There are countless phishing methods, but some stand out as tried-and-true favorites for cybercriminals. Most revolve around forging a sense of urgency or trust. They’ll use big company logos, official-sounding language, corporate-looking graphics, or even personal details (like your manager’s name) to trick you into thinking everything’s legit.
Here are a few that show up over and over:
Email phishing
This is one of the oldest and most common types of phishing. Attackers send emails pretending to be anything from banks and delivery services to major brands. The emails usually include a link or attachment that leads to a fake login page or drops malware onto your device.
Whaling
This tactic targets high-level individuals—CEOs, CFOs, or other executives—because they often have access to valuable data or can authorize major payments. Attackers research their targets thoroughly before they start, so the request seems genuine.
Domain spoofing
Cybercriminals set up websites (or use look-alike email domains) that seem to match your bank, a vendor, or even your own company. A phishing email will send you to the fake site and direct you to enter your credentials, tricking you into unknowingly handing them over to attackers. Domain spoofing is especially tricky because, at a glance, the URLs appear legitimate. In most cases, the URL is only slightly off from the real one.
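A defensive check for the "only slightly off" URLs described above, as an added example that is not part of the original article. The trusted-domain list, the function names, and every sample domain are constructed for illustration, and the check covers ASCII substitutions and typos only, not Unicode homoglyphs.

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains your organization really deals with.
TRUSTED = {"examplebank.com", "example-vendor.com"}
# Visual substitutions folded to one canonical form before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def skeleton(domain):
    """Reduce a domain to a form in which common look-alike swaps collapse."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(value):
    """Accept a URL, an email address, or a bare hostname."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].lower().rstrip(".")


def classify(value, max_distance=2):
    """Return (verdict, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    host = host_of(value)
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    best = None
    for good in sorted(TRUSTED):
        # Trusted name used as a subdomain prefix of someone else's domain.
        if ("." + good + ".") in ("." + host):
            return ("lookalike", good)
        # Compare only as many trailing labels as the trusted domain has.
        tail = ".".join(host.split(".")[-(good.count(".") + 1):])
        d = edit_distance(skeleton(tail), skeleton(good))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, good)
    return ("lookalike", best[1]) if best else ("unknown", None)
```

A "lookalike" verdict is a reason to quarantine or warn, while "unknown" only means the domain resembles nothing on the allow-list.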
Spear phishing
This is more targeted than the mass blasts typical of ordinary email phishing. Attackers gather personal info (maybe from social media or news articles) and write messages that reference your projects or coworkers. Because the message feels personal, you’re more inclined to trust the request.
Even though these forms of phishing vary, they share the same principle: create a believable scenario and pressure you into taking action—like clicking a link or downloading an attachment—before you think to stop and question its authenticity.