The Attack That Didn't Need a Single Line of Code
In September 2022, an 18-year-old allegedly breached Uber's internal systems. The method wasn't a zero-day exploit or some sophisticated malware. It was a text message. The attacker bombarded an Uber contractor with multi-factor authentication push notifications until the contractor gave in and approved one. From there, the threat actor accessed Uber's Slack, vulnerability reports, and cloud dashboards. That's social engineering in its purest form — manipulating a human instead of hacking a machine.
If you've ever searched for social engineering examples, you're probably trying to understand how these attacks actually work so you can protect your organization. Good. That's exactly what this post delivers: real incidents, specific tactics, and practical defenses you can deploy this week.
Social engineering is the single most common initial attack vector in data breaches. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — whether through phishing, pretexting, or credential theft. No firewall stops a conversation. No endpoint detection platform flags a persuasive phone call.
What Is Social Engineering? (The 30-Second Answer)
Social engineering is any technique that exploits human psychology — trust, fear, urgency, curiosity — to trick someone into giving up access, information, or money. It's not about breaking encryption. It's about breaking people.
Threat actors prefer social engineering because it works at scale and costs almost nothing to execute. Why spend weeks finding a software vulnerability when you can send 10,000 phishing emails and get 300 clicks?
7 Real Social Engineering Examples That Caused Massive Damage
Let me walk you through actual incidents. Each one demonstrates a different tactic, and together they paint a clear picture of what your employees are up against.
1. The Uber MFA Fatigue Attack (2022)
I mentioned this one above, but the details matter. The attacker purchased a contractor's stolen credentials on the dark web, then repeatedly triggered MFA push notifications. After about an hour, the contractor approved the request — likely just to make the notifications stop. The attacker then pivoted across Uber's internal network.
This technique is called MFA fatigue or MFA bombing. It exploits the assumption that multi-factor authentication alone is bulletproof. It isn't, when the human on the other end can be worn down.
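The burst of push prompts that wears a user down is also the thing a defender can see in the authentication logs. The following Python is an added example, not code from the original post or from any identity provider: it runs two simple rules over a constructed sample of MFA push events (the log format, usernames and addresses are all made up for the example) and flags a user who receives many prompts in a short window, and, more seriously, a user who approves a prompt right after repeatedly denying or ignoring them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events for illustration; not a real vendor log format.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=contractor01 event=mfa_push result=denied src=203.0.113.5
2022-09-15T22:01:45Z user=contractor01 event=mfa_push result=timeout src=203.0.113.5
2022-09-15T22:02:30Z user=contractor01 event=mfa_push result=denied src=203.0.113.5
2022-09-15T22:03:10Z user=contractor01 event=mfa_push result=timeout src=203.0.113.5
2022-09-15T22:04:02Z user=contractor01 event=mfa_push result=denied src=203.0.113.5
2022-09-15T22:05:40Z user=contractor01 event=mfa_push result=approved src=203.0.113.5
2022-09-15T22:07:00Z user=alice event=mfa_push result=approved src=198.51.100.7
2022-09-15T23:15:00Z user=bob event=mfa_push result=denied src=198.51.100.9
2022-09-15T23:40:00Z user=bob event=mfa_push result=approved src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn the key=value log lines into dicts sorted by timestamp; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "result": m["result"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Two rules over a per-user sliding window.

    push_burst:          at least `threshold` pushes to one user inside `window`
                         (one alert per user, so a long burst does not flood the queue).
    approve_after_burst: an approval preceded by two or more denied/timed-out pushes
                         inside `window`, the signature of a user giving in.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> events still inside the window
    burst_alerted = set()
    for e in events:
        q = recent[e["user"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and e["user"] not in burst_alerted:
            burst_alerted.add(e["user"])
            alerts.append({"rule": "push_burst", "user": e["user"],
                           "count": len(q), "ts": e["ts"], "src": e["src"]})
        if e["result"] == "approved":
            rejections = sum(1 for x in q if x["result"] != "approved")
            if rejections >= 2:
                alerts.append({"rule": "approve_after_burst", "user": e["user"],
                               "prior_rejections": rejections, "ts": e["ts"], "src": e["src"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample above, contractor01 trips the burst rule at the fourth prompt and then the approve-after-burst rule at the final approval, while alice and bob, whose prompts are isolated, produce nothing. The thresholds are starting points; tune them against your own provider's baseline, and treat an approve-after-burst hit as a reason to terminate the session and reset the credential, not just to raise a ticket.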
2. The Twitter VIP Account Takeover (2020)
In July 2020, attackers called Twitter employees, posed as IT support staff, and convinced them to enter credentials into a fake internal tool. With those credentials, the attackers accessed Twitter's admin panel and took over accounts belonging to Barack Obama, Elon Musk, Apple, and others. They ran a Bitcoin scam that netted over $100,000 in hours.
The tactic here was vishing — voice phishing. The attackers sounded legitimate because they'd done homework on Twitter's internal tools and processes. They even knew which employees had admin access.
3. The MGM Resorts Ransomware Breach (2023)
The ALPHV/BlackCat ransomware group reportedly gained access to MGM Resorts by calling the company's IT help desk and impersonating an employee. The attackers found the employee's information on LinkedIn, used it to pass verification questions, and convinced the help desk to reset credentials. MGM estimated the incident cost them over $100 million.
This is a textbook pretexting attack. The attacker creates a believable scenario — "I'm locked out of my account" — and leverages publicly available information to make it convincing.
4. The Sony Pictures Spear Phishing Campaign (2014)
Before releasing devastating amounts of internal data, the attackers sent highly targeted phishing emails to Sony employees. These emails referenced real Apple ID verification processes and directed victims to credential harvesting sites. Once inside, the attackers exfiltrated terabytes of data, including unreleased films, executive emails, and employee Social Security numbers.
Spear phishing differs from bulk phishing because every message is customized. The attacker researches the target, references real projects or colleagues, and makes the email feel routine.
5. The Business Email Compromise at Ubiquiti (2015)
Ubiquiti Networks lost $46.7 million when attackers impersonated executives via email and convinced the finance department to wire funds to overseas accounts. No malware was involved. No systems were compromised. The emails simply looked like they came from the CEO.
Business email compromise (BEC) is the most financially destructive form of social engineering. The FBI's Internet Crime Complaint Center (IC3) has reported that BEC scams have caused over $50 billion in losses globally since 2013.
6. The RSA SecurID Breach (2011)
Attackers sent a phishing email with a subject line "2011 Recruitment Plan" to a small group of RSA employees. The email contained an Excel attachment with an embedded Flash zero-day exploit. One employee opened it. The attackers eventually stole data related to RSA's SecurID two-factor authentication tokens, which then put RSA's defense contractor clients at risk.
This example shows how social engineering often serves as the entry point for a multi-stage attack. The human mistake opens the door; the technical exploit walks through it.
7. The Google and Facebook Invoice Scam (2013-2015)
A Lithuanian national sent fake invoices to Google and Facebook, impersonating a legitimate hardware vendor. Over two years, the scheme extracted over $100 million from both companies. The invoices looked real because the attacker had studied the vendor relationship and mimicked the vendor's billing processes perfectly.
This is vendor impersonation — a subset of BEC that targets accounts payable teams. Your finance team is a prime target, and they may never suspect a routine invoice.
Why These Social Engineering Examples Keep Working
Every one of these incidents exploited a predictable human behavior. Here's what I see over and over again in my work:
- Authority bias: People comply when they think the request comes from a boss or IT department.
- Urgency: "Your account will be locked in 15 minutes" short-circuits critical thinking.
- Familiarity: A message that references a real project or colleague feels safe.
- Helpfulness: Help desk staff are trained to assist — attackers exploit that instinct.
- Fatigue: Bombard someone with enough prompts and they'll eventually click "approve."
Technical controls like multi-factor authentication, email filtering, and zero trust architecture are essential. But they can't fully compensate for an untrained workforce. The human layer is always the final firewall.
How to Defend Against Social Engineering Attacks
Knowing the social engineering examples is step one. Building defenses that actually hold up under pressure is step two. Here's what works.
Run Realistic Phishing Simulations
Simulated phishing campaigns are the closest thing to a fire drill for cybersecurity. They test whether your employees can spot credential theft attempts, malicious links, and spoofed sender addresses in real-time conditions. If you're not running these yet, start with our phishing awareness training for organizations to get a structured program in place.
The key word is "realistic." Simulations that look nothing like real attacks teach nothing. Use templates based on actual campaigns — BEC emails, fake MFA alerts, vendor impersonation invoices.
Train for Specific Scenarios, Not Generic Awareness
Most security awareness programs fail because they're vague. "Be careful with email" isn't actionable. Your employees need to recognize specific patterns: an unusual wire transfer request, a help desk call that skips verification steps, a LinkedIn message that leads to a credential harvesting page.
I've seen organizations cut their phishing click rates by over 60% within six months by switching from annual compliance videos to scenario-based training delivered monthly. Our cybersecurity awareness training course covers exactly these types of real-world scenarios.
Implement Verification Protocols for Sensitive Actions
The MGM and Ubiquiti breaches could have been prevented with a simple callback verification. Any request to reset credentials, change payment details, or transfer funds should require out-of-band confirmation — a phone call to a known number, not the number provided in the request.
Write this into policy. Make it non-negotiable. When the CFO says "wire $200,000 to this new account," your finance team should have a documented process to verify that request through a separate channel.
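Policy holds up better when the verification rule is encoded in the tool that finance or the help desk actually uses. The following Python is an added example, not code from the original post: it models the callback rule as code, with a constructed directory of record (names, addresses and phone numbers are made up), a constructed dual-control threshold, and a hypothetical request object. The two points it enforces are the ones in the text: the callback always goes to the number on file, never to a number supplied in the request, and a request that offers its own callback number is itself a red flag.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed directory of record. Callbacks go ONLY to numbers stored here, never to a
# number supplied inside the request itself.
DIRECTORY = {
    "pat.chen@example.com": {"name": "Pat Chen", "role": "CFO", "phone": "+1-555-0100"},
    "sam.lee@example.com": {"name": "Sam Lee", "role": "Controller", "phone": "+1-555-0101"},
}
SENSITIVE_ACTIONS = {"wire_transfer", "change_payment_details", "credential_reset"}
DUAL_CONTROL_THRESHOLD = 50_000  # constructed policy value: larger wires need two verifiers


@dataclass
class Request:
    requester: str                          # claimed sender, e.g. the From: address
    action: str
    amount: float = 0.0
    callback_number: Optional[str] = None   # any number the message itself offers


@dataclass
class Plan:
    outcome: str                            # "approve", "hold" (verify first) or "reject"
    verify_via: Optional[str] = None
    red_flags: List[str] = field(default_factory=list)


def plan_verification(req: Request) -> Plan:
    """Decide whether a request needs out-of-band confirmation and where the call must go."""
    if req.action not in SENSITIVE_ACTIONS:
        return Plan("approve")              # routine actions follow the normal workflow
    entry = DIRECTORY.get(req.requester.lower())
    if entry is None:
        return Plan("reject", red_flags=["requester is not in the directory of record"])
    flags = []
    if req.callback_number and req.callback_number != entry["phone"]:
        flags.append("request supplies a callback number that differs from the directory")
    # The number in the request is deliberately ignored; only the directory entry is used.
    return Plan("hold", verify_via=entry["phone"], red_flags=flags)


def finalize(req: Request, confirmations: List[Tuple[str, str, bool]]) -> str:
    """confirmations: (verifier, number_called, confirmed). Only calls placed to the
    directory number count, and large wires need two different verifiers."""
    plan = plan_verification(req)
    if plan.outcome != "hold":
        return plan.outcome
    valid = {who for who, number, ok in confirmations if number == plan.verify_via and ok}
    needed = 2 if req.action == "wire_transfer" and req.amount > DUAL_CONTROL_THRESHOLD else 1
    return "approve" if len(valid) >= needed else "hold"


if __name__ == "__main__":
    wire = Request("Pat.Chen@example.com", "wire_transfer", 200_000, callback_number="+1-555-0199")
    print(plan_verification(wire))
    print(finalize(wire, [("alice", "+1-555-0199", True)]))                                # hold
    print(finalize(wire, [("alice", "+1-555-0100", True), ("bob", "+1-555-0100", True)]))  # approve
```

The "$200,000 to a new account" request from the text lands in the hold state, carries a red flag because it offered its own callback number, and is only approved after two different people have confirmed it on the CFO's number of record. A confirmation made to the number in the request, however convincing the person who answered, does not count.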
Adopt a Zero Trust Mindset
Zero trust isn't just a network architecture philosophy. It's a human behavior framework too. "Never trust, always verify" applies to emails, phone calls, and Slack messages just as much as it applies to network packets. Encourage your team to question everything — even requests from people they know.
Monitor for Credential Exposure
The Uber attack started with stolen credentials available on the dark web. Use threat intelligence services to monitor whether your employees' credentials have been exposed in breaches. When they have, force immediate password resets and review MFA configurations.
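Commercial threat intelligence covers the dark-web side of this; one piece you can wire into a password-reset flow yourself is a check against a public breached-password corpus. The following Python is an added example, not code from the original post: it implements the k-anonymity range lookup used by the Have I Been Pwned Pwned Passwords API, where only the first five hex characters of the password's SHA-1 leave your network and the match is done locally. To run offline it uses a constructed stand-in for the service's reply (the counts are made up; the SUFFIX:COUNT line shape is the real one), with a live fetcher included but not called.

```python
import hashlib
import urllib.request

# Constructed stand-in for the range API's reply to prefix 5BAA6 (SHA-1 of "password"
# starts with it). Counts here are made up; the real reply has the same SUFFIX:COUNT shape.
OFFLINE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 of the password into the 5-char prefix that leaves the
    host and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_reply(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are ignored."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts


def offline_fetch(prefix):
    """Offline fetcher used by default so the example runs without network access."""
    return OFFLINE_RANGES.get(prefix, "")


def live_fetch(prefix):
    """Fetcher for the real service (not called in this example): GET /range/<prefix>.
    The service requires a User-Agent header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "credential-exposure-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=offline_fetch):
    """Return how many times the password appears in the corpus, 0 if not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_reply(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password, fetch_range=offline_fetch):
    """Policy hook for a password-reset flow: reject anything already seen in a breach."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "seen" if not password_allowed(candidate) else "not seen")
```

Use the `password_allowed` hook at the moment a user sets a new password, which is exactly when you have the plaintext and exactly when the forced reset from the text should refuse a reused or breached value. Swap `live_fetch` in for `offline_fetch` in production; the privacy property holds either way because the full hash never leaves the host.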
CISA's cyber threat advisories are a solid starting point for staying current on the techniques threat actors are using right now.
The Tactics Are Evolving — Your Training Should Too
The social engineering examples I've shared above represent well-documented, high-profile incidents. But the same techniques hit small and mid-sized businesses every single day. You just don't hear about them because they don't make headlines.
In 2026, threat actors are leveraging AI-generated voice clones to make vishing calls nearly indistinguishable from real executives. Deepfake video is being used in real-time on video conferencing platforms. Phishing kits now include adversary-in-the-middle capabilities that capture session tokens and bypass MFA entirely.
Static, once-a-year training doesn't cut it. Your security awareness program needs to evolve at the same pace as the threats.
What About Ransomware?
Most ransomware infections start with social engineering. A phishing email delivers a loader. A vishing call extracts VPN credentials. A fake job application contains a weaponized PDF. If you're worried about ransomware — and you should be — the most effective prevention strategy starts with training your people to recognize the initial social engineering attempt before it escalates.
Build the Human Firewall Your Organization Actually Needs
Your perimeter defenses are only as strong as the people behind them. Every one of the social engineering examples in this post bypassed technical controls by targeting human trust, helpfulness, or fatigue.
Here's your action plan:
- Audit your current training program. Is it scenario-specific or generic?
- Launch phishing simulations this quarter using realistic templates.
- Implement callback verification for credential resets and financial transactions.
- Monitor for credential exposure on the dark web.
- Brief your help desk on pretexting tactics — they're target number one.
Start building that human firewall today with our security awareness training program and equip your team with hands-on phishing simulation exercises that mirror the attacks actually hitting your inbox right now.