One Email Cost This Company $100 Million

In 2019, Toyota Boshoku Corporation — a major Toyota parts supplier — lost $37 million after an employee wired funds to a fraudster posing as a legitimate business partner. That same year, Nikkei's American subsidiary lost $29 million to a nearly identical scheme. These aren't hypotheticals from a training slide. These are phishing attack examples that destroyed balance sheets and ended careers.

I've spent years analyzing breach post-mortems, and the pattern is always the same. A well-crafted email. A moment of trust. A catastrophic financial or data loss. This post walks through seven real-world phishing attack examples — not theoretical scenarios, but documented incidents — so you can see exactly how threat actors operate and what your organization can do to avoid becoming the next case study.

What Makes Phishing So Devastatingly Effective?

The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element, including social engineering and phishing. That number has barely moved in years. Attackers don't need zero-day exploits when a convincing email will do.

Phishing works because it exploits trust, urgency, and authority — not software vulnerabilities. A threat actor impersonating your CEO at 4:55 PM on a Friday, requesting an urgent wire transfer, is leveraging psychology. Your firewall can't stop an employee from clicking.

Here's what I tell every CISO I work with: your technical controls are only as strong as the person reading the email. That's why phishing awareness training for organizations isn't optional — it's your most cost-effective layer of defense.

7 Real Phishing Attack Examples That Made Headlines

1. Google and Facebook: The $121 Million Fake Invoice Scam

Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas sent fraudulent invoices to Google and Facebook, impersonating the Taiwanese hardware manufacturer Quanta Computer. Both companies paid. Google lost approximately $23 million. Facebook lost around $98 million. The scam was a textbook business email compromise (BEC) attack — no malware, no exploits, just forged invoices and spoofed email addresses.

The lesson: even the most sophisticated tech companies on Earth fell for a social engineering attack. If Google's accounts payable team can be fooled, so can yours.

2. Ubiquiti Networks: $46.7 Million Wire Fraud

In 2015, Ubiquiti Networks disclosed that employee impersonation and fraudulent requests targeting the finance department resulted in $46.7 million in transfers to overseas accounts held by third parties. The attackers used spoofed emails from executives — a technique called CEO fraud or whaling. Ubiquiti eventually recovered about $15 million. The rest vanished.

This is one of the most cited phishing attack examples in the industry because it demonstrates how credential theft and impersonation can bypass every technical control you own.

3. Anthem Health Insurance: 78.8 Million Records Stolen

In February 2015, health insurer Anthem revealed a data breach affecting 78.8 million individuals — one of the largest healthcare breaches in history. The attack began with spear-phishing emails sent to a handful of employees. At least one clicked. Attackers gained access to a database containing names, Social Security numbers, medical IDs, and employment information.

The phishing emails were reportedly crafted to look like internal communications. No ransomware was deployed. The attackers just needed a foothold, and a phishing email gave them one. Anthem eventually settled for $115 million in a class-action lawsuit.

4. Sony Pictures: The Breach That Changed Hollywood

In November 2014, attackers — later attributed to North Korea by the FBI — breached Sony Pictures Entertainment. The initial access vector included phishing emails sent to Sony employees. The aftermath was devastating: unreleased films leaked, executive emails published, employee Social Security numbers exposed, and an estimated $100 million in damages.

This breach is a stark reminder that phishing isn't just about money. It's about operational destruction, reputational damage, and even geopolitical conflict.

5. RSA Security: Breaching the Security Company

In 2011, RSA — the company that made SecurID tokens used by millions — was breached via a phishing email. An employee opened an Excel attachment titled "2011 Recruitment Plan." The file contained a zero-day exploit that installed a backdoor. Attackers ultimately stole data related to RSA's SecurID two-factor authentication products, potentially compromising every customer using them.

I reference this case constantly because it demolishes the myth that security companies are immune. The attack surface is human, and even security professionals can be deceived.

6. Colonial Pipeline: Ransomware from a Single Credential

In May 2021, Colonial Pipeline — which supplies roughly 45% of the East Coast's fuel — shut down operations after a ransomware attack. While the exact initial access is debated, investigators determined that a compromised credential for a legacy VPN account without multi-factor authentication played a key role. Whether that credential was phished or harvested from a previous breach, the lack of MFA made exploitation trivial.

Colonial paid a $4.4 million ransom (the DOJ later recovered about $2.3 million). Gas stations across the Southeast ran dry. This is what happens when credential theft meets an environment with no zero trust principles in place.

7. Twilio: The 2022 Smishing Campaign

In August 2022, cloud communications company Twilio disclosed that attackers used SMS phishing — "smishing" — to trick employees into providing credentials. The text messages impersonated Twilio's IT department, directing employees to a fake login page. Attackers accessed data for 163 Twilio customers, and the attack cascaded to other companies including Signal.

This example matters because it shows phishing has evolved beyond email. SMS, voice calls (vishing), and messaging apps are all attack vectors now. Your security awareness program needs to cover them all.

What Do These Phishing Attack Examples Have in Common?

After analyzing hundreds of breaches, I see the same five factors in nearly every phishing-driven incident:

  • No multi-factor authentication: Stolen credentials are useless if MFA blocks the login. Colonial Pipeline, Twilio, and countless others were breached partly because MFA was missing or poorly implemented.
  • Lack of verification procedures: The Google/Facebook and Ubiquiti attacks succeeded because no one picked up the phone to verify a wire transfer request.
  • Insufficient employee training: At Anthem and RSA, a single employee clicking one email opened the door to catastrophic breaches. Regular cybersecurity awareness training directly reduces that risk.
  • Excessive trust in email: Email was never designed to be a secure communication channel. Treat every unexpected request with suspicion.
  • Flat network architectures: Once attackers got in, they moved laterally with ease. Zero trust architectures limit blast radius.

How Do Phishing Attacks Work? A Quick Breakdown

A phishing attack follows a predictable lifecycle. The threat actor researches the target, crafts a convincing message (email, SMS, or voice call), and delivers it to the victim. The message typically creates urgency — "Your account will be locked," "The CEO needs this transfer now," or "HR requires you to update your benefits."

The victim clicks a malicious link, opens a weaponized attachment, or enters credentials on a spoofed login page. That single action gives the attacker a foothold: a valid credential, a malware implant, or access to a sensitive system. From there, the attacker escalates privileges, exfiltrates data, deploys ransomware, or initiates fraudulent transactions.

The entire chain — from email to breach — can take less than 60 seconds. According to the CISA StopRansomware initiative, phishing remains one of the top initial access vectors for ransomware deployment in 2024.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2023 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.45 million — the highest figure recorded at that time. Phishing was the second most common initial attack vector and carried an average cost of $4.76 million per incident. For organizations without security AI and automation, costs climbed even higher.

Here's what frustrates me: every one of those dollars is largely preventable. Not entirely — no defense is perfect — but dramatically reducible. Organizations that implemented security awareness training, phishing simulations, and incident response planning cut their breach costs significantly.

The FBI's Internet Crime Complaint Center (IC3) reported over $2.7 billion in losses from BEC attacks alone in 2022. BEC is just one type of phishing. The total economic impact of phishing across all categories is staggering.

How to Protect Your Organization: Practical Steps That Actually Work

Deploy Multi-Factor Authentication Everywhere

This is non-negotiable in 2024. Every externally facing application, VPN, email system, and cloud service needs MFA. Not SMS-based MFA if you can avoid it — use FIDO2 security keys or authenticator apps. The Colonial Pipeline breach could have been prevented with this single control.

Run Realistic Phishing Simulations

Simulated phishing campaigns are the closest thing to a fire drill for your inbox. They identify employees who are susceptible, provide immediate training at the moment of failure, and build organizational muscle memory. I recommend monthly simulations with varied scenarios: BEC, credential harvesting, malicious attachments, and smishing. Our phishing awareness training for organizations includes simulation frameworks you can implement immediately.

Establish Out-of-Band Verification for Financial Requests

Any request to transfer funds, change banking details, or share sensitive data should require verification through a separate channel. If you get an email from the CFO requesting a wire transfer, call the CFO directly on a known phone number. This single policy would have stopped the Google/Facebook, Ubiquiti, and Toyota scams cold.
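As an added example (not code from the original post), here is a Python check that applies the BEC signals behind the "excessive trust in email" factor above and this verification policy to a constructed message: an executive's display name on a foreign mailbox, an external or lookalike sender domain, a Reply-To pointing somewhere else, and finance-plus-urgency wording. The internal domain, executive roster and both sample emails are hypothetical; any message that asks for money or data and carries a spoofing signal is routed to out-of-band verification rather than actioned from the inbox.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
# Hypothetical internal domain and executive roster, assumed for this example.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"pat chen": "pat.chen@example.com"}  # lowercased display name -> real mailbox
FINANCE = re.compile(r"\b(wire|transfer|invoice|bank details?|payment)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today)\b", re.I)
def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
def is_lookalike(domain):
    # Near-miss of the internal domain (examp1e.com, exarnple.com), but not the domain itself.
    return domain != INTERNAL_DOMAIN and SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio() >= 0.8

def bec_indicators(raw):
    """Return (indicator names, True if the request must be verified out of band)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    known = EXECUTIVES.get(name.strip().lower())  # real mailbox if the display name is an exec's
    checks = {
        "display_name_impersonation": bool(known) and addr.lower() != known,
        "external_sender": bool(from_dom) and from_dom != INTERNAL_DOMAIN,
        "lookalike_domain": is_lookalike(from_dom) or is_lookalike(reply_dom),
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,  # replies rerouted
        "finance_request": bool(FINANCE.search(text)),
        "urgency_language": bool(URGENCY.search(text)),
    }
    hits = {k for k, v in checks.items() if v}
    # Policy: a money/data request carrying any spoofing signal is never actioned from the mailbox.
    return hits, "finance_request" in hits and bool(hits - {"finance_request", "urgency_language"})

# Constructed sample messages for the example (not real mail).
SPOOFED = """\
From: Pat Chen <pat.chen@examp1e.com>
Reply-To: pat.chen@mail-example.net
Subject: Urgent wire transfer - vendor invoice

I need this wire transfer processed today. I'm in meetings, so just reply by email.
"""
LEGIT = """\
From: Pat Chen <pat.chen@example.com>
Subject: Q3 budget slides

Attached are the slides for Thursday's review.
"""
```

Running `bec_indicators(SPOOFED)` returns all six indicators and `True`, while the legitimate message returns an empty set and `False`; in a mail gateway the `True` branch would tag the message and open a verification ticket instead of letting accounts payable act on it.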

Implement Zero Trust Architecture

Zero trust means "never trust, always verify." Every access request is authenticated, authorized, and encrypted — regardless of where it originates. Even if a phishing attack compromises one credential, zero trust limits what the attacker can reach. NIST Special Publication 800-207 provides the foundational framework.

Invest in Continuous Security Awareness Training

Annual compliance training doesn't cut it. Threat actors evolve their techniques weekly. Your training should too. Effective programs include short, frequent modules that cover current threats — not just email phishing, but smishing, vishing, QR code phishing (quishing), and AI-generated deepfake attacks. Our cybersecurity awareness training program is built around this continuous-learning model.

Monitor for Credential Exposure

Use threat intelligence services to monitor for your organization's credentials appearing on dark web marketplaces and paste sites. If an employee's corporate password appears in a breach dump, force a reset immediately. Pair this with a password policy that requires unique, complex passwords and prohibits credential reuse.
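As an added example (not from the original post), the following Python code shows one way to enforce the "force a reset if the password is in a breach dump" rule at password-set time without ever sending the password out: it assumes the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords service, where the client sends only the first five hex characters of the password's SHA-1 and receives every known suffix with its breach count. The range data here is a constructed stand-in, not real service output.

```python
import hashlib

# Assumption for this example: breached-password data is queried with the k-anonymity
# range scheme of Have I Been Pwned's Pwned Passwords service: the client sends only the
# first 5 hex characters of the password's SHA-1 and receives every known suffix with its
# breach count, so the password itself never leaves the organization.

def sha1_range_key(password):
    """Return (5-char prefix sent to the service, 35-char suffix compared locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def exposure_count(password, range_response):
    """Breach count for password, given the 'SUFFIX:COUNT' lines returned for its prefix."""
    _, suffix = sha1_range_key(password)
    for line in range_response.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def users_needing_reset(credentials, fetch_range):
    """credentials: {user: candidate password}; fetch_range(prefix) -> response text.
    Returns users whose password appears in the corpus (policy: force a reset)."""
    flagged = []
    for user, pw in credentials.items():
        prefix, _ = sha1_range_key(pw)
        if exposure_count(pw, fetch_range(prefix)) > 0:
            flagged.append(user)
    return flagged

# Constructed stand-in for the service (not real data): one range holding the SHA-1 of
# "password" (5BAA6...) with made-up counts; any other prefix returns an empty response.
FAKE_RANGES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
             "A1B2C3D4E5F60718293A4B5C6D7E8F90123:7\r\n",
}

def fake_fetch_range(prefix):
    return FAKE_RANGES.get(prefix, "")
```

In production, `fake_fetch_range` would be replaced by an HTTPS call to the range endpoint for the prefix, and the same check belongs in the password-change path so a reused, already-breached password is rejected before it is ever set.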

The Human Firewall Is Your Best Investment

I've reviewed every major phishing incident from the past decade. The pattern is undeniable: technical controls alone don't stop phishing. You need trained, skeptical humans who know what a social engineering attack looks like and have practiced responding to one.

The phishing attack examples in this post aren't ancient history. They're the playbook that threat actors are running right now, in 2024, against organizations exactly like yours. The techniques have been refined — AI-generated phishing emails are more convincing than ever, and multi-channel attacks combining email, SMS, and voice are increasingly common — but the fundamentals haven't changed.

Your organization's defense starts with the person reading the next suspicious email. Make sure they're ready.