Phishing isn’t just a nuisance. It’s one of the most pervasive and damaging cybersecurity threats facing organizations today, and defending against it all comes down to one thing: people.
Responsible for numerous data breaches and billions of dollars in financial losses globally, phishing attacks exploit human psychology to steal credentials, deploy malware, and commit fraud. And while you might invest heavily in endpoint security, it doesn’t prevent an employee from making one click that leads to a cascade of consequences, from financial loss to reputational damage.
In 2025, phishing training is non-negotiable because the threat is far more expansive than ever: attackers leverage a vast arsenal of technologies and techniques across multiple channels.
AI phishing, for example, has transformed the long, manual process of developing content, choosing targets, and deploying attacks into something that now takes only moments.
As the landscape continues to evolve, IT and security teams recognize that robust awareness and preparation are more critical than ever. Employees need the knowledge and confidence to serve as the organization’s human firewall, bolstering overall security posture against AI-powered threats.
Let’s explore the most common types of phishing attacks you and your employees need to recognize.
#1. Email Phishing
Email phishing is the foundational type of phishing attack, involving the sending of generic, non-personalized emails to a large number of recipients. Attackers play a numbers game, knowing that even a tiny success rate can yield significant results when targeting anywhere from a few dozen people to millions.
Emails often mimic employers, family, friends, and well-known brands, relying on familiarity and trust to elicit a click.
Common goals include credential harvesting and the widespread distribution of malware.
Here are email phishing examples:
- Fake Password Reset Notification: An email appears in your inbox, seemingly from a major service like Microsoft 365 or PayPal, claiming that your password has expired or that suspicious activity requires a password reset. The included link, however, points to a fake login page that’s ready to capture the credentials entered.
- ‘Account Verification Required’ Email: In this scenario, an email pretends to be from a platform like Amazon, Netflix, or your email provider, insisting you must verify account details due to a policy update or security concern. Clicking the link directs you to a phishing site that steals your login information.
Generic greetings and grammatical errors were once a telltale sign of email phishing, but AI has changed that, and attackers can now send bulk emails with personalization at scale. Look for mismatched sender email addresses or a random string of letters or numbers appended, and always hover over links before clicking to see the actual destination URL.
#2. Spear Phishing
Unlike broad-spectrum phishing, spear phishing is a highly targeted phishing attack. Attackers invest time researching their victims — using open-source intelligence (OSINT) to gather data from social media, company websites, and news articles — to craft personalized communications that appear legitimate.
Communications for spear phishing typically include information relevant to the recipient’s role, projects, or recent activities, and this personalization makes communications more convincing.
Ultimately, the goal of this type of phishing attack is to steal credentials, deliver tailored malware, or initiate fraud.
Here are spear phishing examples:
- Personalized Malicious Document Sharing: Imagine receiving an email seemingly from a trusted colleague with a subject line like “Draft Proposal for Project Review,” and the email body refers to a recent meeting and asks you to review an attached file named Project_Proposal_Draft_v3.docx. The context is familiar and personalized, so you might lower your guard, unaware that the document carries malware designed to compromise your system.
- Fake Invitation from Compromised Account: Attackers might first compromise a legitimate email account and then use it to send spear phishing emails to the victim’s contacts. You could receive an email from a known vendor inviting you to collaborate on a shared document, and since it comes from a trusted source, you’re more likely to click the link.
Be wary of unexpected requests, even if they appear to come from a known source and contain personalized information. Additionally, verify requests through a separate communication channel, such as a phone call or instant message, before clicking links or opening attachments.
As is true for every type of phishing attack, always question if the sender would typically ask for the desired information via a specific communication channel. When in doubt, employees should never engage; instead, any suspicious activity needs to be reported to the IT or security team.
#3. Whaling
Whaling takes spear phishing a step further by explicitly targeting leadership, C-suite members, or other high-profile individuals within an organization, known as ‘whales’ among attackers.
Targets are chosen for their high level of authority, access to sensitive information, and ability to authorize significant financial transactions. As such, whaling attacks — whether by email, voice, video, or SMS — often mimic critical business communications to increase the likelihood of engagement.
Here are whaling examples:
- Fake Confidential Request: An email that appears to come from a reputable law firm or government agency lands in a CEO's inbox. It contains an urgent, password-protected PDF. Opening the attachment or entering credentials to view it could trigger malware installation or lead to credential theft.
- Impersonated Communications from Board Members: An attacker researches the company’s board members and spoofs their email addresses or mimics their communication styles to email the CFO requesting urgent information related to a fictitious confidential deal or asking for insights that involve revealing financial data.
Executives, just like all employees, should scrutinize emails and other communications that demand urgent, high-stakes actions or request sensitive information, especially if they involve bypassing standard procedures.
Organizations, meanwhile, should implement strict protocols for verifying significant requests out of band, even for internal communications.
#4. Business Email Compromise
Business email compromise (BEC) attacks are a sophisticated form of phishing focused on carrying out financial fraud by impersonating executives or trusted partners.
These attacks manipulate employees, typically in finance or human resources (HR), into making unauthorized wire transfers, altering direct deposit details, or disclosing sensitive corporate data.
BEC attacks typically involve no malicious links or attachments, relying purely on social engineering.
Here are business email compromise examples:
- Fake Invoice Scam: An email arrives in the accounts payable department, appearing to be from a regular supplier. The message politely informs them of updated banking details for future payments and provides new account information, often accompanied by a legitimate-looking (but fraudulent) invoice attachment.
- CEO Fraud Requesting Urgent Transaction: An employee receives an email, seemingly from their CEO, who’s stuck in a meeting, requesting an urgent wire transfer to secure a time-sensitive deal. Alternatively, the request might be for purchasing several gift cards for employee or client appreciation, asking for the codes to be emailed back immediately.
Everyone within an organization should exercise caution when receiving emails requesting urgent financial transactions, changes to payment details, or the sharing of employee data (such as W-2s). Look for pressure tactics, requests for secrecy, and slight variations in contact information, like supplier@examplle.com instead of supplier@example.com.
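The mismatched-sender checks described under email phishing and BEC above (examplle.com posing as example.com) can be automated at the mail gateway or in a reporting workflow. The following is an added example, not code from the original article or from Adaptive Security; the trusted-domain allowlist and sample sender addresses are constructed for illustration.

```python
"""Flag sender domains that are near-misses of trusted partner domains."""

# Constructed allowlist of domains the organization actually does business with.
TRUSTED_DOMAINS = {"example.com", "bigairline.com", "vendor-payments.net"}

# Character substitutions that look alike at a glance; folded before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lowercase and fold look-alike characters so examp1e.com compares as example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(address: str) -> str:
    """Return the domain part of an email address, lowercased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a sender address."""
    domain = sender_domain(address)
    # Exact match or a genuine subdomain of a trusted domain.
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    folded = normalize(domain)
    for good in trusted:
        good_folded = normalize(good)
        # Same after folding homoglyphs (examp1e.com), or a typo-distance away (examplle.com).
        if folded == good_folded or levenshtein(folded, good_folded) <= max_distance:
            return f"lookalike:{good}"
        # Trusted name buried inside an attacker-controlled domain (example.com.attacker.net).
        if good_folded in folded:
            return f"lookalike:{good}"
    return "unknown"
```

Tune `max_distance` to the length of your trusted domains; a distance of 2 on a very short domain will over-flag unrelated senders.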
#5. Clone Phishing
Clone phishing leverages legitimacy by duplicating a real email that the victim previously received. Attackers obtain a legitimate email, such as an invoice or shipping notification, copy it precisely, and modify crucial elements, such as replacing legitimate links or attachments.
With clone phishing, attackers often use a spoofed email address similar to the original sender, sometimes claiming it’s a corrected or updated version.
Here’s a clone phishing example:
- Invoice with Malicious Link or Attachment: You previously received an invoice from a vendor and then get a near-identical email, perhaps with a subject line correcting the invoice number. The email explains a minor error in the previous version and directs you to click a link or download an attachment, which is malicious.
Be suspicious of ‘updated’ or ‘corrected’ versions of legitimate emails you’ve recently received, especially if they contain new links or attachments. Carefully verify the sender’s email address and the destination of any links. And, if in doubt, contact the supposed sender through a known, trusted channel to confirm the legitimacy of the correspondence.
#6. Smishing (SMS Phishing)
Smishing shifts the threat vector to SMS text messages. Attackers exploit the immediacy and perceived trustworthiness of a text message, creating a sense of urgency that prompts quick action.
Text messages for smishing usually request personal information, ask the recipient to call a fraudulent phone number, or contain malicious links. Due to the concise nature of SMS, it can be very challenging to identify suspicious elements.
Here are smishing examples:
- Fake Delivery Notification: A text message states, “Your package from UPS is on hold due to an issue with the delivery address. Please update your details here,” followed by a malicious link asking for your full name, address, phone number, and perhaps even payment information.
- Urgent Bank Account Security Alert: You receive an alarming text message saying, “Security Alert: Unusual login detected on your Bank of America account. If this wasn’t you, please secure your account immediately,” followed by a link taking you to a bank login page designed to steal your bank account username and password.
Unsolicited text messages, especially those with urgent requests or links, should be met with caution. Legitimate companies rarely ask for login credentials or other sensitive information via SMS. Always go directly to a brand’s website to communicate through its official channels.
#7. Vishing (Voice Phishing)
Vishing employs voice calls to execute phishing attacks. Attackers use voice over IP (VoIP) technology to spoof legitimate caller IDs (like your bank’s number or a government agency) and social engineering techniques to build trust, sow urgency, or instill fear.
During a vishing attack, the attacker might aim to extract sensitive information directly over the phone, convince you to install malware, or trick you into making a fraudulent payment.
Here are vishing examples:
- Tech Support Scam: A caller claims to be from Microsoft or Apple’s customer service team, stating your computer is sending error signals or is infected with a virus. They offer to ‘help’ by guiding you to install remote access software or by charging for unnecessary services.
- AI-Cloned Voice Impersonation: An employee receives a call in what sounds like their manager’s voice, urgently instructing them to process a specific payment or share confidential client data and to bypass regular verification because the voice seems authentic.
Remember that even caller ID can be spoofed, so it’s not enough to see a familiar name or number and assume it’s an authentic call. If a caller claims to be from a known organization but asks for access to your devices or makes an immediate request, hang up and call the organization or individual back using an official phone number from their website or your records.
#8. Quishing (QR Code Phishing)
Quishing utilizes malicious quick response (QR) codes as the delivery mechanism for phishing scams. Easily generated and deployed in physical and digital spaces, these codes direct users’ smartphones to phishing websites, initiate malware downloads, add fraudulent contacts, and more when scanned.
QR codes are innocuous in appearance, which makes them an effective threat vector.
Here are quishing examples:
- Malicious QR Codes in Public Spaces: Attackers place stickers printed with malicious QR codes over legitimate ones found on parking meters, directing unsuspecting users to fake payment sites.
- QR Codes Embedded in Phishing Emails: An email includes an embedded QR code that prompts users to scan to verify their identity or access a protected document, ultimately leading them to a phishing site.
Scanning QR codes from untrusted sources or unexpected public locations is a no-go. Preview the URL in your camera or QR code scanner before opening it in a browser. If the QR code prompts a login page or requests sensitive information, treat it as highly suspicious.
#9. Deepfake Phishing
Representing a significant leap in phishing attack sophistication, deepfake phishing leverages artificial intelligence (AI) to create highly convincing fake videos, images, or audio recordings that impersonate real individuals.
Deepfakes can be used to create fake video messages, participate in manipulated video conferences, or enhance vishing calls with cloned voices. As a result, the impersonation displayed through a deepfake is incredibly difficult to detect solely based on sight or sound.
Here’s a deepfake phishing example:
- Urgent Deepfake Video Call from a Colleague: You receive a video call on Zoom, which appears to be from your manager or a project teammate — their face and voice seem authentic. However, it’s an AI-generated deepfake, and the ‘colleague’ urgently requests sensitive files, credentials, or approval for a transaction.
While it may be difficult, look for subtle visual anomalies in videos, such as unnatural facial movements or poor lip-syncing, or unusual audio artifacts. More importantly, any unusual or high-stakes request should go through the organization’s established approval procedures, regardless of how convincing the video or audio appears.
#10. Angler Phishing
Angler phishing occurs on social media platforms when attackers create fake profiles impersonating the customer service accounts of well-known brands in industries such as banking, hospitality, and retail.
Attackers actively monitor public posts where users mention the brand, particularly those containing complaints or requests for help.
The fake accounts then reply or send a direct message, offering assistance to ‘angle’ the user into revealing personal information, providing account credentials, or clicking a malicious link.
Here’s an angler phishing example:
- Fake Customer Service Account Responding to Public Complaints: A frustrated customer tweets, “@BigAirline My flight was canceled, how do I rebook?” So a fake account, @BigAirline_Support, quickly replies, “We’re sorry for the trouble! Please DM us your booking reference number and account credentials so we can assist you immediately.”
Social media allows anyone to create an account, so be cautious of those offering customer support, especially if they initiate contact or request that you move to direct messages for sensitive information. Most platforms typically verify legitimate and well-known brands, and you can verify official accounts through a company’s website.
#11. Search Engine Phishing
Search engine phishing exploits search engines like Google or Bing to direct users to malicious websites. Attackers either pay for malicious advertisements that appear at the top of search results for specific keywords, or use ‘black hat’ search engine optimization — known as SEO poisoning — to make their phishing sites rank highly in organic search results.
Here are search engine phishing examples:
- Malicious Ads for Customer Support: A user searches for a cryptocurrency brand’s customer support phone number, and the top result is a paid advertisement displaying a number; however, calling this number connects the individual to scammers attempting to steal keys or personal information under the guise of providing support.
- SEO-Poisoned Fake Login Page: Using deceptive SEO tactics, an attacker gets fake pages to rank highly in organic search results for terms like “[Service Name] login.” Users searching for the legitimate version might click the high-ranking fake result and unknowingly enter their credentials.
Don’t assume every ad or organic result displayed by a search engine is legitimate, especially for support numbers and login pages; always try to find the official website link instead.
#12. Pharming
Pharming is a technically distinct type of phishing attack that redirects users to malicious websites even if they type the correct URL into their browser.
Attackers achieve this by corrupting the process that translates domain names into IP addresses, either by compromising DNS server settings or by using malware to modify the ‘hosts’ file on the victim’s device itself.
Here are pharming examples:
- DNS Cache Poisoning: Attackers compromise a DNS server used by an organization, altering the entry for a legitimate banking website to redirect it to the IP address of their fake replica site. When users attempt to visit the bank online, they’re automatically redirected to a fraudulent site without warning.
- Malware Modifying a User’s Hosts File: A user inadvertently installs malware from a phishing email or infected download, which modifies the computer’s local ‘hosts’ file by adding entries that force specific legitimate domain names to resolve to the IP address of phishing sites.
While it’s difficult for end users to detect directly, look for browser warnings about invalid SSL/TLS certificates, or websites that suddenly appear different or request unusual information despite typing the correct URL.
Additionally, ensure your system uses trusted DNS servers and that anti-malware software is active and up to date to detect malware that might modify the hosts file.
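The hosts-file modification described above leaves a recognizable trace: public domain names pinned to fixed addresses. Below is an added example, not code from the original article or from Adaptive Security, that parses hosts-file text and flags such overrides, with a fingerprint for comparison against a known-good baseline. The sample hosts content, the watchlist and the addresses are constructed for illustration.

```python
"""Detect pharming-style overrides in a hosts file."""
import hashlib
import ipaddress

# Constructed sample: lines 1-4 are normal; the last three are the kind of
# override a pharming infection adds (198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, used here as placeholders).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.1.1       workstation.corp.internal
10.0.0.5        git.corp.internal   # internal service, expected
198.51.100.23   www.examplebank.com examplebank.com
198.51.100.23   login.example-payroll.com
203.0.113.9     update.example-software.net
"""

# Names that legitimately appear in a hosts file.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}
# Suffixes used for internal, non-public names.
INTERNAL_SUFFIXES = (".internal", ".local", ".lan", ".localdomain", ".test", ".home.arpa")
# Constructed watchlist: domains users in this organization sign in to.
WATCHLIST = {"examplebank.com", "example-payroll.com"}


def parse_hosts(text: str):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def on_watchlist(name: str, watchlist=WATCHLIST) -> bool:
    return any(name == d or name.endswith("." + d) for d in watchlist)


def is_public_name(name: str) -> bool:
    return "." in name and name not in LOCAL_NAMES and not name.endswith(INTERNAL_SUFFIXES)


def find_overrides(text: str, watchlist=WATCHLIST):
    """Return (address, hostname, reason) for entries that look like pharming overrides."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or name in LOCAL_NAMES:
            continue  # normal loopback mappings
        if on_watchlist(name, watchlist):
            findings.append((ip, name, "watchlisted domain pinned in hosts file"))
        elif is_public_name(name):
            findings.append((ip, name, "public domain pinned to a fixed address"))
    return findings


def fingerprint(text: str) -> str:
    """SHA-256 of the file content, to compare against a stored known-good baseline."""
    return hashlib.sha256(text.encode()).hexdigest()
```

On Linux and macOS the file is /etc/hosts; on Windows it is %SystemRoot%\System32\drivers\etc\hosts, and the same check applies to its contents.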
#13. Evil Twin Attack (WiFi Phishing)
An evil twin attack, also known as WiFi phishing, involves setting up a rogue WiFi access point that mimics a legitimate, trusted network, such as Airport Free WiFi or CoffeeShop_Guest.
Unsuspecting users connect their devices to this ‘evil twin,’ and once connected, attackers can potentially intercept unencrypted network traffic for a man-in-the-middle (MitM) attack.
More commonly, attackers rely on WiFi phishing to present users with a fake captive portal login page, stealing credentials for various services or credit card information.
Here are evil twin, or WiFi phishing, examples:
- Fake Public WiFi Captive Portal Harvesting Credentials: You connect to what appears to be free WiFi at a hotel, and a familiar-looking portal page pops up and asks you to log in with your room number and last name, or perhaps your email and password — all captured by the attacker.
- Man-in-the-Middle Attacks on Unsuspecting Users: After connecting to an evil twin network, if a user visits websites that don’t enforce HTTPS encryption properly, the attacker controlling the fake hotspot can monitor the data exchanged, capturing login details, session cookies, or other sensitive information transmitted in plain text.
Public WiFi networks are dangerous for several reasons, and if multiple networks in the same area have similar names, one could be an ‘evil twin.’ Avoid unsecured networks, and disconnect immediately if a login portal requests more information than seems necessary.
It’s also wise to use a VPN on public WiFi networks to encrypt your traffic.
#14. Watering Hole Attack
Instead of directly targeting victims via email or other direct communications, watering hole attacks compromise legitimate websites that members of a specific target group, such as company employees, are known to visit frequently — the digital ‘watering hole,’ so to speak.
Attackers identify vulnerabilities on trusted sites and inject malicious code designed to infect visitors’ devices with malware, redirect them to phishing pages, or exploit browser vulnerabilities.
Here are watering hole attack examples:
- Compromised Industry News Site: Attackers exploit a vulnerability on a popular cybersecurity news website to embed malicious scripts. When IT and security professionals visit the site for information, the script silently runs, attempting to install spyware or direct them to a fake login page for a corporate tool they commonly use.
- Infected Online Forum Delivering Malware: A well-known online forum dedicated to cybersecurity is compromised, with attackers injecting code that serves malware disguised as a software update or a popular plugin to unsuspecting regular visitors who trust the site and its content.
End users can’t easily detect this, since the site itself is legitimate. Still, it’s essential to keep browsers, operating systems, and any programs or plugins fully patched and updated to protect against exploits often delivered through watering hole attacks. Organizations can also utilize endpoint security software with web protection features to safeguard their employees.
Build a Multi-Layered Defense Against Phishing Attacks
Phishing attacks are incredibly diverse, exploiting numerous vectors and becoming more dangerous as AI amplifies their effectiveness.
Defending against this complex array of cybersecurity threats requires a robust, multi-layered strategy within security awareness training that includes:
- Cultivate Deep-Seated Skepticism: Encourage a default stance of questioning unsolicited or unexpected communications, regardless of the channel. Urgency, unusual requests, and unexpected links or attachments should always raise suspicion.
- Verify Independently: Make it a standard practice to verify suspicious or high-stakes requests through a separate communication channel. For example, if an email asks for a wire transfer, call the supposed sender using a known, trusted phone number.
- Scrutinize Details: Train employees to meticulously check contact information, hover over links to preview the actual URL destination, examine visual elements, and verify the legitimacy of information.
- Implement & Enforce Multi-Factor Authentication (MFA): Multi-factor authentication is one of the most effective controls against credential theft. Even if attackers steal passwords, they’re unlikely to have the second factor. Enforce MFA wherever possible.
- Maintain Rigorous Patch Management: Keep operating systems, browsers, security software, and all applications updated as patches frequently fix vulnerabilities that cybercriminals exploit.
- Establish Clear Reporting Channels: Ensure employees know precisely how to report suspected phishing scams quickly and easily. Prompt reporting enables IT and security teams to respond more quickly.
Endpoint security and many other technological defenses remain critical, but human error often leads to costly and damaging cyber incidents that could have been easily avoided. Even the most advanced security stack can be circumvented if a cybercriminal successfully manipulates an employee.
This is why standard, check-the-box training with legacy solutions fails to keep pace with today’s AI-powered, multi-channel phishing attacks. In 2025 and beyond, employees require engaging, continuous learning reinforced by realistic practice to build lasting behavioral change and true resilience.
Adaptive Security understands the nuances of this evolving threat landscape, and our next-generation platform delivers dynamic security awareness training coupled with cutting-edge phishing simulations designed to prepare your team for the full spectrum of modern attacks, including those powered by AI. Our platform prepares your employees to recognize and, more importantly, respond to sophisticated social engineering attacks across all vectors, transforming your human firewall from a liability to a line of defense.