In March 2022, Okta disclosed that the threat actor group Lapsus$ had breached it by compromising a single third-party support engineer's laptop — an attack chain that started with social engineering and credential theft. One employee. One set of stolen credentials. And suddenly, a company trusted by thousands of organizations to manage authentication was scrambling to contain the damage. That's how a phishing attack works in the real world. Not with dramatic hacking montages — with a single convincing email and one moment of misplaced trust.
This post breaks down exactly how phishing attacks unfold in 2022, why they remain the most effective weapon in a threat actor's arsenal, and what specific steps your organization can take right now to stop them. If you're responsible for security at any level, this is the playbook you need.
The $4.88M Reason You Can't Ignore a Phishing Attack
IBM's 2022 Cost of a Data Breach Report pegs the average breach cost at $4.35 million globally. But breaches that start with phishing — the most common initial attack vector — tend to be among the most expensive. The Verizon 2022 Data Breach Investigations Report found that 82% of breaches involved a human element, including social engineering, errors, and misuse.
I've investigated incidents where a single phishing email led to full domain compromise in under 48 hours. The attacker didn't need a zero-day exploit. They didn't need to brute-force anything. They sent a convincing email, harvested credentials from a fake login page, and walked through the front door.
Your firewall doesn't stop that. Your endpoint detection might not catch it in time. The human clicking that link is your first and last line of defense — and most organizations haven't trained that human properly.
Anatomy of a Modern Phishing Attack
Let's stop talking about phishing in the abstract and walk through exactly how these campaigns work in 2022. Threat actors have professionalized their operations. Here's the typical kill chain I see in incident after incident.
Step 1: Reconnaissance
Attackers scrape LinkedIn, company websites, press releases, and social media. They identify targets by name, title, and reporting structure. They know who your CFO is. They know your new VP of Engineering just started last month. They know which vendors you use because your employees post about them publicly.
Step 2: Weaponization and Delivery
Using that reconnaissance, the attacker crafts a targeted email. It might impersonate Microsoft 365, DocuSign, your HR department, or a known vendor. The email contains either a malicious link leading to a credential harvesting page or an attachment with embedded malware. In 2022, I've seen a massive uptick in attackers using legitimate services — Google Docs, Microsoft Forms, even Notion — to host phishing pages, which helps them bypass URL reputation filters.
Step 3: Credential Harvesting
The victim clicks the link, sees a perfect replica of a login page, and enters their username and password. The attacker now has valid credentials. If your organization hasn't deployed multi-factor authentication, the game is already over. Even with MFA, sophisticated attackers use real-time phishing proxies like Evilginx2 to capture session tokens and bypass that second factor.
Step 4: Lateral Movement and Escalation
Once inside, the attacker pivots. They access email, SharePoint, internal wikis — anything the compromised account can reach. They look for credentials stored in emails, escalate privileges, and move laterally across your network. This is where a phishing attack transforms into a full-blown data breach or ransomware event.
Step 5: Exfiltration or Detonation
The endgame varies. Some attackers exfiltrate data quietly for weeks before anyone notices. Others deploy ransomware and demand payment. The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the most reported cybercrime in 2021, with over 323,000 complaints — and those are just the ones that got reported.
What Is a Phishing Attack? (The Quick Answer)
A phishing attack is a social engineering technique where an attacker sends a fraudulent message — typically via email — designed to trick the recipient into revealing sensitive information, clicking a malicious link, or installing malware. It's the most common method threat actors use to gain initial access to organizations. Variants include spear phishing (targeted), whaling (targeting executives), smishing (SMS-based), and vishing (voice-based).
Why Phishing Simulations Alone Won't Save You
I talk to security leaders every week who think running a quarterly phishing simulation checks the training box. It doesn't. Simulations are a measurement tool, not a comprehensive defense. Here's what actually works.
Layer 1: Continuous Security Awareness Training
Your employees need ongoing education — not a single annual video they click through while eating lunch. Effective cybersecurity awareness training covers the full spectrum of social engineering tactics, teaches employees to recognize credential theft attempts, and reinforces secure behavior repeatedly throughout the year.
Training must evolve as fast as the threats do. The phishing emails of 2022 look nothing like the Nigerian prince scams of 2010. Your training program needs to reflect current tactics, including the use of QR codes in phishing (quishing), callback phishing where attackers ask victims to call a number, and supply chain impersonation.
Layer 2: Targeted Phishing Awareness Programs
Generic training isn't enough for high-risk roles. Finance teams, executives, HR, and IT administrators need role-specific phishing awareness training that addresses the exact types of attacks they'll face. A controller who processes wire transfers needs different training than a developer who manages cloud infrastructure.
Layer 3: Technical Controls That Assume Humans Will Fail
Security awareness reduces risk. It doesn't eliminate it. You still need technical controls layered on top:
- Multi-factor authentication (MFA) on every account, every application, no exceptions. Hardware security keys (FIDO2) are the gold standard.
- Email authentication protocols: SPF, DKIM, and DMARC properly configured. CISA's guidance on email and web security is a solid starting point.
- Zero trust architecture: Never trust a connection based on network location alone. Verify every user, device, and session continuously.
- Endpoint detection and response (EDR): When an employee does click something malicious, EDR can catch the payload before it executes.
- DNS filtering: Block known malicious domains at the network level before the browser even loads the phishing page.
Real Phishing Attacks That Made Headlines in 2022
Let's ground this in reality with incidents that happened this year.
Okta / Lapsus$ (January 2022)
Lapsus$ compromised a third-party support engineer's account and accessed Okta's internal tools. The breach affected approximately 366 Okta customers. The initial vector involved social engineering and credential compromise — a textbook phishing-adjacent attack that demonstrates how one compromised identity can cascade across an entire supply chain.
Twilio (August 2022)
Attackers sent SMS phishing messages to Twilio employees, directing them to fake login pages impersonating Twilio's SSO portal. Multiple employees entered their credentials. The attackers then accessed internal systems and customer data, affecting at least 125 Twilio customers. This is smishing — phishing via text — and it's surging because employees have been trained to scrutinize email but often trust text messages implicitly.
Cisco (August 2022)
Cisco confirmed a breach after an employee's personal Google account was compromised, giving attackers access to credentials synced in the browser. The threat actor then used voice phishing (vishing) and MFA fatigue — repeatedly sending push notifications until the employee accepted one. Once inside the VPN, the attacker moved laterally across Cisco's network.
Notice the pattern. Every one of these breaches started with a human being manipulated. Not a software vulnerability. A person.
Building a Phishing-Resistant Culture (Not Just a Policy)
Policies are necessary. Culture is what actually changes behavior. Here's how I've seen organizations build genuine resilience against phishing attacks.
Make Reporting Easy and Rewarded
Deploy a one-click "Report Phish" button in your email client. Then actually respond when employees use it. Acknowledge every report. Publicly recognize teams with high reporting rates. When you punish people for clicking and ignore people for reporting, you create a culture of silence — which is exactly what attackers exploit.
Run Realistic Phishing Simulations Monthly
Not gotcha tests designed to humiliate. Realistic, educational simulations that mirror actual current threats. Vary the difficulty. Include spear phishing, not just mass-blast templates. Track click rates, reporting rates, and credential submission rates over time. The goal is trend improvement, not perfection.
Brief Your Executive Team Separately
Executives are high-value targets for whaling attacks. They also tend to have the most access and the least patience for security friction. I've seen CEOs who click every link in their inbox because they're moving fast. Dedicate time to brief your leadership team on the specific threats targeting them — including business email compromise (BEC), which the FBI IC3 says caused over $2.4 billion in losses in 2021.
Integrate Phishing Defense Into Onboarding
Don't wait 90 days to train new hires. Attackers know that new employees are the most vulnerable — they don't yet know internal communication norms, they're eager to please, and they'll click links from people they think are their new boss. Include phishing awareness in the first week.
The Technical Stack That Stops What Training Misses
Here's my recommended technical baseline for organizations serious about stopping phishing attacks at scale:
- FIDO2/WebAuthn hardware keys for all privileged accounts. Phishing-resistant MFA is the single highest-ROI control you can deploy.
- Conditional access policies that restrict logins to managed devices, compliant endpoints, and expected geolocations.
- Email gateway with advanced threat protection that detonates attachments in sandboxes and rewrites URLs for time-of-click analysis.
- SIEM with behavioral analytics to catch impossible travel, anomalous login patterns, and mass email forwarding rules that attackers set up after compromise.
- Automated incident response playbooks that immediately disable compromised accounts, revoke sessions, and trigger forensic collection.
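The behavioral detections named above (impossible travel, anomalous login patterns, and post-compromise forwarding rules), plus the MFA-fatigue pattern from the Cisco incident, as an added example that is not part of the original post and not tied to any particular SIEM product. The event records and their field names are constructed for illustration; "impossible travel" is approximated by the common country-change-within-a-window heuristic rather than a geodesic speed calculation.

```python
"""Post-phishing account-abuse detections over constructed sign-in events (added example)."""
from datetime import datetime

# Constructed sample telemetry, not real logs: one user is push-bombed into approving an MFA
# prompt, then signs in from another country 30 minutes later and adds an external forwarding rule.
EVENTS = [
    {"ts": "2022-08-09T13:00:00", "user": "j.doe", "type": "signin", "result": "success", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2022-08-09T13:20:00", "user": "j.doe", "type": "mfa_push", "result": "denied"},
    {"ts": "2022-08-09T13:21:00", "user": "j.doe", "type": "mfa_push", "result": "denied"},
    {"ts": "2022-08-09T13:22:00", "user": "j.doe", "type": "mfa_push", "result": "denied"},
    {"ts": "2022-08-09T13:24:00", "user": "j.doe", "type": "mfa_push", "result": "approved"},
    {"ts": "2022-08-09T13:30:00", "user": "j.doe", "type": "signin", "result": "success", "ip": "198.51.100.7", "country": "DE"},
    {"ts": "2022-08-09T13:35:00", "user": "j.doe", "type": "mailbox_rule", "target": "archive@example-mail.invalid"},
    {"ts": "2022-08-09T14:00:00", "user": "a.lee", "type": "signin", "result": "success", "ip": "192.0.2.5", "country": "US"},
]

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def impossible_travel(events, window_h=2):
    """Flag successive successful sign-ins by one user from different countries under window_h hours apart."""
    hits, last = [], {}
    for ev in sorted(events, key=_t):
        if ev["type"] != "signin" or ev["result"] != "success":
            continue
        prev = last.get(ev["user"])
        if prev and prev["country"] != ev["country"] and (_t(ev) - _t(prev)).total_seconds() < window_h * 3600:
            hits.append((ev["user"], prev["country"], ev["country"], ev["ip"]))
        last[ev["user"]] = ev
    return hits

def mfa_fatigue(events, min_denied=3, window_min=10):
    """Flag an approved MFA push preceded by at least min_denied denials within window_min minutes."""
    hits, denied = [], {}
    for ev in sorted(events, key=_t):
        if ev["type"] != "mfa_push":
            continue
        recent = [t for t in denied.get(ev["user"], []) if (_t(ev) - t).total_seconds() <= window_min * 60]
        if ev["result"] == "denied":
            recent.append(_t(ev))
        elif ev["result"] == "approved" and len(recent) >= min_denied:
            hits.append((ev["user"], len(recent), ev["ts"]))
        denied[ev["user"]] = recent
    return hits

def external_forwarding(events, internal_domain):
    """Flag mailbox rules that forward to an address outside internal_domain."""
    return [(ev["user"], ev["target"]) for ev in events if ev["type"] == "mailbox_rule"
            and not ev["target"].lower().endswith("@" + internal_domain.lower())]
```

Each detector returns the offending (user, details) tuples, which is the hand-off point for the automated playbook above: disable the account, revoke sessions, and pull the mailbox rule for forensics.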
None of these replace training. All of them complement it. The organizations I've seen weather phishing attacks successfully are the ones that invest in both human and technical defenses simultaneously.
Your Next Move
Every breach report tells the same story. Phishing works because organizations underinvest in the human layer. You can deploy every technical control on the market and still get breached if your employees can't recognize a well-crafted phishing attack.
Start with a realistic assessment of your current exposure. How many of your employees would submit credentials to a convincing phishing page today? If you don't know the answer, that's your first problem.
Build a program that combines ongoing cybersecurity awareness training with dedicated phishing awareness training for your organization, layer in the right technical controls, and measure everything. The threat actors aren't slowing down. Neither should your defenses.