A Single Email That Cost $100 Million
In 2019, Toyota Boshoku Corporation lost $37 million after an employee followed wire transfer instructions in a fraudulent email. Facebook and Google collectively lost over $100 million to a Lithuanian threat actor who sent fake invoices posing as a hardware vendor. These aren't edge cases. These are phishing attack examples that happened to organizations with massive security budgets.
If it can happen to them, it can happen to your organization. And in 2026, phishing remains the number one initial access vector for data breaches. According to the Verizon Data Breach Investigations Report, phishing and pretexting account for the vast majority of social engineering incidents year after year.
This post breaks down real-world phishing attack examples across every major category — from basic credential theft to sophisticated spear phishing campaigns. You'll see exactly how each attack works, why people fall for them, and what your organization can do right now to build resilience.
What Is a Phishing Attack? A Quick-Reference Answer
A phishing attack is a social engineering technique where a threat actor impersonates a trusted entity — via email, text, phone, or a fake website — to trick a victim into revealing sensitive information, clicking a malicious link, or transferring money. Phishing is the most common cyberattack type reported to the FBI's Internet Crime Complaint Center (IC3), with hundreds of thousands of complaints filed annually.
Email Phishing: The Attack That Never Gets Old
Classic email phishing casts a wide net. The attacker sends thousands or millions of messages impersonating a well-known brand — Microsoft, Amazon, DHL, your bank — hoping a small percentage of recipients take the bait.
The DocuSign Lure
I've investigated dozens of incidents where employees received emails that looked exactly like DocuSign notifications. The subject line reads "Please review and sign this document." The link routes to a credential harvesting page that mirrors Microsoft 365's login screen pixel for pixel. The victim enters their username and password, and the attacker now owns their mailbox.
What makes this effective is context. People expect DocuSign emails. They're trained to click them. That's precisely what threat actors exploit.
The Fake Invoice Scheme
Remember the Facebook and Google case I mentioned? Evaldas Rimasauskas sent fraudulent invoices from a company name nearly identical to a real Taiwanese hardware supplier. Finance departments paid them without a second thought. This phishing attack example cost two of the world's most sophisticated tech companies a combined $121 million before anyone noticed.
Spear Phishing: When the Email Knows Your Name
Spear phishing targets a specific individual using personal details scraped from LinkedIn, corporate websites, or previous data breaches. The attacker doesn't just say "Dear Customer." They say "Hi Sarah, following up on our conversation at the Denver conference last week."
The RSA Security Breach (2011)
One of the most infamous spear phishing attack examples hit RSA Security itself. An employee opened an Excel file titled "2011 Recruitment Plan" attached to an email sent to a small group of employees. The spreadsheet contained a zero-day exploit that installed a backdoor. The attackers ultimately compromised RSA's SecurID two-factor authentication tokens — affecting defense contractors and government agencies worldwide.
This single email bypassed every technical control RSA had in place. The human was the vulnerability.
Business Email Compromise: The $2.9 Billion Problem
Business email compromise (BEC) is the most financially devastating form of phishing. The FBI IC3 has consistently ranked BEC as the costliest cybercrime category, with losses in the billions. In BEC attacks, the threat actor either compromises or spoofs an executive's email account and instructs an employee to wire funds, change payment details, or share sensitive data.
Ubiquiti Networks ($46.7 Million)
In 2015, Ubiquiti Networks disclosed that employee impersonation and fraudulent requests targeting the company's finance department resulted in $46.7 million in unauthorized transfers. The attackers posed as executives and used emails that appeared completely legitimate. No malware was involved — just social engineering at its most effective.
Your finance team is a primary target for BEC. If they haven't completed dedicated phishing awareness training for organizations, you're leaving your biggest vulnerability unaddressed.
Smishing and Vishing: Phishing Beyond Email
Phishing isn't limited to email anymore. Smishing (SMS phishing) and vishing (voice phishing) have exploded in recent years.
The Twilio Smishing Attack (2022)
In August 2022, Twilio disclosed that attackers sent SMS messages to employees claiming to come from the company's IT department. The messages warned that passwords had expired and included a link to a fake Okta login page. Multiple employees entered their credentials, giving attackers access to internal systems and customer data. This attack then cascaded to affect over 130 downstream organizations.
MGM Resorts Vishing Attack (2023)
The MGM Resorts breach started with a phone call. A threat actor from the Scattered Spider group called the MGM help desk, impersonated an employee found on LinkedIn, and convinced the help desk to reset multi-factor authentication credentials. The resulting ransomware attack shut down hotel operations, slot machines, and booking systems across Las Vegas properties. MGM estimated the incident cost over $100 million.
This is why security awareness must cover every channel — not just email. Comprehensive cybersecurity awareness training teaches employees to recognize social engineering whether it arrives by email, text, or phone.
Clone Phishing: The Replay Attack
Clone phishing is a technique where an attacker takes a legitimate email the victim has already received — a real shipping notification, a real invoice, a real internal update — and creates a near-identical copy with one change: the link or attachment is malicious.
I've seen this tactic used after a mailbox compromise. The attacker reads the victim's inbox, finds a real email thread, then resends the message from the compromised account with a weaponized attachment. The recipient has no reason to be suspicious because the conversation is real.
This is one of the hardest phishing attack examples to detect without technical controls like link sandboxing and attachment detonation, combined with employees who know to verify unexpected re-sends.
Pharming and Credential Theft at Scale
Pharming attacks redirect users from legitimate websites to fraudulent ones by poisoning DNS records or compromising a router. The victim types the correct URL but arrives at the attacker's page.
While less common than direct email phishing, pharming has been used in large-scale credential theft campaigns targeting banking customers. The Cybersecurity and Infrastructure Security Agency (CISA) has issued multiple alerts about DNS hijacking campaigns, including those attributed to nation-state threat actors.
How to Protect Your Organization: What Actually Works
Knowing these phishing attack examples is only useful if you act on the patterns. Here's what I've seen work in practice across organizations of every size.
Layer 1: Technical Controls
- Multi-factor authentication (MFA) on every account, every system. Phishing-resistant MFA like FIDO2 keys is the gold standard.
- Email authentication protocols — DMARC, DKIM, and SPF — configured to reject unauthorized senders.
- Zero trust architecture — never assume a user or device is trustworthy based on network location alone.
- Endpoint detection and response (EDR) to catch malware delivered through phishing attachments.
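As an added example (not code from the original post), here is a small Python check for the SPF and DMARC posture the "email authentication protocols" bullet calls for: it parses constructed sample TXT records for hypothetical domains (no DNS lookups) and flags records that do not hard-fail or reject unauthorized senders.

```python
import re

# Constructed sample TXT records for hypothetical domains (no DNS lookups).
SAMPLE_TXT = {
    "example.test": [
        "v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all",
    ],
    "_dmarc.example.test": [
        "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test",
    ],
    "weak.test": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' mechanism: '-' fail, '~' softfail,
    '?' neutral, '+' pass (the default), or None if 'all' is absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return None
    return match.group(1) or "+"

def assess_domain(domain, txt=SAMPLE_TXT):
    """Return a list of findings; an empty list means SPF hard-fails
    unauthorized senders and DMARC is at p=reject for all mail."""
    findings = []
    spf = next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), None)
    if spf is None:
        findings.append("no SPF record")
    elif spf_all_qualifier(spf) != "-":
        findings.append("SPF does not end in -all; unauthorized senders are not hard-failed")
    dmarc = next((r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")), None)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("p", "none").lower() != "reject":
            findings.append("DMARC policy is p=%s, not reject" % tags.get("p", "none"))
        if tags.get("pct", "100") != "100":
            findings.append("DMARC applies to only pct=%s of mail" % tags["pct"])
    return findings
```

Swap the constructed dictionary for real TXT lookups to audit your own domains; a softfail (~all) or p=none result is exactly the gap a spoofed executive email slips through.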
Layer 2: Human Controls
- Regular phishing simulation campaigns that test employees with realistic scenarios, not obvious fakes.
- Security awareness training that covers email, SMS, voice, and social media attack vectors.
- Verification procedures for wire transfers, password resets, and MFA changes — especially requests that come from executives.
Technical controls reduce exposure. Human controls catch what technology misses. You need both. If your organization hasn't invested in structured training, start with a program like the phishing awareness training at phishing.computersecurity.us — it's built around the exact attack scenarios covered in this post.
The Pattern You Should See by Now
Every phishing attack example in this post shares three traits. First, the attacker exploited trust — a trusted brand, a trusted colleague, a trusted process. Second, the attack required human action — clicking a link, entering credentials, wiring money. Third, technical controls alone weren't enough to stop it.
Phishing will remain the dominant initial access vector for data breaches as long as humans make decisions under pressure. The organizations that survive aren't the ones with the biggest budgets. They're the ones that train their people relentlessly and build verification into every sensitive workflow.
Start building that culture now. Explore computersecurity.us for a comprehensive training program that covers phishing, ransomware, social engineering, and the full threat landscape your employees face every day.