Phishing remains one of the most reliable and cost-effective attack vectors for adversaries because it exploits human trust, business workflows, and implicit communication patterns rather than technical weaknesses alone. As email infrastructures harden, attackers shift to vectors that mimic legitimate behavior: impersonating trusted vendors, embedding text inside images, hiding payloads in HTML files, or using QR codes and calendar invites to bypass traditional filters.
AI-generated text and automation have also increased the volume and believability of phishing attempts. What once looked like simple spam now resembles high-fidelity internal communication.
Modern phishing attacks rarely rely on obvious indicators. Attackers use behavioral mimicry, cloud infrastructure, and AI to blend into legitimate communication. Legacy categories like “bulk phishing” or “link-based attacks” no longer capture how threats operate. The list below reflects the phishing techniques that security teams encounter in real environments, including cross-channel attacks, MFA bypass methods, and image-based obfuscation.
This guide breaks down 17 modern phishing attack types that SOC analysts, detection engineers, and security leaders need to understand, and it explains how to detect them effectively using the Sublime Security Platform, which is powered by explainable detection logic, behavioral modeling, and agentic AI.
Main takeaways
- Phishing now spans email, collaboration platforms, OAuth flows, QR codes, calendar invites, and image-based obfuscation.
- The most dangerous social engineering attacks contain no obvious payloads and rely on tone, timing, and context.
- Traditional filters miss these because they lack context, transparency, and behavioral understanding.
- Sublime Security provides explainable detections, message lineage, behavioral baselines, and agentic automation through ASA and ADÉ.
- Continuous analysis, backtesting, and organization-specific detection logic are now essential for staying ahead of attackers.
Why phishing attacks succeed
Phishing succeeds because it blends technical evasion with human manipulation. Attackers know that even strong perimeter controls cannot prevent every malicious message from landing in an inbox. Once a message arrives, the user becomes the vulnerability.
Technical blindspots
- Misconfigured or absent SPF, DKIM, and DMARC records
- Legacy filters that rely on static signatures or global models
- Obfuscation techniques such as HTML smuggling, image-based text, QR-based redirects, or encoded scripts
Human vulnerabilities
- Urgency such as “your account will be closed”
- Authority such as “per your CFO’s request”
- Fear such as “your password expires today”
- Curiosity or reward such as “your bonus statement is attached”
Modern evasion techniques
- AI-generated messaging that appears legitimate
- Thread hijacking inside active conversations
- Calendar invites that bypass inbox-based filtering
- OAuth consent flows that look benign
Traditional email security struggles because most solutions are black box, one-size-fits-all, and slow to adapt. The Sublime Security Platform uses transparent detections, behavioral modeling, and autonomous AI agents to identify attacks based on signals that reflect how your organization actually communicates, not generic global patterns.
The 17 modern types of phishing attacks and how to detect them
This list removes outdated categories and focuses on the phishing techniques that organizations face today.
1. Email phishing
Mass phishing campaigns designed to steal credentials or deliver malware. Often includes spoofed brands or deceptive login pages.
How to spot it: suspicious language, mismatched domains, payment-themed lures, unfamiliar senders.
Sublime detects it through:
- Behavioral baselining
- Who-to-who relationship modeling
- NLU-based intent detection
- Transparent message lineage
Variants: basic phishing attacks, phishing techniques, brand impersonation phishing.
2. Spear phishing
Targeted attacks against specific individuals or teams that reference internal context or personal details.
How to spot it: personalized details, tone shifts, requests inconsistent with historical behavior.
Sublime detects it through:
- Organization-specific behavioral profiles
- NLU models for persuasion, coercion, and urgency
- DDM adaptation to internal norms
Variants: targeted phishing attacks, tailored phishing lures.
3. Business email compromise (BEC)
Impersonation of executives, employees, or vendors to manipulate financial or data workflows. Often contains no links or attachments.
How to spot it: unexpected payment changes, domain lookalikes, new supplier instructions.
Sublime detects it through:
- VIP and supplier-specific baselines
- Intent models for financial fraud
- Message-lineage explanations
Variants: payload-free phishing, social engineering fraud.
4. Whaling
A subtype of BEC that targets senior leaders.
How to spot it: unusual approval requests, sudden high-pressure messages.
Sublime detects it through:
- Executive communication baselines
- Role-sensitive anomaly detection
Variants: executive phishing attacks.
5. Clone phishing
Attackers copy a legitimate email and resend it with malicious links or attachments.
How to spot it: altered URLs, unexpected attachments in previously trusted threads.
Sublime detects it through:
- Content similarity analysis
- Modified payload detection
- Thread-context modeling
Variants: email cloning attacks, replicated phishing emails.
6. Thread hijacking or reply-chain attacks
An attacker replies within an existing conversation after compromising an account.
How to spot it: new attachments or links in an old thread, abrupt tone changes.
Sublime detects it through:
- Thread-origin anomalies
- Compromise indicators
- Behavioral deviations from historical communication
Variants: reply-chain phishing, account takeover phishing.
7. Man-in-the-middle phishing (AiTM)
Reverse proxy phishing that steals credentials and session tokens. Allows attackers to bypass MFA.
How to spot it: suspicious login prompts, unexpected device enrollment messages.
Sublime detects it through:
- Landing-page analysis
- Detection of known AiTM kits
- URL behavior modeling
Variants: MFA bypass phishing, session hijacking attacks, reverse proxy phishing.
8. Credential phishing
Fake login portals impersonating Microsoft 365, Google, Okta, payroll systems, or financial apps.
How to spot it: subtle visual discrepancies, unusual redirect flows.
Sublime detects it through:
- OCR and computer vision for fake login pages
- NLU for text inside image-based lures
- Intent modeling
Variants: credential theft phishing, login-page impersonation.
9. OAuth consent phishing
Instead of stealing passwords, attackers trick users into granting malicious apps access.
How to spot it: unfamiliar apps requesting broad permissions.
Sublime detects it through:
- OAuth URL and scope inspection
- Behavioral modeling of expected app usage
Variants: cloud app phishing, token-grant phishing attacks.
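A consent link points at the real identity provider, so the host alone says nothing; the signal is in the query string. The sketch below is an added example, not Sublime's detection logic: the approved app ID, the sample URL, and the set of scopes treated as broad are assumptions made for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Assumptions for this example: identity-provider hosts, a constructed allowlist
# of approved app IDs, and the scopes this organization treats as broad.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
BROAD_SCOPES = {"mail.read", "mail.readwrite", "mail.send",
                "files.readwrite.all", "offline_access"}

# Constructed sample link as it might appear in a message body.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=99999999-aaaa-bbbb-cccc-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.net%2Fcallback"
    "&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20offline_access"
)

def inspect_consent_url(url):
    """Summarize an OAuth authorization link, or return None if it is not one."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    if (parsed.hostname or "").lower() not in IDP_HOSTS or "client_id" not in params:
        return None
    client_id = params["client_id"][0].lower()
    scopes = set()
    for value in params.get("scope", []):
        for scope in value.replace(",", " ").split():
            # Scopes may be fully qualified (https://graph.microsoft.com/Mail.Read).
            scopes.add(scope.rsplit("/", 1)[-1].lower())
    broad = sorted(scopes & BROAD_SCOPES)
    approved = client_id in APPROVED_CLIENT_IDS
    redirect = params.get("redirect_uri", [""])[0]
    return {
        "client_id": client_id,
        "approved": approved,
        "broad_scopes": broad,
        "redirect_host": urlparse(redirect).hostname,
        # Review when an app nobody approved asks for mailbox, file or refresh access.
        "review": (not approved) and bool(broad),
    }
```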
10. Malware phishing
URLs or attachments that deliver loaders, stealers, or RATs.
How to spot it: unexpected attachments such as .html, .zip, or .img files, encoded scripts.
Sublime detects it through:
- FileExplode for encoded or hidden payloads
- Behavioral heuristics for loaders and droppers
Variants: malware delivery phishing, phishing with malicious attachments.
11. Ransomware distribution
Phishing emails used to initiate ransomware operations.
How to spot it: suspicious invoices, password-protected archives.
Sublime detects it through:
- Sandbox integration
- Multi-stage payload detection
- Retrohunting across historical mail
Variants: ransomware phishing, initial access phishing attacks.
12. HTML smuggling
JavaScript inside HTML files reconstructs malware on the client device.
How to spot it: unexpected HTML attachments, encoded script blocks.
Sublime detects it through:
- FileExplode deobfuscation
- Smuggling-pattern detection
- Transparent code-level lineage
Variants: HTML-based phishing, encoded payload phishing.
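The "encoded script blocks" indicator can be checked statically on an HTML attachment by looking for three things together in inline scripts: a decoder, a large encoded literal, and a call that hands bytes to the browser as a file. This is an added example, not Sublime's FileExplode logic; the token lists, the 200-character threshold, and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

DECODERS = ("atob(", "fromCharCode", "unescape(")          # text -> bytes
FILE_DROPS = ("new Blob", "createObjectURL", "msSave")     # bytes -> local file
LONG_LITERAL = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")    # large base64-like run

# Constructed samples: a plain page, and a page whose script shows all three
# signals (the encoded literal is filler text).
BENIGN_HTML = "<html><body><p>Invoice</p><script>console.log('loaded');</script></body></html>"
SUSPECT_HTML = (
    "<html><body><script>var d = atob('" + "QUJD" * 60 + "');"
    "var b = new Blob([d]); var u = URL.createObjectURL(b);</script></body></html>"
)

class ScriptCollector(HTMLParser):
    """Collects the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def smuggling_signals(html_text):
    """Report which smuggling indicators appear in the attachment's inline scripts."""
    collector = ScriptCollector()
    collector.feed(html_text)
    collector.close()
    js = "\n".join(collector.scripts)
    signals = {
        "decoder": any(token in js for token in DECODERS),
        "file_drop": any(token in js for token in FILE_DROPS),
        "long_encoded_literal": bool(LONG_LITERAL.search(js)),
    }
    # Any one signal is common in ordinary pages; the combination is what stands out.
    signals["suspicious"] = all(signals.values())
    return signals
```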
13. QR code phishing (quishing)
Email content or attached documents contain QR codes that redirect to credential harvesting sites.
How to spot it: invoices or IT notifications containing unexpected QR codes.
Sublime detects it through:
- Computer vision QR extraction
- Landing-page intent analysis
- ASA auto-triage
Variants: QR phishing, QR credential theft attacks.
14. Vishing or callback phishing (TOAD)
Emails that instruct users to call a phone number that leads to live social engineering.
How to spot it: fake subscription renewals, invoice disputes, help desk alerts.
Sublime detects it through:
- NLU for callback patterns
- Phone-number intelligence
- ASA automation
Variants: callback phishing, hybrid phishing phone scams.
15. Smishing
Phishing delivered through SMS, often connected to broader account takeover attempts.
How to spot it: SMS messages with shortened URLs or requests for MFA codes.
Sublime detects it through:
- Email-to-SMS bridge detection
- Cross-channel correlation
Variants: SMS phishing attacks, mobile phishing threats.
16. Social media platform phishing
Phishing delivered via Slack, Teams, LinkedIn, or X notifications that surface in email.
How to spot it: unusual invites or impersonated corporate accounts.
Sublime detects it through:
- Brand impersonation models
- Cross-channel behavioral correlation
Variants: collaboration-platform phishing, social network phishing attacks.
17. ICS or calendar phishing
Malicious .ics files inject phishing links directly into users’ calendars.
How to spot it: unexpected meetings with embedded links, especially from external senders.
Sublime detects it through:
- ICS parsing
- Link and metadata inspection
- Automated cleanup of malicious events
- DDM adaptation to calendar behavior
Variants: calendar invite phishing, scheduling-based phishing attacks.
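Link inspection on an .ics file has to unfold lines first, because RFC 5545 wraps long property values and a URL can be split across the fold. The parser below is an added example, not Sublime's ICS parser; the internal domain, field list, and sample invite are assumptions constructed for illustration, and quoted parameters containing colons are not handled.

```python
import re

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organization's own domains
LINK_FIELDS = {"DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC"}
URL_RE = re.compile(r"https?://[^\s\\\"<>]+", re.I)
MAILTO_RE = re.compile(r"mailto:[^@\s:;]+@([^\s:;>\"]+)", re.I)

# Constructed sample invite; the DESCRIPTION link is folded across two lines.
SAMPLE_ICS = r"""BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-sample-1
ORGANIZER;CN=IT Support:mailto:helpdesk@mail-notify.example.net
DTSTART:20250101T150000Z
SUMMARY:Action required: mailbox review
DESCRIPTION:Review your mailbox before the meeting:\nhttps://portal.examp
 le.org/review?id=123
END:VEVENT
END:VCALENDAR"""

def unfold(ics_text):
    """RFC 5545 unfolding: a line starting with space or tab continues the previous one."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def inspect_invite(ics_text):
    """Return the organizer domain, embedded links, and whether the invite needs review."""
    organizer_domain, links = None, []
    for line in unfold(ics_text):
        head, _, value = line.partition(":")
        name = head.split(";")[0].upper()
        if name == "ORGANIZER":
            match = MAILTO_RE.search(line)
            organizer_domain = match.group(1).lower() if match else None
        elif name in LINK_FIELDS:
            links.extend(URL_RE.findall(value))
    # A missing or unparseable organizer is treated as external.
    external = organizer_domain not in INTERNAL_DOMAINS
    return {"organizer_domain": organizer_domain, "links": links,
            "external": external, "review": external and bool(links)}
```

Running `URL_RE` over the raw file instead of the unfolded lines yields only `https://portal.examp`, which is why the unfolding step comes first.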
18. Image-based phishing
Attackers embed text inside images to evade NLP filters. Common in fake login screenshots, invoices, or security alerts.
How to spot it: image-heavy messages where text cannot be selected.
Sublime detects it through:
- OCR to extract text inside images
- Computer vision to detect fake login pages and brand abuse
- NLU to interpret intent
Variants: image-only phishing, OCR-evasive phishing, image-obfuscated phishing.
Stay ahead of phishing attacks with Sublime Security’s agentic AI
Modern phishing evolves too quickly for static rules or global black box AI. Sublime’s agentic architecture provides a fundamentally different approach.
ASA: Autonomous Security Analyst
Triages, investigates, and remediates suspicious and user-reported phishing automatically.
ADÉ: Autonomous Detection Engineer
Creates new detection coverage within hours and eliminates vendor bottlenecks.
DDM: Distributed Detection Model
Adapts protections to your environment and learns from your communication patterns.
Together, these capabilities reduce false positives, accelerate investigations, and catch the modern attacks that legacy vendors miss.
FAQs about phishing attacks
What are the most common types of phishing attacks?
Common phishing attack types include email phishing, spear phishing, business email compromise (BEC), credential phishing, thread hijacking, HTML smuggling, QR code phishing, and callback phishing. These represent the majority of real-world incidents handled by SOC and detection engineering teams.
Which phishing attacks are the hardest to detect?
The most difficult attacks to detect include BEC with no payloads, image-based phishing where text is hidden inside images, and ICS or calendar phishing. These require behavioral analysis, NLU, OCR, and organization-specific modeling.
What are the red flags of a phishing attack?
Reliable indicators include urgent or unusual tone, domain mismatches, unexpected attachments, HTML files, QR codes, image-contained text, sudden thread replies, and requests for payment changes or sensitive data.
How do attackers make phishing emails look legitimate?
Threat actors rely on AI-generated text, cloned login pages, lookalike domains, thread hijacking, image-based lures, and OAuth consent screens that appear authentic. Sublime detects these through computer vision, OCR, NLU, and behavioral baselines.
How does phishing bypass traditional email security tools?
Modern phishing bypasses legacy tools by avoiding typical IOCs, using HTML smuggling, embedding lures in images or QR codes, delivering attacks through calendar invites and collaboration apps, hijacking legitimate threads, and using reputable cloud infrastructure.
