
You probably think you can spot a phishing email. Bad grammar, a sketchy link, some stranger asking for your password. Those were the usual giveaways, and that version of phishing barely exists anymore. The FBI received over 191,000 phishing complaints in 2025, with losses jumping from $70 million to $215.8 million (FBI IC3, 2025 Annual Report). Phishing has spread well beyond email. Attackers now hit you across texts, calls, QR codes, and social media, often at the same time.
Each type of phishing attack works differently. Here is a breakdown of every major method active now and how to protect yourself from phishing attacks before one lands.
Key takeaways
- Phishing now spans eight types across email, SMS, voice, QR codes, and AI-generated content
- AI phishing scams have removed the grammar mistakes that once made scams easy to spot
- BEC losses hit $3.04 billion in 2025 according to the FBI
- Using unique aliases for each account and removing your data from broker sites breaks the reconnaissance chain behind most attacks
Types of phishing attacks you need to know in 2026
Phishing is not one trick. Eight distinct attack types are actively targeting consumers and businesses right now. Email phishing is the most common starting point, so that is where we begin.
Email phishing
Email phishing is when a scammer sends a fake message from a company you trust (your bank, a streaming service, a shipping carrier), tricking you into clicking a link or entering credentials on a fake site.
You get an email from your bank saying your account has been locked. The logo looks right, the "Verify Now" button seems harmless, and you click without thinking. Bank alerts are just one example. Common phishing email examples also include "password reset" notices, "failed delivery" alerts, and fake "invoices." Each sends you to a fake login page where your credentials are captured.
Phishing emails are harder to spot now, but there are still red flags worth watching for:
- The sender address does not match the company's real domain (e.g., [email protected] instead of paypal.com)
- Urgent language like "Your account will be locked in 24 hours"
- Generic greetings like "Dear Customer" instead of your actual name
- Links that point to an unfamiliar URL when you hover over them
Telling whether an email is phishing comes down to one habit: if a message asks you to click a link and enter credentials, go to the company's website directly instead. If those credentials do get stolen, they can end up on dark web marketplaces within days.
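The red flags listed above can also be checked mechanically. The following is an added example, not code from the original page: it runs those four checks over a constructed message, and the `BRAND_DOMAINS` allow-list, the function names and the sample email are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hypothetical allow-list of brand name -> real domain.
BRAND_DOMAINS = {"paypal": "paypal.com"}
URGENT = re.compile(r"\b(?:within|in) \d+ hours\b|\bimmediately\b", re.I)
GENERIC = re.compile(r"\bdear (?:customer|user|member)\b", re.I)
# Constructed sample message; example.net is a reserved domain.
SAMPLE = '''From: "PayPal Support" <service@paypal.example.net>
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your account will be locked in 24 hours.</p>
<a href="http://login.example.net/verify">Verify Now</a>
'''

class Hrefs(HTMLParser):
    """Collect the real destination of every <a> tag, not its visible text."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append(dict(attrs).get("href") or "")

def in_domain(host, domain):  # the domain itself or a genuine subdomain only
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    claimed = [d for b, d in BRAND_DOMAINS.items() if b in name.lower()]
    flags = []
    if any(not in_domain(addr.rpartition("@")[2], d) for d in claimed):
        flags.append("sender_domain_mismatch")
    if URGENT.search(body):
        flags.append("urgent_language")
    if GENERIC.search(body):
        flags.append("generic_greeting")
    parser = Hrefs()
    parser.feed(body)
    if any(not in_domain(urlparse(h).hostname, d) for h in parser.found for d in claimed):
        flags.append("link_off_brand")  # real destination is outside the brand's domain
    return flags
```

The suffix check in `in_domain` is what separates a real subdomain such as `mail.paypal.com` from a lookalike such as `paypal.example.net`, where the brand name appears in the host but the registered domain belongs to someone else.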
Spear phishing
Spear phishing is a targeted attack where the scammer researches one person and crafts a message using real details (name, employer, job title). Spear phishing has a much higher success rate because the message feels personal.
An attacker pulls your name and job title from LinkedIn, your employer from a press release, and your email address from a data broker. AI has made this reconnaissance even faster. IBM X-Force researchers showed that AI could build a full spear phishing campaign in five minutes using five prompts, while the same task took humans roughly 16 hours.
When your real email sits on dozens of broker databases, attackers build a detailed picture of you without hacking anything. Removing your personal data starves the supply chain behind spear phishing. Run a safety scan to see how much of your data is already exposed.
Smishing (SMS phishing)
Smishing is phishing through text messages, and people open texts faster and with less suspicion than email, which is exactly what scammers count on. Fake texts pretend to be from banks, delivery services, or government agencies, dropping links to credential-stealing sites.
A text arrives saying your package could not be delivered or your bank account has been flagged. The link takes you to a fake page designed to steal your login info. Mobile browsers hide the full URL, making smishing harder to spot, so avoid tapping links in unexpected texts. Contact the company using their official number, and delete the message once you confirm it is fake. Going forward, using a separate alias for each account keeps your real phone number out of reach.
Vishing (voice phishing)
Vishing is phishing over the phone, where a scammer calls pretending to be from your bank, a government agency, or tech support, pressuring you into sharing passwords or payment details. These calls have become harder to question now that AI voice cloning can mimic specific voices with alarming accuracy.
Your phone rings. The caller says suspicious activity was detected on your account and walks you through "security steps" that actually hand over your credentials. The caller sounds professional, uses real details about you, and spoofs a legitimate number. In 2024, a finance worker at an engineering firm transferred approximately $25.6 million after joining a video call where every participant, including the CFO, was an AI-generated deepfake.
The simplest defense against vishing is to slow down. Screening unknown calls before picking up keeps scammers from reaching you in the first place. If someone claims to be from your bank, hang up and call back using the number on your card.
QR code phishing (quishing)
Quishing hides a malicious link inside a QR code. When you scan it, you land on a fake website built to steal credentials or install malware. Many email security tools cannot read what is inside a QR code, which is why quishing bypasses traditional filters.
Quishing shows up in fake invoices sent by email, printed flyers and parking meter stickers, and emails pretending to be from IT departments asking you to "verify your identity." The problem is growing fast. Between April 2024 and April 2025, Action Fraud logged 784 quishing reports with losses near £3.5 million. With attacks on the rise, verify the domain before scanning any QR code from a public space or unexpected email. Using a different alias for each account means a stolen credential only compromises one login.
AI phishing scams
AI phishing scams use large language models and deepfake technology to generate convincing emails, calls, and video at scale. The grammar mistakes and generic phrasing that used to give phishing away are gone.
AI tools generate unique, flawless phishing emails for thousands of targets, referencing real personal details scraped from data broker sites, social media, and past breaches. The FBI's 2025 IC3 Report logged over 22,000 AI cybercrime complaints with $893 million in losses. AI phishing goes beyond email as well. Deepfake voices can impersonate real people on calls, and AI video can produce convincing fake meetings.
Phishing prevention in 2026 can no longer rely on spotting bad grammar. Verify any request for money or credentials through a separate channel, and do not trust a message just because it sounds personal. Use unique email aliases for different accounts so a breach at one service does not expose your real identity.
Business email compromise (BEC)
Business email compromise is when a scammer impersonates a company executive, vendor, or coworker and asks someone to wire money or share sensitive data. BEC attacks skip malicious links and attachments entirely, relying on trust and urgency to get people to act before thinking twice.
BEC losses hit $3.04 billion in 2025 per the FBI IC3 Report. The emails come from compromised accounts or spoofed addresses. Finance teams and HR departments tend to be the most targeted.
Clone phishing
Clone phishing is when a scammer copies a real email you received and swaps the links or attachments for malicious versions. The cloned email gets resent from a spoofed address with a note like "Updated attachment." Because you trusted the original, your guard is lower, and clone phishing often follows an account compromise. Monitoring for leaked credentials helps catch these compromises early.
How to report phishing emails
If you get hit by any type of phishing, reporting it helps block the same message from reaching someone else.
- Email provider: Use the "Report phishing" button in Gmail, Outlook, or your email app
- Anti-Phishing Working Group: Forward phishing emails to [email protected]
- FBI IC3: File a report at ic3.gov if you lost money or personal information
- FTC: Report at reportfraud.ftc.gov
How Cloaked helps you stay ahead of phishing
Phishing works because attackers already have your real email, phone number, and personal details on broker sites. Cloaked is useful here in a straightforward way: it removes your data from over 300 people-search sites and generates unique email and phone aliases for every account, so a breach at one service cannot be linked back to you. Cloaked also offers dark web and SSN monitoring and $1M identity theft insurance.
Take a safety scan and see how exposed you already are, or contact us to learn more.
FAQs
What are the most common types of phishing attacks in 2026?
The most active types are email phishing, spear phishing, smishing, vishing, QR code phishing, AI-powered phishing, business email compromise, and clone phishing. Email leads by volume, but AI-assisted attacks are growing fastest.
How can you tell if an email is a phishing attempt?
Check the sender's actual email address rather than the display name. Look for urgent demands, generic greetings, and links to unfamiliar domains. If an email asks you to enter credentials, go to the company's website directly.
What is the difference between phishing and spear phishing?
Standard phishing sends generic messages to thousands of people. Spear phishing targets one person using researched details like their name and employer, giving it a much higher success rate.
Can AI-generated phishing emails get past spam filters?
In many cases, yes. AI-generated emails tend to be unique each time and read like legitimate messages, making them harder for pattern-based filters to catch.
What should you do immediately after clicking a phishing link?
Disconnect from the internet if malware may have downloaded. Change passwords for any account where you entered credentials, starting with email. Report the incident to your IT team and to ic3.gov if money or data was involved.
How do you protect yourself from phishing attacks on your phone?
Never tap links in unexpected texts and use a call-screening tool for unknown callers. Keep your phone updated and avoid scanning QR codes from unfamiliar sources. Using unique aliases for each account limits damage from any single breach.


