The Phishing Headlines Keep Getting Worse
In January 2024, a finance worker at engineering firm Arup wired $25 million to threat actors after a deepfake video call that impersonated the company's CFO. That single incident captures everything terrifying about the current phishing news cycle: attacks are smarter, faster, and far more damaging than even a year ago.
If you're trying to stay current on phishing threats — and you should be — this post is your briefing. I'll walk you through the biggest phishing stories of 2024, break down the tactics behind them, and give you concrete steps to protect your organization. No theory. Just what's actually happening and what actually works.
The Phishing News That Defined Early 2024
Microsoft Executive Accounts Compromised by Midnight Blizzard
In January 2024, Microsoft disclosed that the Russian state-sponsored group Midnight Blizzard (also known as Nobelium) had compromised email accounts belonging to senior Microsoft leadership. The attack vector? A password spray attack against a legacy test tenant that lacked multi-factor authentication.
Once inside, the threat actors pivoted to access corporate email accounts, including those of cybersecurity and legal staff. They were reading internal emails for weeks before detection. If Microsoft's own executive team can get caught, your organization is not immune.
The Arup Deepfake Wire Transfer
The Arup case I mentioned wasn't a crude Nigerian prince email. The attackers created a real-time deepfake video conference, impersonating multiple executives simultaneously. The finance employee saw familiar faces, heard familiar voices, and followed what appeared to be legitimate instructions.
This is social engineering at a level most security teams haven't prepared for. Traditional phishing simulation programs don't cover this. The $25 million loss proves that phishing has evolved well past suspicious email links.
Change Healthcare Ransomware Breach
In February 2024, the ALPHV/BlackCat ransomware group hit Change Healthcare, a subsidiary of UnitedHealth Group. The initial access? Stolen credentials — the classic output of a successful phishing campaign. The attack disrupted prescription processing for pharmacies across the United States for weeks.
UnitedHealth Group's CEO Andrew Witty confirmed during Congressional testimony in May 2024 that the compromised account did not have multi-factor authentication enabled. One set of stolen credentials led to what the AHA called the most significant cyberattack on the U.S. healthcare system in history.
What Is Driving the 2024 Phishing Surge?
The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the most-reported cybercrime in 2023, with nearly 300,000 complaints. The 2024 numbers will almost certainly be higher. Here's why the trend line keeps climbing.
AI-Generated Phishing Emails Have Eliminated Red Flags
Remember when you could spot a phishing email by its broken grammar? Those days are gone. Threat actors now use large language models to craft messages that are grammatically perfect, contextually relevant, and personalized to the target.
I've reviewed phishing emails in recent engagements that were indistinguishable from legitimate vendor communications. No misspellings. No awkward formatting. Perfect logo placement. The only giveaway was the sending domain — and even that was a convincing lookalike.
Phishing Kits Are Cheap and Sophisticated
Phishing-as-a-service platforms have matured dramatically. Kits like EvilProxy and Tycoon 2FA now offer adversary-in-the-middle capabilities that can intercept session tokens in real time, bypassing many forms of multi-factor authentication. These aren't custom tools built by nation-states. They're available on Telegram channels for a few hundred dollars a month.
Business Email Compromise Payouts Keep Climbing
The Verizon 2024 Data Breach Investigations Report found that the median loss for business email compromise (BEC) incidents is now approximately $50,000, with some cases reaching into the millions. The human element was involved in 68% of all breaches analyzed. Phishing and pretexting together dominate the social engineering category. You can review their findings at Verizon's 2024 DBIR page.
What Does the Latest Phishing News Mean for Your Organization?
Here's the blunt truth: every major breach in 2024's phishing news started with something simple. A clicked link. A stolen password. An MFA gap. The sophistication was in the setup, not in the exploit.
That means your defense has to start at the human layer. Technology alone won't stop an employee from authorizing a wire transfer on a deepfake video call. You need both technical controls and a workforce that knows what to look for.
What Is a Phishing Simulation and Why Does It Matter?
A phishing simulation sends realistic but harmless phishing emails to your employees to test their response. Employees who click receive immediate training. Over time, click rates drop and reporting rates rise. Organizations running regular phishing simulations see measurable improvement in their ability to catch real attacks. This is one of the most effective tools in a security awareness program, and it directly addresses the credential theft problem that enables most data breaches.
If you're looking for a structured phishing simulation program, our phishing awareness training for organizations provides exactly this — realistic scenarios tailored to current threat intelligence.
