36% of All Breaches Start With a Phishing Email

The 2021 Verizon Data Breach Investigations Report made something painfully clear: phishing was involved in 36% of all confirmed data breaches — up from 25% the year before. That's not a trend. That's an escalation. And if your organization still treats phishing awareness as a once-a-year checkbox exercise, you're playing a game you're going to lose.

I've spent years watching companies get compromised not because their firewalls failed, but because one employee clicked one link in one email. Phishing — sometimes misspelled as "phising" in search bars everywhere — remains the single most effective weapon in a threat actor's arsenal. This post breaks down why it keeps working, what the latest attacks look like, and the specific, practical steps that actually reduce your risk.

What Is Phishing? A Quick Answer for the Searchers

Phishing is a social engineering attack where a threat actor sends a fraudulent message — usually an email — designed to trick the recipient into revealing sensitive information, clicking a malicious link, or downloading malware. The goal is typically credential theft, financial fraud, or establishing a foothold for ransomware deployment. It works because it targets human behavior, not technical vulnerabilities.

If you searched for "phising," you're looking for the right thing. The spelling trips people up, but the threat is deadly serious regardless of how you type it into Google.

The $4.88M Lesson Most Organizations Learn Too Late

According to IBM's 2021 Cost of a Data Breach Report, the average cost of a data breach hit $4.24 million this year — the highest in 17 years. Phishing-related breaches were among the most expensive categories. And those numbers don't capture the reputational damage, the lost customers, or the months of incident response chaos that follow.

Think about the Colonial Pipeline attack from May 2021. While the initial vector involved a compromised VPN credential, the broader lesson is the same: a single stolen credential can shut down critical infrastructure. Phishing is the number one way credentials get stolen in the first place.

I've personally reviewed incident reports where a single phishing email led to a wire transfer fraud exceeding $400,000. The employee thought they were responding to the CEO. They weren't. The money was gone in 90 minutes.

Why Phishing Keeps Working in 2021

The Emails Look Legitimate — Because They Basically Are

Gone are the days of broken English and Nigerian prince scams. Modern phishing campaigns use pixel-perfect replicas of Microsoft 365 login pages, DocuSign notifications, and Zoom meeting invites. Threat actors scrape LinkedIn to personalize emails with your name, your job title, and your boss's name.

I've seen phishing emails that were virtually indistinguishable from real IT department communications. The only giveaway was a single character difference in the domain name — and most employees aren't trained to look for that.

Remote Work Blew the Doors Wide Open

The shift to remote work in 2020 and 2021 created a perfect storm. Employees are isolated from IT teams, using personal devices, and drowning in email notifications. The FBI's Internet Crime Complaint Center (IC3) reported that phishing complaints more than doubled from 2019 to 2020, jumping from 114,702 to 241,342. The 2021 numbers are tracking to be just as bad.

When everyone communicates through email and chat, every message looks like it could be real. That's exactly what attackers count on.

Phishing Kits Are Now a Commodity

You don't need to be a sophisticated hacker to launch a phishing campaign anymore. Underground markets sell ready-made phishing kits — complete with cloned login pages, hosting infrastructure, and even customer support — for as little as $50. This has dramatically lowered the barrier to entry for credential theft operations.

The Anatomy of a Modern Phishing Attack

Here's what a typical 2021 phishing attack looks like, step by step:

  • Reconnaissance: The attacker identifies your organization, key employees, and the email platforms you use. LinkedIn and your company website provide most of what they need.
  • Lure creation: They craft an email mimicking a trusted source — Microsoft, your HR department, a vendor. The email contains urgency: "Your password expires in 2 hours" or "Review this invoice immediately."
  • Credential harvesting: The link leads to a cloned login page. The employee enters their username and password. The attacker now has valid credentials.
  • Lateral movement: Using those credentials, the attacker accesses email, cloud storage, or internal systems. They may set up email forwarding rules to intercept future messages silently.
  • Payload delivery: From a compromised internal account, the attacker sends additional phishing emails to other employees or deploys ransomware across the network.

The entire chain — from initial email to full network compromise — can take less than four hours. I've seen it happen in under one.
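The forwarding rules mentioned in the lateral-movement step leave a trace in mailbox audit logs, which is where a defender can catch a compromised account early. As an added example (not the post's own code), the Python below triages constructed rule-creation events in a simplified schema of my own and flags external forwarding, silent deletion, and rules that act on finance-related subjects.

```python
"""Flag newly created inbox rules that look like post-compromise tampering
(added example, not from the original post). Events are constructed samples
in a simplified schema of my own, not any vendor's exact audit-log format;
New-InboxRule and Set-InboxRule are the Exchange cmdlet names."""

INTERNAL_DOMAINS = {"example.com"}  # domains this organization owns
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "mfa"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample events: a benign filter, a silent external forward,
# a rule hiding finance replies from the owner, and a non-rule operation.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "operation": "New-InboxRule",
     "rule": {"name": "Newsletters", "forward_to": [], "delete": False,
              "mark_read": False, "subject_contains": ["newsletter"]}},
    {"user": "bob@example.com", "operation": "New-InboxRule",
     "rule": {"name": ".", "forward_to": ["drop@attacker.example"], "delete": True,
              "mark_read": True, "subject_contains": []}},
    {"user": "carol@example.com", "operation": "Set-InboxRule",
     "rule": {"name": "cleanup", "forward_to": [], "delete": True,
              "mark_read": True, "subject_contains": ["invoice", "payment"]}},
    {"user": "dave@example.com", "operation": "Remove-InboxRule",
     "rule": {"name": ".", "forward_to": [], "delete": False,
              "mark_read": False, "subject_contains": []}},
]


def rule_findings(event: dict) -> list:
    """Return reasons a rule event deserves analyst review (empty if none)."""
    if event.get("operation") not in RULE_OPERATIONS:
        return []
    rule = event["rule"]
    findings = []
    for addr in rule.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            findings.append(f"forwards mail outside the organization to {addr}")
    if rule.get("delete") and rule.get("mark_read"):
        findings.append("marks read and deletes: messages vanish before the owner sees them")
    hits = SENSITIVE_WORDS.intersection(w.lower() for w in rule.get("subject_contains", []))
    if hits and (rule.get("delete") or rule.get("forward_to")):
        findings.append(f"acts on sensitive subjects: {sorted(hits)}")
    if len(rule.get("name", "")) <= 1:
        findings.append("near-empty rule name, easy to overlook in the rule list")
    return findings


def triage(events: list) -> dict:
    """Map each user whose rule raised findings to those findings."""
    return {e["user"]: r for e in events if (r := rule_findings(e))}
```

In a real deployment the same logic runs over your mail platform's rule-change audit events; the field names here are placeholders to adapt.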

What Actually Stops Phishing Attacks

Here's where I get blunt. There is no single tool, filter, or policy that eliminates phishing risk. What works is a layered approach that combines technical controls with genuine behavior change. Here are the specific measures that make a measurable difference.

1. Security Awareness Training That Doesn't Bore People to Death

Annual compliance training slides don't change behavior. Period. What does work is ongoing, scenario-based training that teaches employees to recognize social engineering tactics in context.

Your training program should cover real-world phishing examples, not abstract concepts. Employees need to see what a credential theft page looks like, understand why urgency is a red flag, and practice reporting suspicious emails. If you need a solid starting point, the cybersecurity awareness training at ComputerSecurity.us covers these fundamentals in a practical, engaging format.

2. Regular Phishing Simulations

You can't improve what you don't measure. Running regular phishing simulations — not to punish employees, but to identify knowledge gaps — is one of the most effective risk-reduction strategies available.

Organizations that run monthly phishing simulations see click rates drop from an average of 30% to under 5% within a year, according to industry benchmarks. The key is combining the simulation with immediate, constructive feedback. The phishing awareness training program at phishing.computersecurity.us is specifically designed to help organizations build this kind of simulation-and-education cycle.

3. Multi-Factor Authentication Everywhere

If an attacker steals a password through phishing, multi-factor authentication (MFA) is often the only thing standing between them and your data. CISA has called MFA one of the most important steps any organization can take to protect against credential-based attacks.

Deploy MFA on every externally facing system — email, VPN, cloud applications, admin portals. Use app-based authenticators or hardware keys. SMS-based MFA is better than nothing, but it's vulnerable to SIM-swapping attacks.

Learn more about MFA implementation from CISA's multi-factor authentication guidance.

4. Email Authentication Protocols: DMARC, DKIM, SPF

These three protocols work together to verify that an incoming email really comes from the domain it claims to come from: SPF lists which servers may send mail for the domain, DKIM adds a signature the receiving server can check, and DMARC ties both results to the visible From address and tells receivers what to do when a message fails. Without them, an attacker can spoof your CEO's email address with trivial effort.

If you haven't implemented DMARC with a policy of "reject," you're leaving the door open for impersonation attacks against your employees, customers, and partners. This is a technical control your IT team can deploy this week.

5. Zero Trust Architecture

Zero trust assumes that any user, device, or network segment could be compromised at any time. Instead of trusting everything inside the firewall, zero trust requires continuous verification.

In practice, this means segmenting your network so a compromised email account can't access financial systems. It means requiring re-authentication for sensitive operations. It means logging everything and alerting on anomalies. NIST published Special Publication 800-207 on Zero Trust Architecture — it's the definitive framework.

6. Incident Response Plan With a Phishing-Specific Playbook

When — not if — a phishing email gets through, your team needs to know exactly what to do. That means a documented playbook that covers:

  • How employees report suspected phishing (a dedicated button in Outlook or a specific email alias)
  • How the security team triages reports within minutes, not days
  • How compromised credentials are immediately revoked and sessions terminated
  • How affected systems are isolated to prevent lateral movement
  • How the phishing email is purged from all other inboxes organization-wide

If your incident response plan doesn't have a section specifically for phishing, it has a hole in it.

The Variants You Need to Watch in 2021

Spear Phishing

Targeted phishing aimed at specific individuals, usually executives or finance team members. These attacks use personal details to build trust. The FBI's IC3 reported that business email compromise — a form of spear phishing — caused $1.8 billion in losses in 2020 alone, making it the costliest cybercrime category by far. Review the full report at FBI IC3's 2020 Internet Crime Report.

Smishing and Vishing

Phishing via SMS (smishing) and via voice calls (vishing) is surging in 2021. Attackers send text messages impersonating banks, delivery services, or IT help desks. Voice phishing attacks use spoofed caller ID to impersonate trusted entities. Your security awareness training needs to cover these channels — not just email.

OAuth Consent Phishing

This newer technique tricks users into granting OAuth permissions to malicious applications. Instead of stealing a password, the attacker gets a persistent access token to the victim's cloud account. MFA doesn't help here because the user authorized the access themselves. This is particularly dangerous in Microsoft 365 and Google Workspace environments.
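Because MFA never gets another say once the user has approved the app, the defensive control is reviewing what has been consented to. Added example (not from the original post): a Python triage of constructed consent-grant records in a simplified schema of my own, flagging unverified publishers, persistent offline_access, and data scopes granted by end users rather than admins.

```python
"""Review OAuth consent grants for signs of consent phishing (added example,
not from the original post). Grants are constructed samples in a simplified
schema of my own, not a vendor export; scope names are Microsoft Graph
delegated permissions."""

# Scopes that expose mailbox, contacts or file contents to a third-party app.
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
               "MailboxSettings.ReadWrite", "Files.ReadWrite.All", "Contacts.Read"}

# Constructed sample grants: a benign app, a lookalike app with persistent
# mailbox access granted by a user, and an admin-approved backup tool.
SAMPLE_GRANTS = [
    {"app": "Contoso Expense", "publisher_verified": True, "consented_by": "user",
     "scopes": ["User.Read", "offline_access"]},
    {"app": "Office 365 Update", "publisher_verified": False, "consented_by": "user",
     "scopes": ["User.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"]},
    {"app": "Backup Service", "publisher_verified": True, "consented_by": "admin",
     "scopes": ["Files.ReadWrite.All", "offline_access"]},
]


def assess_grant(grant: dict) -> list:
    """Return review reasons; empty when the app holds no data scope."""
    scopes = set(grant["scopes"])
    data = sorted(DATA_SCOPES & scopes)
    if not data:
        return []
    reasons = []
    if not grant["publisher_verified"]:
        reasons.append(f"unverified publisher holds {', '.join(data)}")
    if "offline_access" in scopes:
        # A refresh token keeps working without new sign-in prompts, so MFA
        # gets no second chance; the grant itself has to be revoked.
        reasons.append("offline_access: access persists until the grant is revoked")
    if grant["consented_by"] == "user":
        reasons.append("granted by end-user consent without admin review")
    return reasons


def review(grants: list) -> dict:
    """Map each app needing review to its reasons, most reasons first."""
    flagged = {g["app"]: assess_grant(g) for g in grants}
    flagged = {app: r for app, r in flagged.items() if r}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))
```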

Building a Culture Where People Actually Report Phishing

Here's something I've seen kill phishing programs: punishment. When organizations discipline employees for clicking on simulated phishing emails, they create a culture of fear and hiding. Employees who fall for real phishing attacks stay silent instead of reporting them — and silence gives attackers more time.

The most resilient organizations I've worked with reward reporting. They celebrate employees who flag suspicious emails. They share anonymized metrics — "Our team reported 47 phishing attempts this month" — as a point of pride. They make the reporting process dead simple: one click, done.

When employees become your first line of detection rather than your weakest link, your entire security posture transforms.

Your Next Steps — This Week, Not Next Quarter

Phishing isn't going away. It's getting more sophisticated, more targeted, and more profitable for attackers. But the organizations that take these steps measurably reduce their risk:

  • This week: Audit your MFA deployment. Every externally facing application needs it.
  • This month: Launch a phishing simulation program. Establish your baseline click rate. Start building a training cadence with resources like the phishing awareness training at phishing.computersecurity.us.
  • This quarter: Implement DMARC enforcement on your domains. Deploy a one-click phishing report button. Review and update your incident response playbook.
  • Ongoing: Invest in continuous security awareness training through programs like ComputerSecurity.us. Make security part of your culture, not just your compliance checklist.

The threat actors aren't waiting. Neither should you.