In January 2024, a finance worker at engineering firm Arup wired $25 million to criminals after joining a video call with what appeared to be the company's CFO and several colleagues. Every person on that call was a deepfake. The attack started with what every phishing scam starts with: a single deceptive message that looked legitimate enough to act on.

Phishing scams aren't a nuisance anymore. They're the primary entry point for the most devastating cyberattacks happening right now. According to the FBI's 2023 Internet Crime Report, phishing was the most reported cybercrime category with nearly 300,000 complaints — and those are just the ones people reported. The real number is vastly higher.

This post breaks down how phishing scams actually work in 2024, why your current defenses are probably insufficient, and what specific steps stop them. No theory. Just what I've seen work in practice across organizations of every size.

Why Phishing Scams Keep Getting Worse

Here's what frustrates me about the industry conversation around phishing: everyone knows it's a problem, and it keeps getting worse anyway. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, errors, or misuse. Phishing and pretexting dominate that category.

The economics explain everything. A threat actor can launch thousands of phishing emails for almost nothing. They only need one person to click. One set of stolen credentials opens the door to lateral movement, ransomware deployment, or a massive data breach.

And the messages have gotten disturbingly good. Gone are the days of obvious spelling errors and Nigerian prince schemes. Modern phishing scams use scraped LinkedIn data, spoofed domains that differ by one character, and AI-generated text that matches the tone of real executives. I've reviewed phishing emails during incident response engagements that I had to read three times before spotting the tells.

Business Email Compromise: The $2.9 Billion Problem

Business email compromise (BEC) is phishing's most profitable cousin. The FBI IC3 report tagged BEC losses at $2.9 billion in 2023 alone — making it the highest-loss cybercrime category by a wide margin. BEC works because it doesn't need malware. It just needs a convincing email from what looks like a trusted person, asking for a wire transfer or a change to payment details.

I've worked with companies that lost six figures in under an hour because a single accounts payable employee trusted an email that appeared to come from their CEO. No attachment. No link. Just a polite request to process an urgent payment. That's how sophisticated phishing scams have become.

The Anatomy of a Modern Phishing Attack

Understanding how phishing scams are constructed helps you spot them. Here's the typical kill chain I see in 2024:

  • Reconnaissance: The attacker researches your organization. They scrape employee names, roles, and reporting structures from LinkedIn, your website, and public filings.
  • Pretexting: They craft a believable scenario — a password reset, a DocuSign request, an invoice from a vendor you actually use.
  • Delivery: The phishing message arrives by email, SMS (smishing), or even Teams/Slack messages. It contains either a malicious link to a credential harvesting page or a weaponized attachment.
  • Credential theft: The victim enters their username and password on a fake login page. The attacker now has valid credentials.
  • Exploitation: With stolen credentials, the attacker accesses email, cloud storage, financial systems, or pivots deeper into the network. If multi-factor authentication isn't enabled, this step takes seconds.
  • Monetization: Data exfiltration, ransomware deployment, fraudulent wire transfers, or selling access on dark web marketplaces.

Every single step in that chain is a place where you can break the attack. The problem is that most organizations only defend at one or two of them.

What a Phishing Email Actually Looks Like Now

Let me describe a real-world example pattern I've encountered multiple times this year. The target receives an email that appears to come from Microsoft 365, complete with correct branding, a matching sender display name, and a subject line reading "Action Required: Unusual Sign-In Activity Detected."

The email contains a button labeled "Review Activity" that links to a page hosted on a legitimate cloud service — sometimes Azure Blob Storage, sometimes Google Sites. That page is a pixel-perfect replica of the Microsoft login screen. The URL doesn't say microsoft.com, but it doesn't say evil-hacker.ru either. It's something plausible like login-microsoftonline-verify.com.

The victim enters their credentials. The page even redirects them to the real Microsoft portal afterward, so they never realize anything happened. Meanwhile, the threat actor has their username, password, and — if they're running an adversary-in-the-middle (AitM) attack — their session token, which bypasses multi-factor authentication entirely.

This isn't hypothetical. AitM phishing toolkits like EvilProxy are widely available and actively used. CISA issued multiple advisories about these attacks in 2023 and 2024.

What Is the Most Effective Defense Against Phishing Scams?

The most effective defense against phishing scams is a layered approach combining security awareness training, phishing-resistant multi-factor authentication (like FIDO2/WebAuthn hardware keys), email filtering with advanced threat protection, and a zero trust architecture that limits what compromised credentials can access. No single technology stops phishing alone. You need humans and systems working together.

The $4.88M Lesson Most Businesses Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million — an all-time high. Phishing was one of the top initial attack vectors. And here's the number that should keep you up at night: organizations with low security awareness training had breach costs significantly higher than those with mature training programs.

I've seen this play out firsthand. Companies that treat security awareness as a once-a-year checkbox exercise get breached. Companies that run regular phishing simulations and build a genuine security culture catch attacks before they cause damage.

This is exactly why I recommend enrolling your team in phishing awareness training designed specifically for organizations. It's not about scaring people with horror stories. It's about building the reflexes that make employees pause before clicking, verify before trusting, and report before ignoring.

Training That Actually Changes Behavior

Most security awareness training fails because it's boring, generic, and disconnected from real threats. I've sat through enough death-by-PowerPoint compliance modules to know what doesn't work.

What does work:

  • Regular phishing simulations that mimic the actual attacks your employees will face. Not once a year — monthly, at minimum.
  • Immediate feedback when someone clicks a simulated phish. The teachable moment is right then, not three weeks later in a group meeting.
  • Role-specific training. Your finance team faces different phishing scams than your developers. Train accordingly.
  • Metrics and tracking. Measure click rates, reporting rates, and time-to-report. Improve continuously.

If you're looking for a comprehensive starting point, the cybersecurity awareness training program at computersecurity.us covers phishing, social engineering, credential protection, and more — structured for real-world application, not just compliance checkboxes.

Technical Controls That Actually Matter

Training is essential but not sufficient. You need technical controls that reduce exposure even when someone makes a mistake. Here's what I prioritize:

Phishing-Resistant MFA

Standard SMS or app-based multi-factor authentication is better than nothing, but AitM phishing kits bypass it routinely. Phishing-resistant MFA — specifically FIDO2 hardware keys or platform authenticators using WebAuthn — is the gold standard. Google reported zero successful phishing attacks against its 85,000+ employees after mandating hardware security keys. That was back in 2018, and the data has held up.

If you can't deploy hardware keys across your entire organization immediately, start with high-value targets: executives, finance, IT administrators, and anyone with access to sensitive data.

Email Authentication: DMARC, SPF, and DKIM

Properly configured DMARC, SPF, and DKIM records prevent attackers from spoofing your exact domain in phishing emails. This won't stop all phishing scams — attackers can use lookalike domains — but it closes a massive gap.

Check your DMARC policy right now. If it's set to "none," it's monitoring only and not blocking anything. Move it to "quarantine" or "reject" after verifying your legitimate email sources are properly authenticated.
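To make the DMARC check above concrete, here is an added Python example (not from the original post) that parses a DMARC TXT record and reports the gaps a defender should close: p=none, a partial pct= rollout, a weaker subdomain policy, or no aggregate-report address. The sample records and function names are constructed for this example.

```python
# Constructed sample TXT records in the DMARC (RFC 7489) tag=value format.
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial_rollout": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "not_dmarc": "v=spf1 include:_spf.example.com -all",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus findings that weaken it (empty list = enforcing)."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "findings": ["not a DMARC record (missing v=DMARC1)"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none is monitoring only; spoofed mail is still delivered")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # pct defaults to 100 when absent
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    sub_policy = tags.get("sp", policy).lower()  # sp= falls back to p= when absent
    if policy in ("quarantine", "reject") and sub_policy == "none":
        findings.append("sp=none: subdomains can still be spoofed freely")
    if "rua" not in tags:
        findings.append("no rua= address; you will receive no aggregate reports")
    return {"policy": policy or None, "findings": findings}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name}: p={result['policy']} -> {result['findings'] or 'enforcing, no findings'}")
```

In practice the record string comes from a TXT lookup of `_dmarc.<yourdomain>`; paste that value into `assess_dmarc` to get the same report.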

Zero Trust Architecture

Zero trust means no user or device is trusted by default, even inside your network. Every access request is verified based on identity, device health, location, and behavior. If a phishing attack compromises one employee's credentials, zero trust limits the blast radius dramatically.

This isn't a product you buy. It's an architectural approach. Start with conditional access policies in your identity provider: block logins from unmanaged devices, require MFA for every session, and flag impossible travel scenarios.
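To show what the "impossible travel" flag in a conditional access policy actually computes, here is an added Python example (not from the original post) that walks consecutive sign-ins per user and alerts when the implied speed between two geolocated logins exceeds what a flight could cover. The sign-in events and field names are constructed; resolving source IPs to coordinates is assumed to have happened upstream.

```python
import math
from datetime import datetime
from itertools import groupby

# Constructed sign-in events; lat/lon are assumed to come from a geo-IP lookup
# already applied to the source address. Field names are this example's own.
SIGN_INS = [
    {"user": "alice", "ts": "2024-03-04T09:02:11Z", "city": "Chicago",  "lat": 41.88, "lon": -87.63},
    {"user": "alice", "ts": "2024-03-04T09:47:30Z", "city": "Lagos",    "lat": 6.52,  "lon": 3.38},
    {"user": "bob",   "ts": "2024-03-04T08:15:00Z", "city": "London",   "lat": 51.51, "lon": -0.13},
    {"user": "bob",   "ts": "2024-03-04T17:40:00Z", "city": "New York", "lat": 40.71, "lon": -74.01},
]

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruising speed; tune for your own tolerance

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for each consecutive pair of
    sign-ins whose implied travel speed exceeds max_kmh."""
    alerts = []
    ordered = sorted(events, key=lambda e: (e["user"], e["ts"]))
    for user, group in groupby(ordered, key=lambda e: e["user"]):
        prev = None
        for ev in group:
            if prev is not None:
                t0 = datetime.fromisoformat(prev["ts"].replace("Z", "+00:00"))
                t1 = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
                # Clamp to one second so two sign-ins with the same timestamp don't divide by zero.
                hours = max((t1 - t0).total_seconds(), 1.0) / 3600
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                speed = km / hours
                if speed > max_kmh:
                    alerts.append((user, prev["city"], ev["city"], round(speed)))
            prev = ev
    return alerts

if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SIGN_INS):
        print(f"ALERT {user}: {src} -> {dst} implies {kmh} km/h")
```

Alice's Chicago-to-Lagos pair (about 9,600 km in 45 minutes) trips the check; Bob's London-to-New York pair (about 5,570 km in nine and a half hours) is a plausible flight and stays quiet.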

DNS Filtering and URL Sandboxing

Block known malicious domains at the DNS level and sandbox suspicious URLs before they reach inboxes. This catches a significant percentage of commodity phishing scams. It won't stop a targeted, zero-day phishing site, but it raises the cost and effort for attackers substantially.

What To Do When Someone Clicks

Even with strong defenses, someone will eventually click. Your incident response plan needs to account for this reality. Here's the playbook I recommend:

  • Immediate credential reset. The compromised user's password changes within minutes, not hours. Revoke all active sessions.
  • Check for mail forwarding rules. One of the first things attackers do after compromising an email account is set up hidden forwarding rules to maintain access. Check for them immediately.
  • Review recent account activity. Look at login locations, accessed files, and sent emails. Determine if the attacker moved laterally.
  • Notify potentially affected parties. If the compromised account sent phishing emails to others internally or externally, alert those recipients before they become the next victims.
  • Preserve evidence. Don't delete the phishing email or wipe the endpoint before your IR team has what they need for investigation.
  • Conduct a blameless post-mortem. If employees fear punishment for reporting phishing, they'll hide incidents. You want a culture where reporting is rewarded, not penalized.
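As an added example for the "check for mail forwarding rules" step above (not from the original post), here is a Python triage routine that scores exported mailbox rules on the traits that make a rule worth a second look: forwarding to an address outside the company domain, deleting or marking messages read to hide its effect, filtering on finance keywords, or carrying a blank or one-character name. The rule schema and sample rules are constructed for this example, not any mail provider's export format.

```python
# Constructed sample of one user's mailbox rules, in this example's own schema.
INTERNAL_DOMAIN = "example.com"

SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True, "forward_to": [],
     "move_to_folder": "Newsletters", "delete": False, "mark_read": False, "keywords": []},
    {"name": ".", "enabled": True, "forward_to": ["collector@mail-archive-test.invalid"],
     "move_to_folder": None, "delete": True, "mark_read": True,
     "keywords": ["invoice", "payment", "wire"]},
    {"name": "Team", "enabled": True, "forward_to": ["teammate@example.com"],
     "move_to_folder": None, "delete": False, "mark_read": False, "keywords": []},
]

# Folders users rarely open; attackers park forwarded or bounced mail here to hide it.
QUIET_FOLDERS = {"RSS Feeds", "Conversation History", "Deleted Items", "Archive"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}

def triage_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Score one mailbox rule; returns (score, reasons). Higher score = more suspicious."""
    reasons = []
    external = [addr for addr in rule["forward_to"]
                if addr.split("@")[-1].lower() != internal_domain.lower()]
    if external:
        reasons.append(f"forwards to external address(es): {', '.join(external)}")
    if rule["delete"]:
        reasons.append("deletes messages after processing (hides the rule's effect)")
    if rule["mark_read"]:
        reasons.append("marks messages as read (suppresses unread indicators)")
    if rule["move_to_folder"] in QUIET_FOLDERS:
        reasons.append(f"moves mail to a rarely checked folder: {rule['move_to_folder']}")
    hits = FINANCE_WORDS & {k.lower() for k in rule["keywords"]}
    if hits:
        reasons.append(f"filters on finance keywords: {', '.join(sorted(hits))}")
    if len(rule["name"].strip()) <= 1:  # heuristic: blank or single-character names stand out
        reasons.append("blank or single-character rule name")
    return len(reasons), reasons

def suspicious_rules(rules, threshold=2):
    """Return (score, name, reasons) for enabled rules at or above threshold, worst first."""
    flagged = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        score, reasons = triage_rule(rule)
        if score >= threshold:
            flagged.append((score, rule["name"], reasons))
    return sorted(flagged, reverse=True)

if __name__ == "__main__":
    for score, name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"[{score}] rule {name!r}: " + "; ".join(reasons))
```

An internal forward to a teammate scores zero here on purpose; the point is to surface the rules that combine several hiding or exfiltration traits, not to flag every forward.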

Several emerging patterns are making phishing scams harder to detect this year:

QR code phishing (quishing): Attackers embed malicious QR codes in emails, bypassing traditional link-scanning tools. The victim scans the code with their phone — which is often outside your corporate security controls — and lands on a credential harvesting site. I've seen a sharp increase in this technique targeting corporate environments.

AI-generated voice phishing (vishing): The Arup deepfake incident I mentioned at the top isn't an outlier. Voice cloning technology is accessible and cheap. Attackers are using it to impersonate executives on phone calls, requesting urgent wire transfers or credential information.

Multi-channel attacks: The initial phishing email is just the first touch. Attackers follow up with a phone call, a text message, or even a physical letter to build credibility. Each additional contact makes the scam more convincing.

Supply chain phishing: Instead of targeting your organization directly, threat actors compromise a vendor or partner and send phishing from their legitimate email accounts. Your email filters won't flag it because the sender domain is real and trusted.

Build the Reflex, Not Just the Filter

I've been in this industry long enough to know that no technology stack stops every phishing scam. The attack surface is too human, too dynamic, and too creative for any single tool to cover.

What works is layering. Technical controls catch the bulk. Training catches what slips through. Incident response limits the damage when something gets past both. And a zero trust posture ensures that a single compromised credential doesn't hand over the keys to your entire kingdom.

Start today. Run a phishing simulation. Check your DMARC record. Evaluate whether your MFA is actually phishing-resistant. Enroll your team in structured phishing awareness training that goes beyond annual compliance. And build a culture where the employee who reports a suspicious email is treated like the hero they are.

Phishing scams aren't going away. But the organizations that take them seriously — with real training, real technology, and real commitment — are the ones that don't end up in the next breach headline.