11 Types of Phishing + Real-Life Examples (2024)

Phishing is a type of cybercrime in which criminals pose as a trustworthy source online to lure victims into handing over personal information such as usernames, passwords, or credit card numbers.

A phishing attack can take various forms, and while it often takes place over email, there are many different methods scammers use to accomplish their schemes. This is especially true today as phishing continues to evolve in sophistication and prevalence. While the goal of any phishing scam is always stealing personal information, there are many different types of phishing you should be aware of.

1. Email Phishing

Arguably the most common type of phishing, this method often involves a “spray and pray” technique in which hackers impersonate a legitimate identity or organization and send mass emails to as many addresses as they can obtain.

These emails are often written with a sense of urgency, informing the recipient that a personal account has been compromised and they must respond immediately. Their objective is to elicit a certain action from the victim such as clicking a malicious link that leads to a fake login page. After entering their credentials, victims unfortunately deliver their personal information straight into the scammer’s hands.

11 Types of Phishing + Real-Life Examples (1)

Example of Email Phishing

The Daily Swig reported a phishing attack that occurred in December 2020 at US healthcare provider Elara Caring that came after an unauthorized computer intrusion targeting two employees. The attacker gained access to the employees’ email accounts, resulting in the exposure of the personal details of over 100,000 elderly patients, including names, birth dates, financial and bank information, Social Security numbers, driver’s license numbers and insurance information. The attacker maintained unauthorized access for an entire week before Elara Caring could fully contain the data breach.

2. Spear Phishing

Rather than using the “spray and pray” method as described above, spear phishing involves sending malicious emails to specific individuals within an organization. Rather than sending out mass emails to thousands of recipients, this method targets certain employees at specifically chosen companies. These types of emails are often more personalized in order to make the victim believe they have a relationship with the sender.

Example of Spear Phishing

Armorblox reported a spear phishing attack in September 2019 against an executive at a company named one of the top 50 innovative companies in the world. The email contained an attachment that appeared to be an internal financial report, which led the executive to a fake Microsoft Office 365 login page. The fake login page had the executive’s username already pre-entered on the page, further adding to the disguise of the fraudulent web page.

3. Whaling

Whaling closely resembles spear phishing, but instead of going after any employee within a company, scammers specifically target senior executives (or “the big fish,” hence the term whaling). This includes the CEO, CFO or any high-level executive with access to more sensitive data than lower-level employees. Often, these emails use a high-pressure situation to hook their victims, such as relaying a statement of the company being sued. This entices recipients to click the malicious link or attachment to learn more information.

11 Types of Phishing + Real-Life Examples (2)

Example of Whaling

In November 2020, Tessian reported a whaling attack that took place against the co-founder of Australian hedge fund Levitas Capital. The co-founder received an email containing a fake Zoom link that planted malware on the hedge fund’s corporate network and almost caused a loss of $8.7 million in fraudulent invoices. The attacker ultimately got away with just $800,000, but the ensuing reputational damage resulted in the loss of the hedge fund’s largest client, forcing them to close permanently.

4. Smishing

SMS phishing, or smishing, leverages text messages rather than email to carry out a phishing attack. They operate much in the same way as email-based phishing attacks: Attackers send texts from what seem to be legitimate sources (like trusted businesses) that contain malicious links. Links might be disguised as a coupon code (20% off your next order!) or an offer for a chance to win something like concert tickets.

Example of Smishing

In September 2020, Tripwire reported a smishing campaign that used the United States Post Office (USPS) as the disguise. The attackers sent SMS messages informing recipients of the need to click a link to view important information about an upcoming USPS delivery. The malicious link actually took victims to various web pages designed to steal visitors’ Google account credentials.

5. Vishing

Vishing—otherwise known as voice phishing—is similar to smishing in that a phone is used as the vehicle for an attack, but instead of exploiting victims via text message, it’s done with a phone call. A vishing call often relays an automated voice message from what is meant to seem like a legitimate institution, such as a bank or a government entity.

