Phishing trends in 2026 signal a fundamental shift. AI-generated cyberattacks now account for the overwhelming majority of phishing emails; multi-channel social engineering has expanded well beyond the inbox.
The numbers are stark. Phishing remains a significant initial access vector in confirmed breaches, accounting for 16% of all incidents according to the Verizon DBIR, while the average data breach now costs $4.44 million (IBM, 2025).
The article covers global cyberattack volumes, AI-driven personalization, emerging vectors such as quishing and deepfake-enabled voice phishing, and the financial case for modernizing phishing defense. Understanding how these phishing trends converge is the first step toward defending against the next generation of phishing threats before they reach employees.
Key Takeaways
- Phishing trends in 2026 show AI-generated attacks dominating inbox volume, with personalized lures now achieving dramatically higher click rates than human-crafted ones.
- Multi-channel cyberattacks spanning email, voice, SMS, and deepfake video have made email-only defense strategies structurally inadequate.
- Global phishing losses exceed $25 billion annually, with business email compromise alone accounting for over $3 billion in reported losses.
- Phishing-as-a-Service platforms have collapsed the technical barrier to entry, allowing low-skill cyberattackers to rent sophisticated capabilities.
- Continuous, multi-channel phishing simulation paired with point-of-error training reduces susceptibility far more effectively than annual compliance modules.
- Zero-trust architecture, phishing-resistant authentication, and regulatory pressure are reshaping how organizations measure and fund human-layer defense.
The Current State of Phishing: Volume, Velocity, and What the Data Reveals
Phishing has not simply grown; it has calcified into a permanent, high-volume assault on every organization with an internet connection. The APWG observed 1,003,924 phishing cyberattacks in the first quarter of 2025, the highest quarterly total since late 2023.
That plateau is not a sign of progress. It means cyberattackers have industrialized phishing at a scale no perimeter defense can fully absorb. These phishing trends make clear that volume alone no longer separates a resilient organization from a vulnerable one.

Defining Phishing Trends and Why Tracking Them Matters
Phishing trends encompass four dimensions: cyberattack volume, technique evolution, targeting patterns, and defensive countermeasure effectiveness. Tracking these dimensions determines whether a security team is preparing employees against yesterday's cyber threats or the ones arriving next week.
Volume data from the APWG's quarterly trends reports provide the most authoritative longitudinal benchmark in the industry. The organization aggregates phishing site detections, email lure reports, and crimeware propagation data from its global membership of security vendors, financial institutions, and law enforcement agencies.
When the APWG reports that wire transfer business email compromise (BEC) cyberattacks jumped 33% quarter-over-quarter in Q1 2025, that signal is cross-referenced from the unified submission pipeline of multiple independent detection systems, rather than a single vendor's marketing claim.
Technique evolution matters because cyberattackers continuously rotate delivery mechanisms; QR code phishing exploded in 2025 as criminals embedded malicious codes directly into email bodies, sidestepping URL scanners that only inspect hyperlinks.
Defensive countermeasure tracking closes the loop, since organizations that measure phishing simulation failure rates, reporting speed, and remediation time can determine whether their phishing-trend-informed investment reduces susceptibility or merely checks a compliance box.
Global Phishing Volume and Growth Trajectory
The critical insight around global phishing volume is the phishing volume plateau: cyberattack counts are not doubling annually as they did in the early 2020s, but they are sustaining at historically unprecedented levels with no downward trend.
This stabilization at extreme volume reflects a mature criminal supply chain. Phishing-as-a-Service (PhaaS) platforms sell turnkey cyberattack kits, including spoofed login pages, email templates, and hosting infrastructure, for a few hundred dollars per campaign. The barrier to entry has collapsed: a motivated cyberattacker no longer needs technical expertise, only a credit card and a target list.
Even advanced filtering by Microsoft, Google, and dedicated email security gateways cannot eliminate the residual volume that lands in employee inboxes. Every filtered message that slips through becomes a live-fire test of whether an employee recognizes the cyberattack, reinforcing why current phishing trends demand continuous conditioning rather than one-time filtering confidence.
