The Phishing Email That Cost One Company $60 Million
In January 2024, a finance employee at the engineering firm Arup wired $25 million after attending a video call with what appeared to be the company's CFO and other colleagues. Every person on that call was a deepfake. That single incident captures what phishing scams look like in 2025 — they're no longer riddled with typos and Nigerian prince narratives. They're polished, AI-generated, and devastatingly effective.
This post breaks down which phishing tactics are actually landing in 2025, why your current defenses probably aren't enough, and the specific steps that reduce your organization's risk. If you're responsible for protecting people or data, this is the reality check you need right now.
The Numbers That Should Keep You Up at Night
The FBI's Internet Crime Complaint Center (IC3) reported that phishing and spoofing were the most-reported cybercrime type in 2023, with over 298,000 complaints. The 2023 IC3 Annual Report showed business email compromise (BEC) alone accounted for $2.9 billion in adjusted losses. And those numbers only reflect reported incidents — I've worked with organizations that never filed a complaint.
The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, errors, or misuse. Phishing remains the top initial access vector for threat actors. The median time for a user to fall for a phishing email? Less than 60 seconds, according to the same DBIR.
These aren't abstract numbers. They represent real companies — some of which no longer exist.
What Are Phishing Scams, Exactly?
Phishing scams are deceptive communications — usually emails, but increasingly texts, voice calls, and even video — designed to trick you into revealing credentials, transferring money, or installing malware. The attacker impersonates someone you trust: your bank, your boss, Microsoft, the IRS.
The goal is almost always one of three things: credential theft, financial fraud, or deploying ransomware. What makes phishing so persistent is that it targets the one vulnerability you can't fully patch — human judgment.
Five Phishing Tactics Dominating 2025
1. AI-Generated Spear Phishing at Scale
Threat actors now use large language models to craft hyper-personalized emails that reference real projects, real colleagues, and real deadlines. In my experience, these AI-generated messages bypass the gut-check that used to catch poorly written scams. They read like something your actual manager would send at 4:47 PM on a Friday.
The volume has exploded too. What used to require a dedicated attacker spending hours researching a target now takes seconds. Every employee in your org can receive a tailored, convincing phishing email simultaneously.
2. QR Code Phishing (Quishing)
QR codes embedded in emails and even physical mail have become a favorite delivery mechanism. The user scans a code that redirects to a credential harvesting page. Most email security gateways don't inspect QR code URLs the way they inspect hyperlinks. I've seen organizations with mature email filtering get caught flat-footed by this because their defenses simply weren't designed for it.
3. Multi-Factor Authentication Fatigue Attacks
Attackers who already have stolen credentials will bombard a target with MFA push notifications — sometimes dozens in a row — until the exhausted user hits "Approve" just to make it stop. The 2022 Uber breach used exactly this tactic. Multi-factor authentication is critical, but it's not bulletproof when the human behind it breaks under pressure.
4. Callback Phishing
The email doesn't contain a malicious link at all. Instead, it includes a phone number and an urgent reason to call — a fake invoice, a subscription renewal, a fraud alert. When the target calls, a live social engineering operator walks them through installing remote access software. No URL to scan. No attachment to detonate. Just a phone call and a convincing voice.
5. Business Email Compromise via Compromised Vendors
The most expensive phishing scams in 2025 don't spoof email addresses — they use real ones. A threat actor compromises a vendor's email account, monitors ongoing invoice threads, and then inserts updated wire transfer instructions at exactly the right moment. The email comes from a legitimate address, references a real transaction, and the only change is the bank account number. I've investigated cases where the victim organization did everything "right" except verify the banking change by phone.
Why Your Email Filter Isn't Saving You
Modern email security platforms catch a lot. Microsoft Defender for Office 365, Proofpoint, Mimecast — they're all significantly better than they were five years ago. But here's what I keep seeing in the field: organizations treat their email filter as a complete solution rather than a first layer.
Filters excel at catching known-bad indicators — blacklisted domains, malware signatures, URLs in threat intelligence feeds. They struggle with zero-day phishing pages, QR codes, legitimate-but-compromised sender accounts, and plain-text social engineering with no payload at all.
A zero trust approach to email means assuming that some phishing scams will reach inboxes. The question becomes: what happens next? That's where your people matter more than your technology.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was the most common initial attack vector. Organizations that had security awareness training and incident response testing in place consistently saw lower breach costs — sometimes by over a million dollars.
The math is simple. Training your workforce to recognize and report phishing scams costs a fraction of what a single successful breach will extract from your budget, reputation, and operational capacity.
If your organization hasn't implemented structured phishing awareness training for your team, you're operating on borrowed time. The threat actors aren't waiting for you to catch up.
Building a Human Firewall: What Actually Works
Step 1: Run Realistic Phishing Simulations
Monthly phishing simulations are the single most effective tool I've seen for reducing click rates. But they have to be realistic. Sending obviously fake "You've won a cruise!" emails and calling it training is a waste of everyone's time. Use simulations that mirror the actual tactics hitting your industry — BEC emails, fake MFA alerts, QR codes, callback scenarios.
Track metrics over time: click rate, report rate, and time-to-report. The goal isn't to punish people who click. It's to build the reflex to pause and verify.
Step 2: Teach the "Verify by Another Channel" Habit
The single behavior change that prevents more financial loss than any other: when someone asks you to do something involving money, credentials, or sensitive data, verify the request through a different communication channel. Got an email asking you to wire funds? Call the sender at a known number. Got a text from "IT" asking for your password? Walk to the help desk.
This one habit would have prevented nearly every BEC incident I've investigated.
Step 3: Deploy Layered Technical Controls
Security awareness doesn't replace technology — it complements it. Your stack should include:
- DMARC, DKIM, and SPF properly configured on all your domains
- Multi-factor authentication on every account — preferably phishing-resistant methods like FIDO2 keys, not just SMS or push
- Endpoint detection and response (EDR) to catch payloads that make it past email filters
- Web filtering that blocks newly registered domains used in credential harvesting
- A clearly marked external email banner so employees know when a message originated outside the organization
CISA's guidance on Shields Up provides additional hardening recommendations that are especially relevant for organizations in critical infrastructure sectors.
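As an added example (not from the original post), here is a small Python linter for the SPF and DMARC TXT records that step 3 calls for: it flags the weak settings (`+all`, a missing `all`, too many DNS lookups, `p=none`, partial `pct`, no `rua` reporting address) and is run against a weak and a hardened version of each record. All record strings and domains are constructed.

```python
# Added example, not from the original post: a linter for the SPF and DMARC TXT
# records that step 3 says must be "properly configured". Records are constructed.
import re

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def _mech_name(term: str) -> str:
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()  # '-all' -> 'all'

def lint_spf(record: str) -> list[str]:
    """Return weaknesses found in an SPF record (empty list means it looks sound)."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    findings = []
    all_terms = [t for t in terms if _mech_name(t) == "all"]
    if all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any host on the internet may send as this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result gives receivers nothing to act on")
    elif not any(_mech_name(t) == "redirect" for t in terms):
        findings.append("no 'all' mechanism: unlisted senders are never failed")
    lookups = sum(1 for t in terms if _mech_name(t) in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings

def lint_dmarc(record: str) -> list[str]:
    """Return weaknesses found in a DMARC record (empty list means it looks sound)."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p missing or p=none: not enforced, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports (who spoofs you) are lost")
    return findings

# Constructed sample records, a weak and a hardened version of each.
WEAK_SPF = "v=spf1 include:_spf.mailer.example +all"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
```

Feed it the TXT records you pull from DNS for each of your domains; an empty list from both functions is the baseline, and `p=reject` with a working `rua` address is what lets you see who is spoofing you.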
Step 4: Make Reporting Easy and Rewarded
Most organizations punish phishing clicks but ignore phishing reports. Flip that equation. Install a one-click report button in your email client. Publicly recognize employees who report suspicious messages. Build a culture where reporting a phishing attempt is treated like catching a shoplifter — not like admitting a mistake.
Organizations with high report rates catch active phishing campaigns faster, sometimes before a single credential is compromised.
Step 5: Invest in Ongoing Security Awareness Education
A one-time annual training video doesn't change behavior. Effective security awareness programs deliver short, frequent content — monthly at minimum. They cover current threats, not last year's tactics. And they test retention through simulations and assessments.
If you're building a program from scratch or refreshing a stale one, cybersecurity awareness training resources at computersecurity.us offer a structured starting point that covers phishing, social engineering, ransomware, and more.
How to Spot Phishing Scams: A Quick Reference
This section answers one of the most common search questions directly. Here's how to identify phishing scams in 2025:
- Urgency or fear: "Your account will be locked in 24 hours." Threat actors manufacture panic to short-circuit critical thinking.
- Unusual sender address: The display name says "Microsoft Support" but the underlying address is on a domain Microsoft doesn't own.
- Requests for credentials or payment changes: Legitimate organizations rarely ask for passwords via email. Wire transfer changes should always be verified by phone.
- Mismatched URLs: Hover over links before clicking. If the displayed text says "bankofamerica.com" but the actual URL points elsewhere, it's a phishing page.
- Unexpected attachments: Especially .zip, .html, or macro-enabled Office documents from contacts who don't normally send them.
- QR codes in emails: Treat any QR code in an email with extreme suspicion. Legitimate organizations almost never need you to scan a QR code from an email.
- Too-good-to-be-true offers: Refund notifications, prize winnings, or unexpected job offers are classic lures.
When in doubt, don't click, don't call the number in the message, and don't scan the code. Go directly to the organization's website by typing the URL yourself, or call a verified phone number.
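Added example, not from the original post: the same checklist as automated checks over a raw message. It flags urgency wording, a display name that claims a brand the sender domain doesn't belong to, link text whose host differs from where the href actually points, and risky attachment types. The sample message, the `BRANDS` map and every domain in it are constructed placeholders.

```python
# Added example, not from the original post: the checklist above as automated checks over
# a raw message. The message and every domain in it are constructed placeholders.
import email, email.policy, re
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = re.compile(r"within 24 hours|immediately|will be (?:locked|suspended)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_HOST = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
BRANDS = {"microsoft": "microsoft.com"}  # assumed: display-name brand -> its real domain

def host_of(text: str) -> str:
    return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()

def phishing_indicators(raw: str) -> list[str]:
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    name, addr = parseaddr(msg["From"])
    sender_host = addr.rsplit("@", 1)[-1].lower()
    for brand, real in BRANDS.items():  # "Microsoft Support" from a non-Microsoft domain
        if brand in name.lower() and sender_host != real and not sender_host.endswith("." + real):
            findings.append(f"display name '{name}' but sender domain {sender_host}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    if URGENCY.search(re.sub(r"<[^>]+>", " ", html)):
        findings.append("urgency language in body")
    for href, shown in ANCHOR.findall(html):  # link text claims one host, href goes elsewhere
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if LOOKS_LIKE_HOST.fullmatch(shown) and host_of(shown) != host_of(href):
            findings.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith((".zip", ".html", ".htm", ".docm", ".xlsm")):
            findings.append(f"risky attachment {fn}")
    return findings

SAMPLE = """\
From: Microsoft Support <alerts@account-verify.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your account will be locked within 24 hours. Review it at
<a href="http://login.account-verify.example/x">https://login.microsoftonline.com</a></p>
--b1
Content-Disposition: attachment; filename="invoice.html"

--b1--
"""
```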
What Happens After Someone Clicks
Even with the best training, someone will eventually click. Your incident response plan needs to account for this reality. Here's the playbook I recommend:
First 15 minutes: The employee reports the click immediately (because your culture rewards reporting). Your SOC or IT team isolates the affected endpoint and resets the user's credentials. If MFA was not in place, assume the account is compromised.
First hour: Check email rules on the compromised account — attackers often set up forwarding rules to maintain access. Review recent login activity for impossible travel or unfamiliar IPs. Scan the endpoint for malware.
First 24 hours: Notify potentially impacted parties. If credentials were harvested, check for lateral movement. If a data breach occurred, engage legal counsel and begin regulatory notification assessment.
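The first-hour checks (forwarding rules on the compromised mailbox, impossible travel in the sign-in log) as detection logic over constructed records, added here as an example that is not part of the original post. User names, IPs, domains and coordinates are made up, and the 900 km/h speed threshold is an assumption.

```python
# Added example, not part of the original post: the "first hour" checks (inbox
# forwarding rules, impossible travel) as detection logic over constructed records.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAINS = {"example.test"}                       # placeholder: your own mail domains
HIDE_FOLDERS = {"deleted items", "rss feeds", "archive"}  # rules that file mail here bury it

def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))  # great-circle distance in km

def impossible_travel(events, max_kmh=900):
    """Per user, flag consecutive sign-ins whose implied speed beats an airliner (900 km/h)."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for evs in by_user.values():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                hits.append((prev, cur, kmh))
    return hits

def suspicious_rules(rules, internal=INTERNAL_DOMAINS):
    """Flag mailbox rules that forward outside the org or hide mail from the user."""
    findings = []
    for r in rules:
        external = [a for a in r.get("forward_to", []) if a.rsplit("@", 1)[-1].lower() not in internal]
        if external:
            findings.append((r["name"], "forwards to external " + ", ".join(external)))
        if r.get("delete") or r.get("move_to", "").lower() in HIDE_FOLDERS:
            findings.append((r["name"], "deletes or hides matching mail"))
    return findings

# Constructed sign-ins (UTC): jdoe in Chicago, then Amsterdam 39 minutes later; asmith stays put.
SIGNINS = [
    {"user": "jdoe", "time": datetime(2025, 3, 3, 9, 2), "ip": "203.0.113.10", "lat": 41.88, "lon": -87.63},
    {"user": "jdoe", "time": datetime(2025, 3, 3, 9, 41), "ip": "198.51.100.7", "lat": 52.37, "lon": 4.90},
    {"user": "asmith", "time": datetime(2025, 3, 3, 8, 0), "ip": "203.0.113.11", "lat": 41.88, "lon": -87.63},
    {"user": "asmith", "time": datetime(2025, 3, 3, 17, 30), "ip": "203.0.113.11", "lat": 41.88, "lon": -87.63},
]
RULES = [  # constructed mailbox rules: one benign, one that forwards out and deletes the copy
    {"name": "Newsletters", "forward_to": [], "move_to": "Newsletters"},
    {"name": ".", "forward_to": ["drop@mail-relay.example"], "delete": True},
]
```

Run `impossible_travel(SIGNINS)` and `suspicious_rules(RULES)` against exports from your identity provider and mail platform; a hit on either is the cue to treat the account as compromised rather than waiting for the malware scan.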
The difference between a minor incident and a catastrophic breach often comes down to how fast your team responds. That speed is a direct function of preparation and training.
Phishing Scams Aren't Going Away — But You Can Get Ahead
Threat actors will keep refining their tactics because phishing works. It's cheap, scalable, and targets the hardest thing to secure — human behavior. The organizations that thrive aren't the ones with the biggest security budgets. They're the ones that build a culture where every employee understands they're part of the defense.
Start with an honest assessment. When was your last phishing simulation? How many of your employees could identify a callback phishing attempt? Does your executive team know what BEC looks like?
If the answers make you uncomfortable, that's useful information. Act on it. Implement regular phishing simulations, adopt phishing-resistant MFA, and invest in continuous security awareness education. The threat landscape in 2025 demands nothing less.