A Single Phishing Email Cost One Company $60 Million

In early 2025, Orion SA, a Luxembourg-based metals company, disclosed that a business email compromise (BEC) phishing attack had tricked employees into wiring approximately $60 million to attacker-controlled accounts. That's not a typo. One phishing campaign. Sixty million dollars. If you've been treating phishing news as background noise, this is the alarm that should snap you awake.

This post breaks down the most significant phishing developments in 2025, the tactics threat actors are using right now, and the specific steps your organization needs to take. I've spent years working in cybersecurity, and I can tell you: the phishing landscape in 2025 is fundamentally different from even two years ago. The attacks are faster, more personalized, and harder to detect. Here's what you need to know.

The Phishing News That Defined 2025

AI-Generated Phishing at Industrial Scale

The biggest story in phishing this year isn't a single breach — it's the weaponization of generative AI. Threat actors are using large language models to craft phishing emails that are grammatically flawless, contextually relevant, and nearly indistinguishable from legitimate business communication. The old advice of "look for spelling errors" is officially dead.

According to the FBI's IC3 2024 Annual Report, phishing remained the most reported cybercrime category, with over 193,000 complaints filed. That number only captures what gets reported — the real volume is orders of magnitude higher. In 2025, security vendors have reported a sharp increase in AI-crafted phishing campaigns targeting mid-market companies that lack sophisticated email filtering.

Microsoft 365 Credential Theft Hits Record Levels

If your organization runs Microsoft 365, you're a primary target. Throughout 2025, adversary-in-the-middle (AiTM) phishing kits like EvilProxy and Tycoon 2FA have been used extensively to bypass multi-factor authentication. These kits sit between the victim and the real Microsoft login page, capturing session tokens in real time.

The result? Even organizations with MFA enabled are getting breached. I've personally seen incident response cases this year where an attacker had full mailbox access within 90 seconds of the victim clicking a phishing link. Ninety seconds. That's not enough time for most security teams to even get an alert, let alone respond.

Quishing: QR Code Phishing Explodes

One of the more surprising trends in phishing news this year is the explosion of QR code phishing — dubbed "quishing." Attackers embed malicious QR codes in emails, PDF attachments, and even physical mailers. When scanned, the codes redirect to credential harvesting pages.

Why does this work so well? Most email security gateways don't scan QR code content. And when a user scans a QR code with their personal phone, the traffic bypasses the corporate network entirely — no proxy logs, no DNS filtering, no endpoint detection. It's a clean escape from your security stack.

Scattered Spider and the Rise of Helpdesk Social Engineering

The threat group Scattered Spider — responsible for the devastating 2023 MGM Resorts breach — continued its campaigns in 2024 and into 2025, targeting IT helpdesks with social engineering calls to reset credentials and enroll new MFA devices. CISA has repeatedly warned about these tactics, urging organizations to implement stricter identity verification for helpdesk interactions.

This isn't traditional email phishing, but it's the same playbook: manipulate a human into granting access. If your security awareness training only covers email, you're leaving the front door wide open.

What Is Phishing in 2025? It's Not What You Think

Phishing in 2025 is any attempt by a threat actor to manipulate a human into performing an action — clicking a link, scanning a QR code, calling a phone number, approving an MFA push, or wiring money. It arrives via email, SMS (smishing), voice calls (vishing), Teams messages, Slack DMs, LinkedIn InMail, and even physical mail.

The common denominator is social engineering. The attacker exploits trust, urgency, or authority to bypass technical controls by targeting the person. That's why phishing consistently accounts for the largest share of initial access vectors in data breaches. The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches — and phishing was the top action variety.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's Cost of a Data Breach Report 2024 pegged the global average cost of a data breach at $4.88 million. Phishing was the most common initial attack vector, and breaches caused by phishing took an average of 261 days to identify and contain. That's nearly nine months of an attacker living in your environment.

Here's what actually happens after a successful phishing attack in my experience:

  • Hour 1: Attacker captures credentials and session tokens. Gains mailbox access.
  • Hours 2-24: Attacker sets up inbox rules to hide their activity, reads email history, identifies high-value targets and financial processes.
  • Days 2-7: Attacker sends internal phishing emails from the compromised account to spread access laterally. Begins exfiltrating sensitive data.
  • Days 7-30: Attacker inserts themselves into financial conversations, redirects wire transfers, deploys ransomware, or sells access on dark web marketplaces.
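The "Hours 2-24" step above, where the attacker creates inbox rules to hide their activity, is usually the first artifact a defender can catch. As an added example that is not from the original post, here is a Python triage routine run over constructed records shaped like Microsoft 365 unified audit log New-InboxRule events; the sample addresses, the hiding-folder list and the keyword list are assumptions to tune for your own tenant.

```python
# Constructed records shaped like Microsoft 365 unified audit log
# "New-InboxRule" events (Parameters list as in the Exchange schema;
# every address, rule name and folder here is invented for this example).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "UserId": "ap@example.com", "Parameters": [
        {"Name": "Name", "Value": "fwd"},
        {"Name": "ForwardTo", "Value": "billing@attacker-example.net"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "FromAddressContainsWords", "Value": "news@example.com"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: your accepted domains
# Folders where parked mail is unlikely to be noticed by the mailbox owner.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "archive", "deleted items"}
SENSITIVE_WORDS = {"invoice", "wire", "payment", "bank", "password", "mfa"}

def assess_inbox_rule(event):
    """Return reasons this rule looks like post-compromise hiding; [] if benign."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: x["Value"] for x in event.get("Parameters", [])}
    reasons = []
    fwd = p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo")
    if fwd and fwd.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
        reasons.append(f"forwards to external address {fwd}")
    if p.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely-viewed folder '{p['MoveToFolder']}'")
    if not p.get("Name", "").strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    words = set(p.get("SubjectContainsWords", "").lower().replace(",", ";").split(";"))
    if words & SENSITIVE_WORDS:
        reasons.append("filters on financial or credential keywords")
    return reasons

def triage(events):
    """Map each user whose new rule raised at least one reason to those reasons."""
    return {ev["UserId"]: r for ev in events if (r := assess_inbox_rule(ev))}
```

Feed the same function the Set-InboxRule events too: attackers often modify an existing benign rule rather than create a new one.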

By the time your security team notices, the damage is done. Prevention — not just detection — has to be the priority.

Five Defenses That Actually Work Against Modern Phishing

1. Phishing Simulation That Mirrors Real Attacks

Outdated phishing simulations that use obvious "click here to win an iPad" templates teach employees nothing. Your simulations need to mirror the actual tactics threat actors use in 2025: AiTM credential harvests, QR code payloads, and impersonation of internal executives.

If you need a place to start, our phishing awareness training for organizations uses realistic, scenario-based simulations that actually change employee behavior. I've seen organizations cut their click rates by more than half within 90 days of implementing structured phishing simulation programs.

2. Phishing-Resistant MFA

Standard MFA — push notifications, SMS codes, TOTP apps — can be bypassed by AiTM kits. Phishing-resistant MFA uses hardware security keys (FIDO2/WebAuthn) or certificate-based authentication that cryptographically binds the authentication to the legitimate domain. Google mandated hardware security keys for all employees back in 2017 and reported zero successful phishing attacks on employee accounts afterward.

If you can't deploy hardware keys everywhere, start with your highest-risk users: executives, finance teams, IT administrators, and anyone with access to sensitive data or systems.

3. Conditional Access and Zero Trust Architecture

Zero trust isn't a product — it's an architecture. Every access request should be evaluated based on user identity, device health, location, and risk level. Conditional access policies in your identity provider can block logins from unmanaged devices, unfamiliar locations, or sessions that exhibit signs of token theft.

I've worked with organizations that reduced their phishing-related compromise rate by over 70% simply by implementing conditional access policies that required compliant devices for email access. No compliant device, no access. It's that straightforward.

4. Continuous Security Awareness Training

Annual compliance training doesn't stop phishing. Continuous, role-based training does. Your finance team needs training on BEC wire fraud scenarios. Your IT helpdesk needs training on social engineering calls. Your executives need training on whale phishing and deepfake impersonation.

Our cybersecurity awareness training program covers these exact scenarios with regularly updated content that reflects the current threat landscape. The key word is "current" — if your training material is more than six months old, it's already outdated given the pace of phishing innovation in 2025.

5. Email Authentication: DMARC, SPF, and DKIM at Enforcement

If your domain doesn't have DMARC set to "reject," attackers can spoof your domain to phish your customers, partners, and employees. I still see organizations in 2025 running DMARC in "none" mode — which means they're monitoring but not blocking anything. That's like having a security camera but no locks on the doors.

Implement SPF, DKIM, and DMARC at enforcement. Then monitor your DMARC reports for unauthorized senders. This won't stop all phishing, but it eliminates one of the easiest impersonation vectors.
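As an added example that is not part of the original post, here is a small Python checker that grades a domain's SPF and DMARC TXT records against the enforcement bar this section sets. The constructed WEAK_* records show a monitoring-only deployment and the STRONG_* records the enforcement-grade one; DNS lookup is left out, so you pass in the TXT strings yourself.

```python
def parse_tags(txt):
    """Split a 'k=v; k=v' DMARC-style record into a dict of lowercase tags."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out

def assess_dmarc(txt):
    """Return findings for a DMARC TXT record; an empty list means enforcement-grade."""
    t = parse_tags(txt)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = t.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    sub = t.get("sp", policy).lower()  # sp defaults to p when absent
    if sub != "reject":
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in t:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings

def assess_spf(txt):
    """Flag SPF records whose terminal qualifier lets unauthorized senders through."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    tail = terms[-1].lower()
    if tail in ("+all", "all", "?all"):  # bare 'all' means '+all'
        return [f"'{tail}' authorizes any sender"]
    if tail == "~all":
        return ["'~all' softfails only; pair it with DMARC p=reject so failures are acted on"]
    if tail != "-all":
        return ["no terminal 'all' mechanism; unlisted senders evaluate as neutral"]
    return []

# Constructed records: a monitoring-only deployment beside an enforcement-grade one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
```

Run it against every domain you own, including parked ones, since an unused domain with no DMARC record is just as spoofable as a busy one.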

Deepfake Voice and Video Phishing

In early 2024, a finance worker at Arup, the British engineering firm, was tricked into transferring $25 million after a video call with what appeared to be the company's CFO and other colleagues — all deepfakes generated in real time. This wasn't science fiction. It happened. And the technology has only gotten cheaper and more accessible since.

I expect deepfake-assisted vishing and video phishing to become a standard technique for high-value BEC attacks through the remainder of 2025. Your verification procedures for financial transactions need to account for the possibility that the person on the other end of a call isn't who they appear to be.

Supply Chain Phishing

Instead of phishing your organization directly, threat actors are compromising your vendors and suppliers, then using legitimate email accounts from those organizations to send phishing emails to your employees. These messages come from trusted domains, pass email authentication checks, and reference real ongoing projects. They're devastatingly effective.

Your security awareness program needs to teach employees that trust shouldn't be based solely on who sent the email. Even messages from known contacts can be malicious if that contact's account has been compromised.

Phishing-as-a-Service Platforms

The barrier to entry for phishing has collapsed. Platforms like Caffeine, Greatness, and other phishing-as-a-service (PhaaS) offerings provide turnkey phishing kits with AiTM capabilities, hosting, and even customer support. A technically unsophisticated criminal can now launch a credential harvesting campaign that bypasses MFA for a few hundred dollars a month.

This democratization of phishing means the volume and variety of attacks will only increase. Your defenses can't rely on the assumption that attackers are unsophisticated.

What Your Board Needs to Hear About Phishing Risk

If you're a security leader trying to get budget and attention for phishing defense, here's the business case in plain language:

  • Phishing is the #1 initial access vector for data breaches. Verizon's DBIR has confirmed this consistently.
  • The average breach costs $4.88 million. A structured phishing defense program costs a fraction of that.
  • Regulatory exposure is real. The FTC, SEC, and state attorneys general have all taken enforcement actions against organizations with inadequate security awareness programs. The FTC's actions against Drizly and CafePress specifically cited failures in employee security training.
  • Cyber insurance underwriters now require phishing simulation and security awareness training. If you can't demonstrate these controls, you'll pay higher premiums — or get denied coverage entirely.

Frame phishing defense as risk reduction and insurance compliance, not just IT housekeeping. That's the language that moves budgets.

Your Next Move

Every piece of phishing news in 2025 points to the same conclusion: technical controls alone aren't enough. Attackers are designing campaigns specifically to bypass your email gateway, your MFA, and your endpoint detection. The human layer is the last line of defense — and it's the one most organizations invest in the least.

Start with a realistic assessment of your current phishing exposure. Run a phishing simulation that mirrors actual 2025 attack techniques. Implement phishing-resistant MFA for your highest-risk users. Build a continuous training program that evolves with the threat landscape.

If you're looking for structured, up-to-date training that reflects the threats covered in this post, explore our phishing awareness training for organizations and our comprehensive cybersecurity awareness training. Both programs are built around the real-world attack patterns I see in incident response engagements every week.

The threat actors aren't waiting. Neither should you.