Cybersecurity has developed a whole family of attack types ending in “-ishing”, all based on deception—tricking people into giving up access, data, or trust. This page is a comprehensive (or near-comprehensive) list of common “-ishing” attacks, each with a clear explanation and real-world context.
Phishing
The classic attack.
Fraudulent emails or messages impersonate trusted entities (banks, Microsoft, HR, etc.) to trick users into:
- clicking malicious links
- entering credentials
- downloading malware
Spear Phishing
A targeted version of phishing.
Attackers customize messages using personal details (name, job, company).
Example: Email pretending to be your manager asking for a document.
Whaling
Phishing aimed at high-value targets like executives (CEO, CFO).
Often used in financial fraud or data theft.
Example: Fake legal notice sent to a CEO.
Smishing (SMS Phishing)
Uses text messages instead of email.
Example: “Your package is delayed. Click here to reschedule delivery.”
Vishing (Voice Phishing)
Uses phone calls or voicemail.
Attackers impersonate banks, IT support, or government agencies.
Example: “This is your bank—there’s suspicious activity on your account.”
Clone Phishing
Copies a legitimate email you’ve already received, but replaces links or attachments with malicious ones.
Looks identical to a real message.
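A defensive check for the clone pattern described above, as an added example that is not part of the original page: it flags a message whose text closely matches one already received but whose links point to hosts the earlier copy did not use. The function names, the 0.85 similarity threshold, and the sample messages are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def split_links(body):
    """Return (normalized text with URLs replaced by a placeholder, set of link hosts)."""
    hosts = {(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(body)}
    text = URL_RE.sub("<URL>", body)
    return " ".join(text.split()).lower(), hosts

def clone_phish_check(new_body, known_bodies, threshold=0.85):
    """Flag new_body if it closely matches an earlier message but links to new hosts.

    Returns (index_of_matched_message, sorted_new_hosts), or None if nothing matches.
    The threshold is an assumed starting point, not a tuned value.
    """
    new_text, new_hosts = split_links(new_body)
    for i, old in enumerate(known_bodies):
        old_text, old_hosts = split_links(old)
        similarity = SequenceMatcher(None, old_text, new_text).ratio()
        added = new_hosts - old_hosts
        if similarity >= threshold and added:
            return i, sorted(added)
    return None

# Constructed sample messages; example.com and example.net are reserved documentation domains.
ORIGINAL = """Hi team,
The Q3 expense report is ready for review:
https://files.example.com/reports/q3.pdf
Please send comments by Friday.
"""
CLONE = """Hi team,
The Q3 expense report is ready for review (updated version):
https://files.example.net/reports/q3.pdf
Please send comments by Friday.
"""
UNRELATED = "Lunch menu for next week: https://intranet.example.com/menu"

if __name__ == "__main__":
    print(clone_phish_check(CLONE, [UNRELATED, ORIGINAL]))   # near-copy with a new link host
    print(clone_phish_check(ORIGINAL, [ORIGINAL]))           # exact resend, same links
```

The same comparison can be extended to attachment names and hashes, since the clone may swap an attachment rather than a link.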
Angler Phishing
Targets people on social media by impersonating customer support accounts.
Example: Fake “Twitter support” responding to your complaint.
