One Phishing Email Cost MGM Resorts $100 Million

In September 2023, a single social engineering phone call — preceded by a carefully crafted phishing email reconnaissance campaign — led to the breach that shut down MGM Resorts' operations across Las Vegas. Slot machines went dark. Hotel room keys stopped working. The estimated cost exceeded $100 million. The threat actors behind it? A loosely organized group called Scattered Spider, and most of them were under 25 years old.

That's the reality of a phishing email in 2025. It's not the laughable Nigerian prince scam from 2005. It's a precision weapon, and it's the single most common way attackers break into organizations of every size. According to the 2024 Verizon Data Breach Investigations Report, phishing and pretexting accounted for over 36% of all confirmed breaches. That number hasn't dropped this year — it's grown.

This post breaks down exactly what a modern phishing email looks like, why your employees still fall for them, and the specific steps I've seen actually reduce click rates by 80% or more. If you're responsible for protecting an organization — or just your own inbox — this is the guide that matters.

What a Phishing Email Actually Looks Like in 2025

Forget the typo-riddled messages from a decade ago. The phishing emails I analyze in incident response engagements today are nearly indistinguishable from legitimate communications. Threat actors use AI-assisted copywriting to match the tone, branding, and formatting of real vendors like Microsoft, DocuSign, and FedEx.

Here's what I'm seeing consistently this year:

  • QR code phishing (quishing): Emails contain a QR code instead of a clickable link. This bypasses most traditional email security gateways because there's no URL to scan. The user scans with their phone — which sits outside the corporate security perimeter — and enters credentials on a spoofed login page.
  • Thread hijacking: Attackers compromise one mailbox, then reply to real ongoing email threads with a malicious attachment or link. The recipient sees a message from a known contact, in an existing conversation, and trusts it immediately.
  • Multi-stage payloads: The first email contains nothing malicious. It builds rapport — a fake invoice inquiry, a meeting request. The second email, days later, delivers the credential theft link or ransomware dropper.
  • Business email compromise (BEC): These phishing emails impersonate a CEO, CFO, or vendor and request wire transfers or sensitive data. The FBI's IC3 reported BEC losses exceeding $2.9 billion in 2023 alone, making it the costliest cybercrime category by far.

Every one of these techniques exploits the same vulnerability: human trust. No firewall patches that.

Why Your Employees Still Click on Phishing Emails

I've run phishing simulations for organizations ranging from 50-person law firms to 10,000-employee healthcare systems. The baseline click rate on a well-crafted phishing simulation — before any training — averages between 25% and 35%. That means roughly one in three employees will click a malicious link or open a dangerous attachment.

Here's why, and it's not because your employees are careless.

Speed Kills Judgment

The average office worker receives 121 emails per day. They're triaging, not analyzing. A phishing email designed to look like a Zoom meeting invite or a SharePoint sharing notification gets processed in under two seconds. That's not enough time to notice the spoofed domain or the slightly off sender address.

Authority Bias Is Hardwired

When an email appears to come from the CEO or a senior partner with an urgent request, employees respond. Social engineering exploits this bias ruthlessly. The message creates urgency — "I need this handled before the board meeting" — and short-circuits the critical thinking that might catch the deception.

Training Gaps Are the Norm

Most organizations treat security awareness as an annual checkbox. A 30-minute video once a year does almost nothing to change behavior. I've reviewed the data across dozens of engagements: organizations that train once a year see less than a 5% reduction in phishing susceptibility. That's negligible.

What works is continuous reinforcement. Organizations using structured phishing awareness training that combines regular simulations with immediate feedback see click rates drop below 5% within six months.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was the most common initial attack vector. Let that sink in — the most expensive security incident your organization is likely to face probably starts with a single phishing email that one person clicks.

And the costs aren't just technical. They include regulatory fines, legal fees, customer notification, brand damage, and operational downtime. The FTC has increasingly pursued enforcement actions against companies that fail to implement reasonable security measures, including employee training. The FTC's case database is full of examples where inadequate security awareness programs contributed to enforcement actions.

Here's what actually drives the cost up: dwell time. When a phishing email leads to credential theft and nobody detects it, attackers sit inside your environment for an average of 194 days before discovery. Nearly seven months of access. That's enough time to exfiltrate everything, deploy ransomware, and compromise your backup systems.

What Is a Phishing Email? The Quick-Reference Answer

A phishing email is a fraudulent message designed to trick the recipient into revealing sensitive information, clicking a malicious link, downloading malware, or transferring money. It impersonates a trusted entity — a coworker, vendor, bank, or service provider — and uses urgency, authority, or curiosity to manipulate the target into acting without thinking. Phishing emails are the primary delivery mechanism for credential theft, ransomware, and business email compromise attacks.

Five Defenses That Actually Reduce Phishing Risk

I've tested dozens of approaches across real environments. Here are the five that consistently produce measurable results.

1. Deploy Multi-Factor Authentication Everywhere

MFA won't stop a phishing email from arriving, but it neutralizes the most common outcome: stolen credentials being used to access your systems. Even if an employee enters their password on a spoofed page, the attacker can't log in without the second factor. CISA considers MFA one of the most critical security controls any organization can implement.

Use phishing-resistant MFA — hardware security keys or passkeys — whenever possible. SMS-based MFA is better than nothing but vulnerable to SIM swapping attacks.

2. Run Continuous Phishing Simulations

Monthly phishing simulations with immediate, constructive feedback are the single most effective way to change employee behavior. Not annual. Not quarterly. Monthly. The key is making it educational, not punitive. When someone clicks a simulated phishing email, they should immediately see a brief explanation of what they missed and how to spot it next time.

This is exactly the model built into structured cybersecurity awareness training programs — regular exposure combined with real-time coaching that builds pattern recognition over time.

3. Implement a Zero Trust Architecture

Zero trust means no user or device is inherently trusted, regardless of their location on the network. Even if a phishing email leads to a compromised account, zero trust principles — least-privilege access, continuous verification, micro-segmentation — limit what the attacker can reach. The damage from one compromised mailbox doesn't have to become an enterprise-wide breach.

4. Enable Advanced Email Filtering with AI-Based Detection

Modern email security gateways use machine learning to analyze sender behavior, message content, embedded URLs, and attachment characteristics. They catch a lot — but not everything. I've seen well-crafted phishing emails sail past every major email security platform. That's why filtering is necessary but never sufficient on its own.

Configure your email platform to flag external emails with a visible banner. Implement DMARC, DKIM, and SPF records to reduce domain spoofing. These are table stakes in 2025.
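As an added example (not code from the original post), the checker below evaluates the SPF, DKIM and DMARC records a domain publishes and reports the weak settings that still leave it spoofable. The two domains, their DNS records and the selector name are constructed samples embedded in the script, so it runs offline; swapping `lookup_txt` for a real DNS query is left to the reader.

```python
"""Assess a domain's email-authentication records (SPF, DKIM, DMARC).
All records below are constructed samples; nothing is queried over the network."""

# Constructed TXT records for two hypothetical domains (not real lookups).
SAMPLE_DNS = {
    "weak.example": {
        "weak.example": ["v=spf1 include:_spf.example.net +all"],
        "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
        # no DKIM selector published at all
    },
    "hardened.example": {
        "hardened.example": ["v=spf1 include:_spf.example.net -all"],
        "_dmarc.hardened.example": [
            "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s"
        ],
        "sel1._domainkey.hardened.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq..."],
    },
}


def lookup_txt(domain, name, dns=SAMPLE_DNS):
    """Stand-in for a DNS TXT lookup; reads from the constructed table."""
    return dns.get(domain, {}).get(name, [])


def parse_tags(record):
    """Parse the 'k=v; k2=v2' tag lists used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; receivers cannot tell which hosts may send as this domain"]
    if len(spf) > 1:
        return ["SPF: multiple records; receivers treat this as a permanent error"]
    terms = spf[0].split()
    all_mech = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_mech is None:
        return ["SPF: no 'all' mechanism; unlisted senders get a neutral result"]
    if all_mech.startswith("+") or all_mech.lower() == "all":
        return ["SPF: '+all' authorizes every sender on the internet (no protection)"]
    if all_mech.startswith("~"):
        return ["SPF: '~all' is softfail only; move to '-all' once DMARC is enforced"]
    if all_mech.startswith("?"):
        return ["SPF: '?all' is neutral; unlisted senders are neither passed nor failed"]
    return []  # '-all': unlisted senders fail


def check_dkim(domain, selectors, dns):
    findings, published = [], 0
    for sel in selectors:
        for rec in lookup_txt(domain, f"{sel}._domainkey.{domain}", dns):
            tags = parse_tags(rec)
            if tags.get("v", "DKIM1").upper() != "DKIM1":
                continue
            if not tags.get("p"):  # empty p= means the key was revoked
                findings.append(f"DKIM: selector {sel} publishes an empty (revoked) key")
            else:
                published += 1
    if published == 0:
        findings.append("DKIM: no usable key published for the checked selectors")
    return findings


def check_dmarc(records):
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record; spoofed mail is neither rejected nor reported"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports look clean")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid 'p' tag; receivers ignore the record")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address; you receive no aggregate reports")
    return findings


def assess_domain(domain, selectors=("sel1",), dns=SAMPLE_DNS):
    """Return the list of weaknesses found; an empty list means all three pass."""
    findings = []
    findings += check_spf(lookup_txt(domain, domain, dns))
    findings += check_dkim(domain, selectors, dns)
    findings += check_dmarc(lookup_txt(domain, f"_dmarc.{domain}", dns))
    return findings


if __name__ == "__main__":
    for d in SAMPLE_DNS:
        print(d, assess_domain(d) or ["all checks pass"])
```

The weak domain trips five findings (an SPF `+all`, a monitor-only DMARC policy applied to half the mail with no reporting address, and no DKIM key), while the hardened one returns none; that difference is what "table stakes" looks like in DNS.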

5. Build a Reporting Culture, Not a Blame Culture

Your employees are your last line of defense. When they report a suspicious phishing email, that's a win — not an annoyance. Organizations that make reporting easy (a one-click "Report Phish" button in the email client) and reward reporters see dramatically higher reporting rates. I've watched organizations go from 2% reporting rates to over 60% within a year simply by celebrating reporters instead of shaming clickers.

The Anatomy of a Real Phishing Attack Chain

Let me walk you through a real-world attack chain I've seen repeated across multiple incidents this year, with details generalized to protect the organizations involved.

Step 1: An employee receives a phishing email that appears to be from Microsoft 365, warning that their password will expire in 24 hours. The email includes a button labeled "Update Password Now."

Step 2: The employee clicks the link and lands on a page that looks exactly like the Microsoft login portal. They enter their email and password. The page even forwards them to the real Microsoft site afterward, so they never suspect anything.

Step 3: The attacker now has valid credentials. They log into the employee's mailbox, set up an email forwarding rule to BCC all messages to an external address, and begin studying the organization's communication patterns.

Step 4: Two weeks later, the attacker uses the compromised account to send a phishing email to the finance department — from a trusted internal address, referencing a real vendor relationship — requesting a change to wire transfer banking details.

Step 5: Finance processes the change. The next payment — $387,000 — goes to an account controlled by the threat actor. By the time anyone notices, the money has been laundered through three countries.

Every step in this chain had a point where training, technology, or process could have stopped it. Multi-factor authentication at Step 2. Phishing awareness training at Step 1. A verification callback procedure at Step 4. Defense in depth isn't a buzzword — it's what prevents a single phishing email from becoming a six-figure loss.
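Step 3 of the chain above, the external forwarding rule, is the most detectable moment in the whole sequence, because it leaves an audit record the moment it is created. The script below is an added example, not code from the original post: it scans mailbox audit events for rules that forward or redirect mail outside the organization's domains and raises the severity when the rule also deletes the original message. The events, the field names and the set of internal domains are constructed assumptions, not any vendor's exact schema.

```python
"""Flag mailbox rule changes that forward mail outside the organization.
Events and field names below are constructed samples, not a vendor schema."""
from datetime import datetime

ORG_DOMAINS = {"example.com"}  # domains considered internal (assumed)

# Constructed audit events loosely modeled on mailbox rule audit records.
SAMPLE_EVENTS = [
    {"time": "2025-03-04T02:13:55Z", "user": "alice@example.com",
     "operation": "New-InboxRule",
     "params": {"Name": "Sync",
                "ForwardTo": ["smtp:archive.team@mail-relay.example.net"],
                "DeleteMessage": True}},
    {"time": "2025-03-04T09:20:10Z", "user": "bob@example.com",
     "operation": "New-InboxRule",
     "params": {"Name": "Team", "ForwardTo": ["carol@example.com"]}},
    {"time": "2025-03-04T11:02:41Z", "user": "dave@example.com",
     "operation": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:dave.personal@webmail.example.org"}},
    {"time": "2025-03-04T12:00:00Z", "user": "erin@example.com",
     "operation": "Set-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

# Parameters that carry a delivery destination in the assumed schema.
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def normalize(addr):
    """Lower-case and strip the 'smtp:' prefix some audit records carry."""
    addr = addr.strip().lower()
    return addr[5:] if addr.startswith("smtp:") else addr


def destinations(params):
    """Collect every forwarding/redirect address from a rule's parameters."""
    out = []
    for key in FORWARD_KEYS:
        value = params.get(key)
        if not value:
            continue
        values = value if isinstance(value, list) else [value]
        out.extend(normalize(v) for v in values)
    return out


def is_external(addr, org_domains=ORG_DOMAINS):
    return "@" in addr and addr.rsplit("@", 1)[1] not in org_domains


def find_suspicious_forwarding(events, org_domains=ORG_DOMAINS):
    """Return one alert per rule change that sends mail to an external address."""
    alerts = []
    for ev in events:
        if ev.get("operation") not in RULE_OPERATIONS:
            continue
        params = ev.get("params", {})
        external = [d for d in destinations(params) if is_external(d, org_domains)]
        if not external:
            continue
        reasons = ["forwards to external domain"]
        severity = "medium"
        if params.get("DeleteMessage"):  # victim never sees the forwarded copies
            reasons.append("deletes original message")
            severity = "high"
        hour = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").hour
        if hour < 6 or hour >= 22:  # outside assumed 06:00-22:00 UTC working hours
            reasons.append("created outside working hours")
            severity = "high"
        alerts.append({"time": ev["time"], "user": ev["user"],
                       "operation": ev["operation"], "destinations": external,
                       "severity": severity, "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_forwarding(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], alert["reason"], alert["destinations"])
```

On the constructed sample the rule created at 02:13 that forwards and deletes is rated high, the mailbox-level forward to a personal webmail domain is rated medium, and the two internal rules produce nothing. In practice the external-domain list needs the organization's legitimate partner domains added, or the alert will fire on every approved forward.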

Metrics That Matter: Tracking Your Phishing Defense

If you're running a security awareness program, you need to measure it. Here are the four metrics I track for every client:

  • Click rate: Percentage of employees who click simulated phishing emails. Target: under 5%.
  • Report rate: Percentage of employees who report the simulated phishing email. Target: over 50%.
  • Time to report: How quickly the first report comes in after a simulation is sent. Faster is better — under 5 minutes is excellent.
  • Repeat clickers: Employees who click on multiple simulations. These individuals need targeted one-on-one coaching, not just more videos.

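To make those four numbers reproducible rather than hand-tallied, here is an added example (not code from the original post) that computes click rate, report rate, time to first report and repeat clickers from a set of simulation campaigns and compares the latest campaign against the targets named above. The two campaigns and their results are constructed, and the record layout is an assumption rather than any simulation platform's export format.

```python
"""Compute phishing-simulation program metrics from constructed campaign results."""
from datetime import datetime

# Constructed results: each campaign lists the employees targeted and what they did.
CAMPAIGNS = [
    {"id": "2025-01", "sent": "2025-01-14T09:00:00", "results": {
        "alice": {"clicked": True,  "reported": None},
        "bob":   {"clicked": False, "reported": "2025-01-14T09:03:20"},
        "carol": {"clicked": False, "reported": None},
        "dave":  {"clicked": True,  "reported": "2025-01-14T09:41:00"},
    }},
    {"id": "2025-02", "sent": "2025-02-11T09:00:00", "results": {
        "alice": {"clicked": True,  "reported": None},
        "bob":   {"clicked": False, "reported": "2025-02-11T09:01:05"},
        "carol": {"clicked": False, "reported": "2025-02-11T09:08:30"},
        "dave":  {"clicked": False, "reported": "2025-02-11T09:02:00"},
    }},
]

# Targets from the post: under 5% clicks, over 50% reports, first report under 5 minutes.
TARGETS = {"click_rate": 5.0, "report_rate": 50.0, "time_to_report_s": 300}


def _ts(text):
    return datetime.fromisoformat(text)


def campaign_metrics(campaign):
    """Click rate, report rate (percent) and seconds to the first report."""
    results = campaign["results"]
    total = len(results)
    clicks = sum(1 for r in results.values() if r["clicked"])
    report_times = [_ts(r["reported"]) for r in results.values() if r["reported"]]
    sent = _ts(campaign["sent"])
    first_report = min((t - sent).total_seconds() for t in report_times) if report_times else None
    return {
        "id": campaign["id"],
        "click_rate": round(100.0 * clicks / total, 1),
        "report_rate": round(100.0 * len(report_times) / total, 1),
        "time_to_report_s": first_report,
    }


def repeat_clickers(campaigns, min_clicks=2):
    """Employees who clicked in at least min_clicks campaigns (coaching candidates)."""
    counts = {}
    for campaign in campaigns:
        for user, result in campaign["results"].items():
            if result["clicked"]:
                counts[user] = counts.get(user, 0) + 1
    return sorted(user for user, n in counts.items() if n >= min_clicks)


def program_report(campaigns):
    """Per-campaign metrics, repeat clickers, and whether the latest campaign meets targets."""
    per_campaign = [campaign_metrics(c) for c in campaigns]
    latest = per_campaign[-1]
    ttr = latest["time_to_report_s"]
    targets_met = {
        "click_rate": latest["click_rate"] <= TARGETS["click_rate"],
        "report_rate": latest["report_rate"] >= TARGETS["report_rate"],
        "time_to_report_s": ttr is not None and ttr <= TARGETS["time_to_report_s"],
    }
    return {"campaigns": per_campaign,
            "repeat_clickers": repeat_clickers(campaigns),
            "targets_met": targets_met}


if __name__ == "__main__":
    report = program_report(CAMPAIGNS)
    for m in report["campaigns"]:
        print(m)
    print("repeat clickers:", report["repeat_clickers"])
    print("targets met:", report["targets_met"])
```

On the constructed data the second campaign meets the report-rate and time-to-report targets but not the click-rate target, and alice surfaces as the one repeat clicker; that is the shape of answer the board question deserves.
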
Track these monthly. Present them to leadership. When the board asks "How prepared are we for phishing?" you should have a data-driven answer, not a vague assurance.

Your Next Move Against Phishing Email Threats

The threat landscape in 2025 is defined by speed, sophistication, and scale. AI-generated phishing emails are harder to detect. Attackers are faster at exploiting compromised credentials. And remote work has expanded the attack surface beyond anything most security teams planned for.

But the fundamentals haven't changed. The organizations that survive phishing attacks are the ones that train their people consistently, layer their technical defenses, verify before they trust, and treat every suspicious email as an opportunity to improve.

Start with what moves the needle fastest: get your team enrolled in a structured phishing awareness training program and supplement it with a comprehensive cybersecurity awareness training course that covers the full spectrum of social engineering threats. Then implement MFA, tighten your email filtering, and build the reporting culture that turns every employee into a sensor.

The next phishing email headed for your inbox is already written. The question is whether your organization is ready for it.