker moves fast. Stolen credentials get tested against multiple systems within minutes. Malware phones home to a command-and-control server. Wire transfers clear before anyone realizes what happened.
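As an added illustration of Step 3 (not code from the original post), the following Python script applies the checks a practitioner runs on a suspicious link before anyone clicks it: the registered domain, a brand name buried in a subdomain, the user-info trick, punycode labels, IP-literal hosts, and homoglyph or one-character-off lookalikes. The protected-brand list, homoglyph tables and sample URLs are constructed for the example, and registered_domain() uses a simplified last-two-labels rule instead of the Public Suffix List.

```python
"""Flag common phishing-link tricks against a constructed brand list.

Added example, not code from the original post. PROTECTED_BRANDS, the
homoglyph tables and the sample URLs are constructed for illustration, and
registered_domain() uses a simplified last-two-labels rule rather than the
Public Suffix List.
"""
import unicodedata
from urllib.parse import urlsplit

PROTECTED_BRANDS = {"microsoft.com", "okta.com", "examplebank.com"}  # constructed

# Substitutions seen in lookalike registrations (constructed, not exhaustive).
MULTI_CHAR = {"rn": "m", "vv": "w"}
SINGLE_CHAR = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "\u0131": "i", "\u03bf": "o", "\u0430": "a"}  # dotless i, Greek omicron, Cyrillic a


def registered_domain(host: str) -> str:
    """Simplified: the last two labels ('login.microsoft.com' -> 'microsoft.com')."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalise(name: str) -> str:
    """Collapse look-alike characters so 'micr0soft' and 'rnicrosoft' both read 'microsoft'."""
    text = unicodedata.normalize("NFKD", name.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for pair, repl in MULTI_CHAR.items():
        text = text.replace(pair, repl)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in text)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches 'microsoft.co' and 'microsft.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_url(url: str) -> dict:
    """Return the host, its registered domain and a sorted list of warning flags."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = set()
    if parts.scheme != "https":
        flags.add("not_https")
    if parts.username:                      # https://microsoft.com@evil.example/ goes to evil.example
        flags.add("userinfo_trick")
    if host.replace(".", "").isdigit():
        flags.add("ip_literal_host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.add("punycode_label")
    try:                                    # compare the Unicode form of IDN hosts
        unicode_host = host.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_host = host
    reg = registered_domain(unicode_host)
    brands = set()
    if reg not in PROTECTED_BRANDS:         # the genuine domain is never flagged
        for brand in PROTECTED_BRANDS:
            if brand.split(".")[0] in unicode_host.split("."):   # login.microsoft.com.evil.example
                flags.add("brand_in_subdomain")
                brands.add(brand)
            if normalise(reg) == brand or levenshtein(reg, brand) <= 1:
                flags.add("lookalike_domain")
                brands.add(brand)
    return {"host": host, "registered_domain": reg, "flags": sorted(flags), "brands": sorted(brands)}


if __name__ == "__main__":
    # Constructed sample links; the punycode one is built from 'mícrosoft.com' at run time.
    samples = [
        "https://login.microsoft.com/",
        "https://micros0ft.com/login",
        "https://rnicrosoft.com/",
        "https://login.microsoft.com.verify-account.example/",
        "https://microsoft.com@evil.example/",
        "http://203.0.113.5/login",
        "https://" + "m\u00edcrosoft.com".encode("idna").decode("ascii") + "/login",
    ]
    for url in samples:
        result = analyse_url(url)
        print(f"{url:60} {result['flags']} {result['brands']}")
```

The script reads the link the way a browser does (urlsplit's hostname, not the text before an "@"), which is why the user-info trick is caught, and it only compares the registered domain against the brand list so that the real login.microsoft.com is never flagged. In production you would swap the last-two-labels rule for a Public Suffix List lookup and feed the brand list from your own domains and SaaS providers.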

Five Types of Phishing You Need to Recognize

When security professionals define phishing, they're really talking about a family of related attacks. Each variant has its own characteristics and risk profile.

  • Email phishing: The classic. Mass-distributed emails impersonating trusted brands. Still devastatingly effective — the FBI's 2021 IC3 Report logged over 323,000 phishing complaints, the most of any cybercrime category.
  • Spear phishing: Targeted attacks aimed at specific individuals using personalized information. This is the pattern behind most contractor, help-desk, and executive compromises.
  • Whaling: Spear phishing aimed specifically at senior executives. The stakes are higher, the research is deeper, and the payoff for attackers can be enormous.
  • Smishing: Phishing via SMS text messages. "Your package delivery failed — click here to reschedule." These have surged in 2022 as mobile usage dominates.
  • Vishing: Voice phishing. Attackers call pretending to be tech support, the IRS, or your bank. Often combined with spoofed caller ID to appear legitimate.

The $4.91M Question: Why Does Phishing Still Work?

According to IBM's 2022 Cost of a Data Breach Report, phishing was the costliest initial attack vector at an average of $4.91 million per breach, against a $4.35 million average across all breaches. So why haven't organizations solved this problem?

Because phishing doesn't attack your firewall. It attacks your people. And most organizations drastically underinvest in their people.

I've seen companies spend six figures on endpoint detection and response platforms while running a single annual security awareness training session that employees click through in eight minutes. That math doesn't work. Your technology stack means nothing when an employee hands their credentials to a fake Microsoft 365 login page.

Phishing works because it exploits trust, habit, and time pressure — three things that no software patch can fix.

Real Phishing Attacks That Changed the Game

The 2020 Twitter Breach

Attackers used phone-based social engineering (vishing) to talk Twitter employees out of credentials for internal account-support tools. The result: the accounts of Barack Obama, Joe Biden, Elon Musk, Apple and dozens of other high-profile users pushed a bitcoin scam. The ringleader was 17.

The Colonial Pipeline Prelude

While the 2021 Colonial Pipeline ransomware attack made headlines for shutting down fuel supply to the U.S. East Coast, the initial access point was a single compromised password for a legacy VPN account that was no longer in active use and had no MFA. Credential theft, whether by phishing or by harvesting leaked password dumps, remains the front door for ransomware operators.

The Ubiquiti Networks Incident

In January 2021, Ubiquiti disclosed unauthorized access to some systems hosted by a third-party cloud provider. Months later an anonymous "whistleblower" told journalists the breach was far worse than disclosed. In December 2021 the U.S. Department of Justice charged a former Ubiquiti developer, alleging that he had used his own privileged access to steal the data, tried to extort the company, and then posed as the whistleblower; he later pleaded guilty. Not a phishing case after all, but a sharp reminder that the target is always privileged credentials, whoever holds them.

Two of these three incidents began with a human being handing over or leaking a credential; the third began with an insider who already held one. In every case the attacker ended up with valid credentials, and the rest of the attack ran on them. That's why security awareness training isn't optional: it's the primary control, backed by the MFA and least-privilege measures below.

How to Defend Against Phishing Attacks

Build a Human Firewall Through Training

Your employees are either your biggest vulnerability or your strongest detection layer. The difference is training. Not a once-a-year compliance checkbox — ongoing, scenario-based education that teaches people to recognize social engineering tactics in real time.

If you're building a security awareness program from scratch, our cybersecurity awareness training course covers phishing recognition, credential hygiene, and threat identification in a format designed for real employees, not security professionals.

Run Phishing Simulations Regularly

You can't measure what you don't test. Phishing simulation campaigns show you exactly which employees click, which report, and which ignore. They also create a feedback loop: employees who fall for a simulation get immediate, targeted training instead of a generic reminder.

For organizations ready to go deeper, our phishing awareness training for organizations provides structured simulation and education tools designed to reduce click rates and build reporting habits across your workforce.

Deploy Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) is the single most effective technical control against credential theft from phishing. Even if an employee enters their password on a fake login page, MFA adds a second barrier the attacker must bypass. It's not bulletproof: attackers increasingly use MFA fatigue (push-bombing) and real-time adversary-in-the-middle proxies that relay the one-time code to the real site within its validity window. Phishing-resistant factors (FIDO2/WebAuthn security keys, passkeys) defeat the proxy because the credential is bound to the legitimate site's origin, but even push- or code-based MFA stops the vast majority of opportunistic phishing campaigns.

CISA's guidance on MFA is a solid starting point if your organization hasn't fully rolled it out yet.
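An added example (not from the original post) that simulates the real-time proxy attack described in the MFA section. Both halves run the same relay: first against an RFC 6238 TOTP code, which the proxy forwards and the real site accepts, then against an origin-bound factor, where the authenticator signs the origin the browser is actually on and the real site rejects the relayed assertion. The HMAC "signature" is a stand-in for the private-key signature a FIDO2/WebAuthn authenticator produces, chosen so the script runs on the standard library alone; site names, the shared secret and the challenge are constructed.

```python
"""Why code-based MFA can be proxied but origin-bound MFA cannot.

Added example, not code from the original post. totp() follows RFC 6238; the
"authenticator" below uses an HMAC as a stand-in for the asymmetric signature
a FIDO2/WebAuthn authenticator would produce (an assumption made so the
example needs only the standard library). Origins and keys are constructed.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example"        # constructed: the legitimate site
PHISH_ORIGIN = "https://login-example.net"   # constructed: attacker's proxy site


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Accept the current code and one step either side (typical clock-drift window)."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step), code) for d in (-1, 0, 1))


def aitm_relay_totp(secret: bytes, unix_time: int) -> bool:
    """Adversary-in-the-middle: the victim types a valid code into the proxy page
    and the proxy submits it to the real site within the same time step."""
    code_typed_into_phish_page = totp(secret, unix_time)              # from the victim's phone
    return verify_totp(secret, code_typed_into_phish_page, unix_time)  # real site accepts it


# --- origin-bound factor -----------------------------------------------------

def authenticator_sign(key: bytes, challenge: str, origin: str) -> dict:
    """The authenticator signs the challenge together with the origin the browser
    is really on; the page cannot ask it to sign some other origin."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()  # stand-in for ECDSA/Ed25519
    return {"client_data": client_data, "sig": sig}


def relying_party_verify(key: bytes, expected_origin: str, challenge: str, assertion: dict) -> bool:
    """Real site: check the signature, then that the signed origin and challenge are its own."""
    expected_sig = hmac.new(key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["origin"] == expected_origin and data["challenge"] == challenge


def aitm_relay_origin_bound(key: bytes) -> bool:
    """Same proxy: the challenge is relayed faithfully, but the browser is on the
    phishing origin, so the signed client data names PHISH_ORIGIN and is rejected."""
    challenge = secrets.token_urlsafe(16)                          # issued by the real site
    assertion = authenticator_sign(key, challenge, PHISH_ORIGIN)    # victim on the proxy page
    return relying_party_verify(key, REAL_ORIGIN, challenge, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test secret, used here as a constructed key
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(seed, 1_700_000_000))  # True
    print("Origin-bound assertion relayed accepted:", aitm_relay_origin_bound(seed))     # False
```

The relay wins against TOTP because nothing in a six-digit code says where it was typed; it loses against the origin-bound factor because the origin is inside the signed data and the proxy cannot change it without breaking the signature. That is the whole reason "phishing-resistant MFA" is a distinct category.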

Adopt Zero Trust Principles

Zero trust assumes that no user, device, or network segment is inherently trustworthy. In a zero trust architecture, even authenticated users face continuous verification and least-privilege access controls. This limits the blast radius when a phishing attack succeeds — because it will succeed eventually.

Implement Email Security Controls

Layer technical controls on top of human defenses. SPF, DKIM, and DMARC stop attackers from sending mail as your exact domain, but only if DMARC is actually enforced (p=quarantine or p=reject; p=none just produces reports) and only for that domain: lookalike domains and compromised legitimate mailboxes pass straight through them. Email gateway filtering catches known malicious attachments and URLs. Sandboxing detonates suspicious files before they reach the inbox. None of these are perfect alone, but together they raise the bar significantly.
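As an added example (not the page's own code), here is how a receiving mail server evaluates DMARC for two constructed messages: one genuine, one with a spoofed From: header sent from infrastructure that passes SPF for the attacker's own domain. It also shows why p=none changes nothing at delivery time. The Authentication-Results lines, DMARC record, addresses and messages are all constructed, and organizational-domain lookup is simplified to the last two labels rather than the Public Suffix List.

```python
"""Receiver-side DMARC evaluation over constructed messages.

Added example, not from the original post. The Authentication-Results lines,
the DMARC record and both messages are constructed; organizational-domain
lookup is simplified to the last two labels instead of the Public Suffix List.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC record, as it would be published at _dmarc.example.com.
DMARC_TXT = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

LEGIT_MESSAGE = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com
From: Finance <finance@example.com>
To: staff@receiver.example
Subject: Q3 invoices

Invoices attached.
"""

# The attacker's mail server passes SPF for its own domain; only the From: header is forged.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=mailer.evil.example; dkim=none
From: CEO <ceo@example.com>
To: finance@receiver.example
Subject: Urgent wire transfer

Please process today.
"""


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, filling in the RFC 7489 defaults."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim verdicts and the domains they were computed for."""
    out = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.@-]+)", header)
    if m:
        out["spf"] = (m.group(1), m.group(2).split("@")[-1])
    m = re.search(r"dkim=(\w+)(?:\s+header\.d=([\w.-]+))?", header)
    if m:
        out["dkim"] = (m.group(1), m.group(2) or "")
    return out


def evaluate_dmarc(raw_message: str, dmarc_txt: str) -> dict:
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with the From: domain."""
    msg = message_from_string(raw_message)
    policy = parse_dmarc(dmarc_txt)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1]
    auth = parse_auth_results(msg["Authentication-Results"] or "")
    spf_ok = auth.get("spf", ("", ""))[0] == "pass" and aligned(auth["spf"][1], from_domain, policy["aspf"])
    dkim_ok = auth.get("dkim", ("", ""))[0] == "pass" and aligned(auth["dkim"][1], from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy["p"]}


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(name, evaluate_dmarc(raw, DMARC_TXT))
    # Same forged message against a monitoring-only record: it is still delivered.
    print("spoofed under p=none", evaluate_dmarc(SPOOFED_MESSAGE, "v=DMARC1; p=none"))
```

The forged message fails not because SPF failed (it passed, for evil.example) but because the SPF domain does not align with the From: domain the user sees; that alignment check is the part of DMARC that SPF alone never gave you. Run the same message against p=none and the disposition is "none": the forgery is reported to the rua address and still lands in the inbox.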

What Should You Do If You Get Phished?

Speed matters. Here's the immediate response playbook I give to every organization I work with:

  • Change your credentials immediately, on the compromised account and any account that shares the same password, and have your security team revoke active sessions and OAuth/app tokens: a new password does not log out an attacker who already holds a session cookie captured by a proxy-style attack.
  • Enable MFA if it wasn't already active.
  • Report the incident to your IT or security team. Every minute of delay gives the attacker more time to move laterally.
  • Preserve evidence. Don't delete the phishing email. Forward it to your security team as an attachment (not inline) so the original headers survive.
  • Monitor for secondary attacks. Phishing often isn't the endgame; it's the entry point for ransomware, business email compromise, or data exfiltration.

If your organization doesn't have a clear incident response plan for phishing, that's a gap you need to close today — not after the breach.

Phishing Isn't Going Away — But Your Vulnerability Can Shrink

Every day in 2022, threat actors send an estimated 3.4 billion phishing emails worldwide. The attacks are getting more targeted, more convincing, and more automated. AI-generated phishing lures are already emerging in the wild.

But here's what I've seen consistently across two decades in this field: organizations that invest in regular training, run phishing simulations, enforce MFA, and adopt zero trust principles see dramatically lower breach rates. Not zero — there's no such thing as zero risk. But dramatically lower.

The moment you define phishing as a people problem rather than purely a technology problem, your entire defensive strategy shifts. You stop buying more tools and start building more resilient humans. That's where the real security gains live.

Start with awareness. Start with your people. The attacks aren't slowing down, but your organization doesn't have to be an easy target.