In 2023, the FBI's Internet Crime Complaint Center received over 298,000 complaints about phishing — making it the most reported cybercrime for the fifth consecutive year. That number only accounts for what gets reported. The actual volume is staggering. So what is a phishing attack, and why does it keep working despite billions spent on cybersecurity technology? I've spent years responding to breaches that started with a single deceptive email, and the answer is simpler and more uncomfortable than most people expect.

This guide breaks down exactly how phishing attacks work, the different forms they take, real incidents that cost organizations millions, and — most importantly — what you can actually do to stop them. Whether you're an IT professional defending a network or a business owner trying to understand the threat landscape, this is the practical, no-fluff breakdown you need.

What Is a Phishing Attack, Exactly?

A phishing attack is a social engineering technique where a threat actor impersonates a trusted entity to trick someone into revealing sensitive information, clicking a malicious link, or downloading malware. The "trusted entity" could be your bank, your CEO, Microsoft, the IRS, or a shipping company. The delivery method is usually email, but it also happens through text messages, phone calls, and social media.

Here's the part that trips people up: phishing doesn't exploit a software vulnerability. It exploits human psychology — urgency, fear, trust, curiosity. That's why no firewall or antivirus tool catches every phishing attempt. The target isn't your server. It's your brain.

The Anatomy of a Phishing Email

I've dissected thousands of phishing emails during incident response investigations. They almost always follow the same playbook. Understanding that playbook is your first layer of defense.

The Sender Spoofing

The attacker forges the "From" address to look legitimate. Sometimes it's a perfect spoof. More often, it's a lookalike domain — think "micros0ft-support.com" instead of "microsoft.com." Your employees won't catch it unless they know to look.
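One defensive check for lookalike sender domains, as an added example that is not from the original article: it folds common digit-for-letter swaps (the "0" in "micros0ft") and uses a similarity ratio against a protected-domain list. The protected-domain list and the confusable-character map are illustrative assumptions, not a complete set.

```python
# Added example (not from the article): flag sender domains that imitate a protected brand.
# PROTECTED_DOMAINS and CONFUSABLES are assumed, illustrative values.
import re
from difflib import SequenceMatcher

PROTECTED_DOMAINS = ["microsoft.com", "usps.com"]  # assumed list of brands you care about

# Substitutions attackers commonly use in lookalike labels (illustrative, not exhaustive)
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

def normalize(label):
    """Fold confusable substitutions so 'micros0ft' and 'rnicrosoft' compare as 'microsoft'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label

def registrable(domain):
    """Crude brand label: the part just before the TLD (assumes two-level suffixes like .com)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def sender_domain(from_header):
    """Pull the domain out of a From: header such as 'Support <help@micros0ft-support.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def lookalike_verdict(from_header, threshold=0.8):
    """Return (verdict, protected_domain); verdict is legit, lookalike, unrelated or unknown."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unknown", None)
    for prot in PROTECTED_DOMAINS:
        if domain == prot or domain.endswith("." + prot):
            return ("legit", prot)  # exact domain or a real subdomain of it
    brand = registrable(domain)
    for prot in PROTECTED_DOMAINS:
        target = registrable(prot)
        # Check the whole label and each hyphen-separated piece, since
        # "micros0ft-support" hides the brand inside a longer label
        for piece in {brand} | set(brand.split("-")):
            folded = normalize(piece)
            if folded == target:
                return ("lookalike", prot)
            if SequenceMatcher(None, folded, target).ratio() >= threshold:
                return ("lookalike", prot)
    return ("unrelated", None)
```

The verdict is a triage signal for a mail filter or a reporting workflow, not proof of fraud; legitimate third parties sometimes register brand-adjacent domains.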

The Emotional Hook

Every phishing email creates urgency or fear. "Your account has been compromised." "Your package couldn't be delivered." "The CEO needs this wire transfer completed in the next hour." The emotional pressure short-circuits critical thinking. That's by design.

The Malicious Payload

This is where the damage happens. The email either contains a link to a credential theft page that mimics a legitimate login portal, or it includes an attachment loaded with malware — often ransomware or a remote access trojan. One click, and the attacker has a foothold in your environment.

The Extraction

Once credentials are stolen or malware is deployed, the threat actor moves laterally through your network, escalates privileges, and exfiltrates data. The 2024 Verizon Data Breach Investigations Report found that stolen credentials were involved in roughly 31% of all breaches over the past decade. Phishing is the number one way those credentials get stolen.

The 7 Types of Phishing You Need to Know

Phishing isn't a single tactic. It's a category. Here are the variants I see most often in the wild.

1. Email Phishing

The classic. Mass-distributed emails that cast a wide net. Low sophistication, high volume. Think "Your Netflix account is suspended" sent to 500,000 people.

2. Spear Phishing

Targeted phishing aimed at a specific individual or organization. The attacker researches the target using LinkedIn, company websites, and social media to craft a convincing, personalized message. This is how most major data breach incidents begin.

3. Whaling

Spear phishing aimed at senior executives — the "big fish." These attacks often impersonate board members, legal counsel, or regulators. The payoff is larger because executives have broader access and authority.

4. Smishing (SMS Phishing)

Phishing via text message. "USPS: Your package is waiting. Confirm delivery here." Smishing has exploded because people tend to trust text messages more than email.

5. Vishing (Voice Phishing)

Phone-based phishing. The attacker calls pretending to be tech support, your bank, or the IRS. AI-generated voice cloning has made vishing dramatically more convincing in 2025 and 2026.

6. Clone Phishing

The attacker takes a legitimate email you previously received — say, an invoice from a vendor — copies it exactly, replaces the attachment or link with a malicious version, and resends it. Extremely hard to detect.

7. Business Email Compromise (BEC)

The attacker compromises or impersonates a business email account and uses it to authorize fraudulent transactions. The FBI's IC3 reported that BEC losses exceeded $2.9 billion in 2023 alone. This is the most financially damaging form of phishing by a wide margin.

Real Breaches That Started With Phishing

Theory matters less than reality. Here are incidents that show what's actually at stake.

Twilio (2022)

Attackers sent smishing messages to Twilio employees, directing them to a fake login page that mimicked Twilio's identity provider. Several employees entered their credentials. The attackers used those credentials to access internal systems and data belonging to over 100 Twilio customers. This wasn't a technology failure — it was a social engineering success.

MGM Resorts (2023)

A threat actor called MGM's IT help desk, impersonated an employee found on LinkedIn, and convinced the help desk to reset credentials. That single vishing attack led to a ransomware deployment that disrupted MGM's operations for days and cost the company an estimated $100 million. One phone call.

The Lesson

In my experience, organizations that suffer these breaches almost always had security tools in place. What they lacked was a workforce trained to recognize social engineering in real time. Technology alone doesn't solve a human problem.

Why Phishing Keeps Working in 2026

You'd think that with all the awareness campaigns and email security gateways out there, phishing would be declining. It's not. Here's why.

AI-generated phishing emails are nearly flawless. The grammatical errors and awkward phrasing that used to be red flags are gone. Large language models let attackers produce polished, contextually accurate emails at scale.

Multi-factor authentication isn't bulletproof. Adversary-in-the-middle (AiTM) phishing kits can intercept MFA tokens in real time. I've responded to breaches where the victim had MFA enabled and still got compromised. MFA is essential — but it's not a silver bullet.

People are overwhelmed. Your employees handle hundreds of emails a week. Decision fatigue is real. One lapse in judgment at 4:45 PM on a Friday is all it takes.

How to Defend Your Organization Against Phishing

Here's where I shift from diagnosis to prescription. These are the measures that actually move the needle.

Build a Security Awareness Culture

Annual compliance training doesn't change behavior. Continuous, engaging security awareness training does. Your employees need to understand what phishing looks like across every channel — email, text, phone, social media. A structured cybersecurity awareness training program gives your team the baseline knowledge they need to spot social engineering before it succeeds.

Run Phishing Simulations Regularly

You can't measure what you don't test. Phishing simulation campaigns send realistic but harmless phishing emails to your workforce and track who clicks, who reports, and who enters credentials. This data tells you exactly where your vulnerabilities are — by department, role, and location. Enroll your organization in phishing awareness training built for real-world scenarios to turn testing into lasting behavior change.

Implement Layered Technical Controls

  • Email filtering and sandboxing: Block known malicious senders, scan attachments, and detonate suspicious links in a sandbox before delivery.
  • DMARC, DKIM, and SPF: These email authentication protocols help prevent domain spoofing. CISA has published detailed guidance on defending against ransomware and phishing that includes email authentication best practices.
  • Multi-factor authentication: Deploy phishing-resistant MFA — FIDO2 hardware keys or passkeys — wherever possible. Traditional SMS-based MFA is better than nothing but vulnerable to AiTM attacks.
  • Zero trust architecture: Operate on the assumption that any account or device could be compromised. Verify identity continuously, segment access, and enforce least privilege.
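To make the email authentication bullet concrete, here is an added example (not from the article or from CISA's guidance) that grades SPF and DMARC TXT records and shows a weak record beside its corrected form. The record strings are constructed samples and nothing is looked up in DNS; the domain names in them are placeholders.

```python
# Added example (not from the article): grade SPF and DMARC TXT records.
# The record strings below are constructed samples; nothing is queried from DNS.
def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(record):
    """Return findings that weaken the policy; an empty list means failing mail is rejected."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors; mail that fails authentication is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine junks failing mail instead of rejecting it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} leaves {100 - pct}% of failing mail unenforced")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who sends as the domain")
    return findings

def grade_spf(record):
    """Flag the trailing 'all' term, which decides what happens to unlisted senders."""
    terms = [t.lower() for t in record.split()]
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    if "+all" in terms or "all" in terms:
        return ["+all lets any host send as this domain"]
    if "?all" in terms:
        return ["?all is neutral: unlisted senders neither pass nor fail"]
    if "~all" in terms:
        return ["~all is a softfail: without an enforcing DMARC policy many receivers still deliver"]
    if "-all" not in terms:
        return ["no 'all' term: unlisted senders get an implicit neutral result"]
    return []

WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
# Corrected forms: reject failures, apply to all mail, and collect aggregate reports
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
```

Move from p=none to p=reject only after the aggregate reports show your legitimate senders all pass; jumping straight to reject breaks mail from any system you forgot to list.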

Create a Reporting Culture

If an employee suspects a phishing email, they need a one-click way to report it — and they need to know they won't get punished for reporting a false positive. In my experience, the organizations that suffer the least damage from phishing attacks are the ones where employees report suspicious messages immediately instead of ignoring them or feeling embarrassed.

Harden Your Identity Infrastructure

Credential theft is the goal of most phishing attacks. Protect your identity layer aggressively. Use a password manager organization-wide. Enforce unique, complex passwords. Monitor for credential exposure on dark web marketplaces. Disable legacy authentication protocols that bypass MFA.

What Should You Do If You've Been Phished?

Speed matters. Here's the immediate response checklist I walk clients through.

  • Isolate the affected account. Reset the password immediately. Revoke all active sessions.
  • Check for mail forwarding rules. Attackers often set up email forwarding rules to silently exfiltrate messages even after you reset the password.
  • Scan for lateral movement. Review login logs across your environment. Did the attacker access other systems using the compromised credentials?
  • Notify your team. If one person fell for a phishing email, others likely received the same campaign. Alert your organization immediately.
  • Report it. File a complaint with the FBI's IC3 at ic3.gov. If you're in a regulated industry, check your breach notification obligations.
  • Conduct a post-incident review. Figure out what got through your defenses and why. Update your email filtering rules, your training program, and your simulation scenarios based on what you learned.
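The forwarding-rule step above is the one most often skipped, so here is an added example (not from the article) that triages an exported set of mailbox rules after a credential compromise. The rule records and the internal domain are constructed samples, the field names are an assumption about whatever export your mail platform produces, and the extra heuristics (rules that hide mail in rarely read folders, blank rule names, finance keywords) are common post-compromise patterns added here beyond what the article states.

```python
# Added example (not from the article): triage mailbox rules exported after a compromise.
# INTERNAL_DOMAIN, SAMPLE_RULES and the field names are constructed assumptions.
INTERNAL_DOMAIN = "example.com"  # assumed

# Constructed sample export: one benign rule and two typical attacker-created rules
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Newsletters", "enabled": True, "forward_to": [],
     "delete": False, "move_to_folder": "Newsletters", "subject_contains": ["newsletter"]},
    {"mailbox": "cfo@example.com", "name": ".", "enabled": True,
     "forward_to": ["archive.mail@external-mail.net"], "delete": True,
     "move_to_folder": None, "subject_contains": []},
    {"mailbox": "ap@example.com", "name": "Filter", "enabled": True, "forward_to": [],
     "delete": False, "move_to_folder": "RSS Feeds", "subject_contains": ["invoice", "payment"]},
]

HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history")  # rarely opened
FINANCE_WORDS = ("invoice", "payment", "wire", "bank")

def external_targets(rule):
    """Forwarding addresses outside the organization's own domain."""
    return [a for a in rule["forward_to"] if not a.lower().endswith("@" + INTERNAL_DOMAIN)]

def triage_rule(rule):
    """Return the reasons a rule looks like attacker persistence (empty list if none)."""
    reasons = []
    if not rule["enabled"]:
        return reasons
    ext = external_targets(rule)
    if ext:
        reasons.append("forwards to external address: " + ", ".join(ext))
    folder = (rule["move_to_folder"] or "").lower()
    if rule["delete"] or folder in HIDING_FOLDERS:
        # Deleting or burying the copy is what makes the exfiltration silent
        reasons.append("hides matching mail (delete or move to a rarely read folder)")
    if not rule["name"].strip(" .,-_"):
        reasons.append("blank or punctuation-only rule name")
    if any(k.lower() in FINANCE_WORDS for k in rule["subject_contains"]):
        reasons.append("matches finance keywords")
    return reasons

def suspicious_rules(rules):
    """Return (mailbox, rule name, reasons) for every rule with at least one finding."""
    out = []
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            out.append((rule["mailbox"], rule["name"], reasons))
    return out
```

Run this against every mailbox that received the campaign, not only the one that reported it, and remove flagged rules before resetting the password so the attacker cannot re-create them from a still-valid session.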

Phishing Is a People Problem. Solve It Like One.

I've investigated breaches at organizations with seven-figure security budgets. Firewalls configured correctly. Endpoint detection in place. SIEM humming along. And the root cause was still a phishing email that one employee clicked at the wrong moment.

The technology matters. But the human layer is where phishing succeeds or fails. Every dollar you invest in training your workforce to recognize and report phishing attacks pays dividends that no single tool can match.

Start by understanding what a phishing attack actually looks like — not in a textbook, but in your inbox, on your phone, and in a voicemail from someone claiming to be your IT department. Then train your people accordingly. That's how you break the cycle.