Phishing

What Is Smishing and Phishing? Types of Phishing Attacks Explained

The plain-language guide to every major type — email, text, voice, targeted, and executive scams — with a real example and the one tell that gives each away.

What is smishing and phishing? Phishing is the umbrella term for scams that trick you into revealing passwords, payment details, or access — usually through a fake message and a link or phone call. Smishing is the same scam delivered by SMS text instead of email. Other types of phishing attacks use voice calls (vishing), personalized targeting (spear phishing), or executive targets (whaling). The channel changes; the goal does not: get you to act before you think.

If you have ever wondered whether that delivery text, that "bank security" email, or that urgent call from "IT" counts as phishing — this guide answers that. I run phishing simulations for a living; these are the categories we use, explained the way I wish everyone learned them on day one.

What is phishing?

Phishing is a social-engineering attack: someone pretends to be a trusted person or organization and pushes you to click a link, open an attachment, log in on a fake page, or share a verification code. The name comes from "fishing" — casting a wide net and seeing who bites. It remains the most reported type of internet crime: the FBI's Internet Crime Complaint Center (IC3) logged 193,407 phishing and spoofing complaints in 2024 — more than any other category in its annual report.

Classic email phishing might look like: "Your PayPal account has been limited. Click here to verify." The link goes to a fake login page that steals your credentials. Or an attachment labeled "Invoice.pdf" installs malware when opened.

The tell that gives email phishing away: you did not expect the message, it creates urgency, and it wants you to click or reply instead of going to the real site yourself. The FTC's guide on recognizing phishing scams and CISA's phishing resources both stress the same habit: do not use the link you were sent — open the real app or type the address yourself.

What is smishing?

Smishing is phishing by SMS (text message). "SM" + phishing. Same playbook, different inbox.

A typical smishing text: "USPS: Your package could not be delivered. Confirm your address and pay a $1.99 redelivery fee: [link]" — sent to thousands of numbers, hoping someone is expecting a package. Tap the link and you land on a fake payment page or a site that asks for personal details.

Other common smishing themes: unpaid tolls, bank fraud alerts, tax refunds, and prize winnings. Because texts feel personal and immediate, people tap faster than they would on email. The scale is real: in 2024, consumers reported losing $470 million to scams that started with a text message, according to FTC data.

The tell that gives smishing away: a delivery, bank, or government agency texting a link you did not ask for. Real organizations rarely ask you to solve account problems through a text link. Delete the message and check through the official app or website instead.

What is vishing?

Vishing is voice phishing — scam calls where the caller impersonates someone you trust. "V" for voice + phishing.

Example: you answer and hear, "This is your bank's fraud department. We detected unauthorized charges. To cancel them, please confirm your card number and the one-time code we just texted you." They are not your bank. They triggered the text code by trying to log into your account, and they need you to read it aloud.

Other vishing scripts: fake IRS or Social Security threats, tech-support calls claiming your computer is infected, and "your relative is in jail and needs bail money" scams.

The tell that gives vishing away: unsolicited urgency on a call you did not initiate. Hang up. Call back using a number from your card, your statement, or the organization's official website — never the number the caller gave you.

How spear phishing attacks differ from standard phishing

Standard phishing is bulk. One generic email to ten thousand people: "Dear customer, your account will be closed." Most recipients ignore it; a few click.

Spear phishing is targeted. The attacker researches one person or a small team and crafts a message that fits their real life. Example: an email to a finance assistant that appears to come from the CFO, references a real vendor name, and attaches a fake invoice for an amount that looks normal for that company.

Because spear phishing uses your name, your company, or a current project, it bypasses the "this looks generic" instinct that catches bulk scams. That is exactly why attackers invest the effort.

The tell that gives spear phishing away: the message is plausible — almost too tailored — but something is slightly off. A slightly wrong email address (cfo@company-secure.com instead of company.com), an unusual payment request, or a tone that does not match how that person usually writes. When in doubt, verify through a separate channel: call the person on a known number or walk over to their desk.

What is whaling phishing?

Whaling is spear phishing aimed at big fish — CEOs, CFOs, board members, or anyone with authority to approve wire transfers, sign contracts, or access sensitive data. The scams are among the most polished because the payoff can be enormous.

Example: a whaling email to a CEO, appearing to come from the board chair, requesting an urgent wire transfer for a confidential acquisition. Or a fake legal notice threatening regulatory action unless the executive clicks a link and "verifies" credentials.

Whaling also shows up as fake calendar invites, compromised executive email accounts used to instruct staff, and LinkedIn messages from impersonated leaders.