Phishing as the Dominant Breach Vector
Phishing does not merely coexist with other cyberattack vectors; it is the primary on-ramp to organizational compromise. The 2026 Verizon Data Breach Investigations Report (DBIR) confirmed phishing as an important access vector in confirmed breaches, with the human element present in 62% of all breaches. Phishing specifically was involved in 16% of breaches.
The DBIR finding carries structural weight because it draws from one of the largest breach datasets in existence, spanning contributions from over 80 organizations globally. When a single cyberattack vector accounts for more than a third of all breaches across industries, geographies, and organization sizes, the implication for security program design is unambiguous: no technology-only defense stack can meaningfully reduce organizational risk without addressing the human layer.
Adding urgency to this picture is the multi-channel expansion of phishing beyond email. Voice phishing (vishing) cyberattacks surged 442% between the first and second halves of 2024, according to the 2025 CrowdStrike Global Threat Report.
Cyberattackers now coordinate across channels: an urgent email from a spoofed executive arrives, followed by a confirming voice call, then a text message with a malicious link, all designed to overwhelm the target's skepticism through sheer consistency of signals. Email-only phishing simulation programs that ignore voice, SMS, and deepfake video channels are training employees for a fraction of the cyberattack surface they actually face.
The Velocity Problem
Cyberattack speed has compressed from weeks to hours, and that compression breaks the foundational assumption behind annual training cycles. The CrowdStrike 2025 Global Threat Report documented that the average adversary breakout time, the interval between initial access and lateral movement within a compromised environment, dropped to 48 minutes, with the fastest recorded breakout clocking in at just 51 seconds.
When cyberattackers move from phishing click to credential theft to data exfiltration in under an hour, an employee who completed a security awareness training module six months ago has no contextual muscle memory to draw on.
The velocity problem intensifies when layered with AI-generated cyberattack content. Generative AI tools allow adversaries to produce unique, grammatically flawless phishing lures at machine speed, eliminating translation errors, formatting inconsistencies, and obvious red flags.
Each target receives a personalized message that references their actual role, recent company events, or publicly available professional details sourced from LinkedIn and corporate websites via open-source intelligence (OSINT) gathering.
The combination of velocity and personalization means that the signature-based detection approaches that worked against template-driven phishing five years ago are structurally inadequate against today's campaign architecture, a central thread running through current phishing trends.
Bridging this velocity gap requires continuous phishing simulation and just-in-timetraining rather than periodic check-the-box modules. Organizations that reduce phishing susceptibility across email, voice, SMS, and deepfake video channels do so by running phishing simulations frequently enough that recognition becomes reflexive, rather than by delivering a single annual refresher course that employees forget within weeks.
When cyberattack timelines measure in minutes, the training cadence must operate on an equivalent tempo, and the tools used to deliver it must mirror the multi-channel reality employees face every time they open an inbox, answer a phone, or read a text message.
How AI Is Fundamentally Rewriting the Rules of Phishing Attacks
Generative AI has converted phishing from a volume game into a precision weapon. The consequence for organizations is that every employee, regardless of role or seniority, now faces hyper-personalized cyberattacks built from their public digital footprint, at a cost so low that cyberattackers can target everyone rather than executives alone.
Traditional email filters and annual awareness training were designed for an era when phishing was sloppy, template-driven, and constrained by human labor costs. That era is over, and these phishing trends confirm the shift is structural rather than temporary.

What Scale Has AI-Generated Phishing Reached?
The overwhelming majority of malicious messages landing in inboxes were not typed by a human cyberattacker at a keyboard; they were generated by large language models producing grammatically flawless, contextually relevant text at machine speed.
The velocity is accelerating faster than most security teams realize. By December 2025, AI-generated phishing campaigns had surged 14x compared to earlier in the year, rising to 56% of all phishing cyberattacks according to threat researchers tracking enterprise inboxes. This trajectory shows no sign of plateauing.
