A Single Phish Cost Twilio 163 Million User Records

In August 2022, Twilio — a company that powers authentication for thousands of apps — confirmed that attackers used SMS-based phishing to compromise employee credentials. That single phish gave threat actors access to data from 163 customer accounts, which cascaded into a breach at Signal affecting roughly 1,900 users. Twilio isn't a small startup staffed by amateurs. They're a publicly traded tech company with a dedicated security team.

If Twilio can get caught, your organization can too. And that's the uncomfortable truth about the humble phish: it doesn't need to be sophisticated. It just needs one person to click.

I've spent years watching organizations invest heavily in firewalls, endpoint detection, and zero trust architecture — then lose everything because an employee pasted their credentials into a fake login page. This post breaks down why phish attacks remain the most effective weapon in a threat actor's arsenal, what the data actually says about who falls for them, and what you can start doing this week to reduce your exposure.

What Exactly Is a Phish Attack?

A phish is a deceptive message — typically email, SMS, or voice — designed to trick the recipient into revealing sensitive information, clicking a malicious link, or downloading malware. The goal is almost always credential theft, financial fraud, or initial access for ransomware deployment.

Phishing falls under the broader category of social engineering. Rather than exploiting software vulnerabilities, the attacker exploits human trust, urgency, and habit. That's what makes it so hard to patch.

The Numbers Are Getting Worse, Not Better

The 2022 Verizon Data Breach Investigations Report found that 82% of breaches involved a human element — phishing, stolen credentials, or simple errors. Phishing was the second most common action variety in breaches, and the single most common vector in social engineering attacks. You can read the full report at Verizon's DBIR page.

The FBI's Internet Crime Complaint Center (IC3) reported over 300,000 phishing complaints in 2021 alone — making it the most reported cybercrime category for the third consecutive year. By the time 2022 numbers close out, I expect that trend to hold. The FBI IC3 data paints a clear picture: phish volume is rising and success rates remain stubbornly high.

Here's what bothers me most. Organizations know phishing is a problem. Most employees have heard the word. And yet click rates on phishing simulations at untrained organizations routinely hover between 20% and 35%. One in four employees will take the bait on a moderately convincing phish. That's not a technology problem. That's a training problem.

Why Your Employees Keep Falling for the Same Tricks

The Urgency Trap

The most effective phish messages create a sense of urgency. "Your account will be locked in 24 hours." "Approve this wire transfer by noon." "HR needs your updated W-2 information today." When people feel time pressure, they skip the mental checklist that would normally catch a suspicious email.

I've reviewed phishing simulation campaigns where messages mimicking IT password resets had click rates above 40%. The email looked routine. It felt urgent. People complied without thinking.

Brand Impersonation Has Never Been Easier

Threat actors don't need to be graphic designers anymore. Phishing kits — pre-built packages that replicate login pages for Microsoft 365, Google Workspace, DocuSign, and others — are widely available on dark web marketplaces. A convincing phish with a pixel-perfect Microsoft login page takes minutes to set up.

In the Twilio incident, attackers registered domains that closely mimicked Twilio's internal SSO page. The fake page looked identical. Employees entered their credentials. Game over.

Multi-Factor Authentication Isn't a Silver Bullet

I hear this constantly: "We have MFA, so phishing isn't a concern." Wrong. Adversary-in-the-middle (AitM) phishing kits like EvilProxy and Evilginx2 can intercept MFA tokens in real time. The employee enters their credentials and their one-time code on the fake page, and the attacker relays both to the real service instantly.

MFA raises the bar. It doesn't eliminate the risk. You still need employees who can recognize a phish before they reach the login page at all.

Real Breaches That Started With a Single Phish

Uber — September 2022

In September 2022, an 18-year-old attacker breached Uber's internal systems by sending a phish to a contractor via WhatsApp. The attacker posed as Uber IT and bombarded the victim with MFA push notifications until the contractor approved one. From there, the attacker accessed internal Slack channels, vulnerability reports, and cloud infrastructure dashboards. This wasn't a nation-state operation. It was a teenager with a phish and some patience.

Cisco — August 2022

Cisco confirmed in August 2022 that an attacker gained initial access through voice phishing (vishing) targeting an employee's personal Google account. The employee's credentials synced across devices, and the attacker used that foothold to pivot into Cisco's corporate VPN. The Yanluowang ransomware gang claimed responsibility.

Axie Infinity / Ronin Network — March 2022

The $625 million Ronin Network hack — the largest DeFi theft in history at the time — reportedly started with a fake job offer sent via LinkedIn to a senior engineer at Sky Mavis. The phish delivered a malicious PDF that gave attackers access to internal systems. From there, they compromised validator nodes and drained the bridge. A phish led to a loss worth more than most companies' total valuation.

How to Actually Reduce Phish Click Rates

Step 1: Run Realistic Phishing Simulations

Generic "click here to claim your prize" simulations don't prepare employees for modern attacks. You need simulations that mimic the actual lures threat actors use against your industry — fake invoice approvals, shared document notifications, IT credential resets, and package delivery alerts.

Our phishing awareness training for organizations includes scenario-based simulations designed around the phish tactics that are actually working right now. Simulations should run monthly at minimum and rotate lure types frequently.

Step 2: Teach Recognition, Not Just Rules

"Don't click suspicious links" is useless advice because the whole point of a good phish is that it doesn't look suspicious. Effective security awareness training teaches employees to check sender domains, hover over links, question unexpected requests, and verify through a second channel before acting.

Recognition is a skill, and skills require practice. That's why our cybersecurity awareness training program focuses on pattern recognition through real-world examples rather than abstract policies.
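The two habits this step asks people to build by eye, reading the real sender domain and comparing where a link says it goes with where it actually points, can also be automated at the gateway or in a triage script. The following is an added example, not code from the original post or from any training vendor; the trusted-domain list, the sender address and the HTML snippet are all constructed for illustration.

```python
"""Mechanical versions of the checks Step 2 teaches: is the sender domain a
near-miss of a domain we trust, does the display name claim a brand the
address does not come from, and does a link's visible text disagree with its
href. Added example; domains and message below are constructed."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist of domains this hypothetical organization trusts.
TRUSTED_DOMAINS = ("example.com", "microsoft.com", "docusign.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 to a trusted domain is a classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ("login.microsoft.com" -> "microsoft.com").
    A production filter would consult the public suffix list; two labels suffice here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(from_header: str) -> list[str]:
    """Flag lookalike sender domains and brand names in the display name."""
    findings = []
    display, addr = parseaddr(from_header)
    domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if not domain:
        return ["sender address missing or malformed"]
    if domain in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        dist = edit_distance(domain, trusted)
        if 0 < dist <= 2:
            findings.append(f"sender domain {domain!r} is a near-match for trusted {trusted!r}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower():
            findings.append(f"display name {display!r} claims {brand!r} but address is @{domain}")
    return findings


LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def check_links(html: str) -> list[str]:
    """Flag anchors whose visible text names one host but whose href goes somewhere else."""
    findings = []
    for href, text in LINK_RE.findall(html):
        target = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown:
            shown_dom = registrable_domain(shown.group(1))
            if shown_dom != target:
                findings.append(f"link text shows {shown_dom} but points to {target}")
        elif target and target not in TRUSTED_DOMAINS:
            findings.append(f"link {text.strip()!r} points to untrusted domain {target}")
    return findings


# Constructed sample message, not taken from any real incident.
SAMPLE_FROM = '"Microsoft 365 Security" <alerts@micros0ft.com>'
SAMPLE_HTML = ('<p>Your password expires today.</p>'
               '<a href="https://micros0ft.com/reset">https://login.microsoft.com/reset</a>')

if __name__ == "__main__":
    for finding in check_sender(SAMPLE_FROM) + check_links(SAMPLE_HTML):
        print("FLAG:", finding)
```

Run against the constructed sample, the sender check produces two findings (a one-character lookalike of microsoft.com, and a display name claiming the brand) and the link check one (visible URL and href disagree). The distance threshold of 2 is deliberately tight; widening it catches more lookalikes but starts matching unrelated short domains.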

Step 3: Deploy Technical Controls as a Safety Net

Training reduces click rates. Technology catches what training misses. Layer these controls:

  • Email authentication: Enforce DMARC, DKIM, and SPF to block spoofed domains.
  • Link isolation: Use browser isolation or URL rewriting to sandbox clicked links.
  • Phishing-resistant MFA: FIDO2 security keys bind the credential to the legitimate site's origin, so an AitM proxy on a lookalike domain cannot relay the login and token theft no longer works.
  • Credential monitoring: Watch for your organization's domains appearing in phishing kits.

CISA maintains excellent guidance on phishing-resistant MFA implementation at cisa.gov/mfa.
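"Enforce DMARC, DKIM, and SPF" is easy to tick off and easy to get wrong: a DMARC record with p=none reports spoofing but still delivers it, and an SPF record ending in +all authorizes the whole internet. The script below evaluates the published records and names the weak settings next to what the strong form looks like. It is an added example, not code from the post or from CISA; the records are constructed, and a real check would fetch the TXT records from DNS (_dmarc.<domain> for DMARC, the domain itself for SPF) before handing them to these functions.

```python
"""Assess DMARC and SPF records for the settings that leave a domain spoofable.
Added example; the sample records are constructed and would normally come from DNS."""
import re


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return a list of weaknesses; an empty list means the record enforces rejection and reports."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "none")  # p is mandatory; treat a missing one as monitor-only
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    if tags.get("sp") == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected even though the main domain is")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so you cannot see who is spoofing you")
    return findings


ALL_RE = re.compile(r"[+\-~?]?all")


def _counts_as_lookup(term: str) -> bool:
    """Mechanisms and modifiers that cost one of the ten DNS lookups SPF allows."""
    name = term.lstrip("+-~?").split(":")[0].split("=")[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(record: str) -> list[str]:
    """Return a list of weaknesses in an SPF record; empty means hard fail with a sane lookup count."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    mechanisms = [t.lower() for t in terms[1:]]
    all_term = next((m for m in mechanisms if ALL_RE.fullmatch(m)), None)
    if all_term in (None, "?all", "+all", "all"):
        findings.append(f"{all_term or 'missing'} all-qualifier: any host may send as this domain")
    elif all_term == "~all":
        findings.append("~all: soft fail only; pair with DMARC p=reject to be effective")
    lookups = sum(_counts_as_lookup(m) for m in mechanisms)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, receivers treat this as permerror")
    return findings


# Constructed records: a weak pair beside a strong pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 a mx include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec, fn in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                           ("strong DMARC", STRONG_DMARC, assess_dmarc),
                           ("weak SPF", WEAK_SPF, assess_spf),
                           ("strong SPF", STRONG_SPF, assess_spf)):
        print(label, "->", fn(rec) or ["ok"])
```

The strong pair returns no findings; the weak DMARC record produces three (monitor-only policy, half coverage, no reporting address) and the weak SPF record one (+all). DKIM is not covered here because its correctness is a question of whether outbound mail is actually signed, which you verify on a sent message rather than on a DNS record.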

Step 4: Make Reporting Easy and Rewarded

If reporting a phish takes more than two clicks, employees won't do it. Deploy a one-click "Report Phish" button in your email client. Then celebrate reporters — publicly acknowledge employees who flag suspicious messages. This builds a culture where catching a phish earns recognition instead of embarrassment for almost falling for one.

Step 5: Assume Breach and Build Zero Trust

Even with the best training and tools, someone will eventually click. Zero trust architecture limits the blast radius. Segment your network. Apply least-privilege access. Require continuous authentication. Make sure that when the next phish succeeds, the attacker can't pivot from a compromised inbox to your crown jewels.

What Should You Do if an Employee Takes the Bait?

Speed matters more than blame. Here's the immediate response playbook:

  • Isolate the account: Reset credentials immediately and revoke active sessions.
  • Check for lateral movement: Review login logs, email forwarding rules, and OAuth app grants.
  • Contain the endpoint: If malware was downloaded, quarantine the device from the network.
  • Notify your security team and legal counsel: If sensitive data was exposed, you may have regulatory reporting obligations under state breach notification laws.
  • Conduct a post-incident review: What made the phish convincing? What controls failed? Feed lessons back into your training program.

Don't punish the employee who clicked. Punitive responses drive underreporting. The employee who tells you they clicked a phish in five minutes is far more valuable than the one who hides it for five days.

Why a Phish Simulation Program Pays for Itself

IBM's 2022 Cost of a Data Breach Report put the global average data breach cost at $4.35 million. Breaches where phishing was the initial attack vector averaged $4.91 million. Compare that to the cost of running a proper security awareness program with regular phishing simulations.

Organizations that invested in security awareness training and tested employees regularly saw measurably lower click rates over time. In my experience, well-run programs cut initial click rates by 60% or more within the first year. That's not theoretical — I've watched it happen across dozens of organizations.

Investing in phishing awareness is one of the highest-ROI security decisions your organization can make. Start with our organizational phishing awareness training, then build a broader security culture with the cybersecurity awareness training program.

The Phish Threat Isn't Going Away — Your Response Has to Evolve

Attackers iterate faster than most security teams update their training decks. The phish that worked in 2020 — clumsy grammar, generic greetings, obviously spoofed domains — has evolved into targeted, well-crafted social engineering that exploits real business processes and current events.

As we head into 2023, expect more MFA bypass phishing, more supply chain phish attacks targeting SaaS integrations, and more AI-assisted lure generation. The defenders who will win are the ones who treat phish defense as a continuous program, not a once-a-year compliance checkbox.

Your firewall can't read an email and decide whether the sender is lying. Your employees can — if you train them. That's the investment that matters most heading into the new year.