In March 2022, Okta disclosed that the hacking group Lapsus$ had breached it by compromising a single third-party support contractor's account. That one successful social engineering attack gave threat actors a foothold inside an identity provider relied on by thousands of companies worldwide. If you're searching for the definition of a phishing attack, that incident is the clearest real-world example I can give you, and it's far from the only one.

Here's the plain truth: phishing isn't some abstract concept from a textbook. It's the number one method attackers use to get inside your organization. The FBI's 2021 IC3 report logged over 323,000 phishing complaints — more than any other cybercrime category, and that only counts what people actually reported.

This post gives you a precise, actionable definition of a phishing attack, breaks down the variants you'll actually encounter, and walks you through what to do about it. Whether you're a business owner, an IT admin, or someone who just got a suspicious email, this is for you.

The Real Definition of a Phishing Attack

What Is Phishing, Exactly?

Phishing is a type of social engineering attack where an attacker impersonates a trusted entity — a bank, a boss, a vendor, a cloud service — to trick the target into taking a harmful action. That action is usually clicking a malicious link, opening an infected attachment, or entering credentials into a fake login page.

The key word in that definition is impersonation. Phishing doesn't need a software vulnerability. It exploits human trust. An attacker doesn't need to break through your firewall if they can convince your accounts payable clerk to wire $50,000 to a new "vendor" account.

The definition of a phishing attack comes down to three elements: a deceptive message, a spoofed identity, and a desired action that benefits the attacker. Every variant — from mass email blasts to laser-targeted spear phishing — follows this formula.

Why the Dictionary Definition Falls Short

Most glossary definitions describe phishing as "fraudulent emails designed to steal passwords." That's dangerously incomplete. Phishing now happens over SMS (smishing), voice calls (vishing), social media DMs, QR codes, and even collaboration tools like Slack and Microsoft Teams.

I've seen organizations that trained employees to spot suspicious emails but completely ignored text-message phishing. Then an attacker sent an SMS pretending to be the CEO, and an employee handed over their multi-factor authentication code without hesitation. If your definition is too narrow, your defenses will be too.

The $4.91M Problem Hidden in Your Inbox

According to IBM's 2022 Cost of a Data Breach Report, phishing was the costliest initial attack vector, averaging $4.91 million per breach, and the second most common one. Stolen or compromised credentials, which phishing directly supplies, were the most common initial vector overall.

The 2022 Verizon Data Breach Investigations Report (DBIR) found that 82% of breaches involved a human element. Phishing and pretexting dominated the social engineering category. These aren't hypothetical risks. They're the primary way data breaches start in 2022.

Your organization doesn't need a sophisticated zero-day exploit to suffer a catastrophic breach. It needs one employee who doesn't recognize a phishing email. That's the math that should keep you up at night.

Five Phishing Variants You Need to Recognize

1. Email Phishing (Mass Campaigns)

This is the classic. Attackers send thousands or millions of emails impersonating brands like Microsoft, Amazon, or DHL. The goal is volume — even a 1% click rate on a million emails gives them 10,000 victims. These emails typically direct targets to credential theft pages that clone legitimate login portals pixel-for-pixel.

2. Spear Phishing

Spear phishing targets a specific individual using personalized information. The attacker might reference a real project, a recent conference, or a mutual contact. This is how the Okta breach started. This is how countless ransomware incidents begin. Spear phishing is harder to detect because it doesn't look generic — it looks like a real email from someone you know.

3. Business Email Compromise (BEC)

BEC is spear phishing with a financial motive. The attacker impersonates a CEO, CFO, or vendor and requests a wire transfer, a W-2 file, or a change in payment details. The FBI's IC3 report documented over $2.4 billion in BEC losses in 2021 alone. That made it the single most financially damaging cybercrime category — by a wide margin.

4. Smishing and Vishing

Smishing uses SMS text messages. Vishing uses phone calls. Both rely on the same core principle: impersonation and urgency. "Your account has been locked. Call this number immediately." "Your package couldn't be delivered. Click here to reschedule." These attacks bypass email security filters entirely, which is why they're surging.

5. Pharming and Clone Phishing

Pharming redirects users from a legitimate website to a fake one through DNS poisoning or malware. Clone phishing takes a real email the target previously received, copies it, replaces the attachment or link with a malicious one, and resends it. Both are difficult to spot because they closely mirror legitimate interactions.

How a Phishing Attack Actually Works: Step by Step

Understanding the mechanics matters more than memorizing a definition. Here's what I've seen in incident after incident:

  • Reconnaissance: The attacker researches the target organization. LinkedIn profiles, press releases, and social media give them names, titles, email formats, and relationships.
  • Crafting the lure: They create a convincing message. It might be an "urgent" invoice, a password reset notification, a shared document, or a message from the CEO.
  • Delivery: The phishing message arrives via email, SMS, or another channel. It often includes a link to a credential harvesting page or a malicious attachment.
  • Exploitation: The target clicks, enters their credentials, or opens the attachment. The attacker now has a foothold — a valid username and password, a malware implant, or both.
  • Lateral movement: With stolen credentials, the threat actor moves deeper into the network. They escalate privileges, access sensitive data, or deploy ransomware.

The entire chain — from reconnaissance to ransomware — can take less than 48 hours. In many cases, the initial phishing email to credential theft takes under 60 seconds of the victim's time.
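The crafting and delivery steps above leave fingerprints that the receiving side can check mechanically. The following is an added example, not code from the original post: a small Python analyzer that parses a raw message with the standard library and reports the indicators this section describes (a planted address in the display name, a Reply-To pointing elsewhere, a recorded DMARC failure, link text that names one host while the href goes to another, punycode hosts, urgency language). It runs against two constructed messages, one lure and one legitimate note. The domains, headers and the crude two-label domain comparison are assumptions made for the example.

```python
"""Flag common phishing indicators in a raw email (headers plus HTML body)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Urgency phrases typical of lures. Weak on its own, so it yields one finding at most.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (?:locked|suspended)|action required)\b",
    re.IGNORECASE,
)
# An address-shaped token, used to catch "ceo@victim.com" planted in a display name.
ADDR_LIKE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. Assumption: no multi-label public
    suffixes such as co.uk; production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text_or_url: str) -> str:
    """Hostname of a URL, or of bare text written like a URL."""
    candidate = text_or_url if "://" in text_or_url else "https://" + text_or_url
    return (urlparse(candidate).hostname or "").lower()


def analyze(raw: bytes) -> list[str]:
    """Return human-readable indicators found in the message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()

    # 1. Display name carries an address whose domain differs from the real sender's.
    planted = ADDR_LIKE.search(display)
    if planted and registrable(planted.group(1)) != registrable(from_dom):
        findings.append(f"display name claims {planted.group(1)} but From domain is {from_dom}")

    # 2. Replies are routed to a domain other than the sender's (classic BEC).
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = reply.rpartition("@")[2].lower()
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. The receiving MTA already recorded a DMARC failure for this message.
    if re.search(r"dmarc=fail", str(msg.get("Authentication-Results", "")), re.IGNORECASE):
        findings.append("Authentication-Results reports dmarc=fail")

    # 4. Links: visible text names one host while the href goes to another, or the
    #    destination is unrelated to the sender's domain; punycode hosts are flagged too.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(content)
        for text, href in extractor.links:
            href_host = host_of(href)
            text_host = host_of(text) if re.match(r"(https?://|www\.)", text, re.I) else ""
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(f"link text shows {text_host} but href goes to {href_host}")
            elif registrable(href_host) != registrable(from_dom):
                findings.append(f"link to {href_host} outside sender domain {from_dom}")
            if "xn--" in href_host:
                findings.append(f"punycode (IDN) host {href_host}")

    # 5. Urgency language in subject or body.
    if URGENCY.search(str(msg.get("Subject", "")) + " " + content):
        findings.append("urgency language present")
    return findings


# Constructed sample messages for the example (not real captures).
PHISH = b"""\
From: "helpdesk@example.com" <support-team@example-secure.net>
Reply-To: reset-desk@webmail-free.example
Subject: Action required: your password expires within 24 hours
Authentication-Results: mx.example.com; dmarc=fail (p=none) header.from=example-secure.net
Content-Type: text/html; charset="utf-8"

<p>Your password expires within 24 hours. Reset it at <a href="https://example-secure.net.login-portal.example/reset">https://sso.example.com/reset</a> to keep access.</p>
"""
LEGIT = b"""\
From: "Alice Example" <alice@example.com>
Subject: Notes from today's sync
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/html; charset="utf-8"

<p>Notes are on the wiki: <a href="https://wiki.example.com/notes">https://wiki.example.com/notes</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw))
```

None of these checks is a verdict on its own; mail from a third-party sender on a marketing platform will trip the "link outside sender domain" check every day. The value is in the combination, which is exactly what a trained reader does by eye.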

Why Technical Controls Alone Won't Save You

Email gateways, spam filters, DMARC, and multi-factor authentication all matter. I'd never tell you to skip them. But here's what I've seen repeatedly: organizations with robust technical controls still get breached because an employee approved an MFA push notification they shouldn't have, or because a phishing page was hosted on a legitimate cloud service that the email filter whitelisted.

Technical controls reduce volume. They don't eliminate risk. The Verizon DBIR data tells the same story year after year — the human element remains the decisive factor in most breaches.
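To make concrete why the approved-push and hosted-phishing-page cases above get past otherwise solid controls, and why the phishing-resistant FIDO2 keys this post recommends under layered defenses do not, here is an added example (not code from the original post) that models a real-time phishing proxy in Python. The victim's one-time code and push approval are relayed to the real site unchanged and accepted; a WebAuthn-style assertion is rejected because the browser, not the user, writes the origin it is actually on into the signed client data. The origins, the fixed timestamp, and the HMAC standing in for the authenticator's asymmetric signature are assumptions of the example; the TOTP routine follows RFC 6238.

```python
"""Real-time phishing proxy versus three second factors. Codes and push approvals
relay cleanly; an origin-bound WebAuthn assertion does not."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://sso.example.com"                          # the real login page (assumed)
PROXY_ORIGIN = "https://sso-example-com.login-portal.example"  # attacker's lookalike (assumed)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class RelyingParty:
    """The legitimate identity provider."""
    def __init__(self):
        self.totp_secret = secrets.token_bytes(20)
        # Simplification: a shared HMAC key stands in for the authenticator's
        # registered public key. Real WebAuthn verifies an asymmetric signature.
        self.authenticator_key = secrets.token_bytes(32)

    def challenge(self) -> str:
        return secrets.token_hex(16)

    def verify_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def verify_push(self, approved: bool) -> bool:
        # Nothing in a push approval says which site the user believed they were on.
        return approved

    def verify_webauthn(self, challenge: str, client_data: str, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
            return False                                   # wrong origin or replayed challenge
        expected = hmac.new(self.authenticator_key, client_data.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


class Victim:
    """The user together with their browser and authenticator."""
    def __init__(self, totp_secret: bytes, authenticator_key: bytes):
        self.totp_secret = totp_secret
        self.authenticator_key = authenticator_key

    def enter_totp(self, now: int) -> str:
        return totp(self.totp_secret, now)                 # typed into whatever page is shown

    def approve_push(self) -> bool:
        return True                                        # push fatigue: approves the prompt

    def webauthn_assert(self, challenge: str, browser_origin: str):
        # The browser writes the origin it is on into clientDataJSON; the user cannot change it.
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.authenticator_key, client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


def login(rp: RelyingParty, victim: Victim, factor: str, page_origin: str, now: int) -> bool:
    """One login attempt. With page_origin == PROXY_ORIGIN the attacker's reverse
    proxy sits between victim and rp and relays every message in real time."""
    challenge = rp.challenge()                             # proxy fetches this from the real site
    if factor == "totp":
        return rp.verify_totp(victim.enter_totp(now), now)  # code relayed unchanged
    if factor == "push":
        return rp.verify_push(victim.approve_push())       # approval relayed unchanged
    if factor == "webauthn":
        client_data, sig = victim.webauthn_assert(challenge, page_origin)
        return rp.verify_webauthn(challenge, client_data, sig)
    raise ValueError(factor)


def run_scenarios(now: int = 1_700_000_000) -> dict:
    rp = RelyingParty()
    victim = Victim(rp.totp_secret, rp.authenticator_key)
    return {
        "direct webauthn": login(rp, victim, "webauthn", RP_ORIGIN, now),
        "proxied totp": login(rp, victim, "totp", PROXY_ORIGIN, now),
        "proxied push": login(rp, victim, "push", PROXY_ORIGIN, now),
        "proxied webauthn": login(rp, victim, "webauthn", PROXY_ORIGIN, now),
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:18} -> {'accepted' if accepted else 'rejected'}")
```

The point the model makes is that the code and the push carry no information about where the user typed or tapped, so a proxy can forward them with zero effort; the WebAuthn client data does, and the relying party refuses it. That is what "phishing-resistant" means in practice, and it is also why no amount of training fully substitutes for it.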

This is why security awareness training isn't optional. Your people are your last line of defense and, more often, your first point of failure. A well-trained employee who pauses before clicking a link is more valuable than a six-figure email security appliance.

Building a Phishing-Resistant Organization

Start with Realistic Training

Generic "don't click suspicious links" advice is almost useless. Your employees need to see real phishing examples — the kind that actually fool smart people. They need to practice identifying spear phishing, BEC, and smishing in context.

Our cybersecurity awareness training course covers these scenarios in depth, using real-world examples and current attack techniques. It's built for organizations that want practical results, not checkbox compliance.

Run Phishing Simulations Regularly

You don't know your organization's phishing risk until you test it. Phishing simulation programs send realistic mock phishing emails to your employees and measure who clicks, who reports, and who enters credentials.

I've seen initial simulation click rates of 30% or higher in organizations that had never tested before. After several rounds of simulation plus targeted training, those rates typically drop below 5%. The data is clear — simulated phishing works. Our phishing awareness training platform helps organizations run these campaigns and track improvement over time.

Implement a Zero Trust Mindset

Zero trust isn't just a network architecture principle — it's a philosophy. Train your people to verify before trusting. If the CEO emails asking for a wire transfer, verify by phone. If IT sends a password reset link, go to the portal directly instead of clicking. If a vendor sends a new bank account, confirm through a known contact.

Every request involving credentials, money, or sensitive data should be verified through a separate channel. Period.

Layer Your Technical Defenses

  • Multi-factor authentication (MFA): Deploy phishing-resistant MFA like FIDO2 security keys wherever possible. Any one-time code or push approval can be relayed through a real-time phishing proxy, and SMS codes add SIM swapping on top of that; they are better than nothing, but they do not stop a proxied login.
  • Email authentication: Implement SPF, DKIM, and DMARC, and move the DMARC policy to p=reject once aggregate reports show your legitimate mail is passing. CISA has published extensive guidance on email security configurations.
  • Endpoint detection: Ensure endpoints can detect and quarantine malicious payloads even when a user clicks.
  • DNS filtering: Block access to known phishing domains at the network level.

Create a No-Blame Reporting Culture

Here's something most organizations get wrong. Employees who fall for phishing simulations get shamed — or worse, punished. That teaches them one thing: don't report it when it happens for real.

You want the opposite behavior. You want people to immediately report suspected phishing, even — especially — if they already clicked. The faster your security team knows about an incident, the faster you can contain it. Reward reporting. Never punish honesty.

What to Do If You've Already Clicked

If you or an employee clicked a phishing link or entered credentials into a suspicious site, here's the immediate playbook:

  • Change the compromised password immediately — and any other account that uses the same password.
  • Revoke active sessions for the affected account.
  • Enable or reset MFA on the compromised account.
  • Alert your IT/security team so they can check for lateral movement or data exfiltration.
  • Scan the device for malware if an attachment was opened.
  • Report the phishing message to your email provider, to your security team, and to the FBI's IC3 at ic3.gov if financial loss occurred.

Speed matters. In many incidents I've investigated, the window between initial credential theft and attacker access to email, cloud storage, or financial systems was less than an hour.

The Bottom Line: Phishing Is a People Problem That Requires People Solutions

The definition of a phishing attack is straightforward — it's a deceptive message designed to trick you into helping an attacker. But defending against phishing is anything but simple. It requires continuous training, regular simulation testing, layered technical controls, and an organizational culture that treats security as everyone's responsibility.

The data from IBM, Verizon, and the FBI all converge on the same conclusion: phishing is the most common, most costly, and most persistent threat vector organizations face in 2022. If your team hasn't completed security awareness training recently, or if you've never run a phishing simulation, you're operating with a gap that threat actors actively exploit every single day.

Close the gap before someone else opens it for you.