The Email That Cost One Company $121 Million
In 2019, a Lithuanian national named Evaldas Rimasauskas pleaded guilty to stealing over $121 million from Google and Facebook using nothing more than fake invoices and spoofed email addresses. No zero-day exploits. No sophisticated malware. Just phishing emails that looked like they came from a legitimate hardware vendor. That's the reality of phishing in 2026 — and these phishing attack examples keep working because they exploit human trust, not software vulnerabilities.
I've spent years dissecting real phishing campaigns, running phishing simulations, and training organizations to recognize threats before someone clicks. What follows are seven real phishing attack examples that are actively fooling employees right now — plus what makes each one dangerously effective.
Why Phishing Still Dominates the Threat Landscape
According to Verizon's Data Breach Investigations Report, phishing and pretexting accounted for the vast majority of social engineering incidents. The FBI's IC3 2023 report logged over 298,000 phishing complaints — making it the most reported cybercrime category for the fifth consecutive year.
Threat actors don't need to hack your firewall when they can simply ask an employee for their password. That's not a failure of technology. It's a gap in security awareness — one that targeted training programs like phishing awareness training for organizations are specifically designed to close.
Phishing Attack Example #1: The Microsoft 365 Credential Harvest
This is the single most common phishing attack I encounter. The employee receives an email that appears to come from Microsoft, warning that their password is expiring or their mailbox is full. The link leads to a pixel-perfect replica of the Microsoft 365 login page.
Once the victim enters their credentials, the attacker has immediate access to email, SharePoint, OneDrive, and potentially Teams. In many cases, they set up mail forwarding rules to silently intercept future messages — enabling business email compromise attacks that can go undetected for months.
What Makes It Work
The fake login page is nearly identical to the real one. The URL uses a lookalike domain like "microsoftonline-login.com." Most employees don't scrutinize the address bar when they're in a hurry. Without multi-factor authentication, a stolen password is all a threat actor needs.
Phishing Attack Example #2: The Payroll Diversion Scam
An HR employee receives an email that appears to come from a colleague — usually someone in management. The email says, "Hey, I just changed banks. Can you update my direct deposit info?" The email address is either spoofed or sent from a compromised internal account.
I've seen organizations lose tens of thousands of dollars before anyone notices the real employee didn't get paid. By then, the funds are gone.
What Makes It Work
The request sounds routine. It doesn't ask for money directly — it asks for an administrative change. There's no malicious attachment or link for security tools to flag. It's pure social engineering.
Phishing Attack Example #3: The Fake Shipping Notification
This one surges during holiday seasons but runs year-round. The victim gets an email from what looks like UPS, FedEx, or DHL saying a package couldn't be delivered. A link or attachment offers a "shipping label" or "tracking update." It delivers malware — often ransomware or an info-stealer.
What Makes It Work
Everyone orders packages. The urgency of a missed delivery triggers immediate action. The branding is spot-on, and the malicious payload hides inside a PDF or ZIP file that looks like a standard shipping document.
Phishing Attack Example #4: The CEO Wire Transfer Request
Also known as Business Email Compromise (BEC), this attack targets finance teams. The CFO or accounts payable clerk receives an urgent email from the "CEO" requesting an immediate wire transfer to close a deal or pay a vendor. The email stresses confidentiality and speed.
The FBI's IC3 has reported BEC as the costliest form of cybercrime, with adjusted losses in the billions of dollars cumulatively. One compromised email thread is all it takes.
What Makes It Work
Authority and urgency are a lethal combination. Employees are conditioned to respond quickly to executive requests. The attacker often does research on LinkedIn and company websites to make the email feel authentic — referencing real projects, travel schedules, or colleagues by name.
Phishing Attack Example #5: The MFA Fatigue Attack
This is a newer tactic that bypasses multi-factor authentication. The attacker already has valid credentials (often purchased on the dark web from a previous data breach). They repeatedly trigger MFA push notifications to the victim's phone — sometimes dozens of times — until the exhausted user approves one just to make it stop.
In the 2022 Uber breach, a threat actor used exactly this technique, bombarding an employee with MFA prompts and then contacting them on WhatsApp posing as IT support. The employee approved the request, and the attacker gained access to internal systems.
What Makes It Work
It weaponizes a security control against the user. Most people don't understand that approving an MFA prompt they didn't initiate is equivalent to handing over their credentials. This is why security awareness training must cover MFA abuse — not just email-based phishing.
Phishing Attack Example #6: The QR Code Phish (Quishing)
A growing trend I'm seeing in 2026: phishing emails that contain no clickable links at all. Instead, they include a QR code — directing users to scan it with their phone. Since mobile devices often lack the same endpoint security as corporate laptops, the phishing page bypasses traditional email filters entirely.
These emails impersonate internal IT departments, parking management systems, or benefits enrollment portals. The QR code leads to a credential theft page optimized for mobile screens.
What Makes It Work
Email security gateways are designed to scan URLs. A QR code is just an image — it passes right through. The victim moves to their personal phone, outside the protection of corporate security tools, to complete the action.
Phishing Attack Example #7: The Voicemail Phish
The victim receives an email claiming they have a new voicemail — often branded to look like it's from Microsoft Teams, Cisco, or RingCentral. A "Play" button links to a credential harvesting page, or an HTML attachment opens a fake login portal in the browser.
What Makes It Work
Voicemail notifications are mundane and expected. They don't trigger the same suspicion as a message about account suspension or wire transfers. That's precisely why they're effective — they fly under the radar of employees who've been trained to watch only for "obvious" threats.
What Do All These Phishing Attack Examples Have in Common?
Every single one exploits human behavior, not technical vulnerabilities. They leverage urgency, authority, curiosity, and routine. Firewalls can't block an employee from voluntarily typing their password into a fake page. Spam filters can't stop every well-crafted social engineering attempt.
That's why technical controls and human training must work together. A zero trust architecture helps limit the blast radius of compromised credentials. But the first line of defense is always the person reading the email.
How to Protect Your Organization Starting Today
Here's what actually moves the needle, based on what I've seen work across hundreds of organizations:
- Run regular phishing simulations. Quarterly at minimum. Use scenarios based on the real phishing attack examples above — not generic templates. Platforms like our phishing awareness training program provide realistic, customizable campaigns.
- Make training continuous, not annual. A once-a-year compliance video changes nothing. Short, frequent lessons build lasting habits. Our cybersecurity awareness training course is built around this principle.
- Enforce phishing-resistant MFA. FIDO2 security keys or passkeys eliminate MFA fatigue attacks entirely. CISA recommends phishing-resistant MFA as a top priority — see their guidance at cisa.gov/mfa.
- Implement a zero trust framework. Assume breach. Verify every access request. Limit lateral movement so one compromised account doesn't mean total compromise.
- Create a no-blame reporting culture. If employees fear punishment for clicking a link, they'll hide incidents instead of reporting them. Fast reporting saves organizations millions.
Can You Spot the Phish? Here's a Quick Test
If you received an email from "IT Support" asking you to scan a QR code to re-verify your credentials before your account is disabled in 24 hours — what would you do? If your answer is anything other than "report it and verify through a separate channel," your organization needs better training.
The phishing attack examples in this article aren't edge cases. They're the standard playbook. Threat actors refine them constantly because they keep working. Your defense has to evolve faster.
Start with your people. Train them on real scenarios. Test them regularly. Give them the tools to recognize credential theft, social engineering, and ransomware delivery before it's too late.