A Single Email Cost This Company $121 Million
In 2019, a Lithuanian national named Evaldas Rimasauskas pleaded guilty to stealing over $121 million from Google and Facebook. His weapon wasn't malware. It wasn't a zero-day exploit. It was phishing — forged emails impersonating a legitimate hardware vendor, complete with fake invoices and fraudulent contracts. Two of the most technically sophisticated companies on earth fell for it.
So what is phishing, exactly? It's a social engineering attack where a threat actor impersonates a trusted entity — via email, text, phone call, or fake website — to trick you into handing over credentials, financial information, or access. It's the single most common attack vector in cybersecurity, and it's responsible for more data breaches than any other technique.
If you've landed on this page, you're either trying to understand phishing for yourself or figuring out how to protect your organization. Either way, I'm going to walk you through how these attacks actually work, why they succeed at alarming rates, and what you can do about it today.
How Phishing Attacks Actually Work
I've investigated hundreds of phishing incidents over my career. The mechanics are almost always the same, even when the sophistication varies wildly.
Here's the basic playbook a threat actor follows:
- Reconnaissance: The attacker researches the target. LinkedIn profiles, company websites, and social media provide names, titles, email formats, and vendor relationships.
- Crafting the lure: They create a convincing message — an urgent invoice, a password reset, a CEO requesting a wire transfer. The email spoofs a real domain or uses a lookalike (think "micros0ft.com" instead of "microsoft.com").
- Delivery: The message hits your inbox. It includes a malicious link, a weaponized attachment, or a request for sensitive information.
- Exploitation: You click, you enter your credentials on a fake login page, or you open an attachment that installs malware. The attacker now has what they need.
- Monetization: Stolen credentials get used for credential theft across other accounts, business email compromise, ransomware deployment, or direct financial fraud.
The entire chain can take less than 60 seconds from the victim's perspective. According to Verizon's 2024 Data Breach Investigations Report, the median time for a user to fall for a phishing email is under 60 seconds — and the median time to click a malicious link is under 21 seconds.
The 5 Types of Phishing You'll Actually Encounter
Not all phishing looks the same. Here are the variants I see most frequently in the wild:
1. Email Phishing
The classic. Mass-sent emails designed to look like they come from Microsoft, your bank, or a shipping company. They cast a wide net and rely on volume. Even a 1% click rate on 100,000 emails gives an attacker 1,000 victims.
2. Spear Phishing
Targeted attacks aimed at specific individuals. These messages reference real projects, real colleagues, and real deadlines. They're devastatingly effective because they feel personal. The Google and Facebook attack I mentioned above was spear phishing at scale.
3. Smishing (SMS Phishing)
Text messages claiming to be from your bank, the IRS, or a delivery service. "Your package couldn't be delivered — click here to reschedule." These have exploded since 2022 because people trust text messages more than email.
4. Vishing (Voice Phishing)
Phone calls from attackers pretending to be IT support, government agencies, or vendors. AI-generated voice cloning has made this significantly more dangerous in 2025 and 2026.
5. Business Email Compromise (BEC)
The most financially destructive variant. An attacker compromises or spoofs an executive's email and instructs an employee to wire funds or change payment details. The FBI's Internet Crime Complaint Center (IC3) has consistently reported BEC as the costliest cybercrime category, with adjusted losses exceeding $2.9 billion in 2023 alone.
Why Phishing Still Works in 2026
You'd think that after decades of awareness campaigns, people would stop clicking. They haven't. Here's why.
Urgency overrides judgment. Phishing emails create artificial pressure — "Your account will be locked in 24 hours," "The CEO needs this wire today." When people feel rushed, they skip verification steps.
The attacks look legitimate. Modern phishing kits clone real login pages pixel-for-pixel. Attackers use valid SSL certificates. They register domains that pass a quick glance. The visual cues people were taught to look for — bad grammar, suspicious URLs — aren't reliable anymore.
