Phishing Examples: Real Attacks & How to Spot Them

Josh Amishav · Last updated Jan 26, 2026 · 9 minute reading time

Learn to recognize phishing attacks before they steal your credentials.

• Phishing starts over 90% of successful cyberattacks. Attackers use fake emails and domains to steal credentials.
• Typosquatting exploits typing errors to redirect users to fake sites. Homoglyph attacks use look-alike Unicode characters.
• Financial services and payment apps face the most attacks. But every industry gets targeted during high-traffic periods.
• Automated monitoring catches malicious domains faster than blacklists or user reports.

Phishing is responsible for over 90% of successful data breaches.

Attackers have moved beyond obvious scam emails. Modern phishing uses pixel-perfect website clones and domains that look identical to real brands.

The FBI’s Internet Crime Complaint Center received 193,407 phishing complaints in 2024. It was the most reported crime type.

Here are real phishing examples and the tactics attackers use to trick your employees and customers.

What Is Phishing?

Phishing is a social engineering attack in which criminals impersonate trusted organizations, through fake emails, text messages, calls or cloned websites, to trick you into revealing passwords, card numbers and other sensitive data.

Unlike technical exploits that target software vulnerabilities, phishing targets human psychology. Attackers create urgency and fear to bypass your natural skepticism.

The Anti-Phishing Working Group observed over 1.1 million phishing attacks in Q2 2025 alone. That number keeps climbing each quarter. Financial institutions remain the most impersonated sector, followed by social media and webmail services.

Phishing works because it exploits trust. When you see an email from your bank or a package notification from a shipping company, your instinct is to act quickly. Attackers count on that reaction.

What Are the Main Types of Phishing Attacks?

Phishing has evolved beyond basic email scams. Attackers now use multiple channels and targeted approaches to increase their success rates.

Email Phishing

Email phishing is the most common type. Attackers send mass emails impersonating banks and retailers. These messages typically claim there’s a problem with your account and urge you to click a link to “verify” your information.

Common email phishing examples:

  • “Your account has been suspended. Click here to restore access.”
  • “Unusual login detected. Verify your identity immediately.”
  • “Your payment failed. Update your billing information.”
  • “You have a pending refund. Claim it now.”

The links go to fake login pages that capture your credentials. Some emails include malicious attachments disguised as invoices or shipping documents.

Spear Phishing

Spear phishing targets specific individuals using personalized information. Attackers research their targets on LinkedIn and company websites and use details such as your name, job title and colleagues to make messages convincing and harder to identify as fake.

A spear phishing email might reference a real project you’re working on or impersonate your actual vendors. This personalization makes the attack far more effective than generic phishing.

Spear phishing is consistently among the leading initial access vectors in breach reports such as Verizon’s Data Breach Investigations Report.

Whaling

Whaling targets executives and senior leaders. These attacks aim for bigger payouts or access to sensitive corporate systems.

Whaling emails often impersonate board members or legal counsel. They request urgent wire transfers or confidential documents.

Example whaling scenario: An attacker impersonates your CEO and emails the CFO requesting an urgent wire transfer for a “confidential acquisition.” The email comes from a domain like “company-executive.com” and references real company initiatives found in press releases.

Vishing (Voice Phishing)

Vishing uses phone calls instead of emails. Attackers impersonate tech support and banks to extract information or convince victims to install malware.

Common vishing tactics:

  • Fake tech support claiming your computer has a virus
  • Bank fraud departments asking you to “verify” transactions
  • IRS impersonators threatening arrest over unpaid taxes
  • Utility companies threatening service disconnection

Caller ID spoofing makes these calls appear to come from legitimate numbers, increasing their effectiveness.

Smishing (SMS Phishing)

Smishing delivers phishing attacks through text messages. These often impersonate delivery services and banks.

Common smishing examples:

  • “Your package couldn’t be delivered. Reschedule here: [link]”
  • “Suspicious activity on your account. Verify at: [link]”
  • “Your verification code is 847291. If you didn’t request this, click here.”

Smishing is growing because text messages have higher open rates than emails. People tend to trust SMS more than email, making them less cautious about clicking links.

What Are Real Examples of Phishing Domains?

Phishing domains are fake websites designed to steal credentials. Attackers register domains that look almost identical to legitimate brands using several techniques.

Typosquatting Examples

Typosquatting exploits common typing mistakes to redirect users to malicious sites.

Character substitution:

  • amaz0n.com (zero instead of ‘o’)
  • paypa1.com (one instead of ‘l’)
  • we11sfargo.com (ones instead of ‘l’s)

Missing characters:

  • gogle.com
  • amazn.com
  • microsft.com

Extra characters:

  • googgle.com
  • amazoon.com
  • linkedinn.com

Adjacent key errors and transpositions:

  • amazom.com (m instead of n; the keys sit side by side)
  • paypak.com (k instead of l)
  • gmial.com (i and a transposed)
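Added example, not from the original article: a short Python script that generates single-edit typosquat candidates for a brand domain in the classes listed above and matches them against a constructed sample of newly registered domains. The lookalike table, the QWERTY adjacency table, the brand domain and the sample feed are all assumptions; a domain-monitoring service performs the same matching against live registration feeds.

```python
# Added example (not from the original article): generate one-edit typosquat
# candidates for a brand domain and match them against a constructed list of
# "newly registered" domains, the kind of check a domain-monitoring feed automates.

# Visually similar swaps used in character-substitution squats (assumed table).
LOOKALIKES = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "b": "8", "g": "9"}

# Neighbouring keys on a QWERTY layout, for adjacent-key squats (assumed table).
QWERTY = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}


def typosquat_candidates(domain):
    """Return {class: set(candidate domains)} for single-edit variants of the
    second-level label. Multi-edit squats such as we11sfargo.com (two swaps)
    are not generated; real tooling repeats this to edit distance 2."""
    label, _, suffix = domain.lower().partition(".")
    out = {"substitution": set(), "missing": set(), "extra": set(),
           "adjacent": set(), "transposition": set()}
    for i, ch in enumerate(label):
        if ch in LOOKALIKES:
            out["substitution"].add(label[:i] + LOOKALIKES[ch] + label[i + 1:])
        out["missing"].add(label[:i] + label[i + 1:])         # dropped character
        out["extra"].add(label[:i + 1] + ch + label[i + 1:])   # doubled character
        for key in QWERTY.get(ch, ""):
            out["adjacent"].add(label[:i] + key + label[i + 1:])
        if i + 1 < len(label) and ch != label[i + 1]:
            out["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
    return {kind: {f"{c}.{suffix}" for c in cands if c and c != label}
            for kind, cands in out.items()}


# Constructed sample of a new-registration feed (not real data).
NEW_REGISTRATIONS = [
    "amaz0n.com", "example.org", "amazom.com", "amazn.com",
    "shop-amazon-deals.net",   # keyword addition: not a single edit, so not matched here
]


def match_registrations(brand_domain, registered):
    """Return sorted (domain, class) pairs for each registration that is a
    one-edit variant of brand_domain."""
    candidates = typosquat_candidates(brand_domain)
    hits = []
    for name in registered:
        name = name.strip().lower()
        for kind, names in candidates.items():
            if name in names:
                hits.append((name, kind))
                break
    return sorted(hits)


if __name__ == "__main__":
    for hit in match_registrations("amazon.com", NEW_REGISTRATIONS):
        print(hit)
```

Run against the sample feed, the script reports amaz0n.com (substitution), amazn.com (missing) and amazom.com (adjacent) and ignores shop-amazon-deals.net, which belongs to the keyword-addition class covered later and needs a substring check rather than an edit-distance one.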

Homoglyph Attack Examples

Homoglyph attacks use Unicode characters that look identical to Latin letters. These are nearly impossible to detect visually.

Cyrillic substitutions:

  • “аmazon.com” uses Cyrillic ‘а’ (U+0430) instead of Latin ‘a’
  • “micrоsoft.com” uses Cyrillic ‘о’ (U+043E) instead of Latin ‘o’
  • “facеbook.com” uses Cyrillic ‘е’ (U+0435) instead of Latin ’e’

Modern browsers detect mixed-script domains and display the Punycode form (xn--…) instead of the spoofed text. But email clients and messaging apps often render these domains as they appear, making them effective in phishing emails.

Subdomain Spoofing Examples

Attackers place legitimate brand names in subdomains of domains they control.

Examples:

  • paypal.com.secure-verify.net
  • amazon.com.order-status.com
  • chase.com.account-alert.org
  • microsoft.com.password-reset.net

Users who only check the beginning of a URL see the trusted brand name and miss the actual domain at the end.

Keyword Addition Examples

Adding security-related words makes domains appear more legitimate.

Examples:

  • chase-security.com
  • paypal-verify.com
  • amazon-prime-support.net
  • microsoft365-login.com
  • bankofamerica-secure.com

Who Gets Targeted Most by Phishing?

Some industries get hit harder than others because of the data they hold.

Financial services remain the top target. Banks and credit card companies face constant impersonation attacks. Attackers can immediately monetize stolen banking credentials.

Payment apps like PayPal and Venmo are heavily targeted during transaction confirmations. Attackers send fake notifications about incoming payments that require “verification.”

E-commerce gets hit hardest during holiday shopping seasons. Black Friday and Cyber Monday see massive spikes in fake Amazon and Walmart phishing sites.

Healthcare gets targeted during open enrollment periods. Attackers impersonate insurance providers and government healthcare portals.

Government services face heavy targeting during tax season. IRS impersonation remains one of the most common phishing themes in the United States.

CISA urges all organizations, not only those in critical infrastructure sectors, to implement phishing-resistant multi-factor authentication to reduce this risk.

How Do Phishing Campaigns Work?

Modern phishing operates as an organized criminal industry with specialized roles and services.

Phishing-as-a-Service (PhaaS) platforms sell complete attack kits. For a subscription fee, criminals get website templates and hosting. Some even include customer support. Google’s lawsuit against the Lighthouse phishing kit revealed operations that “harmed more than a million victims across 120 countries” using templates targeting over 400 organizations.

Credential harvesting happens in real time. When victims enter credentials on phishing sites, attackers immediately test them on the legitimate sites. If they work, attackers access the real account before victims realize anything happened.

Real-time proxy attacks bypass multi-factor authentication. Tools like Evilginx act as a reverse proxy between victims and real sites, capturing passwords and session tokens as they’re issued. Microsoft found a 146% increase in these attacks.

Dark web marketplaces distribute stolen credentials within hours. Attackers sell fresh credentials in bulk to other criminals who specialize in account takeover and fraud.

The entire cycle from phishing email to credential sale can happen in under 24 hours. Reactive measures such as blacklists lag behind that cycle: a phishing domain is often abandoned before it gets listed.

How Can You Spot Phishing Attempts?

Detecting phishing requires examining multiple elements of suspicious communications.

Check the Sender

Email address inspection: Look past the display name. “PayPal Support” might show as the sender name, but the actual email address could be “support@paypa1-secure.net”. Always check the full email address.

Domain verification: Legitimate companies send from domains they own. Chase Bank emails come from @chase.com, not @chase-alerts.com or @secure-chase.net. Large companies may use more than one official sending domain, so compare against the list the company publishes on its own site rather than guessing.

Hover to reveal: Hover over links without clicking to see the actual URL. The displayed text might say “www.paypal.com” but link to “paypal.com.malicious-site.net”.

URL structure: Learn to identify the actual domain. In “secure.chase.com.verify-account.net”, the real domain is “verify-account.net”, not chase.com.

HTTPS isn’t enough: Phishing sites use TLS certificates too, and free certificates are issued automatically to whoever controls a domain. The padlock icon only means the connection is encrypted, not that the site is legitimate.
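Added example, not from the original article: Python that applies the sender and URL checks above programmatically. It extracts the registrable domain from a host, flags a brand used as a subdomain or embedded in an unrelated registered domain, detects mixed-script (homoglyph) labels and shows the Punycode form a browser would display. The public-suffix table and brand list are small stand-ins (assumptions); a real implementation should load the full Public Suffix List, and the sample From header is constructed.

```python
# Added example (not from the original article): programmatic versions of the
# "check the sender" and "URL structure" checks. PUBLIC_SUFFIXES and BRANDS are
# stand-ins; load the real Public Suffix List in production.
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}   # stand-in only
BRANDS = {"paypal", "amazon", "chase", "microsoft"}          # brands to watch for


def registrable_domain(host):
    """'secure.chase.com.verify-account.net' -> 'verify-account.net'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                        # try 'co.uk' before 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def scripts_in(label):
    """Unicode scripts of the letters in a label, taken from character names
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze_url(url, brands=BRANDS):
    """Return the real registrable domain plus a list of suspicious findings."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    findings = []

    # 1. Brand name used as a subdomain of, or embedded in, an unrelated domain.
    sub_labels = host[: len(host) - len(reg)].strip(".").split(".") if host != reg else []
    for brand in sorted(brands):
        if brand in sub_labels:
            findings.append(f"brand '{brand}' in subdomain of {reg}")
        if brand in reg_label and brand != reg_label:
            findings.append(f"brand '{brand}' embedded in registered domain {reg}")

    # 2. Homoglyphs: letters from more than one script inside a single label.
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label '{label}'")

    # 3. What the browser would show: the Punycode (xn--) form of a non-ASCII host.
    ascii_host = host.encode("idna").decode("ascii")
    punycode = ascii_host if ascii_host != host else None
    return {"host": host, "registrable_domain": reg, "punycode": punycode,
            "findings": findings}


def check_sender(from_header, expected_domain):
    """Look past the display name: compare the real address domain with the
    domain the company is known to send from."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    reg = registrable_domain(domain)
    return {"display_name": display, "address": address,
            "registrable_domain": reg,
            "matches_expected": reg == expected_domain.lower()}


if __name__ == "__main__":
    # Constructed samples mirroring the examples in the text.
    print(check_sender("PayPal Support <support@paypa1-secure.net>", "paypal.com"))
    for u in ("https://paypal.com.secure-verify.net/login",
              "secure.chase.com.verify-account.net",
              "https://\u0430mazon.com/"):        # Cyrillic 'а' (U+0430)
        print(analyze_url(u))
```

The mixed-script check only catches labels that mix scripts; a label written entirely in Cyrillic would pass it, which is why the Punycode form is reported as well. Note also that Python’s idna codec implements the older IDNA 2003 rules, so its output can differ from a browser’s for some characters.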

Recognize Psychological Manipulation

  • Urgency: “Your account will be closed in 24 hours”
  • Fear: “Suspicious activity detected on your account”
  • Greed: “You’ve won a $500 gift card”
  • Curiosity: “Someone shared a document with you”

Legitimate companies rarely create artificial urgency. When in doubt, contact the company directly through their official website.

Verify Through Official Channels

If an email claims there’s a problem with your account, don’t click the links. Instead:

  1. Open a new browser tab
  2. Type the company’s official URL directly
  3. Log in normally
  4. Check for any actual notifications

How Can Organizations Protect Against Phishing?

Defending against phishing requires layers of technical controls and human awareness.

Technical Controls

Email filtering blocks obvious phishing emails before they reach inboxes. Modern filters use machine learning to identify suspicious patterns, but advanced attacks still get through.

DNS filtering prevents access to known malicious domains. When someone clicks a phishing link, DNS filtering can block the connection.

Multi-factor authentication limits damage from stolen credentials. Even if attackers capture passwords, they can’t access accounts without the second factor. Phishing-resistant MFA like hardware keys provides the strongest protection.

Domain monitoring detects typosquatting and brand impersonation. Attack surface management tools alert you when attackers register domains similar to yours.

Employee Training

Simulated phishing tests employee awareness. Regular phishing simulations identify who needs additional training and measure improvement over time.

Reporting culture encourages employees to report suspicious emails without fear of punishment. Fast reporting helps security teams identify and block campaigns before they spread.

Real examples are more effective than generic training. Show employees actual phishing emails that targeted your industry.

Incident Response

Response procedures should be documented before attacks happen. Who investigates? Who notifies affected parties? Who contacts domain registrars for takedowns?

Credential monitoring detects when employee credentials appear in breaches. Dark web monitoring alerts you when stolen credentials surface on criminal forums, giving you time to force password resets.

Takedown requests to registrars and hosting providers can remove phishing sites. Report to the registrar’s abuse contact and the hosting provider. Google Safe Browsing and Microsoft SmartScreen also accept phishing reports.

If you realize you’ve clicked a phishing link or entered credentials on a suspicious site, act immediately.

Change your password on the affected account right away. If you use that password anywhere else, change it there too.

Enable MFA if you haven’t already. This prevents attackers from accessing your account even if they have the password.

Check account activity for unauthorized logins and password changes. Many services show recent login locations.

Report the phishing to your IT security team and the impersonated company. This helps protect others from the same attack.

Monitor your accounts for unusual activity over the following weeks. Attackers sometimes wait before using stolen credentials.

Scan for malware if you downloaded any attachments. Some phishing attacks install keyloggers or remote access tools.

Conclusion

Phishing remains the most common entry point for cyberattacks because it exploits human psychology rather than technical vulnerabilities. Attackers constantly refine their techniques, from mass email campaigns to highly targeted spear phishing.

Over 90% of breaches start with phishing. It was the most reported crime to the FBI in 2024.

Protection requires multiple layers. Technical controls like email filtering and MFA reduce risk, but they can’t stop everything. Employee awareness training helps, but even trained users occasionally click. The most effective defense combines prevention with detection.

Monitor for phishing domains impersonating your brand. Watch for leaked credentials that attackers might use in targeted attacks. Build response procedures before you need them.

Check your organization’s exposure to see if employee credentials have already been compromised in phishing attacks or data breaches.

Phishing Examples FAQ

Phishing domains are fake websites that copy real brands to steal your login info and financial data. They use domain names that look almost identical to trusted companies through typos and similar-looking characters.

A common phishing email claims your account has been compromised and asks you to ‘verify your identity’ by clicking a link. The link goes to a fake login page that steals your password. Other examples include fake invoice attachments and package delivery notifications.

The main types are email phishing and spear phishing. Email phishing sends mass fake messages. Spear phishing targets specific people using personal details. Other methods include whaling (targeting executives) and vishing (phone calls). Smishing uses text messages. Each uses different channels but the goal is the same: steal your credentials.

Over 90% of successful cyberattacks start with phishing according to CISA. Phishing is the most common initial access vector because it exploits human psychology rather than technical vulnerabilities.

Check the sender’s email address carefully. Look for urgency or threats in the message. Hover over links before clicking to see the real URL. Watch for typos in domain names. If something feels off, contact the company directly through their official website instead of clicking links.

Forward phishing emails to reportphishing@apwg.org and to the company being impersonated. In the US, you can also report to the FTC at reportfraud.ftc.gov. Most email providers have a ‘Report phishing’ button that helps train their spam filters.

Typosquatting is when attackers register domains with common misspellings of real brands. Examples include ‘amaz0n.com’ or ‘gooogle.com’. They catch people who mistype URLs or don’t look closely at links in emails.

Yes. Phishing emails often include malicious attachments or links that download malware. Common payloads include infostealers that capture passwords and ransomware. Be cautious with unexpected attachments even from known senders. Their account may be compromised.