Attackers might claim you owe a large amount of money, your auto insurance is expired or your credit card has suspicious activity that needs to be remedied immediately. At this point, a victim is usually told they must provide personal information such as credit card credentials or their social security number in order to verify their identity before taking action on whatever claim is being made.

Examples of Vishing

In September of 2020, health organization Spectrum Health System reported a vishing attack that involved patients receiving phone calls from individuals masquerading as employees. The attackers were aiming to extract personal data from patients and Spectrum Health members, including member ID numbers and other personal health data associated with their accounts. Spectrum Health reported the attackers used measures like flattery or even threats to pressure victims into handing over their data, money or access to their personal devices.

6. Business Email Compromise (CEO Fraud)

CEO fraud is a form of phishing in which the attacker obtains access to the business email account of a high-ranking executive (like the CEO). With the compromised account at their disposal, they send emails to employees within the organization impersonating as the CEO with the goal of initiating a fraudulent wire transfer or obtaining money through fake invoices.

11 Types of Phishing + Real-Life Examples (3)

Example of CEO Fraud

Inky reported a CEO fraud attack against Austrian aerospace company FACC in 2019. This attack involved a phishing email sent to a low-level accountant that appeared to be from FACC’s CEO. The email relayed information about required funding for a new project, and the accountant unknowingly transferred $61 million into fraudulent foreign accounts.

7. Clone Phishing

If you’ve ever received a legitimate email from a company only to receive what appears to be the same message shortly after, you’ve witnessed clone phishing in action. This method of phishing works by creating a malicious replica of a recent message you’ve received and re-sending it from a seemingly credible source. Any links or attachments from the original email are replaced with malicious ones. Attackers typically use the excuse of re-sending the message due to issues with the links or attachments in the previous email.

Examples of Clone Phishing

A security researcher demonstrated the possibility of following an email link to a fake website that seems to show the correct URL in the browser window, but tricks users by using characters that closely resemble the legitimate domain name. Always visit websites from your own bookmarks or by typing out the URL yourself, and never clicking a link from an unexpected email (even if it seems legitimate).

8. Evil Twin Phishing

Evil twin phishing involves setting up what appears to be a legitimate WiFi network that actually lures victims to a phishing site when they connect to it. Once they land on the site, they’re typically prompted to enter their personal data, such as login credentials, which then goes straight to the hacker. Once the hacker has these details, they can log into the network, take control of it, monitor unencrypted traffic and find ways to steal sensitive information and data.

Example of Evil Twin Phishing

In September 2020, Nextgov reported a data breach against the U.S. Department of the Interior’s internal systems. Hackers used evil twin phishing to steal unique credentials and gain access to the department’s WiFi networks. Further investigation revealed that the department wasn’t operating within a secure wireless network infrastructure, and the department’s network policy failed to ensure bureaus enforced strong user authentication measures, periodically test network security or require network monitoring to detect and manage common attacks.

9. Social Media Phishing

Social media phishing is when attackers use social networking sites like Facebook, Twitter and Instagram to obtain victims’ sensitive data or lure them into clicking on malicious links. Hackers may create fake accounts impersonating someone the victim knows to lead them into their trap, or they may even impersonate a well-known brand’s customer service account to prey on victims who reach out to the brand for support.

11 Types of Phishing + Real-Life Examples (4)

Example of Social Media Phishing

In August 2019, Fstoppers reported a phishing campaign launched on Instagram where scammers sent private messages to Instagram users warning them that they made an image copyright infringement and requiring them to fill out a form to avoid suspension of their account.

One victim received a private message from what appeared to an official North Face account alleging a copyright violation, and prompted him to follow a link to “InstagramHelpNotice.com,” a seemingly legitimate website where users are asked to input their login credentials. Victims who fell for the trap ultimately provided hackers with access to their account information and other personal data linked to their Instagram account.

10. Search Engine Phishing

Search engine phishing involves hackers creating their own website and getting it indexed on legitimate search engines. These websites often feature cheap products and incredible deals to lure unsuspecting online shoppers who see the website on a Google search result page. If they click on it, they’re usually prompted to register an account or enter their bank account information to complete a purchase. Of course, scammers then turn around and steal this personal data to be used for financial gain or identity theft.

Example of Search Engine Phishing

In 2020, Google reported that 25 billion spam pages were detected every day, from spam websites to phishing web pages. Additionally, Wandera reported in 2020 that a new phishing site is launched every 20 seconds. That means three new phishing sites appear on search engines every minute!

11. Pharming

Pharming—a combination of the words “phishing” and “farming”—involves hackers exploiting the mechanics of internet browsing to redirect users to malicious websites, often by targeting DNS (Domain Name System) servers. DNS servers exist to direct website requests to the correct IP address. Hackers who engage in pharming often target DNS servers to redirect victims to fraudulent websites with fake IP addresses. Victims’ personal data becomes vulnerable to theft by the hacker when they land on the website with a corrupted DNS server.

11 Types of Phishing + Real-Life Examples (5)

Example of Pharming

Secure List reported a pharming attack targeting a volunteer humanitarian campaign created in Venezuela in 2019. The campaign included a website where volunteers could sign up to participate in the campaign, and the site requested they provide data such as their name, personal ID, cell phone number, their home location and more.

A few days after the website was launched, a nearly identical website with a similar domain appeared. The hacker created this fake domain using the same IP address as the original website. Whenever a volunteer opened the genuine website, any personal data they entered was filtered to the fake website, resulting in the data theft of thousands of volunteers.

Tips to Spot and Prevent Phishing Attacks

One of the best ways you can protect yourself from falling victim to a phishing attack is by studying examples of phishing in action. This guide by the Federal Trade Commission (FTC) is useful for understanding what to look for when trying to spot a phishing attack, as well as steps you can take to report an attack to the FTC and mitigate future data breaches. In general, keep these warning signs in mind to uncover a potential phishing attack:

  • An email asks you to confirm personal information: If you get an email that seems authentic but seems out of the blue, it’s a strong sign that it’s an untrustworthy source.
  • Poor grammar: Misspelled words, poor grammar or a strange turn of phrase is an immediate red flag of a phishing attempt.
  • Messages about a high-pressure situation: If a message seems like it was designed to make you panic and take action immediately, tread carefully—this is a common maneuver among cybercriminals.
  • Suspicious links or attachments: If you received an unexpected message asking you to open an unknown attachment, never do so unless you’re fully certain the sender is a legitimate contact.
  • Too good to be true offers: If you’re being contacted about what appears to be a once-in-a-lifetime deal, it’s probably fake.

The next best line of defense against all types of phishing attacks and cyberattacks in general is to make sure you’re equipped with a reliable antivirus. At the very least, take advantage of free antivirus software to better protect yourself from online criminals and keep your personal data secure.

11 Types of Phishing + Real-Life Examples (2024)


What is a real life example of phishing? ›

Another classic example is a phishing email from Netflix that says “Your account has been suspended”. It asks you to click a link and give your details to reactivate your account. The attackers then harvest those details and either use them to commit fraud, or sell them on the dark web.

What is phishing give examples and explain them? ›

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.

What is spear phishing examples? ›

During an individual spear phishing attack a cyber criminal will pretend to be a business the individual trusts, such as a bank or well-known brand like Amazon, to send them a “transaction confirmation” or “shipping notice.”

What is an example of Pharming? ›

Credential Pharming

For example, obtaining account credentials on an email account provides an attacker far more information than just stealing sensitive information from a targeted user. In a phishing attack, users are tricked into sending their credentials to a threat actor via email.

How many types of phishing attacks are there? ›

19 Types of Phishing Attacks with Examples | Fortinet.

What is phishing on Instagram? ›

What is phishing? Phishing is when someone tries to get access to your Instagram account by sending you a suspicious message or link that asks for your personal information.

Which of these is an example of a phishing email? ›

Attackers use the information to steal money or to launch other attacks. A fake email from a bank asking you to click a link and verify your account details is an example of deceptive phishing.

