A Single Email Cost Ubiquiti $46.7 Million

In 2015, networking giant Ubiquiti Networks disclosed that employees had been tricked into wiring $46.7 million to overseas accounts controlled by attackers. The weapon wasn't malware or a zero-day exploit. It was email. If you've ever asked what is a phishing attack, that incident is your answer distilled to its most expensive form.

Phishing remains the single most common attack vector used against organizations of every size. According to the FBI's Internet Crime Complaint Center (IC3), phishing complaints topped their list again in 2021, with over 323,000 reported incidents — nearly triple the number from 2019. And those are just the ones people actually reported.

This post breaks down exactly how phishing works, the variants you need to recognize, and the specific steps that actually reduce your risk. No theory. Just what I've seen work — and fail — across hundreds of organizations.

What Is a Phishing Attack, Exactly?

A phishing attack is a social engineering technique where a threat actor impersonates a trusted entity — a bank, a vendor, a coworker, your CEO — to trick a target into taking a specific action. That action is usually clicking a malicious link, opening an infected attachment, or handing over credentials.

The key distinction: phishing targets humans, not systems. Your firewall doesn't stop an employee from typing their password into a spoofed Microsoft 365 login page. That's what makes it so effective and so persistent.

The Core Mechanics

Every phishing attack relies on three ingredients:

  • Impersonation: The attacker pretends to be someone or something the victim trusts.
  • Urgency or Authority: The message creates pressure — "Your account will be locked," "The CEO needs this wire transfer now," "HR requires you to update your benefits."
  • A Malicious Action: A link to a credential harvesting page, an attachment containing malware, or a direct request for sensitive data or money.

Strip any phishing email down to its skeleton and you'll find these three elements every time.

The Variants: Not All Phishing Looks the Same

When most people think about phishing, they picture the Nigerian prince email. That stereotype gets people killed — metaphorically and financially. Modern phishing is segmented, targeted, and increasingly sophisticated.

Spear Phishing

This is phishing aimed at a specific individual or small group. The attacker researches the target using LinkedIn, company websites, social media, and even prior data breaches. The 2020 Twitter hack that compromised high-profile accounts including Barack Obama and Elon Musk started with spear phishing phone calls to Twitter employees.

Spear phishing is far more dangerous than bulk phishing because the messages are personalized and believable. In my experience, even security-savvy employees fall for well-crafted spear phishing attempts.

Business Email Compromise (BEC)

BEC is spear phishing's lucrative cousin. The attacker either spoofs or actually compromises a business email account, then uses it to authorize fraudulent wire transfers or redirect payments. The FBI IC3's 2021 Internet Crime Report showed BEC accounted for nearly $2.4 billion in adjusted losses — the highest-dollar category by a wide margin.

That number should scare you. It scares me, and I've been doing this for years.

Smishing and Vishing

Smishing uses SMS text messages. Vishing uses voice calls. Same principle, different delivery channel. Smishing has surged in 2022 as organizations moved to mobile-first communication and attackers followed.

A common smishing lure right now: fake package delivery notifications from USPS, FedEx, or UPS. The link drops you on a credential harvesting site or installs mobile malware.

Clone Phishing

The attacker takes a legitimate email the target previously received — say, a real SharePoint notification — clones it, replaces the link with a malicious one, and resends it from a spoofed address. Because the victim recognizes the email format, they're far less likely to question it.

Why Phishing Still Works in 2022

I get this question constantly: "With all the technology we have, why does phishing still work?" Three reasons.

First, it targets the human layer. You can deploy the most advanced email gateway on the market, and a well-crafted phishing email will still occasionally get through. Verizon's 2022 Data Breach Investigations Report found that 82% of breaches involved the human element — including social engineering, errors, and misuse.

Second, the barrier to entry is almost zero. Phishing kits are sold on dark web marketplaces for pocket change. A threat actor with minimal technical skills can launch a convincing campaign in hours.

Third, it scales infinitely. An attacker can send 100,000 phishing emails in one batch. They only need a fraction of a percent to click. The math always works in their favor.

What Actually Happens After You Click

Understanding what a phishing attack is means understanding the kill chain that follows the initial click. Here's the typical sequence I see in incident response:

  • Credential Theft: You enter your username and password on a spoofed login page. The attacker now has your credentials. If you reuse that password anywhere — and most people do — they have access to multiple accounts.
  • Account Takeover: The attacker logs into your actual account, often within minutes. They set up mail forwarding rules to intercept password reset emails. They access internal systems, SharePoint, cloud storage, everything your account touches.
  • Lateral Movement: Using your compromised account, the attacker sends internal phishing emails to your coworkers. These internal messages have a dramatically higher success rate because they come from a trusted sender.
  • Data Exfiltration or Ransomware Deployment: The end goal varies. Some attackers steal data for sale. Others deploy ransomware. Some do both — the "double extortion" model that dominated 2021 and 2022.

The entire sequence from initial click to ransomware deployment can happen in under four hours. I've seen it happen in under one.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's Cost of a Data Breach Report 2022 pegged the average cost of a data breach at $4.35 million globally. Phishing was the second most expensive initial attack vector, with breaches initiated by phishing averaging $4.91 million. That's not a theoretical number — it accounts for detection, escalation, notification, lost business, and remediation.

For small and mid-sized businesses, a breach that severe can be existential. I've personally worked with organizations that never fully recovered from a phishing-initiated incident.

How to Defend Against Phishing: The Practical Playbook

Enough about the problem. Here's what actually works.

1. Security Awareness Training That Doesn't Put People to Sleep

Annual compliance-checkbox training is worthless. I've seen organizations that complete their yearly training module in January and suffer a phishing breach in March. The training has to be continuous, scenario-based, and relevant to the threats your employees actually face.

If you're starting from scratch or rebuilding a stale program, our cybersecurity awareness training program covers the fundamentals your entire workforce needs — from recognizing social engineering to understanding credential theft.

2. Phishing Simulations That Measure and Improve

You have to test your people. Not to shame them — to identify gaps and measure progress. Regular phishing simulations show you exactly which departments, roles, or individuals need additional training.

The organizations I see with the lowest click rates run simulations monthly and follow up with immediate, targeted training for anyone who clicks. Our phishing awareness training for organizations is built to do exactly that — simulate realistic threats and turn each failure into a learning moment.

3. Multi-Factor Authentication (MFA) Everywhere

MFA is the single most impactful technical control against credential theft from phishing. Even if an employee gives up their password, the attacker can't log in without the second factor.

Deploy MFA on every externally facing service. Email, VPN, cloud applications, administrative portals — all of it. Prefer app-based authenticators or hardware tokens over SMS-based MFA, which is vulnerable to SIM swapping.

CISA has been clear on this. Their MFA guidance calls it one of the most important steps any organization can take to reduce cyber risk.

4. Email Authentication Protocols: DMARC, DKIM, SPF

These three protocols work together to prevent attackers from spoofing your domain in phishing emails. If you haven't implemented DMARC with a "reject" policy, attackers can send emails that appear to come from your exact domain — and your customers, partners, and employees will trust them.

Check your DMARC record today. If it says "p=none," it's doing nothing. Move to "p=quarantine" and eventually "p=reject."
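To make the "check your DMARC record" step concrete, here is an added example (not code from the original post) that parses a DMARC TXT record and reports the weak settings described above: p=none, a partial pct, a subdomain policy weaker than the apex, and no reporting address. The sample records and the example.com addresses are constructed.

```python
"""Assess a DMARC TXT record for the weak settings discussed above (defender-side check)."""

# Constructed records for a hypothetical domain; in practice the record is the TXT
# value published at _dmarc.<your-domain> (e.g. from `dig TXT _dmarc.example.com`).
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half_way":     "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "enforcing":    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com",
}
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list[str]:
    """Return findings that weaken the record; an empty list means it is fully enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: first tag must be v=DMARC1"]
    findings = []
    policy = tags.get("p", "none").lower()  # p is required; a missing p is treated here like none
    if policy == "none":
        findings.append("p=none: spoofed mail is still delivered; move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail only goes to spam; finish the move to p=reject")
    elif policy != "reject":
        findings.append(f"p={policy}: not a valid policy value (none, quarantine or reject)")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()
    if STRENGTH.get(sub_policy, 0) < STRENGTH.get(policy, 0):
        findings.append(f"sp={sub_policy}: subdomains are held to a weaker policy than the apex")
    if "rua" not in tags:
        findings.append("no rua= address: without aggregate reports you cannot see who is spoofing you")
    return findings
```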

5. Zero Trust Architecture

Zero trust assumes that any account, device, or network segment could be compromised at any time. Instead of trusting users because they're "inside the network," every access request is verified continuously.

This limits the blast radius of a successful phishing attack. Even if an attacker gets in, they can't move laterally without triggering additional authentication and authorization checks.

6. Incident Response Planning for Phishing

Your employees need a clear, frictionless way to report suspected phishing. A dedicated "Report Phish" button in the email client, a Slack channel, a phone number — whatever works for your culture. The faster a phishing email gets reported, the faster your security team can pull it from every inbox.

I've seen organizations cut their phishing exposure time from hours to minutes just by making reporting easy and removing the stigma from falling for a phish.

How Do I Identify a Phishing Email?

This is the question most people are really asking when they search what is a phishing attack. Here are the concrete red flags to look for:

  • Sender address mismatch: The display name says "Microsoft Support" but the actual email address sits on an unrelated domain that has nothing to do with Microsoft.
  • Generic greetings: "Dear Customer" instead of your actual name.
  • Urgency or threats: "Your account will be suspended in 24 hours."
  • Unexpected attachments: Especially .zip, .exe, .docm, or .html files you didn't request.
  • Hover-check the links: Before clicking, hover over any link. If the URL doesn't match the supposed sender's domain, don't click.
  • Spelling and grammar errors: Less reliable than it used to be — attackers are getting better — but still a flag.
  • Requests for credentials or sensitive data: No legitimate service emails you asking for your password.

Train your people to pause for five seconds before acting on any email that triggers urgency. That five-second pause catches the majority of phishing attempts.
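Three of the red flags above (sender address mismatch, a link whose visible text does not match its destination, and a risky attachment type) can be checked mechanically. The following is an added example, not code from the original post: it runs those checks over a constructed test message built with Python's standard email library. The BRANDS table and the example.invalid addresses are assumptions for illustration, and the anchor regex is deliberately simple.

```python
"""Check an email for the red flags above: sender mismatch, link mismatch, risky attachment."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".zip", ".exe", ".docm", ".html", ".htm")
# Hypothetical brand-to-domain table; a real deployment would load a vetted list.
BRANDS = {"microsoft": "microsoft.com", "usps": "usps.com"}
# Simple anchor matcher; enough for well-formed HTML mail, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _site(value: str) -> str:
    """Last two DNS labels of a URL or bare host; crude but fine for a mismatch check."""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def red_flags(msg: EmailMessage) -> list[str]:
    """Return the red flags found; an empty list means none of the three checks fired."""
    flags = []
    display, address = parseaddr(msg["From"])
    sender_domain = address.rsplit("@", 1)[-1].lower()
    for brand, domain in BRANDS.items():
        if brand in display.lower() and _site(sender_domain) != domain:
            flags.append(f"sender mismatch: '{display}' but address is @{sender_domain}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR.findall(html.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested in the link text
            if "." in text and _site(text) != _site(href):
                flags.append(f"link shows {text} but goes to {_site(href)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {name}")
    return flags

def build_sample() -> EmailMessage:
    """Constructed test message that trips all three checks; not a real phishing sample."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Support <alerts@example.invalid>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required"
    msg.set_content("Your account will be suspended in 24 hours.")
    msg.add_alternative(
        '<p>Sign in at <a href="http://example.invalid/login">login.microsoftonline.com</a></p>',
        subtype="html")
    msg.add_attachment(b"not a real archive", maintype="application", subtype="zip", filename="invoice.zip")
    return msg
```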

The Threat Isn't Slowing Down

Phishing attacks grew 61% in the twelve months ending June 2022, according to the Anti-Phishing Working Group's trend reports. Threat actors are combining phishing with adversary-in-the-middle techniques to bypass MFA in real time. They're using stolen OAuth tokens. They're targeting cloud collaboration platforms like Teams and Slack, not just email.

The attack surface is expanding. Your defenses have to expand with it.

Your Next Move

Step one is understanding what a phishing attack is. Step two is building a culture where every employee is a sensor — trained to recognize, report, and resist social engineering in all its forms.

Start with the fundamentals through our cybersecurity awareness training. Then operationalize that knowledge with realistic, measurable phishing simulations for your organization.

The threat actors are already in your employees' inboxes. The only question is whether your people are ready.