In 2022, a single phishing email sent to a Twilio employee led to the compromise of 163 customer accounts, including high-profile targets like Signal. The attacker didn't exploit a zero-day vulnerability or brute-force a password. They sent a text message that looked like it came from Twilio's IT department. That's it. Studying real phishing attack examples like this one is the fastest way to understand how social engineering actually works — and why it keeps working despite billions spent on security tools.
This post breaks down seven real-world phishing incidents, explains the specific techniques threat actors used, and gives you concrete steps to protect your organization. These aren't hypothetical scenarios. Every one of these happened to real companies with real security teams.
Why Real Phishing Attack Examples Matter More Than Theory
I've seen organizations pour money into firewalls and endpoint detection while ignoring the channel responsible for the majority of breaches. According to the Verizon 2024 Data Breach Investigations Report, phishing and pretexting via email accounted for over 40% of social engineering incidents. The human element was present in 68% of all breaches.
Theory won't prepare your employees for what lands in their inbox. Real phishing attack examples will. Let's get into them.
1. The Twilio Smishing Campaign (2022)
What Happened
Attackers sent SMS messages to current and former Twilio employees. The messages claimed employees needed to update their passwords or that their schedules had changed. Each message included a link to a convincing lookalike domain — something like "twilio-sso.com" — which captured credentials in real time.
The Technique: Smishing + Credential Theft
This wasn't email phishing. It was SMS-based phishing, or smishing. The attackers matched employee names to phone numbers, likely using publicly available data or a previous breach. Once they had credentials, they accessed internal systems and customer data for 163 accounts.
The Lesson
Phishing doesn't stop at email. Your security awareness training needs to cover SMS, voice calls, and messaging apps. If your phishing awareness training program only simulates email attacks, you're leaving a massive gap.
2. The Google and Facebook Invoice Scam ($100M+)
What Happened
Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas impersonated Quanta Computer, a real Taiwanese hardware manufacturer that did business with both Google and Facebook. He sent fraudulent invoices via email, complete with forged contracts, letters, and corporate stamps. Both companies paid — to the tune of over $100 million combined.
The Technique: Business Email Compromise (BEC)
This is a textbook BEC attack. No malware. No links. Just carefully crafted emails that exploited existing business relationships and internal processes that didn't verify payment changes. The FBI's IC3 reports consistently rank BEC as the costliest form of cybercrime, with losses exceeding $2.9 billion in 2023 alone.
The Lesson
Invoice and payment-redirect phishing targets finance teams specifically. If your accounts payable staff can't spot these, no email filter will save you. Out-of-band verification — picking up the phone and calling a known number — stops this attack cold.
3. The Sony Pictures Spear Phishing Attack (2014)
What Happened
Attackers believed to be linked to North Korea sent targeted spear phishing emails to Sony Pictures employees. The emails contained malicious attachments and links disguised as Apple ID verification messages. Once inside, the attackers deployed destructive malware that wiped systems, leaked unreleased films, and exposed tens of thousands of employees' personal data including Social Security numbers and salary information.
The Technique: Spear Phishing + Malware Deployment
The initial vector was a carefully crafted email tailored to specific employees. The threat actors did their homework — messages were personalized enough that recipients clicked. From there, lateral movement through the network was straightforward.
The Lesson
Spear phishing targets individuals, not organizations in bulk. Executives, IT admins, and HR staff are prime targets. Multi-factor authentication would have added a critical barrier, but in 2014, MFA adoption was far lower than it is today. In my experience, organizations that combine MFA with regular cybersecurity awareness training reduce their risk of successful spear phishing dramatically.
4. The Colonial Pipeline Ransomware Attack (2021)
What Happened
Colonial Pipeline, which supplies roughly 45% of the East Coast's fuel, was shut down by a ransomware attack attributed to the DarkSide group. The initial access point was a compromised VPN credential — a single password that had been exposed in a previous data breach and was not protected by multi-factor authentication.
The Technique: Credential Stuffing from Phished Data
While the initial credential theft may have originated from a prior phishing campaign or data breach, the reuse of that password without MFA gave attackers a direct path in. The company paid a $4.4 million ransom (much of which the FBI later recovered).
The Lesson
Phishing attack examples don't always end at the inbox. Stolen credentials circulate on dark web marketplaces for months or years. Password reuse turns a single successful phish into a skeleton key. Zero trust architecture — where no user or device is implicitly trusted — would have flagged the anomalous VPN login.
5. The Twitter Internal Tool Compromise (2020)
What Happened
A 17-year-old orchestrated a phone-based social engineering attack against Twitter employees. He called staff, posed as IT support, and convinced them to enter their credentials on a fake internal site. With those credentials, he accessed Twitter's internal admin tools and took over high-profile accounts, including those of Barack Obama, Elon Musk, and Apple, posting cryptocurrency scam messages.
The Technique: Vishing + Internal Tool Access
This was voice phishing, or vishing. The attacker didn't need sophisticated malware. He needed a convincing phone manner and knowledge of Twitter's internal processes. The damage was reputational and financial — the scam collected over $100,000 in Bitcoin before it was shut down.
The Lesson
Your employees are getting phone calls from people pretending to be IT support, vendors, and executives right now. If they haven't practiced responding to these scenarios, they'll fall for them. Phishing simulations that include vishing components are essential in 2026.
6. The Ubiquiti Networks Vendor Impersonation ($46.7M)
What Happened
In 2015, Ubiquiti Networks disclosed that attackers impersonated company executives and a vendor via email, requesting wire transfers to overseas accounts. The company lost $46.7 million. They later recovered approximately $15 million.
The Technique: CEO Fraud / Whaling
This is sometimes called "whaling" because the attacker impersonates a whale — a C-suite executive. The emails typically carry urgency: "This acquisition is confidential. Wire the funds immediately." Finance teams under pressure to respond quickly are the primary targets.
The Lesson
No single person should be able to authorize a large wire transfer based on an email alone. Dual-authorization controls and mandatory verbal confirmation over a pre-established phone number stop this attack. I've helped organizations implement these controls after incidents, and the pushback from executives who don't want to be "slowed down" is real. But $46.7 million buys a lot of patience.
7. The Microsoft 365 OAuth Phishing Wave (2022-2024)
What Happened
Across 2022 through 2024, CISA issued multiple advisories about campaigns exploiting OAuth consent flows in Microsoft 365. Attackers sent phishing emails asking users to grant permissions to a malicious app. Instead of stealing passwords, the attacker obtained an OAuth token — a persistent access credential that survives password changes and often bypasses MFA.
The Technique: Consent Phishing
This is one of the more sophisticated phishing attack examples on this list. The victim doesn't enter a password on a fake page. They click "Allow" on a legitimate Microsoft consent screen, granting a malicious app read access to their email, contacts, and files. Because the token is separate from the user's password, changing the password doesn't revoke access.
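Because a consent grant outlives a password reset, the defensive move is to review what apps have been granted, not just to reset credentials. The following is an added example, not code from the original post: it scores a constructed consent-grant export (the field names are assumptions, not the Microsoft Graph schema) and flags grants that combine mailbox or file scopes with persistent access from an unverified publisher.

```python
import json

# Constructed sample export of OAuth consent grants. Field names are assumed for
# this example; a real export would be mapped onto them first.
SAMPLE_GRANTS = json.dumps([
    {"app": "Contoso Expense", "publisher_verified": True,
     "scopes": ["User.Read", "offline_access"], "consent": "admin"},
    {"app": "Mail Backup Helper", "publisher_verified": False,
     "scopes": ["Mail.Read", "Files.Read.All", "offline_access"], "consent": "user"},
    {"app": "Calendar Sync", "publisher_verified": False,
     "scopes": ["Calendars.Read"], "consent": "user"},
])

# Scopes that hand an app the contents of mail, contacts or files.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read",
                    "Files.Read.All", "Files.ReadWrite.All"}


def risk_score(grant):
    """Return (score, risky_scopes) for one grant; higher means review first."""
    risky = HIGH_RISK_SCOPES.intersection(grant["scopes"])
    score = 2 * len(risky)
    if "offline_access" in grant["scopes"]:   # refresh token: access persists
        score += 2
    if not grant["publisher_verified"]:       # nobody vouches for the publisher
        score += 1
    if grant["consent"] == "user":            # no admin reviewed the request
        score += 1
    return score, sorted(risky)


def audit(export_json, threshold=4):
    """Parse the export and return the grants whose score meets the threshold."""
    findings = []
    for grant in json.loads(export_json):
        score, risky = risk_score(grant)
        if score >= threshold:
            findings.append({"app": grant["app"], "score": score,
                             "risky_scopes": risky})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(finding)   # the grant to revoke, with the scopes that drove the score
```

Revoking the grant itself is the remediation; a password change or session revocation leaves a flagged grant in place.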
The Lesson
Traditional phishing awareness training that focuses only on "don't click suspicious links" misses this entirely. Your people need to understand app consent screens and what granting permissions actually means. This is where ongoing training — not a once-a-year compliance video — makes the difference.
What Is the Most Common Type of Phishing Attack?
Email-based phishing remains the most common type by volume. These are bulk campaigns that impersonate banks, shipping companies, SaaS providers, or internal IT teams. They cast a wide net, hoping a small percentage of recipients will click a link or open an attachment. According to the Verizon DBIR, email is the delivery method in the vast majority of social engineering incidents, and the median time for a user to click a phishing link is under 60 seconds.
However, the fastest-growing categories are BEC, smishing, and consent phishing. Volume doesn't equal impact — a single successful BEC attack can cost more than ten thousand commodity phishing emails combined.
How to Use These Examples to Strengthen Your Defenses
Run Realistic Phishing Simulations
Generic "click this link to verify your account" simulations don't reflect the threat landscape in 2026. Your phishing simulation program should include BEC scenarios, OAuth consent phishing, and SMS-based attacks. Platforms that deliver ongoing, varied simulations build real muscle memory. Check out our phishing awareness training for organizations to see how scenario-based simulations work in practice.
Implement Multi-Factor Authentication Everywhere
MFA wouldn't have stopped every attack on this list, but it would have stopped Colonial Pipeline and made the Twilio breach significantly harder. Phishing-resistant MFA — hardware security keys or passkeys — is the gold standard. SMS-based MFA is better than nothing, but it's vulnerable to SIM swapping and interception.
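Why a passkey resists the lookalike-domain trick from the Twilio case is that the browser, not the page, writes the origin into the signed data and the authenticator binds the assertion to the relying-party ID. This added example (not code from the original post) shows the origin and rpIdHash checks from WebAuthn assertion verification; the signature check is omitted, and the domains example.com and example-sso.com are placeholders.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying party: the real login site and the origins it accepts.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Simulates the browser's clientDataJSON; the browser fills in origin itself."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """Simulates authenticatorData: sha256(rpId), flags (user present), counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"


def verify_assertion(expected_challenge: bytes, client_data: bytes, auth_data: bytes):
    """Return (ok, reason). Signature verification is left out on purpose."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:      # lookalike domains fail here
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"            # assertion was made for another RP
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    legit = verify_assertion(challenge, make_client_data(challenge, "https://example.com"),
                             make_authenticator_data("example.com"))
    phish = verify_assertion(challenge, make_client_data(challenge, "https://example-sso.com"),
                             make_authenticator_data("example-sso.com"))
    print("legit:", legit)
    print("lookalike:", phish)
```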
Adopt Zero Trust Principles
Zero trust means verifying every access request regardless of where it originates. If the Colonial Pipeline VPN had required device health checks and contextual authentication, a single stolen password wouldn't have been enough. NIST's Zero Trust Architecture guidelines (SP 800-207) provide a solid framework for getting started.
Train Finance Teams Separately
The Google/Facebook invoice scam and the Ubiquiti wire fraud both targeted finance. These teams need specific training on BEC, invoice fraud, and payment redirect attacks. They also need process controls — dual authorization, callback verification, and limits on email-only payment requests.
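The controls named for the Ubiquiti and Google/Facebook cases (dual authorization, callback to a number of record, no release on an email alone) can be encoded so the workflow cannot skip them. This is an added example, not the original post's or any vendor's code; the vendor record, phone numbers and the 10,000 dual-authorization limit are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed vendor master data: the callback number was recorded at onboarding
# and is never taken from an inbound request.
VENDOR_DIRECTORY = {"Acme Components Ltd": {"callback_phone": "+1-555-0100"}}
DUAL_AUTH_LIMIT = 10_000.0   # wires above this need two distinct approvers


@dataclass
class TransferRequest:
    vendor: str
    amount: float
    channel: str                        # "email", "vendor_portal", ...
    beneficiary_changed: bool           # request asks us to pay a new account
    phone_in_request: Optional[str] = None
    approvals: set = field(default_factory=set)
    callback_confirmed_via: Optional[str] = None


def approve(req: TransferRequest, approver: str) -> int:
    """Record an approval; a set, so one person approving twice still counts once."""
    req.approvals.add(approver)
    return len(req.approvals)


def confirm_callback(req: TransferRequest, dialed_number: str) -> None:
    """Record a verbal confirmation, accepted only if made to the number on file."""
    on_file = VENDOR_DIRECTORY.get(req.vendor, {}).get("callback_phone")
    if on_file is None or dialed_number != on_file:
        raise ValueError("callback must go to the number on file, not one in the request")
    req.callback_confirmed_via = dialed_number


def release_decision(req: TransferRequest):
    """Return (ok, reasons) listing every control still unmet."""
    reasons = []
    if req.vendor not in VENDOR_DIRECTORY:
        reasons.append("unknown vendor")
    if req.amount > DUAL_AUTH_LIMIT and len(req.approvals) < 2:
        reasons.append("dual authorization required")
    if (req.channel == "email" or req.beneficiary_changed) and req.callback_confirmed_via is None:
        reasons.append("verbal confirmation on the number of record required")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenario: an emailed "confidential acquisition" wire to a new account.
    req = TransferRequest("Acme Components Ltd", 2_500_000.0, "email", True, "+1-555-0199")
    print(release_decision(req))
```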
Make Security Awareness Continuous
Annual compliance training doesn't work. Threat actors evolve their techniques quarterly, sometimes weekly. Your training needs to keep pace. Our cybersecurity awareness training program delivers ongoing education that adapts to the current threat landscape, not last year's.
The Pattern Every Phishing Attack Shares
Every example on this list shares three elements: urgency, authority, and a plausible pretext. The attacker creates time pressure ("your password expires in 2 hours"), invokes authority ("this is from the CEO"), and wraps it in a context that makes sense to the recipient ("we use this vendor" or "IT just sent this").
Your employees don't need to become security experts. They need to recognize the emotional triggers that make them act before thinking. That's a trainable skill. But it requires practice, not just policies.
Every breach I've investigated started with someone who thought, "This looks legitimate." The organizations that fare best are the ones where employees have seen enough phishing attack examples — both real and simulated — that suspicion becomes a reflex. Build that reflex now, before the next email lands.