10 phishing and cybersecurity cases — real and simulated — that sparked major controversy

Cybersecurity is usually associated with technology, malware and hackers. Yet some of the most talked-about cases of recent years had nothing to do with technical vulnerabilities — they exploited something far more human: emotions.

Phishing and cybersecurity
Case 01
West Midlands Trains and the fake COVID bonus
Simulation

In 2021, the British rail company sent an email to around 2,500 employees thanking them for their efforts during the pandemic and announcing a special payment.

When workers clicked to find out more, they discovered the bonus did not exist. It was a phishing simulation.

What made this message particularly difficult to detect was the context: the workforce had been through years of hardship, had been directly affected by the pandemic, and some employees had lost colleagues to COVID. The scenario was emotionally plausible — and that is precisely what made it such a representative example of how social engineering works.

Case 02
Tribune Publishing and the $10,000 bonuses
Simulation

Tribune Publishing sent employees an email announcing bonuses of between $5,000 and $10,000.

In reality, the company was going through layoffs, closures and financial difficulties. The simulation prompted internal and external reactions, leading the organisation to issue a statement explaining its purpose.

This case highlights something important: the effectiveness of an awareness campaign is directly tied to the context in which it takes place.

Case 03
Queensland Police and the fake pay rise
Simulation

Thousands of Australian police officers received an email about a 5% salary increase. It was not a real offer — it was an internal phishing campaign.

What made it hard to identify was the timing: it coincided with genuine pay negotiations, making the message indistinguishable from an official communication. The organisation decided to review its process and refine the criteria for planning future campaigns.

Case 04
The fake Ebola alert at a university
Simulation

The University of California Santa Cruz launched a phishing exercise simulating a health alert over a supposed Ebola case on campus. Many students and staff believed it was a genuine emergency.

The fact that so many people took it at face value says a great deal about the effectiveness of high-stakes emotional scenarios. The incident opened a debate within the cybersecurity community about what types of situations are most appropriate for these tests and how to manage communication with participants afterwards.

Case 05
The simulation that ended up at the FBI
Simulation

In 2018, a phishing exercise related to the technology infrastructure of the Michigan Democratic Party was so convincing that it was reported as a genuine attack.

The Democratic National Committee went as far as alerting the FBI, believing it was facing a real intrusion. Following the incident, procedures were updated to require better coordination in future security tests.

When the attacks were real

The following cases show how cybercriminals use exactly the same mechanisms as awareness exercises: messages that create expectation, urgency or a sense of benefit. The difference is that here the objective is unauthorised access, financial theft or credential capture.

Case 06
The "Payroll Pirates" and payroll fraud
Real attack

Microsoft identified a campaign in which attackers gained access to corporate systems to modify employees' banking details. The goal was to redirect payroll payments into accounts controlled by the criminals themselves.

The attackers used messages related to HR, benefits and payroll to establish credibility with their targets.

Case 07
Fake salary reviews used to steal credentials
Real attack

For years, phishing campaigns have exploited supposed salary reviews, benefits updates and changes to internal policies.

Employees receive apparently legitimate messages that redirect them to fake portals where they enter their corporate credentials. The effectiveness of this tactic lies in the fact that few subjects command more immediate attention than a financial improvement.

Case 08
The "Enhanced Bonus" attack
Real attack

In 2025, a campaign was detected that promised employees an extraordinary bonus. The target received a document containing a QR code which, when scanned, directed them to a fake Microsoft page designed to capture credentials.

The campaign combined two proven elements: the promise of a financial benefit and the use of QR codes as a redirection vector.

Case 09
IT support as a way in
Real attack

Some criminal groups do not even need to send emails. They impersonate employees by calling the IT support desk and convince staff to reset passwords or register new authentication devices.

Once inside, they modify payroll data or gain access to critical corporate systems — all without exploiting a single technical vulnerability.
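The chain described in this case (a help-desk password reset or a newly registered authentication device, followed by a payroll change) is something a defender can look for in audit logs. The sketch below is an added example, not part of the original article: the event names, field names and the 72-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; action and field names are assumptions,
# not the schema of any particular identity or HR product.
EVENTS = [
    {"ts": "2025-03-03T09:12:00", "user": "a.lopez", "action": "helpdesk_password_reset"},
    {"ts": "2025-03-03T09:20:00", "user": "a.lopez", "action": "mfa_device_registered"},
    {"ts": "2025-03-03T10:05:00", "user": "A.Lopez", "action": "payroll_bank_details_changed"},
    {"ts": "2025-03-04T14:00:00", "user": "b.chen", "action": "payroll_bank_details_changed"},
    {"ts": "2025-02-01T08:00:00", "user": "c.omar", "action": "mfa_device_registered"},
    {"ts": "2025-03-05T11:30:00", "user": "c.omar", "action": "payroll_bank_details_changed"},
    {"ts": "2025-03-05T12:00:00", "user": "d.ruiz", "action": "interactive_login"},
]

IDENTITY_CHANGES = {"helpdesk_password_reset", "mfa_device_registered"}
PAYROLL_CHANGE = "payroll_bank_details_changed"


def flag_payroll_diversion(events, window=timedelta(hours=72)):
    """Flag payroll bank-detail changes that follow an identity change
    (password reset or new MFA device) for the same user within `window`."""
    parsed = sorted(
        ((datetime.fromisoformat(e["ts"]), e["user"].lower(), e["action"]) for e in events),
        key=lambda item: item[0],
    )
    recent = {}   # user -> [(timestamp, action)] of identity changes seen so far
    alerts = []
    for ts, user, action in parsed:
        if action in IDENTITY_CHANGES:
            recent.setdefault(user, []).append((ts, action))
        elif action == PAYROLL_CHANGE:
            # Keep only identity changes close enough in time to be related.
            hits = [a for t, a in recent.get(user, [])
                    if timedelta(0) <= ts - t <= window]
            if hits:
                alerts.append({
                    "user": user,
                    "payroll_change_at": ts.isoformat(),
                    "preceded_by": hits,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_payroll_diversion(EVENTS):
        print(alert)
```

A payroll change with no recent identity change (b.chen) or with one far outside the window (c.omar) is not flagged, which keeps the alert tied to the reset-then-redirect sequence rather than to every bank-detail update.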

Case 10
The phishing campaign that helped trigger the DNC case
Real attack

In 2016, groups linked to Russian intelligence used phishing emails targeting members of the US Democratic Party. The messages mimicked legitimate login pages and successfully captured real credentials.

The incident became one of the most widely known phishing cases in recent history and demonstrated that a single email can have geopolitical consequences.

What stands out across these ten cases is that the pattern is virtually identical in all of them: a message that appeals to something relevant to the recipient — a financial benefit, an urgent alert, an internal communication — and that is genuinely difficult to dismiss.

The question worth asking is not whether these exercises are appropriate, but something more direct: would you have spotted it was an attack?

Awareness simulations exist precisely because, in many cases, the honest answer is no. Not through any lack of ability, but because these messages are designed to be convincing. Knowing how they work is the best way to be prepared.

Cloud Levante · Cybersecurity

Would your team recognise a social engineering attack?

Awareness is the first line of defence. At Cloud Levante we help organisations assess and strengthen their security posture against attacks that rely not on exploits, but on human behaviour.