A Single Email Cost This Company $100 Million
In 2017, a Lithuanian man tricked Google and Facebook employees into wiring over $100 million to bank accounts he controlled. His weapon wasn't malware. It wasn't a zero-day exploit. It was email. He sent invoices that looked like they came from a legitimate hardware vendor, and people paid them. That's phishing at scale — and it worked against two of the most technically sophisticated companies on the planet.
So what is phishing, exactly? It's a social engineering attack where a threat actor impersonates a trusted entity to trick you into handing over credentials, financial information, or access. It's the most common initial attack vector in data breaches worldwide, and it's not slowing down.
I've spent years watching organizations get hit by these attacks, and the pattern is always the same: someone clicks something they shouldn't have, and everything unravels from there. This post breaks down how phishing actually works, what forms it takes, why your team is vulnerable, and what you can do about it starting today.
What Is Phishing? The Straight Answer
Phishing is a cyberattack that uses deceptive messages — usually email — to manipulate people into revealing sensitive information, clicking malicious links, or downloading malware. The attacker pretends to be someone the victim trusts: a bank, a boss, a vendor, a cloud service provider.
The term dates back to the mid-1990s, when attackers "fished" for AOL passwords using spoofed messages. The concept hasn't changed much since then. The sophistication has.
According to the Verizon Data Breach Investigations Report, phishing and pretexting together account for the vast majority of social engineering incidents. The FBI's Internet Crime Complaint Center (IC3) consistently ranks phishing as the most reported cybercrime category, with hundreds of thousands of complaints filed each year.
The Five Flavors of Phishing You'll Actually Encounter
1. Email Phishing (The Classic)
Bulk emails sent to thousands or millions of people. They mimic brands like Microsoft, Amazon, or your bank. The goal is usually credential theft — get you to log in to a fake portal so the attacker captures your username and password.
2. Spear Phishing (The Targeted Strike)
This is phishing aimed at a specific person or organization. The attacker researches you. They know your name, your role, your recent projects. The email feels personal because it is. Spear phishing is how most serious data breaches start.
3. Whaling (Going After the C-Suite)
A subset of spear phishing that targets executives. CFOs get fake wire transfer requests. CEOs get spoofed board communications. The stakes are enormous because these people have the authority to move money and approve access.
4. Smishing and Vishing (Beyond Email)
Smishing uses SMS text messages. Vishing uses voice calls. That "fraud alert" text from your bank? Possibly smishing. That call from "IT support" asking for your password? Classic vishing. These channels bypass email security filters entirely.
5. Business Email Compromise (BEC)
The threat actor either spoofs or actually compromises a legitimate business email account, then uses it to request payments, redirect invoices, or steal data. BEC attacks caused over $2.7 billion in reported losses in a single year according to FBI IC3 data. It's the most financially devastating form of phishing.
Why Phishing Still Works in 2026
I hear this all the time: "Our employees are smart. They wouldn't fall for that." Then I run a phishing simulation and 15-30% of the organization clicks the link. Every single time.
Here's why phishing keeps winning:
- Emotional manipulation: Attackers create urgency, fear, or curiosity. "Your account will be locked in 24 hours" bypasses rational thinking.
- Visual perfection: Modern phishing sites are pixel-perfect clones of real login pages. Your employees can't spot the difference visually.
- Contextual timing: Attackers send fake shipping notifications during holiday seasons, fake tax documents in April, and fake HR communications during open enrollment.
- AI-generated content: Generative AI has eliminated the grammar mistakes and awkward phrasing that used to be reliable red flags. Phishing emails in 2026 read like professional communications.
- Volume: If an attacker sends 10,000 emails and only 1% click, that's 100 compromised accounts. The math always favors the attacker.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was one of the most common initial attack vectors. For small and mid-sized businesses, a single successful phishing attack can mean ransomware deployment, operational shutdown, regulatory fines, and reputational damage that takes years to repair.
And here's what keeps me up at night: the breach usually isn't detected for months. The attacker gets in through a phished credential, moves laterally, escalates privileges, and exfiltrates data — all while your team thinks everything is fine.
What Actually Stops Phishing Attacks
No single control stops phishing. You need layers. Here's what I recommend based on what I've seen work in real organizations.
Multi-Factor Authentication Is Non-Negotiable
Even when an employee hands over their password to a phishing site, multi-factor authentication (MFA) can block the attacker from logging in. Implement phishing-resistant MFA — hardware keys or passkeys — wherever possible. SMS-based MFA is better than nothing but vulnerable to SIM swapping.
Email Filtering and DMARC
Deploy email security gateways that scan links and attachments. Implement DMARC, DKIM, and SPF to prevent domain spoofing. CISA has pushed hard for DMARC adoption across government and critical infrastructure — your organization should follow suit.
Zero Trust Architecture
Stop trusting devices and users just because they're inside your network perimeter. Zero trust means verifying every access request, every time. If a phished credential gets used from an unfamiliar device or location, zero trust policies can flag and block the attempt.
Ongoing Security Awareness Training
This is where most organizations fail. They do a one-time training during onboarding and never revisit it. That doesn't work. Phishing tactics evolve constantly, and your training has to keep pace.
Regular phishing simulation campaigns — where you send realistic test phishing emails to your own employees — are the most effective way to build muscle memory. People who experience a simulated attack and get immediate feedback learn faster than people who sit through a slide deck.
If you're looking to build a structured program, our phishing awareness training for organizations provides realistic simulations and targeted education that actually changes behavior. For broader foundational training across your workforce, our cybersecurity awareness training program covers phishing alongside other critical threats like ransomware, credential theft, and social engineering.
How to Spot a Phishing Email: The Quick Checklist
Train your people to check these things before clicking anything:
- Sender address: Does the domain match the real organization? Look closely — "rnicrosoft.com" is not "microsoft.com."
- Urgency and threats: "Act now or your account will be suspended" is a manipulation tactic, not standard business communication.
- Links before clicking: Hover over any link. Does the URL match the claimed destination? If not, don't click.
- Unexpected attachments: You didn't request a document? Don't open it. Verify with the sender through a separate channel.
- Requests for credentials or payments: Legitimate organizations don't ask for passwords via email. Period.
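To show how the sender-address, urgency and link checks above can be applied mechanically, here is an added example (not code from the original post) that runs them over a constructed HTML message and reports each red flag; the regex-based anchor matching is deliberately simple, and the link check only fires when the visible link text itself looks like a URL.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Character sequences that read as another letter in many fonts ("rn" looks like "m").
LOOKALIKES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
URGENCY = re.compile(r"\b(act now|immediately|within \d+ hours|suspended|locked)\b", re.I)
# Simple anchor-tag matcher for demo bodies; a real gateway would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def fold_lookalikes(domain: str) -> str:
    """Collapse lookalike sequences so 'rnicrosoft.com' folds to 'microsoft.com'."""
    d = domain.lower()
    for fake, real in LOOKALIKES.items():
        d = d.replace(fake, real)
    return d

def check_email(raw: str, trusted_domains: set) -> list:
    """Apply the checklist to one raw message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    folded_trusted = {fold_lookalikes(d) for d in trusted_domains}
    if sender_domain not in trusted_domains and fold_lookalikes(sender_domain) in folded_trusted:
        findings.append(f"sender domain {sender_domain} is a lookalike of a trusted domain")
    body = msg.get_payload()
    if URGENCY.search(body):
        findings.append("body uses urgency or threat language")
    for href, text in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if not URL_LIKE.fullmatch(text):
            continue  # link text such as "click here" claims no destination
        shown = urlparse(text if "://" in text else "//" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings

# Constructed sample message (no real sender, recipient or site).
SAMPLE = """\
From: Microsoft Account Team <security@rnicrosoft.com>
To: user@example.org
Subject: Unusual sign-in activity
Content-Type: text/html

<p>Your account will be locked within 24 hours.</p>
<a href="http://login.verify-rnicrosoft.example/auth">https://login.microsoft.com</a>
"""
```

Calling `check_email(SAMPLE, {"microsoft.com"})` returns three findings, one for each of the checklist items the sample violates.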
What Should You Do If You Clicked?
Speed matters. If you or an employee clicked a phishing link or entered credentials on a suspicious site, here's the immediate playbook:
- Change the compromised password immediately — and any other account where that password was reused.
- Enable MFA on the affected account if it wasn't already active.
- Report it to your IT or security team. No shame, no punishment. Delayed reporting is what turns a phishing click into a full breach.
- Monitor for unusual activity — unexpected login locations, email forwarding rules, or new app authorizations.
- File a report with the FBI's IC3 at ic3.gov if financial loss or sensitive data is involved.
Phishing Isn't Going Away — But You Can Get Ahead of It
Every year, phishing gets more sophisticated. AI-generated lures, deepfake voice calls, and multi-channel attacks are the new normal. The organizations that survive are the ones that treat security awareness as an ongoing discipline, not a checkbox.
You already have firewalls and endpoint protection. That's the baseline. The gap is almost always human. Your people are either your strongest defense or your biggest vulnerability — and the difference comes down to training, practice, and a culture where reporting suspicious messages is encouraged, not punished.
Start building that culture now. Because the next phishing email targeting your organization has probably already been drafted.