What generative AI content engines enable that template-based phishing never could is polymorphic variability. A traditional phishing template might produce a single version sent to thousands of recipients, making signature-based detection viable and allowing employees to warn each other about a suspicious email circulating internally. AI systems instead generate thousands of unique variants, each with different subject lines, body phrasing, and sender details tailored to its target.
- No two recipients see the same message;
- Pattern recognition fails at the technical filter layer;
- Employee heuristics break down because familiar warning signs no longer repeat;
- Incident response workflows struggle to correlate a coordinated campaign.
How Does AI Use OSINT to Personalize Phishing at Machine Scale?
The reconnaissance phase of phishing has been automated to a degree that even human cyberattackers could not match. AI-powered tools now systematically harvest open-source intelligence (OSINT) and feed it into message generation pipelines in real time.
- LinkedIn profiles reveal reporting structures;
- Corporate websites expose writing style and internal terminology;
- Social media activity surfaces personal interests and travel schedules;
- GitHub repositories identify technical staff.
The result is a phishing email that references an employee's actual manager by name, mentions a project presented at a recent all-hands meeting, uses the same internal acronyms the team relies on, and arrives at a time when the recipient's calendar shows availability between meetings. A cyberattacker who scraped a finance employee's LinkedIn connection to a new vendor can generate a fake invoice email referencing that exact relationship within seconds.
Traditional red flags, including poor grammar, generic greetings, and awkward phrasing, have been systematically eliminated since large language models produce native-level fluency across more than 50 languages, making linguistic tells obsolete as a detection strategy.
This shift forces a fundamental rethink of what security awareness training must accomplish: employees can no longer rely on whether a message "looks suspicious" as a primary defense; instead, they must verify the legitimacy of every high-stakes request through out-of-band channels, regardless of how authentic the communication appears. A phishing simulation program that only tests email click rates is measuring the wrong behavior, a gap that recurring phishing trends data continues to expose.
What Has AI Done to the Economics of Phishing?
A campaign that once required $5,000 in labor and several days of research can now be executed for near-zero marginal cost in under five minutes. IBM X-Force researchers demonstrated this firsthand when an AI model built a complete phishing campaign faster than their human red team could, using only five well-crafted prompts.
This economic transformation has fueled the explosion of phishing-as-a-service (PhaaS) platforms, commercialized cybercrime toolkits that package AI-powered phishing capabilities into subscription services with dashboards, customer support, and turnkey deployment.
Platforms like EvilProxy, Tycoon2FA, and Kali365 now offer adversary-in-the-middle capabilities that bypass multi-factor authentication, sold on monthly subscription models that make advanced cyberattack capabilities accessible to threat actors with minimal technical skill.
The democratization effect is profound. A low-skill cyberattacker who could never have mounted a credible spear phishing operation two years ago can now rent access to a PhaaS platform that generates contextually perfect lures for thousands of targets simultaneously. The barrier to entry has dissolved, meaning organizations are no longer defending solely against nation-state adversaries and sophisticated criminal groups but against anyone with a subscription and a grudge.
Why Do AI-Generated Lures Outperform Human-Written Ones?
Controlled research tells a stark story: AI-generated phishing emails achieve a 54% click-through rate compared to just 12% for emails crafted by human cyberattackers, according to a 2024 study led by Harvard researchers that validated these findings against live human subjects. The effectiveness gap represents a fundamentally different cyber threat category, rather than a marginal improvement.
Three factors explain the performance delta. First, AI eliminates the cognitive friction that triggers suspicion, since human-written phishing emails contain subtle irregularities such as slightly off-brand tone, minor formatting inconsistencies, and culturally awkward phrasing, while AI-generated text exhibits none of these telltale signs.
Second, AI achieves perfect contextual alignment by ingesting target-specific OSINT data that a human cyberattacker would need hours to collect and synthesize. Third, AI-generated campaigns maintain consistent quality across thousands of messages, whereas human cyberattackers fatigue and produce declining-quality lures as volume increases.
