Overview of the main phishing types
Phishing is the leading initial-access vector for breaches in the EU, according to ENISA threat-landscape reporting. But "phishing" is not one attack - it is a family of social-engineering techniques that share a goal (deceive a person into a harmful action) while varying in channel, targeting, and payload. Attackers pick the variant that best fits their objective, whether that is harvesting Microsoft 365 credentials at scale or convincing one finance manager to redirect a wire transfer.
The cleanest way to classify the types of phishing is along two axes: the delivery channel (email, SMS, voice, QR code) and the degree of targeting (mass versus tailored). The sections below walk through each major type in that order. For the underlying mechanics shared by all of them, see the related article on what phishing is.
- Email phishing - high-volume, generic lures sent to many recipients.
- Spear phishing - researched, personalised messages aimed at a specific person or role.
- Whaling and BEC - fraud impersonating or compromising executives and trusted partners.
- Smishing - phishing delivered by SMS or messaging apps.
- Vishing - voice-based phishing over the phone, increasingly aided by AI voice cloning.
- Quishing - phishing that hides a malicious link inside a QR code.
- Clone and other variants - copies of legitimate mail, plus angler, pharming and consent phishing.
Email phishing
Email phishing is the classic, highest-volume type and still the workhorse of cybercrime. The Anti-Phishing Working Group has tracked sustained volumes well into the hundreds of thousands of attacks per quarter, and email remains the channel where most campaigns begin. The economics are simple: industrialised Phishing-as-a-Service kits let an attacker send the same generic lure to thousands of inboxes and profit even if only a fraction respond.
A typical lure impersonates a brand the recipient is likely to use. In Europe that means fake Microsoft 365 "view document" or password-reset notices, look-alike messages from major banks and payment brands, or a missed-parcel notice from a courier. The message creates urgency - an account will be locked, an invoice is overdue - and routes the victim to a credential-harvesting page hosted on a freshly registered or compromised domain.
Spear phishing
Spear phishing flips the volume model. Instead of one message to thousands of people, it is one carefully researched message to one person. Attackers gather names, roles, reporting lines, projects and writing style from public sources such as the company website, LinkedIn and past breaches, then craft a lure that fits the target's world. Because it is personalised and references real context, spear phishing slips past both filters and gut instinct far more often than bulk mail.
A typical lure might be a message that appears to come from a colleague referencing a genuine project, or a fake shared-document invitation tailored to the recipient's actual team. The tell-tale sign is subtler than with bulk phishing: an unexpected request that nonetheless fits your role, often paired with a reason you cannot verify it through your usual channel. When in doubt, confirm out-of-band - a quick call to the supposed sender defeats most spear-phishing attempts. The related article on spear phishing and BEC covers targeted attacks in depth.
Whaling and Business Email Compromise (BEC)
Whaling is spear phishing aimed at the biggest "fish" - executives, board members and other high-authority targets whose approval can move money or unlock sensitive data. Business Email Compromise (BEC) is the closely related fraud that exploits that authority: an attacker impersonates an executive, vendor or partner - often via a look-alike domain or a genuinely compromised mailbox - to trick staff into wiring funds or disclosing data.
BEC is among the costliest cybercrimes precisely because it relies on trust and process, not malware. The FBI's IC3 reporting attributes billions in annual losses to BEC. A typical lure is an urgent payment-change request: "We've updated our bank details, please use these for today's invoice," arriving just before a deadline so there is pressure to act fast.
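As an added illustration that is not part of the original article, here is a small Python check for the look-alike-domain variant of BEC described above: it compares the sender's domain against a list of trusted domains (the organisation's own plus its vendors) using homoglyph folding and a one-edit distance. The trusted domains, addresses and homoglyph table are constructed for the example.

```python
"""Flag sender domains that imitate trusted ones (the look-alike BEC pattern)."""

# Constructed sample: the organisation's own domain plus two vendors it pays.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.eu", "northbank.de"}

# Characters that render almost alike and are routinely swapped in look-alikes.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"}


def fold(label):
    """Fold look-alike sequences so 'rn'/'m', 'vv'/'w' and '0'/'o' compare equal."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label)


def edit_distance(a, b):
    """Levenshtein distance: one insertion, deletion or substitution per step."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def main_label(domain):
    """Label just left of the TLD ('acme-supplies' for 'mail.acme-supplies.eu')."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for the domain in an address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    label = main_label(domain)
    for t in trusted:
        t_label = main_label(t)
        # Same label after folding: catches c0rp/corp and TLD swaps such as .eu -> .com.
        if fold(label) == fold(t_label):
            return "lookalike"
        # One typo away from a reasonably long trusted label (added, dropped or changed letter).
        if len(t_label) >= 6 and edit_distance(label, t_label) == 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ("cfo@example-corp.com", "ap@acme-supplies.com", "billing@example-c0rp.com"):
        print(f"{addr:28} -> {classify_sender(addr)}")
```

The check only covers the look-alike case; mail from a genuinely compromised mailbox passes it, which is why the out-of-band call-back for payment changes still has to happen.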
Smishing (SMS phishing)
Smishing is phishing delivered by SMS or messaging apps. It exploits the trust and immediacy of text messages: people read texts quickly, often on a phone where the full URL is hard to inspect and security tooling is thinner than on corporate email. Smishing volumes spike around holidays and shopping seasons, when a delivery message feels plausible.
The signature European lure is parcel-delivery smishing - a text impersonating a courier or postal service (think a fake Slovenská pošta or DPD message) claiming a package is held pending a small customs fee or address confirmation. Banking smishing is also common, warning of a "blocked card" and linking to a fake login. The tell-tale sign is a request to tap a shortened link and enter personal, payment or login details; legitimate carriers and banks do not collect credentials through an SMS link.
Vishing (voice phishing)
Vishing is voice-based phishing carried out over a phone call. The attacker phones the target while impersonating a trusted role - a bank's fraud department, the IT help desk, or a supplier - and uses urgency and authority to extract credentials, one-time codes, or a payment. Vishing is sometimes combined with email or SMS in a multi-channel "hybrid" attack to add credibility.
AI voice cloning has sharpened the threat: a few seconds of recorded audio can be enough to mimic a familiar voice, making a fake "CEO" call sound convincing. A typical lure is a caller claiming suspicious activity on your account and asking you to "verify" by reading back a code you just received - that code is usually the one-time MFA code triggered by the attacker's own login attempt, and reading it back lets them complete it. The tell-tale sign is any caller who pressures you for a one-time passcode, password, or immediate payment; legitimate institutions never ask for those over the phone.
Quishing (QR-code phishing)
Quishing hides a malicious link inside a QR code. Because the destination is encoded as an image rather than clickable text, a QR code can slip past some email link-scanning filters, and the victim typically scans it with a personal phone that sits outside corporate protections. The act of pointing a camera at a code also feels low-risk, which is exactly what attackers exploit.
A typical lure is an email or printed notice asking you to scan a code to view a secure document, reset your Microsoft 365 password, or complete a payment - sometimes a sticker placed over a legitimate QR code in a public space such as a parking meter. The tell-tale sign is being asked to scan a code that then leads to a login page; treat a QR-code destination with the same suspicion as any other link, and check the URL your phone previews before opening it. Quishing is covered further in the related article on modern phishing techniques.
Clone phishing and other variants
Beyond the main channels, several variants are worth knowing so they appear on your radar:
- Clone phishing - the attacker copies a legitimate email the victim already received and resends it with the link or attachment swapped for a malicious one, often as a "resend" or "updated version."
- Angler phishing - impersonating a brand's support account on social media to intercept customers who post complaints, then luring them to a fake help page.
- Pharming - redirecting victims from a correct address to a fraudulent site via DNS or host-file tampering, so even a carefully typed URL lands on a fake page.
- OAuth consent phishing - tricking a user into granting a malicious app permissions, giving the attacker token-based access without ever stealing a password.
These variants reuse the same psychology as the core types - trust, urgency, authority - wrapped in a different delivery trick.
How knowing the types helps defenders
Naming the types of phishing is not an academic exercise - it shapes a layered defence. Email phishing is blunted by SPF, DKIM and DMARC plus filtering; spear phishing and BEC need verification procedures and out-of-band call-backs for payment changes; smishing, vishing and quishing extend the threat beyond the inbox to phones and QR codes, so awareness has to cover every channel. Phishing-resistant authentication such as passkeys (FIDO2) defeats credential-harvesting across most of these types at once.
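As an added defender's check that is not part of the original article: a Python linter that grades a domain's SPF and DMARC TXT records, showing a weak record pair beside its enforcing version. The domain, mail relay and report address are constructed for the example; in practice the records would come from a DNS TXT query for the domain and for `_dmarc.<domain>`.

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain spoofable."""
import re

# Constructed records for a fictional domain: the weak pair as often found, then the fixed pair.
WEAK_SPF = "v=spf1 include:_spf.mailer.example ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com"
FIXED_SPF = "v=spf1 include:_spf.mailer.example -all"
FIXED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example-corp.com"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=")


def spf_findings(record):
    """Return human-readable weaknesses in an SPF record (empty list if none)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    findings, tail = [], terms[-1].lower()
    if tail in ("+all", "all"):
        findings.append("'+all' authorises any host to send as the domain")
    elif tail == "?all":
        findings.append("'?all' is neutral: forged mail neither passes nor fails")
    elif tail == "~all":
        findings.append("'~all' softfails; only safe if DMARC enforces")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def dmarc_grade(record):
    """Grade a DMARC record as 'missing', 'monitoring' or 'enforcing', with reasons."""
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no DMARC record: receivers apply no policy to forged mail"]
    findings, policy = [], tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100 leaves part of the forged mail unfiltered")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports showing who spoofs the domain")
    return ("monitoring" if policy == "none" else "enforcing"), findings


if __name__ == "__main__":
    for name, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("fixed", FIXED_SPF, FIXED_DMARC)):
        print(name, spf_findings(spf), dmarc_grade(dmarc))
```

DKIM is not covered here because its check needs the signed message, not just the DNS record; a p=none policy is the usual first step of a rollout and should be moved to quarantine and then reject once the aggregate reports show legitimate senders passing.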
The human layer ties it together. Because regulations such as NIS2 and DORA now require regular cybersecurity awareness training for staff, organisations are expected to demonstrate that people can recognise these variants in practice. Ongoing phishing simulations paired with short, in-the-moment training - on platforms such as PhishGun - build measurable resilience across channels and turn employees into an active line of defence rather than a single point of failure.
Frequently asked questions
What are the main types of phishing?
The main types are email phishing, spear phishing, whaling and BEC, smishing (SMS), vishing (voice calls) and quishing (QR codes), plus variants such as clone phishing, pharming and OAuth consent phishing. They differ by delivery channel and how precisely they target the victim, but all rely on deceiving a person rather than exploiting software.
What is the most common type of phishing?
Bulk email phishing remains the most common type by volume, and email is the channel where most campaigns begin. However, targeted spear phishing and Business Email Compromise cause disproportionately large financial losses despite their lower volume.
What is the difference between smishing, vishing and quishing?
They are the same idea on different channels: smishing arrives by SMS or messaging app, vishing comes through a phone call (often using AI voice cloning), and quishing hides the malicious link inside a QR code. Moving off email helps attackers bypass email filters and reach people on personal devices.
Why does it matter to know the different phishing types?
Each type needs a slightly different defence - email authentication for bulk phishing, call-back verification for BEC, and channel-wide awareness for smishing, vishing and quishing. Knowing the taxonomy lets defenders close gaps that a single control would miss and helps employees recognise an attack whatever form it takes.