Phishing attacks are nothing new. But the tactics cybercriminals use? They're evolving faster than ever. Every day, an estimated 3.4 billion phishing emails are sent across the globe, many of them targeting UK businesses. The good news? Once you understand the different types of phishing attacks, you can spot the warning signs and stop them.

15 of the most popular types of phishing attacks include:
1. Email phishing
2. Spear phishing
3. Whaling
4. Vishing
5. Smishing
6. Quishing
7. “Note to self” phishing
8. SVG phishing
9. Pharming
10. Angler phishing
11. Evil twin phishing
12. Clone phishing
13. Watering hole phishing
14. Search engine phishing
15. Bulk phishing

1. Email phishing
Email is the most common type of phishing attack. Phishing emails often come from addresses that look official but are just slightly off. For example, support@micros0ft.com. While poor grammar was once a giveaway, modern phishing emails are well-written and seemingly credible.

2. Spear phishing
Spear phishing targets specific individuals based on their job title or recent company activity. Attackers research their victims through company websites, LinkedIn, and other social media platforms, using personal insights to make their messages appear legitimate.
Red flags to watch for:
- Unusual requests – if a request appears to come from within your company and asks for credentials or access beyond the sender's role, confirm with that person directly over a different communication channel
- Slight changes in email addresses or domain
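Both of the points above come down to checking whether a sender's domain is a slightly altered copy of one you trust (the support@micros0ft.com example earlier). The following is an added illustration, not code from the original article: it collapses visually confusable characters, measures edit distance, and flags a trusted brand buried in a longer attacker domain. The trusted-domain list and the sample addresses are constructed.

```python
"""Flag sender addresses whose domain imitates a trusted one.
Added example; TRUSTED_DOMAINS and the sample addresses are constructed."""
import re

# Domains the organisation genuinely corresponds with (constructed list).
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.co.uk"}

# Characters and digraphs commonly swapped for visually similar ones.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Map lookalike spellings (micros0ft.com) onto the genuine one (microsoft.com)."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats with a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for an address's domain."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    for trusted in TRUSTED_DOMAINS:
        # Exact match or a real subdomain such as mail.microsoft.com.
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted):   # e.g. micros0ft.com
            return "lookalike"
        if edit_distance(domain, trusted) <= 1:      # e.g. microsft.com
            return "lookalike"
        if trusted in domain:                        # e.g. microsoft.com.login-portal.example
            return "lookalike"
    return "unknown"
```

Run the classifier over inbound mail headers and route anything marked "lookalike" to quarantine or to a banner warning the recipient.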

3. Whaling
Also called whale phishing, this tactic zeroes in on executives and high-level decision-makers – the “big fish.” The stakes are higher here, so attackers go to greater lengths, even using AI-generated deepfake video or voice impersonation to deceive their targets.
In one case, a finance employee was tricked into transferring $25 million after fraudsters used deepfake technology to impersonate the company's CFO and colleagues in a video conference.
Common whaling tactics include:
- Impersonating executives or board members
- Creating fake acquisition or legal scenarios
- Timing attacks when executives are travelling or busy
- Using insider knowledge gleaned from social media or public statements
To defend against these high-stakes attacks, establish internal checks and approval processes for large transactions, and train executives to spot the hallmarks of phishing.

4. Vishing
Vishing is short for voice phishing and occurs when cybercriminals use phone calls or voice messages to get victims to reveal sensitive information. There was a 442% rise in vishing in 2024, making it clear that this type of phishing is one to look (or should we say listen?) out for.
The best defence?
- Never give sensitive information over the phone to unsolicited callers
- Hang up and call back on an official number
- Be suspicious of urgent requests or threats

5. Smishing
Smishing uses SMS messages to lure victims into clicking on a malicious link. A common smishing pretext is receiving a message from your bank alerting you to suspicious activity.
Other popular smishing campaigns claim that:
- A package is waiting for collection
- Your bank account has been compromised
- You've won a prize or a refund
- A payment has failed
Early in 2025, U.S. residents were targeted with fake text messages claiming to be from toll road operators like EZPass. The messages warned recipients about unpaid tolls, fines, or potential loss of their driver’s license, urging them to pay online. The scams were driven by an advanced phishing kit sold in China that allows scammers to spoof toll agencies across various states.

6. Quishing
Quishing or QR code phishing is when cybercriminals use QR codes to get victims to download malware or visit fraudulent websites. They often slip these codes into emails, posters, or public spaces.
Because QR codes are hard to inspect before scanning, many victims don’t realise they’re being phished until it’s too late. Only scan QR codes from trusted sources, and always check the URL after scanning before entering any information.

7. “Note to self” phishing
You receive an email from… yourself. But it’s not a friendly reminder. It’s a message from a cybercriminal telling you they’ve hacked your account and have compromising information. They then demand ransom, usually in the form of cryptocurrency.
That’s what happens in “Note to self” phishing. It’s deeply unsettling, but it’s important to remember that cybercriminals don’t actually have your credentials or any compromising material; they’re just bluffing.
What to do:
- Don't panic
- Don't pay
- Change your passwords
- Mark it as spam and delete it

8. SVG phishing
SVG phishing refers to using scalable vector graphics (SVG) files in phishing attacks. SVGs are image files, but because the format is XML, attackers can embed JavaScript or clickable links inside them.
Since many security systems don’t scan SVGs as thoroughly as PDFs or Office documents, these files often slip through. To protect your business, block or restrict SVG attachments unless necessary, and make sure endpoint security solutions can analyse embedded scripts.
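Because an SVG is plain XML, a mail gateway can parse it and refuse any file that carries active content. The scanner below is an added example, not code from the original article; it flags script elements, inline event handlers, javascript: URIs, foreignObject wrappers and clickable external links. The two SVG samples are constructed.

```python
"""Scan an SVG attachment for active content before delivery.
Added example; the SVG samples are constructed for illustration."""
import xml.etree.ElementTree as ET

# Elements that can run code or embed arbitrary HTML inside an "image".
ACTIVE_TAGS = {"script", "foreignObject"}
DANGEROUS_SCHEMES = ("javascript:", "data:text/html")
EXTERNAL_SCHEMES = ("http://", "https://")


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return reasons the file should be blocked; an empty list means nothing active was found."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc})"]      # malformed files are treated as suspicious
    for el in root.iter():                       # iter() includes the root element itself
        tag = el.tag.split("}")[-1]              # drop the namespace prefix
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = name.split("}")[-1].lower()   # also strips xlink: from xlink:href
            val = value.strip().lower()
            if attr.startswith("on"):            # onload=, onclick=, ... run without <script>
                findings.append(f"event handler {attr}= on <{tag}>")
            elif attr == "href" and val.startswith(DANGEROUS_SCHEMES):
                findings.append(f"{val.split(':')[0]}: URI on <{tag}>")
            elif attr == "href" and tag == "a" and val.startswith(EXTERNAL_SCHEMES):
                findings.append("clickable external link on <a>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Gateway decision helper: True only when no active content was found."""
    return not svg_findings(svg_bytes)


# Constructed samples: a harmless icon and a lure that redirects to a login page.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="location=\'https://login.example\'">'
    b'<script>document.location = "https://login.example/verify"</script>'
    b'<a href="https://login.example/verify"><text>Open document</text></a></svg>'
)
```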

9. Pharming
Sometimes referred to as “phishing without a lure”, pharming is when cybercriminals redirect users to fake, lookalike websites to steal sensitive information. Rather than using social engineering, attackers use technical means like exploiting DNS server vulnerabilities to trick victims.
Your defence:
- Keep your devices and browsers updated
- Use reliable DNS servers
- Look for HTTPS and valid security certificates
- Install reputable antivirus software with real-time protection

10. Angler phishing
Angler phishing exploits customer frustration on social media. Scammers monitor complaints directed at companies (especially banks or service providers), then swoop in posing as helpful support reps.
They use fake profiles, unofficial links, and friendly language to get victims to “verify” account info – only to steal it.
Watch out for:
- Customer service accounts without verification badges
- Requests to move conversations to private messages
- Links to non-official websites
- Requests for passwords or account details

11. Evil twin phishing
Cybercriminals set up fake Wi-Fi access points imitating legitimate ones. Once victims connect, the hackers have access to their internet activity and, by extension, sensitive information, such as login details and personal data.
Evil twin phishing is common in public spaces like train stations, shopping malls, and airports.
Here’s how to protect yourself:
- Use a VPN if you have to use public Wi-Fi
- Disable the auto-connect function on your devices

12. Clone phishing
Clone phishing is a difficult-to-spot cyberattack because cybercriminals take a legitimate email that a user has already received and clone it. The only change they make is replacing the original links with malicious ones.
Precautions you can take:
- Hover over links before clicking to verify the URL
- If you receive a duplicate or out-of-place email, contact the sender directly to confirm the email's authenticity
- Keep antivirus and anti-phishing tools updated so they detect malicious emails and attachments.

13. Watering hole phishing
Watering hole phishing occurs when hackers compromise a website that’s frequented by a specific group of people, such as employees of a company, government officials, or members of a particular industry.
Once the site has been compromised, anyone who visits it may unknowingly download malware, giving attackers access to sensitive systems or data.
Tips for safe browsing:
- Keep all software and browsers up to date to close known security vulnerabilities.
- Use reputable antivirus and anti-malware tools to detect and block threats.

14. Search engine phishing
Also known as SEO poisoning, search engine phishing is when cybercriminals create malicious websites and use SEO techniques to make the sites appear high in search results for popular or trending keywords. Since most users tend to click on the top few results, this increases the chances that users will visit these harmful sites.
When you click on one of these poisoned links, you might be:
- Tricked into entering personal information like login credentials, credit card details, or other sensitive data.
- Infected with malware or ransomware if the site automatically downloads malicious software.
- Redirected to other phishing or scam sites that continue the attack chain.

15. Bulk phishing
Bulk phishing is when attackers send a large number of generic phishing emails to many people at once. They’re usually the easiest to spot as they use simple, non-personalised messages to trick recipients into clicking malicious links or giving away personal info. Attackers rely on volume, hoping some victims will fall for the scam.
Key features of bulk phishing:
- Mass distribution: attackers send thousands of identical or very similar phishing emails.
- Generic content: the messages usually contain general, non-personalised language like “Your account has been compromised” or “Click here to verify your information.”
- Goal: to trick recipients into clicking malicious links, downloading malware, or submitting login or financial info on fake websites.
Knowledge is your best defence
These 15 types of phishing attacks show just how diverse and dangerous the threat landscape has become. Phishing isn't going away, but with a diligent approach to cybersecurity and the right tools, your business won’t be an easy catch.
Want to give your people the skills to recognise cyber threats before they turn into breaches? Check out CyberSmart Learn, our cybersecurity focused learning management system.
