In March 2021, a massive phishing campaign impersonating Microsoft Office 365 hit over 10,000 mailboxes across the financial services sector in a single week. The emails were nearly flawless: correct logos, legitimate-looking sender domains, and urgent language about password expiration. Dozens of employees handed over their credentials before anyone flagged it. If you are asking what phishing is, this is it in action: a deceptive message designed to trick a human into giving up something valuable. It is also the single most common way attackers get inside an organization.
The 2021 Verizon Data Breach Investigations Report found that phishing was present in 36% of all confirmed data breaches — up from 25% the year before. That's not a trend line. That's an escalation. I've spent years helping organizations respond to these incidents, and the pattern is always the same: one email, one click, one set of stolen credentials, and then the real damage begins.
What Is Phishing, Exactly?
Phishing is a social engineering attack where a threat actor sends a fraudulent message — usually email — designed to trick the recipient into revealing sensitive information, clicking a malicious link, or downloading malware. The attacker pretends to be someone the victim trusts: a bank, a boss, a software vendor, a government agency.
The goal varies. Sometimes it's credential theft — harvesting usernames and passwords to access corporate systems. Sometimes it's deploying ransomware. Sometimes it's tricking someone in accounting into wiring money to a fraudulent account. But the mechanism is always the same: exploit human trust.
Here's what separates phishing from spam. Spam is annoying. Phishing is engineered. A good phishing email is built using reconnaissance — the attacker knows your name, your company, your role, and sometimes even your current projects. That level of targeting is what makes it so effective.
The Anatomy of a Phishing Email
I've analyzed thousands of phishing emails over the years. The effective ones share a consistent set of traits. Understanding these components is the first step to spotting them before they cause damage.
Spoofed Sender Identity
The "From" field looks legitimate. Attackers register domains like "micros0ft-support.com" or "paypa1-security.net", close enough to fool a distracted employee scanning their inbox at 8 AM. In more sophisticated attacks they compromise a real vendor's email account and send phishing messages from a genuinely trusted address, which passes every sender-authentication check because the mail really does come from that domain.
Urgency and Fear
Almost every phishing email creates artificial pressure. "Your account will be locked in 24 hours." "Unauthorized login detected — verify now." "Your CEO needs this wire transfer completed before noon." The urgency short-circuits critical thinking. That's by design.
Malicious Links or Attachments
The payload is either a link to a credential-harvesting page that looks identical to a real login portal, or an attachment laced with malware. I've seen Word documents with embedded macros that deploy ransomware within seconds of being opened. The FBI's IC3 report for 2020 recorded more than $4.2 billion in reported losses across all cybercrime categories, with business email compromise alone accounting for about $1.8 billion, the costliest category by far.
Legitimate-Looking Landing Pages
When you click a phishing link, you land on a page that is often a pixel-perfect copy of a real login screen. Microsoft 365, Google Workspace, banking portals: attackers clone them all. The address bar is the giveaway, specifically the registrable domain rather than the logos, the padlock or a familiar-looking path, but most people do not check it carefully. That is the whole bet.
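As an added example that is not part of the original article, here is a small Python check for the sender-domain and landing-page tricks described above: it pulls the real host out of a link (including the user@host trick), normalizes digit-for-letter swaps, and flags hosts that imitate a brand domain. The trusted domain list, the substitution table and the sample URLs are constructed for illustration; the registrable-domain logic is a two-label simplification and would use a public suffix list in production.

```python
"""Flag URLs whose host imitates a trusted brand domain.

Added example, not code from the original article. The watchlist, the
homoglyph table and the sample URLs are constructed for illustration.
"""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed watchlist: domains the organisation legitimately receives mail and links from.
TRUSTED = {"microsoft.com", "microsoftonline.com", "paypal.com"}

# Digit/symbol substitutions seen in lookalike registrations (assumption: a small, common
# subset; Unicode homoglyphs are only caught indirectly, via the xn-- label check below).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "@": "a", "|": "l"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so a domain
    like 'example.co.uk' would be reduced to 'co.uk'; use a PSL library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(label: str) -> str:
    """Undo digit-for-letter swaps and drop separators: 'micros0ft-support' -> 'microsoftsupport'."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


BRANDS = {registrable_domain(t).split(".")[0] for t in TRUSTED}   # microsoft, microsoftonline, paypal


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, registrable domain) for a link target.
    Verdicts: trusted, userinfo-trick, punycode, brand-in-subdomain, lookalike, unknown."""
    if "://" not in url:                       # bare 'host/path' as pasted from an email body
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    rd = registrable_domain(host)
    if parsed.username:                        # https://paypal.com@evil.example/ : real host is after the @
        return "userinfo-trick", rd
    if rd in TRUSTED:
        return "trusted", rd
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode", rd                  # IDN label: decode and inspect before trusting it
    subdomains = host[: -len(rd)] if host != rd and host.endswith(rd) else ""
    if any(brand in normalize(subdomains) for brand in BRANDS):
        return "brand-in-subdomain", rd        # microsoft.com.account-check.net
    sld = normalize(rd.split(".")[0])
    for brand in BRANDS:
        # exact brand after normalisation, or a near miss such as rnicrosoft ('rn' for 'm')
        if brand in sld or SequenceMatcher(None, brand, sld).ratio() >= 0.8:
            return "lookalike", rd
    return "unknown", rd


if __name__ == "__main__":
    for sample in ["https://login.microsoftonline.com/common/oauth2/authorize",
                   "https://micros0ft-support.com/verify", "paypa1-security.net/login",
                   "https://www.rnicrosoft.com/", "https://microsoft.com.account-check.net/",
                   "https://paypal.com@evil.example/", "https://xn--pypal-4ve.com/",
                   "https://example.org/docs"]:
        print(f"{sample:60} -> {classify(sample)}")
```

Anything other than "trusted" is worth a second look, and "unknown" only means the domain is not on the watchlist, not that it is safe; in a mail gateway this would feed a rewrite-and-warn rule rather than a hard block.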
Five Types of Phishing Your Team Needs to Recognize
Not all phishing looks the same. The threat landscape in 2021 includes several distinct variants, each targeting different vulnerabilities.
1. Email Phishing (Bulk)
The most common form. A threat actor blasts thousands of emails using a generic lure — fake shipping notifications, password resets, tax refund notices. The hit rate is low per message, but at volume, it works. One in every hundred recipients clicking is enough to compromise an organization.
2. Spear Phishing
This is targeted. The attacker researches a specific individual — their role, their colleagues, their recent activity on LinkedIn — and crafts a personalized message. Spear phishing is how the 2020 Twitter breach started. Attackers used phone-based social engineering and targeted phishing to compromise employee credentials, then took over high-profile accounts including Barack Obama and Elon Musk.
3. Whaling
Spear phishing aimed at executives. The CEO, CFO, or general counsel gets a carefully crafted message that references real business transactions or legal matters. The stakes — and the payoff for the attacker — are enormous. A single successful whaling attack can result in wire transfers worth millions.
4. Smishing and Vishing
Phishing via SMS (smishing) and voice calls (vishing) are surging in 2021. The shift to remote work made phone-based attacks more effective because employees can't walk over to a colleague's desk to verify a suspicious request. Attackers call pretending to be IT support, requesting VPN credentials or multi-factor authentication codes.
5. Business Email Compromise (BEC)
BEC is phishing's most expensive cousin. The attacker either spoofs or directly compromises a business email account, then uses it to request fraudulent payments, redirect payroll deposits, or steal sensitive data. The FBI has flagged BEC as the costliest form of cybercrime for multiple years running.
Why Phishing Still Works in 2021
You'd think that after decades of awareness campaigns, people would stop clicking. They don't. Here's why.
Volume overwhelms vigilance. The average office worker receives over 120 emails per day. Phishing attackers only need one moment of inattention. Security awareness fades when people are rushing between meetings and managing overflowing inboxes.
Remote work expanded the attack surface. Since 2020, employees are working from home networks without enterprise-grade security controls. They're using personal devices, mixing work and personal email, and operating without the social cues that help detect fraud in an office environment.
Attackers are getting better. Phishing kits, prebuilt packages that let anyone launch a campaign, sell on dark web marketplaces for under $50. They include templates and hosting, and the newer adversary-in-the-middle kits run a reverse proxy in front of the real login page: the victim's password and one-time code are relayed to the genuine site in real time and the resulting session cookie is captured, which defeats SMS codes, app-based OTP and push-approval MFA. The barrier to entry for launching a convincing phishing attack has never been lower.
The $4.24M Lesson Most Organizations Learn Too Late
According to IBM's 2021 Cost of a Data Breach Report, the average cost of a data breach reached $4.24 million, the highest in the report's 17-year history. Compromised credentials were the most common initial attack vector and phishing was second, and breaches that began with phishing were among the most expensive at an average of $4.65 million. Breaches caused by phishing took an average of 213 days to identify and 80 days to contain.
Those aren't just numbers. I've watched small businesses shut down permanently after a phishing-initiated ransomware attack encrypted their systems and backups. I've seen hospitals divert patients because a phishing email gave an attacker access to the network. The financial cost is staggering, but the operational and reputational damage can be worse.
The organizations that recover fastest are the ones that invested in prevention before the incident. That means phishing awareness training for your entire organization — not a one-time checkbox, but an ongoing program with realistic phishing simulations and measurable outcomes.
How to Defend Against Phishing Attacks
Technical controls matter, but they aren't enough. Email filters catch a lot, but sophisticated phishing emails routinely bypass them. Here's a layered approach that actually works.
Build a Human Firewall
Your employees are the primary target, so they need to be the primary defense. Regular security awareness training — with hands-on phishing simulation exercises — reduces click rates dramatically. CISA's guidance on avoiding phishing and social engineering is a solid starting resource, but your team needs practical, repeated exposure to realistic phishing scenarios to build lasting habits.
If you're looking to build that capability, our cybersecurity awareness training program covers phishing recognition, reporting procedures, and safe email habits in a format designed for busy teams.
Implement Multi-Factor Authentication Everywhere
MFA will not stop all phishing. A code typed into a page or a push prompt approved on a phone can be relayed in real time by an adversary-in-the-middle kit, so the second factor lands in the attacker's session. It still stops the vast majority of credential theft from being immediately exploitable, because a password alone is no longer enough. Deploy MFA on email, VPN, cloud applications and any system with access to sensitive data, and move administrators, finance staff and executives to phishing-resistant factors (FIDO2/WebAuthn security keys or platform authenticators, or smart cards), which bind the login to the site's origin so a relayed challenge is rejected. Where push approval remains, turn on number matching to blunt push-fatigue prompts.
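An added example, not from the original article, of why the relay attack works against a one-time code but not against a FIDO2 credential. It simulates both sides of a WebAuthn assertion with a stand-in signature (HMAC under a shared key, an assumption made to keep it to the standard library; real authenticators use a per-credential key pair) next to a real RFC 6238 TOTP computation. Origins and identifiers are constructed.

```python
"""Why an adversary-in-the-middle relay captures a one-time code but not a FIDO2 login.

Added example, not code from the original article. The authenticator's ECDSA key
pair is replaced by an HMAC under a shared key (assumption, to stay stdlib-only);
the origin-binding check is the point, and it is the same check real WebAuthn makes.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                     # constructed relying party
RP_ORIGIN = "https://login.example.com"         # origin the RP expects to see in client data
PHISH_ORIGIN = "https://login-examp1e.com"      # constructed attacker proxy site
CREDENTIAL_KEY = secrets.token_bytes(32)        # stand-in for the credential's key pair


def authenticator_sign(challenge: bytes, browser_origin: str) -> dict:
    """Browser + authenticator side. The browser fills in the origin it is actually
    connected to; the user cannot alter it, and the authenticator signs over its hash."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"   # rpIdHash || flags (simplified)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(CREDENTIAL_KEY, to_sign, "sha256").digest()}


def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party side: the checks WebAuthn requires before accepting an assertion."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:           # origin binding: this is what defeats the relay
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, "sha256").digest()
    return hmac.compare_digest(expected, assertion["sig"])


def legitimate_login() -> bool:
    challenge = secrets.token_bytes(32)
    return rp_verify(authenticator_sign(challenge, RP_ORIGIN), challenge)


def relayed_fido2_login() -> bool:
    """AitM kit: the attacker opens a session with the real RP, forwards its challenge to
    the victim's browser on the phishing origin, then replays the signed assertion."""
    challenge = secrets.token_bytes(32)                  # issued by the RP to the attacker's session
    assertion = authenticator_sign(challenge, PHISH_ORIGIN)
    return rp_verify(assertion, challenge)               # rejected: origin mismatch


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for a given 30-second counter (HMAC-SHA1 plus dynamic truncation)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), "sha1").digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def relayed_totp_login() -> bool:
    """The same kit against a TOTP user: the code carries no notion of where it was typed,
    so the attacker relays it to the real RP inside the 30-second window and it is accepted."""
    secret = secrets.token_bytes(20)
    counter = 1_615_000_000 // 30                         # fixed timestamp for reproducibility
    typed_into_phishing_page = totp(secret, counter)
    return typed_into_phishing_page == totp(secret, counter)   # accepted: nothing to bind it to


if __name__ == "__main__":
    print("FIDO2 on the real site   :", legitimate_login())       # True
    print("FIDO2 through the proxy  :", relayed_fido2_login())    # False
    print("TOTP through the proxy   :", relayed_totp_login())     # True
```

The only difference between the two FIDO2 runs is the origin string the browser wrote into client data, and that string is under the browser's control, not the user's, so no amount of convincing page design changes it.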
Deploy Email Authentication Protocols
SPF, DKIM and DMARC are no longer optional. SPF publishes which hosts may send mail for your domain, DKIM signs each message so receivers can verify it came from a holder of your signing key and was not altered, and DMARC ties the two to the visible From address and tells receivers what to do when neither aligns. A DMARC policy in enforcement mode (p=quarantine or p=reject) blocks exact spoofs of your domain before they reach your users, and the aggregate reports show you who is spoofing you. Two caveats: DMARC only protects the domains you publish it for, so lookalike registrations and mail from a compromised partner account pass cleanly, and moving to p=reject without first inventorying every legitimate sender (marketing platforms, ticketing systems, subdomains with their own mail) will silently drop your own mail. Yet in 2021 a surprising number of organizations still have no policy, or sit at p=none indefinitely.
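Added here as an example (not the article's own code) of how a receiving mail server turns SPF and DKIM results into a DMARC disposition, including the alignment and subdomain-policy rules that trip people up. The DNS records, domains and authentication results are constructed; the organizational-domain logic is a two-label simplification without a public suffix list.

```python
"""Evaluate DMARC for a message the way a receiving MTA does.

Added example, not code from the original article. Domains, DNS records and
authentication results are constructed; organizational-domain logic assumes
plain two-label domains (no public suffix list).
"""
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com",
    "_dmarc.examp1e.com": "v=DMARC1; p=none",     # the attacker publishes a record for the lookalike
}


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'dmarc1', 'p': 'reject', 'adkim': 's', 'aspf': 'r'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    tags.setdefault("adkim", "r")      # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict: identical domains. Relaxed: same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(msg: dict) -> str:
    """msg = {'from': From header value,
              'spf': ('pass'|'fail', envelope-from domain) or None,
              'dkim': [('pass'|'fail', d= domain), ...]}
    Returns 'pass', or the policy action 'none' / 'quarantine' / 'reject', or 'no-policy'."""
    from_domain = parseaddr(msg["from"])[1].rpartition("@")[2].lower()
    record = DNS_TXT.get(f"_dmarc.{from_domain}")
    policy_tag = "p"
    if record is None:                                   # fall back to the organizational domain
        record = DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}")
        policy_tag = "sp"                                # its subdomain policy applies, if published
    if record is None:
        return "no-policy"
    pol = parse_dmarc(record)
    spf = msg.get("spf")
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, pol["aspf"])
    dkim_ok = any(result == "pass" and aligned(d, from_domain, pol["adkim"])
                  for result, d in msg.get("dkim", []))
    if spf_ok or dkim_ok:                                # one aligned pass is enough
        return "pass"
    return pol.get(policy_tag, pol["p"])


if __name__ == "__main__":
    samples = {
        "exact spoof of example.com via a bulk mailer":
            {"from": '"Finance" <finance@example.com>', "spf": ("pass", "bulk-mailer.attacker.example"), "dkim": []},
        "legitimate mail signed by example.com":
            {"from": "finance@example.com", "spf": ("pass", "mail.example.com"), "dkim": [("pass", "example.com")]},
        "third-party sender, subdomain DKIM under adkim=s":
            {"from": "finance@example.com", "spf": ("pass", "thirdparty.example"), "dkim": [("pass", "mail.example.com")]},
        "lookalike domain with its own SPF":
            {"from": "support@examp1e.com", "spf": ("pass", "examp1e.com"), "dkim": []},
    }
    for label, msg in samples.items():
        print(f"{label:50} -> {dmarc_disposition(msg)}")
```

The third sample is the one that bites during rollout: a vendor signing with a subdomain key is perfectly legitimate, but under adkim=s it fails alignment and gets rejected. The fourth shows the limit of the control; the lookalike passes because the attacker owns that domain and its records.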
Adopt a Zero Trust Mindset
Zero trust means no user or device is automatically trusted, even inside the network. Every access request is verified. This limits the blast radius when phishing does succeed — a compromised account can't automatically move laterally through your entire environment. Network segmentation, least-privilege access, and continuous monitoring are all zero trust fundamentals.
Establish Clear Reporting Procedures
Most employees who suspect a phishing email don't report it. They just delete it. That's a missed opportunity. You need a one-click reporting mechanism — a button in the email client — and a culture that rewards reporting rather than punishing mistakes. Every reported phishing email is intelligence your security team can act on.
What Should You Do If You Clicked a Phishing Link?
This is the question I get asked more than any other, so here's the direct answer.
Step 1: Disconnect from the network immediately. If you're on Wi-Fi, turn it off. If you're plugged in, pull the cable. This limits the attacker's ability to move through your network. One caveat: if all you did was type credentials into a web page, the urgent item is the credential in step 2, and your security team may prefer the device stay powered on and connected so their endpoint tooling can collect evidence; follow their instructions if you can reach them.
Step 2: Change your credentials, from a different, clean device. Start with the account that was targeted, then change passwords for any other account that uses the same or a similar password. Ask IT to revoke active sessions and refresh tokens as well: a session cookie captured by a relay kit stays valid after a password change unless it is explicitly invalidated. Check the account for newly added MFA methods and mail forwarding rules while you are there.
Step 3: Report the incident to your IT or security team. Give them the email, the link you clicked, and a timeline of what happened. Speed matters here.
Step 4: Monitor your accounts for unusual activity. Watch for unauthorized logins, password reset requests you didn't initiate, or unfamiliar devices added to your accounts.
Step 5: If corporate data may have been exposed, your organization may have legal notification obligations. Loop in your compliance or legal team early.
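Step 4 from the security team's side, as an added example that is not part of the original article: given the reporter's click time, build a baseline of the countries and devices the user normally signs in from, then flag anything new in the window afterwards plus the audit events that typically follow a credential theft (new MFA method, inbox rules, consent grants). The log events and field names are constructed and only loosely modelled on cloud identity sign-in and audit logs.

```python
"""Triage a user's identity log after a reported phishing click.

Added example, not code from the original article. The events are constructed
and loosely modelled on cloud sign-in and audit logs; field names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed log: a baseline of normal activity, then what a hijacked account looks like.
EVENTS = [
    {"ts": "2021-03-01T09:02:00", "user": "j.doe", "type": "signin", "result": "success", "country": "US", "device_id": "LAPTOP-JD01"},
    {"ts": "2021-03-05T08:47:00", "user": "j.doe", "type": "signin", "result": "success", "country": "US", "device_id": "LAPTOP-JD01"},
    {"ts": "2021-03-10T08:05:00", "user": "j.doe", "type": "signin", "result": "success", "country": "US", "device_id": "LAPTOP-JD01"},
    {"ts": "2021-03-10T08:21:00", "user": "j.doe", "type": "signin", "result": "failure", "country": "NG", "device_id": "UNKNOWN-7F3A"},
    {"ts": "2021-03-10T08:22:00", "user": "j.doe", "type": "signin", "result": "success", "country": "NG", "device_id": "UNKNOWN-7F3A"},
    {"ts": "2021-03-10T08:26:00", "user": "j.doe", "type": "inbox_rule_created", "detail": "move mail containing 'invoice' to RSS Feeds and mark read"},
    {"ts": "2021-03-10T09:00:00", "user": "j.doe", "type": "signin", "result": "success", "country": "US", "device_id": "LAPTOP-JD01"},
    {"ts": "2021-03-10T09:30:00", "user": "a.smith", "type": "signin", "result": "success", "country": "DE", "device_id": "LAPTOP-AS22"},
]

# Audit events that commonly follow a credential theft and are worth raising on their own.
AUDIT_TYPES = {"password_reset", "mfa_method_added", "inbox_rule_created", "oauth_consent_granted"}


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def baseline(events, user, before):
    """Countries and devices the user signed in from successfully before the click."""
    countries, devices = set(), set()
    for e in events:
        if (e["user"] == user and e["type"] == "signin" and e["result"] == "success"
                and parse_ts(e["ts"]) < before):
            countries.add(e["country"])
            devices.add(e["device_id"])
    return countries, devices


def triage(events, user, click_time, window_hours=72):
    """Return (timestamp, reason) alerts for the user in the window after the click."""
    click = parse_ts(click_time)
    end = click + timedelta(hours=window_hours)
    countries, devices = baseline(events, user, click)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):      # ISO timestamps sort lexically
        t = parse_ts(e["ts"])
        if e["user"] != user or not (click <= t <= end):
            continue
        if e["type"] == "signin" and e["result"] == "success":
            if e["country"] not in countries:
                alerts.append((e["ts"], f"successful sign-in from new country {e['country']}"))
            if e["device_id"] not in devices:
                alerts.append((e["ts"], f"successful sign-in from new device {e['device_id']}"))
        elif e["type"] in AUDIT_TYPES:
            alerts.append((e["ts"], f"{e['type']}: {e.get('detail', '')}".rstrip(": ")))
    return alerts


if __name__ == "__main__":
    for ts, reason in triage(EVENTS, "j.doe", "2021-03-10T08:10:00"):
        print(ts, reason)
```

The inbox rule is the one to act on first: hiding invoice-related mail is how a BEC actor keeps the victim from noticing the payment-diversion conversation that follows. A real deployment would pull the baseline from thirty days of sign-in logs and key on ISP and ASN as well as country.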
Phishing Is a People Problem That Demands a People Solution
Every firewall, email gateway, and endpoint protection tool in your stack can be bypassed by a well-crafted phishing email and one distracted employee. I've seen it happen to Fortune 500 companies and to ten-person startups alike.
The organizations that beat phishing are the ones that treat security awareness as an ongoing discipline — not an annual compliance exercise. They run regular phishing simulations. They train employees to recognize social engineering tactics. They build a culture where reporting a suspicious email is celebrated, not stigmatized.
If your organization hasn't invested in structured phishing awareness training, 2021 is the year to start. The threat actors aren't slowing down. Your defenses shouldn't either.