Types and examples of phishing
26 / 04 / 2026
Phishing is the social engineering technique cybercriminals use most, and industry reports consistently rank it among the leading initial access vectors in corporate security incidents. Knowing the types of phishing and the most common real-world examples is the first step to protecting yourself: from the classic fraudulent email to more sophisticated variants such as spear phishing, smishing or whaling.
In this Océano IT guide, we explain what phishing is, what types exist, real examples currently in circulation and how to prevent them in a corporate environment.
What is phishing?
Phishing is a type of cyberattack based on social engineering in which the attacker impersonates a trusted entity —a bank, a company, a public administration or even a co-worker— to deceive the victim and obtain sensitive information: credentials, banking data, personal data, or trick them into performing an action (downloading a file, making a transfer, installing malware).
The term comes from the English word fishing: the attacker casts a mass or personalised bait hoping someone will "bite".
Key fact: according to the Phishing Activity Trends Report by the Anti-Phishing Working Group (APWG), millions of unique phishing attacks are detected every quarter worldwide, with the financial, SaaS and e-commerce sectors being the most affected.
How a phishing attack works
Although each variant has its nuances, almost all phishing attacks follow a four-phase pattern:
- Preparation: the attacker chooses the target (generic or specific) and designs the bait: an email, an SMS, a fake website, an impersonated profile, etc.
- Distribution: the fraudulent message is sent through the chosen channel (email, SMS, WhatsApp, phone call, social networks).
- Deception: the victim believes the message is legitimate and performs the requested action: clicks a link, enters their credentials, downloads an attachment or executes a transfer.
- Exploitation: the attacker uses the information or access obtained to steal data, impersonate identities, install ransomware, drain accounts or move laterally within the corporate network.
Most common types of phishing
Not all phishing attacks are alike. They are classified according to the channel they use, the level of personalisation and the objective they pursue. These are the most relevant types of phishing every company should be aware of.
1. Email phishing
This is the most widespread variant and the most well known. The attacker sends mass emails impersonating recognised brands (banks, parcel delivery platforms, social networks, cloud services) so the victim clicks a link that takes them to a fake website where they are asked for credentials.
- Typical bait: "Your account has been blocked", "We detected suspicious access", "Your parcel could not be delivered".
- Objective: theft of credentials and banking data.
- Typical indicators: slightly altered sender domain, spelling mistakes, artificial urgency, links that don't match the visible text.
2. Spear phishing
Unlike mass phishing, spear phishing is targeted and highly personalised. The attacker researches the victim in advance (name, role, projects, colleagues) and crafts a message that seems entirely plausible.
- Typical bait: an email that appears to come from a real supplier, with real data about an ongoing project.
- Objective: access to internal systems, theft of intellectual property, financial fraud.
- Why it's dangerous: traditional anti-spam filters don't usually detect it because it is a unique, well-crafted message.
3. Whaling
This is a variant of spear phishing aimed specifically at senior executives: CEOs, CFOs, general managers, board members. The attacker seeks high-value targets capable of authorising large transfers or with access to strategic information.
- Typical bait: false legal notice, judicial summons, urgent communication from the board.
- Objective: large-scale financial fraud or theft of strategic information.
4. Smishing (SMS phishing)
Smishing combines SMS and phishing. The attacker sends text messages impersonating entities such as banks, courier companies (Royal Mail, UPS, DHL) or tax agencies, with a shortened link leading to a fraudulent website.
- Typical bait: "Your parcel is on hold, pay the customs fee here", "We have detected an unauthorised charge".
- Objective: theft of banking credentials and installation of malicious mobile apps.
5. Vishing (voice phishing)
Vishing (voice phishing) is carried out by phone call. The attacker poses as a support technician, a bank employee or even a police officer to get the victim to disclose data or install remote control software.
- Typical bait: "We're calling from your bank's fraud department", "I'm a Microsoft technician, we've detected a virus on your computer".
- 2025-2026 trend: growing use of AI-cloned voices to impersonate family members or executives.
6. Clone phishing
The attacker clones a legitimate email the victim has previously received (an invoice, a newsletter, a notification) and resends an almost identical copy, replacing the links or attachments with malicious versions.
- Why it works: the victim recognises the format and the sender, which lowers their defences.
7. Pharming
Pharming doesn't require the victim to click on anything. The attacker tampers with name resolution, by pointing a compromised home router at a rogue DNS server, poisoning a resolver's cache or editing the device's hosts file, so that even when the user types the bank's address correctly the browser connects to an identical fake site.
- Typical vector: home routers with default credentials or unpatched firmware, and malware on the device.
- Why it's dangerous: it is practically invisible to the user. The one reliable tell is TLS: the attacker cannot normally obtain a valid certificate for the bank's real domain, so a certificate warning or a missing padlock on an address you typed yourself should be treated as a sign of compromise, not as a glitch.
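Because pharming can live in the local hosts file, one cheap endpoint check is to parse that file and flag any entry that pins a bank or corporate domain to a non-loopback address. The Python below is an added example, not Océano IT's tooling: the watchlist and the hosts content are constructed for illustration, and the 203.0.113.77 address comes from a documentation range.

```python
import ipaddress

# Constructed for the example: domains whose resolution we never expect to be pinned locally.
WATCHLIST = {"santander.com", "bbva.com", "hsbc.com", "ing.com", "oceanoit.com"}

# Constructed hosts-file content; the last line is the kind of entry a pharming infection adds.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
::1           localhost ip6-localhost
192.168.1.20  nas.home.lan
# added by malware:
203.0.113.77  www.santander.com santander.com
"""


def registrable(host: str) -> str:
    """Last two labels of a hostname; a simplification of the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            yield fields[0], host.lower()


def pinned_watchlist_hosts(text: str, watchlist=WATCHLIST) -> list:
    """Entries that pin a watchlisted domain to anything other than a loopback address."""
    hits = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                  # malformed line, not a resolution override
        if addr.is_loopback:
            continue                  # 127.0.0.1 / ::1 entries are the usual ad-blocking pattern
        if registrable(host) in watchlist:
            hits.append((host, ip))
    return hits


if __name__ == "__main__":
    # On a real machine read /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead.
    for host, ip in pinned_watchlist_hosts(SAMPLE_HOSTS):
        print(f"{host} is pinned to {ip} in the hosts file")
```

On a managed fleet the same check is worth running from the EDR or a scheduled script, since a hosts-file override survives reboots and password changes.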
8. Angler phishing (social media)
Angler phishing takes place on social media. The attacker creates fake support profiles for well-known brands (banks, airlines, platforms) and intercepts customers' public complaints to reply from the fake account and steal their credentials.
- Typical bait: a user complains on X/Twitter about their bank and a fake "Customer Support" profile replies with a link to "resolve the issue".
9. QR code phishing (quishing)
Quishing uses malicious QR codes distributed in emails, physical posters, parking meters, restaurant terraces or public chargers. When scanned, the user is redirected to a fraudulent website or malware is downloaded.
- Rising trend: QR codes bypass many traditional anti-phishing filters because the malicious URL doesn't appear in the email's text.
10. Business Email Compromise (BEC)
Business Email Compromise or CEO fraud is one of the costliest types of attack for companies. The attacker impersonates (or compromises) the account of an executive or supplier to order urgent transfers from the finance department.
- Typical bait: "I need you to make a confidential transfer before the end of the day, I'll explain later".
- Cost: according to the FBI Internet Crime Report, BEC generates multi-billion-dollar annual losses and is the type of corporate fraud with the greatest financial impact.
Real phishing examples
To better illustrate how they appear in everyday life, here are real and recent examples of campaigns circulating across Europe:
- Fake parcel delivery notifications: SMS or email indicating a parcel is held up and requesting a payment of €1.79 in customs fees. The website perfectly impersonates the courier's branding and captures card data.
- Tax agency impersonation: emails with subjects like "Pending refund" or "Urgent tax notice", linking to a cloned tax portal. Tax agencies never request banking data via email.
- Fake Microsoft 365 or Google Workspace alerts: messages warning that the mailbox is full or that the password is about to expire, with a link to a fake login page that steals corporate credentials.
- Bank impersonation (Santander, BBVA, HSBC, ING): SMS messages that appear in the same conversation thread as the bank's genuine messages, because the attacker spoofs the alphanumeric sender ID the bank uses (sender ID spoofing), warning of a suspicious charge.
- CEO fraud: an employee in the finance department receives an email from the "general manager" asking for an urgent transfer to a new supplier. The sender's domain is altered (for example, @oceano-it.com instead of @oceanoit.com).
- Quishing in restaurants and car parks: QR codes stuck on top of the original ones, redirecting to a fake payment gateway.
- AI-powered vishing: calls in which the voice of a relative or executive is cloned to request an urgent transfer.
How to identify a phishing attempt
Learning to spot the warning signs is the best defence. The most common indicators are:
- Sense of urgency or threat: "Your account will be blocked in 24 hours".
- Suspicious sender: domains with altered letters, numbers replacing letters (0 instead of o, 1 instead of l) or strange subdomains.
- Generic greeting: "Dear customer" instead of your real name.
- Spelling and grammar errors, especially in automatic translations.
- Links that don't match the visible text: hover over them (without clicking) and check the real URL.
- Unusual requests: no bank, no tax agency and no public administration will ever ask for your credentials or card code via email, SMS or phone.
- Unexpected attachments, especially .zip, .iso, .htm or Office documents with macros.
- Design that imitates but isn't quite right: pixelated logos, slightly different colours, incomplete footers.
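Two of these indicators, the look-alike sender domain (including the @oceano-it.com versus @oceanoit.com case from the CEO fraud example above) and the link whose visible text disagrees with its href, can be checked mechanically. The Python below is an added example, not code from Océano IT: the trusted-domain list, the homoglyph table and the sample HTML are constructed for illustration, and the two-label "registrable domain" helper is a simplification (real tooling should use the Public Suffix List).

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for the example: domains the organisation treats as its own or trusted.
TRUSTED_DOMAINS = {"oceanoit.com", "santander.com", "microsoft.com"}

# Substitutions seen in look-alike domains: digits for letters, Cyrillic letters that render like Latin.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0443": "y"}
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def registrable(domain: str) -> str:
    """Last two labels of a hostname: a simplification of the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def normalise(domain: str) -> str:
    """Decode punycode, map homoglyphs and drop hyphens so that 'oceano-it.com',
    '0ceanoit.com' and a Cyrillic-'o' variant all compare equal to 'oceanoit.com'."""
    d = domain.lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass
    d = unicodedata.normalize("NFKC", d)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in d).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one-character typosquats such as 'oceanoit.co'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify the domain of a From: address as 'trusted', 'lookalike' or 'unknown'."""
    domain = domain.lower()
    reg = registrable(domain)
    if reg in trusted:
        return "trusted"
    norm = normalise(reg)
    for t in trusted:
        if norm == normalise(t) or levenshtein(norm, normalise(t)) <= 1:
            return "lookalike"      # homoglyph, hyphen or one-character typosquat
        if domain.startswith(t + ".") or "." + t + "." in domain:
            return "lookalike"      # brand used as a subdomain of an unrelated domain
        brand = t.split(".")[0]
        if len(brand) >= 5 and brand in norm.split(".")[0]:
            return "lookalike"      # brand embedded in a longer label: microsoft-support.com
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """Links whose visible text names one domain while the href points at another."""
    parser = LinkExtractor()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            found.append((text, host))
    return found


# Constructed sample: the visible text shows the bank, the href goes to an attacker domain.
SAMPLE_HTML = ('<p>Verify your account at '
               '<a href="https://santander.com.verify-login.net/x">https://www.santander.com/login</a> '
               'or read the <a href="https://www.santander.com/help">help page</a>.</p>')

if __name__ == "__main__":
    for d in ("oceanoit.com", "oceano-it.com", "0ceanoit.com", "santander.com.secure-login.net"):
        print(d, "->", classify_sender_domain(d))
    print(mismatched_links(SAMPLE_HTML))
```

The classifier deliberately errs towards "lookalike": a one-character edit distance will occasionally flag a legitimate unrelated domain, which is the right trade-off for a triage rule that feeds a "Report phishing" queue rather than an automatic block.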
How to prevent phishing in your company
Effective prevention combines technology, processes and training. At Océano IT we recommend a layered approach:
Technical measures
- Advanced anti-phishing and anti-spam filters with URL analysis and attachment sandboxing.
- Implementation of SPF, DKIM and DMARC on the corporate domain, with DMARC set to p=quarantine or p=reject rather than p=none. These records only stop exact spoofing of your own domain; look-alike domains (oceano-it.com against oceanoit.com) have to be caught by mail filtering and, for the most obvious variants, by registering them yourself.
- Multi-factor authentication (MFA) on all critical access points, so that a stolen password alone is not enough to log in. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) over SMS codes and push approvals, which adversary-in-the-middle kits and MFA fatigue attacks can defeat.
- Secure password management through a corporate password manager.
- Continuous updates and patching of operating systems, browsers and email software.
- EDR/XDR solutions to detect anomalous behaviour following an accidental click.
- Network segmentation to limit lateral movement in the event of a compromise.
Processes and policies
- Double-verification procedure for transfers and supplier bank account changes (always through an alternative channel: a phone call to a known number, never the one provided in the email).
- Clear reporting protocol for suspicious emails: a "Report phishing" button in the email client.
- Documented and tested incident response plan.
Training and awareness
- Regular training for all employees, not just the technical team.
- Controlled phishing simulations to measure the actual exposure level and reinforce training where needed.
- Security culture: reporting a mistake or a suspicious click should not be penalised, but appreciated.
What to do if you've been a phishing victim
If you suspect you've fallen for a phishing attack, act quickly:
- Disconnect the device from the network if you think malware has been installed.
- Immediately change the affected passwords, starting with the most critical (corporate email, banking, internal system access). Do it from a different device if possible.
- Enable multi-factor authentication on all accounts if you didn't have it already.
- Notify your IT department or CISO as soon as possible.
- Contact your bank if you provided financial data, to block cards and review transactions.
- Preserve evidence: screenshots, full emails with headers, URLs.
- Report the incident to the relevant national cybersecurity agency or law enforcement (cybercrime unit).
- Notify the data protection authority if personal data has been breached: under the GDPR the supervisory authority must be notified within 72 hours of becoming aware of the breach (unless it is unlikely to pose a risk to the individuals concerned), and the affected individuals themselves must be informed when the risk to them is high.
Do you need to strengthen your company's cybersecurity against phishing? At Océano IT we help you implement anti-impersonation solutions, technical safeguards, procedures and training plans tailored to your organisation. Get in touch with our team and we'll advise you with no commitment.
Frequently asked questions about phishing
What's the difference between phishing and spear phishing?
Phishing is a mass, indiscriminate attack: the same email is sent to thousands of people in the hope that someone will fall for it. Spear phishing, on the other hand, is a targeted, personalised attack on a specific person or company, based on prior information the attacker has collected. This makes it much harder to detect and, therefore, more dangerous.
What is smishing and how does it differ from traditional phishing?
Smishing is phishing carried out via SMS or messaging apps (WhatsApp, Telegram). It differs from email phishing in the channel used, but the goal is the same: to get the victim to click a fraudulent link or call a number controlled by the attacker. It is particularly dangerous because SMS messages are usually perceived as more trustworthy than emails and mobile anti-spam filters are less effective.
How can I tell if an email is phishing?
The main indicators are: a sense of urgency, sender with a suspicious domain, links that don't match the text when you hover over them, spelling errors, generic greetings and requests for sensitive information (passwords, banking data, copies of ID documents). When in doubt, don't click: contact the supposed sender through a known official channel (a manually typed website or a previously saved phone number).
Does phishing only affect email?
No. Although email is the most common channel, phishing can arrive via SMS (smishing), phone calls (vishing), social media (angler phishing), QR codes (quishing), messaging apps and even malicious ads on search engines. Any communication channel can be used by cybercriminals to impersonate identities.
What is CEO fraud or BEC?
Business Email Compromise (BEC) or CEO fraud is a type of targeted phishing in which the attacker impersonates a senior executive or trusted supplier to instruct the finance department to make an urgent transfer to a fraudulent account. It is one of the cybercrimes with the greatest financial impact worldwide. The best prevention is to set up a double-verification procedure through an alternative channel for any unusual payment order.
Does multi-factor authentication protect against phishing?
Multi-factor authentication (MFA) drastically reduces the risk: even if the attacker manages to steal the password, they will need the second factor (mobile code, physical key, authenticator app) to gain access. However, it is not infallible: there are MFA fatigue, adversary-in-the-middle and SIM swapping attacks. That's why it should be combined with other measures and, whenever possible, you should use phishing-resistant factors such as FIDO2/WebAuthn keys.
What should I do if I clicked a phishing link?
If you only clicked but didn't enter any data, close the window, run an antivirus scan and proactively change the most sensitive passwords. If you entered credentials or banking data, act immediately: change passwords from another device, enable MFA, notify your bank and IT department, and preserve the evidence to report the incident to the relevant cybersecurity agency or law enforcement.
How can a company protect itself against phishing?
Effective protection combines three pillars: technology (anti-phishing filters, MFA, SPF/DKIM/DMARC, EDR), processes (double payment verification, incident response plan, reporting protocol) and people (continuous training and phishing simulations). No single layer is enough on its own: human error remains the number one vector, so awareness is just as important as technology.