A fun anecdote: We once received continuous customer complaints that they were being phished, but we could never figure out the attack vector. The request logs for the phished accounts showed suspicious referral URLs in the headers, but when we visited those URLs, they appeared to be normal, legitimate websites that had nothing to do with us. It was only because one of our coworkers happened to be working from out of state that he was able to spot the discrepancy: the website would look identical to ours only when the requester's IP was not from our office location. Our investigation later revealed that the attacker had created an identical clone of our website and bought Google Ads to display it above ours. Both the ads and the website were geofenced, ensuring that requests from our office location would only see an innocent-looking page.