What is Phishing? Types, Examples, and How to Stop It in 2026
Phishing is the most common initial access vector for cyberattacks. Learn the types of phishing attacks in 2026, how AI has changed them, and what controls actually stop them.
The Types of Phishing Attacks
Email Phishing
Email phishing is the original and still the highest-volume form. Mass phishing campaigns send identical or near-identical messages to thousands or millions of recipients, relying on volume to compensate for low individual success rates. A campaign with a 0.1% success rate sent to one million addresses produces 1,000 compromised accounts. The messages typically impersonate well-known brands (Microsoft, Google, Amazon, PayPal, financial institutions) or create generic urgency scenarios: account suspension, security alert, package delivery failure, invoice payment required.
Spear Phishing
Spear phishing is targeted phishing crafted for a specific named individual using research and personal information. A spear phishing email to a CFO that references the company's recent acquisition, uses the correct internal email signature format, and appears to originate from the CEO's real email domain is not recognizable as phishing through the heuristics that catch generic campaigns. Because each message is hand-fitted to its recipient, success rates are far higher than in mass phishing, and the targets are selected for the access they can provide.
Whaling
Whaling is spear phishing targeted specifically at C-suite executives and board members. The combination of high-value access, executive authority to authorize financial transactions and direct IT actions, and the assumption that sophisticated business leaders are less likely to be targeted makes whaling a high-ROI attack category. A compromised CEO email account provides access to the most sensitive communications in the organization and the authority to instruct others to take security-compromising actions.
Adversary-in-the-Middle (AiTM) Phishing
AiTM phishing is the evolution that defeats every MFA method not bound to the login origin: SMS codes, TOTP codes, and push approvals. Rather than directing victims to a static fake login page that only captures credentials, AiTM attacks use a reverse proxy that relays traffic between the victim and the legitimate service in real time. The victim sees the real Microsoft login page, served through the attacker's domain, enters their real credentials, and completes their real MFA challenge, but the proxy captures the session cookie the service issues once MFA succeeds. The attacker then replays that cookie to access the account directly, with no further need for the password or the MFA device. Packaged in commodity phishing-as-a-service kits (EvilProxy and Evilginx-derived toolkits are the best known), this is the technique behind a large share of high-profile Microsoft 365 account takeovers in 2024-2026.
Vishing and Smishing
Voice phishing (vishing) and SMS phishing (smishing) extend the phishing attack surface to channels where security awareness training has historically focused less attention. Vishing calls impersonating IT support, bank fraud departments, or government agencies produce high success rates because the phone call medium carries social authority and urgency that email does not. Smishing exploits mobile users' higher link click rates and the personal, trusted nature of the SMS channel.
How AI Has Changed Phishing in 2026
Generative AI has materially elevated the quality ceiling for phishing attacks. The grammatical errors, awkward phrasing, and stylistic inconsistencies that once provided reliable phishing indicators are no longer reliable. AI-generated phishing content is grammatically perfect, culturally appropriate, and stylistically matched to legitimate communications from the impersonated sender.
The more significant AI-enabled capability is personalization at scale. Traditional spear phishing required manual research and writing — it was effective but labor-intensive, limiting the volume of targeted attacks any single threat actor could produce. AI tools can now consume a target's public digital footprint — LinkedIn profile, company website, press releases, social media — and generate highly personalized spear phishing content automatically. The marginal cost of adding another 1,000 personalized targets to a campaign has dropped to near zero.
AI voice cloning has transformed vishing. A convincing synthetic replica of a specific person's voice can be produced from 30 seconds of publicly available audio. Help desk staff who use voice recognition as a vishing defense heuristic — something sounds wrong about this call — no longer have a reliable signal. Video deepfakes have extended this to video calls, with documented cases of $25M financial fraud executed through deepfake video conference calls impersonating senior executives.
Why Security Awareness Training Is Insufficient
Security awareness training remains the most commonly deployed phishing defense and the one with the weakest evidence base for effectiveness against sophisticated attacks. Training that teaches employees to look for grammatical errors, suspicious sender addresses, and urgent language fails against AI-generated content that has none of these tells. Phishing simulation programs that send test emails and measure click rates produce a measurement; they do not necessarily produce meaningful behavior change under the cognitive load of actual work.
The more fundamental limitation is that phishing specifically targets human decision-making under conditions (urgency, authority, context) that systematically degrade even trained individuals' ability to evaluate legitimacy correctly. The organizations that have eliminated credential phishing as an initial access vector have done so through technical controls, not training.
Technical Controls That Actually Stop Phishing
The technical controls that address phishing most effectively operate at each phase of the attack chain: delivery prevention, credential protection, and post-authentication protection.
Email security gateways with attachment sandboxing, URL analysis against real-time threat intelligence, and ML-based message content analysis reduce the volume of phishing that reaches employee inboxes. They do not eliminate it — determined attackers route around gateway detection — but they catch the commodity campaigns that represent the majority of phishing volume.
Phishing-resistant MFA is the control that removes the credential theft objective of most phishing attacks. FIDO2 security keys and device-bound passkeys produce authentication responses that are cryptographically bound to the legitimate login origin: the browser writes the origin it is actually connected to into the signed client data, and the authenticator only releases credentials registered for that site's RP ID. An assertion generated at a phishing domain is therefore invalid at the real Microsoft login page, and a proxy cannot rewrite the origin field without breaking the signature. This is the specific property that defeats AiTM attacks, where push notification and TOTP-based MFA provide no protection. Deploying FIDO2 for all user accounts, not just administrators, and removing the weaker fallback methods (SMS, TOTP, push) that an attacker would otherwise downgrade to, closes credential phishing as a vector. It does not stop phishing that never needs the credential, such as consent phishing or device code phishing, where the victim signs in legitimately on the real page on the attacker's behalf; those flows have to be blocked with Conditional Access and tenant settings.
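The two mechanisms described above and in the AiTM section, the origin written into the signed client data and the signature over it, are easiest to see in the relying party's verification code. The following is an added example, not code from the original page or from any vendor: a toy authenticator and the RP-side checks from WebAuthn section 7.2, with the authenticator's ECDSA signature replaced by an HMAC over exactly the bytes a real key signs (a labelled stand-in) so that it runs with the standard library alone. The host names are assumed for the example.

```python
"""Added example (not from the page): why an AiTM proxy cannot relay a FIDO2 assertion.

The relying-party (RP) checks follow WebAuthn section 7.2, "Verifying an
Authentication Assertion". Standard library only: the authenticator's ECDSA
signature is modelled as an HMAC over exactly the bytes a real key signs
(a labelled stand-in; the point is *which* bytes are signed, not the curve).
Host names are assumed for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                                  # assumed RP ID of the real service
RP_ORIGIN = "https://login.example.com"                      # origin the RP expects in clientDataJSON
PROXY_ORIGIN = "https://login.example.com.evil-proxy.test"   # assumed AiTM proxy domain


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class ToyAuthenticator:
    """Stand-in for a security key: one credential, signs what the *browser* hands it."""

    def __init__(self) -> None:
        # HMAC stand-in: the RP holds the same bytes and treats them as the "public key".
        self.secret = secrets.token_bytes(32)

    def get_assertion(self, browser_origin: str, challenge: bytes) -> dict:
        # The browser, not the page's JavaScript, writes the origin it is really
        # connected to into clientDataJSON. A proxy cannot influence this field.
        # (A real browser would already refuse the call at PROXY_ORIGIN because
        # RP_ID is not a registrable suffix of that host; the toy skips that check
        # so the RP-side defence can be shown on its own.)
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": browser_origin},
            separators=(",", ":"),
        ).encode()
        # authenticatorData = rpIdHash (32) | flags (UP|UV = 0x05) | signCount (4)
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.secret, to_sign, "sha256").digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, expected_challenge: bytes, pub: bytes) -> tuple:
    """RP-side verification. Returns (ok, reason) so callers can see which check failed."""
    c = json.loads(assertion["clientDataJSON"])
    if c.get("type") != "webauthn.get":
        return False, "type"
    if c.get("challenge") != b64url(expected_challenge):
        return False, "challenge"      # stale or replayed challenge
    if c.get("origin") != RP_ORIGIN:
        return False, "origin"         # the check that breaks AiTM relays
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash"
    if not ad[32] & 0x01:
        return False, "user-presence"
    to_sign = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(pub, to_sign, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature"
    return True, "ok"


def demo() -> dict:
    key = ToyAuthenticator()
    pub = key.secret
    out = {}

    # 1. Normal login straight to the real origin.
    ch = secrets.token_bytes(32)
    out["direct"] = rp_verify(key.get_assertion(RP_ORIGIN, ch), ch, pub)

    # 2. AiTM: the proxy obtains a fresh challenge from the RP and relays it to the
    #    victim, whose browser is connected to PROXY_ORIGIN. The victim touches the key.
    ch = secrets.token_bytes(32)
    relayed = key.get_assertion(PROXY_ORIGIN, ch)
    out["aitm_relay"] = rp_verify(relayed, ch, pub)

    # 3. The proxy rewrites the origin field to the real one before forwarding.
    #    clientDataJSON is covered by the signature, so the signature no longer verifies.
    patched_cd = json.loads(relayed["clientDataJSON"])
    patched_cd["origin"] = RP_ORIGIN
    patched = dict(relayed, clientDataJSON=json.dumps(patched_cd, separators=(",", ":")).encode())
    out["aitm_patched"] = rp_verify(patched, ch, pub)

    # 4. A captured good assertion is replayed against a later challenge.
    old_ch = secrets.token_bytes(32)
    captured = key.get_assertion(RP_ORIGIN, old_ch)
    out["replay"] = rp_verify(captured, secrets.token_bytes(32), pub)
    return out


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:13s} -> {'accepted' if ok else 'rejected: ' + reason}")
```

Contrast this with a TOTP or push flow: there the proxy forwards a six-digit code or a tap that carries no information about where the user typed it, so the real service has nothing to check. Here the relayed assertion fails on `origin`, the patched one fails on `signature`, and the captured one fails on `challenge`.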
Conditional Access policies that enforce device compliance, restrict access from high-risk IP ranges, and implement continuous access evaluation reduce the usefulness of session tokens captured through AiTM attacks. If a stolen token can only be used from a compliant, managed device, its value to an attacker operating from a cloud VM or residential proxy network is limited.
For PE operating partners, the phishing resilience question comes down to one: has the organization deployed FIDO2 phishing-resistant MFA for all users, not just a subset, with the weaker fallback methods removed? If the answer is no, the credential theft objective of every phishing campaign targeting that organization remains achievable. Everything else is noise reduction, not threat elimination.
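That question, together with the compliant-device requirement from the Conditional Access paragraph, can be answered mechanically from the tenant's policy export rather than from a questionnaire. The following is an added example, not the page's or Microsoft's code: it audits a list of Entra ID Conditional Access policies in the shape returned by the Graph API for an enforced all-users, all-apps policy that requires the built-in "Phishing-resistant MFA" authentication strength, an enforced all-users policy that requires a compliant device, and the exclusions carved out of either. The sample policies, group IDs and display names are constructed for the example.

```python
"""Added example (not the page's or Microsoft's code): audit Entra ID Conditional Access
policies for the two properties this section asks about, namely phishing-resistant MFA
required for all users and a compliant-device requirement for all users.

Input is the `value` array returned by
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
Field names follow the Graph conditionalAccessPolicy schema; the sample policies and
their IDs are constructed for the example. PHISHING_RESISTANT_MFA is the documented
built-in authentication strength ID for "Phishing-resistant MFA".
"""
import copy

PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def _grant(policy: dict) -> dict:
    return policy.get("grantControls") or {}


def covers_everyone(policy: dict) -> bool:
    """True only if the policy targets All users and All cloud apps."""
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    return "All" in users and "All" in apps


def exclusions(policy: dict) -> list:
    """Every user/group/role carved out of the policy; each one is a phishable account."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return [f"{k}:{v}" for k in ("excludeUsers", "excludeGroups", "excludeRoles")
            for v in users.get(k) or []]


def requires_phishing_resistant(policy: dict) -> bool:
    strength = _grant(policy).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_MFA


def requires_compliant_device(policy: dict) -> bool:
    g = _grant(policy)
    controls = g.get("builtInControls") or []
    # With operator "OR" the device is just one way to satisfy the grant, so it is not
    # a requirement unless it is the only control listed.
    return "compliantDevice" in controls and (g.get("operator") == "AND" or len(controls) == 1)


def audit(policies: list) -> dict:
    enforced = [p for p in policies if p.get("state") == "enabled"]
    pr = [p for p in enforced if covers_everyone(p) and requires_phishing_resistant(p)]
    cd = [p for p in enforced if covers_everyone(p) and requires_compliant_device(p)]
    return {
        "phishing_resistant_for_all": bool(pr),
        "compliant_device_for_all": bool(cd),
        "exclusions": sorted({e for p in pr + cd for e in exclusions(p)}),
        "report_only": [p["displayName"] for p in policies
                        if p.get("state") == "enabledForReportingButNotEnforced"],
    }


# Constructed sample: a typical "MFA everywhere, FIDO2 only for admins" tenant.
SAMPLE_POLICIES = [
    {
        "displayName": "Admins: phishing-resistant MFA",
        "state": "enabled",
        "conditions": {
            # Global Administrator role template ID; no "All" users, so not everyone is covered
            "users": {"includeUsers": [], "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [],
                          "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    },
    {
        "displayName": "All users: MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["break-glass-group-id"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},  # TOTP/push satisfy this
    },
    {
        "displayName": "All users: compliant device",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]

# The same tenant after remediation: the all-users policy now demands the
# phishing-resistant strength and the device policy is enforced.
FIXED_POLICIES = copy.deepcopy(SAMPLE_POLICIES)
FIXED_POLICIES[1]["grantControls"] = {"operator": "OR", "builtInControls": [],
                                      "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}
FIXED_POLICIES[2]["state"] = "enabled"

if __name__ == "__main__":
    for label, pols in (("before", SAMPLE_POLICIES), ("after", FIXED_POLICIES)):
        print(label, audit(pols))
```

On a real tenant, pull the `value` array with `az rest --method GET --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" --query value` (or any Graph client with `Policy.Read.All`) and feed it to `audit`. The "before" sample reports `phishing_resistant_for_all: False` even though admins have FIDO2, which is exactly the "subset, not all users" gap the question is about; the "after" sample passes but still lists the break-glass exclusion, which is the residual population an attacker will go looking for.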