Published 2026-05-22 · The Pitstop · ← All Articles

Types of Phishing Techniques: Recognize and Stop Them

Professional reviewing suspicious email at office desk

Phishing is no longer just a suspicious email from a Nigerian prince. The types of phishing techniques attackers use today span voice calls, text messages, QR codes, social media accounts, and DNS-level redirects. Many of these attacks are convincing enough to fool security professionals, not just everyday users. If your mental model of phishing stops at email, you are already behind. This article breaks down every major phishing method you need to know, with real examples, a quick-reference comparison table, and the specific defenses that actually work.

Table of Contents

Key takeaways

Point Details
Phishing goes beyond email Attackers now reach victims through texts, calls, QR codes, and social media with equal effectiveness.
Personalization raises the danger Spear phishing and whaling use researched details to make fake messages nearly indistinguishable from real ones.
Standard MFA has limits Adversary-in-the-middle attacks can bypass non-phishing-resistant MFA by capturing live authentication tokens.
Verification must happen out-of-band Never confirm a suspicious message using contact info inside that same message. Use a known, independent channel.
Awareness alone is not enough Multi-layered defenses combining behavioral skepticism, phishing-resistant authentication, and continuous education offer the strongest protection.

1. How phishing techniques are classified

Before diving into specific attacks, it helps to understand how common phishing methods differ from one another. Three criteria define most distinctions: delivery channel, target scope, and attack goal.

Delivery channel is the most obvious dividing line. Phishing reaches victims through multiple channels including texts, calls, ads, and social media messages, which means email vigilance alone is no longer sufficient. Each channel carries different trust signals and different cognitive shortcuts attackers exploit.

Target scope ranges from broad to surgical. A bulk email campaign hitting a million inboxes has very different characteristics from a message crafted specifically for one CFO using details pulled from LinkedIn. The broader the attack, the less personalized and therefore easier to spot. The narrower the attack, the more dangerous.

Attack goal shapes the entire structure of a phishing attempt. Some attacks want your login credentials. Others aim to deliver malware. Others skip all of that and go straight for a wire transfer. Understanding what an attacker wants helps you recognize what they are most likely to fake.

Pro Tip: When evaluating a suspicious message, ask yourself what the sender wants you to do. Clicking, calling, downloading, paying, or logging in are all triggers worth pausing on regardless of how legitimate the message looks.

2. Email phishing

Email phishing is the original and still the most widespread form of attack. Attackers send bulk messages impersonating trusted brands like banks, shipping companies, or government agencies. The goal is volume. Even a 0.1% click rate across a million emails produces a thousand victims.

These messages often use urgent stories claiming suspicious account activity, failed deliveries, or government refunds to pressure you into clicking before thinking. The links lead to convincing fake login pages designed to harvest your credentials.

3. Spear phishing

Spear phishing is email phishing with homework done first. Attackers research their target using LinkedIn, company websites, and data breach records to craft a message that references your name, your job title, your colleagues, or a project you are working on.

The personalization is what makes it lethal. When an email appears to come from your direct manager and mentions a real ongoing project, your defenses drop. Spear phishing is the entry point for most major corporate breaches. It is not a numbers game. It is a precision instrument.

4. Whaling

Whaling targets executives specifically, and the stakes are proportionally higher. A CEO receives a fake legal notice about a pending lawsuit. A CFO gets an urgent wire transfer request that appears to come from the board. These executive-targeted attacks often claim urgent financial or legal issues to exploit authority and bypass normal approval processes.

What separates whaling from standard spear phishing is the implied authority of the target. Executives are often accustomed to acting fast on high-priority information. Attackers exploit exactly that habit.

5. Clone phishing

Clone phishing is particularly insidious because it exploits an existing relationship. The attacker takes a real, legitimate email you previously received, creates an exact visual copy, swaps the links or attachments for malicious ones, and resends it claiming it is an update or correction to the original.

This method exploits trust in past communications, making it far harder to detect than a cold phishing email. You already trusted the sender once. The message looks identical. The only change is the payload.

