10 Wild Phishing (and Phish-Adjacent) Stories from 2024–2025, Including Important Lessons Learned

QR codes turned into logins. AI impersonated your CFO on Zoom. “Internal” emails arrived from the great beyond. The past two years were a nonstop parade of inventive cons – equal parts brazen and brilliant. Below, we tour ten real incidents that defined the era and, more importantly, translate each one into plain-English guardrails you can put in place. Sources are linked throughout so you can go deeper whenever you like.
1) Change Healthcare: one portal, no MFA, and a very expensive lesson (Feb 2024)
In February 2024, attackers walked through the digital front door at Change Healthcare using stolen credentials—no alarms, no second factor, just a remote portal without MFA. The breach eventually spiraled into ALPHV/BlackCat ransomware and nationwide disruption in healthcare billing. Executives later testified that the compromised entry point did not have MFA enabled—an omission that reads like a plot twist you can see coming a mile away (Reuters; context via Cybersecurity Dive; sector wrap-ups from the AHA and HHS OCR).
Why did it work? Because one non-MFA’d app is a skeleton key in a world drenched in infostealer logs and password reuse. The countermeasure is gloriously unsexy: phishing-resistant MFA (FIDO2) everywhere the public can see you, ideally behind SSO + conditional access, with legacy protocols turned off. Add basic anomaly alerts—impossible travel, odd ASNs, strange hours—and you at least get a fighting chance to catch the first footsteps.
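The "basic anomaly alerts" above are easy to prototype. The following is an added example, not code from the original post or from any vendor named in it: it runs three checks (impossible travel, a never-before-seen ASN, off-hours sign-in) over a stream of SSO login events. The event shape, the 900 km/h plausibility ceiling, the 06:00–22:00 UTC "working hours" window, and the sample logins are all constructed assumptions.

```python
"""Login anomaly checks: impossible travel, unusual ASN, off-hours sign-ins.

Added example, not from the original post. Assumes an SSO audit log exposes
user, UTC timestamp, geolocation and ASN per login; the events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0      # assumption: roughly airliner speed
WORK_HOURS_UTC = range(6, 22)  # assumption: sign-ins outside this window are "strange hours"


@dataclass
class Login:
    user: str
    ts: datetime   # timezone-aware UTC
    lat: float
    lon: float
    asn: int


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def detect_anomalies(events, known_asns):
    """Return (user, rule, detail) alerts.

    known_asns maps user -> set of ASNs seen in that user's history; anything
    else is reported as a new network, the same way a new device would be."""
    alerts = []
    last_by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_by_user.get(ev.user)
        if prev is not None:
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((ev.user, "impossible_travel", f"{km:.0f} km in {hours:.1f} h"))
        if ev.asn not in known_asns.get(ev.user, set()):
            alerts.append((ev.user, "new_asn", f"AS{ev.asn}"))
        if ev.ts.hour not in WORK_HOURS_UTC:
            alerts.append((ev.user, "off_hours", ev.ts.isoformat()))
        last_by_user[ev.user] = ev
    return alerts


# Constructed sample: alice's account logs in from London, then 90 minutes later
# from New York via an ASN she has never used; bob signs in at 03:00 UTC.
SAMPLE_EVENTS = [
    Login("alice", datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc), 51.5074, -0.1278, 2856),
    Login("alice", datetime(2025, 3, 3, 10, 30, tzinfo=timezone.utc), 40.7128, -74.0060, 14618),
    Login("bob", datetime(2025, 3, 3, 3, 0, tzinfo=timezone.utc), 41.8781, -87.6298, 7922),
]
KNOWN_ASNS = {"alice": {2856}, "bob": {7922}}


def sample_alerts():
    return detect_anomalies(SAMPLE_EVENTS, KNOWN_ASNS)


if __name__ == "__main__":
    for user, rule, detail in sample_alerts():
        print(f"{user:6} {rule:18} {detail}")
```

None of these rules is conclusive on its own (VPNs and travel produce false positives), which is why the output is a list of signals for triage rather than a verdict; the point is that a credential stolen from an infostealer log rarely arrives from the victim's usual network at the victim's usual hour.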
2) Pepco Group: classic BEC, polished like a diamond (Feb 2024)
Pepco’s Hungarian business lost about €15.5 million to what reads like a textbook—but extremely well executed—business email compromise. No malware extravaganza; just convincing messages, authority, urgency, and a payment process that trusted the inbox too much (company notice / PDF; coverage via Reuters and Help Net Security).
The fix is cultural as much as technical: treat money movement like a cockpit checklist. Dual approvals, callback verification to known numbers, supplier portals with 2FA, and a hold period for first-time bank-detail changes transform “please pay this urgently” into “sure—after we follow the process.”
3) The Arup deepfake boardroom: when faces lie (Jan–May 2024)
A finance employee at Arup joined a video call with the “CFO” and colleagues. They looked right, sounded right, moved right—and were AI deepfakes. Roughly $25 million left the building before reality caught up (Financial Times; CFO Dive; background via CNN/Yahoo).
We’ve trained people to “trust the face.” Deepfakes torch that instinct. The pragmatic fix is policy, not paranoia: no funds released on live calls alone. Require a ticketed approval plus a verbal callback to a number pulled from an internal directory—never from the email or the meeting invite. Teach teams to spot telltales (lip-sync drift, odd latencies) and to use backchannels when something feels off.
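The Pepco and Arup lessons boil down to one enforceable rule set: a payment moves only when a ticket exists, two people have approved, the callback went to a directory number, and any freshly changed bank details have aged past a hold period. The following is an added example of encoding that checklist as a gate, not code from the original post or from either company. The PaymentRequest shape, the 48-hour hold, the two-approver minimum and the directory entries are constructed assumptions.

```python
"""Funds-release gate: ticketed approval, dual approval, directory callback,
and a hold period for first-time bank-detail changes.

Added example, not from the original post. DIRECTORY, HOLD_PERIOD and the
sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

HOLD_PERIOD = timedelta(hours=48)   # assumption: cooling-off for new bank details
MIN_APPROVERS = 2                   # assumption: dual approval

# Constructed internal directory. Callback numbers come from here and nowhere else,
# never from the requesting email or the meeting invite.
DIRECTORY = {
    "cfo@example.com": "+44 20 7946 0000",
    "ap-lead@example.com": "+44 20 7946 0001",
}


@dataclass
class PaymentRequest:
    payee: str
    amount: float
    bank_details_first_seen: datetime       # when this payee/account pair entered the vendor master
    ticket_id: Optional[str] = None         # approval ticket; a live call alone leaves this empty
    approvers: Set[str] = field(default_factory=set)
    callback_contact: Optional[str] = None  # who was phoned to confirm
    callback_number_used: Optional[str] = None  # the number actually dialled


def evaluate(req: PaymentRequest, now: datetime) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every failed control is listed, not just the first."""
    reasons = []
    if not req.ticket_id:
        reasons.append("no ticketed approval (a live call or email alone is not enough)")
    if len(req.approvers) < MIN_APPROVERS:
        reasons.append(f"needs {MIN_APPROVERS} distinct approvers, has {len(req.approvers)}")
    expected = DIRECTORY.get(req.callback_contact or "")
    if expected is None or req.callback_number_used != expected:
        reasons.append("callback was not made to the directory number for the contact")
    if now - req.bank_details_first_seen < HOLD_PERIOD:
        reasons.append("bank details changed inside the hold period")
    return (not reasons, reasons)


def sample_requests(now: datetime):
    """Constructed pair: a deepfake-call style request and a compliant one."""
    suspicious = PaymentRequest(
        payee="Vendor A", amount=25_000_000.0,
        bank_details_first_seen=now - timedelta(hours=1),
        ticket_id=None, approvers={"finance.clerk"},
        callback_contact="cfo@example.com",
        callback_number_used="+1 555 0100",   # number taken from the meeting invite
    )
    compliant = PaymentRequest(
        payee="Vendor B", amount=12_400.0,
        bank_details_first_seen=now - timedelta(days=10),
        ticket_id="CHG-1042", approvers={"finance.clerk", "ap-lead"},
        callback_contact="cfo@example.com",
        callback_number_used=DIRECTORY["cfo@example.com"],
    )
    return suspicious, compliant


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for req in sample_requests(now):
        ok, why = evaluate(req, now)
        print(req.payee, "APPROVED" if ok else "HELD", why)
```

The gate deliberately ignores how convincing the requester was; a deepfaked CFO on a video call satisfies none of the four controls, which is exactly the property you want.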
4) Paris 2024: the Olympics of fake ticketing (mid-2024)
Hype, scarcity, and immaculate branding make for superb phishing weather. Heading into Paris 2024, law enforcement and researchers flagged hundreds of fraudulent sites hawking tickets, hospitality, and “priority access.” At one point the French gendarmerie counted 338 suspect domains. The playbook was simple: SEO-poisoning, cloned logos, and urgency that makes even savvy buyers forget their rules (Proofpoint; consumer warnings via CBS News; official notices at Olympics.com).
If your staff travel or buy event access, front-load the safety briefing: type, don’t click, and only on official URLs. On the backend, watch for typosquats and block brand-new domains in high-risk categories for a cooling-off period. A little friction beats expensive FOMO.
5) Snowflake-linked breaches: one password to rule them all (spring–summer 2024)
Ticketmaster, Santander, and others reported data accessed via customer Snowflake environments, with a familiar villain: stolen credentials and missing MFA. Snowflake itself said its platform wasn’t breached; rather, attackers rode in on real keys to customer instances and got to querying (Dark Reading; The Verge; Google Threat Intelligence; Push Security).
If your data lives in SaaS, treat identity like your new network perimeter. Put SSO/SAML + MFA in front, add IP allowlists/VPN, and instrument for unusual query volumes or sudden role changes. Keys and tokens should rotate the way you change the batteries in a smoke alarm: regularly, before the fire.
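"Instrument for unusual query volumes or sudden role changes" can be a short baseline comparison over the warehouse's own audit data. The following is an added example, not code from the original post and not Snowflake's tooling: it compares each user's latest day of bytes scanned against the median of their earlier days, and flags privileged-role grants to unexpected principals. The record shapes, the 5x multiplier, the 1 GB floor, the role names and the sample data are constructed assumptions; in practice the inputs would come from the platform's query-history and grant views.

```python
"""Baseline-deviation checks over query history and role grants.

Added example, not from the original post. Record shapes and thresholds are
assumptions; SAMPLE_* data is constructed.
"""
from collections import defaultdict
from statistics import median

VOLUME_MULTIPLIER = 5.0          # assumption: alert when > 5x the user's median day
MIN_BYTES = 1_000_000_000        # assumption: ignore spikes below 1 GB scanned
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN"}   # assumption


def volume_alerts(daily_bytes):
    """daily_bytes: iterable of (user, iso_day, bytes_scanned).

    For each user with at least three days of history, compares the latest day
    with the median of the earlier days. Returns (user, day, ratio) alerts."""
    by_user = defaultdict(dict)
    for user, day, b in daily_bytes:
        by_user[user][day] = by_user[user].get(day, 0) + b
    alerts = []
    for user, days in by_user.items():
        ordered = sorted(days)
        if len(ordered) < 3:
            continue  # not enough history to call anything unusual
        latest = ordered[-1]
        baseline = max(median(days[d] for d in ordered[:-1]), 1)
        ratio = days[latest] / baseline
        if days[latest] >= MIN_BYTES and ratio > VOLUME_MULTIPLIER:
            alerts.append((user, latest, ratio))
    return alerts


def role_alerts(grants, expected_privileged):
    """grants: iterable of (timestamp, grantee, role).

    Returns grants of privileged roles to principals not in expected_privileged."""
    return [(ts, g, r) for ts, g, r in grants
            if r in PRIVILEGED_ROLES and g not in expected_privileged]


# Constructed sample: a service account that normally scans ~200 MB/day suddenly
# pulls 8 GB, and on the same night is granted ACCOUNTADMIN.
SAMPLE_DAILY_BYTES = [
    ("svc_etl", "2024-05-17", 200_000_000),
    ("svc_etl", "2024-05-18", 250_000_000),
    ("svc_etl", "2024-05-19", 180_000_000),
    ("svc_etl", "2024-05-20", 8_000_000_000),
    ("analyst", "2024-05-16", 500_000_000),
    ("analyst", "2024-05-17", 500_000_000),
    ("analyst", "2024-05-18", 500_000_000),
    ("analyst", "2024-05-19", 500_000_000),
    ("analyst", "2024-05-20", 500_000_000),
]
SAMPLE_GRANTS = [
    ("2024-05-20T02:14:00Z", "svc_etl", "ACCOUNTADMIN"),
    ("2024-05-20T09:00:00Z", "new_hire", "ANALYST"),
    ("2024-05-20T09:05:00Z", "dba", "SECURITYADMIN"),
]
EXPECTED_PRIVILEGED = {"dba"}


if __name__ == "__main__":
    print(volume_alerts(SAMPLE_DAILY_BYTES))
    print(role_alerts(SAMPLE_GRANTS, EXPECTED_PRIVILEGED))
```

A median baseline rather than a mean keeps one earlier spike from masking the next one, and the absolute floor stops low-volume accounts from paging you every time they run a slightly larger report.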
6) Star Blizzard’s WhatsApp pivot: your QR code is a session token (late 2024–Jan 2025)
FSB-linked Star Blizzard started corralling diplomats and policy folks into scanning WhatsApp QR codes, turning a simple handoff into account takeover. The move cleverly sidestepped email controls and shifted the conversation to a compromised app where trust is high and scrutiny is low (Microsoft; BleepingComputer; The Guardian).
The mindset shift is crucial: QR codes often are authentication. Train people to treat scans like passwords, restrict linking on unmanaged devices via MDM, and require number-matching MFA where available. Also, watch for new linked devices and suspicious location jumps—both are early smoke.
7) Quishing at scale: Microsoft Sway as a lure factory (Aug 2024)
Attackers leaned on Microsoft Sway to host slick, QR-code phishing pages that slipped past filters thanks to first-party halo effects. The QR image concealed the true destination, and scanners not built to decode images saw only a nice, clean file hosted by a trusted brand (BleepingComputer; original research from Netskope).
Defenders can answer in kind: add QR decoding to email/web security, scrutinize new Sway/Forms/Sites links, and lock identity down with passwordless MFA, conditional access, and continuous access evaluation. On mobile, teach people how to preview URLs before opening them—tiny skill, huge payoff.
8) Trezor: when your support desk becomes the social engineer (Jan 2024 & Jun 2025)
In January 2024, a third-party support portal tied to Trezor exposed contact details for ~66,000 users—jet fuel for follow-on phishing. By June 2025, adversaries went a step further, abusing Trezor’s support form to send convincing auto-replies that looked official enough to make even veterans blink (BleepingComputer; BleepingComputer).
Your support stack is part of your security perimeter. Treat it accordingly: rate-limit auto-replies, enforce strict DKIM/DMARC alignment, scan templated responses for risky language (especially around “recovery” and crypto), and publish clear safety PSAs so customers know what you’ll never ask them to do.
9) “Internal” without compromise: M365 Direct Send gets cheeky (Jun–Aug 2025)
Campaigns abusing Microsoft 365’s Direct Send made it possible to spoof internal users without actually taking over an account. That little detail matters, because “from IT@yourcompany” still carries psychological weight—even when the authentication story is mushy (Varonis; summaries via Dark Reading and Arctic Wolf).
Tighten your connector rules, limit the scope of Direct Send, and prefer authenticated SMTP where you can. Teach people that “internal” isn’t a magic word; if an email tries to move money or credentials, the verification should happen in a portal or via a known backchannel—not a convenient blue link.
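Both the "strict DKIM/DMARC alignment" advice for support mail (story 8) and the Direct Send spoofing in story 9 come down to one question a mail filter can ask: does a message whose From address is one of our domains carry an SPF or DKIM pass that is aligned with that domain? The following is an added example, not code from the original post and not a Microsoft tool: it parses the Authentication-Results header the receiving system stamped and applies DMARC-style relaxed alignment. INTERNAL_DOMAINS and the three sample messages are constructed.

```python
"""Flag internal-looking mail that lacks aligned SPF/DKIM authentication.

Added example, not from the original post. Uses only the standard library's
email package. INTERNAL_DOMAINS and SAMPLES are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"yourcompany.example"}   # assumption: your own sending domains

_AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)([^;]*)", re.I)
# Domain after smtp.mailfrom= / header.d= / header.from=, with any local-part stripped.
_DOMAIN_RE = re.compile(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^\s@;]*@)?([\w.-]+)", re.I)


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Return {'spf': (result, domain), 'dkim': (result, domain)} from Authentication-Results."""
    out = {}
    for ar in msg.get_all("Authentication-Results", []):
        for method, result, rest in _AUTH_RE.findall(ar):
            m = _DOMAIN_RE.search(rest)
            out[method.lower()] = (result.lower(), m.group(1).lower() if m else "")
    return out


def aligned(auth_domain, from_dom):
    """DMARC relaxed alignment: same organisational domain or a subdomain of it."""
    return auth_domain == from_dom or auth_domain.endswith("." + from_dom)


def classify(raw):
    """'external', 'internal-authenticated' or 'internal-unauthenticated'."""
    msg = message_from_string(raw)
    fd = from_domain(msg)
    if fd not in INTERNAL_DOMAINS:
        return "external"
    ar = auth_results(msg)
    for method in ("dkim", "spf"):
        result, dom = ar.get(method, ("none", ""))
        if result == "pass" and aligned(dom, fd):
            return "internal-authenticated"
    return "internal-unauthenticated"


# Constructed samples. The first mimics mail injected from outside that spoofs an
# internal From address without any aligned authentication.
SAMPLES = {
    "spoofed_internal": (
        "From: IT Helpdesk <it@yourcompany.example>\n"
        "Authentication-Results: mx.yourcompany.example; spf=fail (sender IP is 203.0.113.5) "
        "smtp.mailfrom=yourcompany.example; dkim=none (message not signed) header.d=none; dmarc=fail\n"
        "Subject: Password reset required\n\nClick here to keep your access.\n"
    ),
    "genuine_internal": (
        "From: IT Helpdesk <it@yourcompany.example>\n"
        "Authentication-Results: mx.yourcompany.example; spf=pass smtp.mailfrom=yourcompany.example; "
        "dkim=pass header.d=yourcompany.example; dmarc=pass\n"
        "Subject: Patch window tonight\n\nServers reboot at 22:00.\n"
    ),
    "external": (
        "From: Vendor <billing@vendor.example>\n"
        "Authentication-Results: mx.yourcompany.example; spf=pass smtp.mailfrom=vendor.example; "
        "dkim=pass header.d=vendor.example\n"
        "Subject: Invoice\n\nAttached.\n"
    ),
}


def classify_samples():
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18} {verdict}")
```

Routing "internal-unauthenticated" mail to quarantine, or at least stamping it with an external-style banner, removes the psychological advantage that "from IT@yourcompany" otherwise buys the sender.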
10) AI site builders drafted into the phish factory: Lovable at scale (2025)
Finally, a very 2025 plot line: attackers using AI website builders—Lovable in particular—to crank out tens of thousands of phishing and malware pages with on-brand design and near-instant turnaround. Fresh domains plus pretty templates equals a steady drip of clicks before reputation systems catch up (Proofpoint; coverage via BleepingComputer and TechRadar).
Defensively, expand your URL intelligence to include time-since-registration and builder/hosting reputation, and don’t reflexively whitelist shiny new domains just because they look professional. Criminals can look professional now, too—it’s kind of their thing.
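The Paris 2024 typosquats (story 4) and the AI-built lure sites here call for the same URL gate: weigh a domain's registration age, whether it sits on a site builder, and whether it imitates a brand, then hold new-but-pretty domains for a cooling-off period. The following is an added example, not code from the original post and not any vendor's product. Real deployments read registration dates from WHOIS/RDAP and builder or hosting labels from threat intelligence; here REGISTRATIONS, BUILDER_SUFFIXES, the brand list, the official-domain allowlist and the 30-day window are constructed stand-ins.

```python
"""URL risk gate: domain age, site-builder hosting, and brand lookalikes.

Added example, not from the original post. All lookup tables are constructed;
.example domains are used so nothing here refers to a real registration.
"""
import re
from datetime import date
from urllib.parse import urlsplit

COOLING_OFF_DAYS = 30                                   # assumption
BRANDS = {"olympics", "ticketmaster"}                   # brands you care about
OFFICIAL = {"olympics.example", "ticketmaster.example"}  # constructed allowlist
BUILDER_SUFFIXES = (".sitebuilder.example",)            # constructed stand-in for builder hosts
REGISTRATIONS = {                                       # constructed WHOIS/RDAP stand-in
    "olympics.example": date(2000, 1, 1),
    "ticketmaster.example": date(2001, 1, 1),
    "sitebuilder.example": date(2019, 4, 2),
    "oldvendor.example": date(2015, 3, 1),
    "olympics-paris-tickets.example": date(2024, 6, 20),
    "tlcketmaster.example": date(2024, 6, 25),
}


def levenshtein(a, b):
    """Edit distance; one substitution is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Assumption: two-label registrable domain; a real gate would consult the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def lookalike_brand(host):
    """Return the brand a host imitates, or None. Splits every label on '-' and digits."""
    labels = host.lower().split(".")[:-1]
    tokens = [t for lab in labels for t in re.split(r"[-_\d]+", lab) if len(t) >= 4]
    for tok in tokens:
        for brand in BRANDS:
            if levenshtein(tok, brand) <= 1:
                return brand
    return None


def assess(url, today):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    host = urlsplit(url).hostname or ""
    reg = registrable(host)
    if reg in OFFICIAL:
        return "allow", []
    reasons = []
    created = REGISTRATIONS.get(reg)
    if created is None:
        reasons.append("no registration record")
    elif (today - created).days < COOLING_OFF_DAYS:
        reasons.append(f"registered {(today - created).days} days ago")
    if host.lower().endswith(BUILDER_SUFFIXES):
        reasons.append("hosted on a site builder")
    brand = lookalike_brand(host)
    if brand:
        reasons.append(f"looks like {brand}")
    verdict = "block" if len(reasons) >= 2 else ("review" if reasons else "allow")
    return verdict, reasons


if __name__ == "__main__":
    today = date(2024, 7, 1)
    for u in ("https://olympics.example/tickets",
              "https://olympics-paris-tickets.example/buy",
              "https://tlcketmaster.example/events",
              "https://shop.sitebuilder.example/login",
              "https://oldvendor.example/"):
        print(u, assess(u, today))
```

Two signals escalate to a block while one only asks for review, so an old, legitimate builder-hosted page is not blocked outright, but a freshly registered lookalike is held before anyone can click through.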
The pattern you can’t ignore
Across all ten stories, the same threads keep showing up. Credentials and session tokens are gold. MFA gaps are fatal. “Internal” is a feeling, not a control. And AI is both accelerant and firehose—it speeds up attackers and overwhelms defenders, but it also gives us better training and detection if we choose to use it.
If you only do a few things this quarter, make them these: roll out phishing-resistant MFA and retire legacy auth; add QR decoding to your email/web stack; stage realistic BEC and deepfake drills for finance and execs (with mandatory callbacks); and put support, marketing, and event workflows squarely in your threat model with rate limits, DMARC alignment, and pre-emptive warnings.
And if you want to practice safely, that’s our jam. AutoPhish can recreate the trends you’ve just read about—quishing, AI-style lures, “internal” spoofing, and meticulous BEC—then follow up with bite-sized training that actually sticks. Because seeing the trick once, in a safe environment, is how you stop it when it really counts.