The Email That Cost One Company $100 Million

In 2019, Toyota Boshoku Corporation lost $37 million in a single business email compromise attack. A threat actor impersonated a senior executive, convinced a finance employee to change wire transfer details, and the money vanished. That attack started with something deceptively simple — a phishing email. If you're asking what phishing is, that story is the answer stripped to its core: deception delivered digitally, designed to make you act before you think.

Phishing remains the number one initial access vector for data breaches worldwide. According to the Verizon 2024 Data Breach Investigations Report, phishing and pretexting together accounted for over 73% of social engineering breaches. I've spent years training organizations to recognize and resist these attacks, and I can tell you — the problem isn't getting better on its own.

What Is Phishing, Exactly?

Phishing is a social engineering attack where a threat actor sends a fraudulent message — usually email, but also text, voice, or social media — designed to trick the recipient into revealing sensitive information, clicking a malicious link, or downloading malware. The attacker pretends to be someone you trust: your bank, your boss, Microsoft, the IRS.

The goal varies. Sometimes it's credential theft — harvesting your username and password through a fake login page. Sometimes it's installing ransomware. Sometimes it's convincing you to wire money to a fraudulent account. But the mechanism is always the same: exploit human trust and urgency.

Why Phishing Works So Well

Phishing doesn't exploit software vulnerabilities. It exploits human psychology. Attackers leverage authority ("Your CEO needs this now"), urgency ("Your account will be locked in 24 hours"), and familiarity ("Here's the invoice you requested"). These triggers bypass rational thinking and push people toward impulsive action.

I've run hundreds of phishing simulations for organizations of all sizes. Even after training, between 3% and 15% of employees will click a well-crafted phishing email. Without training, that number jumps dramatically. The gap between those two numbers is where breaches happen — or don't.

The Five Types of Phishing You'll Actually Encounter

1. Email Phishing (Bulk Phishing)

The classic. A threat actor sends thousands or millions of emails impersonating a trusted brand — Netflix, Amazon, your bank. The email contains a link to a credential harvesting page. These attacks cast a wide net and rely on volume. Even a 1% success rate across a million emails yields 10,000 compromised accounts.

2. Spear Phishing

Targeted phishing aimed at a specific individual or organization. The attacker researches you — your LinkedIn profile, your company's org chart, your recent projects. The email is personalized and convincing. Spear phishing is behind most high-profile data breach incidents because it's extremely difficult to detect.

3. Whaling

Spear phishing aimed at executives — the "big fish." These attacks often impersonate board members, legal counsel, or regulators. The stakes are higher, and so is the sophistication. Whaling attacks frequently involve business email compromise (BEC) and fraudulent wire transfers.

4. Smishing and Vishing

Smishing uses SMS text messages. Vishing uses voice calls. Both are exploding in volume. The FBI's Internet Crime Complaint Center (IC3) has documented a sharp rise in vishing attacks, particularly those impersonating government agencies and tech support.

5. Clone Phishing

The attacker takes a legitimate email you've already received — a real invoice, a real shipping notification — and creates a near-perfect copy with a malicious link or attachment swapped in. Because the email looks identical to something you've seen before, your guard drops.

How to Spot a Phishing Attack: The 60-Second Check

Here's what I teach every organization I work with. Before you click, open, or reply to any unexpected message, run through this checklist:

  • Sender address: Does the domain match the real organization? Look for subtle misspellings — "micros0ft.com" instead of "microsoft.com."
  • Urgency or threats: "Act now or your account will be suspended" is almost always a red flag.
  • Links: Hover before you click. Does the URL match where the email says it's going?
  • Attachments: Were you expecting this file? Unsolicited attachments are a primary malware delivery method.
  • Requests for credentials or payment: Legitimate organizations rarely ask for passwords or payment changes via email.
  • Grammar and tone: Not always reliable — AI-generated phishing is grammatically flawless — but mismatched tone or unusual phrasing still matters.

This 60-second check stops the vast majority of phishing attempts. But it only works if it becomes a habit, and habits require training and reinforcement. That's why ongoing phishing awareness training for your organization is non-negotiable.
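The sender-address and link checks in that list are also easy to automate in a gateway rule or a phishing-report triage script. The following is an added example, not code from the original post: it runs checklist items 1 and 3 over a constructed sample message, folding common lookalike substitutions in the sender domain and comparing each link's displayed text with its real target. TRUSTED_DOMAINS and all addresses in the sample are assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.com"}  # assumption: domains the org corresponds with
# Constructed sample: lookalike sender domain plus a link whose text and target disagree.
SAMPLE = """From: "Microsoft Account Team" <security@micros0ft.com>
Content-Type: text/html

<p>Sign in at <a href="https://login.attacker.example/verify">https://login.microsoft.com</a> now.</p>
"""

def normalize(domain):
    # Fold common substitutions so "micros0ft.com" compares equal to "microsoft.com".
    d = domain.lower()
    for fake, real in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        d = d.replace(fake, real)
    return d

class LinkCollector(HTMLParser):
    # Collects (displayed text, href) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        self._text += data  # only the text gathered since the last <a> is ever used
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def check_message(raw):
    # Returns findings for checklist items 1 (sender address) and 3 (links).
    msg, findings = message_from_string(raw, policy=policy.default), []
    domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_DOMAINS and normalize(domain) in {normalize(t) for t in TRUSTED_DOMAINS}:
        findings.append(f"lookalike sender domain: {domain}")
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector(); parser.feed(body.get_content() if body is not None else "")
    for text, href in parser.links:
        if not re.match(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", text, re.I):
            continue  # plain "click here" text gives nothing to compare against
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown != urlparse(href).hostname:
            findings.append(f"link text {text!r} actually points to {urlparse(href).hostname}")
    return findings
```

A message that passes both checks can still be phishing; this only automates the two items a reader can verify mechanically.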

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was one of the most common initial attack vectors. That's not a theoretical number — it includes incident response, legal fees, regulatory fines, lost business, and reputational damage.

Here's what actually happens after a successful phishing attack in your organization:

  • An employee enters credentials on a fake login page.
  • The attacker uses those credentials to access your email system or cloud applications.
  • They establish persistence — setting up mail forwarding rules, creating new admin accounts.
  • They move laterally, escalating privileges and exfiltrating data.
  • If ransomware is the goal, they deploy it after maximizing their access.

The entire chain — from initial phishing email to full compromise — can take as little as 48 hours. In many cases I've investigated, organizations didn't detect the breach for weeks or months.
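The mail-forwarding step in that chain is one of the cheapest to detect, because it leaves an audit event. The script below is an added example, not from the original post, of detection logic that flags inbox-rule or mailbox changes forwarding mail outside the organization and raises severity when the rule is built to stay hidden. The audit events are constructed and simplified for illustration (not real vendor log output), and INTERNAL_DOMAINS is an assumption.

```python
import json

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organization's own mail domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress")

# Constructed, simplified audit events (one JSON object per line), not real vendor output.
SAMPLE_EVENTS = [
    '{"Operation":"New-InboxRule","UserId":"alice@example.org","ClientIP":"203.0.113.7",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@attacker.example"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"New-InboxRule","UserId":"bob@example.org","ClientIP":"198.51.100.4",'
    '"Parameters":[{"Name":"Name","Value":"Team updates"},{"Name":"MoveToFolder","Value":"Updates"}]}',
    '{"Operation":"Set-Mailbox","UserId":"carol@example.org","ClientIP":"203.0.113.7",'
    '"Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:carol.backup@attacker.example"}]}',
]

def is_external(address):
    # Strip an optional "smtp:" prefix and compare the domain against our own.
    domain = address.split(":")[-1].rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS

def flag_forwarding(events):
    # Returns one alert per event that forwards mail outside the organization.
    alerts = []
    for line in events:
        ev = json.loads(line)
        if ev.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        external = [params[k] for k in FORWARD_KEYS if k in params and is_external(params[k])]
        if not external:
            continue
        # Rules that delete the forwarded copy or carry a near-empty name are built to stay hidden.
        hidden = params.get("DeleteMessage") == "True" or ("Name" in params and not params["Name"].strip(".,-_ "))
        alerts.append({
            "user": ev["UserId"],
            "client_ip": ev.get("ClientIP"),
            "operation": ev["Operation"],
            "targets": external,
            "severity": "high" if hidden else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in flag_forwarding(SAMPLE_EVENTS):
        print(alert)
```

Correlating the client IP across alerts (both external rules here come from the same address) is the next step an analyst would take.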

Why Traditional Email Filters Aren't Enough

Yes, you need email security tools. Secure email gateways, DMARC, SPF, and DKIM are baseline requirements. But they're not sufficient. Modern phishing attacks use legitimate cloud services to host malicious pages, exploit trusted domains, and leverage zero-day URLs that haven't been flagged yet.

CISA consistently emphasizes that technology alone cannot stop phishing. You need a layered defense strategy that includes multi-factor authentication, zero trust architecture, endpoint detection, and — critically — security awareness training that actually changes behavior.

Building a Human Firewall That Holds

I've seen organizations slash their phishing click rates by 80% within a year. The ones that succeed share three things:

Consistent Phishing Simulation

Running a single phishing test per year is theater. Effective organizations run monthly simulations with varied difficulty levels and attack types. Employees who click receive immediate, non-punitive coaching. Over time, muscle memory develops.

Role-Based Training

Your finance team faces different threats than your developers. Your executives face different threats than your front desk staff. Training must reflect the actual attacks each group encounters. Generic, one-size-fits-all programs waste time and budget.

Culture, Not Compliance

The goal isn't to check a box for your auditor. The goal is to create an environment where reporting a suspicious email is celebrated, not embarrassing. When employees feel safe reporting, your detection speed improves dramatically. A comprehensive cybersecurity awareness training program builds exactly this kind of culture.

What Should You Do Right Now?

If you're responsible for security at your organization — even partially — here are three things you can do this week:

  • Enable multi-factor authentication everywhere. MFA stops the vast majority of credential theft from succeeding, even when an employee falls for a phishing email.
  • Run a baseline phishing simulation. You can't improve what you don't measure. Find out where your organization actually stands.
  • Start ongoing security awareness training. Not a single annual video. A continuous program with real-world scenarios, regular testing, and measurable outcomes.

Phishing isn't going away. Generative AI is making attacks more convincing, more personalized, and harder to detect. The organizations that survive are the ones that treat phishing defense as a continuous process — not a one-time project.

Now you know what phishing is, how it works, and what it costs. The only remaining question is whether your organization will be ready when the next attack arrives.