In January 2024, a finance employee at a multinational firm in Hong Kong wired $25 million to criminals after a video call with what appeared to be the company's CFO. Every person on that call was a deepfake. It started, like almost every attack of its kind, with a single phishing email. If you're asking what a phishing attack is, understand this: it's the single most common entry point for data breaches, ransomware infections, and financial fraud — and it's getting harder to spot every quarter.
This post breaks down exactly how phishing works, the variants you need to watch for, real incidents that show the damage, and the specific steps your organization should take right now. No theory. Just what actually happens and what actually works.
What Is a Phishing Attack, Exactly?
A phishing attack is a social engineering technique where a threat actor impersonates a trusted entity — a bank, a vendor, a coworker, your CEO — to trick you into handing over sensitive information, clicking a malicious link, or executing a harmful action. The "bait" usually arrives by email, but it also comes through text messages, phone calls, QR codes, and even collaboration platforms like Slack or Teams.
The goal varies by attacker. Some want your credentials. Some want to install malware or ransomware. Some want a direct wire transfer. But the method is always the same: exploit human trust faster than the victim can think critically.
According to the 2024 Verizon Data Breach Investigations Report, phishing and pretexting (a close cousin) accounted for over 70% of social engineering incidents. That number has been climbing for years.
The Anatomy of a Phishing Email
I've reviewed thousands of phishing emails across incident response engagements. The good ones share a pattern. Here's what a modern phishing email typically includes:
- A spoofed or look-alike sender address. Instead of [email protected], it's [email protected]. One transposed letter. Most people never notice.
- Urgency or authority. "Your account will be locked in 24 hours." "The CEO needs this wire completed before end of business." Pressure kills critical thinking.
- A call to action. Click a link, open an attachment, scan a QR code, reply with information. There's always a next step designed to compromise you.
- A convincing landing page. If there's a link, it usually leads to a credential harvesting page that looks identical to Microsoft 365, Google Workspace, or your company's VPN portal.
The days of obvious Nigerian prince emails are over. Today's phishing kits are sold as a service on dark web marketplaces, complete with real-time MFA bypass capabilities. Threat actors don't need to be sophisticated — they just need to buy the right tools.
The 6 Variants Every Security Team Should Know
1. Spear Phishing
This is targeted phishing aimed at a specific individual. The attacker researches you on LinkedIn, reads your company's press releases, and crafts a personalized message. Spear phishing is behind the majority of high-value breaches because it's convincing enough to fool experienced professionals.
2. Whaling
Spear phishing aimed at executives — CFOs, CEOs, board members. The stakes are higher, and so is the attacker's preparation. The Hong Kong deepfake incident I mentioned above started as a whaling campaign.
3. Smishing (SMS Phishing)
Phishing via text message. You've probably received one yourself: "USPS: Your package cannot be delivered. Update your address here." Smishing bypasses email security filters entirely, which is why it's surging.
4. Vishing (Voice Phishing)
Phone-based social engineering. The caller claims to be from IT support, your bank, or even law enforcement. Vishing attacks spiked during remote work because employees couldn't verify callers by walking down the hall.
5. Business Email Compromise (BEC)
The FBI's IC3 reported that BEC caused $2.9 billion in adjusted losses in 2023 — making it the costliest cybercrime category by dollar amount. BEC isn't about malware. It's about impersonating an executive or vendor and convincing someone to send money or sensitive data. No link required.
6. Quishing (QR Code Phishing)
A newer variant where attackers embed malicious QR codes in emails, PDFs, or even physical flyers. Your phone scans the code, opens a credential theft page, and most mobile browsers don't show full URLs — so you can't easily verify where you're going.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a breach at $4.88 million. Phishing was one of the top initial attack vectors. That number includes detection, containment, notification, lost business, and regulatory penalties.
But here's what the averages hide: for small and mid-sized businesses, a single successful phishing attack can be existential. I've seen a 50-person company lose $400,000 to a BEC attack that took seven minutes to execute. They never recovered the funds.
The math is brutally simple. The cost of security awareness training is negligible compared to one successful phishing email reaching the right inbox at the wrong time.
How Do Phishing Attacks Actually Succeed?
This is the question I get most from executives, and the answer is uncomfortable: phishing attacks succeed because they target people, not systems. Your firewall can't stop an employee from typing their password into a fake login page. Your endpoint detection can't prevent a CFO from approving a fraudulent wire transfer over the phone.
Here's what actually happens in a typical credential theft scenario:
- Step 1: The employee receives an email that appears to be from Microsoft, warning that their password expires today.
- Step 2: They click the link, which opens a pixel-perfect replica of the Microsoft 365 login page.
- Step 3: They enter their username and password. Some advanced phishing kits also capture the MFA token in real time using adversary-in-the-middle (AiTM) techniques.
- Step 4: The attacker now has valid credentials. They log in, set up email forwarding rules, and begin reconnaissance — reading emails, identifying financial processes, mapping the org chart.
- Step 5: Days or weeks later, the attacker strikes. They send a BEC email from the compromised account, or they deploy ransomware across the network.
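Step 4 is where defenders usually get their first detection opportunity: the forwarding rules the attacker creates are visible in a mailbox-rule export. The following is an added example, not code from the original post, that reviews such an export for external forwarding and for rules that hide the forwarded copy. The export format and the sample rules are constructed assumptions, not any vendor's API schema.

```python
# Added example, not from the original post: review a (constructed) mailbox
# rule export for the persistence pattern described in Step 4.
ORG_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains

# Constructed sample export; the second rule is the kind an attacker leaves behind.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Archive vendor mail", "enabled": True,
     "forward_to": ["archive@example.com"], "delete_after": False, "created": "2023-11-02"},
    {"mailbox": "cfo@example.com", "name": ".", "enabled": True,
     "forward_to": ["invoices.backup@mail-example.net"], "delete_after": True,
     "created": "2024-03-14"},
    {"mailbox": "ap-clerk@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "delete_after": False, "created": "2022-05-20"},
    {"mailbox": "ap-clerk@example.com", "name": "Old test", "enabled": False,
     "forward_to": ["me@personal-mail.net"], "delete_after": False, "created": "2021-01-09"},
]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def suspicious_rules(rules, org_domains=ORG_DOMAINS):
    """Return (rule, reasons) for every enabled rule that forwards mail outside
    the organization, deletes the original after forwarding, or carries a
    near-empty name. Each is a common sign of a compromised mailbox."""
    findings = []
    for rule in rules:
        if not rule.get("enabled"):
            continue  # disabled rules do nothing; review them separately if needed
        reasons = []
        external = [a for a in rule.get("forward_to", []) if domain_of(a) not in org_domains]
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        if rule.get("delete_after") and rule.get("forward_to"):
            reasons.append("deletes the original after forwarding (hides activity from the owner)")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in suspicious_rules(SAMPLE_RULES):
        print(rule["mailbox"], "rule created", rule["created"], "->", "; ".join(reasons))
```

Run the same logic on a scheduled basis and alert on new findings; a rule's creation date lines up well with the login timeline when you scope an incident.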
The entire chain starts with one click. That's why phishing simulation programs are critical — they give employees practice recognizing these scenarios before real money is on the line.
What Actually Stops Phishing Attacks
I'm not going to give you a generic "defense in depth" lecture. Here are the specific controls that actually reduce phishing risk, ranked by impact based on what I've seen work in practice.
1. Continuous Security Awareness Training
One-and-done annual training doesn't work. Threat actors evolve monthly; your training cadence needs to match. Effective programs combine short, frequent lessons with realistic phishing simulations that test real employee behavior. If you don't have a program yet, our cybersecurity awareness training course covers the fundamentals your entire workforce needs.
2. Phishing Simulations That Mirror Real Attacks
Simulations train pattern recognition. Your employees need to experience realistic phishing emails in a safe environment so they build the reflex to pause and verify. The organizations I've worked with that run monthly simulations see click rates drop from 30%+ to under 5% within six months. Start with a structured phishing awareness training program designed specifically for organizations.
3. Phishing-Resistant Multi-Factor Authentication
Standard SMS-based MFA is better than nothing, but AiTM phishing kits can bypass it. FIDO2 security keys and passkeys are phishing-resistant by design — they won't authenticate to a fake domain. CISA's MFA guidance is a strong starting point for implementation planning.
4. Email Authentication Protocols (DMARC, DKIM, SPF)
These protocols make it harder for attackers to spoof your domain. If you haven't enforced DMARC at "p=reject," attackers can send emails that appear to come from your exact domain. This protects your customers and partners, not just your employees.
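A quick way to check whether a DMARC record actually enforces anything, as an added example that is not code from the original post: it parses the TXT record text and reports "enforced" only for p=reject applied to 100% of failing mail and to subdomains. The records are passed in as strings so it runs offline; in practice the record is the TXT entry at _dmarc.<your domain>, and the sample values here are constructed.

```python
# Added example, not from the original post: assess a DMARC TXT record.
# Policy strength: none < quarantine < reject (p=reject is what the post recommends).
RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into {tag: value}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str):
    """Return (verdict, notes). verdict is 'enforced', 'partial',
    'monitor-only' or 'invalid'."""
    tags = parse_dmarc(record)
    notes = []
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in RANK:
        return "invalid", ["record must begin with v=DMARC1 and carry a valid p= tag"]
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        notes.append("pct= is not a number; treating it as 0")
    # Subdomain policy defaults to the main policy when sp= is absent.
    sp = tags.get("sp", policy).lower()
    if "rua" not in tags:
        notes.append("no rua= address: you will not receive aggregate reports")
    if policy == "none":
        notes.append("p=none only monitors; spoofed mail is still delivered")
        return "monitor-only", notes
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if RANK.get(sp, 0) < RANK[policy]:
        notes.append(f"subdomain policy sp={sp} is weaker than p={policy}")
    if policy == "reject" and pct >= 100 and sp == "reject":
        return "enforced", notes
    return "partial", notes
```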
5. Zero Trust Architecture
Zero trust assumes every request — internal or external — could be malicious. It limits the blast radius of compromised credentials by enforcing least-privilege access, continuous verification, and micro-segmentation. Phishing might get the attacker a password, but zero trust prevents that password from being the keys to the kingdom.
6. Incident Response Playbook for Phishing
Your employees need to know exactly what to do when they suspect a phishing email: who to report it to, how to report it (a one-click button in the email client is ideal), and what happens next. If reporting feels cumbersome, people won't do it. Make it frictionless.
What Should You Do If You Clicked a Phishing Link?
This is the single most searched follow-up question, and the answer needs to be fast and specific:
- Disconnect from the network immediately. Wi-Fi off, Ethernet unplugged. This limits lateral movement if malware was delivered.
- Do not enter any credentials. If you already did, change that password from a different, known-clean device right now.
- Report it to your IT or security team. Speed matters. The faster they know, the faster they can check logs, revoke sessions, and block the attacker's infrastructure.
- Enable or reset MFA. If the attacker captured your MFA token, revoke all active sessions for that account.
- Preserve evidence. Don't delete the email. Forward it as an attachment to your security team so they can analyze headers and URLs.
If your organization doesn't have a clear process for this, that's a gap you need to fix today — not after the next incident.
Why Phishing Isn't Going Away
Generative AI has made phishing emails more convincing, more personalized, and available in every language without grammatical errors. The barrier to entry for threat actors has never been lower. Phishing-as-a-service platforms sell turnkey kits for a few hundred dollars, complete with hosting, templates, and real-time credential capture.
At the same time, organizations are expanding their attack surface with cloud applications, remote workforces, and third-party integrations. Every new SaaS login page is another opportunity for credential theft.
The only sustainable defense is a workforce that can recognize and report phishing attempts instinctively. Technology catches most attacks. People catch the rest — the ones that matter most.
Your Next Move
If you're reading this because you're building a security program, evaluating training options, or recovering from an incident, here's my advice: start with the human layer. Deploy phishing awareness training that uses real-world scenarios. Pair it with broad cybersecurity awareness education that covers credential hygiene, social engineering tactics, and incident reporting.
Then harden the technical stack: phishing-resistant MFA, DMARC enforcement, zero trust segmentation, and a tested incident response plan.
Phishing attacks are simple by design. Your defense doesn't need to be complicated — it needs to be consistent, realistic, and relentless. The threat actors certainly are.