
What is phishing? Types, examples, and how to defend in 2026

Phishing is the most common initial-access vector for cyberattacks. This guide covers email phishing, vishing, smishing, BEC, and the controls that actually work.


Phishing is the practice of impersonating a trusted entity — a colleague, a bank, an IT department, a vendor — to trick a target into clicking a link, opening an attachment, or revealing information. It is the single most common initial-access vector for cyberattacks; Verizon's annual breach reports consistently place it in the top three.

The taxonomy

  • Email phishing: mass-distributed messages, low effort per recipient.
  • Spear-phishing: targeted at a specific person, with research-based personalization.
  • Whaling: spear-phishing targeting executives.
  • Smishing: phishing via SMS.
  • Vishing: phishing over phone calls. See the 2023 MGM Resorts incident — vishing to the help desk defeated MFA.
  • Quishing: QR-code phishing. Increasingly common in 2024–2025 because security tooling rarely scans inside images.
  • Business Email Compromise (BEC): not always phishing in the click-a-link sense; often a compromised mailbox impersonating a vendor or executive to redirect a wire transfer.
  • Clone phishing: a copy of a legitimate message resent with the link or attachment swapped out.
  • Pharming: DNS-level redirection that sends users to fake sites regardless of the URL they type.

What makes a successful campaign

  • Authority cue: an executive, IT department, or regulator, with the right logo and tone.
  • Time pressure: a deadline, a missed payment, a security incident.
  • Plausible context: tied to a known event (an upcoming filing, an actual vendor relationship, recent travel).
  • Low-friction "fix": a single click, a quick login, a small wire transfer.

What actually defends

The fundamentals:

  • Phishing-resistant MFA: FIDO2/WebAuthn security keys or platform passkeys. These are not phishable by design — the credential is bound to the legitimate origin. Standard TOTP and SMS MFA are increasingly broken by Adversary-in-the-Middle (AiTM) toolkits like Evilginx and Modlishka.
  • Defang URLs in inbound mail: rewrite all links through a security gateway that detonates them in a sandbox first. Yes, even from "trusted" senders — the most credible phishing comes from compromised partner mailboxes.
  • Number-matching MFA prompts: instead of "Approve?" with a single button, require the user to type a number the device shows. This breaks MFA-fatigue (push-bombing) attacks.
  • Help-desk verification protocols: never reset MFA based solely on a phone call. Require manager attestation, video confirmation, or callback to a known number.
  • Reporting friction is the enemy: a one-click "Report phishing" button trains the user base. The faster reports come in, the faster you contain the campaign in your tenant.
  • Tabletop the AiTM scenario: most security teams have not actually walked through what happens when a user's session cookie is stolen post-MFA. Build the runbook before you need it.
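To illustrate the "bound to the legitimate origin" point above, here is an added Python example (not from the article) of the origin and RP-ID checks a WebAuthn relying party performs on an assertion; the RP ID, origin, challenge and lookalike domain are constructed values, and the signature verification step is left out.

```python
import base64
import hashlib
import json
from typing import Tuple

# Constructed values (not from the article): the relying party's real origin and
# RP ID, and the random challenge the server issued for this sign-in ceremony.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
CHALLENGE = base64.urlsafe_b64encode(b"server-issued-random-challenge!!").rstrip(b"=").decode()

def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: str = CHALLENGE) -> Tuple[bool, str]:
    """Check the parts of a WebAuthn assertion that bind it to the legitimate site.
    The signature over authenticator_data || sha256(client_data_json) is a separate step."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # The browser, not the user, fills in the origin it is actually talking to,
    # and that value is covered by the signature, so a proxy cannot rewrite it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence was confirmed
        return False, "user presence flag not set"
    return True, "assertion is bound to the legitimate origin and RP ID"

def make_client_data(origin: str) -> bytes:
    """Constructed clientDataJSON, as a browser on `origin` would produce it."""
    return json.dumps({"type": "webauthn.get", "challenge": CHALLENGE,
                       "origin": origin, "crossOrigin": False}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags (UP set) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")

if __name__ == "__main__":
    print(verify_assertion_binding(make_client_data(EXPECTED_ORIGIN), make_auth_data(RP_ID)))
    # The same key used through an AiTM proxy on a constructed lookalike domain fails:
    print(verify_assertion_binding(make_client_data("https://login.examp1e.com"),
                                   make_auth_data("login.examp1e.com")))
```

The second call fails on the origin check alone: the proxy relays the user's real key, but the browser reports the proxy's origin and the authenticator hashes the proxy's RP ID, so the relying party never accepts it.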

Why it matters

Most major incidents in this catalog began with one of the variants above:

Phishing is not a "user training" problem. It is an engineering problem about which controls remove human judgement from the chain.
