🚨  NIS2 is now in effect. Security awareness is now legally required in the EU.

Check compliance
Start your free trial
Back to Resource Center

10 types of Phishing Attacks (2026 update)

What is phishing

Phishing is a form of digital fraud where cybercriminals impersonate someone else. Think of an important authority or a well-known person. Via urgent-sounding e-mails, WhatsApp or SMS, you are requested to provide information, such as personal or bank details.

Recognising these attacks is crucial for organisations. In practice, many companies use phishing simulation to train employees to spot these threats.

Below, we explain 10 types of phishing attacks, together with tips on how to prevent them.

10 types of phishing attacks

1. Spray phishing

With spray phishing, cyber criminals send messages to a large number of people within a spray phishing campaign by default. This is sometimes ten thousand e-mails or text messages at the same time. They throw a wide net, as it were, in the hope that some people will fall for the e-mail. Usually, it is an e-mail from an existing company that asks to update a password or to renew credit card information.

2. Email phishing

Sending e-mails is one of the most common forms of phishing. These e-mails are designed to appear to come from a trustworthy source. Usually, in these e-mails, you are asked to fill in a form or to reply to the e-mail. This is how cybercriminals get personal information.

One form of e-mail phishing is clone phishing, where a legitimate e-mail is copied and the links and files are replaced with malicious substitutions. This can be, for example, an invoice file, a link that contains a virus, or a link that sends you to a website to enter your personal data.

3. Mobile phishing

Mobile phishing is also known as smishing or SMS phishing. You will receive a message from the perpetrator with an urgency to take action. Think of calling a telephone number or clicking on a link to a website. Often, you will be asked for personal information, such as passwords or credit card information.

The other form of mobile phishing is phone phishing or vishing. With this form of phishing, you will not receive a message, but you will be called. The attackers pose as your bank, the police, or other companies or agencies. They try to scare you into pushing you to take action, often transferring money.

4. Ambulance chasing

With these types of phishing attacks, cybercriminals capitalize on current events. Think of asking for donations for relief funds, natural disasters, or wars. The perpetrators can collect personal data and take money from the victims.

5. Account expired/change password

You will receive a message via e-mail or via your mobile with the request to reset your password. These messages often appear to come from a reliable source and are sometimes difficult to distinguish from real messages. For example, consider a message from your bank. If you changed the password via a link that e-mail, the perpetrator has the necessary information to log in to your bank account.

6. Whaling phishing

In this phishing attack, also known as business e-mail compromise, cybercriminals target the big whales, i.e. employees with a high position within an organization. Often they impersonate a senior employee within the organization to make it credible to access financial information or corporate platforms.

7. Wifi twin

A WiFi twin is a WiFi network that copies the address of another network. Anyone who connects to it will also be exposed to hackers. That way they gain access to passwords and other information. This type of phishing attack is often done in public areas such as shopping malls, cafes, and airports. So it’s not always a good idea to connect to a public Wi-Fi network.

8. Spear phishing

Spear phishing is a very personal phishing attack. This is because the attacker pretends that he or she is a person who knows the target well. The target is well-researched for this, so the attack feels very personal. The purpose of this is to gain access to sensitive information to exploit the target.

9. Pretexting

This type of phishing attack is a very effective one because it gives a sense of legitimacy. The victims will initially receive a message via a channel other than e-mail to let them know that they will receive an e-mail shortly. For example, they pretend to be a supplier and indicate that the victim will soon receive a quote by e-mail. This telephone contact is therefore referred to in the final e-mail, which makes it appear more reliable.

10. Man-in-the-Middle

Finally, we discuss a fairly complicated way of phishing: man-in-the-middle. The cybercriminal intercepts the emails between two people. The criminal then sends these emails back to these two people, who then think the emails came from each other. Thus, this increases trust in the emails, allowing the criminal to ask for private details and other information.

Tips to prevent types of phishing attacks

1. Staff training

By training your staff to recognise phishing techniques and the psychological triggers behind them, you can prevent a large number of attacks. Employees learn to verify senders, avoid blindly clicking links or downloading files, and assess messages critically. Key warning signs include:

  • Generic salutations: phishing emails often lack personalisation.
  • Unexpected links or attachments: especially when unsolicited.
  • Grammar and spelling mistakes: often a sign of malicious intent.
  • Urgency or pressure: attackers try to rush decisions.

2. Do not click on everything

Never click on links without verifying the source, even if the message appears legitimate. Instead, manually navigate to the official website or inspect the link by hovering over it. Small differences in domain names are a common phishing tactic.

3. Check for HTTPS

Especially when you are asked to share sensitive information, you must check whether the URL starts with HTTPS instead of HTTP. The extra S does not guarantee that it is a secure website, but it is better protected against hackers than an HTTP site. (So don’t rely on HTTPS alone)

4. Encourage reporting

Create a culture where employees feel comfortable reporting suspicious emails. The faster a phishing attempt is reported, the quicker action can be taken to protect the rest of the organisation.

4. Use Guardey

To effectively protect your organisation against phishing attacks, awareness alone is not enough. Employees need to experience real-world scenarios and learn how to respond.

With phishing simulation, you can safely simulate real attacks and train employees to recognise and report threats in practice. This significantly reduces the risk of successful phishing attempts.

In addition, Guardey helps organisations continuously improve their security awareness through interactive training and real-time insights. This way, you not only train employees once, but build a long-term security culture within your organisation.

Dinela Lokvancic
Dinela Lokvancic Marketing Specialist Dinela keeps Guardey's online presence up to date. She creates content that makes complex cyber security topics accessible, and helps organizations understand why security awareness training matters for their teams.
READY TO GET STARTED?

Join 500+ businesses already protecting their teams with Guardey

Start your free 14-day trial
14 days free · No credit card · Full access · Setup in 5 minutes
Or schedule a personalised demo