What Are Phishing Attacks? Types, Tactics, and How to Defend

What are phishing attacks? Phishing attacks are social-engineering scams in which an attacker impersonates a trusted entity (a bank, employer, vendor, government agency, or colleague) to trick a victim into surrendering credentials, money, or sensitive information. Phishing accounts for the majority of breach incident root causes reported by Verizon’s annual Data Breach Investigations Report year after year. For businesses of any size, phishing is the most common attack vector and the one most worth defending against systematically.

This post covers the main types of phishing attacks, the tactics attackers use, why phishing works despite decades of awareness training, and the practical defenses that meaningfully reduce risk. For broader security context, see our piece on Zero Trust security and our coverage of social engineering attacks more broadly.

The main types of phishing attacks

Phishing comes in several recognized forms, distinguished by channel and target specificity:

  • Email phishing: the classic form. Mass-distributed emails impersonating banks, retailers, shippers, government agencies. The email contains a link to a fake site that captures credentials or an attachment that delivers malware. Volume-based; the attacker hopes some fraction of recipients fall for it.
  • Spear phishing: targeted to a specific person or small group. The attacker researches the target and crafts a message specific to them: a fake email from the CEO to the CFO, or from a vendor the target actually works with. Higher success rate than mass phishing because the message looks legitimate.
  • Whaling: spear phishing aimed specifically at executives or other high-value targets. The “whale” is the high-value catch. Particularly common in business email compromise (BEC) attacks where the goal is fraudulent wire transfers.
  • Smishing: SMS-based phishing. Text messages impersonating banks, package delivery services, government agencies. Often more effective than email phishing because users trust SMS more and the abbreviated format hides suspicious details.
  • Vishing: voice phishing. Phone calls impersonating IT support, banks, government agencies. Often combined with SMS or email to seem more legitimate. Voice deepfakes are an emerging concern.
  • Clone phishing: a legitimate email previously sent to the victim is copied and modified to include a malicious link or attachment. The familiarity of the original message reduces the recipient’s suspicion.
  • Business email compromise (BEC): the most financially damaging category. An attacker impersonates a senior executive or trusted vendor and tricks an employee into making a fraudulent wire transfer or changing payment information. BEC losses run into billions of dollars annually per FBI IC3 annual reporting.

The variety reflects an attacker innovation cycle: as one channel gets defended, attackers shift to others. A complete defense addresses all channels, not just email.

Why phishing works despite decades of awareness

Three reasons phishing remains effective:

  • Cognitive load and busy users: most users process email under time pressure. The attacker’s job is to trigger a reaction (urgency, authority, fear, curiosity) before the user pauses to evaluate the message. Pause-and-evaluate is the defense; busy-and-react is what attackers exploit.
  • Brand impersonation at scale: legitimate brands send transactional emails routinely (shipping notifications, account alerts, security warnings). Attackers mimic these patterns closely enough that distinguishing them from genuine messages requires effort the recipient often does not invest.
  • Authentication still optional in many contexts: businesses that have not deployed phishing-resistant MFA, email authentication (SPF, DKIM, DMARC), and verification protocols for high-value transactions are easier targets. Awareness training alone does not compensate for missing technical controls.

The pattern: phishing success is a technical-controls problem and a process problem more than an awareness problem. Awareness training helps but plateaus quickly; technical controls and process discipline produce sustained improvement.

How attackers craft convincing phishing

Modern phishing emails are sophisticated. The tactics that distinguish effective phishing from obvious spam:

  • Domain spoofing or look-alike domains: the from-address uses a domain that looks like the legitimate brand at a glance (paypa1.com instead of paypal.com, microsoft-support.co instead of microsoft.com).
  • Authentic-looking design: copied logos, fonts, and layouts that match the legitimate brand’s emails. Often pulled directly from real templates.
  • Urgent calls to action: “your account will be suspended in 24 hours unless you verify.” The urgency overrides the recipient’s instinct to verify before acting.
  • Plausible context: a phishing email about a package delivery during a known delivery period. A fake invoice during a known billing cycle. Context-aware attacks succeed more than generic ones.
  • Multi-step social engineering: phishing emails followed by phone calls, or SMS reinforcement. The combination feels more legitimate than any single channel.
  • Compromised legitimate accounts: an attacker who has already compromised one account uses it to send phishing emails to that user’s contacts. The “from” address is real; the trust is real; the link is malicious.

The best phishing emails are indistinguishable from real ones at first glance. The defense is to never make important decisions based on email content alone.

The practical defenses

Three categories of defense, in order of effectiveness:

Technical controls (the highest-leverage defenses):

  • Phishing-resistant MFA: hardware security keys, passkeys, or platform authenticators that cannot be phished. SMS-based MFA is better than nothing but is phishable; FIDO2 / WebAuthn factors are not.
  • Email authentication: SPF, DKIM, and DMARC configured strictly on your domain. Prevents attackers from spoofing your own domain to your employees and customers.
  • Email filtering: modern email security gateways (Microsoft Defender for Office 365, Google Workspace’s built-in protections, Proofpoint, Mimecast) filter the bulk of phishing before it reaches inboxes.
  • Web filtering: DNS-level and proxy-level filtering blocks known phishing sites even when a user clicks a phishing link.
  • Endpoint detection and response (EDR): detects and stops malicious payloads when phishing succeeds despite the other layers.
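As an added example (not the post's own tooling) of what "configured strictly" means for the email-authentication item above, the following script scores a domain's SPF and DMARC TXT records. The records are constructed sample strings; in practice you would fetch the TXT records for the domain and for its `_dmarc.` subdomain (for instance with dnspython) and pass them in unchanged. The thresholds used (SPF must end in `-all`; DMARC must be `p=reject` or `p=quarantine` at `pct=100` with an aggregate-report address) are this example's reading of "strict", not a standard.

```python
# Added example (not the post's own tooling): assess whether a domain's SPF and
# DMARC records are "configured strictly". Records here are constructed sample
# strings; in practice you would pull the TXT records for "example.test" and
# "_dmarc.example.test" (e.g. with dnspython) and pass them in unchanged. The
# thresholds (SPF must end in -all; DMARC p=reject/quarantine at pct=100 with
# aggregate reporting) are this example's reading of "strict", not a standard.
import re

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)")

def spf_findings(record: str) -> list:
    """Weaknesses in an SPF record; an empty list means it is strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()             # the terminal 'all' decides unlisted senders
    if last in ("+all", "all"):
        findings.append("SPF ends in +all: every sender passes, no protection")
    elif last == "?all":
        findings.append("SPF ends in ?all (neutral): spoofed mail is not failed")
    elif last == "~all":
        findings.append("SPF ends in ~all (softfail): move to -all once DMARC is enforcing")
    elif last != "-all":
        findings.append("SPF has no terminal 'all' mechanism")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; over 10 yields permerror")
    return findings

def dmarc_findings(record: str) -> list:
    """Weaknesses in a DMARC record; an empty list means it is strict."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC has unknown policy {policy!r}")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    sub = tags.get("sp", "").lower()      # sp defaults to p, so only an explicit downgrade counts
    if sub == "none" and policy != "none":
        findings.append("DMARC sp=none: subdomains of the domain can still be spoofed")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, no visibility")
    return findings

def assess_domain(spf: str, dmarc: str) -> dict:
    findings = spf_findings(spf) + dmarc_findings(dmarc)
    return {"strict": not findings, "findings": findings}

# Constructed sample records (not any real domain's published records).
WEAK_SPF = "v=spf1 include:_spf.mailer.example.test ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRICT_SPF = "v=spf1 include:_spf.mailer.example.test -all"
STRICT_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.test")

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        result = assess_domain(spf, dmarc)
        print(f"{label}: {'strict' if result['strict'] else 'NOT strict'}")
        for finding in result["findings"]:
            print("  -", finding)
```

The weak pair is the common "we set up DMARC" state: SPF softfails and DMARC only monitors, so a spoofed message from the domain is still delivered. The DKIM side is not checked here because a DKIM selector record says nothing about policy by itself; the `adkim=s`/`aspf=s` alignment tags in the strict DMARC record are what make DKIM and SPF results count only when the signing and envelope domains match the visible From domain.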

Process controls:

  • Out-of-band verification for high-value actions: any wire transfer, payment-information change, or sensitive data release requires verification through a channel different from the request channel. A request that arrives by email is confirmed by phone, or in person, before anything is done.
  • Vendor management: known vendor email addresses, established payment processes, clear escalation paths for changes.
  • Incident response readiness: clear processes for what happens when someone reports a phishing email, what happens when someone clicks one, how the security team triages and contains.

Awareness training (necessary but not sufficient):

  • Regular phishing simulation campaigns: monthly or quarterly. Identify users who repeatedly fall for simulations; provide additional training. Track aggregate trend over time.
  • Specific scenario training: BEC, wire transfer fraud, credential phishing, payroll diversion. Generic “be careful” training is less effective than scenario-specific training.
  • Easy reporting mechanism: a “Report Phishing” button in the email client. Make reporting easier than ignoring suspicious messages.

The combined approach is what works. Technical controls catch most phishing before it reaches users; process controls catch what slips through and reaches high-value actions; awareness training reinforces good behavior at the user level.

Update (2026-05-12): the phishing landscape since this post was first published.

Phishing has continued to evolve significantly:

  • AI-generated phishing has become the norm. Generative AI tools (ChatGPT, GPT-4, GPT-5 family) produce convincing phishing emails in any language, customized to specific targets, without the grammatical errors that previously gave phishing away.
  • Voice deepfakes have moved from novelty to operational. Voice clone-based BEC attacks (a fake call from the "CEO" requesting an urgent wire transfer) are now documented attack patterns.
  • MFA bypass attacks have grown. AiTM (adversary-in-the-middle) phishing kits capture credentials and MFA codes in real time, defeating SMS and TOTP-based MFA. Phishing-resistant FIDO2 factors remain effective.
  • Passkey adoption has accelerated as a defensive response. Major platforms (Google, Microsoft, Apple, Amazon) now offer passkeys as primary authentication.
  • AI-powered defenses like OpenAI’s Daybreak and Anthropic’s Project Glasswing represent the defender response to AI-powered attacks.
  • Regulatory pressure has tightened in many jurisdictions. SEC cybersecurity disclosure rules, NIS2 in the EU, and others mandate better defenses and faster incident reporting.
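The point made in the technical-controls section (SMS and TOTP factors are phishable, FIDO2/WebAuthn factors are not) and in the AiTM item above comes down to one property: a WebAuthn assertion is signed over the origin the browser was actually on, while a TOTP code carries no such information. The script below is an added example, not from the post, that models exactly that part of the protocol. An HMAC over a per-credential secret stands in for the authenticator's public-key signature (standard library only); the origin, challenge and rpIdHash checks are the ones a relying party performs. All origins, keys and seeds are constructed.

```python
# Added example, not from the post: why a FIDO2/WebAuthn login survives an
# adversary-in-the-middle (AiTM) proxy while a relayed TOTP code does not. It
# models the relevant part of a WebAuthn assertion: the authenticator signs
# authenticatorData || SHA-256(clientDataJSON), and clientDataJSON carries the
# origin the *browser* was actually on. An HMAC over a per-credential secret
# stands in for the authenticator's public-key signature (standard library only);
# the origin, challenge and rpIdHash checks are the ones a relying party performs.
# All origins, keys and secrets below are constructed.
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.test"                        # the genuine site
RP_ID_HASH = hashlib.sha256(b"login.example.test").digest()     # SHA-256 of the rpId

def authenticator_sign(cred_key: bytes, rp_id_hash: bytes, client_data: bytes) -> dict:
    """The security key / passkey never sees a URL; it signs what the browser hands it."""
    auth_data = rp_id_hash + bytes([0x01]) + (1).to_bytes(4, "big")   # flags=UP, counter=1
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()        # stand-in for ES256
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}

def browser_sign(page_origin: str, challenge: bytes, cred_key: bytes) -> dict:
    """The browser fills in clientDataJSON from the page it is really on, and the
    rpId it offers the authenticator is derived from that same origin."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    return authenticator_sign(cred_key, hashlib.sha256(host.encode()).digest(), client_data)

def rp_verify(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> tuple:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replay or foreign session)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: assertion was made on {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != RP_ID_HASH:
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP (TOTP is HOTP with counter = unix_time // 30). The 6 digits
    say nothing about where they were typed, which is why a proxy can relay them."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def simulate() -> dict:
    cred_key = b"constructed-credential-secret"
    challenge = secrets.token_bytes(32)                 # issued by the RP for this login
    # 1. The user really is on the genuine site.
    legit = rp_verify(cred_key, challenge, browser_sign(RP_ORIGIN, challenge, cred_key))
    # 2. AiTM: the proxy fetches the real login page, so the RP's genuine challenge
    #    reaches the victim, but the victim's browser is on the proxy's origin.
    proxy_origin = "https://login-example.test"         # constructed look-alike
    relayed = browser_sign(proxy_origin, challenge, cred_key)
    aitm = rp_verify(cred_key, challenge, relayed)
    # 3. The same proxy relaying a TOTP code: the RP cannot tell it was typed elsewhere.
    totp_seed = b"constructed-totp-seed"
    typed_on_proxy = hotp(totp_seed, 12345)
    totp_accepted = hmac.compare_digest(typed_on_proxy, hotp(totp_seed, 12345))
    return {"legit": legit, "aitm_webauthn": aitm, "aitm_totp_relay": totp_accepted}

if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Two things to notice in the relayed WebAuthn case. The challenge is the real one and the signature is valid, yet the relying party still rejects the assertion because the origin was filled in by the victim's browser, not by anything the proxy controls. In a real browser the attempt fails even earlier: the credential is bound to the genuine rpId, so no credential is offered on the look-alike domain at all, which is the rpIdHash check in `rp_verify`. The TOTP code, by contrast, is accepted wherever it was typed.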

The defenses described in this post remain the right framework in 2026, with passkey adoption now being more practical than it was in 2022 and AI-driven detection becoming a meaningful additional layer.

Frequently Asked Questions

What’s the difference between phishing and social engineering?

Social engineering is the broader category: any attempt to manipulate people into actions that compromise security. Phishing is a specific subset of social engineering that uses digital channels (email, SMS, voice, web) to deliver the manipulation. All phishing is social engineering; not all social engineering is phishing. Our social engineering piece covers the broader category.

How do I tell if an email is a phishing attempt?

Common signals: unexpected urgency, requests for credentials or money, links to domains that look slightly off (paypal.com vs paypa1.com), generic greetings, mismatched sender addresses, attachments you weren’t expecting. None of these are definitive; sophisticated phishing avoids them. The reliable approach is to verify any high-stakes request through a separate channel before acting, regardless of how the message looks.
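The signals listed in this answer, together with the look-alike-domain tactic described earlier under "How attackers craft convincing phishing", are the kind of thing a mail-triage rule can check before a human has to. The script below is an added example (not the post's own tooling) that does so over a raw RFC 822 message: sender domain imitating a protected brand, display name claiming a brand the address lacks, Reply-To pointing elsewhere, urgency wording, a generic greeting, link hosts imitating a brand, and risky attachment types. The `PROTECTED` brand list, the homoglyph table, the keyword list and both sample messages are constructed; the score is a plain count of findings, not a calibrated model.

```python
# Added example (not the post's own tooling): score a raw email on the phishing
# signals the post lists. Brand list, homoglyph table, keywords and the two
# sample messages are constructed; the score is a count, not a calibrated model.
import re
from difflib import SequenceMatcher
from email import message_from_string, policy, utils

PROTECTED = {"paypal.com", "microsoft.com", "example-bank.test"}

# Character substitutions common in look-alike registrations; undo them before comparing.
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})
_MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def normalise(label: str) -> str:
    label = label.lower().translate(_HOMOGLYPHS)
    for seq, repl in _MULTI:
        label = label.replace(seq, repl)
    return label

def registrable(host: str) -> str:
    """Last two labels; a toy stand-in for a public-suffix-list lookup."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(host: str):
    """The protected brand this host imitates, or None for the brand itself or an
    unrelated domain. Three tests: homoglyph-normalised equality (paypa1.com,
    rnicrosoft.com), brand name embedded in a longer label (microsoft-support.co),
    and near-miss spelling (paypall.com)."""
    reg = registrable(host)
    if reg in PROTECTED:
        return None
    label = normalise(reg.split(".")[0])
    for brand in PROTECTED:
        name = brand.split(".")[0]
        if label == name or name in label:
            return brand
        if SequenceMatcher(None, label, name).ratio() >= 0.85:
            return brand
    return None

_URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify your account|act now)\b", re.I)
_GENERIC = re.compile(r"^\s*(dear (customer|user|sir/madam)|hello,)", re.I)
_RISKY_EXT = (".exe", ".js", ".scr", ".iso", ".html", ".htm", ".lnk")

def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    brand = lookalike_of(from_domain) if from_domain else None
    if brand:
        findings.append(f"sender domain {from_domain} imitates {brand}")
    for p in PROTECTED:                      # display name claims a brand the address lacks
        if p.split(".")[0] in name.lower() and registrable(from_domain) != p:
            findings.append(f"display name claims {p} but address is @{from_domain}")
    reply_to = utils.parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2] != from_domain:
        findings.append(f"Reply-To diverts replies to {reply_to}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if _URGENCY.search(text):
        findings.append("urgency language in body")
    if _GENERIC.match(text):
        findings.append("generic greeting")
    for host in re.findall(r"https?://([^/\s]+)", text):
        brand = lookalike_of(host)
        if brand:
            findings.append(f"link host {host} imitates {brand}")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(_RISKY_EXT):
            findings.append(f"risky attachment type: {filename}")
    return {"from": addr, "score": len(findings), "findings": findings}

# Constructed sample messages.
PHISH = """\
From: PayPal Security <alerts@paypa1.com>
Reply-To: support@secure-verify.test
To: victim@example.test
Subject: Action required
Content-Type: text/plain; charset=utf-8

Dear Customer,

Your account will be suspended within 24 hours unless you verify your account
at http://paypa1.com/login now.
"""

LEGIT = """\
From: PayPal <service@paypal.com>
To: victim@example.test
Subject: Receipt for your payment
Content-Type: text/plain; charset=utf-8

Hi Alex,

Here is the receipt for your payment of $12.00 to Example Store. Details at
https://www.paypal.com/activity.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = triage(raw)
        print(f"{label}: score {result['score']} from {result['from']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The sample phishing message trips six of the seven checks while the genuine receipt trips none, which is the easy case; as the answer says, well-crafted messages avoid most of these tells, and a message that scores zero still warrants out-of-band verification if it asks for money or credentials. The "brand name embedded in a longer label" test is deliberately greedy and will flag legitimate third parties whose domain contains a brand name, so in a real deployment it belongs in a review queue rather than an automatic block.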

What should I do if I clicked a phishing link?

Disconnect from the network if possible, change passwords for any accounts you might have entered credentials for (using a different device), enable or strengthen MFA on those accounts, report the incident to your IT or security team, and watch for follow-up impacts (unauthorized access alerts, unusual account activity, unexpected emails sent from your account). Speed matters; reporting and remediation within hours is much better than within days.

Is phishing really worse for businesses than other attacks?

By volume and frequency, yes. Phishing is the most common initial vector in breach incidents per multiple industry reports. The financial impact is also substantial: business email compromise alone accounts for billions in losses annually per FBI Internet Crime Complaint Center data. Other attack types (ransomware, supply chain, zero-day exploits) get more news coverage, but phishing remains the dominant volume and the most common starting point for larger compromises.

Can phishing awareness training really help?

Yes, but its effects are bounded. Awareness training reduces phishing susceptibility, but the effect plateaus around 5–10% even with repeated training. The reduction matters at scale (5% of 10,000 employees is 500 fewer compromises) but does not substitute for technical and process controls. The realistic expectation is awareness as one layer am
