A CFO wires $1.2 million to a fake vendor. An engineer logs into a spoofed portal and hands over credentials. A support rep scans a QR code from a hallway poster and unknowingly gives attackers access to internal tools. These aren’t rare mistakes — they’re the result of well-crafted phishing attacks that look just real enough. And they work. Today’s phishing tactics are more targeted, more convincing, and harder to spot. In this post, we break down 10 types of phishing attacks your business needs to recognize — before they cost you data, money, and trust.
What is phishing and why it’s still so effective
Phishing is a tactic where attackers impersonate trusted sources — a vendor, a colleague, your own tools — to get users to hand over credentials, send payments, or download malware. It doesn’t exploit software; it exploits routine. And that’s why it still works. Most users won’t fall for a poorly written email, but a well-timed message that mimics a real login page or mimics a ticket from your IT platform? That gets clicks. Attackers don’t need to breach your systems — they just need one distracted person to act without thinking. That one moment can expose the entire network.
What are the most common types of phishing attacks?
Phishing comes in more forms than just suspicious emails. While traditional email phishing is still widespread, attackers now use text messages (smishing), voice calls (vishing), QR codes (quishing), and fake Wi-Fi networks (evil twin phishing) to reach users across every digital touchpoint. Some attacks are broad; others are tailored — like spear phishing that uses personal details or whaling that targets executives. Techniques like pharming and clone phishing manipulate trust in websites or past communications. Even fake support accounts on social media (angler phishing) are now part of the playbook. The goal is always the same: make it look real, get the user to act.
Here’s a breakdown of the most common phishing tactics, what they look like, and how to avoid them.
| Attack Type | What It Is | How to Spot or Avoid It |
| 1. Phishing | Fraudulent emails that trick users into revealing sensitive information. | Check for suspicious sender addresses, urgent language, and mismatched URLs. |
| 2. Smishing | Phishing via SMS messages. | Avoid clicking links in unsolicited texts; verify with the sender through another channel. |
| 3. Vishing | Voice phishing—fraudulent phone calls seeking personal info. | Hang up and call back using a verified number; be wary of urgent or threatening language. |
| 4. Quishing | QR code phishing—malicious QR codes that lead to phishing sites. | Don’t scan QR codes from unknown sources; preview the URL before opening. |
| 5. Pharming | Redirecting users from legitimate to fake websites via DNS manipulation. | Use HTTPS websites, enable DNS security tools, and keep software updated. |
| 6. Clone Phishing | A legitimate email is cloned and resent with malicious links or attachments. | Look for unexpected attachments or links in familiar-looking emails. |
| 7. Whaling | Targeted phishing aimed at high-level executives. | Verify requests for sensitive actions via a second channel; train execs on phishing risks. |
| 8. Spear Phishing | Highly targeted phishing using personal details to appear legitimate. | Be cautious with unexpected requests, even from known contacts; verify before acting. |
| 9. Angler Phishing | Fake social media accounts posing as customer support to steal info. | Check for verified accounts; don’t share personal info over social media DMs. |
| 10. Evil Twin Phishing | Fake Wi-Fi hotspots that mimic legitimate ones to steal data. | Avoid public Wi-Fi for sensitive tasks; use VPNs and verify network names. |
Credit: Kaleb (AJ) Arjes-Maddox
Who do cybercriminals target with phishing attacks
Phishing often has a specific target. While some attacks are sent in bulk, others—like spear phishing, whaling, and clone phishing—are crafted for individuals or small groups. Executives may receive fake financial approvals. IT teams get spoofed system alerts. Customer support staff are approached through fake user messages. These messages aren’t random—they’re designed to land with the right person, at the right moment, with just enough context to trigger action. Whether broad or precise, phishing finds its mark by preying on trust, routine, and urgency.
3 Real-world examples of phishing attacks
Phishing attacks hit real people inside real organizations. Someone clicks, someone replies, and money moves. These examples show how fast it happens and what it looks like when attackers get through.
1. Spear‑phishing CFOs via Fake Recruiter Emails
In mid‑May 2025, Trellix confirmed a targeted spear‑phishing campaign hitting CFOs and finance executives at U.S. banks, utilities, insurers, and investment firms. Attackers impersonated recruiters from Rothschild & Co., embedding encrypted CAPTCHAs that delivered a VBScript in a ZIP file. This script installed NetBird, a legitimate remote-access tool—effectively granting persistent access, enabling fraudulent wire transfers or data theft from high‑value accounts.
2. Illinois agency hit with $6.85M BEC scam
Between March and April 2025, Illinois’s Office of the Special Deputy Receiver fell victim to BEC spear-phishing. The attacker accessed the CFO’s Outlook account and sent emails to staff requesting wire transfers. Eight transfers totaling approximately $6.85 million were made to fraudulent accounts before detection. An Illinois federal court later ruled the loss was not covered under contract exclusions due to the phishing nature of the fraud.
3. Phishing attack targets UC employees’ payroll accounts
In May 2025, UCLA and UC system staff became targets of phishing designed to change direct deposit information in UCPath. Attackers used spoofed emails and vishing to extract usernames and passwords. Dozens of employees fell for phishing scams and attempted bank account changes. UC responded by introducing manual verification for all deposit updates, preventing hundreds of thousands of dollars in fraudulent transfers.
How to protect your organization if you suspect a phishing attack
When a phishing attack is suspected, the first priority is containment. That means isolating the affected device and identifying how the attack got in—whether through email, SMS, or a compromised login. Any user who engaged with the message should have credentials reset, even if MFA was enabled.
From there, it’s about checking access logs, scanning for anything installed, and looking for related activity in your SIEM and EDR. Blocking the sender and alerting internal teams is standard, but so is documenting every step. The goal isn’t just to stop the attack—it’s to make sure the response is fast, structured, and repeatable.
Whether you need to prevent phishing attacks or respond when they break through, GCS helps you build the systems, processes, and visibility to stay ahead. Get in touch to make sure your team is ready before it matters.