Security researchers have identified telltale signs that can reveal AI origin, though these require technical inspection most employees cannot perform. HTML comments referencing model prompts, placeholder text fragments that LLMs occasionally hallucinate into messages, and subtle formatting artifacts from automated generation pipelines all appear in AI-crafted phishing emails.
These markers require dedicated analysis tools and trained security operations center (SOC) analysts to catch, and they offer little help to an employee making a split-second trust decision late on a Friday afternoon.
Fred Heiding, a research fellow at Harvard University who led one of the first controlled studies validating AI's superiority over human cyberattackers in spear phishing campaigns, noted that the scale is changing. His research demonstrated that AI can now execute end-to-end phishing campaigns, including reconnaissance, message generation, and delivery, without human intervention, matching or exceeding the effectiveness of expert human social engineers.
The asymmetry is baked in: defenders must protect every employee across every channel every day, while cyberattackers need only one employee to make one mistake through one channel. AI has tilted that asymmetry further by making the cyberattack side cheaper, faster, and more effective than ever before. Organizations that still rely on annual phishing simulations built on static templates are not preparing their people for the cyber threats they actually face.
The same generative AI engines that now produce flawless phishing emails at scale are also powering synthetic voices and deepfake video capable of impersonating executives in real time, a vector that renders email-only defenses dangerously incomplete.
The Escalating Financial Toll of Phishing: From Individual Breaches to Global Losses
The 2025 IBM Cost of a Data Breach Report pegged the global average breach cost at $4.44 million. Phishing-originated breaches can carry above-average price tags because cyberattackers who gain access through compromised credentials spend longer moving laterally before detection, inflating both containment costs and data exfiltration volumes.
Industry context makes the per-breach numbers even starker. Segments with high breach costs share a common vulnerability: they handle large volumes of sensitive data and employ large workforces that cyberattackers can target. A single successful phishing email to a hospital billing clerk or a bank wire specialist can trigger a breach that costs the organization more than its annual security awareness training budget by orders of magnitude, underscoring why these phishing trends carry direct budget implications.
The root cause breakdown reveals phishing's outsized role. Phishing does not just cause more incidents; it causes more expensive ones, because the median time to identify a phishing-enabled breach stretches beyond 200 days when cyberattackers use stolen credentials to blend into normal traffic patterns.
How Much Does Business Email Compromise Cost Organizations?
Business email compromise (BEC) is a targeted form of phishing in which cyberattackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds or exposing sensitive data. Unlike broad-based phishing campaigns that cast wide nets, BEC cyberattacks are researched, personalized, and calibrated to bypass both technology filters and human skepticism.
The scale of BEC losses has reached staggering proportions. The FBI's 2025 Internet Crime Report documented over $3 billion in BEC-related losses, making it the second-costliest cybercrime category, behind only cryptocurrency investment fraud.
The financial services, real estate, and legal sectors face disproportionate targeting because their business models depend on high-value wire transfers that cyberattackers can intercept with a single well-timed impersonation email. Modern BEC campaigns increasingly combine email with voice and video deepfake components, creating multi-channel deception that overwhelms legacy verification processes and dramatically increases the probability of a successful wire transfer.
What Are the Global Annual Losses From Phishing?
When a phishing email leads to ransomware deployment, the organization absorbs two cost cascades simultaneously: the phishing-enabled breach costs plus the ransomware-specific expenses of system downtime, data recovery, ransom negotiation, and forensic investigation.
For security leaders building the business case for phishing defense investment, this cost-per-minute framing transforms an abstract cyber threat into a balance sheet argument. Every minute an organization operates without phishing-specific controls and employee conditioning represents measurable financial exposure.
Phishing Attack Types and Techniques Proliferating in 2026
The phishing cyber threat landscape has fragmented into a spectrum of specialized attack types, each engineered to exploit distinct psychological vulnerabilities and organizational gaps. Mass phishing campaigns prioritize volume, blasting generic credential-harvesting lures to thousands of recipients simultaneously.
