Phishing in 2026 comes in 12 distinct variants that show up systematically in real investigations, each with its own vector and its own defence. The 12 categories: mass phishing, spear phishing, whaling, BEC, vishing, smishing, clone phishing, AitM (Adversary-in-the-Middle), evil twin Wi-Fi, watering hole, search engine phishing and QR phishing (quishing). They are not all defended the same way, and treating them as a single block is what leaves gaps in most defensive programmes.
This guide explains the 12 types of phishing any security leader should distinguish, the signals that allow identifying each variant in real emails or calls, the public cases that illustrate the pattern (Twitter 2020, Uber 2022 MFA fatigue, MGM 2023, Snowflake 2024), how a modern organisation defends itself in layers and why phishing-resistant MFA (FIDO2/WebAuthn) is the only robust defence against the AitM kits dominating the landscape in 2026. It's the variant guide that complements the social engineering pillar.
What phishing is and why types matter
Phishing is the broadest category within social engineering: impersonating a trusted entity to get the victim to hand over information, execute code or perform an action they would not normally take. The word is a play on "fishing", with the "ph" spelling borrowed from 1990s phreaking slang.
Distinguishing types matters because each variant has a different defence:
- Mass phishing gets stopped with email security and URL filters.
- Spear phishing requires role-specific training for executives.
- BEC needs out-of-band procedures for transfers.
- AitM only falls with FIDO2/WebAuthn MFA.
- Vishing demands helpdesk hardening and robust verification.
- Smishing depends on carriers and mobile filters.
- Evil twin Wi-Fi is only avoided with always-on VPN or authenticated corporate networks.
An organisation that invests in only one defence covers less than 50% of the problem. The right question isn't "do we have anti-phishing" but "which types do we cover and which remain blind spots".
The 12 types of phishing
1. Mass phishing
The original form. Campaigns with millions of emails impersonating banks, cloud platforms (Microsoft 365, Google Workspace), parcel services (Correos, DHL, Amazon), the Tax Agency or Social Security. Graphic quality is low and spelling mistakes are frequent, but volume compensates for the low success rate.
Typical signs: suspicious sender domain, spelling errors, exaggerated urgency, links to homograph domains (micro-soft.com, microsoft-365.es), generic greeting ("Dear customer"), request for credentials or immediate payment.
Defence: email gateway with URL analysis and attachment sandboxing, strict DMARC/DKIM/SPF, general annual training.
2. Spear phishing
Targeted variant. The attacker researches the target with OSINT (LinkedIn, corporate networks, press releases, GitHub) and builds a personalised email with details only the target should know: their boss's name, ongoing project, internal vocabulary, recent real invoice with a variation.
Signs: very hard for the user to detect because it looks like legitimate communication. The clue is usually in the sender domain (subdomain typosquatting, recently registered domain), a minimal change in the IBAN versus the usual one, or unusual urgency from the boss.
Defence: role-specific training for exposed roles (CISO, CFO, financial leadership, HR), out-of-band procedures to confirm unusual requests, monitoring of homograph domains.
3. Whaling
Spear phishing against "whales": senior executives, CEO, CFO, board. Goals: million-euro transfers, access to strategic information, manipulation of internal communication during M&A or crisis. It's a spear phishing subcategory defined by the target's rank.
Signs and defence: same as spear phishing but with extra weight. Specific board training is mandatory under NIS2 (article 20), although practical implementation varies a lot between companies.
4. BEC (Business Email Compromise)
Real compromise of a corporate account, not just impersonation. The attacker obtains an employee's credentials (usually via prior AitM or an endpoint stealer), accesses the mailbox, watches communication patterns for weeks and then sends payment instructions from the legitimate account at the right moment.
Signs: the email comes from the real sender, so there's no technical anomaly. The clue is usually in subtle IBAN changes, tone shifts versus usual communication or unusual time pressure.
Defence: strong MFA to prevent the initial compromise, monitoring of suspicious inbox rules (rules that hide emails from the legitimate user), mandatory out-of-band procedures for IBAN changes or large payments, segregation of duties in the finance department. According to FBI IC3, this is the category causing the most direct financial damage.
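The inbox-rule monitoring mentioned above can be automated. The following triage is an added example, not code from the original article: it scores a list of mailbox rules for the traits typical of a BEC takeover (hiding money-related mail, auto-forwarding outside the organisation, single-character rule names). The rule dictionaries and the addresses in them are constructed samples in a simplified format; `OWN_DOMAINS` is an assumed allow-list of the organisation's own domains.

```python
"""Flag inbox rules that look like BEC persistence (added example, not from the article).
The rule format is a constructed simplification; real exports (e.g. Exchange Online
Get-InboxRule or the Graph messageRules resource) carry more fields but the same traits."""

OWN_DOMAINS = {"example.com"}  # assumption: domains that count as internal
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "archive", "junk email"}
MONEY_KEYWORDS = {"invoice", "payment", "iban", "wire", "transfer", "remittance", "bank"}


def rule_findings(rule: dict) -> list:
    """Return the suspicious traits found in one inbox rule (empty list = looks benign)."""
    findings = []
    name = rule.get("name", "")
    conds = rule.get("conditions", {})
    acts = rule.get("actions", {})
    # Intruders often create rules named ".", "," or a single letter.
    if len(name.strip()) <= 1:
        findings.append("unnamed or single-character rule")
    # Conditions that single out payment traffic.
    words = {w.lower() for w in conds.get("bodyOrSubjectContains", [])}
    if words & MONEY_KEYWORDS:
        findings.append("targets payment keywords: " + ", ".join(sorted(words & MONEY_KEYWORDS)))
    # Actions that hide mail from the legitimate owner.
    if acts.get("delete"):
        findings.append("deletes matching messages")
    if acts.get("markAsRead"):
        findings.append("marks messages as read")
    folder = acts.get("moveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves messages to '{folder}'")
    # Actions that exfiltrate mail outside the organisation.
    for addr in acts.get("forwardTo", []) + acts.get("redirectTo", []):
        if addr.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS:
            findings.append(f"forwards to external address {addr}")
    return findings


def triage(rules: list) -> dict:
    """Map rule name -> findings, keeping only rules with at least one finding."""
    result = {}
    for rule in rules:
        hits = rule_findings(rule)
        if hits:
            result[rule.get("name", "")] = hits
    return result


# Constructed sample export for one mailbox.
SAMPLE_RULES = [
    {"name": ".", "conditions": {"bodyOrSubjectContains": ["invoice", "payment", "IBAN"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
    {"name": "Newsletter cleanup", "conditions": {"fromContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"name": "Backup copy", "conditions": {},
     "actions": {"forwardTo": ["mailbox-backup@freemail-example.net"]}},
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_RULES).items():
        print(f"[SUSPICIOUS] rule {name!r}: " + "; ".join(hits))
```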
5. Vishing (voice phishing) and phone MFA fatigue
Phone calls impersonating IT technicians, banks, delivery services or authorities. Brutal growth in 2024-2026 driven by generative AI: voice deepfakes that clone the CEO or a family member from a few seconds of public audio.
A modern sub-variant is phone MFA fatigue, where the attacker with a stolen password bombards the user with MFA prompts and, in parallel, calls posing as IT asking them to approve the prompt "to resolve an issue". The Uber 2022 case (Lapsus$) follows this pattern exactly.
Documented cases: Twitter Hack July 2020 (teenagers gained access to internal tools via vishing targeting employees); Uber September 2022 (combined MFA fatigue + vishing); UK CEO scam 2019 (first public voice deepfake case, ~$243,000); MGM 2023 (10-minute call to the helpdesk impersonating an employee).
Defence: helpdesk hardening with robust verification (video call, callback to the HR-registered number, non-obvious questions), specific training for support staff, clear policy on what information CAN'T be confirmed by phone.
6. Smishing (SMS phishing)
Phishing by SMS. It usually impersonates carriers, public services (Correos, Tax Agency, INE, DGT), banks or parcel platforms. Especially effective on mobile because the full URL is rarely visible and the user is in a rushed context.
Cases: massive FluBot campaigns (2021-2022) in Spain impersonating Correos, continuous waves attributed to Spanish-speaking criminal services.
Defence: carrier SMS gateway blocking where applicable, specific training on identifying URLs on mobile, policy against clicking links from unknown SMS senders, always validate by typing the domain manually.
7. Clone phishing
Variant where the attacker captures a previous legitimate email (invoice, Microsoft notification, bank alert), replicates it almost identically and replaces links or attachments with malicious versions. It is sent from a spoofed domain or a compromised account.
Signs: the email looks exactly like a previous legitimate one. The clue sits in small header differences, sender domain or link destinations.
Defence: automatic similarity analysis with previous emails, DMARC with reject policy, training on link verification before clicking.
8. AitM (Adversary-in-the-Middle) phishing
The most dangerous modern variant. Platforms like evilginx2, Modlishka, EvilProxy and Tycoon 2FA act as a proxy between the victim and the legitimate site: the victim enters credentials and the MFA code on the fake page, the proxy forwards them to the real site and captures the session cookie it issues. The attacker ends up with an active session without ever needing to type the password or the code themselves.
Cases: massive 2022-2026 campaigns with evilginx2, EvilProxy and Tycoon 2FA against Microsoft 365, Okta and Google Workspace portals, hundreds of affected companies. (Snowflake May-June 2024 also affected accounts without strong MFA, but the main vector was infostealer on endpoints, not AitM; covered in the real cases block.)
Main defence: phishing-resistant MFA (FIDO2/WebAuthn, passkeys, hardware tokens). These technologies bind the authentication signature to the real site's origin and are immune to AitM kits. SMS, TOTP and push notifications DON'T block AitM.
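Why the origin binding matters can be shown in a few lines. The simulation below is an added example, not code from the article or from any kit: the same relay that carries a victim's TOTP code through a proxy unchanged fails for a WebAuthn-style assertion, because the browser writes the origin it is actually on into `clientDataJSON` and the relying party checks it. The authenticator's public-key signature is stood in for by an HMAC with a key shared between authenticator and relying party (a simplification that is enough to show the check); the origins and keys are constructed placeholders.

```python
"""TOTP relays through an AitM proxy, a WebAuthn-style assertion does not (added simulation)."""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"        # constructed: the legitimate site
PROXY_ORIGIN = "https://login.example-com.net"   # constructed: the phishing proxy's domain


# --- TOTP (RFC 6238, HMAC-SHA1, 30-second step, 6 digits) --------------------
def totp(secret: bytes, now: int) -> str:
    counter = struct.pack(">Q", now // 30)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def rp_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    # A code carries no information about where it was typed, so a relayed one is valid.
    return hmac.compare_digest(submitted, totp(secret, now))


# --- WebAuthn-style assertion (simplified) ---------------------------------
def sign_assertion(cred_key: bytes, challenge: str, browser_origin: str) -> dict:
    """The browser fills clientDataJSON with the origin it is on; the authenticator
    signs authenticatorData || SHA-256(clientDataJSON). HMAC stands in for the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}).encode()
    auth_data = hashlib.sha256(REAL_ORIGIN.encode()).digest()  # simplified rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def rp_accepts_assertion(cred_key: bytes, a: dict, challenge: str) -> bool:
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:   # the origin check is what defeats the proxy
        return False
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["signature"])


def relay_demo(now: int = 1_700_000_000) -> dict:
    """Victim interacts with the proxy page; the proxy forwards everything to the real site."""
    totp_secret, cred_key, challenge = b"constructed-totp-seed", b"constructed-cred-key", "rp-challenge-42"
    code_typed_on_proxy = totp(totp_secret, now)
    proxied = sign_assertion(cred_key, challenge, PROXY_ORIGIN)   # browser is on the proxy domain
    genuine = sign_assertion(cred_key, challenge, REAL_ORIGIN)    # honest login on the real site
    return {"totp_relayed": rp_accepts_totp(totp_secret, code_typed_on_proxy, now),
            "webauthn_relayed": rp_accepts_assertion(cred_key, proxied, challenge),
            "webauthn_genuine": rp_accepts_assertion(cred_key, genuine, challenge)}


if __name__ == "__main__":
    print(relay_demo())
```

In a real browser the proxy never even gets this far: the credential's RP ID does not match the phishing domain, so the browser refuses to use it and the user sees no prompt to approve.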
9. Evil twin (Wi-Fi phishing)
The attacker stands up a Wi-Fi access point with an SSID identical to the legitimate one (STARBUCKS_FREE, AIRPORT_GUEST) and a stronger signal. Devices connect automatically and the traffic passes through the attacker's network, which can serve a fake captive portal to steal credentials or run AitM against unprotected pages.
Defence: always-on corporate VPN on employee endpoints with traveller profile, certificate pinning in corporate apps, specific training for high-mobility staff.
10. Watering hole
The attacker compromises a website frequented by the target (sector site, professional forum, supplier portal) and serves a payload from there. The victim visits normally and is compromised without having clicked anything external.
Cases: APT campaigns attributed to state actors against specific industries (Aurora 2010, attacks on defence company HR sites).
Defence: modern EDR with behavioural detection, browser sandboxing, aggressive browser and plugin updates, network segmentation.
11. Search engine phishing (SEO poisoning)
Fake pages positioned in Google or Bing through black-hat SEO for popular terms ("download AnyDesk", "Microsoft 365 support", "Notion download"). The user searches, clicks the sponsored result or the first organic result, and downloads malware or enters credentials.
Cases: ongoing BatLoader, Gootkit, FakeBat campaigns 2023-2026. Especially damaging because they bypass email filters.
Defence: corporate web filtering with categorisation, anti-malvertising policy, general training, ad blockers on endpoints (controversial but effective), blocking executable downloads from suspicious categories.
12. QR phishing (quishing)
A variant that has grown in 2023-2026. Malicious QR codes instead of visible URLs. It exploits the fact that the user cannot preview the QR destination before scanning it with a phone. Common vectors: physical stickers on parking meters, stickers over legitimate QRs at restaurants, QRs in emails where the URL "broke", QRs in PDF documents.
Defence: QR scanning apps that preview URL, training on physical QR verification (overlaid sticker), treating QRs in emails with the same care as traditional links.
Quick identification signals
Regardless of type, these are the patterns that should trigger suspicion and can be taught to any employee.
- Unusual urgency: "act now", "your account closes today", "last chance", "overdue invoice". Any legitimate communication allows verification.
- Subtle change in critical data: IBAN slightly different from usual, domain with one changed character, new phone number.
- Sender that doesn't fit: the supposed bank writing from a free email domain, the supposed CEO writing from a personal domain, an IT technician who doesn't have your details on the internal account.
- Request that breaks procedure: urgent transfer without the usual double signature, payment change without prior notice to finance, credential reset without an open ticket.
- Unusual greeting or vocabulary: "Dear sir" at a company where everyone uses first names, jargon foreign to internal culture, obvious translation.
- Unexpected attachments: invoices in strange formats, password-protected ZIPs with the password in the email body, files with a double extension, unusual OneNote or ISO files.
- Call asking to skip procedure: "don't open a ticket, this is urgent", "don't call to verify me, I don't have time", IT technician asking to share screen and disable antivirus.
- QR without verifiable context: overlaid sticker, QR in email from doubtful source, QR instead of URL in a serious document.
The most effective cultural rule is "if it's urgent, suspect". Time-pressured decisions are the most easily manipulated.
Documented real cases
Examples illustrating each category with public incidents.
Twitter Hack (July 2020), vishing. Teenagers gained access to internal tools through calls to employees impersonating IT. Compromised verified accounts of Obama, Musk, Gates for Bitcoin scam. Low financial damage, massive reputational damage.
Uber breach (September 2022), MFA fatigue. Lapsus$ compromised an Uber contractor with MFA prompt spam until approval. Once inside, they accessed a Thycotic vault with AWS/GCP/Slack/GitHub secrets.
MGM Resorts (September 2023), vishing. Scattered Spider ran a 10-minute call to the MGM helpdesk impersonating an employee, got credential reset, escalated to Active Directory, deployed ransomware. Estimated damage $100 million. Caesars suffered a similar attack and paid ~$15 million.
Snowflake breach (May-June 2024), credentials stolen by infostealer. UNC5537 accessed the Snowflake databases of multiple clients (AT&T, Ticketmaster, Santander) using credentials captured by infostealers on employee endpoints, on accounts without MFA. Not strictly AitM phishing, but it illustrates why weak or absent MFA equals certain compromise when credentials are circulating underground.
Deepfake CEO scam (2019 UK), AI-powered vishing. Call with cloned CEO voice to the CFO ordering an urgent transfer. ~$243,000 lost. Similar cases have multiplied since 2022 with commercial cloning tools.
FluBot (2021-2022, Spain and EU), mass smishing. Correos impersonation via SMS with link to malicious APK. Tens of thousands of victims in Spain before a coordinated Europol operation dismantled the infrastructure in 2022.
Modern layered defence
The measures that close each type, ordered by impact.
Technical defence
- Phishing-resistant MFA (FIDO2/WebAuthn, passkeys). Closes AitM, MFA fatigue and almost any phishing aimed at session capture. The most important defensive investment of 2026.
- Multi-layer email security. Microsoft Defender for O365, Google Workspace Advanced Protection, Proofpoint, Mimecast, Abnormal. Attachment sandboxing, click-time URL analysis, external banner on emails from outside the domain.
- Strict DMARC, DKIM, SPF. Reject policy to prevent spoofing of your own domain.
- Modern EDR that detects post-phishing behaviour: execution from Outlook, macros, PowerShell scripts, C2 connections.
- Identity-EDR / ITDR. Microsoft Defender for Identity, CrowdStrike Falcon Identity, Okta ThreatInsight. Detect anomalous logins even when credentials are correct.
- Corporate web filtering with categorisation and blocking of downloads from no-reputation domains.
- DNS filtering. Quad9, Cloudflare 1.1.1.1 for Families, Cisco Umbrella. Block resolution of known malicious domains before connection.
- Always-on VPN on corporate endpoints to avoid evil twin Wi-Fi.
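The SPF and DMARC items in the list above are easy to get wrong in ways that look fine at a glance (`p=none`, `~all`, `pct=50`). The checker below is an added example, not code from the article: it parses published SPF and DMARC TXT strings and lists the weak settings, shown on a constructed weak record beside its hardened version. DKIM is verified per message rather than from a single record, so it is not covered here. Record values and addresses are constructed samples.

```python
"""Audit SPF/DMARC TXT records for the weak settings the list warns about (added example)."""


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record (v=spf1 missing)"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("'+all' lets any host send as the domain")
    elif last == "?all":
        issues.append("'?all' is neutral, equivalent to no policy")
    elif last == "~all":
        issues.append("'~all' softfail: most receivers treat it as a hint, not a rejection")
    # RFC 7208 caps DNS-querying mechanisms at 10; beyond that evaluation returns permerror.
    querying = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in querying)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return issues


def check_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record"]
    issues = []
    policy = tags.get("p", "")
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif policy != "reject":
        issues.append(f"missing or unknown policy '{policy}'")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", "reject") != "reject":
        issues.append(f"sp={tags['sp']}: subdomains are not protected")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return issues


# Constructed records: a common weak setup and its corrected form.
WEAK = {"spf": "v=spf1 include:_spf.example-mail.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"}
HARDENED = {"spf": "v=spf1 include:_spf.example-mail.net -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"}


def audit(records: dict) -> dict:
    return {"spf": check_spf(records["spf"]), "dmarc": check_dmarc(records["dmarc"])}
```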
Organisational defence
- Helpdesk hardening. Formal reset procedures (video call, callback, non-obvious questions). The MGM 2023 case shows it's the weakest link in many organisations.
- Out-of-band procedures for transfers and IBAN changes. Double signature, verification via alternative channel.
- Segregation of financial duties.
- Easy suspicion reporting. "Report phishing" button in the email client, dedicated Slack/Teams channel, SOC team with fast response.
- "If it's urgent, suspect" culture. Internal communication that celebrates those who question.
Training defence
- Annual programme with quarterly drills. KnowBe4, Cofense, Proofpoint Security Awareness or equivalents.
- Role-specific training (helpdesk, finance, executive, HR).
- Real metrics: percentage that clicks, percentage that reports, monthly trend.
- Specific refresh after relevant public incidents in the sector.
Compliance fit
Phishing defence appears in current frameworks:
- NIS2 (article 21). Mandatory awareness and training. Specific board training is an explicit requirement.
- DORA (article 11). Periodic digital awareness programmes.
- ISO 27001:2022 (controls 5.1, 6.3, 7.3). Policy, awareness, training.
- ENS Royal Decree 311/2022. mp.per measures (personnel management).
- PCI DSS v4.0 (req. 12.6). Formal awareness programme.
- GDPR (article 32). Technical and organisational measures. Training counts as an enforceable organisational measure.
Frequently asked questions
Which phishing type is most dangerous in 2026?
AitM (Adversary-in-the-Middle) is the category that has compromised the most large companies in 2024-2026. It bypasses TOTP/SMS/push MFA, captures session cookies and operates with kits available as a service. Against AitM, only FIDO2/WebAuthn closes the door.
Does my current MFA protect against phishing?
It depends on the type. SMS or TOTP MFA (authenticator app) blocks classic phishing but falls against modern AitM. MFA with FIDO2/WebAuthn (YubiKey hardware tokens, platform passkeys) does block AitM because the signature binds to the real URL. For privileged accounts, FIDO2 is practically mandatory in 2026.
How do I distinguish a legitimate email from spear phishing?
At first glance it's very hard because the attacker invests in personalisation. Clues usually sit in the metadata: sender domain (subdomain typosquatting, recent domain), email headers, the exact IBAN compared to the usual one, unusual urgency versus the sender's normal cadence. When in doubt, always verify out of band.
Does phishing training actually reduce incidents?
Yes, with nuance. A serious programme reduces the click rate from an initial 25-30% to a sustained 5-15% after 12-18 months. What doesn't work is expecting training to eliminate the problem; a percentage always falls for it. Technical defences (strong MFA, EDR, email security) are the safety net.
What do I do if I fell for phishing at my company?
Report immediately to the security team. The sooner it's known, the sooner the account gets isolated and sessions invalidated. Don't try to "fix it" quietly: the internal reputational cost of reporting is minimal compared to the damage of an incident escalating undetected.
Is launching simulated phishing in my company legal?
Yes, with conditions: formal management authorisation, prior communication to the works council where applicable, clear educational message on the "fallen" page for users who click, no individualised sanction for falling, minimal retention of personal data. Without formal authorisation, launching simulated phishing against employees can breach GDPR and worker rights.
Is quishing (QR phishing) really a problem?
Yes, it has grown a lot since 2023. Common vectors: physical stickers over legitimate QRs at parking meters or restaurants, QRs inside emails the traditional filter doesn't analyse, QRs in malicious PDF invoices. The main defence is training: treat any QR with the same care as a link, preview the destination with the camera before opening it.
Related resources
- What is social engineering: pillar covering the broader discipline phishing fits within.
- What is ransomware: scenario where initial phishing translates into mass encryption and extortion.
- Types of malware: malware families typically delivered after a successful phishing.
Phishing defence at Secra
At Secra we address phishing risk on three usual fronts: defensive technical review (phishing-resistant MFA, email security, identity-EDR, helpdesk hardening, web/DNS filtering), Red Team exercises with controlled AitM, vishing and quishing vectors to empirically validate detection and response, and design of a role-specific awareness programme with real metrics. The usual deliverable is a risk map with concrete priorities and documented drills. If your organisation still relies on SMS or TOTP MFA for privileged accounts, hasn't audited helpdesk procedures or has never empirically measured staff resistance to modern campaigns, get in touch via contact or check our Red Team service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.