From fake password resets to convincing emails impersonating the CEO, phishing attacks have become cybercriminals’ go-to weapon, and they are working. In fact, over 90% of cyberattacks start with phishing.
Powered by generative AI, attackers craft hyper-personalised, error-free messages at scale. As a result, businesses are not just dealing with junk mail; they face financial losses, reputational damage, and social engineering attacks that bypass tools and go straight for people. To combat these next-gen threats, companies are turning to advanced cloud email security solutions built to detect and defuse sophisticated phishing attacks.
This article will break down the most common phishing attack types, backed by real-world examples targeting some of the largest brands.
12 biggest phishing attacks in history: At a glance
| Type of attack | Entity affected | What happened | Impact |
|---|---|---|---|
| Email phishing | Yahoo (2012–2016) | Multiple breaches between 2012 and 2016, compromising names, emails, birthdates, and hashed passwords. | Reputation damage, acquisition price reduced by Verizon, and a $117.5 million legal settlement in 2019. |
| Spear phishing | Sony Pictures Entertainment (2014) | The hack began in retaliation for the release of The Interview, a comedy about assassinating North Korea’s leader. | Caused significant disruption, massive data leaks, reputational damage, financial losses, and executive resignations. Nearly half of the 6,800 personal computers and over half of its 1,555 servers were wiped out or destroyed. |
| Business email compromise (BEC) | Facebook and Google (2013–2015) | Impersonated Quanta Computer Inc., tricking employees into wiring payments via fake invoices that appeared like legitimate business transactions. | Facebook was defrauded of $99 million, while Google lost approximately $23 million. |
| Whaling | Levitas Capital (2020) | The co-founder clicked a fake Zoom link, allowing attackers to access systems and initiate fraudulent wire transfers while posing as executives. | $800,000 financial loss; shut down due to reputational damage. |
| Smishing | Twilio (2022 & 2024) | Attackers impersonated Twilio’s IT department, sending SMS messages about password expiration containing a link to fake login pages mimicking Twilio’s sign-in portal. | Compromised employee credentials allowed unauthorized access to the internal system and customer data. |
| Vishing | UK-based energy firm (2019) | An AI-generated voice mimicking the firm’s German parent company CEO was used to trick the UK CEO into transferring $243,000 to a fake Hungarian supplier. | $243,000 lost, and significant reputational damage. |
| Pharming | 50 financial institutions (2011) | Sophisticated pharming campaign infected desktops, redirecting users to fake websites. | Infected 1000 desktops every day for nearly 3 days; major reputational damage. |
| HTTPS phishing | Change Healthcare (2024) | Attackers used HTTPS on fake sites to appear legitimate, aiding credential theft. | 190M PHI records compromised, $22 million ransom paid via bitcoin. |
| Clone phishing | Ubiquiti Networks Inc. (2015) | Attackers crafted emails that mimicked legitimate internal messages from executives, directing finance staff to carry out wire transfers. The emails appeared authentic, likely using a spoofed or lookalike domain. | $46.7 million was stolen. Ubiquiti recovered $8.1 million, with another $6.8 million legally frozen. Over $31.8 million remained unrecovered. Public disclosure damaged reputation and trust. |
| Social media phishing | Meta (Facebook, Instagram, WhatsApp, and Messenger) (2021) | Attackers set up 39,000+ fake websites that cloned Meta’s login pages and tricked users into entering credentials. | Account takeovers, identity theft risks, and broad social media privacy and security compromises. |
| QR code phishing | General public in the UK (2024) | Fraudulent QR codes were placed in public places (parking meters, menus), redirecting users to malicious sites or apps. | Victims suffered financial losses, including unauthorized subscriptions and potential identity theft. |
| Malvertising | Lowe’s employees | Fake websites mimicking Lowe’s employee portal, delivered through malicious Google ads, to steal employee credentials and sales data. | Employee credentials compromised, data likely sold to cybercriminals, breach disguised as a glitch. |
The most common phishing attacks: Real examples and shocking stats
There are different types of phishing attacks, and knowing these can help you avoid falling for them.
1. Email phishing
Email phishing tops the list: an estimated 3.4 billion phishing emails are sent daily across the globe. Cybercriminals use email phishing to impersonate legitimate companies or pretend to be someone familiar, tricking victims into providing their login details.
Yahoo data breaches: Leading to a $117.5 million settlement
Between 2012 and 2016, Yahoo experienced massive data breaches that compromised over 3 billion user accounts, making it one of the most significant breaches in history. Attackers stole sensitive user information, including names, email addresses, phone numbers, birthdates, and passwords.
The breaches went undisclosed for years, allowing cyber criminals to exploit the data extensively. In 2017, Yahoo publicly confirmed the extent of the violations, which severely damaged its reputation and led to a significant reduction in the company’s acquisition price by Verizon. The legal fallout culminated in a $117.5 million settlement in 2019 to compensate affected users.
Related: Adding layers like DomainKeys Identified Mail (DKIM) can significantly block phishing at the source.
2. Spear phishing
Spear phishing is a targeted email sent to specific people to trick them into sharing private information. Out of 50 billion emails analyzed across 3.5 million mailboxes, Barracuda researchers found that only 0.1% were spear-phishing emails. Despite being rare, spear-phishing attacks cause significant harm when they succeed.
The Sony Pictures Entertainment hack: 47,000 SSNs leaked
In 2014, Sony Pictures was hit by a massive cyberattack. Hackers calling themselves the Guardians of Peace broke into Sony’s computer systems. They infiltrated Sony’s systems using a spear phishing campaign, stealing terabytes of sensitive data, including 47,000 Social Security Numbers, executive emails, and confidential employee records. The hackers’ main goal was to stop Sony from releasing a comedy movie called “The Interview”, which made light of North Korea’s leader.
The breach crippled Sony’s operations: nearly half of its 6,800 personal computers and over half of its 1,555 servers were wiped out or destroyed, and the company faced considerable embarrassment and trust issues. Sony had to delay the movie’s release, which cost it tens of millions of dollars in financial losses. The company also spent heavily on fixing its security and dealing with lawsuits from employees whose personal data was leaked. The hack showed how vulnerable big companies can be to cyberattacks.
3. Business email compromise (BEC)
BEC is a scam in which bad actors hack or fake a company email account, usually of a boss or trusted employee, to trick others into sending money or sensitive information. This form of fraud caused $2.8 billion in reported losses in the U.S. alone in 2024.
The Facebook and Google invoice scam: Over $100 million loss
Between 2013 and 2015, a Lithuanian named Evaldas Rimasauskas ran a sophisticated, large-scale scam that tricked Facebook and Google out of over $100 million. He set up a fake company in Latvia that mimicked Quanta Computer, a legitimate hardware vendor with which both companies did business. He sent fake invoices and emails and convinced Facebook’s and Google’s employees to pay for goods and services that were never delivered.
The scam exploited trust in vendor relationships and the companies’ payment processes. Google lost about $23 million, and Facebook lost around $98 million. Rimasauskas was extradited to the U.S., where he pleaded guilty to wire fraud in 2019 and agreed to forfeit $49.7 million. He faces up to 30 years in prison.
4. Whaling
Whaling is a phishing attack aimed at high-profile targets such as CEOs, CFOs, or directors; in effect, it is a type of BEC attack narrowed to high-level executives. These attacks rely heavily on advanced social engineering techniques, using highly personalized and convincing emails to trick leaders into authorizing large payments or sharing sensitive information. While BEC can target any employee within a company, whaling specifically focuses on top executives, increasing the stakes and potential damage.
In 2021, one in every 3,226 emails received by an executive was a whaling attack, and 59% of organizations reported that at least one executive had been targeted.
The Levitas Capital collapse: Shut down due to financial and reputational damage
In 2020, Australian hedge fund Levitas Capital was hit by a whaling attack that led to its closure. The attack started when a co-founder clicked a fake Zoom link, which installed malware and gave attackers access to the firm’s email system. Then, they posed as executives and authorized fraudulent transactions, causing a loss of about $800,000.
The financial damage, along with the loss of their biggest client, forced the firm to shut down due to reputational damage.
5. SMS phishing
Smishing, or SMS phishing, is a type of phishing done through text messages to steal information or money. A zLabs Mishing Report reveals that India is the most vulnerable to smishing, with 37% of its population at risk, followed by the U.S. at 16% and Brazil at 9%.
Twilio breach: 33 million phone numbers stolen
In August 2022, Twilio, a major cloud communications company, was hit by a social engineering attack. Hackers tricked some Twilio employees and gained access to sensitive internal systems, allowing the attackers to steal data about Twilio’s customers. Because of this breach, attackers accessed information from at least 125 Twilio customers, causing serious data security and privacy concerns.
In 2024, Twilio was breached again by a hacker group called ShinyHunters, who claimed to have stolen 33 million phone numbers from Twilio’s system. This later breach was much bigger in scale. The 2022 attack revealed vulnerabilities in employee security training and internal controls.
6. Vishing
Vishing, or voice phishing, is a scam in which attackers use phone or voice calls to trick people into giving away sensitive information. In 2022, phishing was the second most common cause of data breaches, costing organizations an average of $4.91 million in breach expenses.
2019 UK-based energy company scam: $243,000 stolen via deepfake voice call
In 2019, a UK-based energy company fell victim to a highly sophisticated cyberattack that used artificial intelligence to clone a CEO’s voice. Criminals used AI-powered voice-generating software to impersonate the chief executive of the company’s German parent firm, successfully convincing the UK CEO to urgently transfer $243,000 to a fraudulent supplier account in Hungary.
The scammers mimicked the German CEO’s accent and tone so accurately that the UK executive believed the call was real. The attackers called three times, even following up with fake reassurances and requesting a second payment. Suspicion was raised only after inconsistencies in the caller’s number and the promised reimbursement failed to arrive. Experts warned that traditional security tools are not equipped to detect AI-generated audio, and as AI technology becomes more accessible, the risk of such attacks is rising.
7. Pharming
Pharming attacks redirect people from a real website to a fake one to steal their information without their knowledge. They can affect everyone, from individual users to large organizations, by hijacking DNS services or infecting many devices to redirect victims to fake websites.
In 2021, the FBI’s Internet Crime Complaint Center (IC3) reported 323,972 incidents under the combined phishing/vishing/smishing/pharming category, making it the top-reported cybercrime type that year.
Global pharming attack: Over 50 banks targeted
In 2007, cybercriminals launched a sophisticated pharming attack that targeted customers of more than 50 major financial institutions worldwide, including banks like Barclays, Bank of Scotland, PayPal, and American Express. Instead of relying on traditional phishing emails, this attack redirected users from legitimate banking websites to fraudulent replicas without their knowledge. The attackers deployed malware that infected victims’ computers, silently redirecting them to fake banking sites designed to steal login credentials.
The attack affected thousands of users daily, with infections estimated at around 1000 PCs per day during its peak. Although the full financial impact was never publicly disclosed, this large-scale pharming campaign demonstrated the evolving tactics of cybercriminals beyond classic phishing. It highlighted the need for stronger endpoint security and DNS protection.
8. HTTPS phishing
Hypertext Transfer Protocol Secure (HTTPS) phishing uses SSL/TLS certificates to make fake phishing sites appear legitimate: the browser padlock only confirms an encrypted connection to the site named in the certificate, not that the site is the one it imitates. The SSL certificate market is projected to grow from $234.5 million in 2025 to $518.4 million by 2032, with a strong compound annual growth rate of 12% from 2025 to 2032.
Change Healthcare HTTPS attack: 190 million people affected
In February 2024, Change Healthcare suffered a major ransomware attack by the ALPHV/BlackCat group, which began with stolen credentials likely obtained through an HTTPS phishing attack. This breach exposed the private health information of 190 million people, disrupting healthcare billing, insurance claims, and pharmacy services nationwide for weeks. UnitedHealth CEO Andrew Witty later confirmed the company paid a $22 million ransom in bitcoin to protect personal information and mitigate further damage.
9. Clone phishing
Hackers resend a real, previously delivered email but replace a link or attachment with a fake one to trick employees into clicking and giving away information or downloading malware.
Ubiquiti Networks wire transfer scam: $46.7 million lost in a cyber heist
In 2015, networking company Ubiquiti Networks fell victim to a significant cyber heist in which attackers stole $46.7 million using a type of scam known as CEO fraud. The attackers impersonated senior executives and sent fake emails to the company’s finance department, tricking employees into sending wire transfers to overseas accounts. The San Jose–based company discovered the fraud in June 2015 and reported it in a financial filing.
The scam targeted a Ubiquiti subsidiary in Hong Kong, where funds were transferred to third-party accounts in other countries. Ubiquiti recovered $8.1 million quickly and placed legal holds on another $6.8 million, but more than $31 million remained unrecovered. The company said there was no evidence that its internal systems were hacked or that employees were involved, but it admitted that its financial controls were weak at the time. The attackers likely used a fake email domain resembling Ubiquiti’s domain name, a common trick in CEO fraud.
10. Social media phishing
Billions of people scroll through platforms like Facebook, Instagram, Snapchat, and LinkedIn to connect with others, sharing everything from new dogs to job promotions. This makes the scammers’ job easier when creating convincing scams. Attacks targeting social media platforms accounted for 22.5% of all cyberattacks in Q4 2023, down from 30.5% in the previous quarter, showing a decrease in this threat vector.
Facebook’s 2021 legal crackdown: 39,000 fake login sites created
In 2021, Facebook (now Meta) took legal action against a large-scale phishing operation that targeted millions of users across its platforms, including Facebook, Instagram, WhatsApp, and Messenger. Attackers created over 39,000 fake login websites to steal users’ credentials by impersonating legitimate social media services. These phishing sites were distributed widely through emails, social media messages, and posts, tricking countless users into entering their usernames and passwords.
Meta’s lawsuit aimed to shut down the infrastructure supporting this massive phishing campaign and hold the perpetrators accountable. The operation highlighted the growing sophistication and scale of phishing attacks targeting social media users and underscored the importance of coordinated legal and technical efforts to protect online communities.
11. Quishing
Quishing is a QR code-based phishing attack. In 2023, Barracuda found that about one in twenty email inboxes was targeted with malicious QR Codes, showing how attackers even use QR scans to trick users.
The 2024 UK quishing attack story: Reportedly, 1,386 people affected
In 2024, organized crime groups in the UK launched a widespread quishing attack. They placed fraudulent QR codes on everyday public signs like parking meters and restaurant menus. When people scanned these fake QR codes, they were taken to malicious websites or apps designed to steal their personal and financial information. The UK’s national fraud reporting centre, Action Fraud, received 1,386 reports of people being targeted in 2024, a dramatic increase from just 100 cases in 2019. This reflects how attackers are adapting old scams to new technology.
Many victims ended up with unauthorized subscriptions and even faced risks of identity theft. This clever scam targeted the general public and caused significant monetary harm. It highlighted how attackers use new, everyday technologies like QR codes to trick people unexpectedly.
12. Malvertising
Malvertising is when malware or malicious code is hidden inside online ads. In the fall of 2023, cybersecurity firms reported a significant 42% month-over-month spike in malvertising incidents across the U.S.
Lowe’s malvertising scam: Employees targeted in a Google ad phishing scam
In mid-August 2024, attackers launched a sophisticated phishing scheme targeting Lowe’s employees. They created multiple fake websites resembling the official “MyLowe’sLife” employee portal, disguised as ordinary retail sites. These websites were likely generated using AI to avoid raising suspicion.
The scam worked by exploiting user trust in search results. Employees who searched for “myloweslife” saw multiple fake ads that appeared above or alongside the legitimate site. Clicking one of these led to a phishing page to steal usernames and passwords, potentially giving attackers access to sensitive employment and payroll data. After capturing the data, the fake site redirected users to the real Lowe’s portal, making the incident appear like a simple glitch.
Researchers identified two separate advertiser accounts impersonating the MyLowesLife portal. In one case, they observed three malicious ads appearing back-to-back. Many employees didn’t realize that attackers had compromised their sensitive credentials and were likely selling them to other cybercriminals.
Phishing clues you’ll wish you knew sooner
Validate before you click. Report suspicious activity.
- Check the email address to see if it exactly matches the alleged sender. Scammers often use addresses almost identical to legitimate ones that contain subtle typos or extra characters (example: Amaz0n instead of Amazon).
- Phishing messages often pressure you with warnings like “your account will be suspended!” or “Immediate action required!” designed to rush you into a mistake.
- Legitimate companies don’t ask for sensitive data via email. Requests for passwords, Social Security numbers, credit card details, or verification codes are red flags.
- Be wary of generic greetings, such as “Dear Customer/Dear Sir/Madam”.
- Be cautious of unknown files, especially if they are executable (.exe, .zip, .scr).
- Hover over any links to check the URL they actually point to. If the URL seems suspicious, don’t click.
- Take a moment to assess the email/SMS before taking any actions.
- Use organizations’ designated methods to report phishing attempts.
- To stay informed, regularly review information on common phishing attacks. Attackers constantly evolve their tactics, so regular updates on common scams improve your awareness.
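The checklist above turned into working detection logic, as an added example that is not part of the original article: it scores a message against the listed clues (lookalike sender domains such as Amaz0n, urgency wording, requests for sensitive data, generic greetings, link text whose host differs from the real href, and risky attachment types). The trusted-domain allowlist and the two sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the organisation keeps its own allowlist of trusted sender domains.
TRUSTED_DOMAINS = {"amazon.com", "example-corp.com"}
URGENCY_PHRASES = ("immediate action required", "account will be suspended", "urgently")
RISKY_EXTENSIONS = (".exe", ".zip", ".scr")
# Digit-for-letter swaps used to build lookalikes (Amaz0n -> amazon).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
SHOWN_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?", re.I)

def edit_distance(a, b):
    """Levenshtein distance, to catch one-character typosquats such as amazom.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True when the domain is not trusted but resembles a trusted one."""
    d = domain.lower()
    return d not in TRUSTED_DOMAINS and any(
        d.translate(HOMOGLYPHS) == t or edit_distance(d, t) <= 1 for t in TRUSTED_DOMAINS)

def link_mismatch(shown, href):
    """The hover check: the host named in the link text differs from the real href host."""
    m = SHOWN_HOST_RE.fullmatch(shown.strip())
    if not m:  # plain words such as "Click here" name no host to compare
        return False
    return m.group(1).lower() != (urlparse(href).hostname or "")

def phishing_indicators(msg):
    """Return the checklist clues that a message trips (empty list = nothing found)."""
    hits = []
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    if is_lookalike(sender_domain):
        hits.append(f"lookalike sender domain: {sender_domain}")
    text = (msg["subject"] + " " + msg["body"]).lower()
    hits += [f"urgency phrase: {p!r}" for p in URGENCY_PHRASES if p in text]
    if re.search(r"\b(password|verification code|social security)\b", text):
        hits.append("asks for sensitive data")
    if re.match(r"\s*dear (customer|sir/madam)", msg["body"], re.I):
        hits.append("generic greeting")
    for shown, href in msg["links"]:
        host = urlparse(href).hostname or ""
        if link_mismatch(shown, href):
            hits.append(f"link text {shown!r} really points to {host}")
        elif is_lookalike(host):
            hits.append(f"lookalike link host: {host}")
    hits += [f"risky attachment: {n}" for n in msg["attachments"]
             if n.lower().endswith(RISKY_EXTENSIONS)]
    return hits

# Constructed sample messages, not real emails.
SUSPICIOUS = {"from": "security@amaz0n.com", "attachments": ["invoice.zip"],
              "subject": "Immediate action required: your account will be suspended!",
              "body": "Dear Customer, confirm your password at the link below.",
              "links": [("amazon.com/verify", "https://amazon.com.account-check.example/login")]}
LEGIT = {"from": "orders@amazon.com", "subject": "Your order has shipped", "attachments": [],
         "body": "Hi Dana, track your package at the link below.",
         "links": [("amazon.com/orders", "https://amazon.com/orders")]}
```

Calling `phishing_indicators(SUSPICIOUS)` lists seven separate clues, while the legitimate order notification returns an empty list.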
If it smells fishy, just don’t click
From a normal text message to a QR code in a public place, it takes just one second of distraction to get tricked. Most cybercrime is not as high-tech as it sounds. Trust that tiny voice in your head saying “uhh.. this feels weird”: that gut feeling might be the best cybersecurity tool you have. The more informed a person is, the harder they are to deceive.
From phishing to ransomware, cyberthreats are rising across the board. Check out our list of essential cybercrime statistics every business should know.