11 Types of Phishing + Real-Life Examples (2024)

Phishing is a type of cybercrime in which criminals pose as a trustworthy source online to lure victims into handing over personal information such as usernames, passwords, or credit card numbers.

A phishing attack can take various forms, and while it often takes place over email, there are many different methods scammers use to accomplish their schemes. This is especially true today as phishing continues to evolve in sophistication and prevalence. While the goal of any phishing scam is always stealing personal information, there are many different types of phishing you should be aware of.

1. Email Phishing

Arguably the most common type of phishing, this method often involves a “spray and pray” technique in which hackers impersonate a legitimate identity or organization and send mass emails to as many addresses as they can obtain.

These emails are often written with a sense of urgency, informing the recipient that a personal account has been compromised and they must respond immediately. Their objective is to elicit a certain action from the victim such as clicking a malicious link that leads to a fake login page. After entering their credentials, victims unfortunately deliver their personal information straight into the scammer’s hands.

Example of Email Phishing

The Daily Swig reported a phishing attack that occurred in December 2020 at US healthcare provider Elara Caring that came after an unauthorized computer intrusion targeting two employees. The attacker gained access to the employees’ email accounts, resulting in the exposure of the personal details of over 100,000 elderly patients, including names, birth dates, financial and bank information, Social Security numbers, driver’s license numbers and insurance information. The attacker maintained unauthorized access for an entire week before Elara Caring could fully contain the data breach.

2. Spear Phishing

Rather than the “spray and pray” method described above, spear phishing involves sending malicious emails to specific individuals within an organization: instead of mass emails to thousands of recipients, attackers target certain employees at specifically chosen companies. These emails are often more personalized in order to make the victim believe they have a relationship with the sender.

Example of Spear Phishing

Armorblox reported a spear phishing attack in September 2019 against an executive at a company named one of the top 50 innovative companies in the world. The email contained an attachment that appeared to be an internal financial report, which led the executive to a fake Microsoft Office 365 login page. The fake login page had the executive’s username already pre-entered on the page, further adding to the disguise of the fraudulent web page.

3. Whaling

Whaling closely resembles spear phishing, but instead of going after any employee within a company, scammers specifically target senior executives (or “the big fish,” hence the term whaling). This includes the CEO, CFO or any high-level executive with access to more sensitive data than lower-level employees. Often, these emails use a high-pressure situation to hook their victims, such as relaying a statement of the company being sued. This entices recipients to click the malicious link or attachment to learn more information.

Example of Whaling

In November 2020, Tessian reported a whaling attack that took place against the co-founder of Australian hedge fund Levitas Capital. The co-founder received an email containing a fake Zoom link that planted malware on the hedge fund’s corporate network and almost caused a loss of $8.7 million in fraudulent invoices. The attacker ultimately got away with just $800,000, but the ensuing reputational damage resulted in the loss of the hedge fund’s largest client, forcing them to close permanently.

4. Smishing

SMS phishing, or smishing, leverages text messages rather than email to carry out a phishing attack. It operates in much the same way as email-based phishing: attackers send texts from what seem to be legitimate sources (like trusted businesses) that contain malicious links. Links might be disguised as a coupon code (20% off your next order!) or an offer for a chance to win something like concert tickets.

Example of Smishing

In September 2020, Tripwire reported a smishing campaign that used the United States Post Office (USPS) as the disguise. The attackers sent SMS messages informing recipients of the need to click a link to view important information about an upcoming USPS delivery. The malicious link actually took victims to various web pages designed to steal visitors’ Google account credentials.

5. Vishing

Vishing—otherwise known as voice phishing—is similar to smishing in that a phone is used as the vehicle for an attack, but instead of exploiting victims via text message, it’s done with a phone call. A vishing call often relays an automated voice message from what is meant to seem like a legitimate institution, such as a bank or a government entity.

Attackers might claim you owe a large amount of money, your auto insurance is expired or your credit card has suspicious activity that needs to be remedied immediately. At this point, a victim is usually told they must provide personal information such as credit card credentials or their social security number in order to verify their identity before taking action on whatever claim is being made.

Examples of Vishing

In September of 2020, health organization Spectrum Health System reported a vishing attack that involved patients receiving phone calls from individuals masquerading as employees. The attackers were aiming to extract personal data from patients and Spectrum Health members, including member ID numbers and other personal health data associated with their accounts. Spectrum Health reported the attackers used measures like flattery or even threats to pressure victims into handing over their data, money or access to their personal devices.

6. Business Email Compromise (CEO Fraud)

CEO fraud is a form of phishing in which the attacker obtains access to the business email account of a high-ranking executive (like the CEO). With the compromised account at their disposal, they send emails to employees within the organization impersonating the CEO, with the goal of initiating a fraudulent wire transfer or obtaining money through fake invoices.

Example of CEO Fraud

Inky reported a CEO fraud attack against Austrian aerospace company FACC in 2019. This attack involved a phishing email sent to a low-level accountant that appeared to be from FACC’s CEO. The email relayed information about required funding for a new project, and the accountant unknowingly transferred $61 million into fraudulent foreign accounts.

7. Clone Phishing

If you’ve ever received a legitimate email from a company only to receive what appears to be the same message shortly after, you’ve witnessed clone phishing in action. This method of phishing works by creating a malicious replica of a recent message you’ve received and re-sending it from a seemingly credible source. Any links or attachments from the original email are replaced with malicious ones. Attackers typically use the excuse of re-sending the message due to issues with the links or attachments in the previous email.

Examples of Clone Phishing

A security researcher demonstrated the possibility of following an email link to a fake website that seems to show the correct URL in the browser window, but tricks users by using characters that closely resemble the legitimate domain name. Always visit websites from your own bookmarks or by typing out the URL yourself, and never click a link from an unexpected email (even if it seems legitimate).
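A defender can check for the lookalike characters described above before a link is trusted. The following is an added example, not part of the original article: the confusables table and the trusted-domain list are small constructed assumptions, and a production check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small table (assumption): a few Cyrillic and Greek
# letters mapped to the Latin letters they visually resemble.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
}
TRUSTED = {"example.com", "example-bank.com"}  # constructed allowlist

# Constructed samples: Cyrillic U+0435 and U+0445 stand in for Latin "e" and "x".
SPOOF = "\u0435\u0445ample.com"
SPOOF_PUNY = "xn--" + "\u0435\u0445ample".encode("punycode").decode("ascii") + ".com"


def to_unicode(domain):
    """Decode punycode (xn--) labels so the real characters become visible."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep an undecodable label unchanged
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Return the scripts used by the letters of one label, e.g. {'LATIN'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def check_domain(domain):
    """Return a list of findings for a domain taken from a link."""
    decoded = to_unicode(domain)
    findings = []
    if decoded != domain.lower().rstrip("."):
        findings.append("punycode")
    if any(ord(ch) > 127 for ch in decoded):
        findings.append("non-ascii")
    if any(len(scripts(label)) > 1 for label in decoded.split(".")):
        findings.append("mixed-script")
    # Replace confusable letters and compare the result with trusted names.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in decoded)
    if decoded not in TRUSTED and skeleton in TRUSTED:
        findings.append("lookalike-of:" + skeleton)
    return findings
```
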

8. Evil Twin Phishing

Evil twin phishing involves setting up what appears to be a legitimate WiFi network that actually lures victims to a phishing site when they connect to it. Once they land on the site, they’re typically prompted to enter their personal data, such as login credentials, which then goes straight to the hacker. Once the hacker has these details, they can log into the network, take control of it, monitor unencrypted traffic and find ways to steal sensitive information and data.

Example of Evil Twin Phishing

In September 2020, Nextgov reported a data breach against the U.S. Department of the Interior’s internal systems. Hackers used evil twin phishing to steal unique credentials and gain access to the department’s WiFi networks. Further investigation revealed that the department wasn’t operating within a secure wireless network infrastructure, and the department’s network policy failed to ensure that bureaus enforced strong user authentication measures, periodically tested network security or required network monitoring to detect and manage common attacks.

9. Social Media Phishing

Social media phishing is when attackers use social networking sites like Facebook, Twitter and Instagram to obtain victims’ sensitive data or lure them into clicking on malicious links. Hackers may create fake accounts impersonating someone the victim knows to lead them into their trap, or they may even impersonate a well-known brand’s customer service account to prey on victims who reach out to the brand for support.

Example of Social Media Phishing

In August 2019, Fstoppers reported a phishing campaign launched on Instagram where scammers sent private messages to Instagram users warning them that they had committed an image copyright infringement and requiring them to fill out a form to avoid suspension of their account.

One victim received a private message from what appeared to be an official North Face account alleging a copyright violation, which prompted him to follow a link to “InstagramHelpNotice.com,” a seemingly legitimate website where users are asked to input their login credentials. Victims who fell for the trap ultimately provided hackers with access to their account information and other personal data linked to their Instagram account.

10. Search Engine Phishing

Search engine phishing involves hackers creating their own website and getting it indexed on legitimate search engines. These websites often feature cheap products and incredible deals to lure unsuspecting online shoppers who see the website on a Google search result page. If they click on it, they’re usually prompted to register an account or enter their bank account information to complete a purchase. Of course, scammers then turn around and steal this personal data to be used for financial gain or identity theft.

Example of Search Engine Phishing

In 2020, Google reported that 25 billion spam pages were detected every day, from spam websites to phishing web pages. Additionally, Wandera reported in 2020 that a new phishing site is launched every 20 seconds. That means three new phishing sites appear on search engines every minute!

11. Pharming

Pharming—a combination of the words “phishing” and “farming”—involves hackers exploiting the mechanics of internet browsing to redirect users to malicious websites, often by targeting DNS (Domain Name System) servers. DNS servers exist to direct website requests to the correct IP address. Hackers who engage in pharming often target DNS servers to redirect victims to fraudulent websites with fake IP addresses. Victims’ personal data becomes vulnerable to theft when a corrupted DNS server lands them on the fraudulent website.

Example of Pharming

Securelist reported a pharming attack targeting a volunteer humanitarian campaign created in Venezuela in 2019. The campaign included a website where volunteers could sign up to participate in the campaign, and the site requested they provide data such as their name, personal ID, cell phone number, their home location and more.

A few days after the website was launched, a nearly identical website with a similar domain appeared. The hacker created this fake domain using the same IP address as the original website. Whenever a volunteer opened the genuine website, any personal data they entered was filtered to the fake website, resulting in the data theft of thousands of volunteers.

Tips to Spot and Prevent Phishing Attacks

One of the best ways you can protect yourself from falling victim to a phishing attack is by studying examples of phishing in action. This guide by the Federal Trade Commission (FTC) is useful for understanding what to look for when trying to spot a phishing attack, as well as steps you can take to report an attack to the FTC and mitigate future data breaches. In general, keep these warning signs in mind to uncover a potential phishing attack:

  • An email asks you to confirm personal information: If you get an email that seems authentic but arrives out of the blue, it’s a strong sign that it’s from an untrustworthy source.
  • Poor grammar: Misspelled words, poor grammar or a strange turn of phrase are immediate red flags of a phishing attempt.
  • Messages about a high-pressure situation: If a message seems like it was designed to make you panic and take action immediately, tread carefully—this is a common maneuver among cybercriminals.
  • Suspicious links or attachments: If you received an unexpected message asking you to open an unknown attachment, never do so unless you’re fully certain the sender is a legitimate contact.
  • Too good to be true offers: If you’re being contacted about what appears to be a once-in-a-lifetime deal, it’s probably fake.

The next best line of defense against all types of phishing attacks and cyberattacks in general is to make sure you’re equipped with a reliable antivirus. At the very least, take advantage of free antivirus software to better protect yourself from online criminals and keep your personal data secure.

Panda Security

Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.


What is a famous example of phishing?

The Nordea Bank Incident

Dubbed the "biggest ever online bank heist" by digital security company McAfee, Nordea customers were hit with phishing emails containing Trojan viruses that installed a keylogger into the victims' computers and directed them to a fake bank website where hackers intercepted login credentials.

What is an example of whale phishing?

For example, an attacker may send an email to a CEO requesting payment, pretending to be a client of the company. Whaling attacks always personally address targeted individuals, often using their title, position and phone number, which are obtained using company websites, social media or the press.

What is spear phishing explain with examples?

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user's computer.

What is Facebook phishing?

Phishing happens when you enter your login credentials on a fake Facebook login page or download malicious software to your computer. This may result in messages or links being automatically sent to a large number of your friends.

What is a phishing email example?

Phishing emails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with required information about your account, the email would call you by name and probably direct you to contact them via phone.

How many types of phishing attacks are there?

19 Types of Phishing Attacks.

What is spear vishing?

Spear phishing is a phishing method that targets specific individuals or groups within an organization.

What is spear smishing?

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user's computer.

What is clone phishing?

The definition of clone phishing is that it's a type of scam where the perpetrator replicates the emails from an existing, legitimate company. Some clones can be very well-duplicated, fooling even the most keen-eyed individuals.

What is angler phishing?

Angler phishing is a new type of phishing attack that targets social media users. People disguise themselves as a customer service agent on social media in order to reach a disgruntled customer and obtain their personal information or account credentials.

What is the difference between smishing and vishing?

Phishing attack is targeted for a wide range of people through emails. A vishing attack is also targeted at a wide range of people through voice communication.

How common is Spearphishing?

As per the SANS institute, 95% of all attacks on business networks are because of successful spear phishing. Almost 1.5 million new phishing websites come into existence every single month.

What is a phishing URL?

URL Phishing - A Malicious Website

The link to the site is embedded within a phishing email, and the attacker uses social engineering to try to trick the user into clicking on the link and visiting the malicious site.

What happens if you click on a phishing link on your phone?

Review where a phishing link redirected your Android phone, noting the site address or any files downloaded. Do not interact with the suspect webpage. Delete any downloaded files. Scan the device for malware using a trusted app.

What is an example of pharming?

An example of pharming would be if a user would open their browser and enter the web address of their bank in order to complete a transaction in online banking. However, the user is redirected to a fraudulent site that looks like the bank's website.

What are 3 signs of a phishing email?

What are the key signs of a phishing email?
  • An unfamiliar greeting.
  • Grammar errors and misspelled words.
  • Email addresses and domain names that don't match.
  • Unusual content or request – these often involve a transfer of funds or requests for login credentials.

Article information

Author: Msgr. Refugio Daniel
