In 2023, the FBI's Internet Crime Complaint Center received over 298,000 phishing complaints — making it the most reported cybercrime for the fifth consecutive year. And those are just the ones people reported. I've spent years helping organizations respond to breaches, and the vast majority start the same way: someone clicked a link they shouldn't have. So if you're asking what phishing is, you're asking the right question — because understanding this single attack vector could prevent most of the security incidents your organization will ever face.

This isn't a glossary entry. I'm going to walk you through how phishing actually works in the real world, the variants you need to watch for, why technical controls alone won't save you, and the specific steps that actually reduce your risk.

What Is Phishing, Really?

Phishing is a social engineering attack where a threat actor impersonates a trusted entity — your bank, your boss, a vendor, Microsoft — to trick you into handing over credentials, installing malware, or transferring money. It typically arrives by email, but it also shows up via text messages (smishing), phone calls (vishing), and even QR codes.

The key mechanism isn't technical sophistication. It's psychological manipulation. The attacker creates urgency, authority, or fear to short-circuit your critical thinking. "Your account will be locked in 24 hours." "The CEO needs this wire transfer before end of day." "HR has shared your updated benefits package."

I've reviewed thousands of phishing emails in incident response engagements. The ones that succeed almost never look like the Nigerian prince scams people joke about. They look like Tuesday morning.

The $4.88M Lesson Most Organizations Learn Too Late

According to IBM's 2024 Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million. Phishing was consistently among the top initial attack vectors. The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches, with phishing and pretexting (social engineering) dominating that category.

These aren't abstract numbers. I've watched a 200-person company lose six figures in a single business email compromise because an accounts payable clerk followed instructions that appeared to come from the CFO. The email was a phishing message. The "CFO" was a threat actor using a lookalike domain — one letter off from the real thing.

The damage goes beyond the immediate financial loss. Regulatory penalties, legal fees, customer notification costs, and reputational harm compound quickly. The FTC has taken enforcement action against companies that failed to implement reasonable security measures, including adequate employee training around phishing threats.

The 5 Phishing Variants You'll Actually Encounter

1. Email Phishing (Bulk)

This is the classic. A threat actor sends thousands or millions of emails with a malicious link or attachment. They're casting a wide net. The emails impersonate brands like Microsoft, Amazon, DHL, or DocuSign. According to CISA's threat advisories, these campaigns frequently exploit current events — tax season, pandemic relief, shipping delays — to increase click rates.

2. Spear Phishing

Targeted phishing aimed at a specific individual or organization. The attacker does reconnaissance — LinkedIn profiles, company websites, social media — to craft a convincing, personalized message. This is how most high-value breaches begin. The 2020 Twitter breach started with spear phishing phone calls to employees.

3. Business Email Compromise (BEC)

The FBI's IC3 reported that BEC caused over $2.9 billion in losses in 2023 alone. The attacker either compromises or spoofs an executive's email account and instructs someone to wire funds, change payment details, or share sensitive data. No malware required — just trust and urgency.

4. Smishing and Vishing

Smishing (phishing via SMS) and vishing (phishing via voice calls) are surging. You've probably received a fake "USPS delivery" text or a call claiming to be from your bank's fraud department. These attacks bypass email security controls entirely, which is why organizations need security awareness training that covers more than just email.

5. Quishing (QR Code Phishing)

A newer variant where threat actors embed malicious URLs in QR codes — on printed flyers, in emails, even on fake parking meter stickers. When scanned, the code directs to a credential theft page. I started seeing these in real incident reports in 2023, and they've escalated since.

Why Your Spam Filter Isn't Enough

I hear this constantly: "We have email security, so we're covered." Here's what actually happens. Modern phishing campaigns use legitimate services — Google Docs, SharePoint, Dropbox — to host malicious content. Your email gateway sees a link to google.com and lets it through. The credential harvesting page lives behind that legitimate URL.

Threat actors also rotate domains rapidly, use HTTPS (so the padlock icon means nothing), and craft emails that pass SPF, DKIM, and DMARC checks by using compromised accounts at real organizations. Technical controls catch a lot, but they'll never catch everything.

This is why a layered defense — combining email filtering, multi-factor authentication, endpoint detection, and trained humans — is the only approach that works. The NIST Cybersecurity Framework explicitly calls for security awareness and training as a core protective measure. Not optional. Core.

What Makes People Click? The Psychology of Phishing

I've run hundreds of phishing simulations for clients. The emails that get the highest click rates share three traits:

  • Authority: The message appears to come from someone with power — a CEO, IT department, or government agency. People comply with authority figures without questioning.
  • Urgency: "Your password expires in 2 hours." "This invoice is past due." Time pressure kills critical thinking.
  • Relevance: The message aligns with something the target expects. During open enrollment season, a fake benefits email gets clicked at 3-4x the normal rate.

Attackers aren't stupid. They study human behavior. Your defense needs to account for that by building a workforce that recognizes manipulation tactics — not just suspicious links. Comprehensive phishing awareness training for organizations teaches employees to spot these psychological triggers before they react.

How a Phishing Attack Actually Unfolds — Step by Step

Here's a realistic scenario I've reconstructed from dozens of incidents:

Step 1: The attacker registers a domain like "m1crosoft-security.com" and sets up a login page that's a pixel-perfect copy of Microsoft 365's sign-in screen.

Step 2: They send an email to your accounts team: "Action Required: Unusual sign-in activity on your account. Verify your identity now." The sender address is spoofed or sent from a compromised third-party account.

Step 3: An employee clicks the link, sees a familiar login page, and enters their credentials. The page even redirects them to the real Microsoft 365 dashboard afterward, so nothing seems wrong.

Step 4: The attacker now has valid credentials. If multi-factor authentication isn't enabled, they log in immediately. If MFA is enabled, they may use an adversary-in-the-middle (AiTM) proxy to capture the session token in real time.

Step 5: From inside the mailbox, they set up forwarding rules, search for financial data, and launch internal phishing emails to other employees — now from a legitimate internal address. Trust escalates. The blast radius grows.

This entire sequence can happen in under 30 minutes. I've seen it take less than 10.

7 Practical Steps to Defend Against Phishing

1. Deploy Multi-Factor Authentication Everywhere

MFA is the single most impactful control against credential theft from phishing. It won't stop every attack — AiTM techniques can bypass basic MFA — but it eliminates the vast majority. Prioritize phishing-resistant MFA methods like FIDO2 security keys where possible.

2. Run Regular Phishing Simulations

You can't improve what you don't measure. Conduct phishing simulations monthly, vary the scenarios, and track click rates and reporting rates over time. The goal isn't to punish people who click. It's to build muscle memory. Organizations that run consistent simulations see measurable reductions in real phishing success rates.

3. Train Employees — But Make It Practical

Annual compliance videos don't change behavior. Effective security awareness training is frequent, scenario-based, and relevant to each employee's role. Your finance team faces different phishing threats than your engineering team. Programs like the cybersecurity awareness training at computersecurity.us are built around real-world attack scenarios, not abstract theory.

4. Implement a Zero Trust Architecture

Zero trust means no user, device, or connection is trusted by default — even inside your network. This limits what an attacker can do even if they successfully phish one employee. Microsegmentation, least-privilege access, and continuous verification are the pillars.

5. Enable Email Authentication Protocols

Configure SPF, DKIM, and DMARC for your domains. Set your DMARC policy to "reject" — not just "monitor." This prevents attackers from sending emails that appear to come from your domain. It won't stop all phishing, but it protects your brand from being weaponized against your own employees and customers.
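To see the difference between a "monitor" and a "reject" DMARC policy concretely, here is an added example (my own illustration, not code from the original post) that parses a DMARC TXT record and lists what an attacker could still get away with. Both records are constructed samples and the report mailbox is a placeholder.

```python
# Added example, not from the original post: parse a DMARC TXT record and list
# the reasons it would still let spoofed mail reach inboxes. Both records below
# are constructed samples; the mailbox address is a placeholder.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("pct", "100")          # default: apply policy to all failing mail
    tags.setdefault("adkim", "r")          # default: relaxed DKIM alignment
    tags.setdefault("aspf", "r")           # default: relaxed SPF alignment
    tags.setdefault("sp", tags.get("p"))   # subdomain policy inherits p when absent
    return tags

def assess_dmarc(record: str) -> list:
    """Return findings a defender should fix; an empty list means the record enforces."""
    t = parse_dmarc(record)
    findings = []
    policy = t.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    if t["sp"] not in ("quarantine", "reject"):
        findings.append(f"sp={t['sp']}: subdomains of yours can still be spoofed")
    if int(t["pct"]) < 100:
        findings.append(f"pct={t['pct']}: policy applied to only {t['pct']}% of failing mail")
    if "rua" not in t:
        findings.append("no rua tag: no aggregate reports, so spoofing attempts go unseen")
    return findings

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(rec) or ["enforcing"])
```

Run it against the output of `dig TXT _dmarc.yourdomain.com` to see where your own record stands.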

6. Create a Reporting Culture

Make it dead simple for employees to report suspicious emails — a one-click button in their email client. Then actually respond to those reports quickly. When people see that reporting leads to action, they report more. When they see nothing happen, they stop.

7. Monitor for Lookalike Domains

Threat actors register domains that look like yours — one transposed letter, a hyphen added, a different TLD. Use domain monitoring services to detect these registrations early. When you find one, report it and get it taken down before it's used in a campaign against your employees or customers.
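If you don't have a commercial monitoring service yet, the core check is simple enough to script. The following is an added example of mine (not from the original post) that screens a list of domains against the brands you protect, covering the patterns named above (swapped or dropped letters, added hyphenated words, a different TLD) plus digit-for-letter homoglyphs like the "m1crosoft-security.com" scenario. The brand and candidate lists are constructed samples.

```python
# Added example, not from the original post: flag domains that imitate a brand
# you protect, covering the three patterns the text names (transposed or swapped
# letters, added hyphenated words, different TLD) plus digit-for-letter homoglyphs.
# Brand and candidate lists are constructed samples.
PROTECTED = ["microsoft.com", "example-bank.com"]
CANDIDATES = ["m1crosoft-security.com", "microsoft.com", "micros0ft.net",
              "microsft.com", "example-bank.co", "examp1e-bank.com", "weather.org"]

# Map characters an attacker swaps in for their look-alikes; None deletes separators.
FOLD = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "!": "i", "3": "e",
                      "5": "s", "$": "s", "7": "t", "@": "a", "-": None, "_": None})

def registrable_label(domain: str) -> str:
    """Naively take the label left of the TLD (use a public-suffix list in practice)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def fold(label: str) -> str:
    """Normalise homoglyphs so 'm1cr0s0ft' and 'microsoft' compare equal."""
    return label.lower().translate(FOLD).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(candidates, protected=PROTECTED, max_distance=1):
    """Return (candidate, imitated brand, reason) for every suspicious candidate."""
    hits = []
    for cand in candidates:
        if cand.lower() in protected:
            continue  # the genuine domain is never a lookalike of itself
        label = registrable_label(cand)
        whole, parts = fold(label), [fold(p) for p in label.split("-")]
        for brand in protected:
            b = fold(registrable_label(brand))
            if whole == b:
                reason = "homoglyph variant or different TLD"
            elif b in parts:
                reason = "brand name combined with extra words"
            elif levenshtein(whole, b) <= max_distance:
                reason = f"edit distance {levenshtein(whole, b)} from brand"
            else:
                continue
            hits.append((cand, brand, reason))
    return hits
```

Feed it newly registered domains from a certificate transparency or zone-file feed and review the hits; a distance of 1 keeps false positives manageable for short brand names.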

What Should You Do If You've Been Phished?

This is the section most guides leave out. Here's exactly what to do:

  • Immediately change your password for the affected account and any account that shares the same credentials. Yes, people still reuse passwords.
  • Revoke active sessions. Changing a password doesn't kick out an attacker who already has an active session token. Force sign-out from all devices.
  • Report the incident to your IT or security team. Speed matters — the faster they know, the faster they can contain the damage.
  • Check for email forwarding rules. Attackers almost always set up mail forwarding or inbox rules to maintain access and hide their activity. Look for rules you didn't create.
  • Report to the FBI's IC3 at ic3.gov if there's a financial loss or if you're a business dealing with BEC.
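The "check for forwarding rules" step, and the persistence described in Step 5 of the scenario above, can be turned into a repeatable triage. Here is an added example of my own (not code from the original post) that scores a mailbox's inbox rules for the patterns an attacker leaves behind. The rule records are constructed samples shaped loosely like Exchange Online `Get-InboxRule` output; the field names and the hiding-folder list are assumptions you should adapt to your tenant.

```python
# Added example, not from the original post: triage a mailbox's inbox rules for the
# patterns left behind after credential theft (step 5 of the scenario above and the
# "check for email forwarding rules" item). The rule records are constructed samples
# shaped loosely like Exchange Online Get-InboxRule output; field names are assumptions.
INTERNAL_DOMAIN = "example.com"
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email"}
SENSITIVE_WORDS = ("invoice", "payment", "wire", "password", "mfa", "verification",
                   "hacked", "phish", "suspicious")

SAMPLE_RULES = [
    {"Name": "Team updates", "ForwardTo": [], "MoveToFolder": "Projects",
     "DeleteMessage": False, "SubjectContainsWords": ["standup"], "MarkAsRead": False},
    {"Name": ".", "ForwardTo": ["ap-backup@mail.example.net"], "MoveToFolder": None,
     "DeleteMessage": False, "SubjectContainsWords": [], "MarkAsRead": True},
    {"Name": "cleanup", "ForwardTo": [], "MoveToFolder": "RSS Subscriptions",
     "DeleteMessage": False, "SubjectContainsWords": ["invoice", "wire"], "MarkAsRead": True},
    {"Name": "Old newsletters", "ForwardTo": [], "MoveToFolder": None,
     "DeleteMessage": True, "SubjectContainsWords": ["newsletter"], "MarkAsRead": False},
]

def rule_findings(rule: dict, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Return human-readable reasons this rule deserves a look; empty means benign."""
    findings = []
    external = [a for a in rule.get("ForwardTo", [])
                if not a.lower().endswith("@" + internal_domain)]
    if external:
        findings.append("forwards mail outside the organisation: " + ", ".join(external))
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        findings.append(f"near-empty rule name {name!r}, a common sign of a rule meant to go unnoticed")
    words = [w.lower() for w in rule.get("SubjectContainsWords", [])]
    hides = bool(rule.get("DeleteMessage")) or \
        (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
    if hides and any(s in w for w in words for s in SENSITIVE_WORDS):
        findings.append("hides messages mentioning " + ", ".join(words)
                        + " so the victim never sees fraud or security alerts")
    if rule.get("MarkAsRead") and (external or hides):
        findings.append("marks matches as read so the new mail is not noticed")
    return findings

def triage(rules, internal_domain=INTERNAL_DOMAIN) -> list:
    """Pair each suspicious rule's name with its findings, preserving mailbox order."""
    out = []
    for rule in rules:
        found = rule_findings(rule, internal_domain)
        if found:
            out.append((rule.get("Name"), found))
    return out
```

Note that the benign "delete newsletters" rule produces no findings: the check keys on what is hidden, not merely on deletion.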

Don't be embarrassed. Sophisticated phishing attacks fool experienced security professionals. The only mistake that matters is not reporting it.

Phishing Isn't Slowing Down — Your Defenses Shouldn't Either

Generative AI has made phishing dramatically more dangerous. Threat actors now use large language models to write flawless phishing emails in any language, at scale, with none of the grammar mistakes that used to be a red flag. Voice cloning technology makes vishing calls almost indistinguishable from real ones. Deepfake video has already been used in at least one documented BEC case where an employee was tricked during a live video call.

The barrier to entry for launching a convincing phishing campaign has never been lower. That means the volume and quality of attacks will only increase. Your organization needs defenses that evolve at the same pace — continuous training, regular phishing simulations, and a security culture where every employee understands they're a target.

Understanding what phishing is only step one. Building an organization that can detect, report, and resist phishing attacks is the real goal. Start with your people — they're both your biggest vulnerability and your strongest defense.