In September 2022, a teenager allegedly convinced an Uber employee to hand over access credentials through a simple text message. No zero-day exploit. No sophisticated malware. Just a convincing story and a target who didn't verify the request. That single social engineering attack gave the threat actor access to Uber's internal systems, Slack channels, and vulnerability reports.

If you're searching for social engineering examples, you're probably trying to understand how these attacks actually work — not in theory, but in practice. I've spent years analyzing breaches and training organizations, and I can tell you this: the attacks that cause the most damage almost always start with a human being tricked into doing something they shouldn't.

Here are seven real-world cases that show exactly how threat actors exploit people, along with what your organization can do to stop them.

What Is Social Engineering, Really?

Social engineering is the art of manipulating people into giving up confidential information, access, or money. It bypasses firewalls, endpoint detection, and encryption entirely. The attack surface is human psychology — trust, urgency, authority, and fear.

According to the Verizon Data Breach Investigations Report, the human element is involved in roughly 68% of breaches. That's not a technology problem. That's a people problem.

7 Social Engineering Examples From Real Breaches

1. Uber (2022): The MFA Fatigue Bombing

The attacker, believed to be associated with the Lapsus$ group, bombarded an Uber contractor with multi-factor authentication push notifications. After repeated prompts, the contractor finally approved one. The attacker then contacted the contractor via WhatsApp, posing as IT support, and secured further access.

This technique — called MFA fatigue — exploits the frustration people feel when their phone won't stop buzzing. The lesson: multi-factor authentication is essential, but it's not bulletproof when users aren't trained to recognize abuse of it.
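Training is one half of the answer to MFA fatigue; the other half is noticing the pattern in your identity provider's logs while it is happening. The following is an added example, not code from the original article or from any vendor: it scans a constructed, simplified push-authentication log (timestamp, user, event, source address; real identity providers use their own schemas) and raises two alerts, one when a single user receives a burst of push prompts inside a short window, and a higher-severity one when an approval arrives after that burst. The window size, prompt threshold and event names are assumptions chosen for the example.

```python
"""Detect MFA push-fatigue (prompt bombing) in authentication logs.

Added example for illustration only. It assumes a constructed log line
format: "<ISO-8601 UTC timestamp> user=<id> event=<push_*> src=<ip>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real incident).
# contractor42 is prompted six times, rejects or ignores five, then approves.
# alice and bob show normal behaviour, including one ordinary retry.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=contractor42 event=push_sent src=203.0.113.9
2022-09-15T22:01:20Z user=contractor42 event=push_denied src=203.0.113.9
2022-09-15T22:02:10Z user=contractor42 event=push_sent src=203.0.113.9
2022-09-15T22:02:55Z user=contractor42 event=push_timeout src=203.0.113.9
2022-09-15T22:03:00Z user=alice event=push_sent src=198.51.100.20
2022-09-15T22:03:09Z user=alice event=push_approved src=198.51.100.20
2022-09-15T22:03:30Z user=contractor42 event=push_sent src=203.0.113.9
2022-09-15T22:03:41Z user=contractor42 event=push_denied src=203.0.113.9
2022-09-15T22:04:15Z user=contractor42 event=push_sent src=203.0.113.9
2022-09-15T22:04:50Z user=contractor42 event=push_denied src=203.0.113.9
2022-09-15T22:05:00Z user=bob event=push_sent src=198.51.100.31
2022-09-15T22:05:30Z user=contractor42 event=push_sent src=203.0.113.9
2022-09-15T22:06:00Z user=bob event=push_timeout src=198.51.100.31
2022-09-15T22:06:05Z user=contractor42 event=push_timeout src=203.0.113.9
2022-09-15T22:06:10Z user=bob event=push_sent src=198.51.100.31
2022-09-15T22:06:20Z user=bob event=push_approved src=198.51.100.31
2022-09-15T22:07:00Z user=contractor42 event=push_sent src=203.0.113.9
2022-09-15T22:07:12Z user=contractor42 event=push_approved src=203.0.113.9
"""

REJECTIONS = ("push_denied", "push_timeout")


def parse_line(line):
    """Split one log line into (timestamp, user, event, source address)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, fields["user"], fields["event"], fields.get("src")


def detect_push_fatigue(lines, window=timedelta(minutes=10),
                        min_prompts=5, min_rejections=2):
    """Return a list of alert dicts, in the order the triggering lines appear.

    "prompt_bombing": a user received min_prompts push prompts within window.
    "approved_after_bombing": an approval landed while the window still held
    at least min_prompts prompts and min_rejections denials/timeouts, which is
    the fatigue pattern rather than a normal single retry.
    """
    history = defaultdict(deque)  # user -> deque of (timestamp, event)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        when, user, event, src = parse_line(line)
        recent = history[user]
        recent.append((when, event))
        # Drop events that have aged out of the sliding window.
        while recent and when - recent[0][0] > window:
            recent.popleft()
        prompts = sum(1 for _, e in recent if e == "push_sent")
        rejections = sum(1 for _, e in recent if e in REJECTIONS)
        kind = None
        # Fire the burst alert exactly once, when the threshold is first hit.
        if event == "push_sent" and prompts == min_prompts:
            kind = "prompt_bombing"
        elif (event == "push_approved" and prompts >= min_prompts
              and rejections >= min_rejections):
            kind = "approved_after_bombing"
        if kind:
            alerts.append({"kind": kind, "user": user, "at": when.isoformat(),
                           "prompts": prompts, "rejections": rejections,
                           "src": src})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as written, the script flags contractor42 twice and stays silent for alice and bob. The "approved_after_bombing" alert is the one worth paging on: it is the moment the Uber attacker got in, and an immediate session revocation plus a call to the user over a known-good number costs far less than the investigation that follows. Number-matching or FIDO2-based MFA removes the blind-approval path altogether, which is why the detection is a stopgap rather than the fix.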

2. Twitter (2020): Phone Spear Phishing

In July 2020, attackers called Twitter employees and posed as IT department staff. They directed victims to a fake VPN login page where employees entered their credentials. With those stolen credentials, the attackers accessed internal admin tools and hijacked high-profile accounts including Barack Obama, Elon Musk, and Apple — running a Bitcoin scam that netted over $100,000 in hours.

This was classic credential theft through vishing — voice phishing. The attackers didn't hack a server. They called people on the phone.

3. RSA Security (2011): The Spear Phishing Email

An employee at RSA opened an Excel file attached to an email with the subject line "2011 Recruitment Plan." The file contained a zero-day exploit that installed a backdoor. Attackers eventually stole data related to RSA's SecurID tokens, compromising the security of thousands of organizations worldwide.

One email. One curious employee. Billions of dollars in downstream impact.

4. Sony Pictures (2014): Pretexting and Phishing

Attackers sent phishing emails to Sony employees disguised as Apple ID verification requests. Once inside the network, they exfiltrated terabytes of data — unreleased films, employee records, salary data, and embarrassing executive emails. The FBI attributed the attack to North Korean threat actors.

The initial entry point wasn't a flaw in Sony's perimeter. It was a convincing email that looked like it came from a trusted brand.

5. Target (2013): Third-Party Vendor Compromise

Attackers sent a phishing email to an employee at Fazio Mechanical Services, Target's HVAC vendor. The stolen credentials gave attackers a foothold into Target's network, where they eventually installed malware on point-of-sale systems. The breach exposed 40 million credit and debit card numbers.

This is a textbook example of why your supply chain is your attack surface. Social engineering doesn't always target your employees directly — sometimes it targets the people who have access to your systems.

6. Google and Facebook (2013-2015): The $100M Invoice Scam

A Lithuanian man named Evaldas Rimasauskas impersonated Quanta Computer, a real hardware manufacturer, and sent fraudulent invoices to Google and Facebook. Both companies paid — to the tune of approximately $100 million combined — before the scheme was uncovered.

This business email compromise (BEC) attack relied entirely on social engineering. No malware. No exploits. Just forged invoices and letterheads that looked legitimate. The FBI's IC3 has repeatedly identified BEC as the costliest category of cybercrime.

7. MGM Resorts (2023): A 10-Minute Phone Call

In September 2023, the ALPHV/BlackCat ransomware group reportedly gained access to MGM Resorts through a social engineering call to the IT help desk. The attackers found an employee's information on LinkedIn, called the help desk posing as that employee, and convinced a technician to reset credentials. The resulting ransomware attack cost MGM an estimated $100 million.

Ten minutes on the phone. One hundred million dollars in damages. That's the ROI of social engineering for a threat actor.

Why These Social Engineering Examples Keep Repeating

Every one of these attacks shares a common thread: the technology was fine. The people weren't prepared.

Organizations invest millions in firewalls, SIEM tools, and zero trust architecture. But if an employee hands over credentials because a caller sounds authoritative, none of that matters. Social engineering attacks succeed because they exploit patterns deeply embedded in human behavior — our tendency to help, to comply with authority, and to act fast under pressure.

That's exactly why cybersecurity awareness training isn't optional anymore. It's a critical security control.

How Do You Defend Against Social Engineering?

This is the question I get asked most often. Here's what actually works, based on what I've seen in organizations that successfully reduce their human risk:

  • Conduct regular phishing simulations. Sending one test email a year accomplishes nothing. Consistent, varied phishing awareness training builds the reflexes employees need to spot deception in real time.
  • Train for all vectors, not just email. Vishing, smishing, pretexting, and in-person social engineering are all in play. Your training program needs to cover them all.
  • Implement strong verification procedures. The MGM and Uber breaches could have been stopped with callback verification policies. If someone requests a credential reset, verify their identity through a separate, pre-established channel.
  • Adopt phishing-resistant MFA. FIDO2 security keys and passkeys are far more resistant to MFA fatigue and credential theft than push notifications or SMS codes. CISA's MFA guidance is a solid starting point.
  • Limit information exposure. Attackers research targets on LinkedIn, social media, and corporate websites. Audit what your employees and your organization share publicly.
  • Build a culture where reporting is rewarded. Employees who report suspicious contacts — even if they fell for them — should be thanked, not punished. Shame kills reporting. Silence kills security.

The Pattern You Need to Recognize

Across all of these social engineering examples, the attack pattern is remarkably consistent:

  • Research: The attacker gathers information about the target from public sources.
  • Pretext: They craft a believable scenario — IT support, a vendor, a boss in a hurry.
  • Engagement: They make contact via email, phone, text, or even in person.
  • Exploitation: They extract credentials, access, or money.
  • Exit: They move laterally, deploy ransomware, or exfiltrate data before anyone notices.

If your employees can recognize the first three steps, they can break the chain before exploitation ever occurs.

Your People Are the Last Line of Defense

I've reviewed hundreds of incident reports. The breaches that hurt the most aren't the ones caused by advanced nation-state tooling. They're the ones where someone clicked a link, answered a phone call, or approved a push notification because they didn't know any better.

Security awareness isn't about scaring people. It's about giving them the pattern recognition skills to pause, question, and verify before acting. That's what separates organizations that get breached from organizations that catch the attempt and shut it down.

The social engineering examples above didn't target weak companies. They targeted Uber, Google, Facebook, MGM, and the U.S. defense supply chain. If it can happen to them, it can happen to your organization.

The question isn't whether your people will be targeted. It's whether they'll be ready.