Smart, careful, tech-savvy people fall for phishing scams every single day. If you’ve ever thought “I’d never fall for that,” these real examples of phishing emails might change your mind. From a Google employee wiring $100,000 to a con artist to a CEO who authorized a $61 million transfer, the victims of phishing aren’t careless — they’re just human. Understanding how these scams actually worked is one of the best ways to protect your own family from the next one.
Phishing works because it targets emotions, not intelligence. A well-crafted email can trigger fear, urgency, curiosity, or trust faster than your brain can pause and think it through.
Scammers also do their homework. They research company structures, mimic real login pages pixel-for-pixel, and time their messages to moments when people are busy, tired, or distracted — like right before a holiday weekend or during tax season.
According to the Cybersecurity and Infrastructure Security Agency (CISA), social engineering tactics like these succeed precisely because they exploit normal human decision-making shortcuts — not a lack of intelligence.
Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas convinced employees at both Google and Facebook to wire over $100 million to accounts he controlled. He didn’t hack any systems — he simply emailed fake invoices that looked like they came from a real hardware supplier both companies actually worked with.
The emails included forged contracts, official-looking letterhead, and email addresses that closely mimicked the real vendor’s domain. Because the invoices matched real business relationships, employees processed the payments without a second thought.
This case is a reminder that even massive tech companies with sophisticated security teams can be fooled when a scam mimics normal business communication closely enough. Attackers didn’t need to break through firewalls — they just needed one trusting employee in accounts payable.
The scammer used a real company name, a lookalike domain, and legitimate-looking paperwork. Nothing about the email “looked” like a typical scam — no bad grammar, no obvious red flags.
In a widely reported case, tech company Ubiquiti Networks lost $61 million after employees received emails that appeared to come from the company’s own executives, requesting urgent wire transfers for a confidential business deal.
This type of scam is called business email compromise (BEC), and the FBI reports that it has caused billions of dollars in losses across thousands of organizations. The emails often come from spoofed or nearly identical email addresses and rely on the employee’s desire to be helpful and act quickly for a superior.
Ubiquiti eventually recovered some of the funds, but the case shows how even financially sophisticated companies can be tricked when urgency overrides process.
Yes — and it happens more often than people assume. Security researchers themselves have documented falling for cleverly disguised phishing attempts, usually ones that arrived at an inconvenient moment: right after traveling, during a stressful workweek, or while multitasking on a phone screen.
One common trap involves fake “password expired” or “unusual sign-in” alerts that mimic real login pages from Microsoft, Google, or a company’s internal system. The fake page captures the password the moment it’s typed in — no malware required.
Mobile devices make this worse. Small screens hide the full web address, making it harder to spot a fake domain like “micros0ft-security.com” at a glance. Experts who normally catch these details on a desktop can miss them entirely on a phone during a rushed moment.
Not necessarily. Work devices often have stronger spam filters, but a convincing email can still land in an inbox and fool anyone who doesn’t pause to verify it.
Here are patterns pulled from real-world phishing reports that consistently fool recipients:
What ties these together isn’t poor writing or obvious typos anymore — today’s phishing emails are often grammatically perfect, professionally formatted, and branded with real company logos copied straight from the internet.
The Federal Trade Commission (FTC) notes that scammers increasingly use real company names and logos to build instant trust, making visual inspection alone an unreliable way to detect a scam.
The good news is that the tactics used against Fortune 500 employees are the exact same tactics used against everyday families — which means the same detection skills protect both. Teaching kids and teens to slow down before clicking is one of the most valuable digital habits they can build.
Families can build these skills together by talking through examples like the ones above and asking simple questions: Who supposedly sent this? Does the request make sense? What happens if I wait 10 minutes before responding?
For more on scams that specifically target younger internet users, see our guide to 5 online scams targeting kids in 2026 and how to spot them, and our deeper look at protecting your kids from online scams what every parent should know.
Social platforms are a growing entry point for scams aimed at younger users too — our research on is Instagram safe for kids under 13 what the data shows dives into how these platforms are frequently used to open the door to phishing-style manipulation.
This is exactly the kind of real-world scenario practice that LanternPhish is built around — giving families a safe, simulated way to recognize phishing red flags before they show up in a real inbox.
Mistakes happen, even to careful people — what matters most is what you do next.
Acting quickly limits the damage far more than dwelling on how the mistake happened in the first place.
Business email compromise and fake invoice scams are among the most financially damaging, while fake shipping and account-alert emails are the most common types people encounter day to day.
Yes. Cases like the $61 million Ubiquiti Networks scam and the $100 million Google/Facebook invoice fraud prove that even highly trained professionals can be deceived by well-researched, convincingly formatted emails.
Check the sender’s actual email address (not just the display name), hover over links before clicking, and be suspicious of any message creating urgency or requesting money, passwords, or personal information.
Yes. Modern phishing emails often have perfect grammar, real company branding, and personalized details, making old advice like “look for typos” far less reliable than it used to be.
Change your passwords immediately, enable two-factor authentication, notify your bank or employer if relevant, and monitor your accounts closely for the following few weeks.
No. Kids and teens are increasingly targeted through gaming platforms, social media, and text messages, which is why family-wide awareness matters just as much as workplace training.
Phishing scams succeed by exploiting trust, urgency, and routine — not stupidity. The more real examples your family recognizes, the harder these tricks become to pull off. Start practicing internet safety with your family today at LanternPhish.com.
Protect your family from scams — get Lantern Phish free: