This document discusses phishing techniques and strategies for both offense and defense. It begins by explaining why phishing works: it targets people, through social engineering, rather than machines. It gives examples of common and sophisticated phishing methods used to steal sensitive information or install malware, and debunks outdated advice for detecting phishes. The document then provides tips for crafting effective phishing campaigns, such as using tools to generate domains and obfuscate payloads. Lastly, it outlines defensive strategies such as monitoring domains for phishing, implementing email gateway protections, using endpoint security tools, and educating users through awareness training.