Phishing in 2025: Why 82% of businesses will be phished this year (and how to avoid being phished)
Introduction
Phishing is sold as a problem of stupid users clicking on anything. The classic CIO line: "All you have to do is train people not to click on suspicious links". The brutal reality: in 2025, phishing attacks are so sophisticated that they fool even cybersecurity experts. We're no longer talking about "Dear Sir, you've won 1 million euros" with 47 spelling mistakes sent from nigeriaprinc@yahoo.com. We're talking about perfectly worded e-mails, with your exact company logo, sent from a domain one letter off the original (mircosoft.com instead of microsoft.com), targeting the CFO by name with references to real projects in progress. The average success rate of a targeted corporate phishing campaign: 32% in 2024 (Verizon DBIR). One third of your employees will click. Whatever their level of training. The average cost of a successful phishing incident: 4.9 million euros (IBM Cost of a Data Breach 2024). This article debunks phishing myths, exposes real modern attack techniques (spoiler: you're not protected), calculates the ROI of different protection solutions, and above all explains why "user awareness" alone is a strategy doomed to failure. Because between ridiculous phishing tests that measure nothing and technical solutions sold as miracles, there's a defense-in-depth strategy that 90% of companies don't apply.
Phishing in 2025: sophistication no one can explain
Forget the Nigerian prince, here are the real threats
Spear phishing (targeted phishing)
Unlike mass phishing (10 million identical e-mails), spear phishing specifically targets an individual or small group with personalized information.
Real-life example: An HR manager receives an e-mail from her CEO (spoofed address): "Hi Sophie, I'm in a meeting with the board of directors until 5pm. Can you urgently prepare the Excel file of Q4 salaries for the audit? Send it to me in reply to this e-mail. Thank you, absolute discretion on this matter."
The mail contains:
- The HR manager's real first name
- A reference to a real audit in progress (public information from LinkedIn or the company website)
- The CEO's tone and signature (scraped from previous e-mails leaked in breaches)
- An urgent demand that creates stress
- The sender's address: pdg@votre-entreprise.com (a domain purchased for €8, with one letter swapped for a Cyrillic look-alike that is invisible to the naked eye)
Success rate: 45-60% on HR/Finance targets according to the FBI (IC3 Report 2024).
Business Email Compromise (BEC)
The attacker actually compromises a mailbox (phishing or credential stuffing). He observes the exchanges for 2-6 weeks (silent attack), identifies the payment processes and then, at the right moment, sends a transfer order from the REAL mailbox.
Case study 2024: French SME in the construction sector. The attacker compromises the accountant's mailbox via phishing, observes 3 weeks, identifies that a €230k transfer is planned to a supplier. The day before the transfer, sends an e-mail from the real accountant's mailbox, "I've changed bank, here's the new RIB". The transfer goes through. Total loss: 230k€ + 6 months of legal proceedings, money never recovered.
Global volume: $2.9 billion in losses reported to the FBI in 2023. +300% vs 2020.
Whaling
Ultra-targeted phishing attack on C-level executives. Attack preceded by OSINT (Open Source Intelligence) reconnaissance: LinkedIn, social networks, press interviews, company press releases.
Advanced technique: purchase of breach databases (e-mails + passwords from third-party services), then credential stuffing against Microsoft 365; if successful, the attacker has full access to the CEO's Outlook calendar and knows exactly when he is travelling, whom he is meeting and which projects are sensitive.
Clone Phishing
The attacker intercepts a legitimate e-mail (via prior compromise of a mailbox in the communication chain), creates an exact copy by simply replacing the link or attachment with a malicious version, and sends it back a few hours/days later with a message "Sorry, error in the previous file, here is the correct version".
Why it works: the victim has already received this e-mail and feels confident. They think it's a simple correction. Click-through rate: 65-70%.
QR Code phishing (Quishing)
New trend 2024-2025. A QR code in an "urgent" email (invoice, delivery, security update). The user scans with his smartphone. Problems:
- Anti-phishing solutions don't scan QR codes (impossible to detect)
- Personal smartphones often lack corporate protection
- URL behind QR code not visible before scanning
Volume: +587% of quishing attacks in 2024 vs. 2023 (Check Point).
Voice deepfake (AI-assisted vishing)
AI voice synthesis reproduces the CEO's voice from 3 seconds of audio (YouTube interview, corporate video). "Urgent" phone call to the CFO: "I'm at the customer's, I need a €150k transfer now to save the deal, I'll text you the RIB".
Real-life case 2024: UK energy company, voice deepfake of the CEO requesting a £220k transfer. The CFO recognized the voice, the intonations, even an inside joke. Transfer carried out. Fraud discovered 48 hours later.
Cost of creating a voice deepfake: €50 (online services available). Technical barrier = zero.
Social engineering techniques that break all training courses
The triple urgency
Creating a sense of urgency + authority + fear:
- "Your account will be suspended in 2 hours".
- "The CEO is expecting this document for a meeting in 30 minutes".
- "Security alert: suspicious activity detected, click to secure your account"
Why it works: under stress, the brain short-circuits rational thinking. The "take the time to check" training becomes inoperative.
Neuroscience studies: the prefrontal cortex (rational decision-making) is deactivated under acute stress. Decisions switch to automatic mode (limbic system). Result: we click.
Contextual abuse of trust
The attacker knows your professional background:
- "Further to our LinkedIn exchange last week..."
- "As discussed at the TechCrunch Paris conference..."
- "Your colleague Marie Dupont recommended that I contact you..."
Source of information: LinkedIn (99% of professionals disclose their company, function, projects), public Facebook (photos of conferences with visible company badges), Twitter/X posts mentioning events.
Average OSINT reconnaissance time for a targeted attack: 2-4 hours. Cost: €0.
The fake in-house helpdesk
Phone call: "Hello, IT department, we've detected an intrusion attempt on your account, to secure it, I need to verify your identity, can you give me your current password?"
Sophisticated variant: "We'll reset your password remotely, you'll receive a code by SMS, give it to me to finalize the procedure" (= the attacker attempts a connection, triggers the MFA, and obtains the code directly).
Success rate: 40% of employees give their password over the phone to someone claiming to be from IT (KnowBe4 2024 study).
Persistent (and costly) phishing myths
Myth 1: "Training is enough, users just need to be vigilant".
The reality: traditional training has a maximum effectiveness rate of 15-20%. After 6 months, 80% of learned behaviors are forgotten.
Behavioral studies:
- A trained user clicks on 28% of phishing attacks vs. 32% for an untrained user (non-significant difference)
- Under stress (project deadline, peak activity), even "expert" users click at 40%.
- Decision fatigue (end of day, after 50 emails processed) increases click rate by 60%.
Why training fails:
- Cognitive load: an employee processes 120 emails a day. Asking for a security analysis on each one = cognitively impossible
- False positives: anti-phishing tools also block legitimate e-mails. As a result, users bypass protections to work.
- Variability of attacks: training on "don't click on suspicious links" is useless when the link is https://microsoft.com-secure-login.verify-account.com (valid domain, valid SSL certificate).
The real figure: even among CISOs and cybersecurity experts, the click-through rate for sophisticated phishing exceeds 15% (Black Hat 2023).
Blunt conclusion: relying solely on human vigilance = accepting a 30% success rate for attackers.
Myth 2: "Internal phishing tests prove you're protected".
The problem: internal tests are 10x less sophisticated than real attacks.
Classic phishing test:
- Generic e-mail "Click here to reset your password".
- Obviously false domain (securite-entreprise.info)
- No customization
- Sent from a known tool (KnowBe4, Proofpoint)
Real attack:
- Personalized e-mail with name, position, references to real projects
- Domain 1 character from the original (micros0ft.com with a zero)
- Sent from a legitimate compromised server
- Content scraped from real internal communications
Perverse effect: users learn to detect tests, not real attacks. Feeling of false security.
Revealing figure: in a company where 5% click on internal tests, 35-40% click on a real sophisticated attack (Cofense 2024 study).
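The two deceptive-domain patterns above (the "microsoft.com-secure-login.verify-account.com" link from Myth 1 and the "micros0ft.com" / Cyrillic-letter domains from this section) can be checked mechanically rather than by eye. The following is an added example, not code from the article: it extracts the registrable domain a link actually lands on and then flags a brand name buried in a subdomain, digit/Cyrillic homoglyphs, and transposed letters. The public-suffix list, the protected-brand list and the confusables table are deliberately tiny stand-ins (assumptions for the demo); production code would load the real public-suffix list (for example through the tldextract package) and the Unicode confusables table.

```python
"""Where does a link really go, and does that domain imitate a protected brand?"""
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: a toy public-suffix list; production code loads the real list.
PUBLIC_SUFFIXES = {"com", "net", "org", "fr", "io", "co.uk"}

# Constructed list of domains the organisation wants to protect.
PROTECTED = {"microsoft.com", "votre-entreprise.com"}

# Look-alike characters mapped to the Latin letter they imitate (digits and
# Cyrillic letters). Short on purpose; the full confusables table is much longer.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def hostname(url: str) -> str:
    """Lower-cased host part of a URL or bare domain."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(url: str) -> str:
    """The domain a click actually lands on: the label just above the public suffix."""
    labels = hostname(url).split(".")
    for n in (2, 1):  # try two-label suffixes such as co.uk before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Collapse confusable characters so micros0ft.com and a Cyrillic-o
    microsoft.com both read as microsoft.com."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return plain.translate(CONFUSABLES)


def lookalike_verdict(url: str) -> dict:
    """Classify the link target against the protected brands."""
    host, dom = hostname(url), registrable_domain(url)
    if dom in PROTECTED:
        return {"domain": dom, "verdict": "legitimate"}
    dom_skel = skeleton(dom)
    if dom_skel in PROTECTED:
        return {"domain": dom, "verdict": "homoglyph", "imitates": dom_skel}
    host_skel = skeleton(host)
    for brand in PROTECTED:
        if brand.split(".")[0] in host_skel:  # brand name used as a subdomain decoy
            return {"domain": dom, "verdict": "brand_in_hostname", "imitates": brand}
    closest = max(PROTECTED, key=lambda b: SequenceMatcher(None, dom_skel, b).ratio())
    ratio = SequenceMatcher(None, dom_skel, closest).ratio()
    if ratio >= 0.85:  # one or two edits away from a protected brand
        return {"domain": dom, "verdict": "typosquat", "imitates": closest,
                "similarity": round(ratio, 2)}
    return {"domain": dom, "verdict": "unrelated"}


if __name__ == "__main__":
    for link in ("https://www.microsoft.com/login",
                 "https://microsoft.com-secure-login.verify-account.com/verify",
                 "https://micros0ft.com", "https://micr\u043esoft.com",
                 "https://mircosoft.com/reset", "https://example.org"):
        print(link, "->", lookalike_verdict(link))
```

The registrable-domain step is the one that matters most: a hostname can carry any brand name in its left-hand labels, but only the label directly above the public suffix says who registered it.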
Myth 3: "Antivirus and firewall protect us".
Detection rate of antivirus solutions on zero-day phishing: 35-45% (AV-Comparatives 2024). More than half get through.
Why?
- Phishing e-mails often contain NO malware (just a link to a seemingly legitimate web page).
- Phishing pages are hosted on compromised legitimate servers (hacked WordPress, misconfigured S3 bucket)
- URLs are generated on the fly and only live for 24-48 hours (no time to be blacklisted).
- Use of URL shortening services (bit.ly, tinyurl) bypasses analyses
SSL certificates: 80% of phishing pages have a valid SSL certificate (green padlock). Let's Encrypt delivers free certificates in 2 minutes, no legitimacy check required.
Myth 4: "We'll never be taken in, we're a small business with no interest".
The reality: 43% of cyber attacks target SMEs (Verizon DBIR 2024). Large corporations have huge security teams and budgets. SMBs don't.
Attacker's logic:
- SMEs = less protection = higher success rate
- SMEs = less controlled payment processes = easier BEC
- SME = supplier to major groups = gateway to the real target (supply chain attack)
Typical case: attack on an IT subcontractor of a major corporation. Compromise via phishing, then pivot to the end customer via existing VPN/RMM accesses.
Real-life examples:
- Kaseya (2021): RMM supplier compromised → 1,500 corporate customers affected
- SolarWinds (2020): build compromised → 18,000 customers infected
Conclusion: you're not a direct target, you're a springboard.
Myth 5: "MFA (double authentication) protects us completely".
MFA is good, but...
Attacks that bypass the MFA:
1. MFA Fatigue / Push Bombing: The attacker has the password (phishing, breach) and attempts to log in 50 times in 10 minutes. The user receives 50 push notifications "Approve sign-in?". Worn down, he finally approves "so that it stops".
Success rate: 20-30% (Cisco Duo Security 2024).
Real case: Uber (September 2022), complete compromise via MFA fatigue.
2. Session Hijacking / Cookie Theft: The attacker steals the session cookie after authentication, not the password. The user authenticates legitimately (MFA passed), the attacker steals the cookie (malware, intermediate phishing page) and reuses the active session.
Protection: only phishing-resistant MFA (FIDO2, passkeys, WebAuthn) protects. MFA by SMS, e-mail, or even a TOTP app = bypassable.
3. Adversary-in-the-Middle (AiTM): The attacker places a proxy page between the victim and the real site. The victim enters credentials + MFA code on the fake page, which relays them in real time to the real site, obtains the session and redirects the victim. Everything is transparent to the victim.
Open-source tools for AiTM: Evilginx2, Modlishka. Available free of charge. Setup time: 1h.
Success rate against conventional MFA: 70-80%.
Conclusion: MFA = necessary but not sufficient. Only MFA based on FIDO2/passkeys can withstand modern attacks.
The real cost of a phishing incident (and why no one calculates it beforehand)
Cost structure of an average incident
Scenario: 80-strong SME, compromised via phishing on CFO's mailbox
Phase 1: Detection and investigation (Week 1-2)
- In-house IT team: 60h x €60/h = €3,600
- External forensics provider: €15,000 (minimum for a basic investigation)
- Log analysis and scoping of the compromise
- Total Phase 1: €18,600
Phase 2: Containment and remediation (Week 3-4)
- Forced reset of all passwords (80 users x 30min x €60/h) = €2,400
- Complete reinstallation of 15 compromised workstations: 15h per workstation x €60/h = €13,500
- Microsoft 365 tenant reconfiguration: 20h = €1,200
- Total Phase 2: €17,100
Phase 3: Business interruption costs (3-5 days)
- 80 employees at 50% productivity for 4 days: 80 x €40/h x 8h x 4d x 50% = €51,200
- Customer impact (delivery delays, failure to reply to e-mails): estimated loss of sales €20,000
- Total Phase 3: €71,200
Phase 4: Regulatory and legal costs
- CNIL notification (if personal data exposed): €5,000 (lawyer + procedure)
- Potential GDPR fine: €0 to €20M or 4% of sales (depending on severity). Average SME: €15,000
- Cyber insurance deductible (not covered): €10,000
- Total Phase 4: €30,000
Phase 5: Post-incident compliance (Months 2-3)
- Deployment of advanced protection (EDR, reinforced anti-phishing): €25,000
- Mandatory employee training: 80 x 4h x €60 = €19,200
- Full security audit: €15,000
- Total Phase 5: €59,200
Phase 6: Indirect costs (6-12 months)
- Loss of customer confidence: -5% sales over 6 months = €50,000 (estimated)
- Increase in cyber-insurance premiums (+40%): €8,000/year
- Management time devoted to the crisis: 200 non-billable hours = €20,000
- Total Phase 6: €78,000
Total cost of an average phishing incident: €274,100
Decomposition:
- Direct technical costs: €35,700 (13%)
- Business interruption: €71,200 (26%)
- Regulatory/legal: €30,000 (11%)
- Compliance: €59,200 (22%)
- Indirect costs: €78,000 (28%)
Comparison: robust prevention investment = €30,000-50,000/year. ROI: avoiding ONE incident = 5-9x the cost of prevention.
Extreme cases (ransomware following phishing):
- Average cost: €4.9M (IBM 2024)
- Average recovery time: 287 days
- 60% of SMEs hit by ransomware close down within 6 months
The costs that no one quantifies (but which do exist)
Loss of intellectual property: A successful phishing attack on an R&D engineer = access to CAD files, current patents, product roadmap. Value: incalculable. Competitive advantage lost: permanent.
Brand damage: Notification "Your data has been exposed following a cyber attack" sent to 10,000 customers. Post-incident churn rate: +15% on average. Over 3 years: -30% recurring revenue.
Post-incident turnover: IT teams burn 80h/week for 2 months to manage the incident. Departure rate within 6 months of the incident: 40% (burnout, loss of confidence).
Loss of business deals: A prospect asks for your security certifications. You had an incident 6 months ago. Deal lost. Frequency: increases with supply chain security requirements (ISO 27001, SOC 2, etc.).
Real protections that work (and those that don't)
Tier 1: Essential technical protection (60-70% efficiency)
1. Advanced Email Gateway with behavioral analysis
NOT enough: classic antispam solutions (SpamAssassin, basic Exchange filters). Sophisticated phishing detection rate: 30-40%.
Effective solutions:
- Proofpoint Targeted Attack Protection: €12-25/user/month
- Mimecast Secure Email Gateway: €8-15/user/month
- Microsoft Defender for Office 365 Plan 2: included in M365 E5 or €4/user/month standalone
- Barracuda Email Protection: €5-10/user/month
Critical features:
- URL rewriting: rewriting clicked links for real-time analysis
- Automatic sandboxing of attachments (detonation in isolated environment)
- Strict SPF, DKIM and DMARC enforcement (rejection of unauthenticated mail)
- ML/AI for anomaly detection (tone change, unusual urgency, out-of-process requests)
Measured effectiveness: 65-75% of phishing attacks are blocked before reaching the mailbox.
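"Strict enforcement" of the authentication records is the item most often left half-done: a DMARC record with p=none or a SPF record ending in ~all exists but blocks nothing. The following is an added example, not code from the article or from any of the vendors named above: it parses SPF and DMARC TXT records and grades how much protection they actually provide. The record strings are constructed; a real check fetches the TXT records from DNS (for example with the dnspython package) before grading them.

```python
"""Grade the SPF and DMARC records a domain publishes."""


def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> tuple:
    """Return (grade, findings). 'strict' means spoofed mail is rejected outright."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no valid DMARC record: receivers apply no policy"]
    findings = []
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk instead of rejecting it")
    elif policy != "reject":
        findings.append(f"unknown policy p={policy}")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    if policy == "reject" and pct == 100:
        return "strict", findings
    return ("monitor" if policy == "none" else "partial"), findings


def _mechanism(term: str) -> str:
    """'~include:foo.com' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def grade_spf(record: str) -> tuple:
    """Return (grade, findings) from the 'all' qualifier and the DNS-lookup
    budget (RFC 7208 allows at most 10 lookup-triggering terms)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "missing", ["no valid SPF record"]
    findings = []
    lookups = sum(_mechanism(t) in LOOKUP_MECHANISMS for t in terms[1:])
    if lookups > 10:
        return "broken", [f"{lookups} DNS lookups exceed the limit of 10: receivers return permerror"]
    all_terms = [t for t in terms[1:] if _mechanism(t) == "all"]
    if not all_terms:
        if any(_mechanism(t) == "redirect" for t in terms[1:]):
            return "delegated", ["redirect= target not fetched in this demo (assumption)"]
        return "ineffective", ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "-":
        return "strict", findings
    if qualifier == "~":
        return "softfail", ["~all: receivers usually deliver spoofed mail with a flag, not reject it"]
    return "ineffective", [f"{qualifier}all: unlisted senders are accepted"]


if __name__ == "__main__":
    print(grade_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))   # constructed
    print(grade_spf("v=spf1 include:spf.protection.outlook.com ~all"))      # constructed
```

Grade "strict" on both records, with DKIM signing in place for every sending service, is the state the "rejection of unauthenticated mail" line above refers to; anything else means a spoofed "From: pdg@votre-entreprise.com" can still reach a mailbox.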
2. Phishing-resistant MFA (FIDO2/Passkeys)
Low MFA (avoid):
- SMS (SIM swapping, interception)
- Email (if mailbox compromised = MFA compromised)
- TOTP standard app (Microsoft Authenticator, Google Authenticator) = vulnerable to AiTM attacks
Strong MFA:
- FIDO2 hardware (YubiKey, Titan Security Key): €25-60/key
- Passkeys (device-bound biometrics): free on iOS 16+, Android 14+, Windows Hello
- Microsoft Authenticator in passwordless mode (no code, but contextual notification with connection details)
Protection rate: 99.9% against phishing (Google Security Blog, 2 billion accounts analyzed).
Deployment:
- YubiKey cost for 100 users: €4,000 (€40/key)
- Rollout time: 2-3 weeks
- Training: 1h/user
ROI: a single incident avoided (€275k) = 68x the cost of deployment.
3. EDR (Endpoint Detection & Response) with post-compromise protection
If a user clicks and downloads malware, the EDR detects and blocks abnormal behavior.
Solutions:
- CrowdStrike Falcon: €7-12/endpoint/month
- Microsoft Defender for Endpoint (Plan 2): included in M365 E5 or €5/endpoint/month
- SentinelOne: €6-10/endpoint/month
Protection:
- Block unsigned executables from %TEMP%, %APPDATA%.
- Data exfiltration detection (abnormal upload volume)
- Automatic isolation of the compromised station
Efficiency: reduces the impact of a compromise by 80%.
Tier 2: Ongoing training and realistic simulations (20-30% additional efficiency)
Annual 2-hour training = useless. Forgotten in 6 months.
Effective approach: weekly microlearning (5 min) + monthly simulations.
Platforms:
- KnowBe4: €20-35/user/year (market leader)
- Proofpoint Security Awareness Training: €15-25/user/year
- Terranova Security: €12-20/user/year
Contents:
- 3-5 min videos on real cases (not boring corporate content)
- Gamified quiz (rewards for correct answers)
- Customized phishing simulations (not the dumb tests that can be detected in 2 seconds)
Golden rule of simulations:
- Vary techniques (email, SMS, Teams, QR code)
- Gradually increasing sophistication
- NEVER punish users who click (it creates a culture of concealment)
- Use clicks as an immediate training opportunity (page explaining why it was a test and how to detect)
Measured effectiveness: after 12 months of continuous training, click-through rate reduced from 32% to 22% (30% improvement, no miracle).
Tier 3: Processes and governance (40-50% additional efficiency on BECs)
Out-of-band validation of critical requests
Mandatory rule: any transfer request >€10k, supplier RIB change, or bank data modification = validation through 2 different channels.
Example:
- Mail received: "RIB change for supplier payment".
- Mandatory action: phone call to the supplier (phone number in the directory, NOT the one in the e-mail) to confirm.
Effectiveness: blocks 90% of BECs (Business Email Compromise).
Cost: €0 (just a process). Time: 5 min per validation.
Segregation of privileges
- No standard user should have permanent local admin rights
- Temporary elevation only (Privileged Access Management)
- Separate admin and user accounts (NEVER read e-mail with an admin account)
Why: if a user account is phished, the attacker has no admin rights. He can't install malware, create persistence or pivot to other machines.
Monitoring abnormal behavior
Alerts to be configured:
- Connection from an unusual IP/country
- Massive file downloads (>500 MB in 1 hour)
- Automatic e-mail forwarding enabled (Outlook rule created by attacker)
- Modification of MFA parameters (deactivation, addition of a new device)
- Creation of suspicious mailbox rules ("move all mail containing 'invoice' to hidden folder")
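The alerts above are the post-compromise indicators that turn a phished account into a detected incident. The following is an added example, not from the article or from any SIEM vendor: it runs simple rules over Microsoft 365-style audit events and raises one alert per indicator (unusual sign-in country, hiding or forwarding inbox rules, mailbox forwarding, MFA method change, bulk download over 500 MB in an hour). The events are constructed and simplified (a real Unified Audit Log entry carries many more fields), an upstream IP-geolocation step is assumed to have filled the Country field, and the expected-country set is an assumption for the demo. The cmdlet and parameter names (New-InboxRule with ForwardTo / MoveToFolder / MarkAsRead, Set-Mailbox with ForwardingSmtpAddress) are the Exchange Online ones.

```python
"""Rule-based triage of audit events for the indicators of a phished mailbox."""
from collections import defaultdict
from datetime import datetime

EXPECTED_COUNTRIES = {"FR"}   # assumption: where this company's staff normally sign in from
DOWNLOAD_LIMIT_MB = 500       # threshold from the article: >500 MB in 1 hour

# Constructed sample events; the shapes mimic audit-log records but are simplified.
SAMPLE_EVENTS = [
    {"Time": "2025-03-03T08:02:00", "User": "sophie@example.com", "Operation": "UserLoggedIn", "Country": "FR"},
    {"Time": "2025-03-03T08:10:00", "User": "sophie@example.com", "Operation": "UserLoggedIn", "Country": "NG"},
    {"Time": "2025-03-03T08:12:00", "User": "sophie@example.com", "Operation": "New-InboxRule",
     "Parameters": {"Name": ".", "SubjectContainsWords": "invoice",
                    "MoveToFolder": "RSS Subscriptions", "MarkAsRead": "True"}},
    {"Time": "2025-03-03T08:13:00", "User": "sophie@example.com", "Operation": "Set-Mailbox",
     "Parameters": {"ForwardingSmtpAddress": "smtp:archive@example-mail.net",
                    "DeliverToMailboxAndForward": "True"}},
    {"Time": "2025-03-03T08:15:00", "User": "sophie@example.com", "Operation": "Update user.",
     "ModifiedProperties": ["StrongAuthenticationMethod"]},
    {"Time": "2025-03-03T08:20:00", "User": "sophie@example.com", "Operation": "FileDownloaded", "SizeMB": 300},
    {"Time": "2025-03-03T08:41:00", "User": "sophie@example.com", "Operation": "FileDownloaded", "SizeMB": 250},
    {"Time": "2025-03-03T09:05:00", "User": "marc@example.com", "Operation": "FileDownloaded", "SizeMB": 100},
]

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"MoveToFolder", "DeleteMessage", "MarkAsRead"}
MAILBOX_FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}
MFA_PROPERTIES = {"StrongAuthenticationMethod", "StrongAuthenticationPhoneAppDetail"}


def triage(events) -> list:
    """Return one alert dict per matched rule, in event order."""
    alerts = []
    hourly_download = defaultdict(int)   # (user, hour) -> MB downloaded so far
    flagged_hours = set()                # alert once per (user, hour), not per file
    for ev in events:
        op, user, params = ev["Operation"], ev["User"], ev.get("Parameters", {})
        if op == "UserLoggedIn" and ev.get("Country") not in EXPECTED_COUNTRIES:
            alerts.append({"rule": "login_unusual_country", "user": user, "detail": ev.get("Country")})
        elif op in ("New-InboxRule", "Set-InboxRule"):
            if FORWARD_PARAMS & set(params):
                alerts.append({"rule": "inbox_rule_forwarding", "user": user, "detail": params.get("Name")})
            elif HIDE_PARAMS & set(params):   # mail silently moved, deleted or marked read
                alerts.append({"rule": "inbox_rule_hiding_mail", "user": user,
                               "detail": params.get("SubjectContainsWords")})
        elif op == "Set-Mailbox" and MAILBOX_FORWARD_PARAMS & set(params):
            target = params.get("ForwardingSmtpAddress") or params.get("ForwardingAddress")
            alerts.append({"rule": "mailbox_forwarding", "user": user, "detail": target})
        elif op == "Update user." and MFA_PROPERTIES & set(ev.get("ModifiedProperties", [])):
            alerts.append({"rule": "mfa_method_changed", "user": user,
                           "detail": ",".join(ev["ModifiedProperties"])})
        elif op == "FileDownloaded":
            hour = datetime.fromisoformat(ev["Time"]).replace(minute=0, second=0)
            key = (user, hour)
            hourly_download[key] += ev["SizeMB"]
            if hourly_download[key] > DOWNLOAD_LIMIT_MB and key not in flagged_hours:
                flagged_hours.add(key)
                alerts.append({"rule": "bulk_download", "user": user,
                               "detail": f"{hourly_download[key]} MB in one hour"})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run over the sample, the five sophie@example.com events that follow the sign-in from an unexpected country each produce an alert, and the single 100 MB download by another user does not; the per-hour bucket is what lets the 300 MB + 250 MB pair cross the 500 MB line while neither file does alone.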
Tools:
- Microsoft 365 Defender (E5 included)
- Splunk SIEM: €150-300/GB indexed/month
- Elastic SIEM: free (open-source) or €95/user/month (cloud)
Bullshit protection that serves no purpose
❌ "ATTENTION EXTERNAL EMAIL" banners on all emails
Problem: habituation. After 1 week, users no longer see them (attentional blindness). Measured effectiveness: <5%.
❌ Block all clickable links in emails
Problem: unusable. 80% of work requires clicking on links (SharePoint, Salesforce, Jira, etc.). Massive circumvention by users = ineffective protection.
❌ Post "Beware of phishing" posters in offices
Efficiency: 0%. Nobody reads. And even if they do, it doesn't change behavior under stress.
❌ Silly phishing tests that are easy to detect
Example: "Click here to reset your password" sent from phishing-test@securityawareness.com.
Result: users learn to detect TESTS, not real attacks. A deadly false sense of security.
The realistic protection checklist by company size
SME <50 people (budget €5-10k/year)
Mandatory:
- Microsoft 365 Business Premium (€20/user/month): includes Defender for Office 365 Plan 1, MFA, basic protection
- KnowBe4 Starter training (€800/year for 50 users)
- YubiKey for the 5 most critical accounts (CEO, CFO, CIO): €200
- Out-of-band validation process for transfers >€5k: €0
Total: €5,000 first year + €12,000/year recurring = €17,000 year 1
Protection achieved: 70-75% of attacks blocked
Company 50-200 people (budget 15-35k€/year)
Mandatory:
- Microsoft 365 E3 (€23/user/month) + Defender for Office 365 Plan 2 (€4/user/month) = €27/user/month x 100 users = €32,400/year
- CrowdStrike EDR or Defender for Endpoint Plan 2 (€5/endpoint/month) = €6,000/year
- KnowBe4 Enterprise: €3,000/year
- YubiKey for top 20 critical users: €800
- Basic SIEM (Wazuh open-source): €5,000 setup
Total: €47,200/year
Protection achieved: 80-85% of attacks blocked, rapid detection (<24h) of compromises
Large company 200-1000+ people (budget 60-200k€/year)
Mandatory:
- Microsoft 365 E5 (€38/user/month) x 500 users = €228,000/year (includes Defender Plan 2, Cloud App Security, Advanced Threat Protection)
- or Proofpoint TAP (€20/user/month) = €120,000/year
- CrowdStrike Falcon Complete EDR (managed): €12/endpoint/month x 500 = €72,000/year
- Continuing education + monthly simulations: €25/user/year = €12,500/year
- YubiKey for 100% of users: €20,000 (one-shot)
- SIEM Splunk or Sentinel: €80,000/year
- 24/7 external SOC (if no in-house team): €150,000/year
Total: €300,000 - €500,000/year depending on choice
Protection achieved: 90-95% of attacks blocked, detection time <1h, automated response
Fatal mistakes in the event of an incident (and how not to make things worse)
Mistake 1: Panic and turn everything off immediately
Reflex: "We've been phished, let's cut it all off!"
Problem: you destroy forensic evidence. Volatile evidence in RAM disappears. It becomes impossible to know what the attacker has done, what data has been exfiltrated, or whether there are any backdoors.
Best practice:
- Isolate the compromised workstation from the network (physical disconnection or VLAN isolation)
- DO NOT switch it off (memory capture first)
- Call a forensics expert BEFORE taking any action
Mistake 2: Just reset the password of the compromised account
Why it's not enough: the attacker may have created:
- Email forwarding rules
- Authorized OAuth applications (permanent password-free access)
- A second admin account created
- Backdoors (scheduled tasks, registry run keys)
Best practice:
- Revoke ALL active sessions
- Delete all mailbox rules
- Audit authorized OAuth apps
- Full EDR scan of the workstation
- Reset password AND security questions
- Force MFA re-registration
Mistake 3: Failure to notify authorities/insurance company
GDPR obligation: CNIL notification within 72 hours if personal data exposed. Failure to notify = aggravated fine.
Cyber insurance: failure to notify immediately = refusal to cover (standard contract clause).
Best practice:
- CNIL notification within 72 hours (even if the investigation is not yet complete)
- Insurer notification within 24 hours
- Documentation of EVERYTHING (timeline, actions, communications)
Mistake 4: Hiding the incident from employees/customers
Problem:
- Employees continue to use compromised systems
- Customers discover the breach via the media = maximum loss of trust
- Legal obligation to notify (GDPR, NIS2)
Best practice:
- Immediate, transparent internal communication
- External communication if customer data affected (legal obligation + ethics)
- No downplaying ("minor incident"): the details always come out
Mistake 5: Not performing post-mortem analysis
Statistics: 60% of phishing victims are reattacked within 12 months (same vector).
Why: attackers know that the flaw has not been corrected (just the symptom).
Best practice:
- Mandatory post-mortem: how the attack succeeded, why protection failed, what improvements are needed
- Technical AND organizational remediation
- Red team penetration test within 3 months to validate corrections
Conclusion: Phishing isn't a user problem, it's a system problem.
Phishing is the most effective attack in 2025 because it exploits the human link, which will ALWAYS be the weakest. Blaming users who click is as absurd as blaming an unreinforced door when a burglar gets in.
Inconvenient truths:
- 32% average click-through rate on targeted phishing = NORMAL, not user failure
- Training alone reduces risk by a maximum of 15-20%, not 80%.
- Even security experts fall prey to sophisticated attacks
- Classic MFA (SMS, TOTP app) can be circumvented by motivated attackers
- An average incident costs €275k, i.e. 5-10x the annual prevention budget
The strategy that works:
- Defense in depth: Email Gateway + MFA FIDO2 + EDR (60-70% blocking)
- Ongoing training (not annual) with realistic simulations (+20-30%)
- Out-of-band validation process for critical actions (+40-50% on BEC)
- Monitoring and rapid response: detect in <24h, contain in <48h
Brutal ROI:
- Robust prevention: €20-50k/year depending on size
- A single incident: €275k on average, €4.9M if ransomware
- Payback: avoiding an incident every 5-10 years = already profitable
The fatal mistake: save €20k/year on email security and bet that you'll never be targeted. Attackers automate everything. You WILL be targeted. The question is not "if" but "when".
The blunt advice: if you don't have a FIDO2 MFA, no EDR, no advanced Email Gateway, and you're banking on "our users are trained", you have an 80% chance of being compromised within the next 12 months. That's not doom and gloom, it's statistics.
Never underestimate phishing. It's the gateway to 90% of ransomware, 100% of BECs, and the #1 cause of post-cyberattack SME bankruptcy.
Recommended next steps
- Flash audit: test your current protection with a real, sophisticated phishing test (not the dumb ones). Hire an external service provider.
- Calculate your incident cost: use the template provided, adapt it to your context. Compare with prevention costs.
- Deploy FIDO2 MFA on the 10 most critical accounts this week (not next month, this week)
- Activate Advanced Email Gateway: if you are on Microsoft 365, upgrade to E3+Defender Plan 2 minimum
- Create an out-of-band validation process for credit transfers: cost €0, 90% effectiveness against BECs
Phishing doesn't wait until you're ready. Start now, or pay €275k later.