In January 2024, a finance employee at a multinational engineering firm in Hong Kong wired $25.6 million to threat actors after a video call with what appeared to be the company's CFO and several colleagues. Every person on that call was a deepfake. The attack started with a single phishing email that lured the employee into the meeting. If you're asking what phishing is, that story is the answer stripped of all abstraction: a human being manipulated into trusting something fake. And it's the single most common way organizations lose data, money, and reputation in 2024.

This post breaks down exactly how phishing works, what the current threat landscape looks like, and what you can actually do to protect yourself and your organization. No theory. Just what I've seen work — and fail — over two decades in cybersecurity.

What Is Phishing, Exactly?

Phishing is a social engineering attack where a threat actor impersonates a trusted entity to trick you into taking a harmful action — clicking a malicious link, opening a weaponized attachment, entering credentials on a spoofed login page, or wiring money to a fraudulent account. It exploits human psychology, not software vulnerabilities.

The term dates back to the mid-1990s, but the technique has evolved dramatically. Modern phishing campaigns use AI-generated text, cloned websites that are pixel-perfect replicas, and even real-time adversary-in-the-middle proxies that intercept multi-factor authentication tokens. The goal is almost always one of three things: credential theft, malware delivery, or financial fraud.

According to the FBI's 2023 Internet Crime Report, phishing was the most reported cybercrime category for the fifth consecutive year, with nearly 300,000 complaints. And those are just the ones that got reported.

The 6 Types of Phishing You'll Actually Encounter

Not all phishing looks the same. Here's a breakdown of the variants I see most often in incident response engagements.

1. Email Phishing (Bulk Campaigns)

This is the classic. A threat actor sends thousands or millions of emails impersonating a brand — Microsoft, Amazon, a shipping company — hoping a small percentage of recipients will click. The emails typically drive victims to a credential harvesting page. These attacks are high volume, low effort, and still devastatingly effective.

2. Spear Phishing

Targeted phishing aimed at a specific individual or organization. The attacker researches you — your LinkedIn, your company website, your recent transactions — and crafts a message that feels personally relevant. The 2023 MGM Resorts breach, which cost the company over $100 million, reportedly started with a social engineering call to the help desk — a technique often paired with spear phishing emails for reconnaissance.

3. Business Email Compromise (BEC)

BEC is spear phishing's more expensive cousin. The attacker either compromises a real email account or spoofs one convincingly, then requests wire transfers, W-2 data, or gift card purchases. The FBI IC3 report shows BEC caused over $2.9 billion in reported losses in 2023 alone — making it the costliest cybercrime category by a wide margin.

4. Smishing (SMS Phishing)

Phishing via text message. You've probably received the fake USPS tracking link or the "your bank account has been locked" text. Smishing exploits the implicit trust people place in their phones and the smaller screen size that makes URL inspection harder.

5. Vishing (Voice Phishing)

Phone-based phishing. Attackers call pretending to be IT support, a bank, or law enforcement. Vishing has surged with the availability of AI voice cloning tools. In my experience, vishing is particularly effective against employees who don't have strong security awareness training.

6. Quishing (QR Code Phishing)

A newer technique that exploded in 2023 and 2024. Attackers embed malicious QR codes in emails, flyers, or even parking meters. When scanned, the code directs to a credential harvesting page. It's effective because most email security gateways don't scan QR code URLs.

How a Phishing Attack Actually Works: Step by Step

I've analyzed hundreds of phishing campaigns during incident response. The kill chain almost always follows this pattern:

  • Reconnaissance: The attacker identifies targets. For bulk campaigns, they buy email lists. For spear phishing, they scrape LinkedIn, company websites, and data breach dumps.
  • Weaponization: They build the lure — a spoofed email, a cloned login page, a malicious attachment. Phishing kits are sold on dark web marketplaces for as little as $50.
  • Delivery: The email, text, or call reaches the victim. Timing matters — attackers often send during busy periods like Monday mornings or end-of-quarter rushes.
  • Exploitation: The victim clicks the link, opens the attachment, or provides information. This is the human failure point.
  • Action on Objective: The attacker harvests credentials, deploys ransomware, establishes persistence, or initiates a fraudulent transaction. From initial click to full account compromise, the average time is under 60 minutes.

The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — and phishing remains the top initial access vector in that category. Your firewalls and endpoint detection tools are only as strong as the person deciding whether to click.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average breach cost at $4.88 million — the highest figure ever recorded. Phishing was the most common initial attack vector, and phishing-initiated breaches took an average of 261 days to identify and contain.

Think about that. Nearly nine months of an attacker living inside your network because someone entered their credentials on a fake Microsoft 365 login page.

The organizations that catch these attacks faster have two things in common: layered technical controls and a workforce that knows what phishing looks like. You need both. Technology alone fails when a convincing email lands in someone's inbox and they make a split-second decision.

Why Multi-Factor Authentication Isn't a Silver Bullet

I hear this constantly: "We have MFA, so we're covered." You're not. Adversary-in-the-middle (AiTM) phishing toolkits like EvilProxy and Evilginx2 proxy the victim's session in real time. The user enters their credentials and MFA token on a phishing page. The toolkit captures the authenticated session cookie and replays it. The attacker is now logged in as the victim, MFA and all.

Microsoft reported a campaign in 2023 that used AiTM phishing to compromise over 10,000 organizations' Azure AD accounts. MFA is still essential — it stops the vast majority of automated credential stuffing attacks. But it is not a replacement for security awareness. Your people need to recognize the phishing email before they reach the login page.

What Phishing Red Flags Actually Look Like in 2024

Forget the advice about "look for misspellings." Modern phishing emails are grammatically perfect, thanks to large language models. Here's what I tell my clients to watch for:

  • Urgency + action request: "Your account will be suspended in 24 hours" paired with a link or attachment.
  • Sender address mismatch: The display name says "Microsoft Support" but the email comes from support@msft-secure-alerts[.]com.
  • Unexpected attachments: Especially HTML files, .zip archives, or documents requesting you to "enable macros."
  • Login pages reached through email links: If an email sends you to a login page, stop. Navigate to the service directly through your browser.
  • QR codes in emails: There is almost no legitimate business reason to put a QR code in an email. Treat them as suspicious by default.
  • Domain lookalikes: paypa1.com instead of paypal.com, or micr0soft.com. These slip past distracted eyes.
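Two of these red flags (a display name that doesn't match the sender's domain, and digit-for-letter lookalike domains) can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original post; the brand-to-domain map is an illustrative assumption and the sample headers are constructed, reusing the two addresses quoted above.

```python
from email.utils import parseaddr

# Assumed, illustrative map of brand names to domains they legitimately send from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}

# Digit/letter swaps seen in lookalike domains: paypa1 -> paypal, micr0soft -> microsoft.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(addr: str) -> str:
    """Last two labels of the address domain (sufficient for .com-style TLDs)."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold confusable characters so a lookalike collapses onto the brand domain."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def check_from_header(header: str) -> list[str]:
    """Return findings for a raw From: header value; an empty list means nothing flagged."""
    display, addr = parseaddr(header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = registrable_domain(addr)
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if domain in legit:
            continue  # genuine brand domain, nothing to flag for this brand
        if normalize(domain) in {normalize(d) for d in legit}:
            findings.append(f"lookalike domain {domain} imitates {brand}")
        elif brand in display.lower():
            findings.append(f"display name claims {brand} but domain is {domain}")
    return findings


# Constructed sample headers: two from the list above, one lookalike, one genuine.
SAMPLE_HEADERS = [
    '"Microsoft Support" <support@msft-secure-alerts.com>',
    '"PayPal" <service@paypa1.com>',
    '"Account Security" <alerts@micr0soft.com>',
    "Microsoft account team <no-reply@accountprotection.microsoft.com>",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", check_from_header(h) or ["no findings"])
```

The registrable-domain heuristic is deliberately simple; a production filter would use the Public Suffix List so that country-code domains such as .co.uk are handled correctly.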

How to Protect Your Organization: What Actually Works

After years of building security programs, here's the stack that reduces phishing risk in practice — not just on paper.

Technical Controls

  • Email filtering and sandboxing: Deploy a secure email gateway that detonates attachments and inspects URLs. This catches the bulk of commodity phishing.
  • DMARC, DKIM, and SPF: Properly configured email authentication prevents attackers from spoofing your domain. CISA has published clear guidance on implementing these protocols.
  • Phishing-resistant MFA: FIDO2 security keys or passkeys are immune to AiTM attacks because authentication is bound to the legitimate domain. Push notifications and SMS codes are not phishing-resistant.
  • Zero trust architecture: Assume breach. Verify every access request regardless of network location. Microsegmentation limits lateral movement after an initial compromise.
  • Browser isolation: Renders web content in a remote container so even if a user clicks a malicious link, the payload never reaches the endpoint.

Human Controls

  • Phishing simulation programs: Regular, realistic phishing simulations train your employees to recognize attacks under pressure. Not once a year — monthly at minimum. Our phishing awareness training for organizations provides structured simulation programs built around current attack techniques.
  • Security awareness training: Broad-based training that covers social engineering, credential theft, ransomware, and safe browsing habits. Your entire workforce needs a baseline understanding. Our cybersecurity awareness training program covers these fundamentals with practical, scenario-driven content.
  • Clear reporting culture: Make it easy and consequence-neutral for employees to report suspicious emails. Every unreported phishing email is a missed detection opportunity. The fastest way to stop a campaign is having five employees report it in the first ten minutes.

Process Controls

  • Out-of-band verification: Any request for a wire transfer, credential change, or sensitive data must be verified through a separate communication channel. Call the requester at a known phone number. Every time.
  • Least privilege access: Limit what a compromised account can reach. If a phished employee only has access to their own files, the blast radius shrinks dramatically.
  • Incident response playbook: Have a documented, rehearsed plan for phishing incidents. Who pulls the email from other inboxes? Who resets credentials? Who notifies affected parties? If you're figuring this out during an active incident, you've already lost time.

One question comes up constantly: what should you do if you've already clicked the link or entered your credentials? Here's the immediate response checklist I give every client:

  • Disconnect from the network — Wi-Fi and Ethernet. Don't power off the device; you may destroy forensic evidence.
  • Change your password immediately from a different, known-clean device. If you entered credentials on a phishing page, assume they're compromised.
  • Revoke active sessions in your email and cloud applications. Changing a password doesn't kill an existing session token.
  • Report to your IT/security team with the exact email, URL, and what actions you took. Speed matters — they need to check if other employees received the same email.
  • Monitor your accounts for unusual activity over the following 30 days. Watch for forwarding rules silently added to your email — a common post-compromise persistence technique.

Phishing Isn't Going Away — But Your Risk Doesn't Have to Stay the Same

Every year the lures get better. AI-generated phishing text is now indistinguishable from legitimate business communication. Deepfake video calls are no longer science fiction — they're active attack tools. QR code phishing bypasses email security filters entirely.

But here's what I've seen consistently: organizations that combine phishing-resistant technical controls with ongoing, realistic phishing awareness training reduce their click rates by 60-80% within six months. The attacks don't stop. The success rate does.

Understanding what phishing is comes first. Building a culture where every employee acts as a sensor — recognizing, pausing, and reporting — is what actually moves the needle. Pair that with comprehensive security awareness training, enforce phishing-resistant MFA, implement zero trust principles, and verify every sensitive request out of band.

The threat actors only need one person to click. Your job is to make sure that person doesn't work for you.