The Phishing Email That Cost Ubiquiti $46.7 Million

In 2015, networking giant Ubiquiti Networks disclosed that attackers used carefully crafted phishing emails to trick finance department employees into wiring $46.7 million to overseas accounts controlled by threat actors. The emails impersonated executives. They looked legitimate. And trained professionals fell for them.

That was seven years ago, and phishing has only gotten more sophisticated. The FBI IC3 2021 Internet Crime Report recorded over 323,000 phishing complaints — making it the number one reported cybercrime for the third consecutive year. If you're searching for phishing prevention tips, you're asking the right question. This post gives you the specific, tested strategies I've seen actually reduce phishing success rates in organizations of all sizes.

No theory. No hand-waving. Just what works.

Why Phishing Still Works in 2022

I get asked this constantly: with all the security tools available, why does phishing still work? The answer is brutally simple — phishing targets people, not systems. And people are predictable under pressure.

The 2022 Verizon Data Breach Investigations Report found that 82% of data breaches involved the human element. That includes social engineering, credential theft, and errors. Phishing is the primary delivery mechanism for ransomware, business email compromise, and account takeover attacks.

Here's what actually happens in a successful phishing attack: an employee receives an email that creates urgency — a fake invoice, a password reset, a message from the CEO. They click a link. They enter credentials on a spoofed login page. Within minutes, the attacker has access to email, cloud storage, financial systems, or customer data.

The cost? IBM's 2021 Cost of a Data Breach Report pegged the average at $4.24 million globally. For smaller organizations without deep pockets, a single successful phish can be an extinction-level event.

Phishing Prevention Tips From the Frontline

I've spent years helping organizations reduce their phishing click rates from 30%+ down to single digits. Here are the phishing prevention tips that consistently deliver results.

1. Run Realistic Phishing Simulations — Then Train on Failures

Most organizations either skip phishing simulations or run them once a year as a checkbox exercise. That's almost useless. Effective simulation programs are continuous, varied, and tied directly to training.

Here's the playbook: run monthly simulations that mirror real-world campaigns. Use current themes — package delivery alerts, Microsoft 365 login prompts, HR policy updates. When someone clicks, don't punish them. Route them immediately to targeted phishing awareness training for organizations that explains exactly what they missed and why.

Over three to six months, you'll see click rates drop dramatically. I've watched organizations go from a 28% click rate to under 4% using this approach.

2. Deploy Multi-Factor Authentication Everywhere

If I could implement only one technical control against phishing, multi-factor authentication (MFA) would be it. Even when an employee hands over their credentials on a phishing page, MFA creates a second barrier the attacker must bypass.

Prioritize MFA on email, VPN, cloud services, and any system with access to sensitive data. Hardware security keys (FIDO2/WebAuthn) are the gold standard — they're resistant to real-time phishing proxy attacks that can defeat SMS and app-based codes. At minimum, use app-based authenticators. SMS-based MFA is better than nothing, but it's vulnerable to SIM swapping.

3. Implement Email Authentication Protocols

SPF, DKIM, and DMARC aren't optional anymore. These three protocols work together to verify that incoming emails actually come from the domains they claim to come from.

DMARC with a policy of "reject" tells receiving mail servers to block messages that fail authentication checks. This prevents attackers from spoofing your exact domain in phishing campaigns targeting your employees, customers, and partners. CISA's Binding Operational Directive 18-01 required all federal agencies to implement DMARC — your organization should too.

4. Kill the Click Reflex With Verification Procedures

Wire transfers, credential resets, sensitive data requests — any action with financial or security consequences needs a verification step that exists outside of email.

Establish a simple rule: if an email asks you to send money, change payment details, share credentials, or download a file from someone you weren't expecting, verify by phone or in person. Not by replying to the email. Not by using a phone number in the email. Use a known, trusted contact method.

This single procedural control would have prevented the Ubiquiti breach and countless business email compromise attacks.

5. Inspect URLs Before Clicking — Every Time

Train your people to hover over links before clicking. The display text in an email can say anything — what matters is the actual URL destination. Look for misspelled domains, suspicious subdomains, and unfamiliar hostnames.

A phishing link might display as login.microsoft.com but actually point to login-microsoft.com.attacker-domain.ru. That small difference is the entire attack. Building this habit takes consistent reinforcement through quality cybersecurity awareness training that uses real-world examples employees will actually encounter.

6. Use Conditional Access and Zero Trust Principles

Zero trust architecture assumes that no user, device, or network segment is inherently trusted. Applied to phishing prevention, this means even valid credentials shouldn't grant unrestricted access.

Implement conditional access policies that evaluate risk signals: is the login coming from an unfamiliar location? An unmanaged device? An impossible travel scenario? These policies can block or require step-up authentication for suspicious logins — even when the attacker has a valid username and password from a successful phish.

