In March 2022, Okta confirmed that the Lapsus$ threat actor group had compromised a support engineer's account — and the initial access vector was social engineering. One employee, one credential, and suddenly a company trusted by thousands of organizations was in the headlines. If you think phishing only targets careless people at small companies, these phishing attack examples from real incidents should change your mind permanently.

This post breaks down seven documented phishing campaigns that led to massive breaches, regulatory action, or multimillion-dollar losses. I'm not going to give you hypothetical scenarios. Every example here is public record. And after each one, I'll show you exactly what went wrong and what your organization can do differently.

What Is a Phishing Attack, Really?

Before we dive into the examples, let's get precise. A phishing attack is a social engineering technique where an attacker impersonates a trusted entity — usually via email, SMS, or a fake website — to trick a target into revealing credentials, installing malware, or authorizing a fraudulent transaction.

According to the FBI IC3 2021 Internet Crime Report, phishing was the number one reported cybercrime category with 323,972 complaints. The adjusted losses from phishing, vishing, smishing, and pharming totaled over $44 million. And those are just the incidents people reported.

The Verizon 2022 Data Breach Investigations Report found that 82% of breaches involved a human element — and phishing was present in 36% of all breaches, up from 25% the prior year. The trend line is clear: threat actors are doubling down on humans because humans keep clicking.

Phishing Attack Examples From Real-World Breaches

1. The $100 Million Google and Facebook Invoice Scam (2013-2015)

Evaldas Rimasauskas, a Lithuanian national, sent phishing emails to employees at both Google and Facebook impersonating Quanta Computer, a legitimate hardware vendor both companies used. The emails included forged invoices, contracts, and letters that appeared to come from Quanta's executives.

Over two years, employees at both tech giants wired approximately $100 million to bank accounts controlled by Rimasauskas. He was arrested in 2017 and sentenced to five years in prison in 2019. The money was partially recovered.

What went wrong: No secondary verification process existed for large wire transfers. The attacker exploited the trust relationship between the companies and a known vendor. This is textbook business email compromise (BEC), and it remains one of the most expensive phishing attack examples in history.

2. The Crelan Bank BEC Attack — $75.8 Million (2016)

Belgian bank Crelan lost approximately $75.8 million (€70 million) after attackers used BEC phishing to impersonate a senior executive and authorize wire transfers. The fraud was only discovered during an internal audit.

What went wrong: Insufficient approval controls for high-value transfers, and no real-time anomaly detection for executive email behavior. When a single email can authorize tens of millions in transfers, your process is the vulnerability.

3. The Ubiquiti Networks Spear Phishing — $46.7 Million (2015)

Ubiquiti Networks disclosed in an SEC filing that employee impersonation and fraudulent requests targeting the company's finance department resulted in $46.7 million in losses through wire transfers to overseas accounts held by third parties. The attacker used spear phishing to impersonate executives.

What went wrong: The finance team processed transfer requests that appeared to come from executives without out-of-band verification. I've seen this pattern dozens of times in my career — the bigger the organization, the more people assume someone else already verified the request.

4. The Twitter Internal Tool Compromise (2020)

In July 2020, attackers used phone-based social engineering — specifically vishing — to target Twitter employees. They called employees posing as IT staff, directing them to a credential-harvesting phishing site that mimicked Twitter's internal VPN login page. Once inside, the attackers accessed an internal admin tool and took over 130 high-profile accounts including Barack Obama, Elon Musk, and Apple.

The attackers used those accounts to post a Bitcoin scam that netted roughly $120,000. But the real damage was reputational. The FTC and multiple congressional committees demanded answers.

What went wrong: Twitter employees fell for vishing — a voice-based phishing variant. Multi-factor authentication existed but was bypassed because the attackers obtained credentials to internal tools that had elevated privileges. The lesson here: even sophisticated tech companies with security teams get breached through their people.

5. The RSA SecurID Breach (2011)

This one still gets discussed in security circles over a decade later. Attackers sent phishing emails to small groups of RSA employees with the subject line "2011 Recruitment Plan." The emails contained an Excel spreadsheet with an embedded Flash zero-day exploit (CVE-2011-0609).

One employee opened it. That single action led to the compromise of RSA's SecurID two-factor authentication product data, which in turn put RSA's clients — including defense contractors like Lockheed Martin — at risk. RSA's parent company EMC reported spending $66 million on remediation.

What went wrong: A well-crafted spear phishing email exploited human curiosity. The attacker combined social engineering with a zero-day exploit. Even if your email filters catch 99% of phishing, the 1% that gets through can be catastrophic if employees aren't trained to recognize it.

6. The Anthem Health Data Breach — 78.8 Million Records (2015)

Anthem, the second-largest health insurer in the United States, suffered one of the largest healthcare data breaches ever. The attack started with spear phishing emails sent to a subsidiary. At least one employee clicked a malicious link, which gave attackers a foothold. From there, they escalated privileges and eventually exfiltrated names, Social Security numbers, and medical IDs for 78.8 million people.

Anthem later settled with the HHS Office for Civil Rights for $16 million — the largest HIPAA settlement at that time — and paid an additional $115 million to settle a class action lawsuit.

What went wrong: The initial compromise was a phishing email. Once inside, the attackers found unencrypted data and insufficient network segmentation. This is one of the most consequential phishing attack examples in the healthcare sector.

7. The Colonial Pipeline Ransomware Incident (2021)

Colonial Pipeline, which supplies roughly 45% of fuel to the U.S. East Coast, was hit by the DarkSide ransomware group in May 2021. Initial access involved a compromised VPN credential, and investigators believe that credential was likely stolen, potentially via a phishing attack or credential stuffing from a previous breach. The password appeared in a dark web dump.

Colonial paid a $4.4 million ransom (about $2.3 million was later recovered by the DOJ). The real cost was the fuel panic, the six-day pipeline shutdown, and a complete reassessment of critical infrastructure cybersecurity across the country. CISA published detailed guidance in the aftermath.

What went wrong: A single compromised credential — without multi-factor authentication — gave attackers access to the network. Whether the credential was phished directly or harvested from a prior breach, the result was the same. No MFA, no segmentation, and a ransomware attack that disrupted millions of lives.

The Pattern Every Phishing Attack Shares

After analyzing hundreds of these incidents, I see the same failure chain repeated:

  • Step 1: An attacker crafts a convincing message targeting a specific person or role.
  • Step 2: The target takes an action — clicking a link, opening an attachment, entering credentials, or authorizing a payment.
  • Step 3: The organization's technical controls fail to catch the compromise in time.
  • Step 4: The attacker moves laterally, escalates privileges, or exfiltrates data before anyone notices.

Technology alone doesn't break this chain. Your people have to be the first line of defense, and that means giving them realistic phishing awareness training that mirrors exactly how these attacks work in the real world.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2021 Cost of a Data Breach Report put the average total cost of a data breach at $4.24 million globally. But breaches where phishing was the initial attack vector averaged $4.65 million. For organizations without security awareness programs, those numbers climb even higher.

Here's what actually reduces costs: security awareness training combined with phishing simulation programs. Organizations that run regular phishing simulations and train employees to recognize social engineering attacks cut their risk of a successful breach dramatically. The same IBM report found that organizations with mature incident response teams and tested security programs saved over $2 million per breach compared to those without.

If you haven't already enrolled your team in cybersecurity awareness training, the math is simple. Training costs a fraction of what a single successful phishing attack costs your business.

How to Protect Your Organization Right Now

Deploy Multi-Factor Authentication Everywhere

Colonial Pipeline, Twitter, and countless others were compromised because attackers only needed one credential. Multi-factor authentication (MFA) stops the majority of credential theft attacks cold. Implement it on every external-facing system, VPN, email platform, and admin console. No exceptions.

Run Regular Phishing Simulations

You can't know how your employees will respond to phishing until you test them. Run monthly simulations that replicate current real-world tactics — invoice fraud, credential harvesting pages, CEO impersonation, package delivery lures. Track click rates, report rates, and time-to-report. Improvement should be measurable.
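
Here is one way to compute those three numbers from raw simulation events. This is an added example, not code from any particular simulation platform; the event tuple layout, campaign name, and recipients are constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed simulation events: (campaign, recipient, event, timestamp).
EVENTS = [
    ("2022-05-invoice", "alice", "delivered", "2022-05-02T09:00:00"),
    ("2022-05-invoice", "alice", "clicked",   "2022-05-02T09:04:00"),
    ("2022-05-invoice", "alice", "reported",  "2022-05-02T09:30:00"),
    ("2022-05-invoice", "bob",   "delivered", "2022-05-02T09:00:00"),
    ("2022-05-invoice", "bob",   "reported",  "2022-05-02T09:10:00"),
    ("2022-05-invoice", "carol", "delivered", "2022-05-02T09:00:00"),
    ("2022-05-invoice", "carol", "clicked",   "2022-05-02T11:00:00"),
    ("2022-05-invoice", "dave",  "delivered", "2022-05-02T09:00:00"),
]


def campaign_metrics(events, campaign):
    """Click rate, report rate and median time-to-report for one campaign."""
    first = {}  # (recipient, event) -> earliest time that event was seen
    for camp, who, event, ts in events:
        if camp != campaign:
            continue
        when = datetime.fromisoformat(ts)
        key = (who, event)
        if key not in first or when < first[key]:
            first[key] = when  # repeat clicks or reports count once
    delivered = {who for who, event in first if event == "delivered"}
    if not delivered:
        raise ValueError(f"no deliveries recorded for {campaign!r}")
    # Only count actions by people the lure actually reached.
    clicked = {w for w, e in first if e == "clicked"} & delivered
    reported = {w for w, e in first if e == "reported"} & delivered
    minutes = [
        (first[w, "reported"] - first[w, "delivered"]).total_seconds() / 60
        for w in reported
    ]
    return {
        "click_rate": len(clicked) / len(delivered),
        "report_rate": len(reported) / len(delivered),
        # Clicked and stayed silent: the gap a reporting culture must close.
        "clicked_not_reported": sorted(clicked - reported),
        "median_minutes_to_report": median(minutes) if minutes else None,
    }
```

Run it per campaign and compare month over month; a falling click rate with a flat report rate means people are ignoring lures rather than reporting them.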

Implement a Zero Trust Architecture

Zero trust assumes that every user, device, and connection is potentially compromised. Even if a phishing attack succeeds and an attacker gets a credential, zero trust principles like least-privilege access, microsegmentation, and continuous verification limit how far that attacker can move. NIST SP 800-207 provides the framework to get started.

Verify Financial Requests Out of Band

Every single BEC example in this post — Google, Facebook, Crelan, Ubiquiti — could have been stopped with one phone call. Require verbal or in-person confirmation for wire transfers above a threshold. Use a known phone number, not the one in the email. This one process change can save your organization millions.
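
The callback rule above can be enforced in the payment workflow instead of left to memory. The sketch below is an added example, not any vendor's or bank's actual control: the vendor record, threshold, and field names are constructed, and it goes slightly beyond the text by also requiring a callback whenever the destination account differs from the one on file and by refusing self-verification.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed vendor master record. The phone number and account on file
# come from onboarding, never from the email or invoice under review.
VENDOR_MASTER = {
    "V-1001": {"phone": "+1-555-0100", "account": "ACCT-0001"},
}
CALLBACK_THRESHOLD = 10_000  # assumed policy threshold


@dataclass
class Callback:
    verifier: str       # employee who placed the call
    number_dialed: str  # number that was actually dialed


@dataclass
class WireRequest:
    vendor_id: str
    amount: float
    dest_account: str
    requester: str
    callback: Optional[Callback] = None


def review_wire(req: WireRequest) -> List[str]:
    """Return reasons to hold the transfer; an empty list means release."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["vendor not in master file"]
    # New payment details are the invoice-fraud signal, whatever the amount.
    account_changed = req.dest_account != vendor["account"]
    if req.amount < CALLBACK_THRESHOLD and not account_changed:
        return []
    if req.callback is None:
        why = ("destination account changed" if account_changed
               else "amount at or above threshold")
        return [f"callback required: {why}"]
    holds = []
    if req.callback.number_dialed != vendor["phone"]:
        holds.append("callback used a number that is not on file")
    if req.callback.verifier == req.requester:
        holds.append("requester cannot verify their own request")
    return holds
```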

Build a Reporting Culture

Your employees need to feel safe reporting suspicious emails, even if they already clicked. Punishing employees for falling for phishing drives incidents underground. Reward reporting speed instead. The faster you know about a compromise, the faster you contain it.

What Makes 2022 Phishing Attacks Different

The phishing landscape in 2022 has evolved significantly. I'm seeing three trends that make these attacks harder to detect than ever:

Adversary-in-the-middle (AiTM) phishing: Attackers now use reverse proxy toolkits like Evilginx2 to intercept MFA tokens in real time. The victim enters their credentials and MFA code on what looks like a legitimate Microsoft 365 login page, and the attacker captures the session cookie. MFA helps, but it's not bulletproof against this technique.

Phishing-as-a-Service: Underground marketplaces now sell phishing kits as subscription services, complete with hosting, templates, and evasion techniques. The barrier to entry for launching a sophisticated phishing campaign has never been lower.

Multi-channel attacks: Threat actors combine email phishing with SMS (smishing), voice calls (vishing), and even direct messages on platforms like LinkedIn and Slack. The Twitter breach demonstrated how effective voice-based social engineering can be.

These trends mean your defenses need to evolve too. Static email filters aren't enough. Your people need ongoing, updated security awareness training that covers the latest tactics — not a once-a-year compliance checkbox.
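
Because AiTM phishing ends with a stolen session cookie rather than a stolen password, one place to look for it is in how a session is used after MFA succeeds. The following is an added detection sketch, not part of any product: the log schema, event names, and addresses are constructed, and the per-user address baseline is an assumption.

```python
from collections import defaultdict

# Constructed sign-in and activity records; the field names are an assumed
# schema, not that of any specific identity provider.
LOG = [
    {"ts": "2022-06-01T10:00:05", "user": "alice", "session": "s-1",
     "event": "login_mfa_ok", "ip": "203.0.113.10", "ua": "Chrome/102"},
    {"ts": "2022-06-01T10:02:00", "user": "alice", "session": "s-1",
     "event": "mail_read", "ip": "203.0.113.10", "ua": "Chrome/102"},
    {"ts": "2022-06-01T11:15:00", "user": "bob", "session": "s-2",
     "event": "login_mfa_ok", "ip": "198.51.100.7", "ua": "Chrome/102"},
    {"ts": "2022-06-01T11:16:30", "user": "bob", "session": "s-2",
     "event": "inbox_rule_created", "ip": "192.0.2.44", "ua": "Firefox/91"},
]
# Addresses each user has signed in from before (constructed baseline).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}

NEW_ADDRESS = "login from an address not seen before for this user"
CLIENT_CHANGED = "session used by a different client than the one that passed MFA"
NO_LOGIN = "session activity with no recorded login"


def find_suspect_sessions(log, known_ips):
    """Map session id -> sorted reasons it deserves analyst triage."""
    origin = {}  # session -> (ip, user agent) that completed MFA
    findings = defaultdict(set)
    for rec in sorted(log, key=lambda r: r["ts"]):
        sid, client = rec["session"], (rec["ip"], rec["ua"])
        if rec["event"] == "login_mfa_ok":
            origin[sid] = client
            if rec["ip"] not in known_ips.get(rec["user"], set()):
                findings[sid].add(NEW_ADDRESS)
        elif sid not in origin:
            findings[sid].add(NO_LOGIN)
        elif client != origin[sid]:
            # A relayed sign-in followed by cookie reuse elsewhere looks like
            # this. Roaming users trigger it too, so treat it as a signal.
            findings[sid].add(CLIENT_CHANGED)
    return {sid: sorted(reasons) for sid, reasons in findings.items()}
```

On the sample data only bob's session is flagged, for both reasons; alice's session stays on the client that passed MFA and produces no finding.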

Your Next Step

Every one of these phishing attack examples started with a single person making a single decision. The attacker's entire strategy depends on that moment. Your job is to make sure your people recognize it.

Start with phishing awareness training that uses real-world scenarios — not generic slides. Then build the technical controls around your people: MFA, zero trust, network segmentation, and verified financial processes.

The organizations that survive phishing attacks aren't the ones with the biggest security budgets. They're the ones where every employee knows what a phishing email looks like — and reports it before the damage is done.