In August 2022, Twilio disclosed that a sophisticated phishing campaign had compromised employee credentials and exposed data tied to over 130 organizations — including the encrypted messaging giant Signal. A month earlier, a massive phishing operation dubbed "0ktapus" by researchers at Group-IB had already hit over 130 companies. If you follow phishing news at all, 2022 has been relentless. These aren't isolated incidents. They're signals of a broader shift in how threat actors operate.

This post breaks down the most significant phishing developments of 2022, explains the tactics behind them, and gives you specific steps to protect your organization right now. If you've been putting off security awareness training, the news this year should change your mind.

The Phishing News That Defined Early 2022

Let's start with the numbers. The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the most common cybercrime in 2021, with over 323,000 complaints — and 2022 is tracking even higher. The 2022 Verizon Data Breach Investigations Report (DBIR) confirmed that 82% of breaches involved a human element, with phishing and credential theft leading the pack.

That's not a theoretical risk. That's the actual shape of the threat landscape your organization faces today.

Twilio and the 0ktapus Campaign

The Twilio breach is a case study in modern phishing. Attackers sent SMS messages to employees that impersonated Twilio's IT department, directing them to a fake Okta login page. Employees entered their credentials. Attackers walked right in.

Group-IB researchers traced the campaign back to a larger operation they called "0ktapus," which targeted companies using Okta for identity management. Over 9,900 credentials were stolen across 130+ organizations. The attackers didn't exploit a software vulnerability. They exploited people.

The Mailchimp Breach in March

In March 2022, Mailchimp disclosed that attackers used a social engineering attack against its employees to gain access to internal tools. The breach exposed data from 319 Mailchimp accounts, many of which belonged to cryptocurrency-related companies. Attackers then used that data for downstream phishing campaigns against those companies' customers.

This is the multiplier effect. One successful phish leads to compromised data, which fuels the next wave of attacks. It's a supply chain of fraud.

Microsoft: Still the Most Impersonated Brand

According to multiple threat intelligence reports published in the first half of 2022, Microsoft remains the most impersonated brand in phishing attacks. Attackers craft fake Microsoft 365 login pages, fake OneDrive share notifications, and fake Teams messages. Your employees see these brands every day, which is exactly what makes the impersonation so effective.

Why 2022 Phishing Attacks Look Different

If you're still picturing phishing as a badly spelled email from a Nigerian prince, you're defending against threats from 2005. The phishing news in 2022 tells a different story entirely.

Smishing and Vishing Are Surging

The Twilio attack wasn't an email. It was an SMS — a technique called smishing. Attackers increasingly use text messages and voice calls (vishing) because employees have been trained to scrutinize emails but not other channels. The FBI IC3 2021 Annual Report flagged the rise in callback phishing schemes, where victims are tricked into calling attacker-controlled phone numbers.

Your security awareness program needs to cover more than email. If it doesn't, you have a gap threat actors are already exploiting.

MFA Bypass Is Now Standard

Here's a reality check: multi-factor authentication is essential, but it's no longer a silver bullet. Adversary-in-the-middle (AiTM) phishing kits — like the ones Microsoft's Threat Intelligence team reported on in July 2022 — can intercept MFA tokens in real time. The attacker proxies the victim's session through a phishing site that sits between the user and the real login page. The user completes MFA. The attacker captures the session cookie.

This doesn't mean you should stop using MFA. It means you need to pair MFA with phishing-resistant methods (like FIDO2 hardware keys) and invest heavily in training your people to recognize phishing attempts before they ever reach a login page.

Phishing-as-a-Service Lowers the Bar

In 2022, threat actors don't need technical sophistication. Phishing-as-a-service platforms sell ready-made phishing kits on dark web marketplaces for a few hundred dollars. These kits come with realistic login pages, hosting infrastructure, and even customer support. The barrier to entry for launching a phishing attack has never been lower.

What Does a Phishing Attack Actually Cost?

The IBM Cost of a Data Breach Report 2022 put the global average cost of a data breach at $4.35 million — the highest in the report's history. Phishing was the second most expensive initial attack vector, averaging $4.91 million per breach.

For small and mid-sized businesses, those numbers are existential. You don't recover from a $4.91 million breach when your annual revenue is $10 million. And that figure doesn't count the reputational damage, the lost customers, or the regulatory consequences.

The $4.35M Question: What Actually Stops Phishing?

I've spent years watching organizations throw money at email filters and gateway appliances while ignoring the humans clicking the links. Technology matters, but it's only half the equation. Here's what works.

1. Run Realistic Phishing Simulations

The most effective security programs test employees with realistic phishing simulations on a regular cadence. Not once a year — monthly, at minimum. You need to measure click rates, report rates, and time-to-report. If you're not running simulations, you're guessing at your risk. Our phishing awareness training for organizations is built around exactly this kind of hands-on approach.

2. Train Beyond Email

As the Twilio breach proved, phishing now comes through SMS, voice calls, social media DMs, and collaboration platforms like Slack and Teams. Your training must cover the full spectrum of social engineering vectors. If your employees only know how to spot a suspicious email, they'll fall for a suspicious text.

3. Implement Phishing-Resistant MFA

CISA issued guidance in 2022 specifically recommending phishing-resistant MFA methods like FIDO2/WebAuthn. Traditional SMS-based MFA is better than nothing, but it's vulnerable to SIM swapping and AiTM attacks. Hardware security keys eliminate the phishing risk at the authentication layer. CISA's MFA guidance is a solid starting point.
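To show why the FIDO2/WebAuthn methods recommended here hold up against the AiTM relay described under "MFA Bypass Is Now Standard", here is an added example (my own illustration, not code from Twilio, Okta, Microsoft or CISA) of the checks a relying party runs on a WebAuthn login assertion. The site name, the allowed origin list and the helpers that fabricate browser and authenticator output are assumptions, and every sample value is constructed.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party settings (example values, not from the post).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks on a WebAuthn assertion; returns (ok, reason).
    The browser fills in `origin` itself, so a page relayed through an AiTM
    proxy on another origin cannot make it match. Signature verification over
    auth_data || sha256(clientDataJSON) is omitted for brevity."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
        challenge = b64url_decode(str(client_data.get("challenge", "")))
    except (ValueError, AttributeError):
        return False, "clientDataJSON is malformed"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (replayed or unrelated assertion)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party (proxied login?)"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON a browser at `origin` emits."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())

def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticator data: rpIdHash || flags (UP set) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
```

Because the browser writes the origin into clientDataJSON and the authenticator binds the assertion to the rpId, a login proxied through a lookalike domain fails these checks even though the user completed the ceremony, which is the property an SMS code or push prompt lacks.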

4. Adopt Zero Trust Architecture

Zero trust isn't a product you buy. It's a strategy that assumes no user, device, or network connection is inherently trusted. Every access request is verified. This limits the blast radius when a phishing attack does succeed — and statistically, one eventually will.

5. Build a Reporting Culture

In my experience, the organizations that recover fastest from phishing incidents are the ones where employees feel safe reporting mistakes without fear of punishment. If someone clicks a bad link and immediately reports it, your incident response team can contain the damage in minutes. If they hide it out of fear, you lose hours or days.
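As an added example that is not part of the post or any vendor's product, this Python snippet computes the three simulation metrics named in step 1 (click rate, report rate, time-to-report) and flags the case step 5 is about: people who clicked and never told anyone. The event log is constructed sample data, and the event names and record layout are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed simulation event log (sample data, not from a real campaign).
# One campaign, five recipients; events are (user, kind, ISO timestamp).
EVENTS = [
    ("alice", "sent", "2022-08-10T09:00:00"),
    ("alice", "reported", "2022-08-10T09:04:00"),
    ("bob", "sent", "2022-08-10T09:00:00"),
    ("bob", "clicked", "2022-08-10T09:02:00"),
    ("bob", "reported", "2022-08-10T09:20:00"),
    ("carol", "sent", "2022-08-10T09:00:00"),
    ("carol", "clicked", "2022-08-10T10:15:00"),
    ("dave", "sent", "2022-08-10T09:00:00"),
    ("erin", "sent", "2022-08-10T09:00:00"),
    ("erin", "reported", "2022-08-10T09:45:00"),
]

def classify(times):
    """Outcome for one recipient from the timestamps of their events."""
    if "clicked" in times and "reported" in times:
        return "clicked_then_reported"   # contained because they spoke up
    if "clicked" in times:
        return "clicked_unreported"      # the case that needs follow-up
    if "reported" in times:
        return "reported_without_clicking"
    return "ignored"

def summarize(events):
    """Click rate, report rate and median time-to-report over one campaign."""
    per_user = {}
    for user, kind, ts in events:
        per_user.setdefault(user, {})[kind] = datetime.fromisoformat(ts)
    if not per_user:
        raise ValueError("no events in campaign")
    outcomes = {user: classify(times) for user, times in per_user.items()}
    n = len(per_user)
    minutes_to_report = [
        (t["reported"] - t["sent"]).total_seconds() / 60
        for t in per_user.values() if "reported" in t
    ]
    return {
        "recipients": n,
        "click_rate": sum("clicked" in t for t in per_user.values()) / n,
        "report_rate": len(minutes_to_report) / n,
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        "needs_follow_up": sorted(u for u, o in outcomes.items() if o == "clicked_unreported"),
    }
```

Tracking the clicked-but-unreported list per campaign, rather than only the click rate, is what turns a simulation into a measure of the reporting culture.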

How Do I Stay Updated on Phishing News?

Staying current on phishing news means following the right sources. I recommend monitoring CISA's alerts page, the FBI IC3 annual reports, and the Verizon DBIR. Vendor threat intelligence blogs from Microsoft, Google TAG, and Proofpoint also publish detailed breakdowns of active phishing campaigns. Subscribe to RSS feeds or email digests — don't rely on social media algorithms to surface critical security updates.

And most importantly, translate the news into action. Every major phishing incident is a training opportunity. When the Twilio breach hit the news, that's the day to send a company-wide reminder about SMS phishing. Tie your awareness program to real-world events.

Phishing News Should Change Your Training Program

Here's what I tell every organization I work with: your security awareness training should evolve as fast as the threats do. The phishing tactics that dominated 2021 are not the same ones dominating 2022. AiTM attacks, smishing campaigns, and phishing-as-a-service platforms have changed the game.

If your last training session used examples from two years ago, your employees are preparing for a threat that no longer exists in its original form. Regular, updated training is the single most cost-effective defense against phishing.

Our cybersecurity awareness training program covers the latest tactics — from credential theft and ransomware delivery to social engineering across every communication channel your employees use. It's built to keep pace with the phishing news that matters.

What the Rest of 2022 Will Bring

Based on the trajectory I'm seeing, expect more phishing attacks targeting identity providers. Okta, Azure AD, and Google Workspace are high-value targets because compromising them gives attackers access to dozens of downstream applications. The 0ktapus campaign proved this model works at scale.

Also expect more callback phishing — those emails that don't contain a malicious link at all, just a phone number. They bypass every email security filter because there's nothing technically malicious in the message. The attack happens when the victim picks up the phone.

And expect the volume to keep rising. Phishing is the lowest-effort, highest-reward attack vector available to cybercriminals. As long as humans make decisions about what to click, phishing will remain the dominant initial access method.

Your Move

Every piece of phishing news in 2022 points to the same conclusion: the human layer is your most attacked surface, and it's probably your least defended. Technology helps. Policies help. But training your people to recognize, resist, and report phishing is what actually moves the needle.

Don't wait for your organization to become the next headline. Start building phishing resilience today with a structured phishing simulation program and a comprehensive security awareness training curriculum that reflects the threats of 2022 — not 2019.