What is bank phishing? ›

Phishing is a criminal activity where a malicious person(s) attempt to fraudulently acquire sensitive information, such as online banking passwords and credit card details, by masquerading as a trustworthy organization or website. Phishing is usually done in the form of an email.

What is an example of whale phishing? ›

For example, an attacker may send an email to a CEO requesting payment, pretending to be a client of the company. Whaling attacks always personally address targeted individuals, often using their title, position and phone number, which are obtained using company websites, social media or the press.

What is an example of vishing? ›

Vishing attacks examples include:

The fraudster calls the victim saying they are from their bank or another institution and informs them that there is a problem with their account or credit card. The false alert may also arrive by SMS initially, asking the person to call a number to resolve the issue.

What is angler phishing? ›

Angler phishing is a new type of phishing attack that targets social media users. People disguise themselves as a customer service agent on social media in order to reach a disgruntled customer and obtain their personal information or account credentials.

What are the examples of malware? ›

Types of malware include computer viruses, worms, Trojan horses, ransomware and spyware. These malicious programs steal, encrypt and delete sensitive data; alter or hijack core computing functions and monitor end users' computer activity.

How can you tell a phishing email? ›

7 Ways to Spot Phishing Email
  1. Emails with Bad Grammar and Spelling Mistakes.
  2. Emails with an Unfamiliar Greeting or Salutation.
  3. Inconsistencies in Email Addresses, Links & Domain Names.
  4. Suspicious Attachments.
  5. Emails Requesting Login Credentials, Payment Information or Sensitive Data.
  6. Too Good to Be True Emails.

What are the examples of computer virus? ›

Some examples of widespread computer viruses include:
  • Morris Worm.
  • Nimda.
  • SQL Slammer.
  • Stuxnet.
  • CryptoLocker.
  • Conficker.
  • Tinba.

What companies have been phished? ›

The Five Most Costly Phishing Attacks to Date
  • 1. Facebook and Google. Between 2013 and 2015, Facebook and Google were tricked out of $100 million due to an extended phishing campaign. ...
  • Crelan Bank. ...
  • FACC. ...
  • Upsher-Smith Laboratories. ...
  • Ubiquiti Networks.

Why are phishing attacks successful? ›

Large User base. One of the biggest reasons for the success of Phishing attacks is the widespread use of emails. At present, there are around 2.6 billion email users and this number is expected to cross 4.2 billion by the year 2022.

What is phishing called over the phone? ›

In a vishing attack, threat actors or “vishers” use fraudulent phone numbers, voice altering software, and other social engineering tactics to entice people to divulge personal and sensitive information over the phone.

Which type of phishing perform on the smartphone by calling? ›

What is vishing? Vishing has the same purpose as other types of phishing attacks. The attackers are still after your sensitive personal or corporate information. This attack is accomplished through a voice call.

Why do people fall for phishing? ›

Phishing emails are carefully designed by scammers and criminals to manipulate our emotions and tap into our unconscious biases, so humans are practically hardwired to fall for them, says cybersecurity expert and computer scientist Daniela Oliveira, an associate professor at the University of Florida in Gainesville.

What is clone phishing? ›

Clone phishing or cloning is a type of social engineering attack in which cybercriminals pretext their targets into thinking a malicious email looks just like a legitimate one. Clone phishing attacks are typically much harder for unsuspecting individuals to identify because they look similar to legitimate emails.

What is executive phishing? ›

Executive Phishing is a scam where cybercriminals spoof company email accounts and impersonate executives to try and fool employees into executing unauthorized wire transfers or sending them confidential tax information.

Which of the following is are common phishing attempt? ›

Deceptive phishing is one of the most common types of phishing attacks. A criminal impersonates a recognized sender in this scam to get information like personal data or login credentials.

How common are phishing attacks? ›

The frequency of phishing attacks

Phishing is a huge threat and growing more widespread every year. In 2021 Tessian research found that employees receive an average of 14 malicious emails per year. Some industries were hit particularly hard, with retail workers receiving an average of 49.

