In March 2025, the FBI's Internet Crime Complaint Center reported that phishing remained the number one reported cybercrime for the fifth consecutive year. That stat alone should tell you everything about where threat actors are focusing their energy. But raw numbers don't teach your employees what a real attack looks like in their inbox at 8:47 on a Tuesday morning. That's why studying actual phishing attack examples matters — they reveal the specific tactics, timing, and psychological triggers attackers use to bypass even well-funded security teams.

I've spent over a decade analyzing breaches, running phishing simulations, and training organizations to recognize social engineering before it becomes a headline. What follows are seven real incidents where phishing emails led to massive financial losses, stolen credentials, and reputational damage. More importantly, I'll break down exactly what went wrong and what your organization can do differently.

What Makes Phishing Attack Examples So Valuable?

Reading about phishing in the abstract is like studying car crashes without looking at the wreckage. You need to see the specific lure, the urgency the attacker manufactured, and the exact moment someone handed over their credentials. That's where real learning happens.

Every phishing attack example in this post comes from a publicly documented incident. I've included the attack vector, the impact, and the defensive gap that let it succeed. Use these as case studies in your next security awareness session — or share them with leadership when you need budget for training.

1. The Google and Facebook Invoice Scam ($121 Million)

Between 2013 and 2015, a Lithuanian national named Evaldas Rimasauskas impersonated a legitimate hardware manufacturer and sent fraudulent invoices to Google and Facebook. The phishing emails included forged contracts, letters, and invoices — all convincing enough that employees at both companies wired a combined $121 million to overseas bank accounts.

This wasn't a technical exploit. There was no malware. A threat actor simply studied the vendor relationship, crafted believable documents, and exploited the trust that already existed. The Department of Justice announced his sentencing in 2019.

The Lesson

Business email compromise (BEC) attacks don't need sophisticated code. They need good research and a believable story. Your finance team should verify every wire transfer request through an out-of-band channel — a phone call, not a reply email.

2. The Twitter VIP Account Takeover (2020)

In July 2020, attackers called Twitter employees and impersonated IT staff, convincing them to enter credentials into a fake internal tool. The credential theft gave attackers access to an admin panel, which they used to hijack accounts belonging to Barack Obama, Elon Musk, Apple, and others.

The attackers then posted cryptocurrency scam messages, collecting over $100,000 in Bitcoin within hours. The breach exposed a painful truth: even companies that build technology for billions of users are vulnerable to a well-crafted phone-based phishing attack.

The Lesson

This was a vishing (voice phishing) attack, a close cousin of email phishing. Multi-factor authentication alone wouldn't have stopped it because the attackers tricked employees into providing real-time access. Organizations need layered defenses — including phishing awareness training for organizations that covers voice and SMS vectors, not just email.

3. The Anthem Health Insurance Breach (78.8 Million Records)

In early 2015, attackers sent spear-phishing emails to a handful of Anthem employees. At least one person clicked a malicious link, which installed a backdoor on Anthem's systems. Over the following weeks, the attackers exfiltrated the personal data of 78.8 million current and former members — names, Social Security numbers, birth dates, addresses, and employment information.

The breach cost Anthem over $115 million in settlements and prompted one of the largest HIPAA-related investigations in history. The HHS Office for Civil Rights documented the case extensively.

The Lesson

One click. That's all it took. The attacker didn't need to compromise the entire email system. They needed one employee who didn't recognize a spear-phishing email. This is why ongoing security awareness programs beat one-time training sessions every time.

4. The Colonial Pipeline Ransomware Attack (2021)

In May 2021, the DarkSide ransomware group shut down Colonial Pipeline, disrupting fuel supplies across the southeastern United States. The initial access vector? A compromised password on an inactive VPN account. While the exact method of credential theft is debated, multiple reports — including analysis from CISA — indicate the password was likely obtained through a prior phishing campaign or credential dump.

Colonial Pipeline paid a $4.4 million ransom. The incident triggered a national emergency declaration and exposed how a single set of stolen credentials can cascade into a critical infrastructure crisis. CISA's advisory on DarkSide provides the full technical breakdown.

The Lesson

Ransomware almost always starts with credential theft or phishing. Implementing zero trust architecture — where no user or device is implicitly trusted — combined with mandatory multi-factor authentication on every remote access point would have made this attack dramatically harder to execute.

5. The RSA SecurID Breach (2011)

This one still stings. RSA, a company that literally sold security products, was compromised through a phishing email. An attacker sent a small group of RSA employees an email with the subject line "2011 Recruitment Plan" and an attached Excel spreadsheet containing a zero-day exploit.

One employee opened it. The malware installed a remote access tool, giving attackers a foothold in RSA's network. They eventually stole data related to RSA's SecurID two-factor authentication tokens, which were used by defense contractors and government agencies worldwide. The downstream impact affected organizations like Lockheed Martin.

The Lesson

Even security companies fall for phishing. The attack worked because it was targeted, relevant, and landed in the inbox of someone who had no reason to be suspicious. Phishing simulations that mimic this level of personalization are essential — generic "You've won a prize!" tests don't prepare anyone for real spear-phishing.

6. The Ubiquiti Networks Wire Transfer Fraud ($46.7 Million)

In 2015, Ubiquiti Networks disclosed that attackers impersonated company executives and tricked employees into wiring $46.7 million to overseas accounts. The phishing emails were carefully crafted to mimic the CEO's communication style and referenced legitimate ongoing projects.

Ubiquiti recovered about $15 million. The rest was gone. This phishing attack example shows how CEO fraud (a subset of BEC) exploits hierarchical trust. When the boss says "wire the money now," most employees comply without question.

The Lesson

Build a culture where employees feel safe questioning unusual requests — even from executives. Verification protocols for financial transactions aren't optional. They're a basic control that would have saved Ubiquiti $46.7 million.

7. The 2023 MGM Resorts Social Engineering Attack

In September 2023, attackers from the Scattered Spider group called MGM Resorts' IT help desk, impersonated an employee they found on LinkedIn, and convinced the help desk to reset account credentials. The resulting breach brought down slot machines, hotel key systems, and reservation platforms across Las Vegas properties. MGM estimated the incident cost over $100 million.

This attack started with open-source intelligence gathering on social media, followed by a vishing call. No malware was needed for initial access. The attacker was personable, prepared, and patient.

The Lesson

Your help desk is a high-value target. Identity verification procedures for password resets and account recoveries must be rigorous and consistent. A friendly voice on the phone with a few LinkedIn details should never be enough to grant access.

How Do Phishing Attacks Actually Work?

Phishing attacks follow a predictable lifecycle that your team should understand inside and out:

  • Reconnaissance: The attacker researches your organization, identifies targets, and gathers details from social media, press releases, and public records.
  • Lure creation: They craft an email, text message, or phone script designed to trigger urgency, curiosity, or fear. Common pretexts include invoice disputes, password expirations, HR policy changes, or executive requests.
  • Delivery: The message arrives via email, SMS, voice call, or even messaging apps. It typically contains a malicious link, a weaponized attachment, or a request for credentials.
  • Exploitation: The victim clicks the link, opens the file, or provides information. The attacker now has credentials, a malware foothold, or both.
  • Post-compromise: The attacker moves laterally, escalates privileges, exfiltrates data, or deploys ransomware. The dwell time — how long they stay undetected — averages 10 days according to the 2024 Mandiant M-Trends report.

Understanding this lifecycle helps your team recognize the warning signs at every stage, not just at the inbox.

What These Phishing Attack Examples Have in Common

After analyzing hundreds of incidents, I see the same patterns repeating:

  • Human trust is the primary vulnerability. Every example above exploited a relationship, a process, or a moment of inattention — not a software flaw.
  • Urgency is the weapon. Attackers manufacture time pressure to prevent critical thinking. "Wire the money before end of business" is the hallmark of BEC fraud.
  • Initial access is cheap. A single phishing email costs almost nothing to send. The return on investment for attackers is enormous.
  • Technical controls alone aren't enough. Email filters, firewalls, and endpoint detection are necessary but insufficient. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, errors, or misuse.
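The Ubiquiti CEO-fraud case above and the "urgency is the weapon" pattern both come down to a handful of indicators that a mail gateway or SOC triage step can check before a finance mailbox ever sees the message. The script below is an added example, not code from this post or from any of the companies discussed: it parses raw messages with Python's standard email module and flags an executive's display name on a mailbox that isn't theirs, a Reply-To pointing at a different domain, a lookalike sender domain, urgency language, and payment instructions. The company domain, executive roster, hold threshold and the three sample messages are all constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumed organisation data (hypothetical, not from the post).
COMPANY_DOMAIN = "example-corp.com"
# Display name -> the executive's real mailbox. Anything else using that name is suspect.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Pretexts the post describes as the hallmark of BEC: manufactured time pressure,
# payment instructions, and a request to keep things quiet.
URGENCY = re.compile(
    r"\b(before (end|close) of (business|day)|urgent(ly)?|immediately|asap|right away"
    r"|keep (this|it) (confidential|between us))\b", re.I)
PAYMENT = re.compile(r"\b(wire|bank (account|details)|invoice|payment)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Concatenate the text/plain parts; decode multipart payloads."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return " ".join(p.decode("utf-8", "replace") for p in parts)


def triage(raw):
    """Return the BEC indicators found in one raw RFC 5322 message and a verdict."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    text = msg.get("Subject", "") + " " + body_text(msg)
    findings = []

    # CEO fraud: an executive's display name on a mailbox that is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append("executive-impersonation")
    # Replies silently redirected to a different domain than the visible sender.
    if reply_addr and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    # Sender or reply domain within two edits of the company domain, but not equal.
    for d in {from_domain, reply_domain}:
        if d and d != COMPANY_DOMAIN and edit_distance(d, COMPANY_DOMAIN) <= 2:
            findings.append("lookalike-domain")
            break
    if URGENCY.search(text):
        findings.append("urgency-language")
    if PAYMENT.search(text):
        findings.append("payment-request")

    # Executive impersonation alone, or any two indicators together, holds the
    # message for out-of-band verification (the phone call the post recommends).
    # The threshold is an assumption; tune it against your own mail volume.
    hold = "executive-impersonation" in findings or len(findings) >= 2
    return {"findings": findings, "verdict": "hold" if hold else "ok"}


# Constructed sample messages (not real incidents).
CEO_FRAUD = """From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail-example.test
To: accounts@example-corp.com
Subject: Urgent wire needed before end of business

I'm in a meeting and can't take calls. Please wire the funds for the vendor
deposit today and keep this confidential until I announce the deal.
Jane
"""

LEGIT_INTERNAL = """From: "Jane Doe" <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Thursday all-hands agenda

The agenda for Thursday's all-hands is attached. Send questions to my assistant.
Jane
"""

VENDOR_BANK_CHANGE = """From: "Acme Billing" <billing@acme-supplies.test>
Reply-To: acme.billing@webmail-example.test
To: accounts@example-corp.com
Subject: Updated bank details for invoice 4471

Our bank account has changed. Please use the new details for the payment due this week.
Acme Supplies
"""

if __name__ == "__main__":
    for name, raw in [("ceo-fraud", CEO_FRAUD), ("internal", LEGIT_INTERNAL),
                      ("vendor", VENDOR_BANK_CHANGE)]:
        print(name, triage(raw))
```

The vendor sample is the Google/Facebook pattern in miniature: nothing about the sender is impersonating an executive, but a changed bank account plus a Reply-To on a free webmail domain is exactly the combination that should route the invoice to a phone call with a known contact rather than to payment.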

Building Defenses That Actually Work

Knowing the problem is step one. Here's what I recommend based on what these breaches teach us:

Run Realistic Phishing Simulations

Generic simulations don't build resilience. Use scenarios modeled on real phishing attack examples — BEC lures, fake password resets, spoofed vendor invoices. Track who clicks, who reports, and how fast your security team responds. Our phishing awareness training for organizations includes simulation frameworks built on actual attack patterns.
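Tracking "who clicks, who reports, and how fast" is only useful if you compute the numbers that drive a response. The script below is an added example, not code from this post or from any simulation product: it scores one campaign from an event log of delivered, clicked, reported and submitted_credentials events, and in addition to click and report rates it measures how many reports arrived before the first click, because that gap is the window in which a responder could have pulled the lure from every remaining inbox. The event log is constructed for illustration; a real run would export it from the simulation platform or mail gateway.

```python
from statistics import median

# Constructed event log for one simulated BEC lure: (user, event, minutes after send).
SIM_EVENTS = [
    ("alice", "delivered", 0), ("alice", "reported", 4),
    ("bob", "delivered", 0), ("bob", "clicked", 11), ("bob", "submitted_credentials", 12),
    ("carol", "delivered", 0), ("carol", "clicked", 30), ("carol", "reported", 33),
    ("dave", "delivered", 0),
    ("erin", "delivered", 0), ("erin", "reported", 2),
    ("frank", "delivered", 0), ("frank", "clicked", 95),
]


def users_with(events, kind):
    """Set of users that produced at least one event of the given kind."""
    return {user for user, event, _ in events if event == kind}


def score_campaign(events):
    """Summarise who clicked, who reported, and how much warning the SOC had."""
    delivered = users_with(events, "delivered")
    if not delivered:
        raise ValueError("no delivered events; nothing to score")
    clicked = users_with(events, "clicked")
    submitted = users_with(events, "submitted_credentials")
    reported = users_with(events, "reported")
    report_times = sorted(t for _, event, t in events if event == "reported")
    click_times = sorted(t for _, event, t in events if event == "clicked")
    first_click = click_times[0] if click_times else None
    # Reports that landed before anyone clicked: the SOC's chance to purge the
    # message from the other inboxes before it did damage.
    early_reports = [t for t in report_times if first_click is None or t < first_click]
    return {
        "delivered": len(delivered),
        "click_rate": len(clicked) / len(delivered),
        "credential_rate": len(submitted) / len(delivered),
        "report_rate": len(reported) / len(delivered),
        "time_to_first_report_min": report_times[0] if report_times else None,
        "median_time_to_report_min": median(report_times) if report_times else None,
        "reports_before_first_click": len(early_reports),
        # Minutes between send and the first click; None if nobody clicked.
        "response_window_min": first_click,
        # Clicked and never reported: follow up individually, not with a mass reminder.
        "clicked_no_report": sorted(clicked - reported),
        "submitted_credentials": sorted(submitted),
    }


if __name__ == "__main__":
    for key, value in score_campaign(SIM_EVENTS).items():
        print(f"{key}: {value}")
```

In the constructed log, two reports arrive within four minutes and the first click lands at eleven, so the measure of the security team is whether it acted on those two reports inside that window, not just the 50% click rate. Carol clicked and then reported, which is the behaviour you want to reward; Bob and Frank clicked and went quiet, which is where the follow-up training goes.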

Implement Multi-Factor Authentication Everywhere

MFA won't stop every attack (the Twitter breach proved that), but it eliminates the easiest path for credential theft. Prioritize phishing-resistant MFA methods like FIDO2 security keys over SMS-based codes, which are vulnerable to SIM swapping.

Adopt Zero Trust Principles

Stop assuming that anyone inside your network perimeter is trustworthy. Verify every access request based on identity, device health, and context. NIST's Zero Trust Architecture framework (SP 800-207) is the reference standard your team should follow.

Train Continuously, Not Annually

Annual compliance training checks a box. It doesn't change behavior. The organizations I've seen reduce their phishing click rates below 3% all share one trait: they train monthly with short, specific modules and reinforce lessons with real-world examples. Our cybersecurity awareness training program is designed for exactly this kind of ongoing engagement.

Secure Your Help Desk

After the MGM breach, every organization should audit its identity verification procedures for help desk interactions. Require callback verification, manager approval for sensitive account changes, and strict policies that no single call can override. Social engineering targets the path of least resistance — don't let your help desk be that path.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average breach cost at $4.88 million. Phishing was identified as the most common initial attack vector. That number isn't abstract — it represents legal fees, regulatory fines, lost customers, incident response costs, and years of reputational recovery.

Every phishing attack example in this post was preventable. Not with perfect technology, but with trained people who knew what to look for, verification processes that couldn't be bypassed with a convincing voice, and a security culture where questioning unusual requests was expected — not punished.

Your organization will face a phishing attack. The only variable is whether your people recognize it before it becomes a breach. Start building that recognition today.