
What Is Phishing? How to Spot and Avoid Scams in 2026
Phishing is the most common cyberattack in the world, and it works because it targets human psychology rather than technical vulnerabilities. Phishing messages impersonate trusted entities—banks, software vendors, government agencies, even your coworkers—to trick you into revealing sensitive information, clicking malicious links, or downloading malware.
Despite decades of awareness campaigns, phishing remains devastatingly effective. The 2025 Verizon Data Breach Investigations Report attributes over 90% of successful data breaches to phishing as the initial access vector. And attackers are getting better, not worse—AI-generated content, deepfake voice cloning, and adversary-in-the-middle proxy attacks have made phishing more convincing and harder to detect than ever before.
This guide explains what phishing is, breaks down every major attack variant, shows you how to recognize sophisticated attacks before they succeed, and outlines the layered defenses that protect individuals and organizations alike. Whether you're protecting personal accounts or securing a business that handles sensitive client data, understanding phishing is the single most valuable cybersecurity skill you can develop.
Phishing By The Numbers (statistics panel; the figures did not survive extraction; sources cited: Verizon DBIR 2025, FBI Internet Crime Complaint Center, Microsoft Security Report)
Types of Phishing Attacks
Phishing has evolved far beyond the obvious "Nigerian prince" emails. Modern attacks come in many forms, each engineered to exploit a different context, channel, or level of trust. Understanding these variations is essential for recognizing threats across your inbox, text messages, phone calls, and even QR codes.
Email Phishing
The most common form, email phishing sends mass messages impersonating trusted brands—Microsoft, Amazon, your bank, or a government agency. These attacks cast a wide net, relying on volume rather than personalization. Modern email phishing increasingly uses AI-generated content that eliminates the grammar errors and awkward phrasing that once made fake emails easy to spot.
Attackers use spoofed sender addresses, cloned company branding, and urgent language to pressure victims into clicking malicious links or downloading infected attachments. Targets are typically cloud service credentials, banking portals, and corporate systems—any account that provides access to money or sensitive data.
Spear Phishing
Unlike generic email phishing, spear phishing targets specific individuals or organizations with highly personalized messages. Attackers research their victims on LinkedIn, company websites, and social media to craft messages that reference real projects, colleagues, or business relationships. Success rates run up to 10 times higher than mass phishing campaigns precisely because the messages feel genuine.
These attacks often incorporate information harvested from prior data breaches or social media reconnaissance to establish credibility. A spear phishing email might reference a real vendor you work with, a deal you recently closed, or a conference you attended—making the request feel entirely plausible. This is the primary vector for social engineering attacks against businesses.
Whaling
Whaling targets high-value individuals—executives, CFOs, attorneys, and decision-makers with access to sensitive data or financial authority. These attacks often impersonate board members, legal counsel, or business partners requesting urgent wire transfers or confidential information. The FBI's Internet Crime Complaint Center reports the average whaling attack results in losses exceeding $130,000.
Attackers use publicly available information about executive travel schedules, board meetings, and business transactions to time their attacks when targets are distracted, traveling, or under deadline pressure.
Smishing (SMS Phishing)
Smishing delivers phishing attacks via text message. Common tactics include fake package delivery notifications, bank fraud alerts, and two-factor authentication (2FA) warnings designed to steal credentials. Mobile devices make smishing particularly effective—URLs are harder to inspect on small screens, and users tend to trust text messages more than email.
For tax professionals, smishing attacks frequently impersonate the IRS or state revenue departments during filing season. Learn more about phishing attacks targeting tax professionals and how to protect your practice.
Vishing (Voice Phishing)
Vishing uses phone calls to manipulate victims into revealing information or authorizing fraudulent payments. Attackers spoof caller ID to appear as legitimate organizations, use AI voice cloning to impersonate executives, and create elaborate pretexts around account security, technical support, or legal threats.
The rise of AI has made vishing attacks nearly indistinguishable from legitimate calls. In 2025, the FBI documented over 400 cases of deepfake vishing resulting in losses exceeding $50 million. Voice phishing often serves as the initial contact before directing victims to phishing websites or requesting remote access to their systems.
Quishing (QR Code Phishing)
Quishing embeds malicious URLs in QR codes that bypass email security filters because the URL isn't visible as text. Common scenarios include fake parking tickets, restaurant menus, payment requests, and Microsoft 365 login prompts. QR codes are especially dangerous because users cannot preview the destination before their device automatically opens it—the scan-and-open behavior is instantaneous and habitual.
Business Email Compromise (BEC)
BEC attacks compromise legitimate email accounts to send fraudulent messages from trusted, real addresses. Unlike traditional phishing that impersonates organizations, BEC uses actual compromised accounts, making detection extremely difficult. The FBI reports BEC attacks caused $2.9 billion in losses in 2025, making it the costliest single form of cybercrime.
BEC typically targets finance departments with fraudulent wire transfer requests, payroll redirection schemes, or W-2 data theft. These attacks often combine social engineering with technical compromise—gaining access to a legitimate mailbox, then monitoring conversations for weeks before executing the fraud at the right moment.
Bottom Line
Spear phishing, whaling, and BEC attacks succeed because they feel personal and legitimate. Generic awareness—"don't click suspicious links"—isn't enough. Employees need to recognize attack patterns specific to their role, industry, and the tools they use daily.
How to Spot a Phishing Attempt Before It's Too Late
The most reliable indicator of phishing is manufactured urgency. Legitimate organizations rarely demand immediate action under threat of account closure, legal action, or financial penalty. If a message pressures you to act within minutes or hours, pause and verify through official channels—call the company directly using the number on their website, not the one in the suspicious message.
Always inspect sender addresses carefully. Phishing emails frequently use domains that look similar to legitimate ones: "microsft.com," "arnazon.com," or "support-microsoft.com." Check for extra letters, number substitutions (using "0" for "O"), or unusual top-level domains (.co instead of .com, unfamiliar country codes). Hover over any link before clicking to see the actual destination URL. A link displaying "microsoft.com" might actually point to "microsoft-login.secure-verification.tk." Modern browsers display the destination URL in the bottom-left corner when you hover—use this before every click.
Grammar errors and inconsistent formatting remain red flags, though sophisticated attacks increasingly use AI to produce flawless copy. More reliable indicators include generic greetings ("Dear Customer" instead of your name), requests for information the sender should already have, and branding inconsistencies like wrong logos, colors, or fonts. Compare suspicious emails to previous legitimate messages from the same organization.
Be especially wary of unexpected attachments—particularly ZIP files, Office documents with macros, or PDFs from unknown senders. Legitimate companies almost never send executable files via email. According to the Anti-Phishing Working Group, 73% of malware infections originate from email attachments. Even documents can contain malicious macros or embedded exploits that execute on opening.
Any message asking for passwords, PINs, Social Security numbers, credit card details, or other sensitive information should be treated as suspicious by default. No legitimate organization requests these via email. Be equally skeptical of unusual payment requests, especially those involving gift cards, wire transfers, cryptocurrency, or peer-to-peer payment apps. According to the Federal Trade Commission, gift card scams caused $217 million in losses in 2025 alone.
When in doubt, contact the supposed sender through a separate communication channel using contact information from their official website—not from the suspicious message. For more guidance on personal cybersecurity defense, including password hygiene that limits the damage from successful phishing attacks, see our full resource center.
Critical Phishing Warning Signs
- Urgent language demanding immediate action or threatening account closure
- Sender email address that doesn't match the claimed organization's domain
- Generic greetings like "Dear Customer" instead of your actual name
- Requests for passwords, Social Security numbers, or financial information via email
- Links that display one URL but point to a completely different destination
- Unexpected attachments, especially ZIP files or Office documents with macros
- Payment requests involving gift cards, wire transfers, or cryptocurrency
- Branding inconsistencies such as wrong logos, colors, or formatting
- Suspicious QR codes from unknown or unsolicited sources
- Requests for information the legitimate sender should already have on file
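The sender-domain, link-mismatch and urgency checks described above can be automated for a mailbox or a help-desk triage queue. The script below is an added example written for this article, not code from the original page; the sample message, the brand allow-list (`KNOWN_BRANDS`) and the risky-TLD list are constructed for illustration. It normalizes common character substitutions ("rn" for "m", "0" for "o"), measures edit distance against known brands, and compares the hostname shown in link text with the hostname the link actually points to.

```python
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample message for this example; it is not a real phishing email.
SAMPLE_MESSAGE = b"""\
From: "Microsoft Account Team" <security@support-microsoft.com>
To: user@example.com
Subject: Action required: your account will be closed within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Verify now: <a href="https://microsoft-login.secure-verification.tk/verify">https://microsoft.com/account</a></p>
</body></html>
"""

# Assumed allow-list of brands this mailbox legitimately deals with (not from the article).
KNOWN_BRANDS = {"microsoft.com", "amazon.com", "paypal.com"}
# Assumed set of top-level domains that deserve a second look when they appear in login links.
RISKY_TLDS = {"tk", "ml", "ga", "cf", "gq"}
URGENCY_PHRASES = ("action required", "immediately", "within 24 hours", "will be closed", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels (adequate for .com/.tk-style TLDs)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalize(text: str) -> str:
    """Undo the character substitutions lookalike domains rely on (rn->m, 0->o, 1->l, ...)."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so a dropped letter (microsft) still matches its brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the brand domain that host imitates, or None if it is the brand itself or unrelated."""
    if registrable(host) in KNOWN_BRANDS:
        return None
    labels = normalize(".".join(host.lower().split(".")[:-1]))  # everything before the TLD
    for brand in sorted(KNOWN_BRANDS):
        name = brand.split(".")[0]
        if name in labels or edit_distance(labels, name) <= 1:
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so displayed and real destinations can be compared."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: bytes) -> List[str]:
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []
    sender_domain = msg["From"].addresses[0].domain
    brand = lookalike_of(sender_domain)
    if brand:
        findings.append(f"sender domain {sender_domain} imitates {brand}")
    subject = str(msg["Subject"] or "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        findings.append("subject uses urgency language")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    if any(g in html.lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if host.rsplit(".", 1)[-1] in RISKY_TLDS:
            findings.append(f"link uses risky TLD: {host}")
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registrable(shown) != registrable(host):
            findings.append(f"link text shows {shown} but points to {host}")
    return findings
```

Running `analyze(SAMPLE_MESSAGE)` flags the lookalike sender domain, the urgency in the subject, the generic greeting, the .tk destination and the mismatch between the displayed and real link hosts. The brand match is deliberately greedy ("support-microsoft" is flagged because it contains the brand name), so legitimate third-party domains that embed a brand name will also be surfaced for a human to confirm.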
What to Do If You Clicked a Phishing Link
If you clicked a phishing link or entered credentials on a suspicious site, act immediately. Most attackers begin exploiting compromised accounts within minutes of credential capture—the window for containing damage is narrow.
Change the compromised password on every site where you used it. This is precisely why unique passwords matter: reuse turns one compromised account into many. Use a password manager to generate and store unique passwords for every account. If you don't already use multi-factor authentication (MFA), enable it on the affected account now. Even if attackers have your password, MFA requires a second verification factor they cannot easily obtain. Prioritize email accounts first—access to your email allows attackers to reset passwords across every connected service.
If you entered financial information, contact your bank immediately to freeze your accounts and dispute any unauthorized transactions. Most banks provide zero-liability protection when fraud is reported promptly. Monitor statements closely for the next 60 days and consider placing a fraud alert with Equifax, Experian, and TransUnion if personal information like your Social Security number was exposed.
Run a full malware scan on your device using updated antivirus software. If you downloaded an attachment, disconnect from your network before scanning to prevent potential spread to other devices. Malware installed through phishing can establish persistent backdoor access, install keyloggers to capture future passwords, or serve as a foothold for ransomware deployment. For businesses, isolating compromised devices is essential to prevent lateral movement across your infrastructure.
For business accounts, report the incident to your IT team or security provider immediately—they need to assess whether attackers have already used your credentials to access other systems. Under NIST SP 800-61 guidelines, incident response must be swift, coordinated, and documented. Follow your organization's incident response plan to contain the breach, preserve evidence, and determine the full scope of compromise.
Document everything for potential insurance claims or law enforcement reports: save copies of the phishing message, any attacker correspondence, and a timeline of events. Report the phishing attempt to the Anti-Phishing Working Group at reportphishing@apwg.org and forward suspicious IRS-themed emails to phishing@irs.gov.
Immediate Actions After Clicking a Phishing Link
Change Compromised Passwords Immediately
Reset the password on the affected account and any other accounts where you used the same or similar password. Use a password manager to create unique credentials going forward.
Enable Multi-Factor Authentication
Turn on MFA for the affected account and prioritize your email account, which can be used to reset all other passwords. Even with a stolen password, MFA blocks most takeover attempts.
Contact Financial Institutions
If financial details were entered, call your bank immediately to freeze accounts and dispute unauthorized transactions. Report to all three credit bureaus if your Social Security number was exposed.
Scan Your Device for Malware
Disconnect from your network and run a full malware scan before reconnecting. If you downloaded an attachment, assume compromise until the scan confirms otherwise.
Report to IT or Security Team
For business accounts, notify your IT team or managed security provider immediately. They must check for lateral movement, unauthorized access, and evidence of data exfiltration.
Document and Report the Attack
Save the phishing message and create a timeline of events. Report to APWG at reportphishing@apwg.org, the FTC at ReportFraud.ftc.gov, and your organization's incident response team.
Tax Season Phishing Alert
Phishing attacks targeting tax professionals spike dramatically between January and April. Attackers impersonate the IRS, state revenue departments, tax software vendors, and professional associations to steal client data, credentials, and Preparer Tax Identification Numbers (PTINs). If you receive an unexpected email about your tax software, client accounts, or IRS account access during filing season, verify through official channels before taking any action. Review our tax practice cybersecurity guide for filing season defense strategies.
Building Organizational Phishing Resilience
The most effective defense against phishing combines regular security awareness training with realistic phishing simulations. Organizations that run monthly simulations see phishing click rates drop from 30% to under 5% within a year. Training must cover current attack trends—not just generic awareness—and show employees real examples of phishing emails targeting your specific industry and role.
Effective programs follow the NIST NICE Framework approach: knowledge reinforcement through repeated exposure, realistic simulations without punishment, and immediate feedback when users click simulated phishing links. Sessions should be brief (10–15 minutes monthly), engaging, and relevant to actual threats your organization faces. Punishment-based approaches backfire—employees who fear consequences stop reporting suspicious emails, which eliminates your early warning system. Learn how security awareness training for tax firms reduces phishing risk during the highest-threat periods of the year.
Technical Controls Add Essential Defense Layers
Deploy email filtering solutions that scan attachments for malware, analyze URLs for known phishing indicators, and quarantine suspicious messages before they reach inboxes. Modern Secure Email Gateways (SEGs) use machine learning to detect zero-day phishing attempts that signature-based filters miss. Pair this with URL rewriting—routing every link in incoming email through a real-time security scanner that checks destinations against threat intelligence feeds at the moment of click.
Implement DMARC, DKIM, and SPF email authentication protocols to prevent spoofing of your own domain. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers how to handle messages that fail authentication checks. Organizations with enforced DMARC policies block approximately 90% of domain spoofing attempts. The FTC recommends DMARC implementation in its Safeguards Rule guidance for financial institutions. Start with a monitoring policy (p=none) to inventory all legitimate email sources, then move to quarantine, and finally to reject once all authorized senders are confirmed.
Enable multi-factor authentication on all business accounts. According to Microsoft, MFA blocks 99.9% of account compromise attacks. Prioritize email, VPNs, administrative accounts, and any system containing sensitive or regulated data. For guidance tailored to tax practices, see our article on IRS Publication 4557 requirements for safeguarding taxpayer data, which mandates MFA as a baseline control.
Establish a clear, friction-free process for reporting suspicious emails. A single-click reporting button in email clients works best—anything requiring more steps gets skipped under deadline pressure. Respond to every report with feedback to reinforce the behavior. According to the Ponemon Institute, organizations where employees actively report phishing reduce breach costs by an average of $186,000 per incident.
Phishing Defense Implementation Roadmap
Implement Email Authentication (Week 1–2)
Deploy SPF, DKIM, and DMARC on your domain. Start with DMARC in monitoring mode (p=none) to collect data on legitimate email sources without blocking mail.
Deploy Secure Email Gateway (Week 2–4)
Install a SEG with URL rewriting, attachment sandboxing, and impersonation detection. Configure quarantine policies and test with known phishing samples.
Enable MFA Across All Accounts (Week 3–5)
Roll out MFA starting with email, administrative accounts, and VPN access. Prioritize phishing-resistant FIDO2 keys for high-privilege users.
Launch Security Awareness Training (Month 2)
Begin monthly training with role-specific content. Schedule the first simulated phishing campaign to establish a baseline click rate.
Establish Incident Response Procedures (Month 2–3)
Document your phishing incident response plan per NIST SP 800-61. Define roles, escalation paths, containment steps, and notification requirements.
Run Continuous Simulations and Refine (Ongoing)
Conduct monthly phishing simulations targeting current attack trends. Track click rates, report rates, and credential submission rates. Use results to focus training content.
Advanced Phishing Techniques to Watch in 2026
Attackers continuously evolve their methods to bypass security controls and exploit new technologies. The techniques emerging in 2025 and 2026 require updated defenses that go beyond traditional email filtering and awareness training.
AI-Generated Phishing Content
Large language models enable attackers to generate perfectly grammatical, contextually appropriate phishing emails at scale. AI eliminates the spelling and grammar errors that once served as reliable detection signals. More concerning, AI can analyze a target's writing style from public social media posts and generate personalized messages that match their communication patterns—making spear phishing more convincing and far less resource-intensive to produce at volume. Organizations can no longer rely on linguistic red flags alone as a detection strategy.
Deepfake Voice and Video Phishing
AI voice cloning creates convincing audio deepfakes of executives requesting wire transfers or credential resets. Video deepfakes are an emerging threat for collaboration platforms—attackers impersonate executives in Microsoft Teams or Zoom calls to authorize fraudulent transactions. The MITRE ATT&CK framework now includes techniques for social engineering via deepfake media under T1598.
Organizations should establish out-of-band verification procedures for any high-risk request made via phone or video: a call back to a known number, a code word system, or a secondary approval from a separate person. These procedural controls defeat deepfake attacks regardless of how realistic the audio or video becomes. Learn more about how AI is reshaping the cyber threat environment in 2026.
Adversary-in-the-Middle (AitM) Phishing
AitM phishing intercepts authentication sessions in real time, bypassing MFA. Attackers create proxy sites that sit between the victim and the legitimate login page, capturing credentials and session cookies simultaneously. Because the attacker relays the one-time code to the real service while stealing the authenticated session, traditional MFA provides no protection. Microsoft reported a 146% increase in AitM attacks targeting Microsoft 365 accounts in 2025.
Defense requires phishing-resistant MFA methods—specifically FIDO2 security keys or passkeys that are cryptographically bound to the legitimate domain and cannot be proxied. One-time passcodes (TOTP apps) and SMS-based MFA remain vulnerable to AitM attacks.
Consent Phishing (OAuth Abuse)
Instead of stealing passwords, consent phishing tricks users into granting OAuth permissions to malicious applications through legitimate-looking authorization flows. Because no password is entered, traditional phishing defenses don't trigger alerts. Once access is granted, attackers maintain persistent access to email, files, and contacts—even if the user later changes their password.
This technique is especially effective against Microsoft 365 and Google Workspace environments. Organizations should implement application consent policies that require administrator approval for third-party OAuth grants, monitor existing OAuth permissions regularly, and audit third-party application access quarterly.
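The quarterly audit and consent policy described above can be scripted against an export of consented applications. The block below is an added example written for this article, not code from the original page or from Microsoft; the inventory of grants is constructed, and the grouping of scopes into risk tiers is an assumption (the scope names themselves are real Microsoft Graph delegated permissions). It scores each grant, explains the score, and reports whether a "low-risk scopes from verified publishers only" consent policy would have routed it to an administrator.

```python
from typing import Dict, List, Tuple

# Microsoft Graph delegated permission names; the risk grouping below is our own assumption.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Contacts.Read",
                    "Directory.AccessAsUser.All"}
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}   # sign-in and the user's own profile only
PERSISTENCE_SCOPE = "offline_access"                            # refresh token that outlives a password reset

# Constructed inventory of consented apps, in the shape of a tenant export (not real data).
SAMPLE_GRANTS: List[Dict] = [
    {"app": "Team Calendar Sync", "publisher_verified": True, "consented_by": "admin",
     "scopes": ["openid", "profile", "Calendars.ReadWrite"]},
    {"app": "Mailbox Backup Helper", "publisher_verified": False, "consented_by": "user",
     "scopes": ["openid", "offline_access", "Mail.ReadWrite", "Mail.Send", "Contacts.Read"]},
    {"app": "Document Viewer", "publisher_verified": True, "consented_by": "user",
     "scopes": ["openid", "profile", "User.Read"]},
]


def risk_of(grant: Dict) -> Tuple[int, List[str]]:
    """Score one grant and explain why; 0 means nothing about it needs attention."""
    score, reasons = 0, []
    risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        score += 3 * len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in grant["scopes"]:
        score += 2
        reasons.append("offline_access: access persists after a password reset")
    if not grant["publisher_verified"]:
        score += 2
        reasons.append("unverified publisher")
    if grant["consented_by"] == "user" and score > 0:
        score += 1
        reasons.append("user-consented, so no administrator reviewed the request")
    return score, reasons


def requires_admin_consent(scopes: List[str], publisher_verified: bool) -> bool:
    """Consent policy: users may self-consent only to low-risk scopes from verified publishers."""
    return not publisher_verified or any(s not in LOW_RISK_SCOPES for s in scopes)


def audit(grants: List[Dict]) -> List[Dict]:
    """Rank the inventory so the review starts with the grants most worth revoking."""
    report = []
    for grant in grants:
        score, reasons = risk_of(grant)
        report.append({"app": grant["app"], "score": score, "reasons": reasons,
                       "would_need_admin": requires_admin_consent(grant["scopes"], grant["publisher_verified"])})
    return sorted(report, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in audit(SAMPLE_GRANTS):
        print(f"{row['score']:>3}  {row['app']}  admin-consent-required={row['would_need_admin']}")
        for reason in row["reasons"]:
            print("       -", reason)
```

"Mailbox Backup Helper" tops the list: mail read, send and contact access with a refresh token, from an unverified publisher, granted by a user. Note that "Team Calendar Sync" scores 0 yet still needs admin consent under the policy, because `Calendars.ReadWrite` is outside the low-risk set; a consent policy and a risk review answer different questions.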
Supply Chain Phishing
Attackers compromise legitimate business partners and use those established trust relationships to phish downstream targets. A compromised accounting firm's email, for example, allows attackers to send convincing phishing messages to every client with no technical indicators of compromise. These attacks bypass technical controls because messages originate from legitimate, whitelisted sources.
Defense requires vendor risk management programs, out-of-band verification for unusual requests from partners, and security requirements in vendor contracts. Tax professionals should be especially cautious about unexpected requests from software vendors, payroll providers, or professional associations—particularly during filing season when the urgency of requests seems more plausible.
Technical Email Security Controls
User awareness is essential, but technical controls provide defense layers that don't depend on human judgment in the moment of attack. The most resilient organizations implement defense-in-depth: multiple overlapping technologies that each catch what others miss.
Email Authentication Protocols
SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) adds cryptographic signatures that verify messages haven't been tampered with in transit. DMARC builds on both, specifying how receiving servers should handle messages that fail authentication—reject, quarantine, or monitor—and sends daily aggregate reports so you can see exactly what's happening with your domain.
DMARC deployment is a phased process. Start with p=none to collect intelligence on all legitimate email sources (marketing platforms, payroll systems, CRM tools). Once you've confirmed all authorized senders are included in your SPF record and signing with DKIM, move to p=quarantine, then p=reject. Rushing to reject without auditing legitimate senders can interrupt business-critical email flows.
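The phased rollout above, and the DMARC section of the roadmap earlier in the article, both come down to two questions a receiving server answers for each message: does an authenticated identifier align with the From: domain, and if not, what does the policy say to do? The block below is an added example written for this article, not code from the original page or from any DMARC tooling; the three records for `example.com` are constructed, and the organizational-domain logic is simplified to the last two labels (real evaluators use the public suffix list). `evaluate` applies the alignment rules and returns the disposition; `rollout_warnings` flags a record that is still in monitoring mode or that cannot produce the reports needed to inventory senders.

```python
from typing import Dict, List, Optional, Tuple

# Constructed records for example.com, one per rollout phase.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs and apply the relaxed-alignment defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real code uses the public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict alignment (s) needs an exact match; relaxed (r) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(record: str, header_from: str, spf_domain: Optional[str],
             dkim_domains: List[str]) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain if SPF passed, else None; dkim_domains are the d= values
    of signatures that verified. DMARC passes when either identifier aligns with the From: domain.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(spf_domain, header_from, tags["aspf"])
    dkim_ok = any(aligned(d, header_from, tags["adkim"]) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    policy = tags.get("p", "none")
    return "fail", {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


def rollout_warnings(record: str) -> List[str]:
    """Flag settings that leave the domain spoofable or leave you blind during the rollout."""
    tags = parse_dmarc(record)
    warnings = []
    if tags.get("p", "none") == "none":
        warnings.append("p=none: failing mail is reported but still delivered, so spoofing is not blocked")
    if "rua" not in tags:
        warnings.append("no rua tag: no aggregate reports, so legitimate senders cannot be inventoried")
    if tags.get("pct", "100") != "100":
        warnings.append(f"pct={tags['pct']}: policy applies to only part of the failing mail")
    return warnings


if __name__ == "__main__":
    # A spoofed message: From: example.com, but SPF passed only for the attacker's own domain.
    print(evaluate(MONITOR_RECORD, "example.com", "attacker.example", []))   # ('fail', 'deliver')
    print(evaluate(ENFORCED_RECORD, "example.com", "attacker.example", []))  # ('fail', 'reject')
    # A legitimate message signed by a subdomain: passes under relaxed alignment, fails under strict.
    print(evaluate(ENFORCED_RECORD, "example.com", None, ["mail.example.com"]))  # ('pass', 'deliver')
    print(evaluate(STRICT_RECORD, "example.com", None, ["mail.example.com"]))    # ('fail', 'reject')
```

The last two calls show why the audit before moving to `p=reject` matters: a payroll or CRM platform that signs with `d=mail.example.com` keeps working under the default relaxed alignment, but switching to `adkim=s` at the same time as `p=reject` would start rejecting that mail.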
Advanced Threat Protection
Secure Email Gateways provide protection including URL rewriting, attachment sandboxing, and impersonation detection. Machine learning models detect zero-day phishing attempts that signature-based detection misses. URL defense technologies rewrite all links in incoming email so that when users click, the system checks the destination against live threat intelligence feeds and analyzes page content for phishing indicators in real time—providing protection even when users click convincing links that weren't flagged at delivery.
Endpoint Detection and Response
Endpoint Detection and Response (EDR) solutions monitor devices for malicious activity that results from phishing attacks. If a user downloads malware from a phishing email, EDR can detect and block execution, isolate the endpoint from the network, and alert security teams before damage spreads. For businesses evaluating their options, our guide on advanced EDR threats and bypass techniques explains what modern endpoint protection must defend against.
Managed Detection and Response (MDR) services extend EDR with 24/7 monitoring and incident response by security experts—ideal for organizations without dedicated security operations centers. MDR providers hunt for threats across your environment, contain incidents in real time, and provide forensic analysis after attacks. For financial security and data protection, MDR provides a level of coverage that in-house teams at most small businesses cannot replicate.
Zero Trust Network Access
Zero Trust architectures assume breach and verify every access request, even from authenticated users. Conditional access policies based on device compliance, location, and risk signals limit the damage from compromised credentials. Even if an attacker steals a password through phishing, they cannot access resources from unmanaged devices or unusual locations without triggering additional verification requirements.
Zero Trust implementation starts with identity: enforce MFA everywhere, implement conditional access, and require device compliance certificates. Extend to network access by replacing legacy VPNs with identity-aware proxies. For network security at professional offices, Zero Trust provides the most effective defense against credential-based attacks that bypass perimeter controls entirely.
Phishing Defense for Tax Professionals and Regulated Industries
Tax professionals face an elevated phishing threat environment because they hold exactly what attackers want: Social Security numbers, financial records, direct deposit information, and access credentials for tax preparation software connected to millions of returns. The IRS identifies tax preparers as a top-targeted group and requires them to maintain documented security programs under IRS Publication 4557.
A Written Information Security Plan (WISP) is the IRS-required foundation for phishing defense at tax practices. The WISP must document your email security controls, employee training program, incident response procedures, and acceptable use policies. Tax preparers handling 11 or more returns annually are required to maintain a compliant WISP—and the IRS has signaled increased enforcement attention on preparers without documented security programs. Our guide to building a WISP walks through every required element.
Healthcare organizations face similar requirements under HIPAA Security Rule §164.308(a)(5), which mandates security awareness training that specifically addresses phishing and malicious software. The Office for Civil Rights has cited inadequate phishing training as a contributing factor in multiple enforcement actions resulting in significant civil monetary penalties. For dental and medical practices, see our HIPAA cybersecurity requirements guide for phishing defense obligations specific to covered entities.
Financial institutions and businesses subject to the FTC Safeguards Rule must implement safeguards specifically addressing phishing under 16 C.F.R. Part 314. The rule requires multi-factor authentication, employee training, and technical controls to detect and prevent unauthorized access—all directly applicable to phishing defense. Review our FTC Safeguards Rule compliance guide for detailed implementation requirements.
Frequently Asked Questions About Phishing
What is the difference between phishing and spear phishing?
Phishing sends mass messages to large numbers of recipients with generic content, relying on volume to find victims. Spear phishing targets specific individuals or organizations with personalized messages that reference real details—colleagues, projects, vendors, or recent events—to appear more credible. Spear phishing success rates run up to 10 times higher than mass phishing because the messages feel genuine. Business Email Compromise (BEC) is an advanced form of spear phishing that uses actually compromised email accounts rather than spoofed addresses.
Can phishing emails get past spam filters?
Yes. Modern phishing attacks use several techniques to evade spam filters: sending from newly registered domains with no negative reputation, using legitimate cloud services (Google Docs, OneDrive) to host phishing pages, embedding malicious content in QR codes that filters can't read, and using adversary-in-the-middle proxy infrastructure. Secure Email Gateways with machine learning detection, URL rewriting, and attachment sandboxing catch significantly more phishing than basic spam filters, but no technical control catches 100% of attacks—which is why user awareness training remains essential.
Does phishing awareness training actually work?
When implemented correctly, phishing awareness training is highly effective. Organizations running monthly simulated phishing campaigns combined with targeted training reduce click rates from approximately 30% to under 5% within a year. The key variables are frequency (monthly is more effective than annual), relevance (industry-specific examples outperform generic content), and feedback (immediate coaching when users click simulated phishing links, without punishment). Programs that punish employees for failing simulations backfire by discouraging reporting of real attacks.
Why are mobile devices more vulnerable to phishing?
Mobile devices present a higher phishing risk for several reasons: URLs are truncated and harder to inspect on small screens, users can't hover over links to preview destinations, mobile browsers don't display the full address bar by default, and users tend to trust SMS messages more than email. Smishing (SMS phishing) exploits all of these factors. Additionally, mobile devices are less likely to have enterprise security controls like secure email gateways or endpoint protection. Use a mobile browser that displays full URLs and be skeptical of any unsolicited text message containing a link.
What should I do if I clicked a phishing link?
Act immediately: (1) Change the compromised password on the affected account and every other account where you used the same password. (2) Enable multi-factor authentication on the affected account if you haven't already—prioritize your email account, which can be used to reset other services. (3) Check for unauthorized access by reviewing login history and connected apps. (4) If financial credentials were entered, contact your bank to freeze accounts. (5) Run a malware scan on the device you used. (6) Report the incident to your IT team if it was a work account. Most damage from phishing can be contained if you act within the first 30 minutes.
How can I verify whether an email is legitimate?
Several methods help verify email authenticity: check the actual sender domain (not just the display name) by hovering over or clicking the sender field; look up the company's actual domain and compare it carefully; contact the company directly using contact information from their official website—not from the email; look for DMARC authentication results in the email headers (most email clients can show this); and compare the email's branding, tone, and formatting to previous legitimate messages from the same sender. When in doubt, a 30-second phone call to verify a request is always worth the time.
What is Business Email Compromise, and why is it harder to detect?
Business Email Compromise uses actually compromised email accounts—not spoofed addresses—to send fraudulent requests from trusted, legitimate senders. Where traditional phishing impersonates an organization using a lookalike domain, BEC attackers gain access to a real inbox and monitor it for weeks before executing fraud at a strategically chosen moment. BEC is harder to detect because messages pass all authentication checks (SPF, DKIM, DMARC) and come from addresses the recipient has previously corresponded with. The FBI reports BEC caused $2.9 billion in losses in 2025. Defense requires out-of-band verification for any unusual financial request, regardless of whether the sending address looks legitimate.
Can multi-factor authentication be bypassed by phishing?
Traditional MFA methods—SMS codes and time-based one-time passwords (TOTP)—can be bypassed by adversary-in-the-middle (AitM) phishing attacks. Attackers create proxy sites that relay credentials and MFA codes in real time to the legitimate service while capturing the authenticated session cookie. This technique bypasses MFA entirely because the attacker never needs to use the password separately. Phishing-resistant MFA methods—specifically FIDO2 security keys and passkeys—are cryptographically bound to the legitimate domain and cannot be proxied. For high-value accounts and privileged users, FIDO2 is the only MFA method that reliably defeats AitM attacks.
Where should I report a phishing attempt?
Report phishing to multiple channels for maximum impact: forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org; report to the FTC at ReportFraud.ftc.gov; report IRS-themed phishing to phishing@irs.gov; and report financial fraud to the FBI's Internet Crime Complaint Center at ic3.gov. For business accounts, report internally to your IT or security team first so they can assess whether the attack was targeted. Reporting doesn't just help investigators—it feeds threat intelligence databases that improve email filters for everyone.
What is quishing, and why is it dangerous?
Quishing embeds malicious URLs inside QR codes to bypass email security filters that scan text for suspicious links. Because the URL exists only as a visual pattern in an image, it's invisible to most email filtering technology. When a user scans the code with their smartphone, the device immediately opens the embedded URL—there's no hover-to-preview step, and the destination often opens in a mobile browser with reduced security controls. Common quishing scenarios include fake Microsoft 365 login prompts, payment requests embedded in invoices, and fraudulent parking violation notices. Treat any unexpected QR code with the same skepticism you'd apply to an unexpected link in an email.