In March 2022, the threat actor group Lapsus$ breached Okta, Microsoft, and Samsung — not through some sophisticated zero-day exploit, but through phishing scams and social engineering that tricked employees into handing over credentials. A group reportedly led by teenagers compromised some of the largest technology companies on the planet. If that doesn't make you rethink your organization's defenses, nothing will.
This post breaks down how phishing scams actually work in 2022, why your current email filters aren't enough, and the specific steps that reduce your risk by measurable amounts. I've spent years helping organizations build defenses against these attacks, and I'm going to share what actually moves the needle.
The $44 Million Problem You're Already Facing
The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the most common cybercrime in 2021, with 323,972 complaints. Victims reported losses exceeding $44 million from phishing and related schemes. And those are just the cases people actually reported.
The 2022 Verizon Data Breach Investigations Report found that 82% of data breaches involved a human element — phishing, stolen credentials, or simple errors. The report specifically noted that phishing was present in 36% of breaches, up from 25% the prior year. That's not a trend line any security professional wants to see.
Here's what makes this worse: these numbers undercount the real damage. A successful phishing scam rarely stays contained. One stolen credential leads to lateral movement, ransomware deployment, data exfiltration, and regulatory penalties. The IBM Cost of a Data Breach Report 2022 pegged the average breach cost at $4.35 million globally — and phishing was the second most expensive initial attack vector at $4.91 million per breach.
How Modern Phishing Scams Actually Work
Forget the Nigerian prince emails. Today's threat actors run sophisticated operations that would impress most marketing departments.
Business Email Compromise (BEC)
BEC attacks don't even need malware. A threat actor researches your organization on LinkedIn, identifies the CFO and a vendor relationship, then spoofs an email requesting a wire transfer. The FBI reported BEC caused $2.4 billion in losses in 2021 — making it the single most financially damaging cybercrime category.
I've seen BEC attacks where the attacker monitored a compromised mailbox for weeks, studying communication patterns, before inserting a single fraudulent invoice into an existing email thread. The finance team had no reason to question it.
Credential Harvesting at Scale
The most common phishing scams in 2022 redirect victims to convincing login pages for Microsoft 365, Google Workspace, or banking portals. Toolkits like EvilProxy and Evilginx2 act as reverse proxies that capture credentials and session tokens in real time — defeating basic multi-factor authentication.
Once an attacker has valid credentials, they're no longer an outsider. They're inside your environment, reading email, accessing SharePoint, and pivoting to higher-value targets.
Smishing and Vishing Are Exploding
SMS-based phishing (smishing) surged in 2022. Fake delivery notifications from USPS, FedEx, and Amazon became so prevalent that the FTC issued specific consumer warnings. Voice phishing (vishing) is also growing — the Lapsus$ group used phone calls to IT help desks to reset passwords and bypass security controls.
Why Your Email Filter Isn't Saving You
Modern email security gateways catch a lot. They block known malicious domains, scan attachments, and flag suspicious senders. But they have a fundamental limitation: they're fighting yesterday's war.
Threat actors rotate domains every few hours. They host phishing pages on legitimate services like Google Forms, Microsoft Azure, and Amazon S3. They send links through trusted platforms like Dropbox and SharePoint. Your email filter sees a link to sharepoint.com and lets it through — because it is sharepoint.com. The malicious content sits one redirect away.
According to CISA's analysis, most phishing campaigns now use some form of legitimate infrastructure to evade detection. CISA's Shields Up guidance explicitly recommends layered defenses because no single technology stops all phishing attempts.
Technology is necessary but insufficient. The human layer is where most phishing scams succeed or fail.
What Is a Phishing Scam? (And Why Definitions Still Matter)
A phishing scam is a social engineering attack where a threat actor impersonates a trusted entity — via email, text, phone, or other communication — to trick a victim into revealing sensitive information, clicking a malicious link, or taking a harmful action like transferring funds. Phishing scams exploit human psychology (urgency, authority, fear) rather than technical vulnerabilities.
I define it this way because your employees need to understand the psychology, not just the technology. If they only learn to spot bad grammar and suspicious links, they'll miss the well-crafted BEC that reads exactly like their CEO's writing style.
Five Defenses That Actually Reduce Phishing Risk
I've worked with organizations that cut their phishing click rates from 35% to under 5% in twelve months. Here's what they did — and didn't do.
1. Run Continuous Phishing Simulations
One-and-done annual training doesn't work. The organizations that see real improvement run monthly phishing simulations with escalating difficulty. They start with obvious red flags and gradually introduce realistic scenarios — spoofed internal senders, urgent HR policy changes, fake MFA prompts.
The point isn't to punish people who click. It's to build pattern recognition. Every simulation should include immediate feedback: "Here's what you missed. Here's what to look for next time." Our phishing awareness training for organizations is built around this exact model — practical, scenario-based learning that mirrors real-world attacks.
2. Deploy Phishing-Resistant MFA
Standard MFA (SMS codes, push notifications) is better than passwords alone, but it's not phishing-proof. The Lapsus$ attacks proved that MFA fatigue — bombarding a user with push notifications until they approve one — actually works against organizations.
Move to phishing-resistant MFA: FIDO2 security keys or certificate-based authentication. NIST recommends hardware-based authenticators as the strongest option. If FIDO2 keys aren't feasible across your entire organization, at minimum deploy them for privileged accounts, finance teams, and IT administrators.
3. Implement a Zero Trust Architecture
Zero trust assumes breach. Every access request gets verified regardless of network location. This means even if a phishing scam compromises one credential, the blast radius stays limited.
Practical zero trust steps for mid-size organizations: segment your network, enforce least-privilege access, require device health checks before granting access, and monitor for anomalous behavior. You don't need to buy a "zero trust platform" — you need to apply the principles systematically.
4. Build a Reporting Culture, Not a Blame Culture
The single most underrated defense against phishing scams is a workforce that reports suspicious emails quickly. In my experience, organizations that punish or shame employees for clicking links end up with a worse problem: employees who click and don't tell anyone.
Make reporting easy — a one-click button in the email client. Celebrate reports publicly. Track "report rate" as a metric alongside "click rate." A high report rate means your security culture is working, even if a few people still click.
5. Train Every Person, Not Just Employees
Contractors, vendors, and temporary staff often have access to your systems but skip your training. They're prime phishing targets. Extend your cybersecurity awareness training to everyone with a login — no exceptions. The weakest link in your chain isn't always who you expect.
The Ransomware Connection Most People Miss
Phishing is the front door for ransomware. The Conti ransomware group's leaked playbooks — published in early 2022 after a disgruntled affiliate dumped internal communications — showed that phishing emails delivering BazarLoader and TrickBot were standard initial access methods. Once inside, the group would spend days or weeks mapping the network before encrypting everything.
The Colonial Pipeline attack in May 2021, which caused fuel shortages across the U.S. East Coast, started with a single compromised credential. While the exact initial access method involved a legacy VPN account, the incident underscored a critical reality: one credential is all it takes. Phishing scams are the most common way attackers get that first credential.
Stopping phishing at the inbox level disrupts the entire ransomware kill chain before it starts.
Metrics That Tell You If Your Defenses Work
Too many organizations measure security awareness by completion rates — "98% of employees finished the training module." That tells you nothing about actual resilience.
Track these instead:
- Phishing simulation click rate: Measure monthly. Industry average hovers around 15-20% on initial tests. Target under 5% within a year.
- Report rate: What percentage of simulated phishing emails get reported? Aim for higher than your click rate.
- Time to report: How quickly do employees flag suspicious emails? Under 10 minutes for the first report is strong.
- Repeat clickers: Identify individuals who click across multiple simulations. They need targeted, one-on-one coaching — not more generic videos.
- Credential exposure: Monitor dark web marketplaces and paste sites for your organization's credentials. Services exist that automate this.
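As an added example that is not part of the original post, the following Python computes the first four metrics above (click rate, report rate, time to first report, repeat clickers) over constructed simulation records; the record layout, user names and timestamps are assumptions, not real data.

```python
"""Phishing-simulation metrics over constructed records (example, not the post's code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one row per recipient per campaign.
# Fields: campaign, user, sent_at, clicked_at (or None), reported_at (or None)
SAMPLE_EVENTS = [
    ("2022-09", "alice", "2022-09-05T09:00:00", None, "2022-09-05T09:04:00"),
    ("2022-09", "bob",   "2022-09-05T09:00:00", "2022-09-05T09:12:00", None),
    ("2022-09", "carol", "2022-09-05T09:00:00", "2022-09-05T09:30:00", "2022-09-05T09:31:00"),
    ("2022-09", "dave",  "2022-09-05T09:00:00", None, None),
    ("2022-10", "alice", "2022-10-03T10:00:00", None, "2022-10-03T10:02:00"),
    ("2022-10", "bob",   "2022-10-03T10:00:00", "2022-10-03T10:20:00", None),
    ("2022-10", "carol", "2022-10-03T10:00:00", None, "2022-10-03T10:15:00"),
    ("2022-10", "dave",  "2022-10-03T10:00:00", "2022-10-03T11:00:00", None),
]

def _ts(s):
    return datetime.fromisoformat(s) if s else None

def campaign_metrics(events):
    """Return {campaign: {click_rate, report_rate, minutes_to_first_report}}."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e[0]].append(e)
    out = {}
    for camp, rows in by_campaign.items():
        n = len(rows)
        clicks = sum(1 for r in rows if r[3])
        # Minutes from send to each report; the minimum is "time to first report".
        reports = [(_ts(r[4]) - _ts(r[2])).total_seconds() / 60 for r in rows if r[4]]
        out[camp] = {
            "click_rate": clicks / n,
            "report_rate": len(reports) / n,
            "minutes_to_first_report": min(reports) if reports else None,
        }
    return out

def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns (coaching list)."""
    clicked = defaultdict(set)
    for camp, user, _sent, clicked_at, _reported in events:
        if clicked_at:
            clicked[user].add(camp)
    return sorted(u for u, camps in clicked.items() if len(camps) >= min_campaigns)

def meets_targets(m, max_click=0.05):
    """The post's targets: click rate under 5% and report rate above click rate."""
    return m["click_rate"] < max_click and m["report_rate"] > m["click_rate"]
```

A real deployment would read these rows from the simulation platform's export; the functions only depend on the five fields shown.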
These metrics give your board and leadership team real data, not compliance theater.
What To Do This Week
If you're reading this and wondering where to start, here's a five-day action plan:
Monday: Audit who has access to your environment — employees, contractors, vendors. Identify anyone who hasn't completed security awareness training.
Tuesday: Send your first phishing simulation. Use a realistic scenario — a password reset email from your actual email provider. Measure who clicks.
Wednesday: Review your MFA deployment. Identify privileged accounts still using SMS-based codes and make a plan to upgrade them.
Thursday: Set up a phishing report button in your email client if you don't have one. Communicate to all staff how to use it.
Friday: Enroll your team in structured training. Our phishing awareness program focuses on realistic scenarios and measurable improvement, and our cybersecurity awareness training covers the broader threat landscape including social engineering, credential theft, and ransomware defense.
Phishing Scams Won't Stop — But Your People Can Get Smarter
Threat actors will keep evolving their tactics. The phishing emails of 2023 will look different from those of 2022. AI-generated text will make bad grammar a thing of the past. Deepfake voice calls will make vishing harder to detect.
But the fundamentals don't change: verify before you trust, report what looks suspicious, and assume that any unsolicited request for credentials or money is a social engineering attempt until proven otherwise.
The organizations that invest in continuous training, phishing simulation, phishing-resistant MFA, and zero trust architectures will be the ones that don't end up in the next Verizon DBIR case study. The ones that rely on email filters and annual compliance videos will keep writing very large checks to incident response firms.
Which one are you going to be?