Phishing is still a real threat, and has evolved into dangerous forms such as spear-phishing and whaling. In the past, phishing was primarily viewed as a consumer problem, but today phishing attacks have direct financial and reputational impact on businesses. Targeted attacks are commonly initiated through sophisticated phishing campaigns to harvest credentials or to deliver payloads such as ransomware. Often organizations ignore or minimize phishing assuming for their spam filter alone can detect phishing or that employees can easily tell; neither is true. This paper looks at challenges an organization faces in staying ahead of phishing.