A Teenager Breached Uber. No Malware Required.

In September 2022, an 18-year-old compromised Uber's internal systems — not with a sophisticated zero-day exploit, but with a text message. The attacker bombarded an Uber contractor with multi-factor authentication push requests until the contractor finally approved one. From there, the threat actor pivoted across Uber's internal Slack, cloud dashboards, and vulnerability reports.

That single incident is one of the most instructive social engineering examples of the past decade. It proves something I've been telling organizations for years: your biggest vulnerability isn't your firewall. It's the human sitting behind it.

This post breaks down real-world social engineering examples — the specific techniques threat actors use, what they look like in practice, and what you can actually do to stop them. If you're responsible for protecting an organization, this is the playbook attackers are running against you right now.

What Is Social Engineering, Exactly?

Social engineering is the art of manipulating people into giving up confidential information or performing actions that compromise security. Instead of exploiting software vulnerabilities, attackers exploit trust, urgency, fear, and helpfulness — the very traits that make us good at our jobs.

According to the Verizon 2024 Data Breach Investigations Report, the human element was involved in 68% of all breaches. That number has barely budged in years. Attackers keep using social engineering because it keeps working.

7 Social Engineering Examples Ripped from Real Incidents

1. MFA Fatigue: The Uber Breach

I already mentioned this one, but let's dig into the mechanics. The attacker purchased the contractor's stolen credentials on the dark web. Then they spammed the contractor with MFA push notifications — dozens of them — while simultaneously sending a WhatsApp message posing as Uber IT support, saying the contractor needed to approve the login to make the alerts stop.

The contractor approved. Game over. This technique — called MFA fatigue or MFA bombing — has become one of the most common social engineering examples in the wild. Microsoft, Cisco, and other major companies have faced similar attacks.
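The defensive counterpart to the mechanics above is spotting the burst before the victim gives in. The following is an added example, not code from the original post or from Uber; it runs a simple push-bombing detector over a constructed, simplified authentication log (the format `timestamp user=… push=…`, the ten-minute window and the five-prompt threshold are all assumptions chosen for the illustration, and real IdP logs carry the same fields under other names). It raises a PUSH_BURST alert when one account receives a run of unapproved push prompts inside the window, and a higher-severity APPROVAL_AFTER_BURST alert when an approval follows such a run, which is exactly the Uber pattern.

```python
"""
Detect MFA push-bombing (MFA fatigue) from authentication logs.

Added example, not from the original post. Log format, window and
threshold below are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: how long a run of prompts stays "recent"
BURST_THRESHOLD = 5              # assumed: unapproved prompts in WINDOW that count as a burst

# Constructed sample log: "<ISO timestamp> user=<name> push=<result>"
# contractor01 is bombed and finally approves; alice and bob are normal traffic.
SAMPLE_LOG = """\
2024-01-01T02:00:05Z user=contractor01 push=denied
2024-01-01T02:00:40Z user=contractor01 push=timeout
2024-01-01T02:01:10Z user=contractor01 push=denied
2024-01-01T02:01:45Z user=contractor01 push=denied
2024-01-01T02:02:20Z user=contractor01 push=denied
2024-01-01T02:02:55Z user=contractor01 push=timeout
2024-01-01T02:04:30Z user=contractor01 push=approved
2024-01-01T08:15:00Z user=alice push=denied
2024-01-01T08:15:30Z user=alice push=approved
2024-01-01T09:00:00Z user=bob push=denied
2024-01-01T09:20:00Z user=bob push=denied
2024-01-01T09:45:00Z user=bob push=denied
"""


def parse_line(line):
    """Split one log line into (timestamp, user, push_result)."""
    ts_str, user_kv, push_kv = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, user_kv.split("=", 1)[1], push_kv.split("=", 1)[1]


def detect_push_bombing(lines, window=WINDOW, threshold=BURST_THRESHOLD):
    """
    Return a list of (user, alert_type, timestamp, prompt_count) tuples.

    PUSH_BURST           - `threshold` or more unapproved prompts for one
                           user inside `window` (raised once per burst).
    APPROVAL_AFTER_BURST - an approval that follows such a burst; treat the
                           session as presumed compromised and investigate.
    """
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts in window
    in_burst = set()              # users already alerted for the current burst
    alerts = []

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, user, result = parse_line(line)
        q = recent[user]

        # Drop prompts that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()

        if result == "approved":
            if len(q) >= threshold:
                alerts.append((user, "APPROVAL_AFTER_BURST", ts, len(q)))
            # An approval ends the run either way; reset state for this user.
            q.clear()
            in_burst.discard(user)
            continue

        # denied / timeout / any other unapproved outcome counts toward a burst
        q.append(ts)
        if len(q) >= threshold and user not in in_burst:
            alerts.append((user, "PUSH_BURST", ts, len(q)))
            in_burst.add(user)

    return alerts


if __name__ == "__main__":
    for user, kind, ts, count in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:22} user={user} prompts_in_window={count}")
```

Run against the sample, this yields two alerts for contractor01 (a PUSH_BURST at the fifth prompt and an APPROVAL_AFTER_BURST at the approval) and nothing for alice or bob. Detection of this kind is the fallback, not the fix: the stronger control is to stop accepting a bare "Approve" tap at all, for example by requiring number matching in the authenticator app, so that a victim cannot make the prompts stop without typing a code shown only on the attacker's login screen.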

2. CEO Fraud Wire Transfer: The Scoular Company

In 2014, an employee at The Scoular Company, a commodities trader in Omaha, received emails that appeared to come from the CEO instructing a wire transfer of $17.2 million. The emails referenced a confidential acquisition and insisted on secrecy. The employee complied. The money went to a bank account in China.

This is classic business email compromise (BEC). The FBI's Internet Crime Complaint Center (IC3) has reported that BEC scams have resulted in over $50 billion in global losses since 2013. No malware. No credential theft. Just a convincing email and a sense of authority.

3. Spear Phishing: The RSA SecurID Breach

In 2011, attackers sent a phishing email to a small group of RSA employees with the subject line "2011 Recruitment Plan." The attached Excel spreadsheet contained a zero-day exploit. One employee opened it. The attackers ultimately stole data related to RSA's SecurID two-factor authentication products, which then impacted defense contractors including Lockheed Martin.

This remains one of the most studied social engineering examples in cybersecurity history. The phishing email was targeted, relevant, and delivered to people most likely to open it.

4. Pretexting: The Hewlett-Packard Scandal

In 2006, investigators hired by HP's board used pretexting — calling phone companies while impersonating board members and journalists — to obtain private phone records. They fabricated identities and backstories to trick customer service representatives into handing over call logs.

Pretexting doesn't require technical skill. It requires acting ability and research. In my experience, this is the social engineering technique that's hardest to defend against because it targets customer-facing employees who are trained to be helpful.

5. Vishing (Voice Phishing): The MGM Resorts Attack

In September 2023, a threat actor called the MGM Resorts IT help desk, impersonated an employee found on LinkedIn, and convinced the help desk to reset that employee's credentials. This gave the attackers initial access to MGM's environment. The resulting ransomware attack cost the company over $100 million.

All it took was a phone call. The attackers — linked to the group known as Scattered Spider — used publicly available information from social media to sound convincing. This is vishing at its most devastating.

6. Watering Hole Attacks: The Polish Financial Regulator

In 2017, attackers compromised the website of the Polish Financial Supervision Authority — a site that employees at Polish banks visited routinely. The compromised site served malware to visitors from specific IP ranges belonging to targeted banks. Dozens of banks were affected.

This is a watering hole attack: instead of going after the target directly, you poison the resource the target trusts. It's the digital equivalent of contaminating the office water cooler.

7. Tailgating: The Forgotten Physical Layer

I've personally watched penetration testers walk into secured office buildings by holding a box of donuts and waiting for someone to hold the door open. No badge. No questions asked. Physical social engineering — tailgating or piggybacking — is alive and well in 2026.

Your employees might be trained to spot phishing emails. But are they trained to challenge a friendly stranger walking in behind them? Most aren't.

Why These Attacks Keep Working

Every one of these social engineering examples exploits the same psychological triggers. Attackers leverage authority ("I'm from IT"), urgency ("This must be done now"), social proof ("Your colleague already approved this"), and helpfulness ("Can you just hold the door?").

Technical controls matter — multi-factor authentication, zero trust architecture, endpoint detection. But none of those controls stopped the Uber breach. None of them stopped the MGM attack. The attackers went around the technology by going through the people.

That's why security awareness training isn't optional anymore. It's the control that addresses the 68% of breaches involving humans. If you haven't built a structured cybersecurity awareness training program, you're leaving your biggest attack surface completely undefended.

How to Defend Against Social Engineering

Build a Culture of Healthy Skepticism

Your employees need permission to question requests — even from executives. Especially from executives. Every BEC attack succeeds because someone was too intimidated to verify. Create explicit policies that say: "It is always acceptable to verify a financial request through a second channel."

Run Realistic Phishing Simulations

Static training slides don't change behavior. Realistic phishing simulations do. When employees experience a simulated attack and get immediate feedback, retention rates skyrocket. I've seen organizations cut click rates by over 60% within six months of implementing a structured phishing awareness training program.

Harden Your Help Desk

The MGM and Uber breaches both went through help desk and IT support channels. Implement strict identity verification procedures for password resets and MFA changes. Require callback verification to a number on file, not a number the caller provides.

Limit Public Exposure

Scattered Spider found their MGM target on LinkedIn. Attackers routinely mine social media for employee names, job titles, reporting structures, and technology stacks. Audit what your organization exposes publicly. Train employees to be cautious about what they share online.

Adopt Zero Trust Principles

Zero trust assumes that any user or device could be compromised at any time. Even if a social engineering attack succeeds and an attacker gets initial credentials, zero trust architecture — microsegmentation, least privilege access, continuous verification — limits how far they can go. CISA's Zero Trust Maturity Model is an excellent starting point.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Breaches involving social engineering and phishing were among the most expensive categories, in part because they take longer to detect. The average time to identify and contain a breach involving stolen credentials was 292 days.

Nearly 10 months. That's 10 months of an attacker sitting inside your network, escalating privileges, exfiltrating data, and setting up persistence — all because someone clicked a link or approved a push notification.

Your Employees Are the Last Line of Defense — Train Them Like It

I've audited organizations that spent millions on security tooling but allocated zero budget for employee training. That's like installing a state-of-the-art alarm system and leaving the front door propped open.

The social engineering examples in this post aren't theoretical. They're drawn from breaches that cost real companies hundreds of millions of dollars. The techniques are getting more sophisticated — deepfake voice calls, AI-generated phishing emails, and multi-stage pretexting campaigns are all part of the 2026 threat landscape.

Your technical controls will catch some of these attacks. But the ones that get through will target your people. Make sure your people are ready.