7. Enable Advanced Email Filtering

Modern email security gateways and cloud-native protections (like Microsoft Defender for Office 365 or Google Workspace security) can detect and quarantine phishing emails using machine learning, URL sandboxing, and attachment detonation.

Configure these tools aggressively. Enable safe links and safe attachments. Block file types commonly used in phishing payloads — .iso, .html, .js, .exe, .scr. Quarantine messages with suspicious characteristics rather than delivering them with a warning banner that everyone ignores.

What Are the Most Effective Phishing Prevention Tips?

The most effective phishing prevention tips combine technical controls with continuous human training. Specifically: deploy multi-factor authentication on all critical systems, implement DMARC email authentication, run monthly phishing simulations with immediate remedial training, establish out-of-band verification procedures for financial and sensitive requests, and apply zero trust conditional access policies. No single control is sufficient. Layered defense is what actually reduces risk.

The Training Gap That Creates Breaches

Here's a pattern I see constantly: an organization buys expensive security tools, configures them reasonably well, and then does almost nothing to train the people who use those systems every day. The tools catch 95% of phishing emails. The 5% that get through land in inboxes of employees who can't recognize them.

That 5% is where breaches happen.

Security awareness isn't a one-time onboarding video. It's an ongoing program that adapts to current threats. The phishing lures your employees see in January look different from the ones they'll see in June. Tax season brings W-2 scams. The holidays bring fake shipping notifications. Current events get weaponized within hours.

Your training program needs to reflect this reality. Invest in phishing awareness training that updates regularly and uses realistic scenarios. Pair it with broader cybersecurity awareness training that covers social engineering, credential theft, ransomware, and safe browsing habits.

Build a Reporting Culture, Not a Blame Culture

One of the most underrated phishing prevention tips I can offer: make it easy and safe for employees to report suspicious emails. If people fear punishment for clicking a link, they'll hide it. And hidden compromises turn into massive breaches.

Deploy a "Report Phish" button directly in your email client. Celebrate reports — even false positives. Track reporting rates as a key metric alongside click rates. An organization where 60% of employees report a phishing simulation within the first ten minutes is far more resilient than one with a low click rate but zero reports.

When someone does click a phishing link and reports it immediately, your incident response team can act within minutes — resetting credentials, blocking the attacker's infrastructure, and containing the damage before it spreads.

Technical Checklist: Your Phishing Prevention Stack

  • MFA: Enforced on all email, VPN, cloud, and financial systems. Hardware keys preferred.
  • DMARC: Configured with a "reject" policy for your domains.
  • Email filtering: Advanced threat protection with URL sandboxing and attachment analysis enabled.
  • Conditional access: Risk-based policies blocking logins from unmanaged devices and impossible travel.
  • DNS filtering: Block known malicious domains at the network level.
  • Password manager: Auto-fill only works on legitimate domains, providing a natural phishing defense.
  • Endpoint detection and response (EDR): Catches malware payloads that arrive via phishing.
  • Automated alerting: SIEM rules that flag credential harvesting indicators.

Measure What Matters

You can't improve what you don't measure. Track these metrics monthly:

  • Phishing simulation click rate: Your primary indicator of human risk. Aim for under 5%.
  • Report rate: Percentage of employees who report simulated phishes. Higher is better.
  • Time to report: How quickly employees flag suspicious messages after delivery.
  • Training completion rate: Percentage of staff who've completed current security awareness modules.
  • Real phish detection rate: How many actual phishing emails are caught by employees vs. tools.

Present these metrics to leadership quarterly. Tie them to business risk in dollar terms. When the board sees that your click rate dropped from 22% to 3% over six months, they understand the ROI of security awareness investment.

Phishing Gets More Dangerous Every Quarter

In early 2022, we've seen a surge in phishing campaigns exploiting the Ukraine conflict, COVID booster communications, and cryptocurrency platforms. Threat actors are using legitimate services — Google Docs, SharePoint, Dropbox — to host phishing pages, making URL-based detection harder.

Attackers are also increasingly using adversary-in-the-middle (AiTM) phishing toolkits that can intercept MFA tokens in real time. This doesn't make MFA useless — it raises the bar significantly and stops the vast majority of credential theft — but it means you can't rely on any single control.

That's why these phishing prevention tips emphasize layers. Technical controls catch what they can. Trained humans catch the rest. Verification procedures limit blast radius. And monitoring catches what slips through.

Start with the items on this list that you haven't implemented yet. If you're doing none of them, start with MFA and phishing simulations — they deliver the fastest risk reduction per dollar spent. Then layer in the rest systematically.

The organizations that take phishing seriously don't just avoid breaches. They build a security culture that becomes a genuine competitive advantage. That's worth every minute you invest.