PROBABLYPWNED
Security Guides · February 2, 2026 · 7 min read

What Is Phishing? Types of Attacks and How to Spot Them

Learn what phishing is, the different types of phishing attacks (email, SMS, voice), red flags to watch for, and how to protect yourself from scams.

Emily Park

Phishing is a type of cyberattack where criminals impersonate trusted entities to trick you into revealing sensitive information. The attacker might pretend to be your bank, your employer, or a well-known company like Microsoft or Amazon. Their goal is to steal passwords, credit card numbers, or other data they can use for fraud or identity theft.

Cybercriminals send an estimated 3.4 billion phishing emails every day. That makes phishing the most common form of cybercrime, and the numbers are climbing. The Anti-Phishing Working Group recorded over 1.1 million phishing attacks in Q2 2025 alone, a 13% jump from the previous quarter.

TL;DR

  • What it is: Phishing uses fake messages to trick you into sharing passwords, payment info, or personal data
  • Why it matters: The average phishing breach costs organizations $4.88 million
  • Key takeaway: Verify sender identity before clicking links or sharing information

How Phishing Works

A phishing attack typically follows a simple pattern. The attacker sends a message that appears legitimate, often mimicking a company's branding, tone, and email format. The message creates urgency, claiming your account is locked, your payment failed, or you need to verify your identity immediately.

The message includes a link to a fake website designed to look like the real thing. When you enter your login credentials or payment information, the attacker captures it. Some phishing messages skip the fake website entirely and attach malware directly, infecting your device when you open the file.

This same approach drives more sophisticated attacks like business email compromise campaigns that targeted energy sector companies with adversary-in-the-middle techniques.

Types of Phishing Attacks

Email Phishing

The original and still the most common form. Attackers send mass emails that copy the format and branding of legitimate companies. They might claim to be from PayPal, your bank, or a delivery service. The email urges you to click a link to fix some made-up problem.

A recent campaign used Google Cloud Application Integration to send phishing emails to over 3,200 organizations, exploiting legitimate infrastructure to bypass security filters.

Spear Phishing

Unlike mass email phishing, spear phishing targets specific individuals. Attackers research victims online, checking LinkedIn profiles and company websites to craft personalized messages. They might reference your job title, recent projects, or colleagues by name. About 65% of attackers prefer spear phishing because targeted messages are far more effective.

When spear phishing targets executives or high-value individuals, it's called whaling. These attacks often impersonate board members or business partners to authorize fraudulent wire transfers.

Business Email Compromise (BEC)

BEC attacks go beyond impersonation. Attackers either compromise actual business email accounts or create convincing lookalikes to request wire transfers, W-2 forms, or other sensitive data. BEC losses reached $2.7 billion in reported incidents. In one type of BEC attack, criminals hijack email threads and insert themselves into ongoing conversations, making detection extremely difficult.

Smishing (SMS Phishing)

Phishing via text message. You receive an SMS claiming to be from your bank, a delivery service, or the IRS. The message creates urgency and includes a link. Smishing now accounts for 39% of mobile threats, and attacks on mobile devices increased 25-40% compared to desktops in 2024.

Common smishing lures include fake delivery notifications, claims that your account is suspended, or warnings about unauthorized charges.

Vishing (Voice Phishing)

Phishing over the phone. Scammers use spoofed caller IDs to appear as legitimate businesses or government agencies. They create panic with claims of legal problems, unpaid taxes, or compromised accounts. Voice phishing incidents jumped 442% between early and late 2024.

The threat has escalated with AI voice cloning. Attackers can now replicate a manager's voice from public recordings or presentations, making calls that sound exactly like someone you know. We've covered how groups like ShinyHunters used vishing to bypass Okta SSO protections, demonstrating the technique's effectiveness against enterprise security.

Quishing (QR Code Phishing)

Malicious QR codes in emails, printed materials, or public places lead to phishing sites. Some attackers place fake QR codes over legitimate ones, like payment codes on parking meters. Quishing is particularly dangerous because users can't preview where the QR code leads before scanning.

Red Flags to Watch For

Suspicious sender addresses: Check the actual email address, not just the display name. Look for misspellings like "micros0ft.com" or domains that don't match the company (a bank sending from a Gmail address).

Urgency and threats: "Act now or your account will be closed." "Respond within 24 hours to avoid legal action." Legitimate companies don't typically threaten you via email.

Generic greetings: "Dear Customer" or "Dear Account Holder" instead of your name. Real companies usually know who you are.

Suspicious links: Hover over links before clicking to see the actual URL. If it doesn't match the company's real website, don't click.

Requests for sensitive information: No legitimate company will ask for your password, Social Security number, or full credit card number via email.

Grammar and spelling errors: Professional organizations proofread their communications. Multiple errors suggest a scam.

Unexpected attachments: Be especially wary of .exe, .zip, or documents asking you to enable macros.
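As an added illustration of the "suspicious sender addresses" and "suspicious links" red flags above (example code written for this guide, not a tool from ProbablyPwned), the Python below checks a From: header for a display name that claims a brand while the real address uses a lookalike domain such as micros0ft.com or a free-mail domain, and checks HTML links for text that shows one domain while the href points to another. The brand list, free-mail list and sample message are constructed assumptions, and the registrable-domain helper is a deliberate simplification with no public-suffix list.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the article names, with the domain each really sends from (assumption: illustrative list).
KNOWN_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com", "amazon": "amazon.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # a bank or vendor should not mail from these
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # swaps behind "micros0ft.com"
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

# Constructed sample message, not taken from any real campaign.
SAMPLE_FROM = "Microsoft Account Team <alerts@micros0ft.com>"
SAMPLE_HTML = '<a href="http://verify-login.example.net/ms">https://account.microsoft.com/recover</a>'


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption: no public-suffix list needed here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(domain: str) -> str:
    """Undo homoglyph tricks so 'micros0ft.com' or 'rnicrosoft.com' compares equal to the real domain."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def check_sender(from_header: str) -> list[str]:
    """Red flag: the display name claims a brand, but the actual address domain does not belong to it."""
    name, addr = parseaddr(from_header)
    domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    flags = []
    for brand, real in KNOWN_BRANDS.items():
        if brand in name.lower() and domain != real:
            if normalize(domain) == real:
                flags.append(f"lookalike domain {domain} impersonates {real}")
            else:
                flags.append(f"display name mentions {brand} but address is at {domain}")
    if domain in FREEMAIL and any(w in name.lower() for w in ("bank", "support", "security")):
        flags.append(f"corporate-looking sender using free-mail domain {domain}")
    return flags


def check_links(html: str) -> list[str]:
    """Red flag: link text shows one domain while the href (what hovering reveals) points elsewhere."""
    flags = []
    for href, text in ANCHOR_RE.findall(html):
        target = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        if shown and registrable(shown.group(0)) != target:
            flags.append(f"link text shows {shown.group(0)} but points to {target}")
    return flags
```

Running `check_sender(SAMPLE_FROM)` and `check_links(SAMPLE_HTML)` on the constructed sample reports the lookalike sender domain and the mismatched link; a genuine message from the brand's real domain with plain link text produces no flags.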

How to Protect Yourself

Verify before acting. If an email or text asks you to click a link or call a number, go directly to the company's website by typing the address yourself. Or call using a number you know is legitimate, not one from the suspicious message.

Enable multi-factor authentication (MFA). Even if attackers steal your password, MFA blocks 99.9% of automated account compromise attempts. Use authenticator apps rather than SMS when possible.

Keep software updated. Security updates patch vulnerabilities that attackers exploit. Enable automatic updates on your devices.

Use security software. Modern antivirus and anti-phishing tools can detect and block many threats before they reach you.

Report phishing attempts. Forward phishing emails to [email protected]. Forward phishing text messages to 7726 (SPAM). Reporting helps security researchers track and disrupt campaigns.

What to Do If You've Been Phished

If you clicked a link or entered credentials on a suspicious site:

  1. Change your passwords immediately, starting with the compromised account
  2. Enable MFA on all accounts if you haven't already
  3. Check for unauthorized activity in your accounts
  4. Run a full antivirus scan on your device
  5. Report the incident to your IT department if it involved work accounts
  6. Consider a credit freeze if financial information was exposed

For guidance on recovering from a security incident, check our ransomware guide which covers response procedures that apply to various types of compromise.

The AI Phishing Threat

AI has transformed phishing. By early 2025, over 80% of phishing content was AI-generated or AI-assisted. Attackers use AI to write flawless, personalized emails in seconds, eliminating the spelling errors that once made phishing obvious.

AI also powers voice cloning for vishing attacks and generates deepfake video for executive impersonation. Some security researchers predict the time from initial phishing email to full organizational compromise will shrink to under one hour as AI accelerates every phase of attacks.

The defensive side is using AI too, but the barrier to entry is much lower for attackers. Phishing-as-a-service platforms now offer AI-powered personalization engines that scrape social media to tailor messages, no technical skills required.

Frequently Asked Questions

How can I tell if an email is really from my bank?

Banks will never ask you to verify sensitive information via email. If an email claims to be from your bank, don't click any links. Instead, log into your account directly through the bank's official app or website, or call the number on your card.

What's the difference between phishing and spam?

Spam is unsolicited bulk email, often advertising products or services. Phishing is a targeted attack designed to steal information or install malware. Spam is annoying; phishing is dangerous. An email can be both.

Should I click unsubscribe on suspicious emails?

No. Clicking "unsubscribe" confirms your email address is active and monitored, leading to more attacks. Delete the email or report it as phishing instead.

For more tips on staying safe online, explore our security guides and keep up with the latest threats in our hacking news coverage.
