What Is Phishing? Types, Examples, and How to Protect Yourself in 2026
Category: Guides
By EthicalHacking.ai
## What Is Phishing?
Phishing is a cyber attack where attackers send fraudulent messages designed to trick people into revealing sensitive information, clicking malicious links, or downloading malware. The term comes from the analogy of fishing — attackers cast a wide net of fake messages hoping victims will take the bait.
Phishing is the most common cyber attack in the world. Over 3.4 billion phishing emails are sent every single day. It is the starting point for over 90% of successful data breaches and the primary delivery method for [ransomware](https://ethicalhacking.ai/blog/what-is-ransomware). Every organization, regardless of size, industry, or security budget, faces phishing attacks daily.
What makes phishing so dangerous is its simplicity. Attackers do not need to find software vulnerabilities or bypass firewalls. They just need one person to click one link. This is why phishing is classified as a [social engineering](https://ethicalhacking.ai/blog/what-is-social-engineering) attack — it exploits human psychology rather than technical weaknesses.
## How Phishing Works
A phishing attack typically follows a straightforward process. The attacker creates a fake message that mimics a trusted source — a bank, employer, tech company, government agency, or colleague. The message contains either a malicious link leading to a fake login page designed to steal credentials, a malicious attachment containing malware, or a request for sensitive information like passwords, credit card numbers, or social security numbers.
The fake message creates urgency or fear to pressure the victim into acting quickly without thinking. Common pretexts include "Your account has been compromised, please verify your identity", "Your package could not be delivered, click here to reschedule", "Your invoice is overdue, immediate payment required", and "Unusual login detected on your account".
When the victim clicks the link, they land on a website that looks identical to the real one. They enter their credentials, which go directly to the attacker. Within minutes the attacker uses those credentials to access the real account, steal data, or launch further attacks inside the organization.
## Types of Phishing Attacks
### Email Phishing
Standard email phishing casts a wide net, sending the same fraudulent email to thousands or millions of recipients. These emails impersonate well-known brands like Microsoft, Google, Amazon, Netflix, banks, and shipping companies. The attacker only needs a tiny percentage of recipients to fall for it to make the campaign profitable. Modern phishing emails are highly sophisticated — they use real company logos, matching color schemes, legitimate-looking sender addresses, and convincing copy.
### Spear Phishing
Spear phishing targets specific individuals using personal information gathered from LinkedIn, social media, company websites, and data breaches. Instead of a generic message, a spear phishing email references the victim by name, mentions their company and job title, and may reference real projects or colleagues. Spear phishing has a much higher success rate than generic phishing because it appears personally relevant and legitimate.
### Whaling
Whaling targets senior executives — CEOs, CFOs, board members, and other high-value individuals. These attacks are heavily researched and customized, often involving fake legal notices, board meeting invitations, or financial requests. Because executives have broad access to systems and authority to approve transactions, a successful whaling attack can be devastating.
### Clone Phishing
Clone phishing takes a legitimate email the victim previously received — a real invoice, a real shipping notification, a real meeting invite — and creates an almost identical copy with the links or attachments replaced with malicious versions. Because the victim recognizes the email format and context, they are far more likely to trust it.
### Smishing
Smishing delivers phishing via SMS text messages. Common smishing attacks impersonate banks with fraud alerts, shipping companies with delivery notifications, tax authorities with refund notices, and two-factor authentication systems requesting codes. The shorter format of text messages makes it harder to spot red flags, and people tend to trust text messages more than emails.
### Vishing
Vishing uses phone calls to extract information or manipulate victims. Attackers impersonate tech support, bank fraud departments, government agencies, or company IT helpdesks. AI-powered voice cloning in 2026 has made vishing dramatically more dangerous — attackers can clone a voice from seconds of audio and use it to impersonate executives or family members.
### Angler Phishing
Angler phishing targets people through social media. Attackers create fake customer support accounts on Twitter, Facebook, and Instagram that look like real company accounts. When users complain about a service publicly, the fake support account reaches out offering help and directs them to phishing sites or requests account credentials.
### QR Code Phishing (Quishing)
Quishing uses QR codes to direct victims to phishing sites. Attackers place malicious QR codes on physical flyers, fake parking tickets, restaurant menus, or in emails. Because QR codes obscure the destination URL, victims cannot see where they are being directed before scanning.
## How to Recognize Phishing
Learning to spot phishing is the most important cybersecurity skill for every person, not just security professionals. Here are the red flags.
**Sender address mismatch.** The display name says "Microsoft Support" but the actual email address is support@micr0soft-security.com. Always check the full sender address, not just the display name. Legitimate companies send from their official domains.
**Generic greetings.** "Dear Customer" or "Dear User" instead of your actual name often indicates mass phishing. However, spear phishing will use your real name, so this alone is not a reliable indicator.
**Urgency and threats.** "Your account will be suspended in 24 hours", "Immediate action required", or "Failure to respond will result in legal action". Legitimate organizations rarely create extreme time pressure via email.
**Suspicious links.** Hover over any link before clicking to see the actual URL. Look for misspellings like paypa1.com instead of paypal.com, extra subdomains like login.microsoft.com.attacker-site.com, and unfamiliar domains. On mobile, press and hold the link to preview the URL.
**Unexpected attachments.** Be extremely cautious with attachments you did not expect, especially ZIP files, Office documents with macros, and PDF files from unknown senders. These are common malware delivery methods.
**Poor grammar and formatting.** While AI-generated phishing emails in 2026 have largely eliminated obvious spelling errors, inconsistent formatting, unusual fonts, and misaligned logos still appear in many campaigns.
**Too good to be true.** "You have won a prize", "You have been selected for a refund", or "Free gift card" offers are almost always phishing or scams.
**Requests for sensitive information.** No legitimate company will ask for your password, full credit card number, or social security number via email. Ever.
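The sender-mismatch and suspicious-link checks described above can be automated, which is roughly what a mail gateway or browser extension does behind the scenes. The Python below is an added example written for this page, not code from EthicalHacking.ai: the `TRUSTED_DOMAINS` table, the homoglyph map and the sample message are constructed, and `registrable_domain()` is a deliberate simplification that takes the last two DNS labels and therefore mishandles multi-label public suffixes such as `co.uk`.

```python
"""Checks for two of the red flags above: a display name that claims a brand
while the address comes from another domain, and links whose hostname is a
lookalike of, or merely contains, a trusted domain. Added example, not code
from the article; TRUSTED_DOMAINS and the sample inputs are constructed."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand -> legitimate domains table. A real deployment would load this
# from the organization's own allow-list; these entries are illustrative.
TRUSTED_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com"},
    "paypal": {"paypal.com"},
}

# Digit-for-letter substitutions seen in lookalike names (micr0soft, paypa1).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(hostname: str) -> str:
    """Last two DNS labels. Simplification: multi-label public suffixes such
    as co.uk are not handled, so treat the result as a heuristic."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(from_header: str) -> list[str]:
    """Flag a display name claiming a brand whose address domain differs."""
    findings = []
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in display.lower() and registrable_domain(domain) not in domains:
            findings.append(f"sender mismatch: '{display}' but address domain is {domain}")
    return findings


def check_link(url: str) -> list[str]:
    """Flag hostnames that embed a trusted domain as an inner label, or that
    turn into a trusted name once homoglyph digits are reversed."""
    findings = []
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    label = reg.split(".")[0].translate(HOMOGLYPHS)
    for brand, domains in TRUSTED_DOMAINS.items():
        if reg in domains:
            continue  # genuine domain, or one of its real subdomains
        if any(d in host for d in domains):
            findings.append(f"embedded brand: {host} actually resolves under {reg}")
        if any(d.split(".")[0] in label for d in domains):
            findings.append(f"lookalike domain: {reg} resembles {brand}")
    return findings


def red_flags(from_header: str, urls: list[str]) -> list[str]:
    """Combine both checks for one message."""
    flags = check_sender(from_header)
    for url in urls:
        flags.extend(check_link(url))
    return flags


if __name__ == "__main__":
    # Constructed sample message reusing the lookalike examples from the text.
    sample_from = '"Microsoft Support" <support@micr0soft-security.com>'
    sample_urls = [
        "https://login.microsoft.com.attacker-site.com/signin",
        "https://paypa1.com/verify",
        "https://www.microsoft.com/account",
    ]
    for flag in red_flags(sample_from, sample_urls):
        print(flag)
```

Running the script prints three findings (the sender mismatch, the embedded `microsoft.com` label, and the `paypa1.com` lookalike) and nothing for the genuine `www.microsoft.com` link. The same domain comparison is what lets a password manager refuse to autofill on a lookalike site: it matches the registrable domain, not the visible branding.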
## Real-World Phishing Examples
**Google Docs phishing 2017.** Attackers sent emails appearing to come from known contacts inviting victims to edit a Google Doc. Clicking the link led to a real Google OAuth page requesting permission for a malicious app disguised as Google Docs. The attack spread virally as compromised accounts automatically sent the same phishing email to all their contacts.
**Office 365 credential harvesting.** One of the most persistent phishing campaigns targets Microsoft 365 users with fake sign-in pages. Emails claim your password is expiring, you have a new voicemail, or a shared document is waiting. The fake login page is nearly indistinguishable from the real Microsoft login. These campaigns account for a significant portion of all phishing attacks because Microsoft 365 credentials provide access to email, files, Teams, and corporate resources.
**COVID-19 phishing 2020-2021.** Attackers exploited pandemic fear with phishing emails impersonating the WHO, CDC, and local health authorities. Messages offered fake vaccine appointments, stimulus check information, and COVID test results. This demonstrated how attackers exploit current events and public fear.
**MGM Resorts 2023.** The attack that cost MGM over $100 million started with attackers finding an employee on LinkedIn, calling the IT helpdesk, and impersonating that employee to get credentials reset. This shows how phishing and [social engineering](https://ethicalhacking.ai/blog/what-is-social-engineering) combine in sophisticated attacks.
## How to Protect Against Phishing
### For Individuals
**Enable multi-factor authentication on every account.** MFA is the single most effective defense against phishing. Even if an attacker steals your password, they cannot access your account without the second factor. Use an authenticator app like Google Authenticator or Authy rather than SMS, which can be intercepted through SIM swapping.
**Use a password manager.** Password managers only autofill credentials on the correct domain. If you land on a phishing site at micr0soft-security.com, your password manager will not offer to fill in your Microsoft credentials because the domain does not match. This provides automatic phishing detection. See the password manager tools in our [tool directory](https://ethicalhacking.ai/tools).
**Verify through separate channels.** If you receive a suspicious email from your bank, do not click the link. Open a new browser tab and navigate directly to your bank website or call the number on the back of your card. If a colleague sends an unusual request, verify by calling or messaging them directly.
**Keep software updated.** Browser updates include new phishing site blocklists and security features. Operating system and email client updates patch vulnerabilities that phishing attachments exploit.
**Report phishing.** Report phishing emails to your IT department, forward them to reportphishing@apwg.org, and use the report phishing button in Gmail or Outlook. Reporting helps protect others by getting phishing sites taken down faster.
### For Organizations
**Deploy email security tools.** Enterprise [email security platforms](https://ethicalhacking.ai/blog/best-email-security-tools-2026) provide AI-powered phishing detection, URL sandboxing that detonates links in a safe environment, attachment sandboxing that executes files in isolation, DMARC, DKIM, and SPF authentication to prevent domain spoofing, and real-time link rewriting that checks URLs at click time, not just at delivery time.
**Run phishing simulations.** Regular simulated phishing campaigns test employee awareness and identify who needs additional training. Start with obvious phishing and gradually increase sophistication. Track metrics like click rates, credential submission rates, and reporting rates over time. Tools like KnowBe4 and Cofense specialize in this.
**Implement DMARC.** Domain-based Message Authentication, Reporting and Conformance prevents attackers from spoofing your organization's domain in phishing emails sent to your customers, partners, and employees. Start with DMARC in monitoring mode, then move to a reject policy.
**Security awareness training.** Train employees to recognize and report phishing. Focus on practical skills rather than compliance checkboxes. The most effective training happens immediately after an employee falls for a simulated phish — the teachable moment creates lasting behavioral change.
**Monitor with SIEM.** [SIEM platforms](https://ethicalhacking.ai/blog/best-siem-tools-2026) can correlate email security alerts with endpoint and network activity to detect when phishing leads to compromise. Automated playbooks can isolate affected endpoints and reset credentials within minutes of detection.
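The correlation described above, a phishing click followed by a sign-in the user would not normally make, is a common SIEM rule. The Python below is an added example written for this page, not code from the article or from any SIEM product: the JSON log lines, the known-IP baseline and the 60-minute window are all constructed for illustration, and the playbook steps are the two the text names.

```python
"""Correlate an email-gateway 'phishing URL clicked' alert with a later
successful sign-in from an unfamiliar IP by the same user. Added example,
not code from the article or any SIEM; all log lines and the known-IP
baseline below are constructed."""
import json
from datetime import datetime, timedelta

# Constructed email security alerts, one JSON object per line.
EMAIL_ALERTS = """
{"ts": "2026-03-02T09:14:05Z", "event": "url_click", "user": "alice@example.com", "url": "https://login.microsoft.com.attacker-site.com/", "verdict": "phish"}
{"ts": "2026-03-02T09:40:12Z", "event": "url_click", "user": "bob@example.com", "url": "https://paypa1.com/", "verdict": "phish"}
{"ts": "2026-03-02T10:02:30Z", "event": "url_click", "user": "carol@example.com", "url": "https://www.microsoft.com/", "verdict": "clean"}
"""

# Constructed identity-provider sign-in events.
SIGNIN_LOGS = """
{"ts": "2026-03-02T08:05:00Z", "event": "signin", "user": "alice@example.com", "ip": "198.51.100.7", "result": "success", "mfa": true}
{"ts": "2026-03-02T09:21:44Z", "event": "signin", "user": "alice@example.com", "ip": "203.0.113.45", "result": "success", "mfa": false}
{"ts": "2026-03-02T13:00:00Z", "event": "signin", "user": "bob@example.com", "ip": "203.0.113.99", "result": "success", "mfa": false}
"""

# Assumed baseline of IPs each user normally signs in from.
KNOWN_IPS = {"alice@example.com": {"198.51.100.7"}, "bob@example.com": {"198.51.100.8"}}


def parse_jsonl(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def event_time(event: dict) -> datetime:
    """Parse the ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def correlate(alerts: list[dict], signins: list[dict], window_minutes: int = 60) -> list[dict]:
    """Pair each phish click with a successful sign-in by the same user from an
    unknown IP within `window_minutes` after the click; each pair is an incident."""
    window = timedelta(minutes=window_minutes)
    incidents = []
    for alert in alerts:
        if alert.get("verdict") != "phish":
            continue
        clicked = event_time(alert)
        for signin in signins:
            if signin["user"] != alert["user"] or signin["result"] != "success":
                continue
            delta = event_time(signin) - clicked
            if not (timedelta(0) <= delta <= window):
                continue  # before the click, or too long after it
            if signin["ip"] in KNOWN_IPS.get(signin["user"], set()):
                continue  # familiar IP, not suspicious on its own
            incidents.append({
                "user": alert["user"],
                "clicked_at": alert["ts"],
                "signin_at": signin["ts"],
                "source_ip": signin["ip"],
                "mfa_used": signin["mfa"],
                # Response steps the text names; a SOAR playbook would run them.
                "playbook": ["isolate affected endpoint", "reset credentials"],
            })
    return incidents


if __name__ == "__main__":
    for incident in correlate(parse_jsonl(EMAIL_ALERTS), parse_jsonl(SIGNIN_LOGS)):
        print(json.dumps(incident, indent=2))
```

On the constructed data only alice's click produces an incident: her 09:21 sign-in from an unknown IP without MFA lands seven minutes after the click, whereas bob's next sign-in is hours later and carol's click was on a clean URL. Tightening `window_minutes` trades missed slow follow-ups for fewer false pairings, which is the tuning knob a SOC would adjust against its own data.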
## Phishing in Penetration Testing
Phishing assessments are a core part of professional [penetration testing](https://ethicalhacking.ai/blog/what-is-penetration-testing-beginners-guide) and red team engagements. Security teams use tools like Gophish, the Social Engineering Toolkit in [Kali Linux](https://ethicalhacking.ai/tools/kali-linux), and custom phishing infrastructure to test organizational defenses.
A professional phishing assessment measures employee click and credential submission rates, effectiveness of email security controls, incident reporting speed and accuracy, and organizational risk from social engineering. These assessments provide concrete data for improving security awareness programs and email security configurations.
## Frequently Asked Questions
**What is the difference between phishing and spam?** Spam is unwanted bulk email, usually commercial advertising. Phishing is specifically designed to steal information or deliver malware by impersonating trusted entities. All phishing is unwanted, but not all spam is phishing.
**Can phishing emails contain malware without clicking anything?** In rare cases, yes. Some email clients have had vulnerabilities where simply previewing an email could execute malicious code. However, this is uncommon with modern updated email clients. The vast majority of phishing requires the victim to click a link or open an attachment.
**What should I do if I clicked a phishing link?** Immediately change the password for any account whose credentials you may have entered. Enable MFA if not already active. Run a malware scan on your device. Monitor your accounts for suspicious activity. Report the incident to your IT team. If you entered financial information, contact your bank immediately.
**Is phishing illegal?** Yes. Phishing is illegal under computer fraud, wire fraud, and identity theft laws in virtually every jurisdiction. Penalties include significant fines and imprisonment. However, authorized phishing simulations conducted by [ethical hackers](https://ethicalhacking.ai/blog/what-is-ethical-hacking) with written consent are legal and encouraged.