In July 2021, a single phishing email gave attackers access to an employee's credentials at a Florida-based managed service provider, ultimately cascading into the massive Kaseya VSA supply-chain ransomware attack that hit over 1,500 businesses worldwide. One email. One click. Billions in damages. If you've ever asked what a phishing scam is, that incident is the answer distilled into its ugliest form — a threat actor tricks a human into handing over the keys, and everything collapses from there.

I've spent years analyzing breach reports, running phishing simulations, and helping organizations rebuild after incidents exactly like this. This post breaks down what phishing actually looks like in 2021, the psychology behind it, the real-world damage it causes, and — most importantly — the specific steps you can take to stop it from wrecking your business.

What Is a Phishing Scam, Exactly?

A phishing scam is a social engineering attack where a threat actor impersonates a trusted entity — your bank, your CEO, Microsoft, the IRS — to trick you into revealing sensitive information, clicking a malicious link, or downloading malware. The word "phishing" is a play on "fishing": attackers cast bait and wait for someone to bite.

But here's what most definitions leave out. Phishing isn't one thing. It's a category that includes spear phishing (targeted attacks on specific individuals), whaling (targeting executives), smishing (SMS-based phishing), vishing (voice phishing), and business email compromise (BEC). Each variant exploits the same human tendency: trust under pressure.

According to the FBI IC3 2020 Internet Crime Report, phishing was the most reported cybercrime by a staggering margin — 241,342 complaints, more than double the next category. And those are only the ones people reported.

The $4.88M Price Tag You Can't Ignore

IBM's 2021 Cost of a Data Breach Report puts the average cost of a data breach at $4.24 million globally. Phishing-initiated breaches ranked among the most expensive, largely because they grant attackers legitimate credentials that let them move laterally through networks undetected for weeks.

When a threat actor steals an employee's login through a phishing scam, they don't need to hack anything. They just log in. That's why credential theft is so devastating — and why multi-factor authentication (MFA) has become a non-negotiable baseline control.

I've worked cases where an attacker sat inside a compromised mailbox for 47 days, silently forwarding invoices to a lookalike domain and redirecting six-figure payments. The victim organization didn't learn about it from their security team. They learned about it from their vendor asking where the money went.

How a Phishing Attack Actually Works: Step by Step

1. Reconnaissance

Attackers don't always blast emails randomly. Sophisticated threat actors research your organization using LinkedIn, press releases, and even job postings. A job listing that mentions "We use Salesforce and Office 365" is a gift to an attacker who now knows exactly which login pages to spoof.

2. Crafting the Lure

The phishing email is designed to trigger urgency, fear, or curiosity. Common lures in 2021 include:

  • COVID-19 vaccine appointment confirmations
  • "Your Microsoft 365 password expires in 24 hours"
  • Fake shipping notifications from UPS or FedEx
  • HR policy updates requiring "immediate review"
  • Voicemail transcription emails with malicious attachments

The best phishing emails are short, specific, and mimic internal communication styles. I've seen attackers copy a company's actual email signature block, complete with the right fonts and legal disclaimers.

3. The Payload

The victim clicks a link and lands on a pixel-perfect replica of a login page. They enter their username and password. The page redirects to the real site so the victim doesn't even realize anything happened. Meanwhile, the attacker now owns those credentials.

Alternatively, the email might contain an attachment — a macro-enabled Word doc, a weaponized PDF, or an HTML file that runs JavaScript locally. The goal is always the same: gain initial access.

4. Exploitation and Persistence

Once inside, attackers establish persistence. They create mail forwarding rules, harvest additional credentials from the mailbox, and pivot to other systems. In ransomware scenarios, this initial phishing foothold leads to full domain compromise, data exfiltration, and encrypted systems — often within 72 hours.
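The forwarding rules described above leave a trail in mailbox audit logs, and hunting for them is one of the quickest post-phishing checks a defender can run. The following is an added example, not tooling from the original post. The events are constructed; their shape (an `Operation` plus a `Parameters` list of name/value pairs) is loosely modelled on Microsoft 365 unified audit log records, but the exact field names here are an assumption for illustration, and all addresses, IPs and domains are placeholders.

```python
"""Flag mailbox rule changes that forward or hide mail, a common persistence step
after a mailbox is compromised through phishing. Added example; event schema is
an assumption modelled loosely on M365 audit records, not a documented format."""

ORG_DOMAINS = {"victimcorp.example"}  # placeholder: the organization's own mail domains

# Constructed sample events. Placeholder addresses and RFC 5737 documentation IPs.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "jane.doe@victimcorp.example",
     "CreationTime": "2021-07-02T03:14:00Z", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "billing@victimc0rp-invoices.example"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@victimcorp.example",
     "CreationTime": "2021-07-02T09:00:00Z", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@victimcorp.example",
     "CreationTime": "2021-07-02T10:30:00Z", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "Identity", "Value": "jane.doe"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:jane.doe@victimcorp.example"}]},
]

RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead")
FINANCE_WORDS = ("invoice", "payment", "wire", "bank")


def _params(event: dict) -> dict:
    """Flatten the Parameters list into a plain name -> value mapping."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def _is_external(address: str) -> bool:
    """True when the target mailbox is not on one of the organization's own domains."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return "@" in addr and addr.rsplit("@", 1)[1] not in ORG_DOMAINS


def analyze_event(event: dict) -> list:
    """Return the reasons a rule change looks like attacker persistence (empty if benign)."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(event)
    reasons = []
    for name in FORWARD_PARAMS:                     # mail leaving the organization
        if name in p and _is_external(p[name]):
            reasons.append(f"{name} sends mail outside the organization: {p[name]}")
    for name in HIDE_PARAMS:                        # owner never sees the forwarded mail
        if p.get(name, "").lower() == "true":
            reasons.append(f"{name}=True hides the matched mail from the mailbox owner")
    rule_name = p.get("Name", "")
    if rule_name and (len(rule_name) <= 2 or not rule_name.strip(".,- ")):
        reasons.append(f"rule name {rule_name!r} is chosen to be overlooked")
    words = p.get("SubjectContainsWords", "").lower()
    if any(w in words for w in FINANCE_WORDS):      # invoice-fraud targeting
        reasons.append(f"filters on finance keywords: {words}")
    return reasons


def find_suspicious_rules(events: list) -> list:
    """Return one record per event that has at least one reason, for triage."""
    hits = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            hits.append({"user": event.get("UserId"), "time": event.get("CreationTime"),
                         "ip": event.get("ClientIP"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']} from {hit['ip']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

Only the first constructed event is flagged: an external forward, `DeleteMessage`, a one-character rule name and finance keywords together are the signature of the invoice-redirection case described earlier. The internal forward set by an administrator and the newsletter rule are left alone, which is the point of checking the destination domain rather than alerting on every rule.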

Why Your Spam Filter Isn't Enough

I hear this constantly: "We have email security, so we're covered." No, you're not.

The 2021 Verizon Data Breach Investigations Report (DBIR) found that 36% of breaches involved phishing — up from 25% the year before. These attacks are getting past technical controls because attackers constantly adapt. They use newly registered domains, compromised legitimate accounts, and cloud-hosted phishing kits that rotate URLs every few hours.

Technical controls are essential. But they're a layer, not a solution. The human element — your employees' ability to recognize and report suspicious messages — remains the last line of defense when the filters fail. And they will fail.

The Psychology That Makes Phishing Work

Phishing exploits cognitive biases that are hardwired into human decision-making. Understanding these is the first step toward building real security awareness.

Authority Bias

An email that appears to come from the CEO gets immediate attention. Employees are conditioned to comply with authority figures quickly and without question. BEC attacks exploit this ruthlessly — the FBI IC3 reports that BEC/EAC scams caused $1.8 billion in losses in 2020 alone, making it the most financially damaging cybercrime category by far.

Urgency and Scarcity

"Your account will be locked in 2 hours." "Only 3 vaccine slots remaining." Attackers manufacture time pressure because stressed people skip verification steps. When you feel rushed, your prefrontal cortex — the part of your brain responsible for critical thinking — takes a back seat.

Familiarity and Trust

Phishing emails often impersonate brands you interact with daily. A fake Microsoft Teams notification doesn't raise alarms because you get real ones constantly. Attackers hide in the noise of your normal workflow.

Real Phishing Incidents That Changed Everything

The Twitter Bitcoin Scam (July 2020)

Attackers used phone-based social engineering (vishing) to trick Twitter employees into providing access to internal tools. They then hijacked verified accounts belonging to Barack Obama, Elon Musk, and Apple to promote a Bitcoin scam. The technical exploit was zero. The human exploit was total.

SolarWinds (December 2020)

While the SolarWinds attack was a supply-chain compromise, investigations revealed that credential theft and phishing-style techniques were used throughout the campaign to expand access across victim networks, including U.S. government agencies.

Colonial Pipeline (May 2021)

A compromised VPN credential — believed to have been obtained through a previous data breach or credential reuse — allowed attackers to deploy DarkSide ransomware, shutting down fuel delivery across the U.S. East Coast. The initial access vector underscores why credential theft and weak authentication remain existential risks.

7 Defenses That Actually Work Against Phishing

Theory is nice. Here's what stops phishing scams in practice, ranked by impact.

1. Deploy Multi-Factor Authentication Everywhere

MFA blocks over 99% of automated credential attacks, according to CISA's MFA guidance. If an attacker steals a password through phishing, MFA prevents them from using it. Hardware tokens or app-based authenticators are far more secure than SMS codes.

2. Run Continuous Phishing Simulations

One-and-done training doesn't work. Regular phishing simulations keep employees sharp and give you measurable data on organizational risk. Start with our phishing awareness training for organizations to build a program that creates lasting behavioral change — not just checkbox compliance.

3. Implement a Zero Trust Architecture

Zero trust assumes breach. Every access request is verified regardless of location or network. This limits the blast radius when a phishing attack succeeds. Micro-segmentation, least-privilege access, and continuous authentication are core principles.

4. Enable Email Authentication Protocols

Configure SPF, DKIM, and DMARC for all your domains. DMARC in enforcement mode (p=reject) prevents attackers from spoofing your domain to phish your partners and customers. Surprisingly few organizations have done this — a 2021 analysis found that less than 15% of Fortune 500 domains had DMARC at enforcement.
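Whether a domain is actually at enforcement is decided by a handful of tags in its `_dmarc` TXT record, and a monitoring-only record looks deceptively similar to a strict one. The following is an added example, not the post's own tooling: a checker that parses a DMARC record and reports what still lets a spoofed message through. The records and domain names are constructed placeholders; in practice the record string would come from a DNS TXT lookup of `_dmarc.<your-domain>`.

```python
"""Parse DMARC TXT records and flag policies that do not actually enforce.
Added example; the sample records below are constructed, not real lookups."""

# Constructed sample records, as a DNS TXT lookup of _dmarc.<domain> might return them.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=50; sp=none; rua=mailto:dmarc@partial.example",
    "enforced.example": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                         "rua=mailto:dmarc@enforced.example"),
    "missing.example": "",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs; {} if not DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the policy, whether it fully enforces, and findings a defender would act on."""
    tags = parse_dmarc(record)
    if not tags:
        return {"policy": None, "enforcing": False,
                "findings": ["no valid DMARC record: the domain can be spoofed freely"]}
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()       # subdomains inherit p when sp is absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0                                       # unparseable pct: treat as not enforcing
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing messages")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see who is spoofing you")
    enforcing = policy == "reject" and pct == 100 and sub_policy == "reject"
    return {"policy": policy, "enforcing": enforcing, "findings": findings}


def audit_domains(records: dict) -> dict:
    """Map each domain to True only when its record rejects 100% of failures, subdomains included."""
    return {domain: assess_dmarc(record)["enforcing"] for domain, record in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{domain}: p={result['policy']} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The strict definition of "enforcing" here (reject, at 100%, subdomains included) is deliberate: a `p=reject` record with `pct=50` or `sp=none` is the kind of half-step that shows up as "has DMARC" in a survey while still letting half the spoofed mail, or all mail from a subdomain, reach your customers.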

5. Establish a Phishing Reporting Culture

Give employees a one-click button to report suspicious emails. Reward reporting, even for false positives. The goal is a culture where reporting a suspicious message is as natural as locking the office door. Every reported phish gives your security team threat intelligence.

6. Train for Recognition, Not Just Awareness

Most security awareness programs teach people that phishing exists. That's not enough. Effective training teaches people to recognize specific indicators: mismatched sender domains, unusual urgency, unexpected attachments, and URLs that don't match the purported sender. Our cybersecurity awareness training program focuses on exactly these recognition skills through scenario-based learning.

7. Harden Endpoint and Browser Security

Web browser isolation, endpoint detection and response (EDR), and disabling macros by default all reduce the impact of phishing payloads that get through. These technical controls won't prevent every phishing scam, but they dramatically limit what happens after a click.

How to Spot a Phishing Email: A Quick-Reference Checklist

This is what I teach every organization I work with. Print it. Post it. Share it with your team.

  • Check the sender address carefully. A display name that says "Microsoft" sitting on top of an address at a lookalike domain is not Microsoft.
  • Hover over links before clicking. Does the URL match where the email claims to send you?
  • Look for urgency or threats. "Act now or lose access" is a red flag, not a business practice.
  • Unexpected attachments are suspicious, especially .zip, .docm, .html, or .iso files.
  • Verify out-of-band. Got a wire transfer request from your CEO? Call them directly using a known number.
  • Trust your gut. If something feels off, report it. You're probably right.
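The recognition skills from defense 6 and the checklist above are mechanical enough to turn into a triage script that a security team can run over reported messages. The following is an added example, not tooling from the original post. It parses an `.eml` file with Python's standard `email` library and counts the checklist indicators: a brand name in the display name that the sender's domain does not belong to, a Reply-To on a different domain, urgency language, link text that shows one host while the href goes to another, and attachments with payload-carrying extensions. The two messages, every address, domain and URL in them, and the small brand-to-domain table are constructed for illustration.

```python
"""Score an email against the phishing checklist above. Added example; the sample
messages and the brand table are constructed, not taken from a real incident."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: lookalike sender, foreign Reply-To, urgency, mismatched link, macro doc.
SAMPLE_EML = b"""\
From: "Microsoft 365 Support" <support@m1crosoft-account-security.example>
Reply-To: helpdesk@mail-verify.example
To: jane.doe@victimcorp.example
Subject: URGENT: your password expires in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires in 24 hours. Act now to avoid losing access.</p>
<p><a href="http://login-m1crosoft.example/verify">https://login.microsoftonline.com/</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--b1--
"""

# Constructed benign message for comparison.
BENIGN_EML = b"""\
From: "Jane Doe" <jane.doe@victimcorp.example>
To: bob@victimcorp.example
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch Thursday? Let me know.
"""

# Illustrative brand table (assumption): which domains a display name may legitimately claim.
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "microsoftonline.com", "office.com")}
URGENCY_WORDS = ("urgent", "immediately", "act now", "expires", "locked", "suspended", "24 hours")
RISKY_EXTENSIONS = (".zip", ".docm", ".xlsm", ".html", ".htm", ".iso", ".js", ".lnk")


class LinkCollector(HTMLParser):
    """Collects visible text plus (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text_parts, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def score_message(raw: bytes) -> dict:
    """Return the checklist indicators found; the score is simply how many fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    indicators = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_domain = sender.domain.lower() if sender else ""
    display_name = sender.display_name.lower() if sender else ""
    # 1. Display name claims a brand whose domains the sender is not on.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name and not any(
                sender_domain == d or sender_domain.endswith("." + d) for d in domains):
            indicators.append(f"display name claims {brand} but sender domain is {sender_domain}")
    # 2. Replies are routed to a different domain than the one that "sent" the mail.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            indicators.append(f"Reply-To domain {reply_domain} differs from {sender_domain}")
    # 3. Urgency language in subject or body (HTML is flattened to text first).
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = LinkCollector()
    if body is not None and body.get_content_type() == "text/html":
        collector.feed(content)
        content = "".join(collector.text_parts)
    haystack = f"{msg['Subject'] or ''} {content}".lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    # 4. Anchor text shows one host while the href actually goes to another.
    for href, visible in collector.links:
        shown = urlparse(visible).hostname if visible.startswith(("http://", "https://")) else None
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            indicators.append(f"link text shows {shown} but points to {actual}")
    # 5. Attachments with extensions commonly used to carry payloads.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            indicators.append(f"risky attachment: {name}")
    return {"score": len(indicators), "indicators": indicators}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        result = score_message(raw)
        print(f"{label}: score {result['score']}")
        for indicator in result["indicators"]:
            print(f"  - {indicator}")
```

The constructed lure trips all five checks while the benign note trips none. A score like this is a triage aid for the people handling the report button, not a filter: the point of the checklist is that each indicator is something a trained employee can see for themselves, and the script only makes the same observations consistently.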

The Difference Between Surviving and Suffering

Every organization will face a phishing scam. That's not pessimism — it's the statistical reality when 36% of breaches start with phishing and your employees receive hundreds of emails per day.

The difference between organizations that survive phishing and organizations that suffer catastrophic breaches comes down to preparation: layered technical controls, well-trained employees who report suspicious messages, MFA on every account, and incident response plans that are tested — not just written.

Understanding what a phishing scam is comes first. Building defenses against it is the work. And that work never stops, because the threat actors never stop adapting.

Start today. Deploy MFA this week. Run your first phishing simulation this month. Get your team enrolled in structured security awareness training and hands-on phishing defense exercises. The next phishing email targeting your organization is already being written. The only question is whether your people are ready for it.