Pro Tip: If you receive a follow-up to an email that you do not remember specifically asking for, go directly to the source by typing the company URL manually. Do not use any links in the new message.

6. Vishing

Vishing uses phone calls instead of written messages. A caller claims to be from your bank, the IRS, Microsoft support, or your company’s IT department. The social pressure of a live voice interaction makes many people comply with requests they would reject in writing.

Man receives suspicious phone call in home office

The threat has escalated sharply. AI voice cloning requires only a few seconds of audio to convincingly impersonate a trusted contact, and CrowdStrike reports a 442% rise in voice phishing due to this technology. Attackers can now call your employees while sounding exactly like their manager or your company’s CEO. This is one of the most underestimated phishing attack strategies in circulation right now.

7. Smishing

Smishing uses SMS text messages to deliver phishing payloads. A text claims your package is held at customs, your bank account has been locked, or your subscription is about to renew for $399. A link follows. The link leads to a credential-harvesting page or a malware download.

Text messages carry a psychological advantage for attackers. People trust SMS more than email, partly because spam filters have not caught up and partly because texts feel personal. More people report scammer contacts via text than any other method, which tells you exactly where attackers are focusing their energy.

8. Pharming

Pharming takes a different approach entirely. Instead of tricking you into clicking a bad link, it corrupts the process of translating a URL into an IP address. DNS poisoning or host file manipulation redirects your browser to a fake website even when you type the correct address yourself.

This bypasses one of the most common phishing awareness tips given to users: “just check the URL.” With pharming, the URL looks right. The page looks right. The only indication something is wrong might be a missing HTTPS padlock or a slightly off SSL certificate. This is why checking for valid certificates matters more than checking the text of the URL.

9. Quishing

Quishing uses QR codes as the delivery vehicle. A malicious QR code appears on a flyer, in an email, on a parking meter, or in a fake notification. You scan it with your phone and get sent to a phishing page. Your phone’s browser is less likely to have the same security controls as your work laptop, which makes this channel particularly effective.

Quishing surged in recent years precisely because most users were trained to be suspicious of links but not of QR codes. Attackers go where defenses are weakest. Right now, QR codes are one of those gaps.

10. Angler phishing

Angler phishing operates through fake social media support accounts. You post a complaint about your bank on X or Facebook. Within minutes, a fake account mimicking the bank’s official support handle responds, offering to help and directing you to a fake resolution portal.

This technique targets people who are already frustrated and actively seeking contact from the company. That emotional state makes victims far more likely to hand over account credentials to what they believe is a helpful customer service agent. Social media scams yield the highest reported financial losses of any contact method.

11. Adversary-in-the-middle phishing

Adversary-in-the-middle (AiTM) attacks represent the most technically advanced phishing technique on this list. The attacker does not just steal your password. They position themselves between you and the real website, proxying your actual login session and capturing authentication tokens in real time.

The critical implication: standard MFA does not stop this. You enter your real password, pass your real MFA challenge, and the attacker captures the resulting session token. Microsoft documented a multi-stage campaign that used this method to compromise accounts even when MFA was enabled. The only reliable defense is phishing-resistant authentication such as FIDO2 hardware keys or passkeys, which cryptographically bind the authentication to the legitimate origin.

Comparing phishing techniques at a glance

Technique Delivery channel Target scope Primary goal Detection difficulty
Email phishing Email Broad Credential theft Low to moderate
Spear phishing Email Individual/team Credential theft, fraud High
Whaling Email Executive Financial fraud Very high
Clone phishing Email Previous contacts Malware, credentials Very high
Vishing Phone call Broad or targeted Financial fraud, access High
Smishing SMS Broad Credentials, malware Moderate
Pharming DNS/network Broad Credential theft Very high
Quishing QR code Broad Credentials, malware High
Angler phishing Social media Complaint-driven Credential theft High
AiTM phishing Email/proxy Targeted Session hijacking Extremely high

12. How to protect yourself against phishing

Knowing the types of phishing techniques is only useful if you translate that knowledge into habits. Here are the protections that make a measurable difference.

