

What Is Phishing - Types, Examples and How to Stay Safe (2026)

Phishing is the #1 cause of data breaches. Learn what it is, how attacks work, the warning signs, and exactly what to do if you've been targeted.

May 4, 2026
Phishing is the most common cyberattack in the world, and it is getting harder to spot. In 2025 alone, the Anti-Phishing Working Group (APWG) recorded 3.8 million phishing attacks, and criminals are now sending roughly 3.4 billion malicious emails every single day.

This guide explains exactly what phishing is, how the most common attacks work, the warning signs you need to know, and what to do if you have already clicked something you should not have. Whether you are an everyday internet user or responsible for protecting an organisation, understanding phishing is your first and most important line of defence.

What is phishing?

Phishing is a type of cyberattack in which criminals impersonate a trusted entity, such as a bank, employer, or well-known service, to trick victims into revealing sensitive information like passwords, credit card numbers, or login credentials.

The name is a deliberate play on "fishing": attackers cast wide nets, baiting victims with convincing lures in the hope that someone takes the hook. The bait is typically a fraudulent email, text message, phone call, or fake website designed to look completely legitimate.

Phishing attacks can target individuals, businesses, and government institutions. The consequences range from stolen personal data to multi-million dollar corporate breaches.

How phishing works

Most phishing attacks follow a recognisable playbook, even if the specific delivery method varies:

1. The attacker chooses a target, either a broad population (spray-and-pray) or a specific individual or organisation (spear phishing).
2. They craft a convincing lure: an email, text, or call that mimics a legitimate source, often with forged branding, sender addresses, and urgent language.
3. The victim is directed to take action: clicking a link, downloading an attachment, calling a phone number, or handing over credentials directly.
4. The attacker captures what they need: login details, payment information, or a foothold inside a corporate network.
5. The data is exploited or sold: used directly for fraud, sold on dark web marketplaces, or leveraged to penetrate deeper into a network.

The entire process can take minutes. The damage can last years.

Types of phishing attacks

Phishing is not a single tactic. It is an umbrella term for a broad family of social engineering attacks. Here are the most important variants to understand.

Email phishing

The most common form. Attackers send mass emails impersonating reputable organisations, including banks, delivery services, government agencies, and tech platforms, and direct recipients to fake websites or malicious attachments. According to KnowBe4's 2025 Phishing Threat Trends Report, phishing email volume increased by 17.3% year-over-year, with a 47% rise in attacks successfully bypassing native email defences and secure email gateways.

Spear phishing

Unlike mass email campaigns, spear phishing is directed at a specific individual or company. Attackers research their target in advance, studying LinkedIn profiles, company websites, and social media, to craft highly personalised messages that are far harder to detect. Because they reference real names, roles, and relationships, spear phishing emails carry a much higher success rate than generic attacks.

Whaling

Whaling is spear phishing aimed specifically at senior executives, board members, or other high-privilege users within an organisation. The stakes are higher because these individuals typically have access to sensitive financial data, confidential systems, and the authority to authorise large transactions.

Smishing (SMS phishing)

Smishing delivers phishing attacks via text message. A common example is a fake parcel delivery notification with a link to "reschedule your delivery," a link that leads to a credential-harvesting page. USPS is among the most commonly impersonated organisations in smishing campaigns, with the Postal Inspection Service confirming that any unsolicited USPS text, or any USPS text containing a link, is fraudulent.

Vishing (voice phishing)

Vishing is phishing by phone call. A fraudster calls the victim impersonating a bank, tech support team, or government agency and uses social engineering to extract sensitive information verbally. Geek Squad is one of the most impersonated brands in tech support vishing, with the FTC recording 52,000 reports in 2023 alone. According to the APWG, vishing incidents increased by 260% between 2022 and 2023, making it one of the fastest-growing attack vectors.

Quishing (QR code phishing)

Quishing embeds malicious URLs inside QR codes, in emails, text messages, or even physical posters in public spaces. Because QR codes are opaque to the human eye, they are an effective method to obscure malicious links. Victims who scan the code are taken to a phishing page or prompted to download malware.

Clone phishing

In a clone phishing attack, the attacker takes a legitimate email previously delivered to the victim, for example a shipping confirmation or invoice, and creates an almost-identical copy with the links or attachments replaced by malicious versions. Because the email mirrors one the victim has already received and trusted, the deception is highly effective.

Business email compromise (BEC)

Business email compromise involves attackers impersonating or compromising the email accounts of executives or trusted vendors to authorise fraudulent financial transfers. According to the FBI's 2024 Internet Crime Report, BEC caused $2.77 billion in losses in the United States alone in 2024, making it one of the most financially damaging forms of cybercrime on record.

Phishing-as-a-Service: how attacks became an industry

One of the most alarming developments in modern cybercrime is the rise of Phishing-as-a-Service (PhaaS): ready-made platforms that allow even technically unsophisticated criminals to launch sophisticated phishing campaigns for a subscription fee.

PhaaS has effectively lowered the barrier to entry for cybercrime to near zero. It has professionalised the industry, standardised toolkits, and driven the average cost of a phishing-initiated data breach to $4.8 million, according to industry research.

A prominent example is Tycoon 2FA, active since at least August 2023. At its peak, Tycoon 2FA generated tens of millions of phishing emails per month and facilitated unauthorised access to nearly 100,000 organisations globally, including schools, hospitals, and public institutions. By mid-2025, it accounted for roughly 62% of all phishing attempts blocked by Microsoft. The platform was eventually dismantled in a coordinated public-private operation led by Europol.

Phishing as a gateway to larger attacks

Phishing is not just a consumer problem. For sophisticated state-sponsored and criminal groups, it is often the entry point for far more destructive operations.

An advanced persistent threat (APT) is a prolonged, targeted cyberattack typically conducted by well-resourced criminal groups seeking to infiltrate a high-value target: a government agency, critical infrastructure provider, or large corporation. Many APT campaigns begin with a single phishing email that compromises one employee's account. From there, attackers use a process called lateral movement to navigate deeper into the network, escalating privileges until they reach their true target: intellectual property, financial data, or the ability to deploy ransomware across the entire organisation.

The implication is significant: a single employee clicking a single malicious link can be the starting point for a breach that costs millions and makes national news.

Common phishing scenarios

Understanding how phishing plays out in practice is essential for recognition. Here are three of the most frequently encountered attack patterns.

The website forgery

The attacker builds a website that is visually identical to a legitimate site: a bank login page, a PayPal portal, a Microsoft sign-in screen. Victims are directed to the fake site via email, text message, or even through search engine ads. Everything they enter, including usernames, passwords, and credit card numbers, is harvested by the attacker. In a sophisticated version of this attack, the victim is then silently redirected to the real website so that nothing appears out of place.

The account deactivation scam

The attacker sends an urgent email claiming the victim's account, typically a bank, email service, or social platform, will be deactivated unless they act immediately. The emotional trigger, fear of losing access, drives victims to click quickly and without scrutiny. The link leads to a fake login page that captures their credentials.

The advance-fee scam

Perhaps the most famous phishing variant, popularised by the "Nigerian prince" email. The victim is offered a large sum of money in exchange for a small upfront fee. The promised windfall never materialises. This scam has deeper roots than most people realise: it descends from the "Spanish Prisoner" con of the late 1800s, in which fraudsters solicited funds to bribe prison guards and free a fictitious wealthy captive. The mechanics are identical. Only the medium has changed.

Most commonly impersonated brands

Attackers gravitate toward brands with large user bases and strong name recognition, because more people are likely to hold accounts there and respond reflexively to communications appearing to come from them.

Among the most frequently impersonated:

- PayPal, ranked as the third-most impersonated company by scammers according to the FTC's 2024 data, with attacks on PayPal users surging by 600% in 2025. Common variants include fake invoice emails, account deactivation warnings, and subscription renewal scams.
- McAfee and Norton, used in fake subscription renewal scams designed to extract payment card details or install remote access malware. Tech support scams using McAfee branding more than doubled in the first half of 2025.
- Geek Squad, the most impersonated company in the US in 2023 according to FTC data, commonly used in fake renewal emails that bait victims into calling a fraudulent support line.
- USPS, one of the most impersonated brands in smishing campaigns, leveraging the high volume of genuine parcel tracking notifications consumers expect.
- Venmo, used in social engineering attacks targeting peer-to-peer payment fraud, including fake customer support, reversal traps, and account impersonation.

ScamInfo's ScamCheck Validator analyses suspicious links and websites for fraud indicators across all these brand impersonation variants. If you receive a suspicious email or text, you can paste any link into the tool without visiting the site yourself.

Warning signs of a phishing attack

Phishing attacks are designed to bypass critical thinking by creating urgency. Knowing the red flags is essential.

Be suspicious if a message:

- Creates a sense of urgency, invoking fear ("your account will be closed"), greed ("you've won a prize"), or curiosity ("someone has accessed your account").
- Requests money or login credentials: legitimate organisations will never ask for passwords via email or text.
- Contains generic greetings: "Dear User" or "Dear Customer" instead of your name suggests the sender does not actually know who you are.
- Has suspicious or mismatched links: hover over any link before clicking and watch for subtle misspellings like paypa1.com or amaz0n.com. Note that sophisticated attackers can spoof sender addresses to appear identical to legitimate ones.
- Contains unexpected attachments: even PDF files can contain malware. If you are not expecting an attachment, do not open it.
- Has poor spelling and grammar: historically a reliable signal, though the widespread availability of AI writing tools is making this indicator less reliable over time.

One important nuance: sender address spoofing is common, but it has a limitation. When attackers need you to reply to a specific address (to continue a fraud conversation, for example), they cannot use a spoofed address, because replies would go to the real company. When they do not need a reply and are simply directing you to click a link, spoofing is easy and common.

The scale of the phishing problem

The statistics paint a clear picture of the threat landscape:

- Phishing is the most common initial attack vector for data breaches, initiating up to 22% of confirmed global breaches.
- The average cost of a phishing-initiated breach is $4.88 million, according to IBM's Cost of a Data Breach report.
- The FBI received 193,407 phishing and spoofing complaints in 2024 alone, the most frequent complaint category that year.
- The hospitality (52.9%) and education (50.2%) sectors have the highest phishing click rates by industry, reflecting lower security awareness investment in those verticals.
- Nearly 1 in 5 adults in the United States has experienced at least one scam in the past five years.

How to protect yourself

For individuals

- Pause before you click. Urgency is a manipulation tactic. Take five seconds to scrutinise any unexpected communication before acting on it.
- Verify directly. If an email or text claims to be from your bank or a service you use, navigate to the official website independently rather than clicking any links in the message.
- Use multi-factor authentication (MFA). Even if an attacker obtains your password, MFA prevents them from accessing your account without a second verification step.
- Check websites before interacting. ScamInfo's ScamCheck Validator analyses multiple data points to assess whether a site is safe to interact with.
- Keep software updated. Many phishing attacks exploit vulnerabilities in outdated operating systems and browsers.

For organisations

- Security awareness training. Regular, simulated phishing training is one of the most effective ways to reduce employee susceptibility. Hospitality and education organisations, given their higher click rates, should treat this as a priority investment.
- Email filtering. Deploy email security solutions, and be aware that attackers specifically engineer campaigns to evade them.
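Several of the warning signs above (a visible link that names one host while the href points to another, digit-for-letter lookalike domains such as paypa1.com, generic greetings, urgency wording) and the Reply-To nuance can be turned into a first-pass triage check of the kind an email filtering layer runs before a human ever sees the message. The script below is an added example written for this page, not code from ScamInfo, ScamCheck Validator, or any vendor it mentions. The sample message is constructed, the brand list is an assumption standing in for an organisation's own allowlist, and the domain handling is deliberately simplified (no public suffix list), as the comments note.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real phishing message; paypal.com is the genuine brand domain,
# every other domain in it is made up for this example.
SAMPLE_EML = """\
From: "PayPal Service" <service@paypal.com>
Reply-To: "Support" <support-desk@paypa1-secure.example>
Subject: Urgent: your account will be closed in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, verify now or your account will be closed.</p>
<p><a href="http://paypa1.com/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Assumption: a real deployment loads its own and its vendors' domains as an allowlist.
KNOWN_BRANDS = ("paypal", "amazon", "microsoft")
URGENCY_PATTERNS = (r"\burgent\b", r"will be closed", r"\bimmediately\b", r"verify now")
GENERIC_GREETING = re.compile(r"\bdear (user|customer|client)\b", re.I)
LOOKALIKE_MAP = str.maketrans("0135", "olse")  # paypa1 -> paypal, amaz0n -> amazon


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; '' when the text is not a URL with a scheme."""
    return (urlparse(url.strip()).hostname or "").lower()


def lookalike_brand(host):
    """Brand a hostname imitates, or None for the brand's own or an unrelated domain.
    The registrable domain is approximated as the last two labels (no public suffix
    list), so a genuine brand.co.uk would be flagged; use a PSL-aware parser in production."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return None
    for brand in KNOWN_BRANDS:
        if labels[-2] == brand:
            return None                  # the brand's own domain
        if any(brand in label.translate(LOOKALIKE_MAP) for label in labels[:-1]):
            return brand                 # brand name inside a domain it does not own
    return None


def analyse_message(raw):
    """Return (indicator, detail) pairs found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    # The article's nuance: an attacker who needs replies cannot spoof the reply address.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"{from_domain} vs {reply_domain}"))
    for label, domain in (("from", from_domain), ("reply_to", reply_domain)):
        brand = lookalike_brand(domain) if domain else None
        if brand:
            findings.append((f"{label}_lookalike", f"{domain} imitates {brand}"))

    body = ""
    for part in msg.walk():              # handles single-part and multipart mail
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    findings += [("urgency", p) for p in URGENCY_PATTERNS if re.search(p, text, re.I)]
    greeting = GENERIC_GREETING.search(text)
    if greeting:
        findings.append(("generic_greeting", greeting.group(0)))

    # The "hover before you click" check: visible text names one host, href goes elsewhere.
    parser = _LinkExtractor()
    parser.feed(body)
    for href, shown in parser.links:
        target, shown_host = host_of(href), host_of(shown)
        if shown_host and shown_host != target:
            findings.append(("link_text_mismatch", f"shows {shown_host}, goes to {target}"))
        brand = lookalike_brand(target)
        if brand:
            findings.append(("link_lookalike", f"{target} imitates {brand}"))
    return findings
```

Run against the constructed sample, `analyse_message(SAMPLE_EML)` reports the Reply-To domain mismatch, the lookalike reply domain, three urgency phrases, the generic greeting, the visible-text/href mismatch, and the lookalike link target; a plain internal message with no links and no Reply-To yields an empty list. These are heuristics for triage, not a verdict: a gateway would weight them alongside SPF, DKIM and DMARC results and quarantine above a threshold tuned on its own mail, and the lookalike check needs a public-suffix-aware domain parser before it is trusted on real traffic.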
Layered defences matter.

- Zero-trust architecture. Limit the damage a compromised account can do by restricting access to only what each user genuinely needs.
- Incident response planning. Have a clear protocol for what employees should do when they suspect or confirm a phishing attempt.

What to do if you have been phished

Acting quickly after a phishing incident significantly limits the damage.

If you clicked a malicious link

Even clicking a link without entering any information can compromise your device. Take the following steps immediately:

- Run a full antivirus scan on your device.
- Change your passwords for all important accounts, starting with email, banking, and any account linked to a payment method.
- Enable MFA on every account that supports it.
- Check for unauthorised activity in your email, bank, and any services you use.
- If this happened on a work device or account, report it to your IT or security team immediately.

If you entered personal or financial information

Contact your bank or card issuer immediately if you entered any financial details. Ask them to freeze the account or card and dispute any unauthorised transactions. Place a free fraud alert with one of the three credit bureaus (Experian, Equifax, TransUnion) if personal identifying information was exposed. They are legally required to notify the other two.

For platform-specific recovery steps, see the dedicated guides for PayPal, Venmo, McAfee, Geek Squad, and USPS.

How and where to report phishing

Only 7% of scams are reported globally, largely due to shame and victim blaming. This matters enormously, because investigations built on victim reports can be transformative. In one documented example, a single complaint submitted through a law enforcement tip line led to the identification of commingled cryptocurrency wallets and ultimately to the seizure of more than $61 million in USDT tied to large-scale fraud schemes.

To report a phishing attack in the US:

- FTC: ReportFraud.ftc.gov
- Phishing emails: forward to reportphishing@apwg.org
- Phishing texts: forward to 7726
- Financial loss or significant breach: FBI IC3 at ic3.gov
- ScamInfo: report through ScamInfo's reporting dashboard; your report directly contributes to protecting others from the same attack

Frequently asked questions

What is the difference between phishing and spear phishing?

Phishing typically refers to large-scale, untargeted attacks sent to many recipients at once. Spear phishing is a targeted variant directed at a specific individual or organisation, typically incorporating personalised details gathered through prior research. Spear phishing has a significantly higher success rate.

Can I get hacked just by clicking a phishing link?

Yes. While the risk is lower than submitting credentials on a phishing page, simply clicking a malicious link can expose your device to drive-by malware downloads, especially if your browser or operating system is outdated. Run a virus scan and change key passwords if you have clicked a suspicious link.

What is smishing?

Smishing is phishing conducted via SMS text message. Common smishing attacks impersonate parcel delivery services, banks, and government agencies. USPS is one of the most frequently impersonated organisations in smishing, with scammers sending fake delivery failure texts containing links that harvest personal and financial information.

What is vishing?

Vishing, or voice phishing, is phishing carried out over the phone. A caller impersonates a trusted organisation, such as a bank, tech support provider, or government agency, and uses psychological pressure to extract information. Vishing incidents increased by 260% between 2022 and 2023.

What is Phishing-as-a-Service?

Phishing-as-a-Service (PhaaS) refers to commercial platforms that sell ready-to-deploy phishing kits to criminals, complete with fake website templates, email infrastructure, and support. It has industrialised cybercrime and driven down the technical skill required to launch a sophisticated phishing campaign.

How do I report a phishing attempt in the US?

Report to the FTC at ReportFraud.ftc.gov, forward phishing emails to reportphishing@apwg.org, and forward phishing texts to 7726. You should also report to ScamInfo, whose database helps identify and track phishing operations.

Is PayPal a common phishing target?

Yes. PayPal is one of the most impersonated brands in the world, ranked third by the FTC in its 2024 data. Attacks on PayPal users surged by 600% in 2025. Common variants include fake invoices, account suspension warnings, and fraudulent payment request emails.

Phishing remains the world's most prevalent cyberattack, and the most preventable. It initiates up to 22% of all global data breaches, costs organisations an average of nearly $5 million per incident, and affects nearly one in five American adults. The warning signs are learnable, the protective habits are straightforward, and if the worst happens, the steps to take are clear.

If you have encountered a suspicious website, email, or message, use ScamInfo's ScamCheck Validator to assess the risk, and report any suspected phishing to help protect others.