A Single Email Cost This Company $25 Million
In early 2024, a finance worker at engineering firm Arup was tricked into transferring $25 million after a deepfake video call that started with one phishing email. That's not a hypothetical. That happened. And it began the same way nearly every phishing attack begins — a carefully crafted message that looked completely legitimate.
This post is your phish tour — a guided, stage-by-stage walkthrough of how a modern phishing attack actually unfolds. Not theory. Not vague warnings. I'm going to show you exactly what a threat actor does, what the victim sees at each step, and where the kill chain can be broken. If you're responsible for protecting an organization or just want to understand why phishing remains one of the most common initial access vectors in 2024, this is the guide you need.
According to the 2024 Verizon Data Breach Investigations Report, phishing and pretexting together account for over 73% of social engineering breaches. That number has barely moved in three years. The attacks keep working because people don't understand how they work. Let's fix that.
What Is a Phish Tour? Understanding the Attack Lifecycle
A phish tour is a step-by-step examination of every phase in a phishing attack — from initial reconnaissance to data exfiltration. Think of it like a crime scene reconstruction. By walking through each stage, you see the decisions the attacker makes, the psychological levers they pull, and the technical mechanisms they exploit.
I use the term "phish tour" deliberately because it captures the journey. A phishing attack isn't a single event. It's a sequence. And defenders who only focus on the email itself miss most of the chain.
Here's the tour itinerary:
- Stop 1: Reconnaissance and target selection
- Stop 2: Crafting the lure
- Stop 3: Delivery and inbox placement
- Stop 4: The click — credential harvesting or payload delivery
- Stop 5: Post-compromise exploitation
- Stop 6: Lateral movement and data exfiltration
Let's walk each one.
Stop 1: Reconnaissance — They Already Know Your Name
Before a single email is drafted, the attacker does homework. LinkedIn profiles, company websites, press releases, court records, social media — it's all open-source intelligence (OSINT), and it's disturbingly effective.
I've run red team exercises where we identified the CFO, their assistant, the accounting software the company used, and the name of their external auditor — all in under 30 minutes. None of that required any hacking. It was all publicly available.
What Attackers Harvest
- Employee names, titles, and reporting structures
- Email address conventions (the first.last@company pattern, for example), which let an attacker guess the address of anyone whose name they know
- Vendors, partners, and software platforms in use
- Recent company events — mergers, layoffs, new hires
This reconnaissance makes the eventual phishing email feel personal and urgent. That's the entire point. Social engineering works because the message fits the context of the victim's work life.
Stop 2: Crafting the Lure — Psychology, Not Technology
The lure is where art meets manipulation. A skilled threat actor doesn't need a zero-day exploit. They need the right emotional trigger.
The most effective phishing emails exploit one of five psychological levers:
- Urgency: "Your account will be locked in 2 hours"
- Authority: "The CEO needs this wire transfer completed today"
- Fear: "Unusual login detected from Moscow"
- Curiosity: "Your performance review is attached"
- Reciprocity: "Here's the bonus information you requested"
In my experience, authority-based lures are the most dangerous inside organizations. When an email appears to come from the CEO or a senior VP, people skip their usual skepticism. They comply first, question later.
The Technical Details That Sell the Lie
Modern phishing kits are sophisticated. Attackers register lookalike domains — think "rnicrosoft.com" instead of "microsoft.com" — and send from infrastructure with valid SPF and DKIM records for that lookalike, so the message passes authentication. SPF and DKIM prove that a message came from the domain it claims, not that the domain is the one the reader thinks it is. They clone real login pages pixel-for-pixel. Some kits are reverse proxies that sit between the victim and the real site, relaying the password and one-time code to the genuine login as they are typed and capturing the session cookie the real service issues: the adversary-in-the-middle technique that defeats code-based multi-factor authentication.
The EvilProxy phishing-as-a-service platform, widely documented by researchers in 2023 and 2024, automates this entire process. An attacker with no coding skills can deploy a credential-harvesting campaign against Microsoft 365 users in minutes.
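Lookalike domains are the cheapest part of a kit, and also the part a defender can triage automatically. The following is an added example, not code from this post or from any phishing kit, of folding a sender or link domain to the string a human perceives and comparing it against a list of protected brands. The PROTECTED list, the confusable maps and the two-label registrable() heuristic are assumptions; a production version would use the Public Suffix List and a fuller confusables table.

```python
# Lookalike-domain triage: added example, not code from the post or from any kit.
# Assumptions: PROTECTED is the set of brands your org cares about; registrable()
# uses a two-label heuristic instead of the Public Suffix List.
import unicodedata  # noqa: F401  (kept for readers extending the confusable folding)

PROTECTED = ["microsoft.com", "microsoftonline.com", "office.com",
             "google.com", "paypal.com"]

# Visual substitutions seen in lookalike registrations. Single characters are
# folded first, then multi-character sequences such as "rn" -> "m".
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    # Cyrillic letters that render identically to Latin ones
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
CONFUSABLE_SEQS = {"rn": "m", "vv": "w"}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so IDN homoglyphs are compared as rendered."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not decodable: compare as given


def skeleton(domain: str) -> str:
    """Reduce a domain to the string a human would perceive."""
    d = to_unicode(domain.lower().strip("."))
    d = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in d)
    for seq, rep in CONFUSABLE_SEQS.items():
        d = d.replace(seq, rep)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Assumption: fine for .com-style TLDs; use the PSL in production."""
    return ".".join(domain.split(".")[-2:])


def classify(domain: str):
    """Return (verdict, brand) for a sender or link domain.

    legitimate      exact match or true subdomain of a protected domain
    homoglyph       identical to a brand after confusable folding
    typosquat       one edit away from a brand's registrable domain
    brand_embedded  brand appears inside some other registrable domain
    unknown         none of the above (not a verdict of "safe")
    """
    domain = domain.lower().strip(".")
    if domain in PROTECTED or any(domain.endswith("." + p) for p in PROTECTED):
        return ("legitimate", domain)
    sk = skeleton(domain)
    reg = registrable(sk)
    for brand in PROTECTED:
        if reg == brand:
            return ("homoglyph", brand)
        if levenshtein(reg, brand) <= 1:
            return ("typosquat", brand)
        if brand in sk or brand.split(".")[0] in reg:
            return ("brand_embedded", brand)
    return ("unknown", None)


if __name__ == "__main__":
    for d in ["rnicrosoft.com", "micros0ft.com", "micosoft.com",
              "microsoft.com.login-verify.net", "login.microsoft.com",
              "p\u0430ypal.com", "example.org"]:
        print(f"{d:35} {classify(d)}")
```

The exact-match check runs before any folding, so a real subdomain such as login.microsoft.com is never flagged; everything else is judged on its folded form. "unknown" means only that the domain does not resemble a protected brand, which is why the allowlist, not the verdict, is what you should be maintaining.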
Stop 3: Delivery — Getting Past the Gates
Email security tools catch a lot. But "a lot" isn't "all." According to CISA's threat advisories, phishing remains the most common initial access vector for ransomware incidents reported to federal agencies in 2024.
Attackers use several techniques to bypass secure email gateways:
- QR code phishing (quishing): Putting the malicious URL inside a QR code image, so there is no clickable link for the gateway to rewrite or scan, and the victim opens it on a personal phone outside the corporate controls
- HTML smuggling: Shipping the payload as encoded data (usually base64) inside an HTML attachment, along with a small script that decodes it and triggers a download once the file is opened in the browser, so the gateway never sees an executable attachment
- Legitimate service abuse: Hosting phishing pages on Google Docs, SharePoint, or Cloudflare Workers
- Thread hijacking: Compromising one mailbox and replying within existing email threads
Thread hijacking is particularly devastating. When a phishing link arrives in a reply to a conversation you're already having with a trusted colleague, your guard drops to nearly zero. I've seen phishing simulation click rates jump from 12% to over 45% when the simulated email appeared within an existing thread.
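HTML smuggling leaves fingerprints in the attachment itself, and they are cheap to check before the file reaches an inbox. The block below is an added example, not code from this post, that scores an HTML attachment on the JavaScript constructs a smuggler needs (decode, wrap in a Blob, hand it to the browser as a download) and sniffs any long base64 run for a file signature. Both sample attachments are constructed here; the "payload" is a zip magic number followed by zeros, not malware.

```python
# HTML-smuggling triage for an .html attachment: added example, not from the post.
# Samples are constructed; payloads are magic bytes plus zero padding.
import base64
import binascii
import re

# JavaScript constructs that together reconstruct and drop a file client-side.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "ms_save": re.compile(r"msSaveOrOpenBlob"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# The smuggled payload usually lives in one long base64 string literal.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")

MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"%PDF", "pdf"),
         (b"\x7fELF", "elf"), (b"\x89PNG", "png"), (b"\xff\xd8\xff", "jpeg")]


def sniff(raw: bytes) -> str:
    """File type from leading magic bytes."""
    for magic, kind in MAGIC:
        if raw.startswith(magic):
            return kind
    return "unknown"


def analyze_html(html: str) -> dict:
    """Verdict plus the evidence: which JS indicators fired and what the blobs decode to."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payload_types = []
    for run in B64_RUN.findall(html):
        try:
            payload_types.append(sniff(base64.b64decode(run, validate=True)))
        except binascii.Error:
            continue  # long alphanumeric run that is not valid base64
    decodes = "atob" in hits or "blob" in hits                       # payload rebuilt in memory
    drops = any(h in hits for h in ("object_url", "download_attr", "ms_save"))  # handed to the user as a file
    if decodes and drops:
        verdict = "html_smuggling"
    elif decodes or drops:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits, "payload_types": payload_types}


def _b64(prefix: bytes, total: int = 324) -> str:
    """Constructed payload: magic bytes padded to a multiple of 3 so no '=' padding appears."""
    return base64.b64encode(prefix + b"\x00" * (total - len(prefix))).decode()


ZIP_B64 = _b64(b"PK\x03\x04")
PNG_B64 = _b64(b"\x89PNG\r\n\x1a\n")

# Constructed: an "invoice" page that decodes a zip and auto-downloads it.
SAMPLE_SMUGGLED = """<html><body><p>Your invoice is loading...</p><script>
var payload = "__PAYLOAD__";
var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "Invoice_4471.zip"; a.click();
</script></body></html>""".replace("__PAYLOAD__", ZIP_B64)

# Constructed: a newsletter with an inline image, which also carries a long base64 run.
SAMPLE_BENIGN = ('<html><body><p>Weekly newsletter</p>'
                 '<img alt="logo" src="data:image/png;base64,' + PNG_B64 + '"></body></html>')

if __name__ == "__main__":
    print("smuggled:", analyze_html(SAMPLE_SMUGGLED))
    print("benign:  ", analyze_html(SAMPLE_BENIGN))
```

The benign newsletter also contains a long base64 run, which is why the verdict keys on the decode-plus-drop combination rather than on the presence of encoded data alone; the decoded file type is reported as evidence for the analyst, and a zip or PE behind atob() in an "invoice" is a much stronger signal than a PNG in an img tag.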
Stop 4: The Click — Where Credential Theft Happens
This is the moment most people picture when they hear "phishing." The victim clicks a link and lands on a page that looks exactly like their Microsoft 365, Google Workspace, or banking login.
They type their username. They type their password. They might even enter their MFA code. And every keystroke is captured by the attacker's server in real time.
What Happens in the Next 60 Seconds
Speed is everything on the attacker's side. With a reverse-proxy (adversary-in-the-middle) kit there is no separate "test the password later" step, because the proxy forwards each field to the real login page as the victim types it. Within a minute of the click:
- The real service has already accepted the username and password the proxy relayed
- If a one-time code was entered, it was relayed inside its 30-second window, so the attacker's session passed MFA too
- The session cookie the real service issued lands on the proxy, and the attacker imports it into their own browser: a fully authenticated session with no further prompt
- The victim is then redirected to the genuine site, where they are either already logged in or see a normal login page and assume the first attempt "didn't work"
Older credential-harvesting pages that only capture the password still exist; those are the ones where automated scripts replay the credentials against the real portal afterwards, and where app-based MFA still buys you time.
That seamless redirect is why most phishing victims never realize they've been compromised. There's no error message, no warning banner, no obvious sign. The phish tour continues — silently, on the attacker's terms.
Stop 5: Post-Compromise — The Real Damage Begins
Credential theft is just the door. What happens after the attacker walks through it is where organizations bleed.
With access to a corporate email account, a threat actor can:
- Set up mail forwarding rules to quietly copy all incoming email
- Search the mailbox for passwords, financial data, or sensitive attachments
- Impersonate the victim to send internal phishing emails to other employees
- Access connected cloud applications — SharePoint, OneDrive, Teams, Slack
- Initiate business email compromise (BEC) scams targeting finance teams
The FBI's 2023 Internet Crime Report shows BEC losses exceeded $2.9 billion that year alone. And nearly every BEC attack traces back to a compromised email account — which traces back to a phishing email.
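The first action in that list, a forwarding rule, is also the one that shows up most reliably in logs, because creating it is an audited mailbox operation. The block below is an added example, not code from this post, of triaging such events for the combinations that mark post-compromise persistence: forwarding to an external address, deleting or hiding the forwarded copy, and keyword filters on financial terms. The records are constructed here and mimic the shape of Exchange Online cmdlet-audit events in the Microsoft 365 Unified Audit Log (an Operation name plus a Parameters list of Name/Value pairs); INTERNAL_DOMAINS, the folder list and the keyword list are assumptions to adapt to your environment.

```python
# Inbox-rule and forwarding triage over audit records: added example, not from the post.
# Assumptions: INTERNAL_DOMAINS lists your mail domains; the folder and keyword
# lists are starting points. Records are constructed to resemble M365 UAL events.
import json
import re

INTERNAL_DOMAINS = {"example.com"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "password", "remittance", "ach"}
EMAIL_RX = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def external_addresses(value: str):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [a for a in EMAIL_RX.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def reasons_for(record: dict):
    """Human-readable reasons a rule/forwarding change looks like attacker persistence."""
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    for key in FORWARD_PARAMS:
        ext = external_addresses(params.get(key, ""))
        if ext:
            reasons.append(f"{key} -> external {', '.join(ext)}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage (owner never sees the copied mail)")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder {params['MoveToFolder']!r} (rarely viewed folder)")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead")
    words = (params.get("SubjectContainsWords", "") + " " + params.get("BodyContainsWords", "")).lower()
    matched = FINANCE_WORDS & set(re.findall(r"[a-z]+", words))
    if matched:
        reasons.append(f"keyword filter on {sorted(matched)}")
    name = params.get("Name", "").strip()
    if record["Operation"] in RULE_OPS and len(name) <= 2:
        reasons.append(f"blank or trivial rule name {name!r}")
    return reasons


def triage(records):
    """Alerts for rule or mailbox-forwarding changes worth an analyst's time."""
    alerts = []
    for line in records:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS | {"Set-Mailbox"}:
            continue
        reasons = reasons_for(rec)
        if reasons:  # one external forward is enough; combinations raise severity
            alerts.append({"user": rec["UserId"], "op": rec["Operation"], "ip": rec.get("ClientIP"),
                           "reasons": reasons, "severity": "high" if len(reasons) >= 2 else "medium"})
    return alerts


# Constructed sample records (one JSON object per line), not real audit data.
SAMPLE_RECORDS = [
    '{"CreationTime":"2024-05-14T08:02:11","Operation":"New-InboxRule","UserId":"j.doe@example.com",'
    '"ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"ForwardTo","Value":"collector.9921@gmail.com"},{"Name":"DeleteMessage","Value":"True"},'
    '{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"}]}',
    '{"CreationTime":"2024-05-14T09:15:40","Operation":"New-InboxRule","UserId":"a.smith@example.com",'
    '"ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Project Falcon"},'
    '{"Name":"MoveToFolder","Value":"Projects/Falcon"},{"Name":"SubjectContainsWords","Value":"Falcon weekly"}]}',
    '{"CreationTime":"2024-05-14T11:48:03","Operation":"Set-Mailbox","UserId":"admin@example.com",'
    '"ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"j.doe"},'
    '{"Name":"ForwardingSmtpAddress","Value":"smtp:collector.9921@gmail.com"},'
    '{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    '{"CreationTime":"2024-05-14T12:00:00","Operation":"MailItemsAccessed","UserId":"a.smith@example.com","Parameters":[]}',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(json.dumps(alert, indent=2))
```

Two details matter for tuning. Set-Mailbox forwarding is checked alongside inbox rules because an attacker with a compromised admin session sets it at the mailbox level, where the user never sees a rule at all; and the same ClientIP appearing on both the user's rule and the admin's change is the pivot an analyst should chase next.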
Stop 6: Lateral Movement and Ransomware Deployment
In sophisticated attacks, the compromised account is a launchpad. The attacker pivots to other systems, escalates privileges, and maps the network. In a zero trust architecture, each of those steps would hit a verification checkpoint. In a flat, trust-everything network — which still describes too many mid-sized organizations — the attacker moves freely.
This is where phishing intersects with ransomware. Groups like Cl0p, BlackCat/ALPHV, and LockBit have all used phishing as an initial access vector before deploying ransomware across entire environments. The 2023 MGM Resorts breach, which caused an estimated $100 million in losses, started with a social engineering call to the help desk — a close cousin of email phishing.
The phish tour ends here, at the worst possible destination: encrypted systems, stolen data, and a ransom note on every screen.
Breaking the Chain: Where Your Defenses Fit
The good news is that every stop on this phish tour is a potential intervention point. You don't need to be perfect at all of them — you need to be good at enough of them.
Technical Controls That Actually Matter
- Email authentication (SPF, DKIM, and DMARC with an enforcing policy): Stops attackers from sending mail that claims to be from your exact domain; it does nothing against a lookalike domain the attacker owns and authenticates correctly
- Phishing-resistant MFA: FIDO2/WebAuthn tokens resist adversary-in-the-middle attacks, unlike SMS or app-based codes
- Conditional access policies: Restrict logins by device compliance, location, and risk score
- Browser isolation: Renders suspicious URLs in a sandboxed environment
- Zero trust network architecture: Limits lateral movement even after compromise
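The difference between "app-based codes" and "phishing-resistant" in that list is worth seeing in code rather than taking on faith. The block below is an added example, not code from this post or any vendor, that replays the Stop 4 scenario twice: a TOTP code relayed through a proxy, which the real service accepts, and a WebAuthn-style assertion requested from a lookalike page, which fails twice over. HMAC stands in for the authenticator's ECDSA or Ed25519 signature (origin binding does not depend on the signature algorithm), the Browser class models the user agent's rpId check, and the domains are made up.

```python
# Relayed OTP vs relayed WebAuthn assertion: added example, not from the post.
# HMAC stands in for the authenticator's public-key signature; Browser models the
# user agent's rpId check; domains are constructed.
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def relayed_totp_succeeds(now: int = 1_700_000_000) -> bool:
    """Victim types the code into the proxy page; the proxy forwards it within the same window."""
    seed = b"12345678901234567890"            # shared secret from enrollment
    typed_on_phish_page = totp(seed, now)      # the code carries nothing about where it was typed
    return hmac.compare_digest(typed_on_phish_page, totp(seed, now + 5))  # real RP, 5 s later


class Authenticator:
    """One credential per relying party ID; the key never leaves the device."""
    def __init__(self):
        self.keys = {}

    def make_credential(self, rp_id: str) -> bytes:
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]               # RP stores this (public key in real WebAuthn)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # authenticatorData = rpIdHash | flags (UP) | signCount; signed together with hash(clientDataJSON)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.keys[rp_id], signed, hashlib.sha256).digest()


class Browser:
    """The user agent, not the page, writes the origin into clientDataJSON and checks rpId."""
    def __init__(self, authenticator: Authenticator, page_origin: str):
        self.authenticator, self.page_origin = authenticator, page_origin

    def credentials_get(self, rp_id: str, challenge: str):
        host = self.page_origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"rpId {rp_id!r} is not a registrable suffix of {host!r}")
        client_data_json = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                       "origin": self.page_origin}).encode()
        auth_data, sig = self.authenticator.get_assertion(rp_id, client_data_json)
        return auth_data, client_data_json, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str, credential_key: bytes):
        self.rp_id, self.origin, self.key = rp_id, origin, credential_key

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, challenge: str, auth_data: bytes, client_data_json: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:       # origin binding: a proxy's origin never matches
            return False
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(self.key, auth_data + hashlib.sha256(client_data_json).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def webauthn_scenarios() -> dict:
    rp_id, origin = "login.example.com", "https://login.example.com"
    phish_origin = "https://login.example.com.secure-verify.net"     # constructed lookalike
    auth = Authenticator()
    rp = RelyingParty(rp_id, origin, auth.make_credential(rp_id))
    results = {}

    # 1. Genuine login from the real origin.
    ch = rp.new_challenge()
    results["genuine"] = rp.verify(ch, *Browser(auth, origin).credentials_get(rp_id, ch))

    # 2. AiTM: the proxy fetches a real challenge and serves it from the lookalike page.
    ch = rp.new_challenge()
    try:
        Browser(auth, phish_origin).credentials_get(rp_id, ch)
        results["aitm_browser_check"] = "allowed"
    except PermissionError:
        results["aitm_browser_check"] = "refused"   # the authenticator is never even asked

    # 3. Defence in depth: an assertion made for the phishing origin (attacker uses its own
    #    rpId) is rejected by the real RP on origin and rpIdHash, even with a valid signature.
    auth.make_credential("secure-verify.net")
    forged = Browser(auth, phish_origin).credentials_get("secure-verify.net", ch)
    results["aitm_relayed_assertion"] = rp.verify(ch, *forged)
    return results


if __name__ == "__main__":
    print("relayed TOTP accepted:", relayed_totp_succeeds())
    print(webauthn_scenarios())
```

The TOTP code is accepted because nothing in it says where it was typed; the WebAuthn assertion is rejected because the browser, which the attacker's page cannot control, puts the page's real origin into the signed data and refuses to use a credential scoped to a domain the page does not belong to.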
The Human Layer — Your Last and Best Defense
Technical controls are necessary but not sufficient. Every breach report I've read in the last five years confirms the same thing: well-trained employees catch what technology misses.
Effective security awareness training teaches people to recognize the psychological triggers — urgency, authority, fear — before they click. It builds the reflex to verify through a second channel, to hover before clicking, to report suspicious messages without embarrassment.
If your organization hasn't invested in structured cybersecurity awareness training, you're leaving your most important defensive layer untrained. And if you aren't running regular phishing awareness training with realistic simulations, you're guessing about your risk instead of measuring it.
How Often Should You Run a Phish Tour Exercise?
Quarterly phishing simulations are the minimum. Monthly is better. Here's why: the 2024 Verizon DBIR found that the median time for a user to click a phishing link is under 60 seconds after opening the email. You're not fighting ignorance — you're fighting speed and habit. That takes repetition to overcome.
The best programs I've seen combine three elements:
- Baseline measurement: Run an initial phishing simulation before any training to establish click rates and reporting rates
- Targeted training: Deliver training immediately to people who click, focused on the specific technique that fooled them
- Progressive difficulty: Increase simulation sophistication over time — start with generic lures, escalate to spear-phishing scenarios
Organizations that run this cycle consistently see click rates drop from 25-35% to under 5% within 12 months. That's a measurable reduction in your data breach risk.
What Makes a Phishing Email Dangerous?
A phishing email is dangerous because it exploits human psychology rather than technical vulnerabilities. The most effective phishing emails combine a trusted-looking sender identity, a contextually relevant message, and an emotional trigger like urgency or authority to compel the recipient to click a link, open an attachment, or transfer funds. Modern phishing kits can clone login pages and relay credentials in real time, capturing one-time codes and the resulting session cookie, which makes even security-conscious users vulnerable without proper training and phishing-resistant authentication.
Your Organization's Phish Tour Starts Now
Every attack I've described in this post is happening right now, to organizations just like yours. The reconnaissance is running. The lures are being crafted. The phishing kits are deployed and waiting for clicks.
You have two options. Wait until a real phishing attack teaches your team an expensive lesson. Or take a proactive phish tour — educate your people, test their responses, and harden every link in the chain before an attacker finds the weak one.
Start with comprehensive cybersecurity awareness training that covers the full threat landscape. Then layer in dedicated phishing simulation and training to build the muscle memory that stops attacks at the click.
The tour is over. The work starts now.