The Email That Cost MGM Resorts $100 Million

In September 2023, a single social engineering attack, which began with a phone call to the company's IT help desk but relied on the same deception principles as phishing emails, led to a breach at MGM Resorts that the company estimated cost it roughly $100 million. The Scattered Spider threat actors didn't need a sophisticated zero-day exploit. They needed one human who didn't recognize the signs of a scam.

Knowing how to spot phishing emails isn't a nice-to-have skill in 2025. It's your first line of defense against credential theft, ransomware, and data breaches that can obliterate a business. According to the Verizon 2024 Data Breach Investigations Report, phishing was involved in 15% of all breaches — and the human element factored into 68% of them.

This post gives you the exact red flags I look for after two decades in cybersecurity, the specific techniques threat actors are using right now, and the steps you can take to protect yourself and your organization today.

Why Phishing Still Works in 2025

You'd think that after years of headlines, people would stop clicking. They don't. Here's why.

Modern phishing emails don't look like the Nigerian prince scams of 2005. They're crafted using AI-generated text, they spoof legitimate brands pixel-for-pixel, and they arrive in your inbox at the exact moment you'd expect a real message — like right after you place an Amazon order or reset a password.

The FBI's 2023 Internet Crime Report logged nearly 300,000 phishing complaints, making it the most reported cybercrime category for the fifth consecutive year. The average cost of a data breach hit $4.88 million globally in 2024 according to IBM, which lists phishing among the most common initial attack vectors. A large share of those breaches began with an email someone shouldn't have clicked.

How to Spot Phishing Emails: 9 Red Flags That Matter

I've analyzed thousands of phishing emails across incident response engagements, phishing simulations, and threat intelligence feeds. These are the nine indicators that consistently separate a phishing email from a legitimate one.

1. The Sender Address Doesn't Match the Brand

This is the single fastest check you can make. Hover over or tap the sender's address and read everything after the @. Is it exactly the brand's own domain, or a close imitation? Threat actors register domains that look right but aren't exact. I've seen domains like paypa1.com (a number one in place of the letter L) fool experienced professionals.

Always check the full domain, not just the display name. Email clients like Outlook and Gmail show the display name prominently and tuck the actual address behind a hover or a tap, and mobile clients often show nothing but the display name. That is exactly what attackers exploit: the display name can say anything.

2. Urgency That Feels Like Panic

"Your account will be suspended in 24 hours." "Unauthorized login detected — act now." "Your payment failed — update immediately."

Every one of these is designed to override your critical thinking. Legitimate companies rarely threaten instant consequences via email. When I run phishing simulations for organizations, urgency-based lures consistently achieve the highest click rates — often above 25%.

3. Generic Greetings Instead of Your Name

"Dear Customer" or "Dear User" in an email from a company that definitely knows your name is a signal. Your bank, your employer, your SaaS vendor — they all have your name on file. A generic greeting often means the attacker is blasting thousands of emails from a stolen list.

That said, more sophisticated spear-phishing attacks will use your actual name, job title, and company. So a personalized greeting doesn't automatically make an email safe. It just means this one red flag is absent.

4. Links That Don't Point Where They Claim

This is the most dangerous element of any phishing email. Before you click any link, hover over it and read the preview. On mobile, long-press the link without releasing to see the destination. The previewed URL should match the expected destination exactly; a link whose visible text reads like the brand's address can point anywhere.

Watch for subtle tricks. Extra subdomains: in login.microsoft.com.attacker-site.com the registered domain is attacker-site.com, because the part you read from the right is the part that matters, and microsoft.com is just a label the attacker chose. URL shorteners (bit.ly, tinyurl) hide the destination entirely. Homograph attacks use internationalized domain names with characters from non-Latin alphabets that look identical to English letters; many clients reveal these as a label beginning with xn-- in the preview. If the link destination doesn't match the supposed sender, don't click.
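The hover check above can be automated for triage. The script below is an added example, not code from the original post: it pulls the host out of a link, decodes punycode so homographs become visible, folds digit and Cyrillic look-alikes, and compares the registered domain (read from the right) against the brand the email claims to be from. The shortener list, the confusable table and the two-label approximation of the registered domain are constructed for illustration; real tooling should use the Public Suffix List and the Unicode TR39 confusables data.

```python
"""Heuristic link inspection for the 'hover before you click' check.

Added example, not code from the original post. The shortener list, the
confusable table and the two-label approximation of the registrable domain
are assumptions for illustration; production code should use the Public
Suffix List and the Unicode TR39 confusables data.
"""
import unicodedata
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Digits and Cyrillic letters commonly substituted for Latin letters (partial table).
CONFUSABLES = {
    "1": "l", "0": "o", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def decode_idn(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so look-alikes are visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode (or malformed); inspect it as given


def skeleton(host: str) -> str:
    """Fold look-alike characters: 'paypa1.com' and Cyrillic 'pаypal.com' -> 'paypal.com'."""
    folded = unicodedata.normalize("NFKC", host.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def registrable_domain(host: str) -> str:
    """Last two labels, read from the right: the part an attacker actually registered."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_link(url: str, expected_domain: str) -> list[str]:
    """Return the red flags for a link that claims to belong to expected_domain."""
    flags = []
    parsed = urlparse(url)
    raw_host = (parsed.hostname or "").lower()
    host = decode_idn(raw_host)

    if parsed.scheme not in ("http", "https"):
        flags.append(f"unexpected scheme: {parsed.scheme or 'none'}")
    if parsed.username:
        # https://paypal.com@attacker.com/ : the brand sits in the userinfo, not the host
        flags.append("credentials in URL: text before '@' is not the destination")
    if not host:
        return flags + ["no host"]
    if host != raw_host or any(ord(ch) > 127 for ch in host):
        flags.append("internationalized host (possible homograph)")

    reg = registrable_domain(host)
    if reg in SHORTENERS:
        flags.append(f"URL shortener hides the destination: {reg}")
    elif reg != expected_domain:
        if f".{expected_domain}." in f".{host}.":
            # login.microsoft.com.attacker-site.com: brand used as a subdomain
            flags.append(f"brand domain embedded as a subdomain of {reg}")
        elif skeleton(reg) == expected_domain:
            flags.append(f"look-alike of {expected_domain}: {reg}")
        else:
            flags.append(f"host {reg} does not match {expected_domain}")
    return flags


if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin", "http://paypa1.com/verify",
                 "https://login.microsoft.com.attacker-site.com/auth"):
        print(link, "->", assess_link(link, "paypal.com" if "paypal" in link else "microsoft.com"))
```

A link that produces no flags is not proven safe; it just passes the same checks a careful reader would do by eye. The empty result for the genuine PayPal URL and the look-alike verdict for paypa1.com are the point: the check depends on reading the registered domain, not on whether the brand name appears somewhere in the URL.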

5. Unexpected Attachments

If you didn't request a document, invoice, or file, treat any attachment with suspicion. Malicious attachments remain a primary ransomware delivery mechanism. Common file types used in attacks include .html (the attachment itself builds a phishing page or drops a payload when opened in the browser), .zip and .iso containers used to slip executables past attachment filters, .doc and other Office files with macros, and .pdf files whose only payload is an embedded link.

In my experience, the most effective phishing campaigns combine urgency with an attachment — something like "Past due invoice attached — payment required by end of day." Your accounts payable team is especially vulnerable to this.

6. Spelling and Grammar Errors — But Not Always

This used to be the go-to indicator. Broken English, weird phrasing, obvious typos. In 2025, AI tools have largely eliminated this tell. Threat actors use large language models to generate flawless phishing copy in any language.

Still, errors do appear in less sophisticated campaigns. If you spot them, that's a strong signal. Just don't rely on perfect grammar as proof that an email is legitimate.

7. Requests for Credentials or Sensitive Data

No legitimate organization will ask you to reply to an email with your password, Social Security number, or credit card details. Period. If an email asks you to "verify your identity" by entering credentials on a linked page, that page is almost certainly a credential harvesting site.

Multi-factor authentication adds a critical layer of protection here. Even if you enter your password on a phishing page, MFA can stop the attacker from using it. But adversary-in-the-middle toolkits like EvilProxy sit between you and the real login page and relay your one-time code and the resulting session cookie in real time, so code-based MFA is not a guarantee. Phishing-resistant methods such as FIDO2/WebAuthn security keys bind the credential to the genuine site's origin, so they simply don't complete on a proxy's domain. Awareness is still essential either way.

8. The "From" and "Reply-To" Addresses Are Different

This is a subtle but powerful check. Most legitimate emails carry no Reply-To header at all, or one on the same domain as the From address. In a phishing email, the From address may be spoofed to look correct while the Reply-To quietly sends your answer to an attacker-controlled mailbox, which is exactly what a "reply with your details" lure needs. Most email clients let you inspect these headers with a few clicks (look for "show original" or "view message source"). One caveat: newsletter and ticketing systems do sometimes set a different Reply-To legitimately, so treat a mismatch as a strong signal in any message that asks you to reply, rather than as proof on its own.
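Red flags 1 and 8 are both answered by the same headers, so here is one added example (not code from the original post) that reads them programmatically: the visible From address and display name, the Reply-To, the envelope sender in Return-Path, and the SPF/DKIM/DMARC verdicts a receiving server records in Authentication-Results. SAMPLE is a constructed message, not a real capture; the addresses and domains in it are made up for illustration.

```python
"""Header checks for red flags 1 and 8: sender domain and Reply-To mismatch.

Added example, not code from the original post. SAMPLE is a constructed
message, not a real capture; its Authentication-Results line imitates what a
receiving mail server adds after evaluating SPF, DKIM and DMARC.
"""
import email
import re
from email.utils import parseaddr

SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=paypal.com
From: "PayPal Support" <service@paypal.com>
Reply-To: billing-desk@paypa1-secure.com
To: victim@example.com
Subject: Unauthorized login detected - act now
Content-Type: text/plain; charset=utf-8

Your account will be suspended in 24 hours. Reply with your password to verify.
"""


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def inspect_headers(raw: str, claimed_domain: str) -> dict:
    """Compare the visible From with Reply-To, the envelope sender and the DMARC verdict."""
    msg = email.message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = domain_of(from_addr)
    flags = []

    # Red flag 1: the address after the @ must be the brand's own domain.
    if from_domain != claimed_domain:
        flags.append(f"From domain {from_domain!r} is not {claimed_domain!r}")
    if "@" in display_name:
        # "service@paypal.com" <attacker@mail.example>: an address used as the display name
        flags.append("display name contains an email address; the real sender is in <...>")

    # Red flag 8: replies go somewhere other than the apparent sender.
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To domain {domain_of(reply_to)!r} differs from From domain")

    # The envelope sender (Return-Path) is what SPF checks; mailing services set it
    # to their own domain legitimately, so treat a mismatch as a signal, not proof.
    if return_path and domain_of(return_path) != from_domain:
        flags.append(f"Return-Path domain {domain_of(return_path)!r} differs from From domain")

    # DMARC is the verdict that binds the visible From domain; spf=pass alone proves
    # only that the relay was allowed to send for its own envelope domain.
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    if verdicts.get("dmarc") != "pass":
        flags.append(f"DMARC verdict for From domain: {verdicts.get('dmarc', 'missing')}")

    return {"display_name": display_name, "from": from_addr, "reply_to": reply_to,
            "verdicts": verdicts, "flags": flags}


if __name__ == "__main__":
    for flag in inspect_headers(SAMPLE, "paypal.com")["flags"]:
        print("-", flag)
```

The constructed message shows why "the From address looks right" is not enough: the From domain is the brand's own, yet the Reply-To points at a look-alike domain, the envelope sender is a third-party relay, and DMARC failed for the visible From domain. That last verdict is the one that matters, because an spf=pass on the relay's domain says nothing about whether paypal.com authorized the message.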

9. Too-Good-to-Be-True Offers

"You've won a $500 gift card." "Your tax refund of $3,247 is ready." "Claim your employee bonus here." These lures work because they trigger excitement, which is just as effective as fear at bypassing rational thought. If you weren't expecting a reward, assume it's a trap.

What Actually Happens When You Click

Understanding the kill chain makes the threat real. Here's the typical sequence I see in incident response.

Step 1: You click a link and land on a convincing login page — a pixel-perfect copy of Microsoft 365, Google Workspace, or your company portal.

Step 2: You enter your credentials. The page may even redirect you to the real site afterward so you don't suspect anything.

Step 3: Within minutes, the threat actor logs into your account. If you don't have multi-factor authentication enabled, they're in immediately.

Step 4: They set up email forwarding rules, harvest your contact list, and launch internal phishing attacks using your identity. Your colleagues trust emails from you.

Step 5: The attacker moves laterally — accessing shared drives, financial systems, or customer databases. If it's a ransomware operation, encryption begins within hours.
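Step 4 is where defenders usually get their first reliable signal, because the forwarding rules an attacker creates show up in the mailbox audit log. The following is an added example, not code from the original post, of detection logic run over constructed events. The records loosely follow the shape of Microsoft 365 unified audit log New-InboxRule and Set-InboxRule entries (an Operation, a UserId and a Parameters name/value list), but the field names, INTERNAL_DOMAINS and SUSPICIOUS_WORDS are assumptions for illustration, not a specification of the real log format.

```python
"""Detecting the step-4 persistence trick: inbox rules that forward or hide mail.

Added example, not code from the original post. EVENTS are constructed records
whose shape loosely follows Microsoft 365 unified audit log New-InboxRule and
Set-InboxRule entries; the field names, INTERNAL_DOMAINS and SUSPICIOUS_WORDS
are assumptions for illustration, not a specification of the real log format.
"""

INTERNAL_DOMAINS = {"example.com"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
SUSPICIOUS_WORDS = {"password", "invoice", "wire", "payment", "mfa", "security"}

EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@drop.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Vendor invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "RSS Feeds"},
                    {"Name": "RedirectTo", "Value": "c.personal@webmail.example.org"},
                    {"Name": "SubjectContainsWords", "Value": "password;wire;invoice"}]},
    {"Operation": "MailItemsAccessed", "UserId": "dave@example.com", "ClientIP": "198.51.100.9",
     "Parameters": []},
]


def params(event: dict) -> dict:
    """Flatten the name/value list into a plain dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def rule_findings(event: dict) -> list[str]:
    """Why this rule looks like attacker persistence; an empty list means benign."""
    p = params(event)
    findings = []
    for key in FORWARD_KEYS:
        if key in p:
            target_domain = p[key].rpartition("@")[2].lower()
            if target_domain not in INTERNAL_DOMAINS:
                findings.append(f"{key} sends mail to external domain {target_domain}")
    if p.get("DeleteMessage") == "True":
        findings.append("rule deletes matched mail (hides the attacker's traffic from the victim)")
    if not p.get("Name", "").strip(" .,-_"):
        findings.append("rule name is empty or punctuation only")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & SUSPICIOUS_WORDS:
        findings.append(f"filters on sensitive subjects: {sorted(words & SUSPICIOUS_WORDS)}")
    return findings


def detect_suspicious_rules(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (user, findings) for each rule creation or change that looks malicious."""
    hits = []
    for ev in events:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        findings = rule_findings(ev)
        if findings:
            hits.append((ev["UserId"], findings))
    return hits


if __name__ == "__main__":
    for user, findings in detect_suspicious_rules(EVENTS):
        print(user)
        for f in findings:
            print("  -", f)
```

Two design choices carry the weight here: forwarding to any domain outside the organization is treated as a finding on its own, and a rule that both forwards and deletes, or has a throwaway name like ".", is the classic pattern from compromised mailboxes. Bob's rule, which only files vendor invoices into a folder, produces no findings, which is what keeps a detection like this from drowning the security team in noise.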

This entire chain starts with one email. That's why learning how to spot phishing emails matters more than almost any other security skill you can develop.

The $4.88M Lesson Most Organizations Learn Too Late

Technical controls catch a lot. Email gateways, DMARC policies, endpoint detection — they're essential. But they don't catch everything. The Verizon DBIR consistently shows that the human element remains the top factor in breaches.

The organizations I've seen handle phishing best invest in two things: robust phishing awareness training for their teams and regular phishing simulations that test real-world scenarios, not obvious fakes. Simulations that are too easy teach employees nothing. Simulations that mirror actual threat actor tactics build genuine muscle memory.

CISA's guidance on recognizing and reporting phishing emphasizes reporting as a critical organizational behavior. Every reported phishing email is an opportunity for your security team to block the threat before someone else clicks.

Quick-Reference: Is This Email Phishing?

If someone searches "how to spot phishing emails," they probably want a fast answer. Here it is.

Check these nine things before clicking anything:

  • Does the sender's full email address match the claimed organization?
  • Is the email creating artificial urgency or fear?
  • Does it use a generic greeting instead of your name?
  • Do the links point to the expected domain when you hover?
  • Is there an unexpected attachment?
  • Are there spelling or grammar errors?
  • Does it ask for credentials, financial info, or personal data?
  • Do the "From" and "Reply-To" addresses match?
  • Does it offer something too good to be true?

If any answer raises doubt, don't click. Forward the email to your IT or security team and delete it.

Beyond the Inbox: Building a Zero Trust Mindset

Spotting phishing emails is a skill. But it's one layer of a broader security mindset — what the industry calls zero trust. Zero trust means you verify everything and trust nothing by default, whether it's an email, a login request, or an internal network connection.

Here's what that looks like in practice for everyday users:

  • Verify out-of-band. If your CEO emails asking for a wire transfer, call them on a known number. Don't reply to the email.
  • Enable MFA everywhere. Hardware security keys or authenticator apps — not SMS when you can avoid it.
  • Use a password manager. It won't autofill your credentials on a phishing domain because the URL won't match. This is an underappreciated anti-phishing tool.
  • Report, don't just delete. Your security team needs to see the threat to protect everyone else.

Building these habits across an entire workforce requires structured cybersecurity awareness training — not a once-a-year compliance checkbox, but ongoing education that adapts to the latest threat actor tactics.

What's Different About Phishing in 2025

Three trends are making phishing harder to detect this year.

AI-Generated Phishing at Scale

Threat actors are using generative AI to write phishing emails that are grammatically flawless, contextually relevant, and available in any language. The barrier to entry for sophisticated phishing campaigns has dropped to nearly zero. Research from multiple security vendors throughout 2024 and 2025 has shown a significant increase in AI-crafted phishing volume.

QR Code Phishing (Quishing)

Phishing emails now frequently embed QR codes instead of clickable links. An email security gateway that extracts URLs from text and HTML never sees a URL that lives inside an image, and while some gateways now decode QR codes, many still don't. When you scan the code with your phone, you're taken to a credential harvesting page on a personal device that is typically off the corporate network and has fewer security controls than your work laptop, where the same link would at least have passed through the mail filter.

Business Email Compromise Gets Smarter

BEC attacks — where an attacker impersonates an executive, vendor, or partner — caused over $2.9 billion in losses in 2023 according to the FBI IC3 report. These emails often contain no links and no attachments, just a convincing request from a trusted identity. They're nearly invisible to traditional email filters.

Your Next Step: Train Like the Threat Is Real

Because it is. Every inbox in your organization is an attack surface. Every employee who can't distinguish a phishing email from a legitimate one is a vulnerability that no firewall can patch.

I've seen organizations cut phishing click rates by over 80% within 12 months through consistent training and simulation programs. The key is making it realistic, frequent, and blame-free. People learn from mistakes — but only if they're given the chance to make them safely.

Start building that capability today with phishing simulation and awareness training designed for real-world threats, or explore the full cybersecurity awareness training curriculum to cover social engineering, ransomware prevention, credential security, and more.

The threat actors aren't waiting. Neither should you.