What is spear phishing vs phishing? ›

Spear phishing is a targeted attack on a specific person or organization, whereas general phishing campaigns are sent to a large volume of people.

What can a scammer do with my picture? ›

Identity thieves could potentially gather information on you from images that you share online. A photo posted on your birthday, for example, would provide them with your date of birth, whereas a photo of a new house could potentially give them details of where you live.

What can a stranger do with your number? ›

The Top 8 Ways Hackers Use Your Phone Number Against You
  • Rerouting your messages.
  • Stealing your personal information.
  • SIM swaps.
  • Text scams and spyware.
  • Doxxing that leads to harassment and fraud.
  • Blackmail using your sensitive data.
  • Spoofing caller ID numbers.
  • Preying on your family.

What to do if someone wants to send you money? ›

If you do receive a message from someone saying they want to send you money, the first step is to report the message or phone call to the authorities. You can also visit the Federal Trade Commission to see if someone else has received a similar message.

What is Facebook phishing? ›

Unlike phishing scams that impersonate brands like Microsoft and PayPal, Facebook phishing is viewed more as a threat to consumers rather than businesses. A Facebook phishing email, for example, will likely not land in a corporate inbox but will be sent to an employee's personal email address.

What is phishing Class 11? ›

It is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining illegitimate access.

Is this email from PayPal real? ›

How do I know if the PayPal email is genuine? PayPal themselves say that if there's a problem with your account then they would let you know via the website/app in the message centre. A genuine email from PayPal would also address you by name and not start with 'Dear Customer'.

How do you protect phishing emails? ›

If you receive a phishing email
  1. Never click any links or attachments in suspicious emails. ...
  2. If the suspicious message appears to come from a person you know, contact that person via some other means such as text message or phone call to confirm it.
  3. Report the message (see below).
  4. Delete it.

How can someone steal money from your bank account? ›

8 ways online banking thieves will try to steal your money
  • 1.Phishing emails. Phishing emails look like legitimate emails from your online banking provider. ...
  • 2.Fake website attack. ...
  • 3.Keylogger trojans. ...
  • 4.Stolen passwords. ...
  • 5.Insecure wi-fi. ...
  • 6.Text message spoofing. ...
  • 7.DNS cache poisoning. ...
  • 8.Social engineering attacks.

Do banks ever call you? ›

Remember that a genuine bank will never call you out of the blue to ask for your PIN, full password or to move money to another account. If you feel something is suspicious or feel vulnerable, hang up and then call your bank or card issuer on their advertised number to report the fraud.

Is spear phishing more successful? ›

Spear-phishing attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.” Spear phishing attacks are far more successful than the untargeted efforts of generic phishing emails.

How does spear phishing work? ›

Spear phishing is a type of scam in which cybercriminals send highly customized emails to specific individuals within an organization. Spear phishers portray themselves as known or trusted people or entities, fooling victims into providing sensitive information, sending money, or downloading dangerous malware.

What is an example of whaling? ›

Some examples of whaling attacks

The employee disclosed all of the payroll information to the attacker. An employee of Scoular Company, a commodities firm located in Omaha, transferred $17.2 Million to a Chinese bank account. The perpetrators sent emails that made appeared to be from the company's CEO.

Who is targeted with spear phishing? ›

Spear phishing is typically used in targeted attack campaigns to gain access to an individual's account or impersonate a specific individual , such as a ranking official or those involved in confidential operations within the company.

Can scammer use your voice? ›

There's no way for a scammer to use a recording of your voice to do any serious damage, according to researchers at snopes.com. It's more likely that the scammer will try to intimidate you into paying by claiming that the voice recording is authorization of charges.

What is vishing and smishing? ›

Vishing: fraudulent phone calls that induce you to reveal personal information. Smishing: fraudulent text messages meant to trick you into revealing data.

