Phishing remains the most effective tool in a cybercriminal's arsenal. Despite decades of security awareness campaigns and billions spent on email filtering, attackers continue harvesting credentials, deploying malware, and draining corporate accounts through fraudulent messages. According to the IBM Cost of a Data Breach Report 2025, phishing triggers 16% of all confirmed data breaches at an average cost of $4.8 million per incident. With 3.4 billion phishing emails sent daily, understanding how these attacks work is essential for security professionals and business users alike.
This guide covers everything you need to know about phishing: the different attack types, how to spot them, and what to do when prevention fails.
Phishing is a type of social engineering attack where cybercriminals send fraudulent communications that appear to come from a trusted source, designed to trick recipients into revealing sensitive information, clicking malicious links, or installing harmful software. The term combines "fishing" for victims with "phreaking," the early phone hacking subculture that inspired many digital attack techniques.
Unlike purely technical exploits that target software vulnerabilities, phishing exploits human psychology. Attackers craft messages that trigger emotional responses like urgency, fear, or curiosity to bypass rational decision-making. This makes phishing remarkably effective regardless of an organization's technical defenses.
The MITRE ATT&CK framework classifies phishing as technique T1566 under Initial Access, with sub-techniques covering attachments (T1566.001), links (T1566.002), services (T1566.003), and voice phishing (T1566.004). Understanding where phishing fits within the cyber kill chain helps defenders build layered protections.
The scale of phishing and its business impact demands attention from security teams. Consider these statistics:
Phishing differs from spam in a critical way. Spam is unsolicited bulk email that may be annoying but is generally not malicious. Phishing is deliberately deceptive, designed to steal credentials, financial information, or access to systems. All phishing is unwanted email, but not all unwanted email is phishing.
Understanding the phishing attack lifecycle helps organizations build effective defenses. Attackers follow a consistent process regardless of their specific technique.
1. Research and reconnaissance
Attackers gather information about their targets. For mass campaigns, this might be minimal. For targeted spear phishing, attackers scrape LinkedIn profiles, corporate websites, and social media to understand organizational hierarchies, communication styles, and current business activities.
2. Crafting the lure
Using gathered intelligence, attackers create convincing messages. They register look-alike domains (such as "micros0ft.com" with a zero), clone legitimate email templates, and write copy that mirrors authentic business communications.
3. Delivery
The malicious message reaches the target through email, SMS, phone call, social media, or another channel. Modern phishing often uses multiple channels simultaneously to increase credibility.
4. Exploitation
The victim takes the intended action: clicking a link, opening an attachment, providing credentials, or transferring funds. Credential harvesting pages capture usernames and passwords, while malicious attachments may install backdoors or ransomware.
5. Data exfiltration and persistence
Attackers use harvested credentials to access systems, often leading to account takeover. They may establish persistence mechanisms, exfiltrate data, or launch follow-on attacks against other targets.
Phishing succeeds because it exploits fundamental aspects of human psychology. Security professionals must understand these principles to build effective training programs.
Authority drives compliance. Messages appearing to come from executives, IT departments, or trusted vendors carry implicit credibility. When the "CEO" requests an urgent wire transfer, employees hesitate to question it.
Urgency and scarcity override careful analysis. Phrases like "your account will be suspended in 24 hours" or "limited time offer" push recipients toward immediate action without verification.
Fear motivates response. Threats of account closure, legal action, or security breaches create anxiety that clouds judgment.
Social proof builds trust. Fake reviews, testimonials, and references to colleagues make fraudulent requests seem legitimate.
According to Push Security research, the vast majority of phishing attacks now use reverse proxy techniques for real-time MFA bypass. This adversary-in-the-middle approach captures session cookies as victims enter credentials, allowing attackers to hijack authenticated sessions even when multi-factor authentication is enabled.
Phishing has evolved far beyond simple email scams. Modern attackers use multiple channels and techniques, with one in three phishing attacks now delivered outside of email. Understanding each type helps organizations build appropriate defenses.
Table: Comparison of phishing attack types
Mass-distributed emails impersonate trusted entities like banks, popular services, or delivery companies. These campaigns prioritize volume over sophistication, sending millions of messages with generic content. While success rates are low, the scale makes even minimal conversion profitable for attackers.
Targeted attacks focus on specific individuals or organizations. Attackers research their targets and craft personalized messages referencing real projects, colleagues, or recent activities. This personalization dramatically increases success rates compared to bulk phishing.
The difference between phishing and spear phishing is personalization. Standard phishing casts a wide net with generic messages. Spear phishing uses specific information about the target to create believable, contextual communications.
Executive-targeted attacks pursue high-value outcomes. Whaling campaigns often involve sophisticated business email compromise scenarios requesting wire transfers or sensitive data. According to LevelBlue research, the average BEC wire transfer request reached $24,586 in 2025.
BEC attacks impersonate internal executives or external vendors to request fraudulent wire transfers or data access. Attackers may compromise legitimate accounts or use convincing spoofed domains. BEC attacks increased 15% in 2025, with losses reaching $2.77 billion according to the FBI IC3 2024 Report.
Smishing delivers phishing via text messages. Package delivery scams, bank alerts, and verification code requests are common lures. Smishing increased 328% in 2024 as attackers exploited the inherent trust users place in mobile communications.
Smishing differs from email phishing primarily in the delivery channel. SMS messages have higher open rates and users are less accustomed to scrutinizing text messages for fraud. The limited display space on mobile devices also makes it harder to verify sender information.
Voice phishing uses phone calls where attackers impersonate tech support, bank representatives, or government officials. Caller ID spoofing makes calls appear to come from legitimate numbers. Vishing attacks increased 442% between early and late 2024 as attackers combined phone calls with synchronized web-based credential harvesting.
Vishing in cybersecurity refers specifically to voice-based social engineering attacks designed to extract credentials, financial information, or system access. Recent campaigns like the ShinyHunters vishing operation have targeted over 100 organizations by impersonating IT staff and directing victims to credential harvesting sites.
Clone phishing replicates legitimate emails the target previously received, replacing links or attachments with malicious versions. The familiar format and the reference to previous interactions make these attacks difficult to detect.
Social media-based attacks target users who complain about companies online. Attackers create fake customer service accounts and respond to complaints with phishing links disguised as support resources.
Malicious QR codes direct victims to phishing sites. Quishing increased 25% year-over-year as attackers placed malicious QR codes in parking meters, restaurant menus, fake invoices, and email attachments. In January 2026, the FBI issued an advisory about North Korean Kimsuky hackers using QR codes to phish U.S. government and think tank employees.
Pharming attacks use DNS poisoning or malicious redirects to send victims to fraudulent sites even when they enter correct URLs. Unlike other phishing types, pharming does not require the victim to click a malicious link. Victims navigate to what they believe is a legitimate site and unknowingly enter credentials on an attacker-controlled page.
The difference between pharming and phishing is the attack vector. Phishing relies on tricking users into clicking malicious links. Pharming manipulates the infrastructure that translates domain names to IP addresses, redirecting users automatically.
Examining actual attacks illustrates the real-world impact of phishing and provides lessons for defenders.
Change Healthcare (2024): A credential harvesting attack led to one of the largest healthcare data breaches in history. The ALPHV/BlackCat ransomware group gained access through phishing-harvested credentials, ultimately impacting over 100 million users. The incident demonstrated how a single credential compromise can cascade into catastrophic organizational impact.
Pepco Group (2024): The European retail company lost EUR 15.5 million through a phishing attack targeting its Hungarian branch. Attackers used advanced social engineering to bypass verification procedures, highlighting the need for multi-person approval on financial transfers.
ShinyHunters vishing campaign (2026): Voice phishing attacks targeted 100+ organizations including Panera Bread, SoundCloud, and Match Group. Attackers impersonated IT staff, directed victims to branded credential harvesting sites formatted as company-sso.com domains, and captured MFA codes in real time.
Financial services organizations receive 18.3% of all phishing attacks, followed by SaaS and webmail providers at 18.2%, and eCommerce at 14.8%. Healthcare organizations face particularly high risk with baseline phishing susceptibility of 41.9% and the highest average breach costs at $7.42 million according to IBM research.
Security teams should ensure employees can recognize these frequent attack patterns:
Developing phishing recognition skills across your organization significantly reduces risk. According to Hoxhunt research, consistent training improves threat reporting success from 34% to 74-80% over time.
Watch for these seven common phishing indicators:
SMS (smishing): Watch for shortened URLs that hide the true destination, messages from unknown numbers claiming to be known entities, and requests to call back numbers not listed on official websites.
Phone (vishing): Be alert to pressure for immediate action, requests for remote computer access, caller ID showing trusted numbers with unfamiliar voices, and requests to verify information the caller should already have.
Social media: Verify accounts through official channels before engaging with customer service, avoid clicking links in direct messages, and be suspicious of unsolicited support offers following public complaints.
QR codes: Preview the URL before proceeding when possible, be cautious of QR codes in unexpected locations, and avoid scanning codes that appear tampered with or placed over original codes.
Effective phishing prevention requires layered defenses combining technical controls, security awareness training, and organizational processes.
Email gateway security filters malicious messages before they reach inboxes. Modern solutions use machine learning to detect previously unknown threats beyond simple signature matching.
Email authentication protocols verify sender identity. SPF validates that sending servers are authorized by the domain owner. DKIM cryptographically signs messages to detect tampering. DMARC ties SPF and DKIM together and specifies how receiving servers should handle failures. As CISA guidance recommends, organizations should progress DMARC from p=none (monitoring) to p=reject (enforcement). Cloudflare's email authentication guide provides detailed implementation guidance.
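The following is an added example (not from the page or any referenced vendor) showing how a receiving server applies DMARC: it parses the domain's published record, checks whether a passing SPF or DKIM result is aligned with the visible From: domain, and returns the disposition the policy asks for. The DMARC records and message results are constructed, and the organizational-domain logic is simplified (a real receiver uses the Public Suffix List).

```python
"""Minimal DMARC evaluation: record parsing, identifier alignment, disposition.
Added illustration with constructed data; not the page's own code."""

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>; not real records.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",   # monitoring only
    "example.org": "v=DMARC1; p=reject; adkim=s; aspf=r",              # enforcement
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict; alignment defaults to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Crude organizational domain: last two labels (no Public Suffix List here,
    so co.uk-style domains are not handled correctly; assumption for the example)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_passed, disposition).

    from_domain: domain of the RFC5322.From header the user sees.
    spf_domain:  the MAIL FROM domain SPF was checked against.
    dkim_domain: the d= domain of the DKIM signature that was verified.
    DMARC passes when at least one of SPF/DKIM passed AND that identifier aligns.
    """
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        return False, "none"          # no policy published: no DMARC action
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]          # none / quarantine / reject
```

Note the difference between the two constructed domains: a spoofed message from example.org is rejected, while the same spoof of example.com is only reported, which is why the page recommends moving from p=none to p=reject.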
Phishing-resistant MFA uses FIDO2 or passkeys rather than SMS or TOTP codes that attackers can capture through adversary-in-the-middle techniques. Traditional MFA provides some protection but modern phishing kits bypass it routinely.
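Why FIDO2/WebAuthn survives the reverse-proxy adversary-in-the-middle technique described earlier (where SMS and TOTP codes are simply relayed): the browser records the origin the user actually visited in clientDataJSON, and the authenticator signs over a hash of the relying party ID, so a relying party that checks both rejects an assertion relayed through a look-alike proxy domain. This added example (not from the page, and not a complete WebAuthn verifier: signature checking is omitted) uses constructed data; the relying-party domain and the proxy domain are hypothetical.

```python
"""WebAuthn relying-party checks that make FIDO2 phishing-resistant.
Added illustration with constructed data; the cryptographic signature step is left out."""
import base64
import hashlib
import json

RP_ID = "login.example.com"                 # hypothetical relying party ID
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge):
    """Simulate what browser + authenticator produce. The browser only allows an
    rp_id that is a registrable suffix of the page's origin, so a proxy at another
    domain cannot claim the real RP_ID; it gets its own origin and rpIdHash."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,                   # set by the browser, not by page script
    }).encode()
    # authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4) | ...
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(assertion, challenge):
    """Server-side checks preceding the signature check. Returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    rp_hash = assertion["authenticatorData"][:32]
    if rp_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"
```

The same relayed-session trick that defeats an OTP fails here because the attacker cannot rewrite the origin the browser embedded, and the signature (not shown) covers both fields.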
URL filtering and sandboxing analyze links and attachments in isolated environments before delivery.
Endpoint detection and response solutions detect malware delivered through successful phishing attempts.
Network detection and response identifies post-compromise activity including command-and-control communications and data exfiltration.
Identity threat detection and response monitors for suspicious authentication patterns and credential abuse.
Adopting a zero trust security model reduces the impact of successful phishing by limiting what compromised credentials can access.
Training remains the most cost-effective phishing countermeasure. According to the KnowBe4 2025 Phishing by Industry Benchmarking Report, organizations reduce phishing susceptibility from a baseline of 33.1% to just 4.1% after 12 months of regular training with simulations, representing an 86% improvement.
Effective training programs include:
Healthcare organizations require particular attention given their 41.9% baseline susceptibility rate, the highest of any industry measured.
Technical controls and training must be supported by clear processes:
Swift incident response limits damage when prevention fails. Knowing what to do if you clicked on a phishing link can mean the difference between a minor incident and a major breach.
1. Disconnect from the network if you suspect malware installation. This limits the attacker's ability to move laterally or exfiltrate data.
2. Change passwords immediately from a known-clean device, starting with the compromised account and any accounts using the same or similar credentials.
3. Report to IT/security team with full details of what happened, including the message content, any links clicked, and information provided.
4. Enable MFA on all accounts if not already configured.
5. Document everything including timestamps, screenshots, and actions taken.
Security teams should initiate structured response procedures:
The FTC provides consumer guidance on steps individuals should take after phishing exposure.
After containing the immediate threat:
Phishing has evolved dramatically since its origins in the mid-1990s when attackers targeted AOL users with fake account messages. According to Cofense's history of phishing, the first documented phishing attacks appeared around 1994.
Key milestones include:
Attackers are increasingly leveraging artificial intelligence to create more convincing, personalized phishing content at scale. For a deep dive into these emerging threats, see AI-powered phishing attacks.
Vectra AI operates from an "assume compromise" philosophy. Smart attackers will get in despite the best prevention efforts. The key is finding them fast.
Rather than relying solely on blocking phishing emails at the gateway, Vectra AI focuses on detecting post-phishing attacker behavior. When credentials are harvested, attackers must use them. When malware is installed, it must communicate. These activities create signals that behavioral detection can identify.
Attack Signal Intelligence analyzes behavior across network, identity, cloud, and endpoints to surface real threats through advanced threat detection. The approach prioritizes signal over noise, helping security teams focus on active attacks rather than drowning in alerts.
Network detection and response capabilities identify command-and-control communications, lateral movement, and data exfiltration that follow successful phishing. Combined with identity-focused detection, organizations gain visibility into the full attack chain regardless of the initial entry point.
Phishing is a type of cyberattack where criminals send fraudulent messages designed to trick you into revealing sensitive information like passwords, credit card numbers, or personal data. These messages often appear to come from trusted sources like your bank, employer, or popular online services. The goal is to exploit human trust rather than technical vulnerabilities. Attackers may want to steal money directly, harvest credentials for account access, or install malware for future attacks.
The most common types include email phishing (mass-distributed attacks), spear phishing (targeted at specific individuals), whaling (targeting executives), business email compromise (impersonating internal staff or vendors), smishing (SMS-based), and vishing (voice calls). Newer techniques include quishing (QR code-based) and angler phishing (social media-based). Each type exploits different channels and trust relationships, but all rely on social engineering to manipulate victims into taking harmful actions.
Look for several red flags: urgent or threatening language demanding immediate action, generic greetings when the sender should know your name, sender addresses that do not match the claimed organization, spelling and grammar errors unusual for professional communications, links that show different destinations when you hover over them, unexpected attachments, and requests for sensitive information. When in doubt, contact the supposed sender through a known legitimate channel rather than replying or clicking links.
Immediately disconnect from the network if you suspect malware was installed. Change your passwords from a known-clean device, starting with the compromised account and any accounts using the same credentials. Enable multi-factor authentication on all accounts. Report the incident to your IT or security team with full details of what happened. Monitor your accounts for suspicious activity and consider placing fraud alerts with credit bureaus if financial information may have been compromised.
Effective prevention combines technical controls with human factors. Deploy email filtering and authentication protocols (SPF, DKIM, DMARC). Implement phishing-resistant MFA using FIDO2 or passkeys rather than SMS codes. Conduct regular security awareness training with simulated phishing exercises. Establish verification procedures for sensitive requests, especially financial transfers. Create clear reporting mechanisms that make it easy for employees to flag suspicious messages without fear of punishment.
Standard phishing targets large groups with generic messages hoping some recipients will fall for the scam. Spear phishing targets specific individuals using personalized information about the victim, their role, and their organization. Attackers research spear phishing targets through LinkedIn, corporate websites, and social media to craft believable messages referencing real projects, colleagues, or activities. Spear phishing has significantly higher success rates because the personalization makes messages appear legitimate.
Phishing exploits human psychology rather than technical vulnerabilities. It leverages principles like urgency, authority, fear, and trust to bypass rational decision-making. Even security-aware individuals can fall victim when well-crafted attacks arrive at opportune moments such as during busy periods, after hours, or during organizational transitions. The human element cannot be patched like software, making ongoing training and technical controls essential complements to each other.