A Single Email Cost This Company $121 Million

In 2017, a Lithuanian man orchestrated a phishing scheme that tricked both Google and Facebook into wiring him over $121 million combined. He sent fake invoices from a spoofed email address impersonating a legitimate hardware vendor. Employees at two of the most technically sophisticated companies on the planet fell for it. So if you're asking what is phishing, the short answer is this: it's the single most effective cyberattack method in existence, and it works against everyone.

I've spent years watching organizations — from five-person startups to Fortune 500 firms — get burned by phishing. It's not because they lack firewalls or endpoint protection. It's because phishing targets the one vulnerability you can't patch: human judgment.

This post breaks down exactly how phishing works, the different forms it takes, the real-world damage it causes, and — most importantly — what you can do about it right now.

What Is Phishing, Exactly?

Phishing is a type of social engineering attack where a threat actor impersonates a trusted entity to trick a victim into taking a harmful action. That action is usually clicking a malicious link, opening an infected attachment, or handing over login credentials. The attacker doesn't break into your systems through brute force. They get invited in.

According to the FBI's 2021 Internet Crime Complaint Center (IC3) report, phishing was by far the most reported cybercrime category, with 323,972 complaints — nearly four times the next highest category. And those are just the ones that got reported.

The mechanics are deceptively simple. An attacker crafts a message that looks legitimate. It might appear to come from Microsoft, your bank, your CEO, or a package delivery service. The message creates urgency — your account is locked, your payment failed, your password expires in 24 hours. You click, you enter your credentials, and the attacker now owns your account.

The Five Types of Phishing You Need to Recognize

Not all phishing looks the same. Understanding the variations is critical because each one requires a slightly different defensive mindset.

1. Email Phishing (Bulk Phishing)

This is the classic. A threat actor sends thousands or millions of emails with a generic lure — a fake shipping notification, a password reset request, a tax refund notice. It's a numbers game. Even a 1% click rate on a million emails gives the attacker 10,000 victims.

2. Spear Phishing

This is targeted. The attacker researches a specific individual and crafts a personalized message. They might reference your job title, your recent LinkedIn post, or a project your company just announced. Spear phishing is behind most high-profile data breach incidents because it's far more convincing than bulk phishing.

3. Whaling

Spear phishing aimed at executives — CEOs, CFOs, board members. The payoff is bigger, so attackers invest more time in reconnaissance. In 2016, the CEO of Austrian aerospace parts manufacturer FACC was fired after a whaling attack tricked an employee into wiring €42 million to an attacker-controlled account.

4. Smishing (SMS Phishing)

Same concept, different channel. You get a text message claiming to be from your bank or a delivery service. Smishing exploits the trust people place in text messages and the smaller screen size that makes it harder to inspect URLs. In 2022, I've seen a massive spike in smishing campaigns impersonating USPS, UPS, and FedEx.

5. Vishing (Voice Phishing)

Attackers call you, posing as tech support, the IRS, or your bank's fraud department. They use caller ID spoofing to make the number look legitimate. Vishing is often combined with email phishing — an attacker sends an email with a phone number to call, leading the victim into a social engineering trap.

The $4.35 Million Problem You Can't Ignore

IBM's 2022 Cost of a Data Breach Report found that the global average cost of a data breach reached $4.35 million. Phishing was the second most common initial attack vector, responsible for 16% of breaches. And breaches that started with phishing had an average cost of $4.91 million — above the overall average.

Those numbers should alarm every business owner. But here's what I find even more troubling: the Verizon 2022 Data Breach Investigations Report found that 82% of breaches involved a human element, including social engineering, errors, and misuse. Phishing is the front door for ransomware, credential theft, business email compromise, and network infiltration.

When a phishing email delivers ransomware, the costs multiply. You're not just dealing with credential theft. You're looking at operational shutdown, ransom payments, recovery costs, regulatory fines, and reputational damage. The Colonial Pipeline ransomware attack in 2021 — which caused fuel shortages across the U.S. Southeast — started with a single compromised credential.

How to Spot a Phishing Email: The Field Checklist

I train organizations through our phishing awareness training for organizations, and I always start with the same five-point checklist. These are the red flags that catch most phishing attempts before they do damage.

  • Sender address mismatch: The display name says "Microsoft Support" but the actual email address is on an unrelated or look-alike domain. Always check the full address, not just the display name.
  • Urgency and threats: "Your account will be suspended in 24 hours." "Unauthorized login detected — act now." Legitimate companies rarely threaten you over email.
  • Suspicious links: Hover over every link before clicking. If the URL doesn't match the supposed sender's domain, it's almost certainly phishing.
  • Generic greetings: "Dear Customer" instead of your actual name. Bulk phishing campaigns don't have your personal details.
  • Unexpected attachments: Especially .zip, .exe, or macro-enabled Office documents. If you weren't expecting it, don't open it.

These checks take seconds. Train your brain — and your employees — to run through them on every email that requests action.
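The five checks above can be run mechanically over a raw message before a human ever opens it. The script below is an added example (not code from the original post) that parses an RFC 5322 message with Python's standard `email` library and reports a finding for each checklist item it trips: a display name that names a brand absent from the real sending domain, urgency phrases, links whose domain differs from the sender's, a generic greeting, and attachments with risky extensions. The brand watch list, keyword patterns, extension list, the "last two labels" domain approximation, and both sample messages are constructed assumptions to tune for your own environment.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch lists; adjust to the brands and phrases your users actually receive
BRANDS = {"microsoft", "paypal", "dhl", "usps", "ups", "fedex", "docusign"}
URGENCY = [r"within 24 hours", r"in 24 hours", r"will be suspended", r"act now",
           r"unauthori[sz]ed (login|sign-?in)", r"verify your account"]
GENERIC_GREETING = re.compile(r"^dear (customer|user|member|account holder)\b", re.I)
RISKY_EXT = {".zip", ".exe", ".js", ".iso", ".lnk", ".docm", ".xlsm", ".pptm"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class _Links(HTMLParser):
    """Collect (href, visible text) pairs: what the link does vs. what it shows."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._buf = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._buf).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels; a crude stand-in for public-suffix logic (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw):
    """Return (category, detail) findings for a raw message string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_dom = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""

    # 1. Display name claims a brand that the real sending domain does not contain
    for brand in BRANDS:
        if brand in display.lower() and brand not in sender_dom:
            findings.append(("sender", f"'{display}' sent from {addr}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", content)      # crude tag strip for keyword checks

    # 2. Urgency and threats
    for pat in URGENCY:
        m = re.search(pat, text, re.I)
        if m:
            findings.append(("urgency", m.group(0)))

    # 3. Links pointing somewhere other than the sender's domain
    links = []
    if body is not None and body.get_content_type() == "text/html":
        parser = _Links()
        parser.feed(content)
        links = parser.pairs
    links += [(u, u) for u in URL_RE.findall(text)]  # bare URLs in plain text
    for href, label in links:
        host = urlparse(href).hostname or ""
        if host and registrable_domain(host) != sender_dom:
            findings.append(("link", f"{href} shown as '{label}'"))

    # 4. Generic greeting on the first non-empty line
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and GENERIC_GREETING.search(lines[0]):
        findings.append(("greeting", lines[0]))

    # 5. Attachments with risky extensions
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXT):
            findings.append(("attachment", name))
    return findings


# Constructed sample: trips all five checks
PHISH_SAMPLE = """\
From: "Microsoft Support" <alerts@mail-notify.example>
To: jane.doe@corp.example
Subject: Unusual sign-in activity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Unauthorized login detected. Your account will be suspended in 24 hours
unless you <a href="https://login-verify.example/ms">verify your account</a>.</p>
</body></html>
--b1
Content-Type: application/zip; name="Invoice.zip"
Content-Disposition: attachment; filename="Invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample: an ordinary internal message, expected to produce no findings
CLEAN_SAMPLE = """\
From: "Corp IT" <it@corp.example>
To: jane.doe@corp.example
Subject: Thursday lunch menu
Content-Type: text/plain; charset="utf-8"

Hi Jane,
The menu for Thursday is posted at https://intranet.corp.example/menu.
"""

if __name__ == "__main__":
    for category, detail in triage(PHISH_SAMPLE):
        print(f"[{category}] {detail}")
    print("clean sample findings:", triage(CLEAN_SAMPLE))
```

The link check is the one worth keeping even if you drop the others: it compares the destination the message actually points to with the domain it claims to come from, which is exactly what "hover before you click" asks a human to do.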

Why Technology Alone Won't Save You

I've talked to countless IT directors who believe their email gateway catches everything. It doesn't. In my experience, even the best email security tools miss approximately 10-15% of phishing emails. Attackers constantly evolve their techniques — using legitimate cloud services to host phishing pages, leveraging compromised email accounts for distribution, and crafting messages that bypass keyword-based filters.

Multi-factor authentication (MFA) helps significantly. Even if an attacker steals credentials through a phishing page, MFA adds a second barrier. But MFA isn't bulletproof either. Adversary-in-the-middle toolkits like EvilProxy and Evilginx2 can intercept MFA tokens in real time. I've seen this in the wild in 2022.

A zero trust architecture reduces the blast radius of a compromised account. By requiring continuous verification and limiting access to only what each user needs, zero trust ensures that a single phished credential doesn't give an attacker the keys to your entire kingdom. CISA's Zero Trust Maturity Model is a practical starting point for organizations of any size.

But none of these technical controls replace the need for security awareness. Technology is a safety net. Trained employees are the first line of defense.

Phishing Simulation: The Training Method That Actually Works

Telling employees "don't click suspicious links" accomplishes almost nothing. I've seen it fail over and over. What works is phishing simulation — sending realistic but harmless phishing emails to your own employees, then providing immediate feedback to those who click.

Here's why this approach is effective: it creates a consequence without a catastrophe. When someone clicks a simulated phishing email and immediately sees a training message explaining what they missed, that lesson sticks far longer than any slide deck or annual compliance video.

Organizations that run regular phishing simulations see measurable improvement. The key is consistency. Monthly or quarterly simulations, combined with ongoing security awareness education, build a reflex. Your employees start scrutinizing emails instinctively.

Our cybersecurity awareness training covers phishing recognition alongside other critical topics like credential theft, ransomware defense, and safe browsing practices. Pair that with our phishing awareness training for organizations to get simulation-based learning that actually changes behavior.

What Should You Do If You've Been Phished?

Speed matters. If you or one of your employees clicked a phishing link or entered credentials on a suspicious page, take these steps immediately:

  • Change the compromised password now. If the same password was reused anywhere else — change those too. This is why password managers and unique passwords matter.
  • Enable MFA on the affected account if it wasn't already active.
  • Report it to your IT/security team. They need to check for unauthorized access, email forwarding rules the attacker may have set, and lateral movement within your network.
  • Notify affected parties. If customer data or partner data may have been exposed, your legal and compliance teams need to be involved immediately.
  • File a report with the FBI IC3 at ic3.gov if financial loss occurred.
  • Preserve evidence. Don't delete the phishing email. Forward it to your security team and, if applicable, to the Anti-Phishing Working Group at reportphishing@apwg.org.
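The "check for email forwarding rules" step above is the one most often skipped, and the one that keeps a compromise alive after the password has been changed. The following is an added example (not from the original post) of a triage pass over a mailbox's inbox rules. Each rule is a dict whose keys are modelled on the properties an Exchange Online inbox-rule export exposes (`Name`, `Enabled`, `ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo`, `DeleteMessage`, `MoveToFolder`, `SubjectContainsWords`, `BodyContainsWords`); treat those names, the internal-domain list, the sensitive-word list and the sample rules as assumptions to adapt to whatever your own export looks like.

```python
# Assumptions: your organisation's own mail domains, and words that an attacker
# would want to keep out of the victim's view after a compromise
INTERNAL_DOMAINS = {"corp.example"}
SENSITIVE_WORDS = {"password", "invoice", "wire", "payment", "security alert",
                   "unusual sign-in", "mfa", "verification code"}
HIDING_FOLDERS = {"Deleted Items", "Junk Email", "RSS Feeds", "Archive"}


def _external(addresses):
    """Return the addresses whose domain is not one of ours."""
    out = []
    for a in addresses or []:
        domain = a.rsplit("@", 1)[-1].lower() if "@" in a else ""
        if domain and domain not in INTERNAL_DOMAINS:
            out.append(a)
    return out


def suspicious_rules(rules):
    """Return (rule name, reason) pairs that deserve a human look."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue                      # disabled rules do nothing; review them later
        name = r.get("Name") or "<unnamed>"

        # Any path that copies or redirects mail outside the organisation
        ext = (_external(r.get("ForwardTo")) + _external(r.get("RedirectTo"))
               + _external(r.get("ForwardAsAttachmentTo")))
        if ext:
            findings.append((name, f"sends mail outside the org to {', '.join(ext)}"))

        # Rules that delete or bury messages about money or account security
        words = {w.lower() for w in (r.get("SubjectContainsWords") or [])
                 + (r.get("BodyContainsWords") or [])}
        matched = sorted(w for w in words if any(s in w for s in SENSITIVE_WORDS))
        hides = bool(r.get("DeleteMessage")) or r.get("MoveToFolder") in HIDING_FOLDERS
        if hides and matched:
            findings.append((name, f"hides messages mentioning {matched}"))

        # Names such as "." or "" give a reviewer nothing to read in the rule list
        if len(name.strip(" .,_-")) <= 1:
            findings.append((name, "near-empty rule name; review what it does"))
    return findings


# Constructed export of one mailbox's rules
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Reading",
     "SubjectContainsWords": ["newsletter"]},
    {"Name": ".", "Enabled": True, "ForwardTo": ["collector@external-mail.example"]},
    {"Name": "Cleanup", "Enabled": True, "DeleteMessage": True,
     "SubjectContainsWords": ["Invoice", "password reset"]},
    {"Name": "Old rule", "Enabled": False, "ForwardTo": ["x@external-mail.example"]},
]

if __name__ == "__main__":
    for rule_name, reason in suspicious_rules(SAMPLE_RULES):
        print(f"{rule_name!r}: {reason}")
```

Run this against every mailbox the phished user could have reached with the stolen credential, not just their own, and keep the export as part of the preserved evidence: the rule that quietly deletes "invoice" emails is often the first sign that business email compromise, not just credential theft, is underway.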

The first 60 minutes after a phishing compromise are critical. Having an incident response plan that everyone knows — before an incident happens — makes the difference between a minor event and a full-blown data breach.

Why Phishing Gets Worse During the Holidays

You're reading this on Christmas Day, and I want to flag something timely. Holiday seasons see significant spikes in phishing activity. Attackers exploit the flood of shipping notifications, order confirmations, and promotional emails that people expect this time of year. A fake "Your package couldn't be delivered" email blends in perfectly when you're expecting five deliveries.

The CISA advisory from November 2021 warned that threat actors frequently launch attacks during holidays and weekends when security teams are short-staffed. This pattern held true through 2022.

Tell your employees. Remind your family. The holiday inbox is a hunting ground.

Building a Phishing-Resistant Organization

If you've read this far, you already know that answering what is phishing is only the beginning. The real question is: what are you going to do about it?

Here's your action plan for Q1 2023:

  • Baseline your risk. Run an initial phishing simulation to see where your organization stands. You can't improve what you don't measure.
  • Launch ongoing training. One-time training doesn't work. Enroll your team in cybersecurity awareness training that reinforces lessons throughout the year.
  • Implement phishing simulations. Use realistic phishing simulations to build muscle memory across your workforce.
  • Deploy MFA everywhere. Especially on email, VPNs, and any system accessible from the internet.
  • Adopt zero trust principles. Limit access. Verify continuously. Assume breach.
  • Create an incident response plan. Document exactly what happens when someone reports a phishing email. Test the plan quarterly.

Phishing isn't going away. The attacks are getting more sophisticated, more targeted, and more expensive for victims. But organizations that invest in their people — not just their technology — consistently outperform those that don't.

Your firewall can't read a phishing email. Your employees can. Train them.