People are the target, not technology. Email filters catch a huge percentage of phishing attempts. But it only takes one message getting through to one person having a bad day. Social engineering exploits human psychology, not software vulnerabilities.
Credential reuse amplifies the damage. When an attacker phishes one password and the victim uses that same password across multiple platforms, a single successful phishing email becomes a full-scale data breach.
What Is Phishing's Real Cost to Organizations?
This is the question I get from every executive I brief. The answer is ugly.
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was the most common initial attack vector. For small and mid-sized businesses, a single phishing-driven breach can be an extinction-level event.
Beyond direct financial losses, you're looking at:
- Regulatory fines and FTC enforcement actions
- Forensic investigation and legal costs
- Customer notification and credit monitoring expenses
- Reputational damage that takes years to repair
- Operational downtime — especially if the phishing leads to ransomware
The math is simple. Prevention is orders of magnitude cheaper than recovery.
How to Defend Against Phishing: What Actually Works
I'm not going to tell you to "think before you click" and call it a day. Here's what actually reduces phishing risk in organizations I've worked with.
Deploy Multi-Factor Authentication Everywhere
Multi-factor authentication (MFA) is the single most effective technical control against credential theft from phishing. Even if an attacker captures a password, MFA blocks them from accessing the account. CISA recommends MFA as a foundational security measure for every organization, regardless of size.
Use phishing-resistant MFA — hardware keys or FIDO2 passkeys — not just SMS codes, which can be intercepted.
Run Realistic Phishing Simulations
Security awareness training without phishing simulation is like a driving course without a car. Your employees need to practice recognizing attacks in a safe environment. Regular simulations identify who's vulnerable and give you targeted data to focus your training.
Our phishing awareness training for organizations provides exactly this — realistic scenarios that mirror actual attacks your employees will face.
Implement a Zero Trust Architecture
Zero trust means no user, device, or application gets implicit trust. Every access request is verified. Even if a phished credential gets used, zero trust principles like least-privilege access and continuous verification limit the blast radius dramatically.
Train Continuously, Not Annually
One compliance checkbox training per year doesn't change behavior. I've seen this repeatedly. The organizations that actually reduce phishing click rates train monthly, with short modules reinforced by simulations and real-time coaching.
If you're building out your security awareness program, our cybersecurity awareness training covers phishing, social engineering, ransomware, and more — designed for ongoing engagement, not one-and-done compliance.
Harden Your Email Infrastructure
Technical controls should layer behind your human defenses:
- SPF, DKIM, and DMARC: These email authentication protocols prevent domain spoofing. If you haven't configured DMARC enforcement, attackers can send emails that appear to come from your domain.
- Advanced threat protection: Sandboxing attachments and scanning URLs at time-of-click catches threats that slip past static filters.
- External email banners: A simple "This email originated outside your organization" warning gives employees a visual cue to slow down.
The 60-Second Rule That Stops Most Phishing
Here's what I tell every employee I train: if an email asks you to do something urgent — click a link, open an attachment, send money, share credentials — take 60 seconds to verify through a different channel. Call the person who supposedly sent it. Use a phone number you already have, not one in the email.
That single habit stops the vast majority of phishing attacks dead. Threat actors depend on speed and impulse. Verification kills the attack chain.
Phishing Isn't Going Away — Your Response Has to Evolve
AI-generated phishing emails are now nearly indistinguishable from legitimate business communication. Deepfake voice calls are being used in vishing attacks against finance teams. Phishing-as-a-service kits let amateur criminals launch sophisticated campaigns for pocket change.
The question isn't whether your organization will be targeted. It's whether your people, processes, and technology are ready when it happens.
Start with the fundamentals: deploy MFA, train your people with realistic simulations, harden your email, and adopt zero trust principles. These aren't theoretical recommendations — they're the controls that I've seen actually stop breaches in real organizations.
Your attackers are evolving. Your defenses need to evolve faster.