5 Actions That Actually Reduce Phishing Risk Right Now
1. Enforce Phishing-Resistant MFA Everywhere
The Change Healthcare breach happened because one account lacked MFA. Standard SMS or app-based MFA is better than nothing, but adversary-in-the-middle kits like EvilProxy can bypass it. FIDO2 hardware keys (YubiKeys, for example) are the gold standard right now.
CISA has published detailed guidance on implementing phishing-resistant MFA. Their recommendations are practical and vendor-neutral: CISA's MFA guidance.
2. Run Phishing Simulations Monthly, Not Quarterly
Quarterly simulations aren't frequent enough. Threat actors evolve tactics weekly. Monthly simulations keep security awareness top-of-mind and give you useful trend data. Vary the scenarios: credential harvesting pages, fake invoice attachments, QR code phishing (quishing), and executive impersonation.
3. Implement a Zero Trust Architecture
Zero trust assumes no user or device is trustworthy by default. Every access request gets verified. This limits the blast radius when a phishing attack succeeds. If an attacker steals credentials but can't move laterally, the damage stays contained.
NIST Special Publication 800-207 provides a solid framework for zero trust adoption: NIST SP 800-207.
4. Train Employees on Voice and Video Phishing
The Arup deepfake attack signals a shift. Your security awareness training must now cover vishing (voice phishing) and deepfake video calls. Teach employees to verify wire transfer requests through a separate, pre-established communication channel — never through the same channel the request arrived on.
Our cybersecurity awareness training program covers these emerging phishing vectors alongside traditional email-based threats. It's designed for real employees, not security professionals.
5. Deploy Email Authentication Protocols
DMARC, DKIM, and SPF remain underutilized. Properly configured, these protocols prevent attackers from spoofing your domain to target your customers, partners, and employees. Google and Yahoo began enforcing stricter DMARC requirements for bulk senders in February 2024. If you haven't configured these yet, you're both vulnerable and potentially non-compliant.
The Phishing Tactics to Watch for the Rest of 2024
QR Code Phishing Is Exploding
Quishing — phishing via QR codes — surged in late 2023 and has accelerated into 2024. Attackers embed malicious QR codes in emails, PDF attachments, and even physical mailers. The codes direct victims to credential harvesting sites. Traditional email security filters struggle to scan QR code payloads, making this a particularly dangerous vector.
Multi-Channel Phishing Attacks
I'm seeing more attacks that combine email, SMS, and voice calls in coordinated campaigns. An employee receives a legitimate-looking email, then gets a follow-up phone call from someone impersonating IT support. The phone call adds perceived legitimacy and pressures the target into acting fast. This layered approach defeats single-channel defenses.
Supply Chain Phishing
Attackers are compromising vendor email accounts and using them to send phishing emails to downstream customers. Because the emails come from legitimate, trusted domains, they bypass most security filters. The 2024 DBIR highlighted supply chain as a growing vector, with incidents involving third-party partners increasing significantly year over year.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's Cost of a Data Breach Report 2024, released in July, put the global average cost of a data breach at $4.88 million — the highest ever recorded. Phishing was identified as one of the most common initial attack vectors.
That number includes direct costs like forensics and legal fees, plus indirect costs like lost business and reputational damage. For small and mid-sized businesses, a single successful phishing attack can be existential.
I've worked with organizations that had solid firewall configurations, endpoint detection, and encrypted backups — but still got breached because an employee entered their credentials on a spoofed login page. The human layer is the most targeted and the least funded part of most security programs.
Your Phishing News Action Plan
Staying informed on phishing news is only useful if you act on what you learn. Here's what I'd do this week if I were in your shoes:
- Audit MFA coverage. Identify every account without phishing-resistant MFA enabled. Prioritize email, VPN, and cloud admin accounts.
- Schedule your next phishing simulation. Use current, realistic scenarios. Our organizational phishing awareness training can help you design and execute these.
- Brief your finance team. Wire transfer fraud through business email compromise is at an all-time high. Establish out-of-band verification protocols today.
- Review your DMARC policy. If it's set to "none," you're monitoring but not protecting. Move to "quarantine" or "reject."
- Invest in security awareness training that covers emerging threats, not just last year's playbook. Our cybersecurity awareness training stays updated with current phishing tactics and social engineering techniques.
The phishing landscape in 2024 is more dangerous than any year I've seen in two decades of security work. Threat actors are better funded, better tooled, and moving faster. But the organizations that train consistently, enforce strong authentication, and build a culture of skepticism are the ones that don't end up in the next round of phishing news headlines.
Don't wait for your own breach to take this seriously.