In September 2023, a teenager used a phone call to trick an MGM Resorts employee into resetting credentials. That single social engineering attack cost MGM an estimated $100 million. No malware exploit. No zero-day vulnerability. Just a convincing voice on the other end of a help desk line. If you want to understand why social engineering examples matter more than any firewall upgrade, this is the post for you.
I've spent years watching organizations pour money into technical controls while ignoring the human layer. The attackers haven't made that mistake. According to Verizon's 2023 Data Breach Investigations Report, 74% of all breaches involved the human element — social engineering, errors, or misuse. Threat actors know that people are the cheapest vulnerability to exploit.
Let's walk through seven real social engineering examples, break down exactly how they worked, and talk about what you can actually do to stop them.
What Is Social Engineering, Exactly?
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It bypasses technical security entirely by targeting trust, urgency, fear, and authority — the hardwired responses every human carries.
It's not a single technique. It's a category of attack that includes phishing, pretexting, baiting, tailgating, vishing (voice phishing), and more. Every one of the examples below exploits a different flavor of human psychology.
Example 1: The MGM Resorts Vishing Attack (2023)
The Scattered Spider group reportedly found an MGM employee's information on LinkedIn. They called the IT help desk, impersonated that employee, and convinced a technician to reset multi-factor authentication credentials. Within minutes, they had access to MGM's Okta and Azure environments.
The result: slot machines went dark, hotel check-ins reverted to pen and paper, and MGM disclosed a $100 million hit to third-quarter earnings. All from a ten-minute phone call.
Why It Worked
Help desks are trained to be helpful. That's the vulnerability. The attacker leveraged authority (posing as a known employee), urgency ("I'm locked out and need access now"), and publicly available information from social media. No technical exploit was needed.
Example 2: The Twitter (Now X) Bitcoin Scam (2020)
In July 2020, attackers compromised Twitter's internal admin tools by calling employees and posing as IT support staff. They used pretexting — building a believable backstory — to convince workers to hand over credentials to internal systems.
Once inside, they hijacked accounts belonging to Barack Obama, Elon Musk, Apple, and others, posting a Bitcoin scam that netted over $120,000 in hours. Three individuals were eventually charged, including a 17-year-old who orchestrated the scheme.
Why It Worked
The attackers targeted lower-level employees who had access to internal tools but hadn't received robust security awareness training. They exploited the credibility of an "IT department" caller — a classic social engineering move. Employees assumed the request was legitimate because it sounded internal.
Example 3: The Ubiquiti Networks Wire Transfer Fraud (2015)
Ubiquiti Networks lost $46.7 million in a business email compromise (BEC) attack. Threat actors impersonated executives via email and convinced employees in the finance department to wire funds to overseas accounts controlled by the attackers.
This is one of the most expensive social engineering examples in corporate history and a textbook case of CEO fraud. The company disclosed the incident in an SEC filing and later recovered approximately $15 million.
Why It Worked
The emails appeared to come from senior leadership. Employees in finance were conditioned to follow executive instructions quickly and without question. There was no secondary verification process — no callback, no dual approval. The authority principle did all the heavy lifting.
Example 4: The RSA SecurID Breach (2011)
Attackers sent phishing emails to small groups of RSA employees with the subject line "2011 Recruitment Plan." The attached Excel spreadsheet contained a zero-day exploit, but the attack started with social engineering. Someone had to open that file.
The breach compromised RSA's SecurID two-factor authentication tokens, which were used by defense contractors and government agencies. The downstream impact was enormous. Lockheed Martin later confirmed it was targeted using information stolen in the RSA breach.
Why It Worked
The email was targeted — a spear phishing attack aimed at specific employees. The subject line was relevant and non-threatening. It played on curiosity. The technical exploit was sophisticated, but without the social engineering component, the malware never would have executed.
Example 5: The Google and Facebook Invoice Scam (2013-2015)
A Lithuanian man named Evaldas Rimasauskas impersonated a Taiwanese hardware manufacturer (Quanta Computer) and sent fake invoices to Google and Facebook over a two-year period. Employees at both companies paid the invoices, wiring over $100 million combined to accounts Rimasauskas controlled.
He was eventually arrested in 2017 and sentenced to five years in prison. Both companies recovered portions of the stolen funds, but the case remains one of the largest social engineering frauds ever prosecuted.
Why It Worked
Rimasauskas did his homework. He knew Google and Facebook used Quanta as a vendor. He created fake contracts, invoices, and corporate stamps. The emails looked legitimate because they mimicked a real business relationship. Credential theft wasn't even necessary — he exploited the accounts payable process itself.
Example 6: The Shark Tank / Barbara Corcoran BEC (2020)
In February 2020, a threat actor impersonated Barbara Corcoran's assistant via email and sent a fake invoice for $388,700 to her bookkeeper. The bookkeeper paid it. The only reason the scam was caught: the bookkeeper CC'd the real assistant on a follow-up email.
The money was initially sent to a Chinese bank account. Corcoran's team worked to recover the funds, and the incident became a widely covered example of how BEC attacks target even high-profile individuals.
Why It Worked
The attacker spoofed the assistant's email address with a one-character difference — easily overlooked. The invoice amount was within the range of normal business transactions. The bookkeeper trusted the source and had no verification protocol in place beyond email.
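The one-character spoof described above is cheap to catch mechanically if invoice senders are compared against a directory of known contacts rather than eyeballed. The following is an added example, not code from the original post: it folds case and a few common confusable character pairs, then flags any sender within a small edit distance of a trusted address so it can be held for out-of-band verification. The trusted directory, the sample inbox and the confusable table are constructed for illustration.

```python
"""Detect sender addresses that nearly match a trusted contact.

Hypothetical example added to illustrate the one-character spoof described
above; it is not code from the original post. The trusted directory and the
sample senders are constructed, and the confusable-character table is an
illustrative subset."""
import unicodedata


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


# Visually similar sequences that get swapped for one another
# (constructed, deliberately incomplete table).
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(address: str) -> str:
    """Fold case, Unicode compatibility forms and common confusables so that
    look-alike spellings collapse to the same string."""
    folded = unicodedata.normalize("NFKC", address).strip().lower()
    for lookalike, canonical in CONFUSABLE_SEQUENCES:
        folded = folded.replace(lookalike, canonical)
    return folded


# Constructed sample directory of contacts that are allowed to send invoices.
TRUSTED_CONTACTS = {
    "assistant@example-office.com",
    "ap@vendor-example.com",
}


def classify_sender(sender: str, trusted=TRUSTED_CONTACTS, max_distance: int = 2) -> str:
    """Return 'trusted' for an exact directory match, 'lookalike' for a near
    match that should be held for out-of-band verification, else 'unknown'."""
    if sender.strip().lower() in {t.lower() for t in trusted}:
        return "trusted"
    candidate = normalize(sender)
    for contact in trusted:
        # A confusable swap normalizes to distance 0; a dropped or changed
        # letter lands within max_distance.
        if levenshtein(candidate, normalize(contact)) <= max_distance:
            return "lookalike"
    return "unknown"


def triage(messages):
    """Constructed helper: tag each (sender, subject) pair with its verdict."""
    return [(sender, subject, classify_sender(sender)) for sender, subject in messages]


if __name__ == "__main__":
    # Constructed sample inbox; the second and third senders differ from the
    # directory entry by a confusable pair and a single dropped letter.
    sample = [
        ("assistant@example-office.com", "Invoice 1042"),
        ("assistant@exarnple-office.com", "URGENT: invoice 1043 due today"),
        ("assistant@example-offce.com", "Updated bank details"),
        ("newvendor@somewhere.test", "Introduction"),
    ]
    for sender, subject, verdict in triage(sample):
        print(f"{verdict:9} {sender:35} {subject}")
```

A "lookalike" verdict is a routing decision, not proof of fraud: the message goes to a queue where someone confirms the request with the real contact over a channel that did not come from the email. Keep `max_distance` small; at 3 or more, unrelated vendors with short domains start colliding.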
Example 7: The Target Data Breach (2013)
The massive Target breach that exposed 40 million credit and debit card numbers started with a phishing email sent to an HVAC contractor — Fazio Mechanical Services. Attackers stole the contractor's credentials and used them to access Target's vendor portal, eventually pivoting to the point-of-sale network.
Target paid $18.5 million in a multi-state settlement. The breach reshaped how the retail industry approaches third-party risk and network segmentation.
Why It Worked
The attackers didn't target Target directly. They targeted a smaller, less-defended vendor in the supply chain. The phishing email gave them a foothold. From there, inadequate network segmentation allowed lateral movement. This is social engineering combined with a network that lacked zero trust segmentation.
The Pattern Behind Every Social Engineering Attack
Look across all seven examples. The techniques vary — vishing, spear phishing, BEC, pretexting, invoice fraud. But the pattern is identical:
- Research: Attackers gather information from LinkedIn, company websites, SEC filings, and social media.
- Pretext: They build a believable story — a locked account, a vendor invoice, a recruitment plan.
- Exploitation: They trigger urgency, authority, or trust to get the target to act without thinking.
- Action: The victim hands over credentials, wires money, opens a file, or resets access.
Every one of these attacks would have been stopped — or at least slowed — by employees who recognized the pattern.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2023 Cost of a Data Breach Report puts the global average breach cost at $4.45 million — the highest figure ever recorded at the time. Social engineering and phishing were consistently among the most common initial attack vectors.
Here's what I tell every CISO I work with: your security stack is only as strong as the person who answers the phone at your help desk, clicks a link in their inbox, or processes an invoice without verifying the sender.
Technical controls matter. Multi-factor authentication matters. Zero trust architecture matters. But none of it works if your people hand over the keys willingly because they didn't recognize a social engineering attack in progress.
How to Actually Defend Against Social Engineering
Train Continuously, Not Annually
Annual compliance training doesn't change behavior. You need regular, scenario-based cybersecurity awareness training that covers real social engineering examples — not abstract theory. Monthly touchpoints outperform yearly check-the-box exercises every time.
Run Phishing Simulations
Simulated phishing campaigns are one of the most effective ways to measure and improve your organization's resilience. The goal isn't to punish people who click — it's to build pattern recognition. If you're looking for a structured approach, phishing awareness training for organizations can give your team hands-on practice identifying real-world attacks.
Implement Verification Protocols
Every wire transfer request, credential reset, and sensitive data request should require out-of-band verification. If someone emails asking you to wire $400,000, pick up the phone and call them at a known number. This alone would have prevented at least four of the seven attacks above.
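The verification protocol above has one detail that decides whether it works: the callback number and the bank details must come from your own vendor master record, never from the request, because the attacker controls everything inside the email. The following is an added example, not a procedure from the original post, showing a payment gate that enforces that rule together with dual approval. The vendor master file, the callback threshold and the sample request are constructed, and the amount is borrowed from the Corcoran case above purely as a realistic figure.

```python
"""Out-of-band verification gate for a payment request.

Hypothetical example added to illustrate the verification protocol described
above; it is not a procedure from the original post. The vendor master file,
the callback threshold and the sample request are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Vendor master file: the only source of callback numbers and bank details.
# Constructed sample data; a real one lives in the ERP, not in an email.
VENDOR_MASTER = {
    "vendor-001": {"phone": "+1-555-0100", "account": "TRUSTED-ACCT-0001"},
}

# Assumed policy: any amount at or above this requires a callback.
CALLBACK_THRESHOLD = 10_000


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    requested_account: str          # bank details quoted in the email (untrusted)
    phone_in_email: str             # number the email asks us to call (untrusted)
    callback_verified_with: Optional[str] = None
    approvers: set = field(default_factory=set)


class VerificationError(Exception):
    pass


def callback_number(req: PaymentRequest) -> Optional[str]:
    """The number to dial comes from the master file, never from the request."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    return vendor["phone"] if vendor else None


def record_callback(req: PaymentRequest, number_dialed: str) -> bool:
    """Record a callback only if it went to the number on file."""
    if number_dialed is None or number_dialed != callback_number(req):
        return False
    req.callback_verified_with = number_dialed
    return True


def approve(req: PaymentRequest, approver: str) -> None:
    req.approvers.add(approver)


def blocking_findings(req: PaymentRequest) -> list:
    """Every control that is still unsatisfied; an empty list means releasable."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["unknown vendor: onboard through the normal process first"]
    findings = []
    if req.requested_account != vendor["account"]:
        findings.append("bank details differ from the master file; handle as a separately verified change request")
    if req.amount >= CALLBACK_THRESHOLD and req.callback_verified_with != vendor["phone"]:
        findings.append("no out-of-band callback to the number on file")
    if len(req.approvers) < 2:
        findings.append("dual approval required")
    return findings


def release_payment(req: PaymentRequest) -> bool:
    """Release only when no control is outstanding; otherwise raise."""
    findings = blocking_findings(req)
    if findings:
        raise VerificationError("; ".join(findings))
    return True


if __name__ == "__main__":
    # Constructed request modelled on a fake-invoice BEC: right vendor, large
    # amount, and a "call me here" number supplied by the sender.
    req = PaymentRequest("vendor-001", 388_700, "TRUSTED-ACCT-0001", "+1-555-0199")
    print(blocking_findings(req))                      # callback and dual approval still missing
    print(record_callback(req, req.phone_in_email))    # False: the number in the email is ignored
    record_callback(req, callback_number(req))         # clerk dials the number on file
    approve(req, "ap-clerk")
    approve(req, "controller")
    print(release_payment(req))
```

The important failure mode is the "please update our bank details" variant: the gate refuses to pay to an account that differs from the master file rather than quietly accepting the new one, so a change of banking details becomes its own verified event instead of a line in an invoice.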
Lock Down Public Information
Audit what your organization shares publicly. Employee directories, org charts, vendor relationships, and executive travel schedules are all intelligence that threat actors use. I'm not saying go dark — I'm saying be deliberate about what's visible.
Adopt Zero Trust Principles
The CISA Zero Trust Maturity Model provides a framework for limiting the blast radius of any single compromised account. Even if an attacker social engineers one credential, zero trust architecture limits what they can do with it. The Target breach is a perfect case study in what happens without segmentation.
Report Without Blame
Build a culture where employees report suspicious contacts immediately — without fear of punishment. The FBI's Internet Crime Complaint Center (IC3) received over 880,000 complaints in 2023, with potential losses exceeding $12.5 billion. Many incidents go unreported internally because employees are embarrassed. That silence costs you time and money.
Social Engineering Isn't Going Away — It's Evolving
Generative AI is making these attacks cheaper and more convincing. Voice cloning. Deepfake video calls. AI-generated phishing emails without the typos that used to be a giveaway. The social engineering examples from 2025 will look different from the ones above — but the psychological principles will be identical.
Your defense has to evolve faster. That means investing in your people, not just your perimeter. Start by studying these real-world attacks, understanding the tactics, and building the muscle memory that lets your team recognize manipulation before they act on it.
The organizations that treat social engineering as a people problem — not just a technology problem — are the ones that avoid becoming the next headline.