
Types of phishing attacks: a complete overview

Not all phishing is the same. From mass email campaigns to highly targeted attacks on executives: the types of phishing attacks are becoming increasingly varied and convincing. This article covers all major variants, including recognition tips for each type.

1. Email phishing (mass phishing)

The classic and most common form. An attacker sends the same fake email to thousands or even millions of recipients simultaneously. The goal is broad: steal banking details, intercept passwords or install malware.

Mass phishing is recognisable by generic language ("Dear customer"), imitation branding of known organisations like Microsoft, your bank or a parcel carrier, and links to domains that appear correct at first glance but differ on closer inspection.

Recognition signs:

  • Salutation without a name or with an unusual name
  • Urgency: "respond within 24 hours"
  • Links with deceptive domains (e.g. paypa1.com, micros0ft.com)
  • Request for password, PIN or payment details

2. Spear phishing

Spear phishing is the targeted variant: the attacker focuses on a specific person or small group, with personalised content. The email appears to come from a colleague, customer or business partner and contains details that build trust: your name, your company, a current project.

Spear phishing requires more preparation from the attacker - gathering information via LinkedIn, the company website or previously leaked data - but is also significantly more effective. Click-through rates for spear phishing are on average three times higher than those for mass phishing.

Recognition signs:

  • Email contains your name, job title or a reference to a specific project
  • Sender address resembles a known contact but differs subtly
  • The request falls just outside normal working procedures
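As an added defender-side example that is not part of this article: a small Python check that flags sender domains which are only a glyph swap or a character or two away from a domain on an organisation's allowlist, covering both the deceptive domains from section 1 (paypa1.com, micros0ft.com) and the "differs subtly" sender addresses from section 2. The allowlist, the homoglyph table and the similarity threshold are assumptions chosen for the example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist of domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "example-supplier.com"}

# Digits and symbols commonly swapped in for the letters they resemble (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(domain: str) -> str:
    """Lower-case, strip non-ASCII look-alikes and fold digit substitutions, so paypa1 -> paypal."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    d = d.replace("rn", "m").replace("vv", "w")  # 'rn' reads as 'm', 'vv' reads as 'w'
    return d.translate(HOMOGLYPHS)


def sender_domain(address: str) -> str:
    """Extract the domain from 'Display Name <user@host>' or from a bare user@host address."""
    m = re.search(r"@([\w.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85) -> str:
    """Return 'trusted', 'lookalike' (near a trusted domain but not equal to it) or 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Identical after normalisation: only a glyph substitution separates the two.
        if normalise(domain) == normalise(good):
            return "lookalike"
        # Otherwise flag near-identical spellings (a dropped or changed character).
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, as they would appear in a mail header.
    for hdr in ("PayPal <service@paypa1.com>", "it-support@micros0ft.com",
                "invoices@rnicrosoft.com", "billing@paypal.com", "ceo.private@gmail.com"):
        print(f"{hdr:35} -> {classify_sender(hdr)}")
```

Mail filters that already check SPF/DKIM can run this as an extra rule on the From: header; the threshold trades false positives against missed variants and should be tuned on the organisation's own allowlist.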

3. Whaling (attacks on executives)

Whaling is spear phishing aimed at senior management: CEOs, CFOs and other "big fish". The goal is to gain access to financial systems, sensitive company data or to authorise large payments.

Recognition signs:

  • Targeted at senior management
  • Requests approval of a transaction or confidential information
  • References current business situations or known business partners

4. CEO fraud (Business Email Compromise)

In CEO fraud (also BEC or Business Email Compromise), the attacker impersonates a director or manager and asks an employee to make an urgent transfer or share confidential data. The urgency and apparent authority of the "sender" undermine normal control procedures.

Recognition signs:

  • Sender claims to be a senior manager
  • Requests urgent payment or secrecy ("don't tell anyone")
  • Directs payment to an unknown bank account number
  • Sends from a private email address, or from an address with a small variation on a known one

5. Smishing (phishing via SMS)

Smishing is phishing via SMS or messaging services like WhatsApp. The recipient receives a message from their "bank", parcel carrier or government body with a link to a fake website or a request to call back.

Recognition signs:

  • Unexpected message from a bank, delivery service or government body
  • Link in the message leads to an unusual URL
  • Request for PIN, password or payment details via SMS

6. Vishing (phishing via phone)

Vishing (voice phishing) is phishing via a phone call. The attacker calls as an employee from a bank, Microsoft, the government or an IT department and requests access to systems, login credentials or payments.

Recognition signs:

  • Call demands immediate action: "block your account now"
  • Request for login credentials or remote access to your computer
  • Caller claims to be from a known organisation but calls unexpectedly

7. Clone phishing

Clone phishing is an advanced technique where the attacker copies a legitimate email that was previously sent - from a bank, supplier or colleague - and resends it with a modified attachment or link. Because the recipient has already seen the original email, vigilance drops drastically.

Recognition signs:

  • Resembles an email you previously received, but with a different attachment or link
  • Sender name is correct but the email address differs subtly
  • Reason for resending is vague or illogical

Which types of phishing do businesses test most?

In phishing simulations by CoBoo, all the above types are used depending on the goal and sector of your organisation. The most commonly used scenarios include Microsoft 365 login pages, fake supplier invoices, parcel notifications, CEO fraud and IT helpdesk requests.

By simulating multiple types of phishing, you get a complete picture of your organisation's vulnerability - per department and per attack type.