Spear phishing narrows the aperture to a single organization through open-source intelligence (OSINT)-enriched personalization, while whaling escalates further, targeting C-suite executives and board members with meticulously researched pretexts designed to authorize large wire transfers or disclose market-moving information.
Microsoft Threat Intelligence found that credential phishing accounted for 94% of all malicious payload-based cyberattacks in March 2026. Across every variant, the objective remains the same: steal credentials that unlock email, file storage, and every downstream service connected through single sign-on, a pattern central to current phishing trends.
Mass Phishing vs. Spear Phishing vs. Whaling: What's the Difference?
Mass phishing is the spray-and-pray approach. Cyberattackers send identical, low-effort emails to thousands or millions of recipients, typically impersonating a well-known brand and urging the recipient to click a link, open an attachment, or verify account credentials.
The economics work because even a 0.1% click-through rate produces enough compromised accounts to monetize. These campaigns overwhelmingly target cloud-based services such as Microsoft 365 and Google Workspace, where a single stolen credential can unlock email, document storage, and internal collaboration tools.
Spear phishing flips the model entirely. Instead of casting a wide net, cyberattackers research a specific individual or team using publicly available information: job titles from LinkedIn, conference speaking engagements, organizational charts, and social media activity.
The resulting email references real projects, colleagues, and workflows, making it functionally indistinguishable from legitimate internal communication. A finance manager might receive what appears to be a vendor invoice from a known supplier, complete with accurate project codes and the correct internal approvers copied.
Whaling represents the apex of targeted phishing. These cyberattacks impersonate CEOs, CFOs, general counsel, or board members to authorize fraudulent wire transfers, release sensitive financial data, or redirect payroll.
The cyberattacker studies the executive's communication style, email cadence, signature formatting, and common phrases to produce a message that reads exactly like the person being impersonated. Whaling cyberattacks frequently bypass technical controls because the email itself contains no malicious links or attachments; it relies on pure social engineering, exploiting the recipient's deference to authority and fear of delaying an urgent executive request.
Business Email Compromise (BEC): The Conversation-Based Attack
Business email compromise is the most financially devastating form of phishing, distinguished by its reliance on conversation rather than technical payloads. BEC cyberattacks do not use malware, malicious links, or credential-harvesting pages; instead, the cyberattacker builds trust through a sequence of seemingly innocuous messages before making the fraudulent request.
Microsoft's Q1 2026 email threat report quantified exactly how this pattern works at scale. Of the approximately 10.7 million BEC cyberattacks Microsoft detected during the quarter, 82% to 84% of initial contact emails contained no financial ask whatsoever. The first message is almost always a casual check-in asking whether the recipient is available.
The cyberattacker waits for engagement, a reply that confirms the target is responsive and unsuspicious, before introducing the fraudulent request in the third or fourth message. Only 9% to 10% of initial BEC messages made explicit financial or document requests.
- Vendor impersonation is the most common BEC variant, in which cyberattackers compromise or spoof a legitimate supplier's email account, then send modified invoices with updated payment instructions to the target's accounts payable team;
- CEO fraud, the second major variant, impersonates an executive to instruct a finance employee to execute an urgent wire transfer;
- Payroll redirection rounds out the triad, with cyberattackers impersonating an employee and requesting that HR update direct deposit information.
Credential Harvesting, Invoice Scams, and Payment Fraud
Credential harvesting dominates the phishing payload landscape because stolen credentials are the skeleton key to cloud environments. Rather than delivering malware, cyberattackers direct victims to convincing replicas of Microsoft 365, Google Workspace, or Okta login pages. Once credentials are captured, the cyberattacker gains persistent access to email, file storage, and any downstream services connected through single sign-on.
Organizations that run realistic phishing simulations across multiple channels condition employees to recognize these credential-harvesting pages before they enter their passwords, closing the gap that email filters alone cannot cover.
Invoice and payment fraud lures exploit the universal fear of missing a financial deadline. Tax-themed phishing surges predictably during filing seasons, with cyberattackers impersonating IRS or HMRC notifications about refunds, audits, or missing documentation. Payment and delivery scams use fake shipping notifications from carriers like FedEx, UPS, or DHL, claiming that a package requires payment confirmation or settlement of a customs fee before delivery.
