The Email That Cost One Company $121 Million
In 2019, a Lithuanian man was sentenced to five years in prison for phishing Google and Facebook out of over $121 million. He sent fake invoices from a spoofed vendor email address. Employees at two of the most technically sophisticated companies on Earth paid them without question. That's phishing — and if it works on Google, it will work on your organization.
So what is phishing, really? It's not some abstract concept from a cybersecurity textbook. It's the single most common attack method used to breach organizations today, and I've spent over a decade watching it evolve from crude Nigerian prince emails into precision-targeted campaigns that fool experienced professionals.
This guide breaks down how phishing actually works in the real world, the different forms it takes, the damage it causes, and — most critically — what you can do about it starting today.
What Is Phishing? The Real Definition
Phishing is a social engineering attack where a threat actor impersonates a trusted entity to trick you into revealing sensitive information, clicking a malicious link, or taking a harmful action. The "trusted entity" could be your bank, your CEO, Microsoft, the IRS, or a coworker.
The key word is impersonation. Every phishing attack relies on making you believe you're interacting with someone or something legitimate. The attacker doesn't hack your firewall. They hack your judgment.
According to the Verizon Data Breach Investigations Report, phishing is involved in over 36% of all data breaches. The FBI's Internet Crime Complaint Center (IC3) consistently ranks phishing as the most reported cybercrime category, with over 298,000 complaints in a single year.
Why Phishing Works Even on Smart People
I've run phishing simulations for organizations where the CEO clicked the test link within 90 seconds. This isn't about intelligence. It's about psychology.
Phishing exploits specific cognitive biases that every human shares:
- Authority bias: An email appearing to come from your boss or IT department triggers automatic compliance.
- Urgency: "Your account will be locked in 24 hours" short-circuits critical thinking.
- Curiosity: "Your delivery couldn't be completed" makes you click before you think.
- Fear: "Unusual login detected on your account" triggers an emotional response that overrides logic.
Threat actors study these patterns professionally. They A/B test subject lines. They time campaigns for Monday mornings when inboxes are overflowing. They research your company on LinkedIn to craft messages that reference real projects and real colleagues.
The Six Types of Phishing You'll Actually Encounter
1. Email Phishing (Bulk Campaigns)
The most common form. Attackers send thousands or millions of emails impersonating brands like Microsoft, Amazon, or DHL. The goal is usually credential theft — getting you to enter your username and password on a fake login page. These campaigns cast a wide net and rely on volume.
2. Spear Phishing
This is targeted phishing aimed at a specific individual or organization. The attacker researches you beforehand. They might reference your job title, a recent company announcement, or a project you're working on. Spear phishing has a dramatically higher success rate than bulk campaigns because the messages feel personal and relevant.
3. Business Email Compromise (BEC)
The most financially devastating variant. The attacker either spoofs or compromises an executive's email account, then instructs an employee to wire funds or change payment details. The FBI IC3 reports that BEC has caused over $50 billion in losses globally. I've personally helped organizations recover from six-figure BEC losses — and "recover" is a generous word, since the money is rarely returned.
4. Smishing (SMS Phishing)
Phishing via text message. You've probably received one: "USPS: Your package cannot be delivered. Update your address here." Smishing is exploding because people trust text messages more than email, and mobile screens make it harder to inspect URLs before tapping.
5. Vishing (Voice Phishing)
Phone-based phishing. The caller impersonates tech support, your bank, or a government agency. AI-generated voice cloning has made vishing significantly more dangerous — attackers can now replicate a specific person's voice from just a few seconds of audio.
6. Quishing (QR Code Phishing)
A newer tactic gaining traction. Attackers place malicious QR codes on parking meters, restaurant tables, flyers, or even inside phishing emails. Scanning the code redirects you to a credential-harvesting site. QR codes are particularly dangerous because you can't preview the URL before scanning.
Anatomy of a Phishing Attack: Step by Step
Here's what actually happens behind the scenes when a phishing campaign targets your organization:
Step 1: Reconnaissance. The threat actor identifies targets. They scrape LinkedIn for employee names, titles, and email formats. They check your company's website for vendor relationships, technology stack clues, and organizational structure.
Step 2: Infrastructure setup. They register a lookalike domain — maybe "rnicrosoft.com" instead of "microsoft.com" (that's an R-N, not an M). They clone a legitimate login page pixel-for-pixel and set up email servers that pass basic authentication checks.
Step 3: Delivery. The phishing email hits inboxes. It references something timely — a password expiration, a shared document, an invoice. The call to action is clear and urgent.
Step 4: Exploitation. The victim clicks the link and enters credentials on the fake page. Or they open an attachment that drops malware. Or they reply with sensitive information directly.
Step 5: Post-compromise. With stolen credentials, the attacker logs into the real account. They set up email forwarding rules to hide their activity. They move laterally through your network. They exfiltrate data, deploy ransomware, or initiate fraudulent wire transfers.
This entire sequence can take less than an hour from email delivery to full account compromise.
The $4.88M Lesson Most Organizations Learn Too Late
According to IBM's Cost of a Data Breach Report, the global average cost of a data breach in 2024 reached $4.88 million. Phishing was the most common initial attack vector.
But the financial damage is just one dimension. I've watched organizations deal with the aftermath: weeks of incident response, mandatory breach notifications, regulatory investigations, lost customer trust, and executive terminations. One phishing email can trigger all of it.
Small and mid-sized businesses often fare worse proportionally. They lack dedicated security teams, they have fewer technical controls, and a single ransomware event can be existential. The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned that small businesses are disproportionately targeted precisely because attackers know defenses are thinner.
How to Protect Your Organization From Phishing
Deploy Multi-Factor Authentication Everywhere
If an attacker steals credentials through phishing, multi-factor authentication (MFA) is your safety net. It won't stop every attack — adversary-in-the-middle techniques can bypass basic MFA — but it blocks the vast majority of credential theft attempts. Deploy phishing-resistant MFA like FIDO2 security keys wherever possible.
Implement a Zero Trust Architecture
Zero trust means no user or device is trusted by default, even inside your network. Every access request is verified. This limits the blast radius when phishing does succeed. If an attacker compromises one account, zero trust controls prevent them from freely moving through your environment.
Train Your People With Realistic Phishing Simulations
Security awareness training that relies on annual slide decks doesn't work. I've seen the data — click rates barely move. What does work is regular, realistic phishing simulation combined with immediate, contextual feedback when someone falls for a test.
Your employees need to practice recognizing phishing in the context where it actually happens: their inbox. That's why I recommend building a structured phishing awareness training program for your organization that runs ongoing simulations, tracks metrics, and adapts to your specific threat landscape.
Build a Security-First Culture
Technical controls fail without culture. Your employees need to feel safe reporting suspicious emails without fear of looking foolish. Organizations that punish people for clicking phishing links get fewer reports and worse outcomes. Organizations that celebrate reporting get early warnings that stop attacks cold.
If you're building a security awareness program from scratch, a comprehensive cybersecurity awareness training course can give your team the foundational knowledge they need — covering not just phishing, but social engineering, credential hygiene, ransomware prevention, and safe browsing habits.
Harden Your Email Infrastructure
Technical email controls are your first line of defense:
- SPF, DKIM, and DMARC: These email authentication protocols help prevent attackers from spoofing your domain. DMARC in enforcement mode is critical.
- Email filtering and sandboxing: Modern email gateways can detonate attachments in sandboxes and analyze URLs before delivery.
- External email banners: Tag emails from outside your organization with a visible warning. This simple step catches impersonation attempts.
- Disable auto-forwarding to external domains: This blocks a common post-compromise technique.
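Because the SPF/DKIM/DMARC point above turns on whether DMARC is actually in enforcement mode, here is a small added Python audit (written for this edit, not code from the post) that classifies DMARC TXT records the way they are published at _dmarc.<domain>. The records are constructed samples and no DNS query is made; a real audit would fetch the TXT record for each of your domains first.

```python
# Constructed sample TXT records as they would be published at _dmarc.<domain>
# (this example does no DNS lookups; a real audit would fetch these records).
SAMPLE_RECORDS = {
    "monitor.example":   "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "rollout.example":   "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc@rollout.example",
    "subdomain.example": "v=DMARC1; p=reject; sp=none",
    "strict.example":    "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
    "nodmarc.example":   "",
}

def parse_dmarc(record):
    """Split a DMARC record into lower-cased tag -> value pairs (tags are ';' separated)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_status(record):
    """Classify one record: missing, invalid, monitor-only, partial, subdomain-gap, enforced."""
    if not record.strip():
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":                          # receivers only report; spoofed mail still delivered
        return "monitor-only"
    if int(tags.get("pct", "100")) < 100:         # policy applied to a sample of failing mail only
        return "partial"
    if tags.get("sp", policy).lower() == "none":  # subdomains (e.g. hr.example) left unprotected
        return "subdomain-gap"
    return "enforced"

def audit(records):
    """Map each domain to its DMARC status; anything other than 'enforced' needs attention."""
    return {domain: dmarc_status(rec) for domain, rec in records.items()}
```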
Establish a Clear Incident Response Process
When someone reports a phishing email — and they will, if your training works — you need a documented process. Who investigates? How quickly? What's the escalation path? Can you pull the email from all inboxes company-wide within minutes? The NIST Cybersecurity Framework provides excellent guidance for building incident response capabilities.
How to Spot a Phishing Email: Quick Reference
Your employees should know these red flags instinctively:
- Sender mismatch: The display name says "Microsoft Support" but the actual email address is from a random domain.
- Urgency and threats: "Act within 24 hours or your account will be permanently deleted."
- Suspicious links: Hover before clicking. Does the URL match the claimed sender? Look for misspellings, extra subdomains, or unfamiliar top-level domains.
- Unexpected attachments: Especially .zip, .exe, .html, or macro-enabled Office documents from unknown senders.
- Requests for credentials or payment changes: Legitimate organizations rarely ask for passwords via email. Wire transfer changes should always be verified by phone using a known number.
- Generic greetings: "Dear Customer" or "Dear User" instead of your actual name — though spear phishing will use your name.
- Grammar and formatting issues: Not always present in sophisticated attacks, but still a useful signal in bulk campaigns.
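The red flags above can be turned into triage logic for a reported message. This is an added Python example (not from the post) that parses one raw email and checks for sender mismatch, a lookalike domain (including the "rn" for "m" trick described earlier), links that do not match the claimed sender, urgency wording, and a generic greeting; the sample message, the brand-to-domain table and the keyword lists are constructed assumptions for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not a real phishing email); it trips every check below.
SAMPLE_EMAIL = """From: "Microsoft Support" <alerts@rnicrosoft-login.com>
To: jane.doe@example.com
Subject: Unusual login detected - act within 24 hours
Content-Type: text/plain

Dear Customer,
Verify your password now at https://rnicrosoft-login.com/verify or your account will be locked.
"""
# Brands a display name may claim, mapped to domains that brand really sends from (assumed list).
BRANDS = {"microsoft": {"microsoft.com", "outlook.com"}, "amazon": {"amazon.com"}}
URGENCY = ("act within", "immediately", "24 hours", "will be locked", "permanently deleted")
GENERIC = ("dear customer", "dear user")
# Visual substitutions behind lookalike domains (the "rn" for "m" trick); used only to compare.
FOLD = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def fold(s):
    for a, b in FOLD:
        s = s.replace(a, b)
    return s

def is_legit(domain, legit_domains):
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)

def red_flags(raw):
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    flags = set()
    for brand in (b for b in BRANDS if b in name.lower()):  # brand claimed by the display name
        legit = BRANDS[brand]
        if not is_legit(from_dom, legit):
            flags.add("sender-mismatch")
            if brand in fold(from_dom):  # e.g. rnicrosoft-login.com folds to microsoft-login.com
                flags.add("lookalike-domain")
        for url_dom in re.findall(r"https?://([^/\s]+)", text):
            if not is_legit(url_dom, legit):  # link does not match the claimed sender
                flags.add("suspicious-link")
    if any(k in text for k in URGENCY):
        flags.add("urgency")
    if any(g in text for g in GENERIC):
        flags.add("generic-greeting")
    return sorted(flags)
```

A message that claims a brand but raises no flags is not proven safe; the checks only automate the first pass an analyst would make by hand.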
Phishing Is Evolving — Your Defenses Must Too
The phishing landscape in 2026 looks nothing like it did five years ago. AI-generated phishing emails are grammatically flawless and contextually convincing. Deepfake voice calls can impersonate executives in real time. Phishing kits are sold as a service on dark web marketplaces for a few hundred dollars, complete with real-time MFA bypass capabilities.
Attackers are also increasingly targeting cloud collaboration platforms — Microsoft Teams, Slack, and Google Workspace — not just traditional email. If your security awareness training only covers email phishing, you're leaving massive gaps.
The organizations that survive this environment share three traits: they train continuously, they layer technical controls with human vigilance, and they treat every employee as part of the security team rather than the weakest link.
Your Next Step
If someone on your team searched "what is phishing" today, that's actually good news — it means they're paying attention. Channel that attention into action. Audit your current email security controls. Run a baseline phishing simulation. Measure your click rate. Then build a training program that actually changes behavior over time.
Phishing isn't going away. But organizations that take it seriously — with real training, real simulations, and real technical defenses — dramatically reduce their risk. The ones that treat it as a checkbox exercise become the next case study the rest of us learn from.