Phishing in Practice: Case Studies and Lessons Learned
Security Awareness

Analysis of Real Phishing Attacks—From GitLab’s Internal Simulation to Energy Bill Scams. What Companies Can Learn From Them.

Chris Wojzechowski, Managing Partner
8 min read
IT-Grundschutz-Praktiker (TÜV) IT Risk Manager (DGI) § 8a BSIG Prüfverfahrenskompetenz Ausbilderprüfung (IHK)

TL;DR

Four real phishing cases show how widespread and professional these attacks are: In GitLab's internal simulation, 20 percent of employees clicked on a fake MacBook giveaway link and entered their credentials. In the financial sector, AI-generated voice calls and physical letters with manipulated QR codes (quishing) fool even experienced users. On Black Friday, artificial time pressure and deceptively realistic replicas of well-known brands massively increase success rates. Current events like government energy subsidies are systematically exploited as lures - with three parallel campaign variants running simultaneously.

Phishing isn’t some abstract threat from a textbook. It’s a tactic that even experienced tech professionals fall for—as four real-life cases clearly demonstrate. If you want to understand how attackers operate and why their methods work, you can’t ignore concrete case studies. Statistics show that phishing is one of the most common attack methods. Real-world examples explain why.

This article analyzes four documented phishing cases and draws conclusions that companies can apply immediately.


Why Case Studies Are Important

Cybersecurity training faces an acceptance problem: Many employees consider abstract warnings to be exaggerated. “That wouldn’t work on me” is a common reaction—until a colleague clicks on a link and the incident becomes known throughout the company.

Case studies serve two purposes: they make the reality of the threat tangible, and they reveal the psychological mechanisms attackers exploit. Only those who know the patterns can recognize them—before it’s too late.

The following four cases come from different contexts: a technology company, the financial sector, retail, and the public sector. Together, they show that no environment is immune.


Case Study 1: GitLab Tests Its Own Employees – 20% Fell for It

What Happened

GitLab—one of the best-known technology companies in the source code management sector—conducted an internal phishing simulation. The assumption was obvious: anyone working in the IT industry is prepared for phishing. The result clearly contradicted this assumption.

In a sample of 50 employees, 17 clicked on the link provided. The lure: a new MacBook. Of these 17, 10 subsequently entered their login credentials on the fake website. Only six employees reported the email as suspicious to the IT department.

That corresponds to a click-through rate of 34 percent and a credential entry rate of 20 percent—at a company that deals with IT security issues on a daily basis.

What this means

The affected employees did not face any further consequences. Instead, GitLab provided links to guidance and training materials. This was the right decision for several reasons: News of punishment spreads quickly throughout the company, creates a negative atmosphere, and leads employees to click on links less frequently out of fear of making mistakes—which lowers productivity without improving security.

The Lesson

Technical expertise does not automatically protect against phishing. Even experts fall for attractive bait if the email is designed professionally enough. Furthermore, a single phishing simulation provides only limited insight: Was the email particularly convincing? Did someone click the wrong link? Was the bait unusually attractive?

Anyone who wants to seriously measure their company’s security awareness level needs multiple simulated emails of increasing difficulty. It is recommended to send three emails over a period of six months. Well-prepared companies ultimately achieve click-through rates below 5 percent.


Case Study 2: Finance Phishing – AI Voices and Fake Letters

What Happened

The financial sector has always been a prime target for phishing attacks—the potential for damage is high, and bank customers are highly sensitive to messages concerning their accounts. However, the methods have changed fundamentally in recent years.

Two particularly effective current attack vectors in the financial sector:

AI-generated voice calls: Cybercriminals use artificial intelligence to generate voice calls that sound deceptively real. The AI analyzes real speech patterns and imitates bank employees. The calls contain urgent requests—such as verifying account details or confirming allegedly unusual transactions. The days when phishing could be recognized by poor pronunciation or a foreign accent are over.

Quishing—fake letters with manipulated QR codes: In addition to voice calls, attackers rely on physical letters containing QR codes. This method, known as quishing, lures recipients to fraudulent websites that look deceptively real and request confidential information such as login credentials or credit card numbers. The insidious part: QR codes appear trustworthy and convenient to many users—a simple scan with a smartphone is enough to fall into the trap.

What this means

Banks generally do not ask for sensitive data over the phone without being asked to call. Anyone who receives a suspicious call should end the conversation immediately and call the bank back using the official number on the website—never a number provided during the call. For QR codes from unknown sources: Do not scan them. If you do, carefully check the displayed URL before entering any data.

The Lesson

Financial phishing has reached a new level of threat. Spelling mistakes as a telltale sign of phishing are a thing of the past. Today, attackers produce professional emails, convincing voices, and deceptively authentic websites. Security awareness must keep pace with this development—mistrust of unsolicited requests is not a sign of paranoia, but of competence.


Case Study 3: Black Friday – Shopping Frenzy as a Vulnerability

What Happened

Black Friday is a golden opportunity for cybercriminals. Millions of people are in the mood to shop at the same time, expect a flood of promotional emails, and act under time pressure. This combination of high email volume, emotional motivation to buy, and time pressure significantly lowers cognitive defenses.

Phishing campaigns on Black Friday specifically exploit several psychological triggers:

Artificial time pressure: Many Black Friday deals are only available for a short time. This stress causes shoppers to click on links without verifying the source. Countdown timers and “Only 3 left” messages amplify this effect.

Professional imitation of well-known brands: Phishing emails and websites are so well-crafted today that they can deceive even the most experienced eyes. Scammers copy the designs, logos, and fonts of well-known retailers with such precision that their messages are nearly indistinguishable from genuine offers. Phrases like “Exclusive Deal” or “Last Chance” tempt many to act without much thought.

Volume as a disguise: Phishing attempts easily get lost among legitimate promotional emails from retailers. People scroll through their inboxes, skim messages, and often no longer check the details.

What this means

Anyone shopping online on Black Friday should consistently ignore unknown senders and access offers directly through the retailer’s website—not via links in emails. A pre-made list of reputable retailers with saved favorites protects against accidentally landing on a fake site.

Secure payment methods like PayPal or virtual credit cards offer additional protection, as fraudsters cannot gain direct access to your bank account in the event of an attack. Public Wi-Fi networks should generally be avoided for shopping.

The Lesson

Seasonal events with high emotional engagement—shopping events, tax refund periods, times of crisis—are regularly peak periods for phishing. Attackers systematically align their campaigns with the calendar. Companies should design their security awareness measures to be timing-sensitive: Training held shortly before Black Friday is more effective than training in February.


Case Study 4: Energy Subsidy as Phishing Bait – Current Events Systematically Exploited

What Happened

This case study illustrates a broader pattern that remains timeless: Attackers use political and social events as bait. The specific example was the energy subsidy—a one-time government payment to offset rising energy costs in Germany.

At least three different phishing campaigns ran in parallel:

Campaign 1 – Gas Price Subsidy Program: Phishing emails claimed to be part of an alleged government subsidy program for reduced gas prices. Linked websites requested names, addresses, credit card numbers, and bank account details. The Federal Network Agency issued an explicit warning about these sites. The stolen data was used to drain bank accounts or misuse credit card information for large-scale purchases.

Campaign 2 – Sparkasse Promises 500 Euros: A second campaign used the Sparkasse logo and brand. Phishing emails promised a 500-euro energy rebate, allegedly to be paid out via Sparkasse—all one had to do was quickly confirm their details. The Sparkasse logo gave the message increased credibility for many recipients and prevented them from critically questioning it.

Campaign 3 – SMS from the Ministry of Finance (smishing): The third variant was sent via SMS—so-called smishing. A purported SMS from the Ministry of Finance announced a refund. The amount listed was intentionally odd—such as 224.25 euros instead of a round sum—to feign legitimacy. A link led to forms requesting personal and financial data.

What this means

Anyone receiving such messages should not open any links or enter any data. No trustworthy government or private-sector institution requests sensitive financial data via email or SMS through opaque URLs. If in doubt: call the alleged sender directly—using an official number you’ve looked up yourself, not one provided in the message.
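The advice above (for the quishing letters in Case Study 2 and the smishing links here) is to check the displayed URL before entering anything. The following added example, which is not code from the article or from AWARE7, shows what such a check looks like when written down: it compares the registered domain against an allowlist of official domains and flags the usual tricks (brand name placed in a subdomain, user info before an "@", bare IP addresses, internationalised hostnames, plain http). The allowlist, the brand words and the sample URLs are constructed for the example.

```python
"""Inspect a URL decoded from a QR code or received by SMS for the signs of a
lookalike site. Added illustration, not code from the article; the
official-domain allowlist, brand words and sample URLs are constructed."""
from urllib.parse import urlparse

# Constructed allowlist: the domains the reader's bank or authority actually uses.
# Assumption: an organisation keeps this list in configuration, not in code.
OFFICIAL_DOMAINS = {"sparkasse.de", "bundesfinanzministerium.de"}

# Constructed brand words that lookalike hosts tend to reuse.
BRAND_WORDS = ("sparkasse", "finanzministerium", "energiepauschale")


def registered_domain(host: str) -> str:
    """'login.sparkasse.de' -> 'sparkasse.de'. Simplification: takes the last two
    labels and ignores multi-label public suffixes such as co.uk; a production
    checker would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url: str) -> "list[str]":
    """Return a list of red flags. An empty list means nothing obvious was found,
    which is not the same as proof that the site is genuine."""
    findings = []
    parsed = urlparse(url.strip())
    host = parsed.hostname or ""

    if parsed.scheme != "https":
        findings.append(f"scheme is '{parsed.scheme}', not https")
    if parsed.username is not None:
        # 'https://sparkasse.de@evil.example/' shows the brand before the real host
        findings.append("user info before '@' hides the real host")
    if not host:
        findings.append("no hostname present")
        return findings
    if host.replace(".", "").isdigit():
        findings.append("host is a bare IP address")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalised hostname; check for homoglyph characters")

    reg = registered_domain(host)
    if reg not in OFFICIAL_DOMAINS:
        findings.append(f"registered domain '{reg}' is not on the official list")
        # 'sparkasse.de.kunden-check.example' puts the brand in a subdomain
        for brand in BRAND_WORDS:
            if brand in host:
                findings.append(f"brand word '{brand}' used in an unofficial host")
                break
    return findings


if __name__ == "__main__":
    for sample in (
        "https://www.sparkasse.de/login",
        "http://sparkasse.de.kunden-check.example/energie",
        "https://sparkasse.de@203.0.113.10/",
    ):
        print(sample, "->", inspect_url(sample) or "no red flags")
```

The check deliberately errs on the side of flagging: an empty result only says the registered domain is one the reader already trusts, which is exactly the "official number you looked up yourself" principle applied to URLs.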

The Lesson

The pattern behind this case study is independent of the specific energy subsidy and repeats itself with every publicly relevant event: pandemic relief payments, tax refunds, government subsidy programs, crises. Attackers often react to current events faster than security authorities can issue warnings. Companies and individuals must learn to ask themselves with every unsolicited message: “Why is this coming now, and why through this channel?”


Common Patterns: What All Four Cases Have in Common

Even though the four case studies have very different contexts, they share the same basic patterns:

Emotional Hook: Every successful phishing campaign appeals to a strong emotion—joy at winning a MacBook, fear of account misuse, shopping frenzy on Black Friday, hope for government relief. People who react emotionally are less likely to think critically.

Time Pressure: Almost all phishing messages create artificial pressure. “Act now,” “Today only,” “Your account will be blocked.” Time pressure shuts down rational decision-making processes.

Trustworthy Senders: Attackers impersonate well-known brands, government institutions, or the victim’s own IT department. The savings bank logo, the bank employee on the phone, the official government text message—familiarity lowers the barrier to clicking.

Professional presentation: The quality of phishing emails and websites has increased dramatically. Spelling mistakes and poor graphics are no longer reliable indicators of a scam. AI helps attackers create deceptively authentic content in any language.

Multiple parallel campaigns: The energy subsidy example shows that attackers often run several variants simultaneously when targeting a lucrative topic. Knowing one attack vector does not automatically protect you from the others.


What Companies Can Do Specifically

The lessons from the four case studies can be translated into concrete measures:

Conduct phishing simulations regularly: A single simulation provides little meaningful data. A program involving three emails of increasing difficulty over six months reliably measures the level of awareness and shows whether training measures are effective. Well-prepared companies achieve click-through rates below 5 percent. A professional phishing simulation reveals where the actual vulnerabilities lie within the company.

Avoid punishment: GitLab’s approach is exemplary. Employees who fall for simulated phishing emails receive guidance and training materials—no consequences. Punishment creates fear and lowers productivity without increasing security.

Establish and practice reporting channels: Only six out of 50 GitLab employees reported the suspicious email. A clear, simple reporting channel—for example, a button in the email client or a dedicated address—increases this rate. Reports should be acknowledged promptly so employees know their report has been received.
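Both the recommendation of three simulation waves over six months (Case Study 1 and the first measure above) and the reporting-rate point just made need the same bookkeeping: per wave, how many unique recipients clicked, entered credentials, or reported. The following added example, not code from the article or from AWARE7, aggregates a constructed event log into those rates and evaluates the two outcomes the text cares about, whether the last wave is below the 5 percent target and whether the click rate falls from wave to wave. Wave 1 reuses GitLab's published proportions (17 of 50 clicked, 10 submitted, 6 reported); waves 2 and 3 and the employee ids are invented.

```python
"""Aggregate a multi-wave phishing simulation into click, credential-entry and
report rates. Added illustration; the event log below is constructed, not
GitLab's or AWARE7's data."""
from collections import defaultdict
from dataclasses import dataclass

TARGET_CLICK_RATE = 5.0  # percent; the article's benchmark for a well-prepared company


@dataclass(frozen=True)
class Event:
    wave: int        # simulation wave 1..3, increasing difficulty
    employee: str    # pseudonymous id
    action: str      # "sent", "clicked", "submitted" or "reported"


def make_wave(wave, recipients, clicked, submitted, reported):
    """Build a constructed event log for one wave. Submitters are a subset of
    clickers; reporters are taken from the other end of the list."""
    ids = [f"e{i:02d}" for i in range(1, recipients + 1)]
    events = [Event(wave, e, "sent") for e in ids]
    events += [Event(wave, e, "clicked") for e in ids[:clicked]]
    events += [Event(wave, e, "submitted") for e in ids[:submitted]]
    events += [Event(wave, e, "reported") for e in ids[len(ids) - reported:]]
    return events


# Constructed log: wave 1 mirrors the GitLab proportions, waves 2 and 3 are invented.
EVENTS = (
    make_wave(1, 50, 17, 10, 6)
    + [Event(1, "e01", "clicked")]   # e01 clicked twice: must count once
    + make_wave(2, 50, 6, 2, 15)
    + make_wave(3, 50, 2, 0, 24)
)


def wave_metrics(events, wave):
    """Unique-employee counts and percentages for one wave."""
    by_action = defaultdict(set)
    for ev in events:
        if ev.wave == wave:
            by_action[ev.action].add(ev.employee)
    recipients = len(by_action["sent"])
    # Entering credentials implies the page was visited, even without a click event.
    clicked = by_action["clicked"] | by_action["submitted"]
    submitted = by_action["submitted"]
    reported = by_action["reported"]

    def pct(group):
        return round(100 * len(group) / recipients, 1) if recipients else 0.0

    return {
        "wave": wave, "recipients": recipients,
        "clicked": len(clicked), "submitted": len(submitted), "reported": len(reported),
        "click_rate": pct(clicked), "submit_rate": pct(submitted), "report_rate": pct(reported),
    }


def programme_summary(events):
    """Per-wave metrics plus the two questions the programme is meant to answer."""
    waves = sorted({ev.wave for ev in events})
    per_wave = [wave_metrics(events, w) for w in waves]
    rates = [m["click_rate"] for m in per_wave]
    return {
        "waves": per_wave,
        "final_click_rate": rates[-1],
        "meets_target": rates[-1] < TARGET_CLICK_RATE,
        "improving": all(a > b for a, b in zip(rates, rates[1:])),
    }


if __name__ == "__main__":
    summary = programme_summary(EVENTS)
    for m in summary["waves"]:
        print(f"wave {m['wave']}: click {m['click_rate']}%  "
              f"credentials {m['submit_rate']}%  reported {m['report_rate']}%")
    print("meets target:", summary["meets_target"], "| improving:", summary["improving"])
```

Counting unique employees rather than raw events matters: a single curious employee who opens a link several times would otherwise inflate the click rate, and a credential entry without a logged click would go missing from the click count.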

Consistently use two-factor authentication: Even if login credentials are stolen in a phishing attack, 2FA prevents attackers from accessing accounts with them. This is one of the most effective technical safeguards.

Schedule training sessions accordingly: Seasonal peaks—Black Friday, tax season, government payments, current crises—are peak times for phishing. Security awareness training should be scheduled so that employees are made aware of the risks shortly before these periods.

Cultivate critical thinking: The most important protective measure is cultural in nature: employees must feel confident to pause and verify suspicious messages. This requires a corporate culture in which skepticism toward unexpected requests is viewed as a skill—not as mistrust.

Implement technical safeguards: Anti-phishing software and browser extensions detect many known phishing websites before employees open them. Email security solutions filter out suspicious messages. These measures do not replace awareness training, but they significantly reduce the attack surface.


Phishing remains the most effective entry point for cyberattacks—because it targets people, not technology. The four case studies show that neither technical expertise nor vigilance alone is sufficient. Systematic preparation, regular practice, and an open security culture are the foundation for effective protection.

About the Author

Chris Wojzechowski

Managing Partner

Managing Partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the master's programme in Internet Security at the Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.

10 publications
  • Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
  • Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
  • IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
  • Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
  • Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
  • Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
  • Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
  • IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
  • Sicherheitsforum Online-Banking — Live Hacking (2021)
  • Nipster im Netz und das Ende der Kreidezeit (2017)