A Single Email Cost This Company $100 Million
In 2019, a Lithuanian man named Evaldas Rimasauskas pleaded guilty to stealing over $100 million from Google and Facebook using nothing more than phishing emails. Between 2013 and 2015 he impersonated Quanta Computer, a hardware vendor both companies actually did business with, sent forged invoices and contracts, and both tech giants paid. If the most sophisticated companies on Earth can fall for phishing attack examples this straightforward, your organization is absolutely at risk.
Phishing remains the number one attack vector used in data breaches. The FBI's 2020 IC3 Report logged 241,342 phishing complaints — more than double any other cybercrime category. And that only counts incidents people actually reported. The real number is staggeringly higher.
I've spent years dissecting these attacks, training organizations, and watching the tactics evolve. This post breaks down real phishing attack examples — not theoretical scenarios — so you can recognize what's actually hitting inboxes right now and train your team to stop it.
What Makes Phishing So Devastatingly Effective
Phishing works because it exploits trust, urgency, and routine. Threat actors don't need to crack your firewall when they can trick an employee into handing over credentials or wiring money. It's social engineering at its most refined.
The 2021 Verizon Data Breach Investigations Report found that 36% of breaches involved phishing — up from 25% the prior year. That's not a small uptick. That's a trend screaming for attention.
Here's what actually happens in most attacks I investigate: the email looks legitimate, the timing feels right, and the employee is busy. They click. That one click hands the attacker something no perimeter control was positioned to protect: a valid password, a live session, or an approved payment. Understanding real-world phishing attack examples is the most reliable way to build the pattern recognition your team needs.
Business Email Compromise: The $1.8 Billion Problem
Business Email Compromise (BEC) is the most financially damaging form of phishing. The FBI's 2020 IC3 report counted $4.2 billion in reported losses across every cybercrime category; BEC alone accounted for $1.8 billion of that, more than any other category by a wide margin.
The Ubiquiti Networks Attack
In 2015, Ubiquiti Networks disclosed that attackers used employee impersonation emails to trick finance staff into wiring $46.7 million to overseas accounts. The emails appeared to come from executives. No malware, no exploit kits — just carefully crafted messages exploiting the company's internal processes.
The Toyota Boshoku Scam
In 2019, Toyota Boshoku, a subsidiary of Toyota, lost $37 million after a threat actor convinced a finance executive to change wire transfer payment information via email. The attacker posed as a business partner with a legitimate-sounding request. By the time anyone noticed, the money was gone.
These aren't edge cases. They're the bread and butter of modern cybercrime. And they succeed because organizations rely on technical controls alone instead of investing in cybersecurity awareness training that teaches employees to verify before they trust.
Credential Theft Phishing: The Gateway to Everything Else
Most phishing emails aren't asking you to wire money. They're after your credentials. A valid username and password lets a threat actor log in as that user, read their mail, and pivot from there, and if you haven't deployed multi-factor authentication, nothing stands between the phished password and the account.
The 2020 SolarWinds Connection
The SolarWinds breach was a supply chain compromise, and how the attackers first got into SolarWinds' own network was never publicly confirmed; the company's investigation narrowed it to a zero-day, password guessing, or stolen credentials. What is well documented is what happened inside the downstream victims: the actor used compromised credentials and forged SAML tokens to reach cloud email. The same group later ran a large phishing campaign in May 2021, sending malicious links from a compromised Constant Contact account while posing as USAID. It's a reminder that phishing often isn't the main event; it's the opening act, or the follow-on.
The Twitter Hack of July 2020
In July 2020, attackers compromised high-profile Twitter accounts — including Barack Obama, Elon Musk, and Apple — by phone-phishing Twitter employees. The attackers used social engineering to convince employees to provide access to internal tools. They then used those tools to take over verified accounts and run a Bitcoin scam that netted over $100,000 in hours.
This attack demonstrated that even phone-based phishing (vishing) can devastate a major platform. Your employees face the same tactics on a smaller scale every day.
Spear Phishing: When They Know Your Name
Spear phishing targets specific individuals with personalized messages. It's harder to spot because the attacker has done homework — they know your job title, your boss's name, maybe even your current projects.
The RSA SecurID Breach (2011)
One of the most instructive phishing attack examples in cybersecurity history. An attacker sent two small groups of RSA employees an email with the subject line "2011 Recruitment Plan." The attached Excel spreadsheet carried an embedded Flash object that exploited a zero-day (CVE-2011-0609). One employee opened it. The breach that followed compromised data tied to RSA's SecurID two-factor authentication tokens, and the stolen material was later used in an intrusion attempt against Lockheed Martin, one of the defense contractors relying on them.
The email didn't even have to beat the filters. By RSA's own account the message was caught as junk, and the employee retrieved it from the junk folder and opened it because it looked routine. That's the power of spear phishing: a plausible message sent to a handful of people defeats a control that was working.
The DNC Breach (2016)
Russian threat actors sent spear phishing emails styled as Google security alerts to Democratic National Committee staff and to Clinton campaign chairman John Podesta in 2016. Podesta's Gmail credentials were harvested through a fake Google login page reached via a shortened link in the alert. The resulting data leak dominated the news cycle for months.
A single credential theft phishing email shaped the coverage of a presidential election. If that doesn't illustrate the stakes, nothing will.
COVID-19 Phishing: Exploiting a Global Crisis
I've never seen threat actors pivot faster than they did in early 2020. Within weeks of the pandemic declaration, phishing campaigns impersonating the WHO, the CDC, and various government agencies exploded. CISA issued multiple alerts about COVID-themed phishing campaigns throughout 2020.
Common tactics included fake PPP loan applications designed to steal business data, phony vaccine appointment confirmations with malicious links, and spoofed HR emails about remote work policy changes. Every one of these leveraged fear, confusion, and urgency — the three ingredients that make phishing irresistible.
These attacks haven't stopped in 2021. As vaccine rollouts continue, new phishing campaigns impersonate pharmacy chains, state health departments, and employer HR portals. Your employees need to recognize these patterns, and that starts with structured phishing awareness training for organizations.
Ransomware Delivered by Phishing: A Double Disaster
Ransomware gets the headlines, but phishing is one of the two ways it usually gets in. In my experience the large majority of ransomware incidents begin either with a phishing email or with exposed remote access such as RDP, and the quarterly reporting from incident response firms shows those two vectors trading places at the top.
The Ryuk Ransomware Campaign
Ryuk ransomware attacks, which caused hundreds of millions in damages in 2019 and 2020, typically started with a phishing email delivering a TrickBot or Emotet loader. Once the initial malware established a foothold, Ryuk operators would move laterally and deploy the ransomware payload days or weeks later.
Hospitals were particularly hard hit. Universal Health Services suffered a Ryuk attack in September 2020 that cost an estimated $67 million. UHS did not publish the initial access vector, but Ryuk intrusions of that period typically started with a TrickBot or Emotet lure delivered by email.
How to Spot a Phishing Email: The Quick Reference
Here's what I tell every organization I work with. Look for these signals:
- Urgency or threats. "Your account will be suspended in 24 hours." Legitimate companies rarely demand action on that timescale, and a real provider will show the same warning when you log in directly, without using the link in the message.
- Mismatched sender addresses. The display name says "Microsoft Support" but the email address is a random Gmail account, or a lookalike domain one character off from the real one.
- Suspicious links. Hover before you click (long-press on a phone to preview). If the URL doesn't match the supposed sender, stop. Shortened or redirecting links can't be checked this way; treat them as unverified.
- Unexpected attachments. Especially .zip, .xlsm, .docm, .iso or .html files from someone you didn't expect to hear from.
- Requests for credentials or payment changes. Always verify through a separate communication channel, using a phone number you already have on file rather than one supplied in the email.
- Poor grammar and odd formatting. Less reliable than it used to be — attackers are improving — but still a signal.
Pattern recognition is a skill. It gets sharper with practice. That's exactly why phishing simulation programs exist — they give employees safe reps against realistic scenarios.
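The checklist above is exactly the kind of thing a mail triage script can apply automatically before a human ever sees the message. The block below is an added example, not code from the original post or from any product mentioned on this page: it parses a raw message with Python's standard library and reports which checklist signals it trips (brand in the display name versus the sending domain, a Reply-To that diverges from From, a lookalike domain built from confusable characters, urgency and payment-change wording, anchor text that shows one site while the link goes to another, and risky attachment extensions). Both sample messages are constructed for illustration; every sender, domain and URL in them is made up, the `BRAND_DOMAINS` table is a placeholder for a real allow-list, and `org_domain` is a two-label approximation of what a production tool would do with the public-suffix list.

```python
"""Heuristic triage of a raw email against the checklist above. Added example, not code from
the original post; both sample messages are constructed and every sender, domain and URL is made up."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".zip", ".xlsm", ".docm", ".iso", ".lnk", ".js", ".html")
URGENCY_PHRASES = ("within 24 hours", "will be suspended", "immediately", "urgent", "final notice")
PAYMENT_PHRASES = ("wire instructions", "new account", "updated bank", "change of bank")
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "paypal": {"paypal.com"}}  # placeholder brand -> real sending domains
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})  # ASCII substitutions used in lookalikes


class _Links(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.pairs.append(("".join(self._text).strip(), self._href))
            self._href = None


def org_domain(host):  # last two labels; a real tool would consult the public-suffix list
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def domain_of(header):
    return org_domain(parseaddr(str(header))[1].rpartition("@")[2])


def looks_like(a, b):  # two different domains that collapse to the same string after normalisation
    norm = lambda d: d.translate(CONFUSABLES).replace("rn", "m")
    return a != b and norm(a) == norm(b)


def triage(raw):
    """Return (signal, detail) pairs for each checklist item the message trips."""
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_dom, findings = org_domain(sender.rpartition("@")[2]), []
    claimed = set().union(*(d for brand, d in BRAND_DOMAINS.items() if brand in display.lower()))
    if claimed and sender_dom not in claimed:  # display name borrows a brand the sender domain lacks
        findings.append(("brand-mismatch", f"'{display}' sent from {sender_dom}"))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != sender_dom:  # classic BEC: replies routed to attacker mailbox
        findings.append(("reply-to", f"replies go to {reply_dom}, not {sender_dom}"))
    if looks_like(sender_dom, domain_of(msg.get("To", ""))):
        findings.append(("lookalike", f"{sender_dom} imitates the recipient's domain"))
    text, html = str(msg.get("Subject", "")), ""
    for part in msg.walk():
        name = part.get_filename()
        if name:  # an attachment: judged by its extension only
            if name.lower().endswith(RISKY_EXTENSIONS):
                findings.append(("attachment", name))
        elif part.get_content_type() == "text/plain":
            text += " " + part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    lowered = (text + " " + html).lower()
    for signal, phrases in (("urgency", URGENCY_PHRASES), ("payment", PAYMENT_PHRASES)):
        hits = [p for p in phrases if p in lowered]
        if hits:
            findings.append((signal, ", ".join(hits)))
    links = _Links()
    links.feed(html)
    for shown, href in links.pairs:
        target = org_domain(urlparse(href).hostname)
        shown_dom = org_domain(urlparse(shown).hostname) if "://" in shown else ""
        if shown_dom and shown_dom != target:  # anchor text displays one site, link goes to another
            findings.append(("link-mismatch", f"text shows {shown_dom}, link goes to {target}"))
    return findings


# Constructed sample 1: credential phish with a brand display name, urgency, a deceptive link and a macro doc.
CRED_PHISH = """\
From: "Microsoft Support" <alerts@secure-login-verify.example>
To: jane.doe@example.org
Subject: Your account will be suspended in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Unusual sign-in detected. Verify now or lose access:
<a href="http://login.secure-login-verify.example/auth">https://login.microsoft.com</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice.docm"

UEsDBA==
--b1--
"""

# Constructed sample 2: BEC with no link or attachment, a lookalike sender domain and a webmail Reply-To.
BEC = """\
From: "Dana Chen, CFO" <dana.chen@examp1e-corp.com>
Reply-To: dana.chen.cfo@webmail.example
To: ap@example-corp.com
Subject: URGENT - updated wire instructions
Content-Type: text/plain; charset="utf-8"

Please process today's vendor payment to the new account below and confirm immediately.
"""
```

Run `triage(CRED_PHISH)` and `triage(BEC)` to see the two very different signal sets: the credential phish trips the brand, urgency, link and attachment checks, while the BEC message carries no link or file at all and is caught only by the Reply-To, lookalike-domain and payment-wording checks, which is the point made later about why content filters miss it. Phrase lists this short are a teaching aid; a real deployment would feed the same signals into a scoring model rather than a keyword match.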
Why Technical Controls Alone Won't Save You
Email gateways, spam filters, DMARC, and sandboxing are all essential. I'd never tell you to skip them. But here's the reality: these tools catch a high percentage of bulk phishing. They consistently miss targeted spear phishing and BEC attacks because those messages don't contain malware or malicious links; they're pure social engineering. DMARC in particular protects your own domain from being spoofed, but a lookalike domain the attacker registered passes SPF, DKIM and DMARC for itself, and the filter has no reason to block it.
A zero trust architecture helps. Multi-factor authentication dramatically reduces credential theft risk, though one-time codes and push approvals can still be phished by a proxy site that relays the login in real time; only phishing-resistant methods such as FIDO2 security keys, which bind the authentication to the real site's origin, close that gap. And when an employee is socially engineered into changing a wire transfer recipient or sharing sensitive data over the phone, no technology intervenes.
Your people are the last line of defense. And that line is only as strong as your security awareness program makes it.
Building a Phishing-Resistant Organization
Here's what I recommend based on years of incident response and training program development:
Step 1: Baseline Your Risk
Run a phishing simulation before you do anything else. You need to know your click rate, your reporting rate, and which departments are most vulnerable. This data drives everything that follows.
Step 2: Train With Real Phishing Attack Examples
Generic "don't click suspicious links" training is useless. Show your employees actual phishing emails. Walk them through BEC scenarios. Let them practice identifying credential theft pages. The cybersecurity awareness training program at computersecurity.us is built around exactly this approach — real-world scenarios, not compliance checkboxes.
Step 3: Simulate Regularly
A once-a-year phishing test is like going to the gym once in January. Monthly or quarterly simulations keep awareness sharp. Vary the attack types — BEC, credential harvesting, malware delivery, vishing. The phishing simulation and training platform at phishing.computersecurity.us makes this operationally simple.
Step 4: Make Reporting Easy and Rewarded
Every email client should have a one-click "Report Phishing" button. Employees who report should get positive reinforcement, not silence. The goal is a culture where reporting a suspicious email is second nature.
Step 5: Layer Your Technical Defenses
Deploy multi-factor authentication everywhere, preferring phishing-resistant methods for privileged and finance users. Publish SPF, DKIM, and DMARC for every domain you own, including domains that send no mail, and move DMARC to an enforcing policy (p=quarantine or p=reject) once the aggregate reports show your legitimate senders are aligned. Use conditional access policies. Segment your network. These controls won't stop every phishing attack, but they dramatically reduce the blast radius when one succeeds.
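What "enforcing policy" and "aligned" mean in Step 5 is easiest to see by running the receiver's side of the check. The block below is an added example, not code from the original post or from any mail product: it implements DMARC alignment and policy evaluation as RFC 7489 defines them (DKIM aligns when the signature's d= domain matches the From domain, SPF aligns when the envelope MAIL FROM domain matches it, relaxed mode compares organizational domains and strict mode demands an exact match), and it goes a little beyond the page by showing both modes. `WEAK_RECORD` and `HARDENED_RECORD` are the weak and corrected DNS TXT values side by side; the domains, records and three scenario functions are made up for illustration, and `org_domain` is a two-label stand-in for the public-suffix list.

```python
"""DMARC alignment and policy evaluation per RFC 7489 section 3.1. Added example, not code from
the original post; every domain and record below is constructed for illustration."""

# The weak record beside the corrected one. p=none only requests reports; failing mail is still delivered.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def org_domain(host):  # last two labels; a real receiver uses the public-suffix list (co.uk, etc.)
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    """Split a DMARC TXT record into tags, applying the RFC defaults for the alignment modes."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(domain, from_domain, mode):
    """Strict ('s') requires an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def evaluate(from_domain, spf, dkim, record):
    """Return (dmarc_result, disposition) for one message.

    spf  is (result, envelope MAIL FROM domain) as produced by the receiver's SPF check;
    dkim is (result, d= domain of the signature that verified), or None when unsigned.
    """
    tags = parse_dmarc(record)
    spf_pass = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_pass = dkim is not None and dkim[0] == "pass" and aligned(dkim[1], from_domain, tags["adkim"])
    if spf_pass or dkim_pass:  # DMARC passes on either aligned identifier
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]


def spoof_from_attacker(record):
    """Attacker's server sends From: ceo@example.com. SPF and DKIM both pass for attacker.example,
    but neither aligns with example.com, so the outcome depends entirely on example.com's policy."""
    return evaluate("example.com", ("pass", "attacker.example"), ("pass", "attacker.example"), record)


def legitimate_bulk_sender(record):
    """example.com's newsletter provider uses its own bounce domain for SPF but signs with d=example.com."""
    return evaluate("example.com", ("pass", "bounce.mailer.example"), ("pass", "example.com"), record)


def lookalike_domain():
    """DMARC protects a domain, not a brand: examp1e.com with its own correct setup passes cleanly."""
    return evaluate("examp1e.com", ("pass", "examp1e.com"), ("pass", "examp1e.com"), "v=DMARC1; p=reject")
```

Under `WEAK_RECORD` the spoofed message fails DMARC and is delivered anyway; under `HARDENED_RECORD` it is rejected, while the legitimate newsletter still passes because its DKIM signature aligns even though its SPF domain does not. Two caveats fall straight out of the code: strict alignment breaks any legitimate stream that signs with a subdomain such as mail.example.com, which is why it is enabled only after the aggregate reports have been read, and the lookalike scenario passes with flying colours, which is why DMARC does nothing against the BEC lookalike domains discussed earlier.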
The $3.86M Lesson Most Organizations Learn Too Late
IBM's 2020 Cost of a Data Breach Report pegged the average breach cost at $3.86 million. Breaches that started with phishing or business email compromise averaged higher still, and the same report lists employee training among the factors associated with lower breach costs. The organizations that skimp on security awareness tend to pay instead in incident response, legal fees, regulatory fines, and lost business.
Every phishing attack example in this post was preventable. Not with a better firewall. Not with a more expensive email gateway. With trained people who knew what to look for and had the confidence to pause, verify, and report.
That's the investment that actually moves the needle. The threat actors aren't slowing down. Your preparation shouldn't either.