  1. Verify through independent channels. When a message asks you to act, contact the company using a number or website you already know, not any contact information in the suspicious message itself. This single habit neutralizes most phishing attempts.
  2. Use phishing-resistant MFA. FIDO2 security keys and passkeys are bound to the legitimate website origin. They cannot be replayed by an AiTM attacker. Time-based OTP codes and SMS codes can be captured and reused.
  3. Update your software. Many phishing attacks rely on exploiting unpatched browsers or plugins to deliver malware after you click. Staying current removes that second layer of attack surface.
  4. Treat urgency as a red flag. Legitimate organizations rarely demand immediate action through unsolicited messages. Urgency is the attacker’s primary psychological lever. Slow down when something feels pressing.
  5. Be skeptical of unsolicited QR codes. Before scanning, consider the source. A QR code in a physical location you did not expect is just as dangerous as a link you did not ask for.
  6. Check social media accounts before engaging. Verify follower counts, account age, and blue checkmarks before providing any information to a social media support account. Look up the real account handle yourself.

Pro Tip: Run a phishing awareness assessment on yourself or your team periodically. Knowing what you know in theory and reacting correctly under simulated pressure are two very different things.

My take: the verification mistake that keeps costing people

I have spent years working at the intersection of human behavior and security systems, and one pattern stands out above everything else. When people receive a suspicious message, their instinct is to verify it. That is the right instinct. The mistake is in how they verify.

Most people call the number in the email. They reply to the sender asking if it is legitimate. They click the “contact us” link in the message itself. Every one of those actions puts you in direct communication with the attacker. They will tell you everything is fine. They will reassure you. They have scripted exactly this scenario.

I have seen this failure mode take down people who were genuinely security-aware. Smart people with good instincts who just made the one wrong move of verifying inside the attacker’s controlled environment. The AiTM token hijacking documented by Microsoft is the logical extreme of this problem. It is not just that traditional defenses fail. It is that attackers have engineered environments that turn your own verification behavior against you.

The discipline I would advocate for is simple and non-negotiable: all verification happens outside the channel that delivered the suspicious message. Full stop. Your phishing defense strategy is only as strong as that one habit. Everything else, the training, the filters, the MFA, it all works better when this habit is in place.

— Nicholas

Test your defenses before attackers do

Understanding these phishing methods is the starting point. The real question is whether you and your team would actually recognize them under pressure.

https://thepitstop.ai

Thepitstop offers free tools built specifically for this. The SERA™ Certification is a professional credential for social engineering resilience that tests your real-world ability to detect and resist phishing and social engineering attacks across every channel covered in this article. Beyond certification, Thepitstop’s platform includes a free AI agent security scan to assess your full attack surface, and a social engineering defense workflow designed specifically for teams operating with AI agents alongside human operators. If phishing is part of your risk profile, and it is for every organization, these tools give you something most awareness training does not: actual measured results.

FAQ

What is the most common type of phishing attack?

Email phishing remains the most widespread method due to low cost and high volume. However, smishing via text message is growing fastest in reported victim contacts.

Can phishing bypass multi-factor authentication?

Yes. Adversary-in-the-middle phishing captures live authentication tokens, bypassing standard MFA. Only phishing-resistant methods like FIDO2 keys or passkeys block this attack class.

What is the difference between phishing and spear phishing?

Phishing sends generic messages to large groups while spear phishing uses personal details gathered through research to target specific individuals, making it far harder to detect.

How does pharming differ from standard phishing?

Pharming redirects you to a fake site even when you type the correct URL by corrupting DNS or host files. You do not need to click anything suspicious for it to work.

What is the first thing to do when you suspect a phishing message?

Do not use any contact information in the suspicious message. Reach the company directly through a website or phone number you already know and verify independently.

🔍 Scan Your AI Agent for Free

27 security checks. 2 minutes. No signup required.

Run Free Scan →