In March 2022, Okta confirmed that the Lapsus$ threat actor group had compromised a support engineer's laptop — and the initial access vector was social engineering. A single employee interaction opened the door to a breach that rattled hundreds of downstream customers. If you're asking what phishing is, that incident is the short answer: it's the most common way attackers get inside your organization, and it works far more often than anyone wants to admit.
I've spent years responding to incidents and training teams, and I can tell you this: the technical definition of phishing barely scratches the surface. What matters is understanding how these attacks actually unfold, why they keep working, and what you can do about it starting today.
What Is Phishing, Really?
Phishing is a social engineering attack where a threat actor impersonates a trusted entity — a coworker, a vendor, a bank, your IT department — to trick you into handing over credentials, clicking a malicious link, or downloading malware. It arrives by email, text message (smishing), phone call (vishing), or even direct message on social platforms.
The goal is almost always one of three things: credential theft, malware delivery, or financial fraud. Sometimes all three at once.
According to the 2022 Verizon Data Breach Investigations Report (DBIR), phishing was involved in roughly 36% of all data breaches — up from the year before. That makes it the single most common initial attack vector, ahead of vulnerability exploitation and stolen credentials used independently.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2021 Cost of a Data Breach Report pegged the average cost of a data breach at $4.24 million globally. Phishing-initiated breaches were among the most expensive categories. By the time you factor in incident response, legal costs, regulatory fines, lost customers, and reputational damage, a single successful phishing email can become a multi-million-dollar event.
And it's not just enterprises. The FBI's 2021 Internet Crime Report (IC3) documented over 323,000 phishing complaints — making it the number one reported cybercrime category for the year. Business email compromise (BEC), a sophisticated cousin of phishing, accounted for nearly $2.4 billion in adjusted losses.
These aren't theoretical numbers. They're filed complaints from real organizations and real people.
How a Phishing Attack Actually Works: Step by Step
1. Reconnaissance
Attackers research your organization. They scrape LinkedIn for employee names, titles, and reporting structures. They check your website for vendor relationships, recent press releases, and executive bios. The more targeted the phishing (called spear phishing), the more homework they do.
2. The Lure
The attacker crafts a message designed to trigger urgency, curiosity, or fear. Common examples include:
- "Your password expires in 24 hours — click here to reset."
- "Invoice #4892 is overdue. Please review the attached document."
- "HR has updated the employee handbook. Sign the acknowledgment form."
- "The CEO needs you to wire funds for an acquisition — keep this confidential."
The sender address might be spoofed, or the attacker may use a lookalike domain — think "yourcompany-hr.com" instead of "yourcompany.com."
3. The Hook
The victim clicks a link and lands on a convincing fake login page, or opens an attachment that executes malicious code. Credential theft happens in seconds. The victim types in their username and password, the page redirects them to the real site, and they never realize anything happened.
4. Exploitation
With stolen credentials, the attacker logs into email, cloud storage, VPN, or financial systems. If multi-factor authentication isn't enabled, there's nothing standing in the way. Even with MFA, sophisticated attackers use real-time proxy tools to capture session tokens.
5. Expansion
Once inside, the attacker moves laterally. They read emails to understand financial processes. They set up mail forwarding rules to intercept future messages. They may deploy ransomware across the network or exfiltrate sensitive data for sale on dark web markets.
The entire kill chain — from email to full network compromise — can take less than an hour.
The Five Types of Phishing You Need to Know
Email Phishing
The classic. Mass-sent emails impersonating brands like Microsoft, Amazon, or DHL. Low effort per target, but massive volume means plenty of victims. These campaigns often use credential harvesting pages that mimic Microsoft 365 or Google Workspace login screens.
Spear Phishing
Targeted attacks aimed at specific individuals. The attacker references real projects, real colleagues, or real events to build trust. Spear phishing is how the majority of high-profile breaches begin — including the 2020 SolarWinds supply chain attack, where carefully crafted emails played a role in early-stage operations.
Whaling
Spear phishing aimed at executives — CFOs, CEOs, board members. The payoff is bigger, so the research is deeper. Whaling emails often impersonate legal counsel, auditors, or fellow executives.
Smishing and Vishing
Phishing via SMS (smishing) or voice calls (vishing). In my experience, vishing is underestimated. A caller claiming to be IT support asking an employee to "verify their credentials" works disturbingly well. The Lapsus$ group reportedly used phone-based social engineering extensively in 2022.
Business Email Compromise (BEC)
The attacker either compromises a real email account or spoofs one, then uses it to request wire transfers, payroll changes, or sensitive data. BEC doesn't always involve malware or malicious links — which is exactly why email filters miss it. It's pure social engineering.
Why Phishing Still Works in 2022
I get this question constantly. With all the security tools available, why does phishing keep succeeding?
Three reasons:
Humans are the attack surface. No firewall blocks an employee who willingly types their password into a fake login page. Attackers know this — they target people, not infrastructure.
Phishing evolves faster than defenses. Attackers now use legitimate cloud services to host phishing pages — Google Forms, Azure Blob Storage, AWS S3 buckets. These URLs pass reputation checks because the hosting domains are trusted.
Organizations underinvest in security awareness. Many companies treat training as a once-a-year compliance checkbox. That's not training — it's theater. Effective security awareness requires ongoing phishing simulation, real-time feedback, and measurable behavior change.
Practical Steps to Defend Against Phishing
Deploy Multi-Factor Authentication Everywhere
MFA won't stop every phishing attack, but it stops the vast majority of credential theft from being immediately useful. Prioritize MFA on email, VPN, cloud applications, and any system that touches financial transactions. Use app-based authenticators or hardware keys — avoid SMS codes when possible.
Run Realistic Phishing Simulations
You can't improve what you don't measure. Regular phishing simulations show you which employees click, which departments are most vulnerable, and whether your training is actually working. Our phishing awareness training for organizations includes simulation tools and reporting that give you hard data instead of assumptions.
Implement Email Authentication Protocols
Configure SPF, DKIM, and DMARC for your domain. These protocols help receiving mail servers verify that messages claiming to be from your domain are legitimate. DMARC in enforcement mode (p=reject) dramatically reduces the chance of your domain being spoofed in attacks against your partners and customers. CISA's Binding Operational Directive 18-01 required federal agencies to implement DMARC — your organization should too.
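As an added example (not from the original post), the following Python checks a domain's published DMARC record against the enforcement posture described above: it parses the tag=value list and reports why a record such as p=none or a partial pct= rollout will not stop spoofing. The records and domain names are constructed for illustration.

```python
# Constructed sample DMARC TXT records (the domains are placeholders, not real
# lookups). A DMARC record is published at _dmarc.<domain> as "tag=value; ...".
SAMPLE_DMARC_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strong.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    "missing.example": "",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return findings explaining why the record does not fully enforce; [] means it does."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record published: receivers cannot reject spoofed mail"]
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected (need p=reject)")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    # Subdomain policy (sp=) falls back to the domain policy when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so failures go unseen")
    return findings

def is_enforcing(record):
    """True only when the record rejects spoofed mail for the domain and its subdomains."""
    return assess_dmarc(record) == []
```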
Train Continuously, Not Annually
Annual security awareness training is the bare minimum, and the bare minimum isn't enough. Effective programs deliver short, frequent training modules throughout the year. They tie training to simulated phishing results so employees learn from their own mistakes. Our cybersecurity awareness training program is built around this continuous learning model — practical content delivered in digestible sessions, not a four-hour slideshow once a year.
Adopt Zero Trust Principles
Zero trust means verifying every access request regardless of whether it comes from inside or outside your network perimeter. If an attacker steals credentials via phishing, zero trust architecture limits what those credentials can access. Microsegmentation, least-privilege access, and continuous authentication all reduce the blast radius of a compromised account.
Establish a Clear Reporting Process
Your employees need to know exactly what to do when they receive a suspicious message. Make reporting easy — a one-click button in the email client, a dedicated Slack channel, a specific email address like [email protected]. Then actually respond when people report. Nothing kills a reporting culture faster than silence.
How Do You Spot a Phishing Email?
This is the question I hear most from employees, so here's a concise answer designed for quick reference:
- Check the sender address carefully. Hover over the display name. Look for misspellings or unusual domains.
- Look for urgency or threats. "Your account will be locked," "Immediate action required," and "You have 24 hours" are classic pressure tactics.
- Hover over links before clicking. Does the URL match the claimed destination? Does it use HTTP instead of HTTPS? Is there a subtle misspelling?
- Be suspicious of unexpected attachments. Especially .zip, .exe, .docm, or .html files from people you weren't expecting to hear from.
- Verify out-of-band. If your "CEO" emails asking for a wire transfer, pick up the phone and call them directly. Use a known number, not one from the email.
- Trust your instinct. If something feels off, it probably is. Report it.
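To show how the checklist above translates into something a mail-security team can automate, here is an added Python example (not code from the original post) that triages a raw message for the indicators listed: a lookalike sender domain, urgency wording, plain-HTTP or lookalike links, and risky attachment types. The organization domain and the sample message are constructed assumptions.

```python
import email
import email.utils
import re

ORG_DOMAIN = "yourcompany.com"  # assumed: the defender's own domain
URGENCY = ("24 hours", "immediate action", "account will be locked", "overdue")
RISKY_EXT = (".zip", ".exe", ".docm", ".html", ".htm")
# Constructed sample modelled on the lures in this post (not a real message).
SAMPLE_EMAIL = """\
From: "IT Support" <helpdesk@yourcompany-hr.com>
Subject: Your password expires in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Immediate action required: reset here http://yourcompany-hr.com/reset
--b1
Content-Type: application/octet-stream; name="handbook.docm"
Content-Disposition: attachment; filename="handbook.docm"

AAAA
--b1--
"""

def lookalike(domain, org):
    """True for a domain that embeds the org name but is neither the org nor a subdomain of it."""
    if domain == org or domain.endswith("." + org):
        return False
    return org.split(".")[0] in domain

def triage(raw, org=ORG_DOMAIN):
    """Return the indicators found in a raw RFC 822 message; an empty list means none fired."""
    msg = email.message_from_string(raw)
    findings = []
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if lookalike(sender_domain, org):
        findings.append(f"sender domain {sender_domain} looks like {org} but is not it")
    text = msg.get("Subject", "")
    for part in msg.walk():  # every MIME part, attachments included
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment type: {fname}")
        elif part.get_content_type() == "text/plain":
            text += "\n" + part.get_payload(decode=True).decode("utf-8", "replace")
    hits = [p for p in URGENCY if p in text.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        if url.startswith("http://"):
            findings.append(f"plain-HTTP link: {url}")
        if lookalike(url.split("/")[2].lower(), org):
            findings.append(f"link host {url.split('/')[2]} looks like {org}")
    return findings
```

Scores like these are a triage aid for a reporting mailbox, not a verdict; a message with no findings can still be a BEC lure that relies on a compromised real account.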
The Real Cost of Doing Nothing
Here's what I've seen play out dozens of times: an organization assumes their spam filter handles phishing. An employee clicks a link. Credentials are harvested. The attacker sits in the email system for weeks, studying financial processes. Then they execute a BEC attack — redirecting a $380,000 vendor payment to a mule account. By the time anyone notices, the money is gone.
That scenario isn't hypothetical. It's a composite of real cases I've been involved in, and it matches patterns the FBI IC3 documents year after year.
The organizations that avoid this outcome share a few traits: they train their people consistently, they test with realistic phishing simulations, they enforce MFA, and they treat security awareness as a business priority — not a compliance afterthought.
Your Next Move
If you've read this far, you already understand that phishing is the front door for most cyberattacks. The question isn't whether your organization will be targeted — you already are. The question is whether your people will recognize the attack when it lands in their inbox.
Start building that muscle now. Explore our phishing awareness training to deploy simulations and targeted education across your team. And if you need a broader foundation, our cybersecurity awareness training covers the full threat landscape — from ransomware to credential theft to social engineering tactics that go beyond email.
Phishing isn't going away. But your vulnerability to it can shrink dramatically with the right approach.