What Is Phishing? Types, Examples and Prevention
Phishing is the most common entry point for cyberattacks. Learn how it works, the main types — spear phishing, whaling, smishing and vishing — and how to defend.
Phishing is a type of social engineering attack in which an adversary impersonates a trusted person or organization to trick a victim into revealing sensitive information — like passwords or payment details — or into taking a harmful action, such as opening a malicious attachment or approving a fraudulent transaction. It remains the single most common way attackers gain initial access, and it's the root cause behind a huge share of data breaches and ransomware incidents.
Phishing works because it targets people, not just technology. No firewall stops an employee from voluntarily typing their password into a convincing fake login page. That's what makes it so durable and so dangerous.
How phishing works
A classic phishing attack follows a simple pattern: the attacker crafts a message that looks legitimate, creates a sense of urgency or curiosity, and includes a "hook" — a malicious link, an attachment, or a request. Common psychological triggers include fear ("your account will be suspended"), authority ("a message from the CEO"), urgency ("act within 24 hours") and reward ("you've won").
The link typically leads to a fake login page that harvests credentials, while attachments may carry malware. Increasingly, attackers also use phishing to defeat multi-factor authentication by relaying one-time codes in real time or bombarding users with push-approval requests until one is accepted.
The main types of phishing
Spear phishing
Where ordinary phishing is sprayed at thousands of people, spear phishing is highly targeted. The attacker researches a specific individual — their role, colleagues and projects — and crafts a personalized message that's far more convincing. Spear phishing is a favorite first step for advanced persistent threats.
Whaling
Whaling targets the "big fish" — executives and senior leaders who have access to money or sensitive data. A whaling message might impersonate a board member or be tailored to a CFO's responsibilities.
Business email compromise (BEC)
In BEC, attackers compromise or convincingly spoof a business email account to request fraudulent wire transfers or sensitive data — for example, posing as a supplier changing their bank details. BEC causes enormous financial losses despite rarely involving any malware at all.
Smishing and vishing
Phishing isn't limited to email. Smishing uses SMS text messages, and vishing uses voice calls — often impersonating a bank, IT support or a delivery service. "Callback phishing" combines email and phone, luring victims to call a fake support line.
Clone and angler phishing
Clone phishing copies a legitimate message the victim has already received and swaps in a malicious link. Angler phishing uses fake social-media support accounts to intercept customers seeking help.
How to spot a phishing message
- A sense of urgency or threat pushing you to act fast.
- Mismatched or look-alike sender addresses and links — hover before clicking.
- Requests for credentials, payment changes or sensitive data.
- Unexpected attachments, especially those asking you to "enable content."
- Subtle spelling, grammar or branding errors — though AI-written lures increasingly look flawless.
- A request that bypasses normal process ("don't tell anyone, just send the transfer").
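Several of the tells in this list (look-alike sender addresses, a display name that borrows a trusted brand, link text that does not match the real destination, urgency wording) can be checked mechanically before a message reaches a person. The following Python script is an added example, not code from the article: it runs a few such heuristics over two constructed messages, one lure and one legitimate newsletter, and returns a list of findings. The trusted domain, the urgency phrase list and both sample messages are assumptions made for the example; `registered_domain` keeps only the last two labels and would need the public suffix list in a real deployment.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the domains the organization really uses, and
# phrases matching the "urgency or threat" tell from the list above.
TRUSTED_DOMAINS = {"example-corp.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")

# Constructed lure (not a real message): look-alike sender domain ("1" for "l"),
# a display name borrowing the trusted domain, urgency, and a link whose visible
# text differs from its real destination.
SAMPLE_LURE = """\
From: "example-corp.com Helpdesk" <alerts@examp1e-corp.com>
Subject: URGENT: your account will be suspended within 24 hours

<html><body>
<p>Your password expires today. Reset it immediately to avoid suspension.</p>
<p><a href="https://login.examp1e-corp.com/reset">https://login.example-corp.com/reset</a></p>
</body></html>
"""

# Constructed legitimate message for comparison.
SAMPLE_LEGIT = """\
From: "Example Corp Helpdesk" <helpdesk@example-corp.com>
Subject: Monthly IT newsletter

<html><body>
<p>This month's tips are online.</p>
<p><a href="https://example-corp.com/news">Read more</a></p>
</body></html>
"""


def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value between domains signals a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a hostname (a real tool would consult the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def looks_like_trusted(domain):
    """True when the domain is not trusted but within two edits of a trusted one."""
    return domain not in TRUSTED_DOMAINS and any(
        edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return human-readable findings; an empty list means no tell fired."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if looks_like_trusted(sender_domain):
        findings.append(f"look-alike sender domain: {sender_domain}")
    if sender_domain not in TRUSTED_DOMAINS and any(t in name.lower() for t in TRUSTED_DOMAINS):
        findings.append(f"display name claims {name!r} but address is {addr}")
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    parser = LinkExtractor()
    parser.feed(body)
    for href, shown in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        if shown.startswith(("http://", "https://")):  # visible text is itself a URL
            displayed = registered_domain(urlparse(shown).hostname or "")
            if displayed != target:
                findings.append(f"link text shows {displayed} but points to {target}")
        if looks_like_trusted(target):
            findings.append(f"look-alike link domain: {target}")
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

Heuristics like these are a triage aid, not a verdict: the lure trips five findings here, the newsletter none, but as the list above notes, AI-written lures remove the wording tells, so the sender and link checks matter more than the urgency phrase match.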
How to prevent phishing
Effective defense combines people, process and technology:
- Phishing-resistant MFA. Use FIDO2/passkeys where possible; unlike one-time codes, they can't be relayed through a fake login page.
- Email security. Deploy filtering, and enforce SPF, DKIM and DMARC to make spoofing your domain harder.
- Security awareness training. Regular, realistic simulations measurably reduce click rates.
- Least privilege. Limit what a compromised account can access.
- Verification process. Require out-of-band confirmation for payment changes and unusual requests.
- Reporting culture. Make it easy and blame-free for staff to report suspicious messages — fast reporting shrinks an attacker's window.
- Threat intelligence. Track active phishing campaigns and the lures targeting your sector.
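"Enforce SPF, DKIM and DMARC" is the item in the list above that is most often published but not actually enforced. The following Python script is an added example, not code from the article: it parses constructed SPF and DMARC TXT records (no DNS lookups are made; the record strings and the example.com / example.net names are assumptions) and reports the settings that leave a domain spoofable, such as a `+all` terminator, a `p=none` policy, partial `pct`, or a missing aggregate-report address.

```python
# Constructed example records. A real check would fetch the TXT records at the
# domain itself (SPF) and at _dmarc.<domain> (DMARC); none of these are real.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict, splitting on the first '=' so mailto: URIs survive."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return the reasons a DMARC record does not yet stop spoofing of the domain."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: first tag must be v=DMARC1"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing p= tag: receivers ignore the record")
    elif policy == "none":
        issues.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam; p=reject is the enforcing end state")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports showing who sends as the domain")
    return issues


def assess_spf(record):
    """Return the reasons an SPF record leaves the domain spoofable or broken."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    issues = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        issues.append("+all: every host on the internet passes SPF for this domain")
    elif last == "?all":
        issues.append("?all: neutral result, equivalent to publishing no policy")
    elif last == "~all":
        issues.append("~all: softfail only; move to -all once every legitimate sender is listed")
    elif last != "-all" and not last.startswith("redirect="):
        issues.append("no terminating all mechanism: unlisted hosts get a neutral result")
    lookups = 0
    for term in terms[1:]:
        # strip the qualifier (+ - ~ ?) and any ':value' or '/prefix' suffix
        mech = term.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if mech in LOOKUP_MECHANISMS or term.lower().startswith("redirect="):
            lookups += 1
        if mech == "ptr":
            issues.append("ptr mechanism: discouraged by RFC 7208 and slow to evaluate")
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms: exceeds the limit of 10, evaluation returns permerror")
    return issues


if __name__ == "__main__":
    for label, rec in (("weak SPF", WEAK_SPF), ("strong SPF", STRONG_SPF)):
        print(label, assess_spf(rec))
    for label, rec in (("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)):
        print(label, assess_dmarc(rec))
```

The weak pair is what a domain typically looks like after a first, cautious rollout: SPF published but permissive, DMARC in monitor mode. Only `-all` plus `p=reject` tells receiving mail servers to discard messages that claim the domain without authenticating, which is what makes spoofing "harder" in the sense the list intends.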
How AI is changing phishing
One of the biggest shifts in phishing is the use of generative AI by attackers. For years, a reliable tell of a phishing message was clumsy grammar and awkward phrasing. That signal is rapidly disappearing. AI tools let attackers produce flawless, fluent, well-targeted messages at scale, in any language, instantly — eroding one of the simplest ways people spotted fakes.
AI raises the threat in several concrete ways:
- Perfect language. Lures are grammatically clean and convincingly written, even in languages the attacker doesn't speak.
- Personalization at scale. AI can tailor messages to individuals using publicly available information, making mass spear phishing economically viable.
- Deepfake voice and video. Vishing and video calls can now feature synthetic audio that mimics a real executive's voice, supercharging business email compromise into "business communication compromise."
- Faster iteration. Attackers can generate and test many variants of a lure quickly to find what works.
The defensive implication is important: you can no longer rely on spelling and grammar as a primary filter. Awareness training must evolve to emphasize context and process over surface clues — questioning unexpected requests, verifying through a second channel, and being suspicious of urgency regardless of how polished a message looks. Technical controls become even more critical as the human eye gets less reliable: phishing-resistant authentication that can't be relayed, robust email authentication, and behavioral detection of credential theft. The fundamentals don't change — verify, don't trust urgency, and use strong authentication — but the margin for relying on "it looked off" has narrowed sharply. Staying aware of the lures and techniques currently in circulation is more valuable than ever.
Quick recap:
- Phishing is a social-engineering attack that impersonates a trusted party to trick victims into revealing data or taking a harmful action.
- Key types include spear phishing, whaling, business email compromise, smishing, vishing, clone and angler phishing.
- It works by exploiting urgency, authority, fear and trust — and AI is making lures more convincing, eroding the old "bad grammar" tell.
- Defense layers phishing-resistant MFA, email security, awareness training, verification processes and a blame-free reporting culture.
The bottom line
Phishing is the most common and adaptable entry point for cyberattacks because it exploits human trust rather than technical flaws. Defending against it means layering phishing-resistant authentication, email security, awareness training and strong verification processes — and staying aware of the campaigns active right now. Our live threat intelligence feed tracks phishing and social-engineering campaigns reported across dozens of authoritative sources, ranked by priority, so you can warn your people before a lure lands.
Frequently asked questions
What is phishing?
Phishing is a social-engineering attack in which an adversary impersonates a trusted person or organization to trick a victim into revealing sensitive information or taking a harmful action, such as clicking a malicious link, opening a malware attachment, or approving a fraudulent payment.
What is the difference between phishing and spear phishing?
Phishing is typically mass-distributed to many people with a generic lure. Spear phishing is highly targeted: the attacker researches a specific person and crafts a personalized, far more convincing message, often as the first step in a sophisticated intrusion.
What are the main types of phishing?
Common types include spear phishing (targeted), whaling (targeting executives), business email compromise (BEC), smishing (SMS), vishing (voice calls), clone phishing and angler phishing (fake social-media support accounts).
How can you prevent phishing attacks?
Use phishing-resistant MFA such as passkeys, deploy email filtering and SPF/DKIM/DMARC, run regular awareness training and simulations, enforce out-of-band verification for payment and account changes, apply least privilege, and make reporting suspicious messages quick and blame-free.