Phishing has been around forever, and honestly, it’s still the number one way attackers get into systems. You’d think by now with all the awareness campaigns and security products out there, it would have faded out but the truth is, phishing works. It works because it doesn’t go after firewalls or antivirus; it goes after people. And people will always be the weakest link, no matter how much tech you throw at the problem.
From an attacker’s perspective, phishing is cheap, easy, and scales ridiculously well. You can spin up a phishing kit, rent some shady hosting, and push out thousands of emails for basically nothing. Even if only a tiny fraction of people fall for it, you’ve got stolen creds, session cookies, or malware deployed. The ROI for attackers is insane compared to burning a zero-day or chaining exploits. And phishing has matured way past the old-school “Nigerian prince” stuff. Today we’re talking about fake Microsoft 365 login portals with valid TLS certs, adversary-in-the-middle proxies that can capture MFA tokens, and BEC scams that look like a legit CFO asking for a wire transfer. Add in smishing (SMS phishing) and vishing (phone-based social engineering), and the attack surface is huge.
What makes phishing even more effective is that credentials are still king. Once an attacker has a set of valid creds, they’re basically logging in like a normal user. No alarms, no flashy malware signatures. Just a standard login that slips right past traditional defenses. And with so many businesses running hybrid environments, cloud apps, and SaaS platforms, credentials are the skeleton key that unlocks everything. Even strong endpoint security doesn’t help much if the attacker is simply using your VPN or cloud account with the right password.
That being said, phishing isn’t the only way attackers get in. Unpatched software is still a massive problem. How many times have you seen an environment sitting on a six-month-old patch cycle “because uptime is critical”? Those systems are low-hanging fruit. Then there’s password reuse and weak authentication policies that make credential stuffing attacks almost trivial. Supply chain attacks are another big one: instead of hitting you directly, adversaries compromise a vendor or MSP and use that trust relationship to walk right in. Drive-by downloads, malvertising, and even physical vectors like infected USBs still show up in targeted campaigns. And let’s not forget insider threats. A malicious or careless employee with legitimate access can cause just as much damage as an external attacker.
So why do attackers still prefer phishing when they have all these options? It’s the path of least resistance. Crafting an exploit chain takes effort, skill, and sometimes luck. Sending a convincing email takes five minutes and a Mailchimp clone. And here’s the thing, human error is never going away. Even with regular security training, someone eventually clicks the wrong link or downloads the wrong attachment. Attackers know this, and they keep iterating. They’ll tailor lures to current events, imitate trusted brands, or even spoof internal communications. And because phishing depends on voluntary user action, it bypasses many traditional controls that are great at stopping automated exploits but useless if the “attack” is just someone typing their credentials into a fake login page.
For defenders, the takeaway is not “we need to stop phishing” because you won’t. It’s about reducing how effective it is when it does get through. MFA is a must, but you can’t stop there because modern phishing kits can proxy logins and steal session tokens in real time. You need adaptive MFA, conditional access, and risk-based authentication policies. User awareness training still matters, but it needs to be combined with regular phishing simulations to make the lessons stick. Email security filters, DMARC, DKIM, and SPF can cut down a lot of noise, but attackers are always adapting, so don’t rely on those alone. Most importantly, you need visibility. Logging and monitoring for things like impossible travel, logins from new devices, and unusual access patterns can tip you off when phishing has succeeded. And don’t forget about response. Having a solid IR plan is just as important as prevention.
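The “visibility” point above is the one that is easiest to act on in code. The following is an added example, not code from the original post: a small detector that runs over sign-in events and raises the two signals named in the paragraph, impossible travel (two successful logins for one user that are too far apart for the time between them) and a login from a device not on the user’s baseline. The JSON-lines log format, the field names, the sample events and the 900 km/h threshold are all constructed assumptions for illustration; real identity providers export similar fields under their own names and the geolocation would come from an enrichment step, not from the raw log.

```python
"""Impossible-travel and new-device detection over sign-in logs.

Added example, not code from the original post. The log format, field
names, coordinates and sample events below are constructed for illustration.
"""
import json
import math
from datetime import datetime

# Constructed sign-in events, one JSON object per line. lat/lon stand in for
# the geolocation an enrichment pipeline would attach to the source IP.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "ip": "203.0.113.10", "lat": 47.6, "lon": -122.3, "device": "alice-laptop", "result": "success"}
{"ts": "2024-05-01T08:45:00Z", "user": "alice", "ip": "198.51.100.7", "lat": 52.5, "lon": 13.4, "device": "unknown-browser", "result": "success"}
{"ts": "2024-05-01T09:00:00Z", "user": "bob", "ip": "192.0.2.55", "lat": 40.7, "lon": -74.0, "device": "bob-desktop", "result": "success"}
{"ts": "2024-05-01T17:30:00Z", "user": "bob", "ip": "192.0.2.56", "lat": 40.7, "lon": -74.0, "device": "bob-phone", "result": "success"}
"""

# Assumed threshold: roughly airliner speed. Faster than this between two
# successful logins is treated as impossible travel.
MAX_PLAUSIBLE_KMH = 900.0
MIN_DISTANCE_KM = 50.0  # ignore tiny geolocation jitter inside one city


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON-lines sign-in events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, known_devices):
    """Return alert dicts. known_devices maps user -> set of baseline device ids."""
    alerts = []
    last_seen = {}  # user -> previous successful event
    seen = {u: set(d) for u, d in known_devices.items()}
    for e in events:
        if e["result"] != "success":
            continue  # only successful logins indicate a phish that worked
        user = e["user"]
        # New-device check: first success from a device not on the baseline.
        if e["device"] not in seen.setdefault(user, set()):
            alerts.append({"type": "new_device", "user": user,
                           "device": e["device"], "ts": e["ts"].isoformat()})
            seen[user].add(e["device"])
        prev = last_seen.get(user)
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Near-simultaneous logins from far apart are the extreme case;
            # guard the division so they are flagged rather than crashing.
            speed = dist / hours if hours > 0 else float("inf")
            if dist > MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"type": "impossible_travel", "user": user,
                               "from_ip": prev["ip"], "to_ip": e["ip"],
                               "km": round(dist), "kmh": round(speed)})
        last_seen[user] = e
    return alerts


def run_sample():
    """Run the detector over the constructed log with a constructed baseline."""
    known = {"alice": {"alice-laptop"}, "bob": {"bob-desktop", "bob-phone"}}
    return detect(parse_events(SAMPLE_LOG), known)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data, Alice’s second login (a new browser, from roughly 8,100 km away, 45 minutes later) produces both a new-device and an impossible-travel alert, while Bob’s two same-city logins from known devices produce nothing. The distance floor matters in practice: without it, two logins seconds apart from adjacent offices would compute an absurd speed and drown the real signal in noise.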
At the end of the day, phishing is still king because it exploits the one thing technology can’t patch: human trust. If you’re in IT or security, the job isn’t to magically eliminate phishing, it’s to build enough layers of defense that when it does happen (and it will), the damage is limited and the breach is contained quickly. Phishing isn’t going away, but how you prepare for it determines whether it’s just a minor incident or a business-ending event.
Business Email Compromise Continues To Be Big Money
FACC (€50 million CEO impersonation)
A classic, sophisticated BEC attack hit Austrian aerospace supplier FACC. Attackers spoofed emails from the company’s CEO and directed finance staff to wire €50 million to a fraudulent account. While FACC managed to stop a portion of the transfer, most of it vanished, resulting in one of Europe’s most costly BEC incidents.
Lexington, Kentucky – $4 million fraud via bogus vendor invoice
City officials in Lexington received an email that looked like it came from a local housing agency requesting updated bank info. They complied and transferred approximately $4 million in federal rental assistance—straight into the attackers’ accounts.
Unatrac / Invictus Obi – $11 million global scam
This one’s wild: Obinwanne “Invictus Obi” Okeke, a Nigerian businessman, pulled off a BEC scheme targeting Unatrac (Caterpillar’s export arm). He launched nearly 15 fraudulent wire transfers from the CFO’s Office 365 account, totaling around $11 million. Okeke was caught, tried, and handed a 10-year federal sentence.
SilverTerrier – Nigeria-based BEC syndicate
Not a single case, but a whole wave: SilverTerrier is a notorious Nigerian BEC syndicate. From 2014 onward, this group and its affiliates flooded businesses globally with spear-phishing attacks, email takeovers, and invoicing scams. Interpol, along with other agencies, has arrested key operators, but not before the group had leveraged over 800,000 stolen credentials and compromised thousands of organizations.
Children’s hospital – $17.2 million CEO & lawyer impersonation
In one jaw-dropping BEC attack, scammers impersonated both the CEO and a KPMG lawyer and prompted staff to transfer $17.2 million to fraudulent accounts in Shanghai. The impersonated emails made the request seem highly official and urgent, exactly the triggers many staff feel they can’t ignore.
NSW Government, Australia – $3.5 million fake contractor scam
In November 2024, an Australian government agency received an email that appeared to be from a legitimate contractor. The impostor had even set up a near-identical vendor name and bank account. The agency wired $3.58 million—most was recovered, but nearly $12,000 disappeared. The suspect was identified, charged, and faces up to 12 years in prison.
Gold Coast couple – $250,000 home purchase scam
A heartbreaking case: a couple in Queensland lost $250,000 when criminals hijacked their email thread during a property purchase. The scammers swapped the bank details for the deposit fund; by the time the fraud was detected, $170,000 was gone. Police are investigating, and the couple is seeking help through financial ombudsman channels.
Valladolid, Spain – intercepted supplier invoice (€3,100)
Here’s a detail-focused, low-volume BEC case. Attackers intercepted a company’s email chain with their supplier, altered the bank details, and successfully diverted a €3,100 invoice payment to their own account. Fortunately, investigators acted quickly and recovered the money.
Why These Cases Matter
Each of these incidents showcases a core truth: BEC isn’t about flashy malware, it’s about social engineering. Attackers impersonated trusted figures, mimicked vendor domains, injected urgency, and weaponized trust to trick legitimate staff. From small sums in Spain to tens of millions in Austria, the attack vectors and outcomes vary, but the objective is the same. In these examples, we are talking about cybercriminals operating at scale, targeting small and medium-sized businesses for financial gain.
There are many threat actors out there with varying degrees of purpose, but phishing still remains a large vector for most cyber threat actors.