PDF attachments are the delivery mechanism of choice for these campaigns. Microsoft tracked a 50% month-over-month increase in malicious PDFs in March 2026, reaching their highest volume in over a year. Cyberattackers favor PDFs because they feel authoritative, bypass basic attachment filters that flag executable files, and often embed QR codes that shift the credential-harvesting page to an unmanaged mobile device outside corporate security controls.
Social Media and Relationship-Based Phishing
Phishing has expanded well beyond the inbox. Angler phishing exploits brand trust on social media platforms by creating fake customer support accounts that intercept users publicly complaining about a product or service.
When a frustrated customer posts publicly about a canceled flight, the angler responds from a near-identical handle, linking to a fake resolution portal that harvests login credentials or payment card data. The cyberattack succeeds because it arrives in a context where the target is already seeking help.
Blagging, sometimes called pretexting, exploits personal relationships rather than brand familiarity. A cyberattacker might impersonate a colleague's spouse emailing HR about an insurance enrollment deadline, or pose as a journalist requesting comment on a sensitive topic to extract internal information. The defining feature of blagging is the construction of a fictional scenario compelling enough to override the target's normal skepticism.
Recruitment scams represent a fast-growing blagging variant: cyberattackers create fake job postings on LinkedIn, conduct realistic video interviews using AI-generated deepfake avatars, and ultimately request identity documents or onboarding fees from candidates. Platforms like Calendly and Facebook Events are routinely impersonated to send fake interview-scheduling links that lead to credential-harvesting pages or malware.
Brand Impersonation Patterns: Who Gets Spoofed Most
Microsoft remains the most impersonated brand in phishing campaigns by a wide margin. According to Schneider Downs' Q4 2025 brand phishing analysis, Microsoft accounted for 22% of all brand-impersonation cyberattacks, followed by Google at 13%, Amazon at 9%, and Apple at 8%.
The pattern is consistent across reporting periods: cyberattackers target platforms where credential compromise yields maximum lateral movement, since a stolen Microsoft 365 login provides access to email, Teams, SharePoint, and any third-party service connected through that identity.
DocuSign impersonation has emerged as a leading inbox threat because electronic signature requests are routine in virtually every industry. Employees are conditioned to click DocuSign links quickly, since delaying a signature can hold up a contract, a hiring decision, or a payment. Cyberattackers exploit this urgency by sending fake document-signing notifications that redirect to credential-harvesting pages mimicking the DocuSign login portal.
HR platform impersonation follows the same logic: fake notifications about benefits enrollment, performance reviews, or payroll updates arrive in contexts where employees expect and act on HR communications. Cyberattackers increasingly route phishing through free webmail services rather than compromised corporate accounts, exploiting the fact that legitimate business communication often originates from Gmail and Outlook addresses in smaller organizations and B2B contexts.
For security teams, that expanding cyberattack surface means training programs must cover the full spectrum of channels cyberattackers are already exploiting. An employee who can spot a phishing email but has never encountered a vishing call or a deepfake video remains an open target.
Emerging Attack Vectors Reshaping the Phishing Threat Landscape
Security teams that only run phishing simulations against email are testing a fraction of their real cyberattack surface. Six vectors have surged in velocity and sophistication over the past eighteen months, each exploiting a gap traditional email-centric defenses were never designed to close.
Multi-channel phishing simulations that test susceptibility across email, voice, SMS, and authentication flows reveal where an organization is actually exposed and direct training toward the channels where failure rates spike. The vectors below are not theoretical; every one has produced documented breaches and is actively deployed at scale against organizations of every size.
What Are the Fastest-Growing Phishing Attack Vectors in 2026?
