Author Topic: Rosenstein Confirms DNC Server Was Not Hacked – Emails Were Obtained Through “Spear Phishing” Scam  (Read 2019 times)


Offline ABX

  • Hero Member
  • *****
  • Posts: 900
  • Words full of sound and fury, signifying nothing.
Bullshit. It's voluntarily handing out information to people. You are trying to argue that people in this day and age are oblivious to dangerous emails. That is absurd. It is also absurd that an organization the size of the Rats didn't have protection against this.

I cited my source.

Offline ABX

Some of them are quite sophisticated. Sometimes the email appears to come from an internal email address or from that of a customer or vendor. I got one while working for a manufacturing company that appeared to be from our CFO; they spoofed his email address, complete with his email signature line, requesting that I send an urgent wire transfer, the details of which were in an attached Word doc, likely with an executable macro containing the malware or keylogger.

Of course I opened nothing, clicked on nothing and reported it to IT. What tipped me off was that I was in Payroll and wouldn't be the person to initiate a wire transfer. I would also get emails that appeared to be from ADP requesting my urgent attention to some past due invoices, but were executable files. Again, I knew enough not to open, but a gal in our AP department got one and did. Fortunately she called me about the alleged past due invoices and I alerted IT.


It happens a lot more than people think and again, it's not like the old days when these emails were in broken English or obviously scams.

The hackers targeting companies and organizations need only get a directory of employees, their job titles, company logo, often all available via the org's website, to come up with a convincing-looking email.

Due to the extremely sensitive nature of a lot of what we work with, my company does random phishing tests on employees and rewards those who report the attempts back to IT security. If someone fails and clicks a link in a test email, they aren't punished but it is a training opportunity. Phishing hacks are tested and trained with us more than fire drills (I can't even remember the last time we had one of those).