In March 2022, a single employee at Okta clicked a link in what appeared to be a routine IT notification. That one click gave the Lapsus$ threat actor group access to internal systems, ultimately affecting roughly 2.5% of Okta's customer base — hundreds of organizations. The attack didn't start with some sophisticated zero-day exploit. It started with a phishing link. If you've ever wondered what is a phishing link and why security professionals lose sleep over them, that incident is your answer in a single sentence: it's a weaponized URL designed to trick a human into handing over the keys to the kingdom.

This post breaks down exactly how phishing links work, what happens when someone clicks one, and — most importantly — what your organization can do right now to reduce the risk. I've spent years dissecting these attacks, and the mechanics are both simpler and more dangerous than most people realize.

A phishing link is a URL crafted by a threat actor to deceive the person who clicks it. The link typically leads to a fake login page, a malware download, or a credential-harvesting form that mimics a legitimate website. The goal is always the same: get the victim to take an action that benefits the attacker — entering a password, downloading a file, or authorizing an OAuth token.

These links arrive through email, SMS (smishing), social media direct messages, QR codes, and even collaboration tools like Slack or Microsoft Teams. According to the 2022 Verizon Data Breach Investigations Report (DBIR), 82% of breaches involved a human element, and phishing was the top action variety in social engineering incidents. The link is the delivery mechanism for that human exploitation.

To your browser, there's no difference between a phishing link and a legitimate one: both are just HTTP requests. The distinction is intent and destination. A phishing link might look like https://microsoft-login.account-verify.com — close enough to fool someone who isn't inspecting the domain carefully. The actual domain there is account-verify.com, not microsoft.com. Attackers register lookalike domains, use URL shorteners, embed links behind HTML text that says one thing while pointing somewhere else, or hijack legitimate domains through open redirects.

I've seen phishing links that passed every visual inspection. The only giveaway was hovering over the link and reading the actual URL character by character. That's not a skill most employees have developed — which is exactly why phishing awareness training for organizations exists.

Understanding what happens behind a phishing link helps you understand why they're so effective. Here's the typical kill chain, step by step.

Step 1: Reconnaissance and Pretext

The attacker researches the target. For a spear phishing campaign, this means LinkedIn profiles, company press releases, vendor relationships, and organizational charts. They build a pretext — a believable story. Maybe it's a password expiration notice, a DocuSign request, or a shipping notification from a vendor your company actually uses.

Step 2: Infrastructure Setup

The threat actor registers a domain that resembles the target brand. They set up a cloned login page using widely available phishing kits — some even sold as a service on dark web marketplaces. The page looks pixel-perfect. It captures credentials in real time and can even relay them to the real site to generate a valid session, defeating basic two-factor authentication. These are called adversary-in-the-middle (AiTM) attacks, and they've become disturbingly common in 2022.

Step 3: Delivery

The link arrives in an email, an SMS, or a message on a platform the victim trusts. The email might spoof an internal address or come from a compromised vendor account — making it nearly impossible to detect by sender alone. The social engineering is the weapon. The link is just the trigger.

Step 4: The Click

The victim clicks. Their browser loads the fake page. They enter their username and password. In many cases, the attacker also captures the MFA token in real time. Within seconds, the attacker has valid credentials.

Step 5: Exploitation

Now the attacker is inside. They access email, internal systems, cloud storage, or financial platforms. From here, the playbook varies: deploy ransomware, exfiltrate data, send fraudulent wire transfers, or establish persistence for a longer campaign. The 2022 FBI IC3 report documented $10.3 billion in cybercrime losses, with business email compromise and phishing consistently ranking among the top reported categories. Much of it starts with a single link.

You might think phishing is a solved problem. It isn't. Here's why these links keep working even against well-defended organizations.

Trust Is the Vulnerability

Phishing links exploit trust — trust in the sender, trust in the brand being impersonated, trust in the platform delivering the message. No firewall patches trust. No endpoint agent scans for it. Social engineering targets the one system you can't automate: human judgment.

Sophistication Has Skyrocketed

Gone are the days of Nigerian prince emails riddled with typos. Modern phishing links use valid HTTPS certificates (Let's Encrypt made that trivial), pixel-perfect page clones, and real-time credential relay. Some campaigns use CAPTCHA gates on their phishing pages to prevent security scanners from analyzing them. Attackers are running professional operations.

Volume Overwhelms Defenses

According to CISA, phishing remains the most common initial access vector for both criminal and nation-state actors. The sheer volume of phishing emails — billions per day globally — means even a tiny click rate generates enormous attacker ROI. Your email filter catches 99%? That remaining 1% of a large campaign still puts dozens of malicious links in front of your employees.

Here are the specific techniques I teach in every security awareness session. These aren't theoretical — they're the exact checks that stop real attacks.

  • Hover before you click. On desktop, hover your mouse over any link and read the actual destination URL in the bottom-left corner of your browser or email client. Does the domain match who supposedly sent it?
  • Check the root domain. In https://login.microsoft.com.evil-site.net/auth, the root domain is evil-site.net, not microsoft.com. Find the first single slash after https://, then read the hostname to its left from right to left: the top-level domain and the label just before it are what was actually registered, and everything further left is a subdomain the registrant can name however they like.
  • Be suspicious of urgency. "Your account will be locked in 24 hours" is designed to make you click without thinking. Legitimate organizations rarely threaten immediate consequences via email link.
  • Verify through a separate channel. If an email asks you to log in somewhere, open a new browser tab and navigate to the site directly. Never follow the link in the email.
  • Inspect shortened URLs. Use a URL expander tool to reveal the true destination of shortened links (bit.ly, t.co, etc.) before clicking.
  • Watch for lookalike characters. Attackers use internationalized domain names (IDN homograph attacks) — replacing an "a" with a Cyrillic "а" that looks identical. Modern browsers have some protections, but they're not foolproof.
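The domain checks above (root domain, shortened URLs, lookalike characters) can be automated for triage of reported links. The following is an added example, not code from the original post; the brand list, the shortener list and the three-suffix stand-in for the Public Suffix List are constructed assumptions, as are the sample links.

```python
import unicodedata
from urllib.parse import urlparse

# Brands worth protecting and the registrable domains they legitimately use
# (constructed sample; a real deployment would maintain its own list).
KNOWN_BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "paypal": {"paypal.com"},
}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Tiny stand-in for the Public Suffix List, which a real check should load in full.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(hostname: str) -> str:
    """The part of the hostname the registrant controls: read right to left and keep
    the TLD plus one label (or two for co.uk-style suffixes)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def analyze_link(url: str) -> dict:
    """Flag the lookalike tricks from the checklist: a brand name outside the
    registrable domain, non-ASCII or punycode labels, and URL shorteners."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    findings = []
    for brand, legit in KNOWN_BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            findings.append(f"'{brand}' appears in the hostname but the registrable domain is {reg}")
    if any(ord(ch) > 127 for ch in host):
        # unicodedata names begin with the script, e.g. "CYRILLIC SMALL LETTER A"
        scripts = sorted({unicodedata.name(ch, "?").split()[0] for ch in host if ch.isalpha()})
        findings.append(f"non-ASCII hostname mixing scripts {scripts} (IDN homograph?)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: decode it before trusting what the browser shows")
    if reg in SHORTENERS:
        findings.append(f"{reg} is a URL shortener: expand it to see the real destination")
    return {"hostname": host, "registrable_domain": reg,
            "findings": findings, "suspicious": bool(findings)}

if __name__ == "__main__":
    for link in ("https://login.microsoft.com/",
                 "https://login.microsoft.com.evil-site.net/auth",
                 "https://microsoft-login.account-verify.com",
                 "https://p\u0430ypal.com/signin",     # Cyrillic 'а' in place of Latin 'a'
                 "https://bit.ly/3xample"):            # constructed shortened link
        print(analyze_link(link))
```

Note that the homograph sample never trips the brand check, because the Cyrillic letter makes "paypal" a different string; only the script check catches it, which is why both checks are needed.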

Building these habits across your entire workforce requires more than a single email reminder. It requires structured, ongoing training — exactly what a dedicated cybersecurity awareness training program delivers.

The $4.88M Lesson: What Happens After Someone Clicks

The average cost of a data breach in 2022 reached $4.35 million globally, according to IBM's Cost of a Data Breach Report. In the United States, that number hit $9.44 million. Phishing was the second most expensive initial attack vector, trailing only business email compromise — which itself almost always starts with a phishing link or credential theft.

Here's what I've seen happen in real incidents after an employee clicks a phishing link:

  • Credential theft leads to email account takeover. The attacker reads email, identifies financial processes, and inserts themselves into wire transfer conversations. The FBI's IC3 has documented billions in losses from this pattern.
  • Ransomware deployment within hours. Once inside the network, attackers move laterally, escalate privileges, and encrypt critical systems. The Colonial Pipeline attack in 2021 — which disrupted fuel supplies across the U.S. East Coast — began with a compromised credential.
  • Data exfiltration triggering regulatory penalties. Healthcare, financial, and education organizations face HIPAA, GLBA, and FERPA obligations. A phishing-initiated breach can trigger FTC enforcement actions and state attorney general investigations.

The click takes half a second. The recovery takes months or years.

Technical Defenses That Complement Training

Training alone isn't enough, and technology alone isn't enough. You need both. Here's the layered defense stack I recommend against phishing links specifically.

Email Authentication: DMARC, DKIM, SPF

These three protocols verify that incoming email actually comes from the domain it claims to come from. If your organization hasn't implemented DMARC at enforcement level (p=reject), spoofed emails using your domain are hitting your partners and customers right now. NIST's SP 800-177 Rev. 1 provides detailed guidance on trustworthy email implementation.
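Checking whether a domain is actually at enforcement is a matter of reading its _dmarc TXT record and the terminal qualifier of its SPF record. This added example (not from the post, and not a replacement for a full RFC 7489 validator) does that over constructed sample records; the domains and values are hypothetical, and a real run would fetch them with a DNS lookup.

```python
# Constructed sample TXT records, in the shape a DNS lookup of _dmarc.<domain>
# and of the domain apex returns (hypothetical domains and values).
SAMPLE_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.com": "v=spf1 include:_spf.mailhost.example ~all",
    "_dmarc.example.org": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.org",
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain: str, records: dict = SAMPLE_RECORDS) -> list:
    """Return the gaps that keep a domain short of DMARC enforcement (p=reject)."""
    issues = []
    dmarc = records.get(f"_dmarc.{domain}", "")
    if not dmarc.lower().startswith("v=dmarc1"):
        issues.append("no DMARC record: receivers cannot reject spoofed mail")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none").lower()
        if policy != "reject":
            issues.append(f"p={policy} is below enforcement; spoofed mail is delivered")
        sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
        if sub_policy != "reject":
            issues.append(f"sp={sub_policy}: subdomains can still be spoofed")
        if int(tags.get("pct", "100")) < 100:
            issues.append(f"pct={tags['pct']}: policy applies to only part of the mail")
        if "rua" not in tags:
            issues.append("no rua= address: no aggregate reports on who sends as you")
    spf = records.get(domain, "")
    if not spf.lower().startswith("v=spf1"):
        issues.append("no SPF record")
    elif spf.split()[-1] != "-all":
        issues.append(f"SPF ends in '{spf.split()[-1]}': unauthorized senders are not hard-failed")
    return issues

if __name__ == "__main__":
    for domain in ("example.com", "example.org"):
        print(domain, assess_domain(domain) or ["at enforcement"])
```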

Multi-Factor Authentication (MFA)

MFA doesn't stop phishing links from working — the user still enters credentials on the fake page. But phishing-resistant MFA, like FIDO2 hardware keys, prevents AiTM relay attacks because the authentication is bound to the legitimate domain. If the domain doesn't match, the key won't respond. This is the direction zero trust architectures are heading, and for good reason.
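Why the domain binding defeats an AiTM relay is easiest to see in the WebAuthn assertion flow itself. The following is an added simulation, not the post's code and not a WebAuthn library: the relying party id, origins and challenge are hypothetical, and an HMAC stands in for the security key's signature so that the block runs with the standard library alone.

```python
import hashlib
import hmac
import json
RP_ID = "login.example.com"                      # hypothetical relying party id
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins the relying party accepts

def authenticator_assert(key, rp_id, client_data_json):
    """Security-key stand-in: HMAC (instead of ECDSA) over authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    client_hash = hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(key, auth_data + client_hash, hashlib.sha256).digest()

def browser_get_assertion(key, page_origin, rp_id, challenge):
    """navigator.credentials.get() stand-in: the browser writes the origin and enforces the rpId rule."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError(f"rpId {rp_id} is not a suffix of origin {page_origin}")
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": page_origin}).encode()
    return (cdj,) + authenticator_assert(key, rp_id, cdj)

def rp_verify(key, expected_challenge, cdj, auth_data, sig):
    """Relying-party side of the WebAuthn assertion check (simplified)."""
    data = json.loads(cdj)
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") not in ALLOWED_ORIGINS:                  # an AiTM proxy fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # rpIdHash must match
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def simulate(key=b"constructed-credential-key", challenge="c2FtcGxlLWNoYWxsZW5nZQ"):
    """Legitimate login versus a relay through a constructed lookalike domain."""
    results = {}
    cdj, ad, sig = browser_get_assertion(key, "https://login.example.com", RP_ID, challenge)
    results["legitimate"] = rp_verify(key, challenge, cdj, ad, sig)
    phish = "https://login.example.com.evil-site.net"
    try:                        # the browser will not let the phishing page use the real rpId
        browser_get_assertion(key, phish, RP_ID, challenge)
        results["phish_real_rpid"] = "allowed"
    except ValueError:
        results["phish_real_rpid"] = "browser refused"
    # The proxy can only use its own rpId, so the relayed assertion carries the wrong
    # origin and rpIdHash, and the signature covers the hash of that clientDataJSON.
    cdj, ad, sig = browser_get_assertion(key, phish, "evil-site.net", challenge)
    results["phish_relayed"] = rp_verify(key, challenge, cdj, ad, sig)
    return results
```

Contrast this with a TOTP code, which carries no origin at all and verifies identically whether the user typed it on the real site or on the proxy.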

URL Filtering and Sandboxing

Modern secure email gateways and web proxies can detonate suspicious links in sandboxed environments, checking destinations before the user's browser ever loads them. These tools catch known malicious domains and many newly registered ones. They won't catch everything — attackers increasingly use compromised legitimate domains — but they reduce volume significantly.

Phishing Simulation Programs

Regular phishing simulations train employees to recognize and report suspicious links in a controlled environment. The data from these simulations tells you which departments, roles, or individuals need additional coaching. It turns a vague risk into a measurable metric. If you're not running simulations yet, the phishing awareness training at phishing.computersecurity.us is built specifically for this purpose.

What should you do if you've already clicked? This is the question I get asked most often, so here's the direct answer for anyone who needs it right now.

  • Disconnect from the network immediately. If you're on corporate Wi-Fi or VPN, disconnect. This limits lateral movement if malware was delivered.
  • Change your password from a different device. Use a known-clean device to change the password for any account you entered on the phishing page. Change it everywhere you reused that password (and stop reusing passwords).
  • Enable or reset MFA. If MFA was already enabled, revoke all active sessions and re-enroll. If it wasn't enabled, now is the time.
  • Report it to your IT/security team. Speed matters. Your security team can check logs, block the phishing domain, and alert other employees who may have received the same link.
  • Monitor your accounts. Watch for unauthorized access, password reset emails you didn't request, or new forwarding rules in your email.

The faster you act, the smaller the blast radius. I've seen organizations contain phishing incidents in under an hour when employees reported immediately — and I've seen others discover the breach months later after millions in damage.

The organizations I've seen handle phishing best aren't the ones with the biggest security budgets. They're the ones where employees feel empowered — and expected — to question suspicious messages without fear of looking foolish. That culture starts with leadership and gets reinforced through consistent training.

Security awareness isn't a checkbox exercise you complete once a year. It's a continuous process that adapts to the current threat landscape. The phishing links your employees see today look nothing like the ones from even two years ago. Your training needs to reflect that reality. A comprehensive cybersecurity awareness training program keeps your workforce current on evolving tactics.

Every phishing link that arrives in your organization's inbox is a test — of your technology, your training, and your culture. The technology will catch most of them. Training handles the rest. And the cost of getting it wrong has never been higher.