Welcome to the Phish Tour Nobody Asked For

In March 2024, MGM Resorts was still tallying the damage from a social engineering attack that started with a single phone call. The threat actor convinced a help desk employee to reset credentials. Total estimated cost: over $100 million. That attack didn't start with malware or a zero-day exploit. It started with a conversation — the same way most phishing attacks do.

Think of this article as your guided phish tour — a stop-by-stop walkthrough of the tactics, lures, and infrastructure that modern phishing operations use to compromise organizations just like yours. I've spent years analyzing these campaigns, running phishing simulations, and training teams to spot them. What I keep seeing is that most people dramatically underestimate how sophisticated these attacks have become.

If you're responsible for protecting an organization — or even just your own inbox — this tour will show you exactly what you're up against and what to do about it.

Stop 1: The Bait — How Phishing Emails Get Past Your Filters

The days of Nigerian prince emails are long gone. Today's phishing emails are grammatically polished, visually branded, and often sent from compromised legitimate accounts. According to the Verizon 2024 Data Breach Investigations Report, phishing and pretexting accounted for over 70% of social engineering incidents.

Here's what I see in real campaigns every week: emails that spoof Microsoft 365 login pages, fake DocuSign requests timed to coincide with actual business transactions, and HR-themed lures around open enrollment season. Threat actors study your organization's rhythms and exploit them.

Why Spam Filters Alone Won't Save You

Modern phishing kits use techniques like URL randomization, redirect chains through legitimate services (think Google AMP or Cloudflare Workers), and time-delayed payload delivery. The email passes inspection at delivery, but the link becomes malicious minutes later. Your secure email gateway sees a clean URL. Your employee sees a credential theft page.

This is why layered defense matters. Technical controls catch a percentage, but your people need to catch the rest. Enrolling your team in phishing awareness training designed for organizations closes the gap that filters can't cover.

Stop 2: The Hook — Credential Theft at Scale

The most common goal of a phishing campaign isn't to install malware. It's to steal credentials. Once a threat actor has a valid username and password, they don't need to hack anything — they just log in.

I've investigated incidents where attackers held harvested credentials for weeks before using them. They wait. They watch. They learn the organization's email patterns, then launch business email compromise (BEC) attacks from inside the network. The FBI's Internet Crime Complaint Center (IC3) reported that BEC losses exceeded $2.9 billion in 2023 alone — see the 2023 IC3 Annual Report.

What Happens After the Click

Here's the typical sequence on this phish tour stop: the employee clicks a link, lands on a pixel-perfect replica of their company's login portal, enters credentials, and gets redirected to the real site. They never know anything happened. Meanwhile, the attacker now has their session token, their password, and often enough information to bypass security questions.

Multi-factor authentication helps — significantly. But even MFA isn't bulletproof. Adversary-in-the-middle (AiTM) phishing kits like EvilProxy and Evilginx2 can intercept MFA tokens in real time. This is why a zero trust architecture that continuously validates sessions matters more than a single authentication checkpoint.
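To make the AiTM point concrete, here is an added example (not code from the article or from any of the kits named above) that models why a proxy can relay a TOTP code but not a FIDO2/WebAuthn assertion: the browser stamps the origin of the page the user is actually on into the signed client data, so an assertion produced on a lookalike domain fails the relying party's origin check. The origins, challenge and key are constructed, and an HMAC stands in for the credential's public-key signature.

```python
"""Why an AiTM proxy can relay a TOTP code but not a FIDO2/WebAuthn assertion.
Added example, not from the article: origins, challenge and key are constructed."""
import hashlib
import hmac
import json

RP_ORIGIN = "https://login.example.com"       # constructed: the real login portal
PROXY_ORIGIN = "https://login-example.com"    # constructed: AiTM lookalike in front of it
AUTHENTICATOR_KEY = b"constructed-demo-key"   # stands in for the credential's private key


def authenticator_sign(page_origin: str, challenge: str) -> tuple[bytes, bytes]:
    """Model of browser + authenticator: the browser stamps the page origin it is actually
    on into clientDataJSON, and the authenticator signs a hash of it (HMAC here stands
    in for the real public-key signature), so a proxy cannot edit the origin field."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    digest = hashlib.sha256(client_data).digest()
    return client_data, hmac.new(AUTHENTICATOR_KEY, digest, "sha256").digest()


def rp_verify_assertion(client_data: bytes, sig: bytes, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks on an assertion: ceremony type, challenge, origin, signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(data.get("origin"))
    digest = hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(sig, hmac.new(AUTHENTICATOR_KEY, digest, "sha256").digest()):
        return False, "bad signature"
    return True, "ok"


def totp_login_via_proxy(code_typed_on_proxy: str, code_expected_by_rp: str) -> bool:
    """A six-digit TOTP code or push approval carries no origin, so the proxy just
    forwards what the victim typed and the real portal accepts it."""
    return hmac.compare_digest(code_typed_on_proxy, code_expected_by_rp)


def fido_login(page_origin: str, challenge: str) -> tuple[bool, str]:
    """Victim on PROXY_ORIGIN: the assertion names the proxy's origin and the RP rejects it.
    Victim on RP_ORIGIN: same code path, accepted."""
    client_data, sig = authenticator_sign(page_origin, challenge)
    return rp_verify_assertion(client_data, sig, challenge)
```

The same origin binding is why the "zero trust" continuous checks on the session still matter: the assertion protects the login ceremony, not a session cookie stolen afterwards.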

Stop 3: The Infrastructure — Phishing-as-a-Service Is Booming

If you think phishing requires technical skill, I need to update your mental model. Phishing-as-a-service (PhaaS) platforms operate like SaaS businesses. They offer dashboards, campaign templates, hosting, and even customer support. Platforms like 16shop and BulletProofLink lowered the barrier to entry so dramatically that anyone with a credit card and criminal intent can launch sophisticated campaigns.

CISA has published multiple advisories on this evolution. Their cyber threats and advisories page is worth bookmarking if you want to stay current on emerging phishing infrastructure.

The Supply Chain of a Phishing Campaign

A modern phishing operation has distinct roles: the kit developer builds the tooling, the spammer distributes the emails, the hosting provider supplies bulletproof infrastructure, and the money mule network launders the proceeds. It's an organized supply chain. Understanding this helps you appreciate why phishing isn't going away — it's too profitable and too easy to scale.

What Exactly Is a Phish Tour?

A phish tour is a structured walkthrough of phishing attack methods, lures, and tactics used to educate security teams and employees about real-world threats. Unlike a single awareness email or a one-time training session, a phish tour takes participants through multiple attack scenarios — from initial bait to credential theft to post-compromise activity. Organizations use phish tours as part of ongoing security awareness programs to build recognition skills that actually stick.

Stop 4: The Target — Why Your Organization Is on the List

"We're too small to be targeted" is the most dangerous sentence in cybersecurity. Automated phishing campaigns don't discriminate by company size. They scrape email addresses from LinkedIn, data broker sites, and previous breaches. If your domain exists, you're on a list somewhere.

In my experience, small and mid-sized organizations actually face higher risk because they typically lack dedicated security operations teams. They rely on a single IT person who's also managing printers and VPN access. That's not a criticism — it's reality. And it's exactly why proactive training through a cybersecurity awareness training program becomes critical infrastructure for smaller teams.

The Human Factor Isn't a Weakness — It's an Attack Surface

Security professionals sometimes talk about humans as the "weakest link." I disagree. Humans are the most targeted link. There's a difference. Your employees aren't failing — they're being professionally deceived by people whose full-time job is manipulation. The fix isn't blame. The fix is realistic, repeated training and phishing simulation exercises that build pattern recognition over time.

Stop 5: The Defense — Building a Phishing-Resilient Organization

This is the practical part of our phish tour. Now that you've seen how the attacks work, here is what actually reduces risk:

  • Run regular phishing simulations. Not once a year. Monthly or quarterly. Vary the lures. Track who clicks and, more importantly, who reports. Organizations using structured phishing simulation and training programs see measurable improvement in detection rates within 90 days.
  • Deploy phishing-resistant MFA. FIDO2 security keys and passkeys are significantly harder to intercept than SMS codes or push notifications. If AiTM attacks concern you (they should), hardware-based MFA is the answer.
  • Implement zero trust principles. Never trust a session just because the initial authentication succeeded. Continuous validation, least-privilege access, and network segmentation limit blast radius when — not if — credentials get compromised.
  • Establish a reporting culture. Your employees should feel comfortable reporting suspicious emails without fear of looking foolish. Every reported phish is a data point your security team can use. Make reporting easy — a one-click button in the email client is standard practice now.
  • Keep training current. Phishing tactics evolve quarterly. Your training content should too. A comprehensive cybersecurity awareness curriculum covers not just email phishing but also smishing, vishing, QR code phishing (quishing), and social media-based attacks.
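The first bullet says to track who clicks and, more importantly, who reports. As an added example (not the article's own tooling or any particular simulation product), here is a small scorer over a constructed simulation event log that separates reporters who never clicked from those who clicked first and then reported, and flags who submitted credentials for follow-up. The campaign name, users and timestamps are all made up.

```python
"""Scoring a phishing simulation: who clicked, who reported, and who reported first.
Added example, not from the article; the event log below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed events: timestamp, campaign, user, action (sent|click|submit|report).
EVENT_LOG = """\
2024-05-01T09:00:00 q2-docusign alice sent
2024-05-01T09:00:00 q2-docusign bob sent
2024-05-01T09:00:00 q2-docusign carol sent
2024-05-01T09:00:00 q2-docusign dave sent
2024-05-01T09:03:10 q2-docusign alice report
2024-05-01T09:07:45 q2-docusign bob click
2024-05-01T09:08:20 q2-docusign bob submit
2024-05-01T09:12:00 q2-docusign carol click
2024-05-01T09:14:30 q2-docusign carol report
2024-05-01T09:40:00 q2-docusign bob report
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, campaign, user, action = line.split()
        events.append((datetime.fromisoformat(ts), campaign, user, action))
    return events


def score_campaign(events, campaign):
    first = defaultdict(dict)  # user -> action -> timestamp of first occurrence
    for ts, camp, user, action in sorted(events):
        if camp == campaign:
            first[user].setdefault(action, ts)
    sent = [u for u in first if "sent" in first[u]]
    if not sent:
        raise ValueError("no recipients recorded for campaign " + campaign)
    clicked = [u for u in sent if "click" in first[u]]
    submitted = [u for u in sent if "submit" in first[u]]
    reported = [u for u in sent if "report" in first[u]]
    # Reporting before (or without) clicking is the behaviour training aims for;
    # clicking and then reporting still limits dwell time and deserves credit, not blame.
    clean = [u for u in reported if u not in clicked or first[u]["report"] < first[u]["click"]]
    minutes = [(first[u]["report"] - first[u]["sent"]).total_seconds() / 60 for u in reported]
    return {
        "sent": len(sent),
        "click_rate": len(clicked) / len(sent),
        "submit_rate": len(submitted) / len(sent),
        "report_rate": len(reported) / len(sent),
        "reported_without_clicking": sorted(clean),
        "clicked_then_reported": sorted(u for u in reported if u not in clean),
        "median_minutes_to_report": median(minutes) if minutes else None,
        "needs_followup": sorted(submitted),  # entered credentials on the simulation page
    }
```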

The Ransomware Connection Most People Miss

Here's something I emphasize in every briefing: ransomware almost always starts with phishing. The initial access vector for the majority of ransomware incidents is a phishing email or stolen credential. By the time you're negotiating with a ransomware gang, you've already lost the phishing battle weeks or months earlier.

The Verizon DBIR consistently shows this pattern. Preventing phishing doesn't just protect against credential theft — it's your first line of defense against ransomware, data exfiltration, and full network compromise.

Your Phish Tour Doesn't End Here

The threat landscape in 2026 is more automated, more convincing, and more accessible to criminals than ever. AI-generated phishing content is making lures harder to distinguish from legitimate communications. Deepfake voice calls are augmenting traditional vishing attacks.

This phish tour gave you a look at the stops along a modern phishing attack chain — from bait to infrastructure to compromise. But knowledge without action is just trivia. Start running phishing simulations. Invest in ongoing security awareness training. Push for phishing-resistant MFA. Build a culture where reporting suspicious messages is rewarded, not ridiculed.

Your employees are your most targeted asset. Train them like it matters — because it does.