1. QR Code Phishing (Quishing) Bypasses Email Defenses
QR code phishing, or quishing, embeds malicious URLs inside image-based QR codes that text-scanning email filters cannot read. In Q1 2026, Microsoft Threat Intelligence tracked a 146% quarter-over-quarter surge in quishing cyberattacks, climbing from 7.6 million detections in January to 18.7 million in March, making it the fastest-growing cyberattack vector of the quarter.
PDF attachments delivered 70% of these malicious QR codes by March, with the remainder split between DOC/DOCX files and a late-quarter spike in QR codes embedded directly in email bodies; that inline technique surged 336% in March alone and eliminates the need for any attachment.
The core evasion mechanism is simple and effective: the QR code is an image, so traditional URL-scanning and link-rewriting tools see nothing. Victims scan a code on a mobile device, which typically lacks the endpoint protections and corporate network filtering found on managed laptops, thereby redirecting them to credential-harvesting pages that exist entirely outside the organization's security perimeter.
2. AI-Powered Voice Phishing and Callback Attacks
Callback phishing, also called telephone-oriented attack delivery (TOAD), combines a benign-looking invoice or subscription notice with a phone number that pressures the victim to call. Once on the line, a live operator, often supported by AI-cloned audio of a company executive, walks the target through credential entry or wire transfer instructions.
The psychological mechanism differs from email phishing: hearing a human voice, particularly one that sounds like a known leader, activates authority bias and urgency in ways that text alone cannot. The rapid pivot toward hybrid voice-and-email campaigns signals that cyberattackers have recognized a fundamental gap, since most organizations train employees to scrutinize links but not phone calls.
3. CAPTCHA-Gated and Multi-Stage Phishing Attacks
CAPTCHA-gated phishing cyberattacks more than doubled in March 2026, surging 125% to 11.9 million cyberattacks, the highest monthly volume Microsoft observed in over a year. These cyberattacks insert a fake CAPTCHA verification step between the victim and the credential-harvesting page, serving two purposes: automated scanning tools from email security providers see a legitimate CAPTCHA page and stop probing, while the human victim interprets the security check as proof the destination is trustworthy.
A single three-day campaign in late February 2026 delivered more than 1.2 million SVG-based CAPTCHA phishing messages to over 53,000 organizations across 23 countries, using themes like 401(k) updates, past-due invoices, and voice message notifications to drive engagement.
The broader trend signals commoditization: Tycoon2FA's share of CAPTCHA phishing infrastructure fell from over 75% at the end of 2025 to just 41% by March 2026, meaning the technique is now standard playbook material across the entire threat actor ecosystem rather than the specialty of a single platform.
4. Advanced Attachment-Based Attacks Exploit Trusted Formats
Threat actors are abandoning traditional malware-laced Office macros in favor of file formats that users and security tools trust by default. SVG files, Scalable Vector Graphics that render natively in every browser, have become a significant phishing delivery mechanism, executing JavaScript when opened, hosting embedded phishing forms, and rarely triggering suspicion.
Malicious.ICS calendar invite files pose an even sharper threat because calendar applications automatically render invites and often add them to the user's calendar, allowing these cyberattacks to persist in the victim's schedule even after the original email is deleted. Researchers at Rapid7 documented how the "invisible click" problem makes calendar-based phishing especially dangerous, where a single tap on an.ICS file can trigger a redirect before the user registers what happened.
The ClickFix social engineering technique compounds these attachment vectors by instructing victims to copy and paste malicious commands into their terminal or Run dialog under the guise of completing a human-verification step, bypassing download protections entirely.
5. AiTM, Device Code Phishing, and the MFA Bypass Problem
Adversary-in-the-middle (AiTM) phishing has rendered standard multi-factor authentication insufficient against determined cyberattackers. Tools like EvilProxy and the EvilTokens framework place a transparent proxy between the victim and the legitimate login page, capturing both the password and the session token after MFA is complete, thereby producing an authenticated session that bypasses MFA checks entirely.
Microsoft Threat Intelligence also documented an emerging device code phishing technique in early 2026, where cyberattackers exploit the device code authentication flow used by Microsoft Entra ID and other identity providers: the victim is tricked into entering a device code on a legitimate Microsoft login page, which grants the cyberattacker a token that authenticates as the victim on a separate device.
