In March 2022, the FBI's Internet Crime Complaint Center reported that phishing was the number one cybercrime type in 2021 — with over 323,000 complaints filed by victims in a single year. That number dwarfed every other category. If you've ever asked what is a phishing scam, the short answer is this: it's the single most effective weapon threat actors use to compromise organizations and steal money, credentials, and data. And it's not slowing down.
I've spent years watching organizations of every size get hit by phishing. Fortune 500 companies, local school districts, healthcare providers — nobody is immune. The attacks keep working because they exploit something no firewall can patch: human trust. This post breaks down exactly how phishing scams work, what they look like in the wild, and what you can actually do to stop them.
What Is a Phishing Scam, Exactly?
A phishing scam is a social engineering attack where a threat actor impersonates a trusted entity — a bank, a coworker, a vendor, a government agency — to trick you into revealing sensitive information or taking a harmful action. That action might be clicking a malicious link, opening an infected attachment, entering your credentials on a fake login page, or wiring money to a fraudulent account.
The word "phishing" is a play on "fishing." The attacker casts a wide net (or sometimes a very targeted lure) and waits for someone to bite. The bait is almost always urgency, fear, or authority. "Your account has been suspended." "The CEO needs this wire transfer now." "Your package couldn't be delivered."
Here's what makes phishing so dangerous: it doesn't require the attacker to break through your technical defenses. They just need one person to make one mistake.
The $4.88M Lesson Hiding in Your Inbox
According to IBM's 2022 Cost of a Data Breach Report, phishing was the second most common initial attack vector for data breaches, and breaches caused by phishing cost an average of $4.91 million. That's not a hypothetical number. That's what real organizations paid — in incident response, regulatory fines, lost business, and remediation — after a phishing email got through.
The Verizon 2022 Data Breach Investigations Report found that 82% of breaches involved a human element, including social engineering, errors, and misuse. Phishing and pretexting dominated the social engineering category. When I talk to security teams after an incident, the story is almost always the same: "Someone clicked a link they shouldn't have."
These aren't abstract risks. In 2020, the FTC took action against multiple companies for failing to protect consumer data after phishing-related breaches. If your organization handles customer data — and it almost certainly does — a successful phishing attack can put you in a regulator's crosshairs.
The Five Types of Phishing Scams You'll Actually Encounter
1. Mass Phishing Emails
The classic. A threat actor sends thousands or millions of emails impersonating a well-known brand — Microsoft, Amazon, DHL, a major bank. The email contains a link to a credential theft page that looks identical to the real login. The attacker harvests usernames and passwords at scale.
I've seen phishing kits that replicate Microsoft 365 login pages down to the pixel. They even pass through your real credentials to the actual site so you don't notice anything wrong — while the attacker captures everything in the background.
2. Spear Phishing
This is targeted phishing aimed at a specific person or organization. The attacker does reconnaissance — LinkedIn profiles, company websites, social media — and crafts a personalized message. "Hey Sarah, here's the Q3 budget spreadsheet Dave asked me to send you." Because it looks legitimate and references real context, spear phishing has a much higher success rate than mass campaigns.
The 2020 Twitter breach started with a spear phishing phone call targeting specific employees. Attackers gained access to internal tools and hijacked high-profile accounts including those of Barack Obama, Elon Musk, and Apple. The damage was measured in reputation and trust, not just dollars.
3. Business Email Compromise (BEC)
BEC is phishing's most expensive variant. The FBI IC3's 2021 report showed BEC losses totaled nearly $2.4 billion — making it the costliest cybercrime category by far. In a BEC attack, the threat actor impersonates an executive, vendor, or partner and requests a wire transfer, payment redirect, or sensitive data.
Sometimes the attacker actually compromises a real email account first. Other times they use a lookalike domain — swapping an "l" for a "1" or adding a subtle character. I've investigated cases where a single BEC email resulted in six-figure losses that were never recovered.
4. Smishing and Vishing
Phishing isn't limited to email. Smishing (SMS phishing) uses text messages, and vishing (voice phishing) uses phone calls. "This is your bank's fraud department. We've detected unusual activity. Please verify your account number." These attacks exploit the immediacy of a phone call or text and the trust people place in voice communication.
CISA has repeatedly warned about vishing attacks targeting remote workers, particularly since the shift to work-from-home in 2020. Attackers call employees pretending to be IT support and walk them through "security steps" that actually hand over VPN credentials.
5. Clone Phishing
The attacker takes a legitimate email you've already received — a real invoice, a real shipping notification — and creates an almost identical copy with a malicious link or attachment swapped in. Because the email looks exactly like something you've seen before, it's incredibly hard to spot without careful inspection.
How to Spot a Phishing Scam: Red Flags That Actually Matter
Forget the old advice about looking for typos. Modern phishing emails are polished and professional. Here's what I tell security teams to train their people on:
- Urgency or threats. "Your account will be locked in 24 hours." "Immediate action required." Legitimate organizations rarely demand instant action via email.
- Mismatched URLs. Hover over every link before clicking. Does the displayed URL match the actual destination? A link that says "microsoft.com" but points to "micros0ft-login.xyz" is a dead giveaway.
- Unusual sender addresses. The display name might say "PayPal" but the actual email address belongs to an unrelated domain. Always check the address itself, not the name shown next to it.
- Unexpected attachments. Especially .zip, .exe, .docm, or .html files from someone you didn't expect to hear from.
- Requests for credentials or payment changes. Any email asking you to enter your password, update payment information, or change wiring instructions should trigger immediate verification through a separate channel — not by replying to the email.
- Generic greetings in targeted contexts. An email claiming to be from your CEO that starts with "Dear Employee" instead of your name.
No single indicator is definitive. Skilled attackers can bypass most of these tells. That's why technical controls and training need to work together.
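To show how two of those tells (lookalike sender domains and mismatched link text versus destination) can be checked mechanically, here is an added example that is not code from the post. The trusted-domain list, the character-swap table and the sample HTML body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow-list of domains this organization trusts (an assumption, not from the post).
TRUSTED = {"microsoft.com", "paypal.com"}

# Matches <a href="...">text</a>; enough for triage of simple bodies, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def normalize(host):
    """Undo common character swaps so 'micros0ft' and 'paypa1' read as their brand names."""
    for bad, good in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        host = host.replace(bad, good)
    return host

def lookalike_of(host):
    """Return the trusted domain a host imitates ('paypa1.com' -> 'paypal.com'), else None."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return None  # genuinely the trusted domain or one of its subdomains
    return next((d for d in TRUSTED if d.split(".")[0] in normalize(host)), None)

def host_of(text):
    """Hostname of a URL, or of bare anchor text such as 'microsoft.com' that has no scheme."""
    url = text if "://" in text else "http://" + text.strip()
    return (urlparse(url).hostname or "").lower()

def red_flags(sender_domain, html_body):
    """Return the red flags from the post that one message's sender domain and links surface."""
    flags = []
    if imitated := lookalike_of(sender_domain):
        flags.append(f"sender domain {sender_domain} imitates {imitated}")
    for href, text in ANCHOR_RE.findall(html_body):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop inline tags inside the anchor
        real = host_of(href)
        if "." in text and " " not in text and (shown := host_of(text)) != real:
            flags.append(f"link text shows {shown} but points to {real}")  # mismatched URL
        elif imitated := lookalike_of(real):
            flags.append(f"link destination {real} imitates {imitated}")
    return flags

# Constructed sample resembling the post's examples (not a real message).
SAMPLE_HTML = ('<p>Sign in now: <a href="https://micros0ft-login.xyz/auth">microsoft.com</a> '
               '<a href="https://paypa1.com/verify">Verify your PayPal account</a></p>')
```

Calling `red_flags("paypa1.com", SAMPLE_HTML)` returns three findings; a message from a trusted domain whose link text matches its destination returns none.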
What Actually Stops Phishing Attacks
Multi-Factor Authentication Is Non-Negotiable
If a phishing scam captures your employees' credentials — and eventually one will — multi-factor authentication (MFA) is the control that prevents the attacker from using them. According to Microsoft, MFA blocks over 99.9% of account compromise attacks. If you do nothing else after reading this post, enable MFA everywhere.
A word of caution: not all MFA is equal. SMS-based codes are better than nothing but vulnerable to SIM swapping. App-based authenticators or hardware security keys like YubiKeys are significantly stronger. Push-notification MFA can be defeated by "MFA fatigue" attacks — where the attacker spams approval requests until the user clicks "Accept" out of frustration. The 2022 Uber breach used exactly this technique.
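One detection a security team can run over MFA push logs for the fatigue pattern just described, added here as an example and not taken from the post. The log format, event names and sample lines are constructed for illustration; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFA push log for illustration (not real data): timestamp, user, event.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z alice push_sent
2022-09-15T21:02:40Z alice push_denied
2022-09-15T21:02:45Z alice push_sent
2022-09-15T21:03:10Z alice push_denied
2022-09-15T21:03:15Z alice push_sent
2022-09-15T21:03:50Z alice push_sent
2022-09-15T21:04:05Z bob push_sent
2022-09-15T21:04:20Z bob push_approved
2022-09-15T21:04:30Z alice push_sent
2022-09-15T21:05:02Z alice push_approved
"""

def parse_log(log):
    """Yield (time, user, event) tuples from the whitespace-separated sample format."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def mfa_fatigue_alerts(log, threshold=5, window=timedelta(minutes=10)):
    """Return {user: severity} for users who got `threshold` or more push prompts inside `window`.

    Severity is 'burst' for the prompt flood alone and 'approved after burst' when a prompt
    was accepted during the flood, which is the outcome the attacker is waiting for."""
    prompts = defaultdict(deque)  # per-user timestamps of recent push_sent events
    alerts = {}
    for ts, user, event in parse_log(log):
        q = prompts[user]
        while q and ts - q[0] > window:  # drop prompts that fell outside the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(user, "burst")
        elif event == "push_approved" and len(q) >= threshold:
            alerts[user] = "approved after burst"
    return alerts
```

On the sample log alice receives five prompts in under three minutes and then approves one, so she is reported at the higher severity, while bob's single prompt and approval are not flagged.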
Phishing Simulations Build Muscle Memory
You can't train people once a year with a PowerPoint and expect them to recognize a well-crafted phishing email on a random Tuesday. Phishing simulations — realistic, recurring, and varied — build the instinct to pause and evaluate before clicking. Organizations that run consistent phishing simulation programs see measurable drops in click rates over time.
If you're looking to build a phishing simulation and training program, our phishing awareness training for organizations gives you the structure and content to make it happen. Simulations work best when they're paired with immediate, constructive feedback — not punishment.
Email Security Controls: Layers Matter
Deploy SPF, DKIM, and DMARC on your domains. Use an email security gateway that scans links and attachments in real time. Enable safe link policies that rewrite URLs and check them at click time, not just at delivery. Quarantine emails from newly registered domains. These technical controls won't stop everything, but they'll eliminate the low-effort attacks and buy your people time to focus on the sophisticated ones.
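As an added illustration (not code from the post) of what "deploy SPF and DMARC" means in practice, this audit parses the two DNS TXT records and flags settings that still let spoofed mail through, with a constructed weak pair and hardened pair for a hypothetical domain. DKIM is left out; the check covers only the two records whose policy settings are visible in DNS.

```python
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_tags(record):
    """Split 'k=v; k=v' DNS TXT syntax (as used by DMARC) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record):
    """Flag SPF 'all' qualifiers that still let unauthorized senders through."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        return [f"'{last}' authorizes any sender: the record provides no protection"]
    if last == "~all":
        return ["'~all' (softfail) lets spoofed mail through; receivers mostly just score it"]
    if last != "-all":
        return ["record does not end with '-all', so unlisted senders are not rejected"]
    return []

def audit_dmarc(record):
    """Flag DMARC settings that leave spoofed mail deliverable or invisible to you."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    problems, policy = [], t.get("p", "none")
    if policy != "reject":
        problems.append(f"p={policy}: spoofed mail is {'delivered' if policy == 'none' else 'only sent to spam'}")
    sub = t.get("sp", policy)  # the subdomain policy inherits p when absent
    if POLICY_RANK.get(sub, 0) < POLICY_RANK.get(policy, 0):
        problems.append(f"sp={sub} is weaker than p={policy}: subdomains can still be spoofed")
    if int(t.get("pct", "100")) < 100:
        problems.append(f"pct={t['pct']}: the policy applies only to that share of failing mail")
    if "rua" not in t:
        problems.append("no rua= address: you receive no aggregate reports on who spoofs your domain")
    return problems

# Constructed records for a hypothetical domain: a weak pair and a hardened pair (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARD_SPF = "v=spf1 include:_spf.example.net -all"
HARD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
```

Running `audit_spf` and `audit_dmarc` on the weak pair lists the softfail qualifier, the report-only policy, the partial rollout and the missing report address; the hardened pair produces no findings.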
Zero Trust Architecture
A zero trust approach assumes that any user or device could be compromised at any time. Instead of granting broad access after a single login, zero trust verifies every request, limits lateral movement, and enforces least-privilege access. If a phishing attack compromises one account, zero trust principles limit the blast radius. NIST's Zero Trust Architecture publication (SP 800-207) is the foundational reference.
Security Awareness Training That Sticks
The best defense against phishing scams is a workforce that knows what to look for and has practiced responding. Not a one-time compliance checkbox — ongoing training that evolves with the threat landscape. Our cybersecurity awareness training program covers phishing, social engineering, credential theft, ransomware, and more in a format that actually engages employees.
In my experience, the organizations that get breached aren't the ones that lack firewalls. They're the ones that underinvest in their people.
What Should You Do If You Fall for a Phishing Scam?
Speed matters. Here's the response sequence I recommend:
- Disconnect. If you clicked a link or opened an attachment on a work device, disconnect from the network immediately. Don't shut down the machine — your incident response team may need forensic artifacts from memory.
- Report it. Contact your IT or security team right away. Forward the phishing email as an attachment (not inline) so they can analyze headers and links. If your organization has a phishing report button in the email client, use it.
- Change credentials. If you entered your username and password anywhere, change them immediately — and change them on any other site where you used the same password. This is why password reuse is so dangerous.
- Monitor accounts. Watch for unauthorized access, unusual logins, or changes to account settings. Enable login alerts where available.
- File a report. For significant incidents, report to the FBI's Internet Crime Complaint Center (IC3) and to CISA. Your reports help law enforcement track campaigns and warn other potential victims.
The worst thing you can do is stay silent. Every minute an attacker has undetected access, the damage compounds.
Phishing Is an Evolving Arms Race
Threat actors aren't standing still. In 2022, we're seeing a surge in adversary-in-the-middle (AiTM) phishing attacks that can intercept session tokens and bypass even MFA. We're seeing phishing kits sold as a service on underground forums for a few hundred dollars. We're seeing attackers use legitimate cloud services — Google Docs, SharePoint, OneDrive — to host phishing content, making it harder for email filters to block.
The Verizon DBIR has tracked phishing as a top attack vector for years running. That won't change in 2023. What can change is how prepared your organization is to detect, resist, and respond to it.
The Bottom Line on Phishing Scams
So, what is a phishing scam? It's the most reliable, scalable, and profitable attack method in a threat actor's playbook. It bypasses your technology by targeting your people. It costs organizations billions every year. And it's completely preventable — with the right combination of technical controls, security awareness training, and a culture that treats phishing reports as valuable intelligence rather than embarrassing mistakes.
Start with MFA. Run phishing simulations. Train your people consistently. Build layered email defenses. Adopt zero trust principles. These aren't aspirational goals — they're table stakes in 2022.
Your employees are either your biggest vulnerability or your strongest defense. The difference is whether you invest in preparing them before the next phishing email lands.