The Attack That Cost MGM Resorts $100 Million Started With a Phone Call
In September 2023, a threat actor called the MGM Resorts IT help desk, impersonated an employee they found on LinkedIn, and talked their way into a password reset. Within hours, the attackers had deployed ransomware across MGM's systems. The company disclosed approximately $100 million in losses. That's phishing — not some abstract concept from a textbook, but a weapon that dismantles real organizations in real time.
So what is phishing, exactly? It's a social engineering attack where someone impersonates a trusted entity to trick you into handing over credentials, clicking a malicious link, or transferring money. It's the single most common attack vector in cybersecurity. And if you're reading this because you Googled the question, I want to give you the most practical, no-nonsense answer you'll find — drawn from years of watching these attacks succeed and helping organizations fight back.
What Is Phishing? The Direct Answer
Phishing is a cyberattack that uses deception — typically via email, text message, phone call, or fake website — to manipulate a person into taking a harmful action. That action might be entering a password on a spoofed login page, opening a malware-laced attachment, or wiring funds to a fraudulent account.
The term comes from "fishing" — the attacker casts bait and waits for someone to bite. Unlike brute-force hacking, phishing doesn't exploit a software vulnerability. It exploits human psychology: trust, urgency, fear, and authority.
According to the Verizon 2024 Data Breach Investigations Report (DBIR), the human element was involved in 68% of breaches, with phishing and pretexting (social engineering) dominating as initial access vectors. That number has held steady for years, which tells you something important: we're not solving this problem with technology alone.
The Five Types of Phishing You'll Actually Encounter
Not all phishing looks the same. Here are the variants I see hitting inboxes and phones in 2025, ranked by how frequently they show up in incident reports.
1. Email Phishing (Mass Campaigns)
This is the classic. An attacker sends thousands or millions of emails that look like they're from Microsoft, Amazon, a bank, or a shipping company. The email contains a link to a credential-harvesting page or a malicious attachment. These campaigns rely on volume — even a 1% click rate across a million emails is 10,000 victims.
2. Spear Phishing
Spear phishing targets a specific individual or organization. The attacker researches the target — job title, colleagues' names, recent projects — and crafts a message that feels personal. The MGM attack started this way. So did the 2020 Twitter breach, where attackers spear-phished employees to gain access to internal admin tools and hijacked high-profile accounts.
3. Smishing (SMS Phishing)
Text message phishing has surged. You've probably received one: a fake package delivery alert, a bogus bank fraud warning, or a toll payment scam. The FBI's Internet Crime Complaint Center (IC3) has flagged growing complaints about smishing targeting mobile users, particularly through fake government agency messages.
4. Vishing (Voice Phishing)
Phone-based phishing is devastatingly effective because it adds real-time pressure. The attacker calls pretending to be IT support, a bank, or law enforcement. They create urgency — "your account is compromised right now" — and walk the victim through handing over credentials or installing remote access software. Generative AI voice cloning has made vishing significantly more dangerous in 2025.
5. Business Email Compromise (BEC)
BEC is phishing's most expensive variant. The attacker impersonates a CEO, CFO, or vendor and instructs someone in finance to wire money or change payment details. The FBI IC3's 2023 report documented BEC losses exceeding $2.9 billion — making it the costliest cybercrime category they track, far exceeding ransomware in raw dollar losses.
Why Phishing Works: The Psychology Behind the Click
I've run hundreds of phishing simulations across organizations of every size. Here's what I've learned: smart people click. Educated people click. Security-aware people click. Phishing doesn't succeed because victims are stupid. It succeeds because attackers are skilled at exploiting cognitive shortcuts.
Authority
An email that appears to come from your CEO or your IT department triggers an automatic compliance response. You don't question authority under pressure — that's hardwired.
Urgency
"Your account will be locked in 24 hours." "This invoice is past due." Urgency short-circuits critical thinking. Attackers know that a person who pauses for 10 seconds probably won't click. So they make sure you don't pause.
Familiarity
Phishing emails mimic brands and people you interact with daily. When an email looks exactly like every other Microsoft 365 notification you've received, your brain categorizes it as safe before you consciously evaluate it.
Fear
Tax-season IRS phishing campaigns. Fake legal threats. Account compromise warnings. Fear overrides logic. The attacker doesn't need you to think — they need you to react.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million — the highest ever recorded. Phishing was consistently one of the top initial attack vectors driving those costs.
But the financial hit is only part of the story. A successful phishing attack often leads to credential theft, which gives the attacker a foothold in your network. From there, they move laterally, escalate privileges, and deploy ransomware or exfiltrate data. The initial phish is just the door — what happens after is where the real damage occurs.
I've seen a single compromised email account lead to a full Active Directory takeover in under 48 hours. The employee had reused their password across systems. No multi-factor authentication was in place. The attacker pivoted from email to VPN to domain admin without triggering a single alert.
That's not a hypothetical. That's a Tuesday.
How to Recognize a Phishing Attempt
Here are the red flags I train people to spot. None of them are foolproof on their own, but together they form a reliable detection pattern.
- Sender address doesn't match the display name. The email says "Microsoft Support" but the actual sender address is on a domain that has nothing to do with Microsoft.
- Unexpected urgency. Legitimate organizations rarely threaten account closure within hours via email.
- Generic greetings. "Dear Customer" or "Dear User" instead of your actual name — though spear phishing often uses your real name.
- Suspicious links. Hover before you click. If the URL doesn't match the expected domain, don't touch it.
- Attachments you didn't request. Especially .zip, .exe, .html, or macro-enabled Office documents.
- Requests for credentials or payment changes. Any email asking you to enter a password or update banking details should be verified through a separate channel.
Train your employees on these indicators through regular phishing awareness training that includes simulated attacks. Simulations build muscle memory — which matters far more than a once-a-year slide deck.
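The red flags above are exactly the kind of checks a mail-security tool or a SOC triage script automates. The following is an added example, not code from the original article: a small Python scorer, using only the standard library, that parses one raw message and reports each indicator it finds (display name vs. sender domain, a Reply-To that points elsewhere, urgency phrases, a generic greeting, link text that shows one host while the href goes to another, risky attachment types, and credential or payment requests). The brand-to-domain table, the phrase lists and the sample message are constructed for the demonstration; every domain in the sample uses the reserved .example TLD.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed, illustrative table: brands attackers like to impersonate and the
# domains their legitimate mail comes from. A real tool would load a much longer
# list from configuration.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com",),
    "amazon": ("amazon.com",),
}
URGENCY_PHRASES = ("within 24 hours", "immediately", "account will be locked",
                   "past due", "suspended")
CREDENTIAL_PHRASES = ("verify your password", "enter your password",
                      "update your banking", "confirm your credentials")
RISKY_EXTENSIONS = (".zip", ".exe", ".html", ".htm", ".docm", ".xlsm", ".js", ".iso")


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _same_site(host, base):
    return host == base or host.endswith("." + base)


def phishing_indicators(raw_email):
    """Return a list of human-readable red flags found in one RFC 5322 message."""
    msg = message_from_string(raw_email, policy=default)
    findings = []

    # 1. Display name claims a brand, but the address is on an unrelated domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(_same_site(from_domain, d) for d in legit):
            findings.append(f"display name '{name}' but sender domain '{from_domain}'")
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from sender domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = (msg.get("Subject", "") + " " + text).lower()

    # 2. Urgency language and 3. a generic greeting.
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if re.search(r"dear (customer|user|member)", lowered):
        findings.append("generic greeting")

    # 4. Link text that shows one host while the href points at another.
    for href, label in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s<]+)", label)
        if shown:
            shown_host = shown.group(1).lower()
            if not (_same_site(href_host, shown_host) or _same_site(shown_host, href_host)):
                findings.append(f"link text shows '{shown_host}' but points to '{href_host}'")

    # 5. Attachments of risky types.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment '{filename}'")

    # 6. Asks for credentials or a payment-detail change.
    if any(p in lowered for p in CREDENTIAL_PHRASES):
        findings.append("requests credentials or a payment change")
    return findings


# Constructed sample message that trips every check above.
SAMPLE_PHISH = """\
From: Microsoft Support <alerts@microsoft-account-verify.example>
Reply-To: help@mailer.example
To: jane@corp.example
Subject: Action required: your account will be locked within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Unusual sign-in detected. Verify your password immediately at
<a href="https://login.microsoft-account-verify.example/">https://login.microsoft.com</a>
or your account will be locked.</p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_PHISH):
        print("-", finding)
```

None of these checks is conclusive alone, which is the article's point: the scorer returns the whole list so a triage rule can act on the combination (for example, a brand mismatch plus a credential request) rather than on any single hit.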
How to Defend Against Phishing: Practical Steps That Actually Work
I'm going to skip the generic advice and give you the specific controls that move the needle, based on what I've seen work across real organizations.
Deploy Multi-Factor Authentication Everywhere
MFA is the single most effective control against credential theft from phishing. Even if an employee enters their password on a fake login page, the attacker can't use it without the second factor. CISA calls MFA one of the most important cybersecurity practices, and they're right. Prioritize phishing-resistant MFA (FIDO2 security keys or passkeys) over SMS-based codes, which are vulnerable to SIM-swapping.
Implement Email Authentication Protocols
Configure SPF, DKIM, and DMARC for your domain. These protocols make it harder for attackers to spoof your email address and reduce the volume of phishing that reaches your employees' inboxes. DMARC with a policy of "reject" is the goal — anything less gives you visibility without protection.
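The difference between "visibility" and "protection" is visible in the records themselves. As an added example (not from the original article), here is a Python checker that parses an SPF TXT record and a DMARC TXT record and reports the weak settings: an SPF record ending in `?all` or `+all`, and a DMARC record with `p=none`, `p=quarantine`, a `pct` below 100, an unenforced `sp` for subdomains, or no `rua` reporting address. The tag names follow RFC 7208 (SPF) and RFC 7489 (DMARC); the sample records are constructed, using `.example` domains, and show a monitoring-only setup beside the enforced one.

```python
def parse_dmarc_tags(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return {'enforced': bool, 'findings': [...]} for one DMARC TXT record."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"enforced": False, "findings": ["not a DMARC record: missing v=DMARC1"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    elif policy != "reject":
        findings.append(f"missing or unknown policy p={policy!r}")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility")
    enforced = policy == "reject" and pct == 100 and subdomain_policy == "reject"
    return {"enforced": enforced, "findings": findings}


def assess_spf(record):
    """Return a list of weaknesses in one SPF TXT record (empty list if strict)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ["+all: every host on the internet passes SPF for this domain"]
    if last == "?all":
        return ["?all: neutral result, which gives no protection"]
    if last == "~all":
        return ["~all: softfail; DMARC treats it as not-pass, but -all is stricter"]
    if last != "-all":
        return ["no trailing 'all' mechanism: unlisted senders get a neutral result"]
    return []


# Constructed sample records: the weak pair gives reports but blocks nothing,
# the strong pair is what the article calls the goal.
WEAK_SPF = "v=spf1 include:_spf.mailer.example ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@corp.example")

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", assess_spf(spf) or "ok")
        print(label, "DMARC:", assess_dmarc(dmarc))
```

Point the functions at the TXT records you fetch for `yourdomain` and `_dmarc.yourdomain` and the output tells you whether you are at "reject" or still only watching.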
Run Continuous Phishing Simulations
One-time training doesn't work. People forget. Threats evolve. Regular phishing simulations — monthly or quarterly — keep security awareness sharp and give you data on who needs additional coaching. The organizations I work with that run consistent simulations see click rates drop from 25-30% to under 5% within a year.
Adopt Zero Trust Architecture
Zero trust assumes the network is already compromised. Every access request is verified, regardless of whether it comes from inside or outside the network. This limits the blast radius when a phishing attack does succeed. You can't prevent every click, but you can prevent a single click from becoming a full breach.
Build a Security-Aware Culture
Technology handles some phishing. People handle the rest. Invest in ongoing cybersecurity awareness training that covers phishing, social engineering, credential hygiene, and incident reporting. Make reporting easy and consequence-neutral. If employees fear punishment for clicking, they'll hide incidents — and hidden incidents become catastrophic breaches.
Verify Out-of-Band
For any request involving money, credentials, or sensitive data, verify through a separate communication channel. If your CFO emails asking for a wire transfer, pick up the phone and call them. This single habit would eliminate the majority of BEC losses overnight.
What Happens After You Click: The Attack Chain
Understanding what happens post-click helps explain why phishing is so dangerous. Here's a typical sequence I've observed in incident response:
- Credential Harvesting: The victim enters their username and password on a spoofed login page. The page redirects them to the real site, so they never realize anything happened.
- Account Takeover: The attacker logs in, sets up email forwarding rules to hide their activity, and begins reading messages to understand the organization.
- Lateral Movement: Using the compromised account, the attacker sends internal phishing emails or accesses connected systems like SharePoint, VPN, or cloud storage.
- Data Exfiltration or Ransomware: The attacker either steals sensitive data for sale or extortion, or deploys ransomware to encrypt systems and demand payment.
This entire chain can unfold in hours. The median time from initial access to data exfiltration is shrinking every year. Speed matters — both for attackers and defenders.
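The account-takeover step in that chain leaves a very specific trace: a new inbox rule that forwards mail outside the organization or that deletes, marks as read, or buries messages matching keywords such as "invoice" or "password". As an added example (not from the original article), here is a Python detection that runs over mailbox-audit events and raises an alert for exactly those rules. The event shape is simplified from Exchange Online unified audit log records (`Operation`, `UserId`, `ClientIP`, and a `Parameters` list of `Name`/`Value` pairs); the internal domain list, the set of "hiding" folders, the exact encoding of parameter values and the three sample events are constructed assumptions.

```python
import re

# Constructed assumptions: the organization's own mail domains and the inbox-rule
# parameter names as they appear in Exchange Online audit events.
INTERNAL_DOMAINS = {"corp.example"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items"}


def _params(event):
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def inbox_rule_alerts(events):
    """Return one alert per inbox-rule event that looks like post-compromise persistence."""
    alerts = []
    for event in events:
        if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = _params(event)
        reasons = []
        # Forwarding or redirecting mail to an address outside the organization.
        for name in sorted(FORWARD_PARAMS & params.keys()):
            for address in re.findall(r"[\w.+-]+@[\w.-]+", params[name]):
                if address.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                    reasons.append(f"{name} sends mail to external address {address}")
        # Actions that keep the victim from noticing: delete, mark read, or move to an
        # out-of-the-way folder.
        hiding = [n for n in ("DeleteMessage", "MarkAsRead") if params.get(n, "").lower() == "true"]
        if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            hiding.append(f"MoveToFolder={params['MoveToFolder']}")
        if hiding:
            reasons.append("hides matching mail: " + ", ".join(hiding))
            keywords = {n: params[n] for n in KEYWORD_PARAMS & params.keys()}
            if keywords:
                reasons.append("keyword filter: " + "; ".join(f"{k}={v}" for k, v in sorted(keywords.items())))
        # Attackers often give rules a blank or one-character name so they are easy to miss.
        if len(params.get("Name", "").strip()) <= 1:
            reasons.append(f"rule name {params.get('Name', '')!r} is blank or a single character")
        if reasons:
            alerts.append({"user": event.get("UserId"), "time": event.get("CreationTime"),
                           "client_ip": event.get("ClientIP"), "reasons": reasons})
    return alerts


# Constructed sample events: one attacker persistence rule, one ordinary newsletter
# rule, and one internal forward. IPs are from the documentation ranges.
SAMPLE_EVENTS = [
    {"CreationTime": "2025-03-04T02:17:44", "Operation": "New-InboxRule",
     "UserId": "jane@corp.example", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "outsider@mail.example"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;password;security alert"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-04T09:02:10", "Operation": "New-InboxRule",
     "UserId": "bob@corp.example", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@corp.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-03-04T11:40:00", "Operation": "Set-InboxRule",
     "UserId": "jane@corp.example", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "Name", "Value": "Out of office copy"},
                    {"Name": "ForwardTo", "Value": "jane.backup@corp.example"}]},
]

if __name__ == "__main__":
    for alert in inbox_rule_alerts(SAMPLE_EVENTS):
        print(alert["time"], alert["user"], "from", alert["client_ip"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

Only the first event fires, with all four reasons; the newsletter rule and the internal forward are left alone. In practice this runs as a scheduled query against the audit log, and the 48-hour window described earlier is exactly where an alert like this buys you time.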
Phishing in 2025: What's Changed
Phishing has evolved significantly. Here's what's different right now compared to even two years ago.
AI-generated phishing emails have eliminated the grammatical errors and awkward phrasing that used to be reliable detection signals. Attackers use large language models to write flawless, context-aware messages in any language.
Adversary-in-the-middle (AiTM) attacks can now intercept MFA tokens in real time. Frameworks like EvilProxy and Evilginx allow attackers to sit between the victim and the real login page, capturing both passwords and session tokens. This is why phishing-resistant MFA (hardware keys, passkeys) matters more than ever.
QR code phishing (quishing) has exploded. Attackers embed malicious QR codes in emails and physical documents. Since QR codes bypass traditional email link scanning, they've become a favorite delivery mechanism.
Deepfake vishing uses AI-cloned voices to impersonate executives on phone calls. I've seen cases where finance teams authorized six-figure transfers based on calls that sounded exactly like their CEO.
Your Next Step
If you're an individual trying to protect yourself, start by enabling MFA on every account you own, learning to spot the red flags listed above, and never acting on urgency in an email without verifying independently.
If you're responsible for an organization, the calculus is different. You need layered defenses: email filtering, endpoint protection, MFA, zero trust, and — critically — people who can recognize and report phishing attempts. That last piece requires structured, ongoing training. Explore phishing simulation and awareness training to build that capability, and equip your entire team with foundational cybersecurity awareness training that covers the full threat landscape.
Phishing isn't going away. The technology behind it is getting better. The only durable defense is a workforce that recognizes the attack before the damage is done.