What does ransomware stand for? ›

Ransomware is a type of malicious software (malware) that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker. In many cases, the ransom demand comes with a deadline.

What is Cyber angling? ›

Angler phishing is a new scam technique where cyber actors masquerade as customer support staff using social media platforms and accounts. The mission is to trick dissatisfied customers into revealing personal details.

Where does the term angler phishing come from? ›

The name Angler Phishing comes from a Finding Nemo movie character. In the film, a deep-water fish called Anglerfish uses a bright lure to attract its prey and devour them. Basically, Angler Phishing does the same to its victims.

What is a phishing website? ›

A phishing website is a domain similar in name and appearance to an official website. They're made in order to fool someone into believing it is legitimate. Today, phishing schemes have gotten more varied, and are potentially more dangerous than before.

What is ice phishing? ›

Ice phishing is a type of phishing that fools the user into signing a transaction that entrusts the consent of the user's tokens to the attacker.

What are different types of phishing attacks? ›

14 Types of Phishing Attacks and How to Identify Them
  • Email phishing. Also called “deception phishing,” email phishing is one of the most well-known attack types. ...
  • HTTPS phishing. ...
  • Spear phishing. ...
  • Whaling/CEO fraud. ...
  • Vishing. ...
  • Smishing. ...
  • Angler phishing. ...
  • Pharming.
5 May 2021

What is phishing called over the phone? ›

In a vishing attack, threat actors or “vishers” use fraudulent phone numbers, voice altering software, and other social engineering tactics to entice people to divulge personal and sensitive information over the phone.

What is whale phishing? ›

Whaling is a highly targeted phishing attack - aimed at senior executives - masquerading as a legitimate email. Whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds.

What are fake emails called? ›

Phishing refers to different types of online scams that 'phish' for your personal and financial information (e.g., your passwords, Social Security Number, bank account information, credit card numbers, or other personal information).

Why do people fall for phishing? ›

Phishing emails are carefully designed by scammers and criminals to manipulate our emotions and tap into our unconscious biases, so humans are practically hardwired to fall for them, says cybersecurity expert and computer scientist Daniela Oliveira, an associate professor at the University of Florida in Gainesville.

How do hackers use phishing? ›

Phishing definition

These attacks use social engineering techniques to trick the email recipient into believing that the message is something they want or need—a request from their bank, for instance, or a note from someone in their company—and to click a link or download an attachment.

Which tool is used to detect phishing attacks? ›

We can use the dnstwist tool to detect such domains. Dnstwist helps us prepare for techniques such as typosquatting, often used in phishing attacks.

How do phishing emails get passwords? ›

Sometimes phishing emails contain malicious software, or malware, either in attachments or in embedded links. By downloading the malware to their computer, people increase the likelihood of having a keylogger installed that can then capture their passwords and send it to a hacker.

What is phishing on Instagram? ›

What is phishing? Phishing is when someone tries to get access to your Instagram account by sending you a suspicious message or link that asks for your personal information.

How common is phishing? ›

Phishing is a huge threat and growing more widespread every year. In 2021 Tessian research found that employees receive an average of 14 malicious emails per year. Some industries were hit particularly hard, with retail workers receiving an average of 49.

When did phishing first appear? ›

The first time someone used the term 'phishing' can be traced back to January 2nd, 1996. During the 1990s, hackers would pretend to be AOL administrators and phish for login credentials so they can access the internet for free.

Top Articles
Latest Posts
Article information

Author: Jonah Leffler

Last Updated:

Views: 6534

Rating: 4.4 / 5 (45 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Jonah Leffler

Birthday: 1997-10-27

Address: 8987 Kieth Ports, Luettgenland, CT 54657-9808

Phone: +2611128251586

Job: Mining Supervisor

Hobby: Worldbuilding, Electronics, Amateur radio, Skiing, Cycling, Jogging, Taxidermy

Introduction: My name is Jonah Leffler, I am a determined, faithful, outstanding, inexpensive, cheerful, determined, smiling person who loves writing and wants to share my knowledge and understanding with you.