The Phone Call That Cost MGM Resorts $100 Million
In September 2023, a threat actor called MGM Resorts' IT help desk, impersonated an employee they found on LinkedIn, and convinced the technician to reset credentials. That single phone call triggered a ransomware attack that disrupted operations across Las Vegas for ten days and cost the company over $100 million. No malware exploit. No zero-day vulnerability. Just a convincing voice on the phone.
That's the reality of social engineering — and it's why I'm walking you through the most dangerous social engineering examples from real incidents. These aren't hypothetical scenarios. They're the actual techniques that have breached Fortune 500 companies, drained bank accounts, and ruined careers. If your organization isn't training against these specific attacks, you're exposed.
What Is Social Engineering, Really?
Social engineering is the art of manipulating people into giving up confidential information, access, or money. Instead of hacking a firewall, the attacker hacks the human. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involved a human element — social engineering, errors, or misuse of credentials.
The reason these attacks work isn't stupidity. It's psychology. Threat actors exploit urgency, authority, trust, and fear. I've seen senior security engineers fall for well-crafted pretexts. The difference between someone who gets fooled and someone who catches it is almost always training and awareness.
7 Real Social Engineering Examples You Need to Know
1. Spear Phishing: The Targeted Email That Breached RSA
In 2011, attackers sent a small group of RSA employees an email with the subject line "2011 Recruitment Plan." It contained an Excel file with an embedded Flash zero-day exploit. An employee opened it from their junk folder. That single action compromised RSA's SecurID tokens — affecting thousands of defense and government clients.
Spear phishing remains the most common social engineering vector. Unlike bulk phishing, the attacker researches you, your role, and your organization. They craft messages that look legitimate because they are based on real details from your LinkedIn profile, company website, or press releases.
2. Vishing: The MGM Help Desk Attack
The MGM incident I described above is a textbook vishing (voice phishing) attack. The Scattered Spider group identified an employee on LinkedIn, called the help desk, and socially engineered a credential reset. Vishing is surging because most organizations train against email phishing but ignore phone-based social engineering entirely.
I've run vishing simulations for organizations where over 60% of help desk staff gave up password resets to callers who had nothing more than a name and employee ID format.
3. Business Email Compromise: The $37 Million Toyota Loss
In 2019, a Toyota subsidiary lost $37 million when a threat actor used business email compromise (BEC) to impersonate a senior executive and instruct a finance employee to change wire transfer details. The FBI's IC3 2023 Internet Crime Report identified BEC as the costliest cybercrime category, with adjusted losses exceeding $2.9 billion in a single year.
BEC doesn't require malware. The attacker either compromises a real email account or spoofs one that looks nearly identical. They study communication patterns, wait for the right moment, then strike.
4. Pretexting: Impersonating Vendors and IT Staff
Pretexting is creating a fabricated scenario to extract information. The Uber breach in September 2022 used this technique. An 18-year-old attacker bombarded an Uber contractor with multi-factor authentication push notifications, then contacted the contractor on WhatsApp, pretending to be Uber IT. The contractor approved the MFA request. The attacker walked into Uber's internal systems.
This attack — called MFA fatigue combined with pretexting — is now one of the most common social engineering examples in corporate environments. Your multi-factor authentication is only as strong as the human approving the prompt.
5. Baiting: USB Drops That Still Work
In a 2016 study by researchers at the University of Illinois, 48% of USB drives dropped in parking lots were plugged into computers, with some opened within minutes. Baiting exploits curiosity. Threat actors mark USB drives with enticing labels like "Confidential — Salary Data" or "Q4 Layoff Plans" and leave them in company lobbies, restrooms, or parking garages.
This isn't ancient history. The Department of Homeland Security has warned about USB-based attacks as recently as 2023, and they remain a vector in red team engagements I've participated in.
6. Quid Pro Quo: Fake Tech Support Scams
The attacker calls employees claiming to be from IT support, offering to fix a slow computer or install an update. In exchange, they ask the employee to disable antivirus, install remote access software, or share credentials. These quid pro quo attacks target organizations with large workforces and outsourced IT — environments where employees don't personally know the tech support staff.
7. Tailgating: Walking Right Through the Door
Social engineering isn't just digital. Tailgating — following an authorized person through a secured entrance — remains embarrassingly effective. I've watched red team operators in business casual walk into server rooms by carrying a box and saying "Can you hold the door? Thanks." Physical security is part of social engineering awareness, and most organizations ignore it completely.
Why Do These Social Engineering Attacks Keep Working?
Three reasons. First, attackers constantly adapt. When organizations trained against Nigerian prince emails, attackers shifted to spear phishing. When companies deployed MFA, attackers invented MFA fatigue. Second, most security awareness programs are annual checkbox exercises — one boring video per year doesn't build the instinct to spot a pretext in real time.
Third, organizations underinvest in phishing simulation and social engineering testing. You can't build muscle memory against credential theft if you've never experienced a realistic simulated attack. That's why continuous, scenario-based training makes such a measurable difference.
How to Defend Against Social Engineering
Build a Human Firewall With Ongoing Training
Annual compliance training is the bare minimum, and minimums get breached. Your employees need regular exposure to realistic social engineering examples through phishing awareness training built for organizations. Simulated phishing campaigns, vishing drills, and pretexting exercises build real recognition skills.
Adopt Zero Trust — Including for Internal Requests
Zero trust isn't just a network architecture buzzword. Apply it to human interactions. Every request for credentials, wire transfers, or access changes should require out-of-band verification. If someone calls claiming to be the CFO, you call the CFO back on a known number. Period.
Harden Your Help Desk Verification Process
The MGM and Uber breaches both exploited weak identity verification at the help desk. Implement strict identity verification procedures that go beyond knowledge-based questions. Require callback verification, manager approval for credential resets, or token-based identity confirmation.
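The out-of-band rule from the zero trust section ("call the CFO back on a known number") and the help desk hardening above can be written down as an explicit policy check rather than left to a technician's judgement. The following is an added example, not code from any of the organizations mentioned: a hypothetical help desk request evaluator with a constructed employee directory. Its central point is that a callback only counts when it goes to the number on file, never to a number the caller supplied, and that knowledge-based answers (employee ID, date of birth) earn no credit at all. The request types, method names and the "two strong verifications" threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed sample directory; a real deployment would query the HR system of record.
DIRECTORY = {
    "e1001": {"name": "Dana Lee", "phone": "+1-555-0100", "manager": "e1000"},
    "e1000": {"name": "Sam Ortiz", "phone": "+1-555-0101", "manager": None},
}

# Out-of-band (strong) methods. Knowledge-based answers are deliberately absent.
STRONG_METHODS = {"callback_directory_number", "manager_approval", "hardware_token"}

# Hypothetical policy: how many strong methods each request type needs, and which
# method is mandatory regardless of count.
POLICY = {
    "credential_reset": {"min_strong": 2, "require": {"manager_approval"}},
    "payment_change": {"min_strong": 2, "require": {"callback_directory_number"}},
    "access_grant": {"min_strong": 1, "require": set()},
}


@dataclass
class Verification:
    method: str
    detail: str = ""  # number actually dialled, approving manager id, token serial


@dataclass
class Request:
    request_type: str
    employee_id: str
    caller_phone: str  # what the caller told us; never used as a callback target
    verifications: list = field(default_factory=list)


def evaluate(req):
    """Return (approved, notes). Approval requires the mandatory method plus
    at least min_strong distinct strong methods, each validated against the directory."""
    policy = POLICY.get(req.request_type)
    if policy is None:
        return False, ["unknown request type"]
    record = DIRECTORY.get(req.employee_id)
    if record is None:
        return False, ["employee id not in directory"]

    satisfied, notes = set(), []
    for v in req.verifications:
        if v.method == "callback_directory_number":
            # The callback must have gone to the directory number, not the caller's number.
            if v.detail == record["phone"]:
                satisfied.add(v.method)
            else:
                notes.append(f"callback to {v.detail} ignored: not the directory number")
        elif v.method == "manager_approval":
            if v.detail == record["manager"]:
                satisfied.add(v.method)
            else:
                notes.append("approval not from the manager of record; ignored")
        elif v.method == "hardware_token":
            satisfied.add(v.method)
        else:
            notes.append(f"{v.method} is knowledge-based or unrecognised; not counted")

    missing = policy["require"] - satisfied
    for m in sorted(missing):
        notes.append(f"required verification missing: {m}")
    if len(satisfied) < policy["min_strong"]:
        notes.append(f"need {policy['min_strong']} strong verifications, have {len(satisfied)}")

    approved = not missing and len(satisfied) >= policy["min_strong"]
    return approved, notes


if __name__ == "__main__":
    # A caller who knows the employee ID and offers "their" number for a callback.
    weak = Request("credential_reset", "e1001", "+1-555-0999", [
        Verification("employee_id_and_dob", "e1001 / 1990-01-01"),
        Verification("callback_directory_number", "+1-555-0999"),
    ])
    print(evaluate(weak))
```

The evaluator is deliberately strict about provenance: a technician who "called the employee back" has done nothing useful if the number came from the same person who is asking for the reset. Logging the `notes` list alongside each ticket also gives an audit trail of which checks were skipped, which is the data a help desk lead needs to see where verification is being bypassed.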
Layer Multi-Factor Authentication With Phishing-Resistant Methods
Standard MFA push notifications are vulnerable to fatigue attacks. Move to phishing-resistant MFA — FIDO2 security keys or passkeys — that can't be socially engineered through push notification spam. CISA's MFA guidance provides a clear framework for implementation.
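Moving to phishing-resistant MFA takes time, and while push notifications remain in use the Uber pattern described under pretexting (a burst of prompts, several denials, then an approval) is detectable in authentication logs. The following is an added detection example, not code from the original article or from any vendor: it parses constructed sample log lines in a simple key=value format (an assumption; real identity providers emit their own schemas) and raises one alert per user who receives five or more push prompts inside a ten-minute window, noting whether an approval followed the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example; not real authentication data.
SAMPLE_LOG = """\
2022-09-15T21:01:03Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T21:01:09Z user=contractor01 event=mfa_push_denied src=203.0.113.7
2022-09-15T21:01:40Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T21:01:44Z user=contractor01 event=mfa_push_denied src=203.0.113.7
2022-09-15T21:02:00Z user=alice event=mfa_push_sent src=198.51.100.4
2022-09-15T21:02:09Z user=alice event=mfa_push_approved src=198.51.100.4
2022-09-15T21:02:15Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T21:02:50Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T21:03:30Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T21:04:10Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T21:06:12Z user=contractor01 event=mfa_push_approved src=203.0.113.7
"""


def parse_line(line):
    """Split '<iso-timestamp> k=v k=v ...' into (datetime, dict)."""
    ts_str, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, dict(f.split("=", 1) for f in fields)


def detect_push_fatigue(log_text, max_pushes=5, window=timedelta(minutes=10)):
    """Return a list of alert dicts, one per user whose push prompts reach
    max_pushes within `window`. Each alert records the burst boundaries, how
    many prompts the user denied before the alert, and whether an approval
    was logged after the burst (the pattern that needs immediate session review)."""
    events = sorted((parse_line(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    denials = defaultdict(int)    # user -> denied prompts seen so far
    alerts_by_user = {}

    for ts, kv in events:
        user, event = kv["user"], kv["event"]
        if event == "mfa_push_denied":
            denials[user] += 1
        elif event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= max_pushes and user not in alerts_by_user:
                alerts_by_user[user] = {
                    "user": user,
                    "pushes": len(q),
                    "denials_before_alert": denials[user],
                    "burst_start": q[0],
                    "burst_end": ts,
                    "src": kv.get("src", ""),
                    "approved_after_burst": False,
                }
        elif event == "mfa_push_approved" and user in alerts_by_user:
            # An approval after a burst of prompts is the fatigue success case.
            alerts_by_user[user]["approved_after_burst"] = True

    return list(alerts_by_user.values())


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(a)
```

The threshold and window are tunable; the more important design point is the `approved_after_burst` flag, which is the signal that a defender should act on (revoke the session, contact the user through a known channel) rather than merely record. Legitimate users occasionally trigger a few prompts in a row, but a run of denials followed by an approval from the same source is rarely innocent.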
Make Security Awareness Part of Your Culture
The organizations I've seen with the lowest social engineering click rates share one trait: security is a cultural value, not a compliance obligation. That starts with leadership and gets reinforced through consistent, engaging training. A comprehensive cybersecurity awareness training program gives your team the foundation to recognize and resist manipulation.
The Pattern Every Social Engineering Attack Shares
Here's the insight that will serve you across every scenario: every social engineering attack follows the same four-step cycle. Research — the attacker gathers information about the target. Engagement — they establish contact and build rapport or urgency. Exploitation — they extract credentials, money, or access. Exit — they disappear before the victim realizes what happened.
If you teach your team to recognize the engagement phase — the moment something feels urgent, unusual, or too convenient — you disrupt the entire kill chain. That recognition comes from seeing real social engineering examples repeatedly in training, not from reading a policy document once a year.
Your Employees Are Your Biggest Risk — and Your Best Defense
Every data breach post-mortem I've read reinforces the same lesson. Technology alone doesn't stop social engineering. Firewalls don't block a convincing phone call. Email filters don't catch every spear phish. Endpoint detection doesn't help when the employee willingly hands over the keys.
Your people are either your weakest link or your strongest defense. The difference is training — real, ongoing, scenario-driven training that keeps pace with how threat actors actually operate in 2026. Start building that capability now, because the next social engineering attack against your organization isn't a question of if. It's a question of when.