The tell that gives whaling away: any request to move money, share credentials, or bypass normal approval processes — especially when marked urgent and confidential. Organizations should require a second approval channel for wire transfers; individuals should treat executive urgency as a reason to slow down, not speed up.

Types of phishing attacks compared

All of these are phishing. They differ by channel (how the message reaches you) and targeting (how personal the message is).

Phishing types at a glance

  • Email phishing — Channel: email. Target: bulk, anyone. Example: fake bank login link. Tell: unexpected urgency + link.
  • Smishing — Channel: SMS text. Target: bulk. Example: fake delivery fee text. Tell: link in an unsolicited text.
  • Vishing — Channel: phone call. Target: bulk or scripted. Example: fake fraud-department call. Tell: they called you first and want codes or card numbers.
  • Spear phishing — Channel: usually email (also text/LinkedIn). Target: one person or small group. Example: fake invoice with your real vendor name. Tell: personalized but verify the sender out of band.
  • Whaling — Channel: email or messaging. Target: executives. Example: urgent wire-transfer request from a fake board member. Tell: money or credentials + confidentiality pressure.

Notice the pattern: every type pushes you to act fast and through their channel. Slowing down and switching channels — type the URL yourself, call back on a known number, confirm in person — defeats all of them.

How to spot any type of phishing attack

Channel-specific tells help, but these five checks work across email phishing, smishing, vishing, spear phishing, and whaling:

  1. You did not initiate contact. The message or call arrived unprompted. Treat that as the default suspicious state.
  2. Artificial urgency. "Act in 30 minutes," "account frozen today," "warrant issued" — pressure exists to stop you from verifying.
  3. Wrong channel for the request. Banks do not ask for full card numbers by text. The IRS does not threaten arrest by phone. IT does not ask for your password by email.
  4. Something small is off. A misspelled domain, a slightly wrong sender address, a logo that looks blurry, a greeting that uses your email username instead of your name.
  5. It asks you to bypass normal process. Wire money now, disable security, share a login code, buy gift cards, or click a link instead of logging in normally.

When a message passes the smell test but you are still unsure, assume it is phishing until you verify independently. For fake login pages specifically, see our guide on how to spot a fake website before you get scammed.

How to report phishing in Outlook

Reporting suspicious messages helps your email provider block the same campaign for others. In Outlook on the web or desktop, select the message, click Report (or JunkPhishing), and follow the prompts. Microsoft documents the full steps in its guide on reporting suspicious emails in Outlook.

You can also forward phishing emails to phishing@outlook.com (for messages received at Outlook.com addresses) and report to the FTC at reportfraud.ftc.gov. Reporting does not replace securing your accounts — but it helps authorities and providers track campaigns.

Clicking alone does not always compromise you — but it depends what happened next. If you only viewed a page and closed it, risk is lower (though you should still clear your browser data and watch for odd login alerts). If you entered a password, downloaded a file, or shared a verification code, treat it as a potential breach.

Do not enter more information on the suspicious page. Change passwords for affected accounts from a device you trust, enable two-factor authentication, and follow a full recovery sequence. Our step-by-step guide covers exactly that: what happens if you click on a phishing link and what to do in the first ten minutes.

Frequently asked questions

What is the difference between phishing and smishing?

Phishing is the broad category. Smishing is phishing via SMS text — same scams, different delivery method. Email phishing lands in your inbox; smishing lands as a text with a link or a callback number.

What is vishing?

Voice phishing — scam phone calls where someone impersonates your bank, government agency, tech support, or a colleague. They want passwords, payment details, or one-time codes read aloud.

How do spear phishing attacks differ from standard phishing attacks?

Standard phishing is generic and sent in bulk. Spear phishing targets specific people with personalized details — your name, company, or a real project — making it far more convincing.

What is whaling phishing?

Spear phishing aimed at executives or high-authority targets. Common hooks: urgent wire transfers, fake legal threats, or confidential requests that bypass normal approval.

What are the main types of phishing attacks?

Email phishing, smishing (SMS), vishing (voice), spear phishing (targeted), and whaling (executive spear phishing). They differ by channel and how personalized the message is.

What should I do if I clicked a phishing link?

Stop entering information, secure your accounts, enable 2FA, and follow a recovery checklist. See what to do if you clicked a phishing link for the full sequence.

The bottom line

What is smishing and phishing? Phishing is the family; smishing, vishing, spear phishing, and whaling are the variants — different channels and levels of targeting, same goal of tricking you into acting before you verify. Learn the one tell for each type, run the five universal checks when something feels off, and report suspicious messages when you can.

Knowing the definitions is step one. Step two is finding out whether you would actually spot these attacks in the moment — not in theory, but under pressure. That is what the quiz is for.