Twilio, a company with a sophisticated security team and a tech-savvy workforce, got phished in August 2022. Attackers sent SMS messages to employees pretending to be the IT department, directing them to a fake login page. The result: compromised credentials, unauthorized access to customer data, and a breach that rippled across 163 Twilio customers — including the encrypted messaging app Signal. If a company like Twilio can fall for it, anyone can. And that starts with understanding the phishing definition as it actually plays out in the real world, not just as a textbook entry.

This post isn't a glossary page. I'm going to give you the precise phishing definition, show you what it looks like in practice with real incidents from this year, break down every major variant, and walk you through the specific steps that actually stop these attacks. If you're responsible for protecting an organization — or just your own inbox — this is what you need to know right now.

The Real Phishing Definition, Stripped of Jargon

Here's the phishing definition in plain language: phishing is a social engineering attack where a threat actor impersonates a trusted entity to trick you into handing over sensitive information, clicking a malicious link, or installing malware. The "trusted entity" can be your bank, your boss, Microsoft, the IRS, or a shipping company. The delivery mechanism can be email, text message, phone call, or even a QR code.

The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the number-one reported cybercrime in 2021, with 323,972 complaints — more than double the next category. That trend has only accelerated through 2022. You can review the full report at FBI IC3's 2021 Internet Crime Report.

What makes phishing so effective isn't technical sophistication. It's psychology. Threat actors exploit urgency, authority, fear, and curiosity. They don't need to hack your firewall when they can simply ask you for the keys.

Why the Textbook Phishing Definition Isn't Enough

Most people hear "phishing" and picture a Nigerian prince email from 2005. That mental model is dangerously outdated. Modern phishing attacks are targeted, well-researched, and nearly indistinguishable from legitimate communication.

The 2022 Verizon Data Breach Investigations Report found that 82% of data breaches involved a human element — and phishing was the top action variety in social engineering incidents. Read the full findings at Verizon's 2022 DBIR.

I've seen organizations that thought they were safe because they had a spam filter. Spam filters catch the obvious stuff. They don't catch the carefully crafted email that spoofs your CEO's display name and asks the finance team to wire $48,000 to a "new vendor." That's business email compromise (BEC), and it's a phishing variant that cost organizations $2.4 billion in 2021 according to the FBI IC3.

Every Phishing Variant You Need to Recognize

Email Phishing: The Original Attack Vector

Bulk email phishing is still the most common form. Attackers send thousands or millions of emails that mimic brands like Microsoft, Amazon, or DHL. The goal is credential theft — get you to enter your username and password on a convincing fake login page. Once they have those credentials, they're inside your accounts, your email, your cloud storage.

Spear Phishing: When They Know Your Name

Spear phishing targets a specific individual or small group. The attacker has done homework — they know your role, your colleagues' names, current projects, even your writing style from LinkedIn posts. The Twilio breach was a spear phishing attack delivered via SMS. These are dramatically harder to detect because they feel personal and contextually relevant.

Whaling: Going After the C-Suite

Whaling is spear phishing aimed at executives — CEOs, CFOs, board members. The stakes are higher, and so is the attacker's preparation. A whaling email might reference a real pending acquisition or a recent board decision. The payoff for the threat actor is enormous: access to the most privileged accounts in the organization.

Smishing and Vishing: Beyond Email

Smishing (SMS phishing) and vishing (voice phishing) have surged in 2022. The Twilio attack was smishing. Vishing attacks often involve callers posing as tech support, bank fraud departments, or government agencies. The threat actor uses urgency to prevent the victim from thinking critically. "Your account has been compromised — I need your verification code right now."

Business Email Compromise (BEC)

BEC doesn't always involve malware or malicious links. Sometimes the attacker simply compromises or spoofs an executive's email and sends a convincing request — usually involving a wire transfer, gift card purchase, or sensitive data export. It's phishing at its most refined: no attachments to scan, no links to block, just a persuasive email from what looks like the boss.

What Does a Phishing Attack Actually Look Like?

This section directly answers the question people are really asking when they search for a phishing definition: what does it look like in my inbox?

A typical phishing email has these characteristics:

  • Sender mismatch: The display name says "Microsoft Support" but the actual sender address is on a domain that has nothing to do with microsoft.com.
  • Urgency or threat: "Your account will be locked in 24 hours" or "Unusual sign-in activity detected."
  • A call to action: A link to "verify your identity" or an attachment to "review your invoice."
  • Slightly off branding: The logo looks right, but the footer text is different, or the URL in the button doesn't match the brand's real domain.
  • Generic greeting: "Dear Customer" instead of your actual name — though spear phishing will use your real name.
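As an added illustration (not code from the original post), here is a small Python checker that applies the indicators above to a message. The brand-to-domain map, the urgency phrases and both sample emails are constructed assumptions for the demo, not real mail.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands that are commonly impersonated and the domains they really send from (assumed, for the demo).
BRAND_DOMAINS = {"microsoft": ("microsoft.com",), "amazon": ("amazon.com",), "dhl": ("dhl.com",)}
URGENCY = ("24 hours", "immediately", "unusual sign-in", "will be locked", "suspended")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Hostname of a URL or bare domain, lower-cased."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(from_header, subject, body_html):
    """Return the checklist indicators triggered by one message (empty list = none)."""
    hits = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():   # display name claims a brand the address doesn't belong to
        if brand in display.lower() and not any(domain == d or domain.endswith("." + d) for d in legit):
            hits.append(f"sender mismatch: '{display}' but address domain is {domain}")
    text = (subject + " " + re.sub(r"<[^>]+>", " ", body_html)).lower()
    if any(k in text for k in URGENCY):
        hits.append("urgency or threat language")
    for href, inner in ANCHOR.findall(body_html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if re.search(r"\b\w+\.\w{2,}\b", shown) and host_of(shown) != host_of(href):
            hits.append(f"link mismatch: text shows {host_of(shown)} but points to {host_of(href)}")
        elif re.search(r"verify|confirm|review", shown, re.I):
            hits.append(f"call to action: '{shown}' -> {host_of(href)}")
    if re.search(r"dear (customer|user|member)", text):
        hits.append("generic greeting")
    return hits

# Constructed samples: a phish that triggers every indicator and a benign notice that triggers none.
PHISH = {
    "from_header": '"Microsoft Support" <support@secure-msft-login.example>',
    "subject": "Unusual sign-in activity detected",
    "body_html": "<p>Dear Customer,</p><p>Your account will be locked in 24 hours.</p>"
                 '<a href="https://secure-msft-login.example/auth">login.microsoft.com</a>',
}
LEGIT = {
    "from_header": '"Microsoft Account Team" <account-security@microsoft.com>',
    "subject": "Your monthly statement is ready",
    "body_html": '<p>Hi Dana,</p><a href="https://account.microsoft.com/billing">View statement</a>',
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(**msg) or ["no indicators"])
```

Heuristics like these are a triage aid for a mail gateway or a reporting workflow, not a verdict; a spear-phishing message that uses your real name and a clean lookalike domain will pass most of them.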

In the Cisco breach disclosed in August 2022, an attacker used vishing combined with MFA fatigue — repeatedly sending push authentication requests to an employee until they accepted one. The attacker then gained VPN access to Cisco's network. This shows how phishing has evolved beyond a single email into multi-stage attacks that chain social engineering techniques together.
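The push-bombing pattern described above is detectable in identity-provider logs. The following is an added example (not from the original post or from Cisco): a sliding-window detector over a constructed key=value push-MFA log, with the user names, timestamps and addresses all made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed push-MFA log in a generic key=value style (not real Cisco or IdP output).
LOG = """\
2022-08-10T14:02:11Z user=jdoe event=push result=denied src=203.0.113.7
2022-08-10T14:02:40Z user=jdoe event=push result=timeout src=203.0.113.7
2022-08-10T14:03:05Z user=jdoe event=push result=denied src=203.0.113.7
2022-08-10T14:03:30Z user=jdoe event=push result=denied src=203.0.113.7
2022-08-10T14:04:02Z user=jdoe event=push result=approved src=203.0.113.7
2022-08-10T14:10:00Z user=asmith event=push result=approved src=198.51.100.9
2022-08-10T15:30:00Z user=asmith event=push result=denied src=198.51.100.9
"""

def parse(line):
    """One log line -> dict with a parsed 'ts' plus the key=value fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def push_fatigue_alerts(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag users who received >= threshold push prompts within `window`.
    The alert also records whether the burst ended in an approval after
    earlier denials/timeouts, which is the pattern worth paging on."""
    recent = defaultdict(deque)   # user -> (timestamp, result) of prompts still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("event") != "push":
            continue
        user, ts, result = rec["user"], rec["ts"], rec["result"]
        q = recent[user]
        q.append((ts, result))
        while ts - q[0][0] > window:          # slide the window forward
            q.popleft()
        if len(q) < threshold:
            continue
        a = alerts.setdefault(user, {"prompts": 0, "rejected": 0, "approved_after_rejections": False})
        rejected = sum(r != "approved" for _, r in q)
        a["prompts"] = max(a["prompts"], len(q))
        a["rejected"] = max(a["rejected"], rejected)
        if result == "approved" and rejected > 0:
            a["approved_after_rejections"] = True
    return alerts

if __name__ == "__main__":
    for user, a in push_fatigue_alerts(LOG).items():
        print(f"ALERT {user}: {a}")
```

An approval that follows a run of denials is the event to treat as a probable compromise: revoke the session and reset the factor rather than just notifying the user.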

The $4.35M Reason Organizations Can't Ignore This

IBM's Cost of a Data Breach Report 2022 pegged the global average cost of a data breach at $4.35 million. Phishing was the second-most expensive initial attack vector, behind only business email compromise. And here's the kicker — breaches initiated by phishing took an average of 295 days to identify and contain.

That's nearly 10 months of an attacker inside your network, moving laterally, exfiltrating data, and setting up persistence. The cost isn't just the breach response. It's regulatory fines, class action suits, customer churn, and reputational damage that lasts years.

If your organization doesn't have a structured phishing awareness training program, you're gambling with those numbers every single day.

How to Actually Defend Against Phishing

Layer 1: Technical Controls

Start with the basics. Deploy email authentication protocols — SPF, DKIM, and DMARC. These make it significantly harder for attackers to spoof your domain. Enable multi-factor authentication (MFA) on every account that supports it, but choose phishing-resistant MFA like FIDO2 security keys over SMS codes or push notifications. The Cisco breach proved that MFA push fatigue is a real vulnerability.

CISA has published detailed guidance on phishing-resistant MFA at cisa.gov/mfa. Implement it.
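Deploying SPF and DMARC is only half the job; a record that exists but does not enforce still lets spoofed mail through. As an added example (not from the original post), this Python audit parses DMARC and SPF TXT records and reports the weak settings, with the sample records constructed for an assumed example domain.

```python
import re

def parse_tags(record):
    """Split a 'k=v; k=v' DNS TXT record (the DMARC format) into a dict."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def audit_dmarc(record):
    """Findings for a _dmarc TXT record; an empty list means the policy actually enforces."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail reaches spam folders instead of being rejected")
    sub = tags.get("sp", policy)   # subdomains inherit p unless sp overrides it
    if sub != "reject":
        findings.append(f"subdomain policy is {sub}: mail from unused subdomains is not rejected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports, so spoofing attempts stay invisible")
    return findings

def audit_spf(record):
    """Findings for an SPF TXT record: weak 'all' qualifier and the 10-lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all: every sender passes SPF")
    elif last == "?all":
        findings.append("?all: neutral result, no protection")
    elif last == "~all":
        findings.append("~all: softfail only; rely on DMARC p=reject for enforcement")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism: unlisted senders are not failed")
    lookups = sum(bool(re.match(r"^[-+~?]?(include:|a$|a[:/]|mx$|mx[:/]|exists:|redirect=)", t.lower())) for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings

# Constructed records for an assumed domain: the monitoring-only pair beside the enforcing pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
```

Feed it the TXT records pulled from DNS for your own domains; p=none with no rua is the most common finding and means DMARC is doing nothing for you yet.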

Layer 2: Phishing Simulation and Training

Technical controls are necessary but not sufficient. Your people are the last line of defense — and often the first point of failure. Regular phishing simulation exercises train employees to recognize and report suspicious messages in a controlled environment.

I've watched organizations cut their phishing click rates by 60-70% within six months of implementing consistent simulation and training programs. The key word is consistent. A one-time annual training session does almost nothing. Threat actors evolve their tactics constantly, and your security awareness program has to keep pace.

That's exactly why we built our cybersecurity awareness training course — to give organizations and individuals practical, current training that reflects how phishing actually works in 2022, not how it worked a decade ago.

Layer 3: Zero Trust Architecture

Assume breach. That's the foundational principle of zero trust. Even if a phishing attack succeeds and an attacker gets valid credentials, zero trust architecture limits the blast radius. Every access request is verified. Lateral movement is restricted. Network segmentation contains the damage.

Zero trust isn't a product you buy. It's an approach: verify explicitly, use least-privilege access, and assume the network is already compromised. NIST's Zero Trust Architecture publication (SP 800-207) is the definitive guide.

Layer 4: Incident Response Readiness

Someone in your organization will eventually click a phishing link. That's not defeatism — it's reality at scale. What matters is what happens in the next 60 minutes. Do employees know how to report a suspected phish? Does your security team have a playbook for credential compromise? Can you rapidly revoke access tokens and force password resets?

Build the playbook now. Test it quarterly. The organizations that recover quickly from phishing incidents are the ones that practiced before it mattered.

The Phishing Definition Is Evolving — Your Defenses Should Too

Five years ago, the phishing definition was largely about deceptive emails with malicious attachments. Today it encompasses SMS attacks, voice calls, QR codes, compromised OAuth tokens, adversary-in-the-middle proxy attacks, and MFA fatigue exploits. Tomorrow it will include techniques we haven't seen yet.

The constant isn't the technology — it's the human psychology being exploited. Fear, urgency, trust, and authority are the real attack surface. That's why technical controls alone will never solve this problem. You need people who can recognize manipulation when they see it.

If you're looking to build that capability in your workforce, start with a structured phishing awareness training program for your organization. Pair it with our broader cybersecurity awareness training that covers ransomware, credential theft, social engineering, and the full spectrum of threats your employees face every day.

Phishing isn't going away. It's getting sharper. The organizations that survive it are the ones that take it seriously before the breach — not after.