In 2023, the FBI's Internet Crime Complaint Center received over 298,000 phishing complaints — making it the most reported cybercrime for the fifth consecutive year. Yet every week, I still talk to business owners who think phishing is just "those obvious Nigerian prince emails." It's not. So what is phishing, really? It's the single most effective technique threat actors use to breach organizations of every size, and it's responsible for more financial damage than any other attack vector.

If you clicked on this article, you're either trying to understand phishing for yourself or looking for a way to explain it to your team. Either way, I'm going to walk you through exactly how these attacks work, what they look like in the real world, and — most importantly — what you can do to stop them from costing your organization millions.

What Is Phishing? A Straight Answer

Phishing is a social engineering attack where a threat actor impersonates a trusted entity — a bank, a coworker, a vendor, a government agency — to trick you into revealing sensitive information, clicking a malicious link, or downloading malware. The name comes from "fishing" because attackers cast bait and wait for someone to bite.

The critical thing to understand: phishing targets people, not systems. Your firewall doesn't stop it. Your antivirus often doesn't catch it. The attack exploits human trust, urgency, and inattention.

According to the Verizon Data Breach Investigations Report, the human element is involved in roughly 68% of breaches, with phishing and pretexting dominating the social engineering category. That's not a technology failure. That's a training failure.

How Phishing Attacks Actually Work

I've analyzed thousands of phishing campaigns over my career. Here's the anatomy of a typical attack, step by step.

Step 1: Reconnaissance

The attacker researches your organization. LinkedIn profiles, company websites, press releases, and social media give them names, titles, email formats, and reporting structures. In targeted attacks — called spear phishing — they know your CEO's name, your IT vendor, and when your quarterly reports drop.

Step 2: The Lure

They craft a message designed to trigger an emotional response. Fear works well: "Your account has been suspended." So does urgency: "Wire transfer needed before 3 PM." Authority is another lever: "This is from the CEO — handle it immediately."

The email, text, or message looks legitimate. Logos are copied. Domains are spoofed or use lookalike characters (like "rnicrosoft.com" instead of "microsoft.com"). The sender name matches someone you know.

Step 3: The Hook

The message contains either a malicious link pointing to a credential harvesting page, an infected attachment, or instructions to take an action — like wiring money or sharing login credentials. Once you click, type, or transfer, the attacker is in.

Step 4: Exploitation

With stolen credentials, threat actors move laterally through your network. They access email accounts, financial systems, customer databases, and intellectual property. In many cases, they deploy ransomware or exfiltrate data for sale on dark web markets. The median time to detect a breach is still measured in months, not minutes.

The 6 Types of Phishing You Need to Know

Not all phishing looks the same. Here are the variants I see most frequently targeting organizations right now.

Email Phishing

The classic. Mass emails sent to thousands of addresses, impersonating brands like Microsoft, Amazon, or shipping companies. Low sophistication, high volume. Most are caught by spam filters — but the ones that slip through only need one click.

Spear Phishing

Targeted attacks aimed at specific individuals using personalized information. These are dramatically more effective because they reference real projects, real colleagues, and real deadlines. A spear phishing email targeting your accounts payable team mentioning an actual vendor is far harder to spot than a generic "verify your account" message.

Whaling

Spear phishing aimed at executives. CFOs, CEOs, and board members are high-value targets because they have authority to approve wire transfers and access to sensitive strategic data.

Smishing and Vishing

Phishing via SMS (smishing) or voice calls (vishing). I've seen a sharp increase in smishing attacks that impersonate delivery services or two-factor authentication prompts. Vishing attacks often impersonate IT help desks — the 2022 Uber breach started with a vishing attack against an employee.

Business Email Compromise (BEC)

The most financially devastating variant. The FBI IC3's 2023 Internet Crime Report showed BEC accounted for over $2.9 billion in reported losses. Attackers either compromise or spoof an executive's email and instruct employees to wire funds, change payment details, or share sensitive data.

QR Code Phishing (Quishing)

A newer tactic gaining traction. Attackers embed malicious QR codes in emails, physical flyers, or even parking meters. When scanned, the code directs to a credential harvesting page. Traditional email security tools often can't scan QR code destinations, making this particularly dangerous.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was consistently among the top initial attack vectors. For small and mid-sized businesses, a breach of that magnitude can be an extinction event.

But the cost isn't just financial. I've watched organizations lose customer trust, face regulatory penalties, and deal with lawsuits that drag on for years. The FTC has taken action against companies that failed to implement reasonable security measures — and "reasonable" increasingly means having security awareness training in place.

Here's what frustrates me: most of these breaches are preventable. Not with expensive technology. With training.

Why Spam Filters Alone Won't Save You

Your email gateway catches a lot. But attackers constantly evolve. They use legitimate services like Google Forms, SharePoint, and Dropbox to host phishing pages — domains your spam filter is unlikely to block. They send from compromised accounts with clean sender reputations. They use URL shorteners and redirect chains to evade link scanning.

Microsoft reported that they block over 30 billion phishing emails per year. That sounds impressive until you realize that even a 99.9% detection rate means millions of phishing emails still reach inboxes globally. Your technical controls are necessary but insufficient.

The last line of defense is always the person reading the email.

How to Actually Protect Your Organization From Phishing

After two decades in this field, here's my proven framework for reducing phishing risk. It combines technology, training, and policy — because no single layer works alone. This is a zero trust mindset applied to email.

1. Deploy Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) is the single most impactful technical control against credential theft. Even when an employee enters their password on a phishing page, MFA blocks the attacker from using it. CISA recommends MFA as a baseline security measure for every organization. Prioritize phishing-resistant MFA like FIDO2 security keys over SMS-based codes, which can be intercepted.

2. Run Realistic Phishing Simulations

Phishing simulation is the closest thing to a fire drill for your inbox. Sending simulated phishing emails to your employees — and tracking who clicks — gives you real data on your organization's risk. More importantly, it creates teachable moments that stick.

I recommend running simulations monthly, varying the scenarios each time. Use BEC lures, fake IT alerts, spoofed vendor invoices, and seasonal themes. Our phishing awareness training for organizations includes simulation guidance designed around the tactics real attackers use right now.

3. Invest in Ongoing Security Awareness Training

Annual compliance training doesn't work. I've seen the data — click rates barely budge after a once-a-year slideshow. What does work is continuous, engaging training that keeps phishing top-of-mind.

Your employees need to recognize the psychological triggers — urgency, authority, fear, curiosity — that make phishing effective. They need to know what a lookalike domain looks like. They need a clear, no-blame process for reporting suspicious messages.

Our cybersecurity awareness training program covers phishing, social engineering, ransomware, credential theft, and more — built for organizations that want measurable risk reduction, not checkbox compliance.

4. Implement DMARC, DKIM, and SPF

These email authentication protocols let receiving mail servers check whether a message claiming to come from your domain was actually authorized by you, so spoofed phishing emails that appear to come from your organization can be rejected before they reach an inbox. If you haven't configured DMARC with an enforcement policy, you're making it easy for threat actors to impersonate your brand to your own customers and partners.
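To make the "enforcement policy" point concrete, here is an added example (not code from the original article or from any product it mentions) that evaluates the three DNS TXT records the section names. It takes the record strings as input rather than querying DNS, so it runs offline against the constructed weak and hardened records embedded at the bottom; the lookup-limit count is a top-level approximation, since nested includes also count toward the RFC 7208 limit of 10. It also covers the later action item "check your DMARC record": the findings it returns are what such a lookup tool should tell you.

```python
from typing import Optional


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style TXT record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> list[str]:
    """Findings for a _dmarc.<domain> TXT record; an empty list means enforced."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return ["DMARC_MISSING: no DMARC record, so receivers have no policy for spoofed mail"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("DMARC_INVALID: the p= tag is required")
    elif policy == "none":
        findings.append("DMARC_NO_ENFORCEMENT: p=none only monitors, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC_PARTIAL: p=quarantine junks spoofs; move to p=reject once reports are clean")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC_PCT: policy applies to only {pct}% of failing mail")
    # sp= defaults to p=, so only an explicit sp=none opens the subdomain gap.
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC_SUBDOMAIN_GAP: sp=none leaves every subdomain spoofable")
    if "rua" not in tags:
        findings.append("DMARC_NO_REPORTS: without rua= you never learn who is spoofing your domain")
    return findings


def assess_spf(record: Optional[str]) -> list[str]:
    """Findings for the domain's SPF TXT record; an empty list means a hard fail is in place."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return ["SPF_MISSING: no SPF record"]
    terms = record.split()
    findings = []
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF_NO_ALL: no 'all' mechanism, receivers get a neutral result by default")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("SPF_OPEN: '+all' lets any host on the internet pass SPF for your domain")
        elif qualifier == "?":
            findings.append("SPF_NEUTRAL: '?all' gives receivers no signal at all")
    # Mechanisms that cost a DNS lookup are capped at 10 by RFC 7208 (nested includes count too).
    lookup_mechs = {"include", "a", "mx", "ptr", "exists", "redirect"}
    lookups = sum(1 for t in terms
                  if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in lookup_mechs)
    if lookups > 10:
        findings.append(f"SPF_TOO_MANY_LOOKUPS: {lookups} top-level lookup mechanisms, limit is 10")
    return findings


def assess_dkim(record: Optional[str]) -> list[str]:
    """Findings for a <selector>._domainkey.<domain> TXT record."""
    if not record:
        return ["DKIM_MISSING: no DKIM key published at this selector"]
    tags = parse_tags(record)
    findings = []
    if not tags.get("p"):
        findings.append("DKIM_REVOKED: an empty p= means the key is revoked, signatures will fail")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("DKIM_TESTING: t=y tells verifiers to treat failures like unsigned mail")
    return findings


def assess_domain(spf: Optional[str], dmarc: Optional[str], dkim: Optional[str]) -> dict:
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc), "dkim": assess_dkim(dkim)}


# Constructed records for a hypothetical example.com, not real DNS data.
WEAK = {"spf": "v=spf1 include:_spf.example.net +all",
        "dmarc": "v=DMARC1; p=none",
        "dkim": "v=DKIM1; k=rsa; t=y; p="}
HARDENED = {"spf": "v=spf1 include:_spf.example.net ip4:192.0.2.10 -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s",
            "dkim": "v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_PUBLIC_KEY"}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_domain(**recs))
```

The weak set is the state many domains sit in: SPF that anyone can satisfy, DMARC that only watches, and a DKIM selector left in testing mode. The hardened set is what "enforcement policy" means in practice, and aggregate reports (rua=) are what tell you when a legitimate sender breaks before you move from quarantine to reject.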

5. Create a Phishing Response Playbook

When someone reports a suspicious email — and they will, if you train them — your security team needs a documented process. Who triages the report? How fast do you pull the email from all inboxes? When do you reset credentials? How do you communicate to the organization?

Speed matters. In many data breach cases, the window between initial phishing click and full network compromise is measured in hours.

6. Verify Out-of-Band for Financial Requests

Any email requesting a wire transfer, payment change, or sensitive data transfer should be verified through a separate communication channel — a phone call to a known number, a face-to-face confirmation, or a verified Slack message. Never verify by replying to the suspicious email itself, since the reply goes straight back to the attacker.

What Does a Phishing Email Look Like? Red Flags to Watch

This is the section I want your employees to read. Here are the concrete signals that an email, text, or message might be a phishing attempt:

  • Urgency or threats: "Your account will be locked in 24 hours." "Immediate action required."
  • Mismatched sender info: The display name says "Microsoft Support" but the email address is from a random domain.
  • Lookalike domains: "paypa1.com" instead of "paypal.com." Always hover over links before clicking.
  • Unexpected attachments: Especially .zip, .exe, .html, or macro-enabled Office files from unknown senders.
  • Generic greetings: "Dear Customer" or "Dear User" instead of your actual name.
  • Requests for credentials: Legitimate organizations will never ask you to enter your password via email link.
  • Too good to be true: Gift card offers, unexpected refunds, or prize notifications.
  • Pressure to bypass normal procedures: "Don't tell anyone about this yet" or "Skip the usual approval process."

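Two of the red flags above, the lookalike domain ("rnicrosoft.com", "paypa1.com") and the mismatched display name, are mechanical enough that a mail gateway or a triage script can flag them before a person has to. The following is an added example written for this article, not code from the author or any vendor it mentions; the allowlist of trusted domains and the sample From: headers are constructed, and the confusable-character table is a small illustrative subset rather than a complete homoglyph list.

```python
import re
from email.utils import parseaddr

# Constructed allowlist: domains this organization legitimately receives mail from.
KNOWN_DOMAINS = {"microsoft.com", "paypal.com", "example.com"}

# Character sequences that render almost identically in many fonts, as in the
# article's "rnicrosoft.com" and "paypa1.com". Mapping both sides to the canonical
# form makes a lookalike compare equal to the real domain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("cl", "d")]


def normalize(domain: str) -> str:
    s = domain.lower()
    for confusable, canonical in CONFUSABLES:
        s = s.replace(confusable, canonical)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_known(domain: str) -> bool:
    """A trusted domain or one of its subdomains (mail.paypal.com) is not a lookalike."""
    return domain in KNOWN_DOMAINS or any(domain.endswith("." + k) for k in KNOWN_DOMAINS)


def check_from_header(from_header: str) -> list[str]:
    """Return human-readable findings for one From: header value; empty means clean."""
    findings = []
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if is_known(domain):
        return findings

    # Red flag: lookalike domain, via confusable characters or a near-miss spelling.
    for known in sorted(KNOWN_DOMAINS):
        if normalize(domain) == normalize(known):
            findings.append(f"lookalike domain: {domain} mimics {known} using confusable characters")
        elif edit_distance(domain, known) <= 2:
            findings.append(f"lookalike domain: {domain} is within 2 edits of {known}")

    # Red flag: the display name claims a trusted brand but the address lives elsewhere.
    brand_words = {k.split(".")[0] for k in KNOWN_DOMAINS}
    display_words = set(re.findall(r"[a-z0-9]+", display.lower()))
    for brand in sorted(brand_words & display_words):
        if brand not in domain:
            findings.append(f'display-name mismatch: "{display}" claims {brand} but address is @{domain}')

    # Red flag: the display name is itself an address on another domain, a BEC trick
    # aimed at mail clients that show only the display name.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != domain:
        findings.append(f"display name embeds address at {m.group(1)} but real sender is @{domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real campaign.
    SAMPLES = [
        '"Microsoft Account Team" <security@rnicrosoft.com>',
        "PayPal <service@paypa1.com>",
        '"Microsoft Support" <alerts@secure-login-center.net>',
        '"ceo@example.com" <ceo.example@gmail.com>',
        "PayPal <service@paypal.com>",
    ]
    for sample in SAMPLES:
        print(sample, "->", check_from_header(sample) or ["no findings"])
```

Note what this does not catch: a compromised legitimate account passes every check here, which is exactly why the article pairs these indicators with out-of-band verification for anything involving money or credentials.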
When in doubt, don't click. Report it. Every organization should have a dedicated phishing report button in their email client.

Phishing Is Evolving — AI Is Making It Worse

I need to be direct about what's coming. Generative AI has eliminated most of the telltale signs that phishing emails used to carry. Grammar mistakes, awkward phrasing, and formatting errors were once reliable red flags. Not anymore.

Threat actors now use large language models to craft phishing emails that are grammatically flawless, contextually appropriate, and personalized at scale. They use AI to clone voices for vishing attacks. They generate deepfake video for executive impersonation.

This means the old advice — "just look for typos" — is dangerously outdated. Your people need to understand the psychology of phishing, not just the surface-level indicators. They need to question why a message is creating urgency, not just whether it's spelled correctly.

What Should You Do Right Now?

If you've read this far, you understand the threat. Here's your action list for this week:

  • Audit your MFA coverage. Every account that touches email, financial systems, or customer data needs multi-factor authentication. No exceptions.
  • Schedule your first phishing simulation. You can't improve what you don't measure. Baseline your organization's click rate.
  • Enroll your team in security awareness training. Start with our phishing-focused training and expand to the full cybersecurity awareness curriculum.
  • Check your DMARC record. Use a DMARC lookup tool and verify you have an enforcement policy in place.
  • Establish a reporting process. Make it easy and consequence-neutral for employees to report suspicious messages.

Phishing isn't going away. The attackers are getting better, the stakes are getting higher, and the only reliable defense is a workforce that knows what to look for and what to do about it. Now you know what phishing is — the question is what you're going to do about it before the next email lands.