In January 2024, a finance employee at the Hong Kong office of a multinational firm transferred about US$25.6 million (HK$200 million) to criminals after a video call with what appeared to be the company's CFO and several colleagues. Every other participant on that call was a deepfake. The attack started with a single phishing message claiming to come from the CFO. If you're asking what phishing is, this is it, and understanding it might be the most important thing you do for your organization this year.
Phishing is one of the most common initial access vectors in data breaches worldwide. The Verizon 2024 Data Breach Investigations Report found that phishing and pretexting together accounted for the vast majority of social engineering incidents. It's not a theoretical risk. It's likely hitting your inbox right now.
What Is Phishing, Exactly?
Phishing is a social engineering attack where a threat actor impersonates a trusted entity — a bank, a boss, a vendor, a government agency — to trick you into taking a dangerous action. That action is usually clicking a malicious link, opening an infected attachment, or handing over credentials.
The mechanics are simple. The psychology is sophisticated. Attackers exploit urgency, authority, and fear. A message that says "Your account will be locked in 24 hours" bypasses your rational brain and hits your panic button.
I've investigated hundreds of these incidents. The victims are rarely careless. They're busy professionals who encountered a well-crafted message at exactly the wrong moment.
The 5 Types of Phishing You'll Actually Encounter
1. Email Phishing (Bulk Campaigns)
This is the classic. Attackers send thousands or millions of emails mimicking brands like Microsoft, Amazon, or DHL. They cast a wide net. Even a 1% click rate on a million emails delivers 10,000 victims. These campaigns fuel credential theft at an industrial scale.
2. Spear Phishing
Targeted attacks aimed at a specific person or organization. The attacker researches you on LinkedIn, reads your company's press releases, and crafts a message that feels personal. "Hey Sarah, here's the updated Q3 budget spreadsheet Jim mentioned in the meeting yesterday." These are devastatingly effective.
3. Business Email Compromise (BEC)
The FBI's Internet Crime Complaint Center (IC3) has consistently ranked BEC among the costliest cybercrimes, with reported losses running into billions of dollars a year. The attacker either spoofs or actually compromises an executive's (or a vendor's) email, then requests wire transfers, changed bank details, or sensitive data from employees who don't question the boss.
4. Smishing and Vishing
Phishing isn't limited to email. Smishing uses SMS text messages. Vishing uses phone calls. That "USPS package delivery" text you got last week? Smishing. The call from "Microsoft Support" about a virus on your computer? Vishing. Same playbook, different channel.
5. Quishing (QR Code Phishing)
This one's exploding in 2026. Attackers place malicious QR codes in emails, on parking meters, in restaurant menus, and even in physical mail. Your phone scans the code and loads a credential-harvesting page. The mail gateway never sees a link to scan, because the URL is hidden inside an image, and most phone camera apps show only a truncated preview of the destination before opening it, which makes this particularly dangerous.
Why Phishing Works: The Psychology You Can't Patch
Firewalls don't stop phishing. Antivirus misses it. The attack targets humans, not systems. Here's what makes it work:
- Authority: Messages appear to come from CEOs, IT departments, or government agencies.
- Urgency: "Act now or lose access." Deadlines eliminate careful thinking.
- Fear: "Your account has been compromised." Ironic, since responding to the message is what actually compromises it.
- Familiarity: Attackers mimic tools your team uses daily — Microsoft 365 login pages, DocuSign requests, Slack notifications.
I've run phishing simulations for organizations where seasoned IT professionals clicked the link. It's not about intelligence. It's about the moment.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was among the most common initial attack vectors, and breaches that started with phishing took an average of 261 days to identify and contain.
Two hundred and sixty-one days. That means a threat actor who phished your employee in January might still be inside your network come September, exfiltrating data, planting ransomware backdoors, and escalating privileges.
This is why security awareness isn't optional. It's a core business function. If you haven't enrolled your team in phishing awareness training for organizations, you're leaving your front door open and hoping nobody walks in.
How to Spot a Phishing Attack: A Practical Checklist
Train your eye for these red flags. Train your employees, too.
- Sender mismatch: The display name says "Microsoft" but the actual address behind it is on an unrelated domain.
- Generic greetings: "Dear Customer" or "Dear User" instead of your actual name.
- Urgency or threats: "Your account will be suspended immediately."
- Suspicious links: Hover before you click (long-press on a phone). Does the URL actually go where the link text claims?
- Unexpected attachments: Especially .zip, .exe, .html (a single HTML file can carry a complete fake login form that works with no server behind it), or macro-enabled Office files.
- Requests for credentials or payment: Legitimate companies don't ask for passwords via email.
- Too good to be true: You didn't win a prize. You aren't getting an unexpected refund.
When in doubt, verify through a separate channel. Call the person. Walk to their desk. Don't reply to the suspicious email itself.
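The two checklist items that can be automated are "sender mismatch" and "does the URL go where it claims". The following Python is an added example, not code from the original article: it takes a message's display name, From address and links, and returns the reasons a triage analyst would write down. The brand-to-domain table, the sample lure and the crude "last two labels" domain extraction are assumptions made for the example; a production tool would use the Public Suffix List and a maintained brand list.

```python
"""Heuristics for two checklist items: sender mismatch and hover-before-you-click.
Added example; the brand list, domain list and sample messages are constructed."""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Assumed allow-list: brands the article names, mapped to domains they really send from.
# A production tool would carry a much larger, maintained list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "amazon": {"amazon.com"},
    "dhl": {"dhl.com"},
}
LEGIT_DOMAINS = set().union(*BRAND_DOMAINS.values())


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.net; real code would use
    the Public Suffix List so that e.g. foo.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_mismatch(display_name: str, address: str) -> Optional[str]:
    """Display name claims a brand, but the From address is on an unrelated domain."""
    domain = registered_domain(address.rsplit("@", 1)[-1])
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_name.lower() and domain not in legit:
            return f"display name claims {brand!r} but address domain is {domain!r}"
    return None


_URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


def link_mismatch(anchor_text: str, href: str) -> Optional[str]:
    """Visible link text looks like a URL but the href points somewhere else
    (the case 'hover before you click' is meant to catch)."""
    text = anchor_text.strip()
    if not _URL_LIKE.match(text):
        return None  # plain words like "View invoice": nothing to compare against
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    real = urlparse(href).hostname or ""
    if registered_domain(shown) != registered_domain(real):
        return f"link text shows {shown!r} but points to {real!r}"
    return None


def suspicious_host(href: str) -> List[str]:
    """Red flags in the destination itself, independent of the anchor text."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode hostname (possible IDN homograph)")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain")
    if any(b in host for b in BRAND_DOMAINS) and registered_domain(host) not in LEGIT_DOMAINS:
        reasons.append("brand name embedded in an unrelated domain")
    if parsed.scheme == "http":
        reasons.append("plain-http link (a real login page is https)")
    return reasons


def triage(display_name: str, address: str, links) -> List[str]:
    """links: iterable of (anchor_text, href) pairs. Returns every reason found."""
    reasons = []
    r = sender_mismatch(display_name, address)
    if r:
        reasons.append(r)
    for text, href in links:
        r = link_mismatch(text, href)
        if r:
            reasons.append(r)
        reasons.extend(suspicious_host(href))
    return reasons


if __name__ == "__main__":
    # Constructed sample resembling a bulk Microsoft 365 lure.
    sample_links = [("https://login.microsoftonline.com",
                     "https://login.microsoftonline.com.secure-verify.net/auth"),
                    ("Unsubscribe", "http://203.0.113.10/u")]
    for reason in triage("Microsoft Account Team", "alerts@micros0ft-verify.com", sample_links):
        print("flag:", reason)
```

The point of the `registered_domain` comparison is that `login.microsoftonline.com.secure-verify.net` contains the real hostname as a prefix, which is exactly what a hover check by eye tends to miss; comparing only the registrable part makes the mismatch unambiguous.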
What Happens After You Click: The Attack Chain
Understanding the post-click sequence helps you grasp why phishing is so dangerous.
Step 1: Credential Harvesting. You land on a fake login page. You enter your username and password. The attacker now owns your credentials.
Step 2: Account Takeover. The attacker logs into your actual account. If you haven't enabled multi-factor authentication, there's nothing stopping them. Even with MFA, a proxy-based phishing page can relay a one-time code or push approval in real time and capture the resulting session cookie, which is why the choice of MFA method matters.
Step 3: Lateral Movement. From your compromised account, the attacker sends internal phishing emails to your colleagues. These messages come from a trusted address — yours — so click rates skyrocket.
Step 4: Data Exfiltration or Ransomware Deployment. The attacker either steals sensitive data or deploys ransomware across the network. Sometimes both. This is where a phishing email becomes a multi-million-dollar incident.
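Step 3 is the point in the chain where a defender can still catch the incident before Step 4, because a mailbox that has just been taken over behaves differently from its owner: it sends one subject to many colleagues in a few minutes. The following Python is an added example, not code from the original article, of that detection run over constructed mail-log lines. The log format, the internal domain, the threshold of five recipients in ten minutes and the allow-list of known bulk senders are all assumptions; a real pipeline would feed it from the mail gateway or a Microsoft 365 message trace.

```python
"""Detection for Step 3: a just-compromised mailbox fanning one message out to many
internal colleagues. Added example over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

INTERNAL_DOMAIN = "example.com"          # assumed
KNOWN_BULK_SENDERS = {"hr@example.com"}  # assumed: mailboxes expected to fan out

# Constructed sample: '<timestamp> <from> <to> "<subject>"', one line per recipient.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z sarah@example.com jim@example.com "Q3 budget question"
2024-03-04T09:40:33Z jim@example.com sarah@example.com "Re: Q3 budget question"
2024-03-04T10:00:00Z hr@example.com alice@example.com "Benefits enrollment deadline"
2024-03-04T10:00:01Z hr@example.com bob@example.com "Benefits enrollment deadline"
2024-03-04T10:00:02Z hr@example.com carol@example.com "Benefits enrollment deadline"
2024-03-04T10:00:03Z hr@example.com dave@example.com "Benefits enrollment deadline"
2024-03-04T10:00:04Z hr@example.com erin@example.com "Benefits enrollment deadline"
2024-03-04T13:02:10Z sarah@example.com alice@example.com "Shared document: Invoice_0309"
2024-03-04T13:02:11Z sarah@example.com bob@example.com "Shared document: Invoice_0309"
2024-03-04T13:02:13Z sarah@example.com carol@example.com "Shared document: Invoice_0309"
2024-03-04T13:02:15Z sarah@example.com dave@example.com "Shared document: Invoice_0309"
2024-03-04T13:02:18Z sarah@example.com erin@example.com "Shared document: Invoice_0309"
2024-03-04T13:02:20Z sarah@example.com partner@vendor.example "Shared document: Invoice_0309"
2024-03-04T13:03:02Z sarah@example.com frank@example.com "Shared document: Invoice_0309"
2024-03-04T16:30:00Z sarah@example.com frank@example.com "Shared document: Invoice_0309"
"""

_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into time-sorted (ts, sender, recipient, subject)."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the job
        ts, sender, rcpt, subject = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       sender.lower(), rcpt.lower(), subject))
    return sorted(events)


def find_fanout_bursts(events: List[Event], window: timedelta = timedelta(minutes=10),
                       min_recipients: int = 5) -> List[Dict]:
    """Alert when one sender sends one subject to >= min_recipients distinct internal
    recipients inside any `window`. Known bulk senders are skipped; everything else
    (a finance analyst mailing six colleagues an 'invoice' link) deserves a look."""
    by_key: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, sender, rcpt, subject in events:
        if sender in KNOWN_BULK_SENDERS or not rcpt.endswith("@" + INTERNAL_DOMAIN):
            continue
        by_key[(sender, subject)].append((ts, rcpt))
    alerts = []
    for (sender, subject), items in by_key.items():
        best, best_start = 0, None
        for i, (t0, _) in enumerate(items):  # items are time-ordered
            rcpts = {r for t, r in items[i:] if t - t0 <= window}
            if len(rcpts) > best:
                best, best_start = len(rcpts), t0
        if best >= min_recipients:
            alerts.append({"sender": sender, "subject": subject,
                           "distinct_recipients": best,
                           "window_start": best_start.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_fanout_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The external recipient (`partner@vendor.example`) is deliberately excluded from the count so the rule measures internal spread only; a separate rule would watch for the same account suddenly mailing external addresses. The allow-list is the tuning knob: without it, the HR mailing above fires too.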
Proven Defenses That Actually Reduce Phishing Risk
Layer 1: Technical Controls
- Multi-factor authentication (MFA): This single control stops most credential theft attacks that end at a stolen password. Deploy it everywhere. Not just email — every SaaS application, VPN, and admin panel. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes and push prompts, which proxy-based phishing kits can relay and which users can be fatigued into approving.
- Email filtering and DMARC: Publish SPF (which hosts may send for your domain), DKIM (a signature on outgoing mail), and DMARC (what receivers should do when neither check aligns, and where to send reports). Start at p=none to collect reports, then move to p=quarantine and finally p=reject once every legitimate sender is aligned; a domain left at p=none is documented, not protected. CISA's guidance on email security is a solid starting point.
- Zero trust architecture: Assume every request is potentially malicious. Verify identity and device posture continuously, not just at login.
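Whether SPF and DMARC are actually doing anything is a question of a few record tags, and most weak deployments fail on the same ones. The following Python is an added example, not code from the original article or from CISA: it grades constructed SPF and DMARC TXT records and lists each gap. The records are made up for the example, and the DNS fetch of the domain's TXT record and of `_dmarc.<domain>` is assumed to have happened already (the code is offline); DKIM is not graded because it cannot be checked without knowing the selector.

```python
"""Offline grader for the SPF/DMARC item above. Added example; records are constructed."""
import re
from typing import Dict, List, Optional

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records: a typical "set it and forgot it" domain beside a hardened one.
WEAK = {"spf": "v=spf1 include:_spf.google.com +all",
        "dmarc": "v=DMARC1; p=none"}
STRONG = {"spf": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all",
          "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; "
                   "rua=mailto:dmarc@example.com; adkim=s; aspf=s"}


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict; None if this is not a DMARC record."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt: str) -> List[str]:
    """Empty list means the record enforces and reports; each entry is a gap."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no DMARC record: receivers have no instruction for spoofed mail"]
    findings = []
    p = tags.get("p", "none").lower()
    if p == "none":
        findings.append("p=none: spoofed mail is still delivered, you are only monitoring")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unseen")
    return findings


def assess_spf(txt: str) -> List[str]:
    """Check the terminal 'all' qualifier and the DNS-lookup budget."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: any host may claim to send for this domain"]
    findings = []
    all_term = next((t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t.lower())), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("+all: every host on the internet passes SPF")
    elif all_term.startswith("?"):
        findings.append("?all: neutral result, unlisted senders are never failed")
    elif all_term.startswith("~"):
        findings.append("~all: softfail only, DMARC must do the rejecting")
    lookups = 0
    for t in terms[1:]:
        m = re.match(r"^[+\-~?]?([a-z]+)", t.lower())
        if m and m.group(1) in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def assess_domain(spf_txt: str, dmarc_txt: str) -> Dict:
    findings = assess_spf(spf_txt) + assess_dmarc(dmarc_txt)
    return {"enforcing": not findings, "findings": findings}


if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("strong", STRONG)):
        print(name, assess_domain(recs["spf"], recs["dmarc"]))
```

The lookup budget check matters more than it looks: a record that has grown past ten includes returns permerror, which most receivers treat as "no SPF at all", silently undoing the control.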
Layer 2: Human Defenses
Technical controls fail without trained humans. A well-crafted phishing email can bypass filters. Your employees are the last line of defense — or the weakest link.
Regular phishing simulation programs are essential. Not once-a-year compliance checkboxes. Ongoing, realistic exercises that teach employees to recognize and report threats. Our cybersecurity awareness training program covers exactly this — building the reflexes that stop attacks before they succeed.
Layer 3: Incident Response
Make reporting easy. If an employee clicks a suspicious link, they need to know exactly who to call and what to do — without fear of punishment. A blame culture guarantees that compromises go unreported until the ransomware note appears on every screen.
Quick Answer: What Is Phishing?
Phishing is a cyberattack where criminals impersonate trusted entities through email, text messages, phone calls, or fake websites to trick victims into revealing passwords, financial information, or other sensitive data. It is one of the most common methods threat actors use to gain initial access to organizations and individuals, and one of the leading causes of data breaches globally.
Your Inbox Is a Battlefield
Every email your team opens is a decision point. Phishing isn't going away — it's evolving. Deepfake video calls, AI-generated messages with perfect grammar, QR codes in parking garages. The attack surface is expanding faster than most defenses can keep up.
But here's what I've seen work: organizations that combine strong technical controls with consistent, realistic training cut their phishing click rates dramatically within months. Not years. Months.
Start with MFA. Implement DMARC. Build a zero trust posture. And invest in your people — because they're the ones who will decide whether that next phishing email becomes a near-miss or a catastrophe.