The practical implication is clear: SMS-based and push-notification MFA no longer provide sufficient protection against session hijacking. Organizations must migrate toward phishing-resistant MFA, FIDO2 security keys, Windows Hello, or certificate-based authentication, while simultaneously training employees to recognize the multi-stage social engineering that precedes an AiTM cyberattack.
6. Phishing-as-a-Service Commoditizes Sophisticated Attacks
The barrier to launching advanced, multi-stage phishing campaigns has collapsed. Phishing-as-a-Service (PhaaS) platforms now offer subscription-based access to pre-built phishing kits with AiTM capabilities, CAPTCHA evasion, and credential-harvesting infrastructure. Availability increased roughly 50% year-over-year, turning what once required a skilled operator into a point-and-click transaction.
The Tycoon2FA platform exemplifies both the scale and the resilience of this model. Before Microsoft's Digital Crime Unit, in coordination with Europol and industry partners, disrupted its infrastructure in March 2026, Tycoon2FA had become one of the most widespread PhaaS operations globally. Associated email volumes dropped 15% following the takedown, and targets' ability to reach active phishing pages was substantially reduced.
However, Tycoon2FA operators rapidly adapted, shifting hosting providers and migrating to .RU top-level domains for over 41% of new registrations, partially restoring operations within weeks. The lesson for defenders is that disruption buys time but does not eliminate the cyber threat, since PhaaS platforms reconstitute quickly because the underlying economics, low operating cost paired with high credential resale value, remain unchanged.
Who Phishing Targets: Industries, Demographics, and Behavioral Patterns
Phishing is not a random scattershot cyber threat. It follows precise targeting logic shaped by data value, organizational structure, and predictable human behavior. Financial services, SaaS and webmail providers, and social media platforms consistently top cyberattacker target lists because they concentrate the most monetizable data and credential access pathways in a single breach.
Different internal roles face fundamentally different cyberattack profiles. Finance departments are bombarded with invoice fraud and BEC; HR teams confront credential harvesting disguised as benefits portals, and IT help desks navigate pretexting cyberattacks designed to exploit their authority to reset credentials and bypass access controls.
Generational differences produce a counterintuitive pattern: Gen Z, despite being digital natives, falls for phishing at roughly twice the rate of Baby Boomers, driven by overconfidence, higher online transaction volume, and platform-native trust in digital communication. The rapid shift to mobile-first phishing exploits the reduced URL visibility and truncated interface cues that make cyber threat detection significantly harder on smartphones than on desktops.
Which Industries Face the Highest Phishing Risk?
Phishing cyberattackers do not distribute their efforts evenly. They concentrate where the return on effort is highest, and industry risk rankings reveal a clear hierarchy that has remained remarkably consistent even as cyberattack techniques evolve.
Financial services sit squarely in the crosshairs and the reason is straightforward: compromised financial credentials translate directly into monetizable access, and a single set of online banking credentials can be liquidated within hours on dark web marketplaces.
SaaS and webmail providers rank as the most targeted category overall because they serve as gateways to entire organizational ecosystems. A compromised Microsoft 365 or Google Workspace credential unlocks email archives, file storage, calendar data, and internal communication threads, all of which fuel more sophisticated downstream cyberattacks. Social media platforms round out the top three, prized for the personal data they expose and the trust relationships they enable cyberattackers to exploit.
Healthcare tells a different story: not the most frequently attacked, but one of the most expensive when a breach succeeds. The cost premium reflects the sensitivity of protected health information (PHI), mandatory breach notification requirements, and the life-critical nature of hospital operations, where a ransomware incident triggered through a phishing email can delay surgeries and divert ambulances.
Click rate variations across sectors reveal another dimension of risk. Organizations in hospitality and retail routinely post higher phishing simulation click rates than financial services and technology firms do, not because their employees are less capable, but because they typically invest less in security awareness infrastructure. The gap between sectors is often a function of training investment, rather than innate susceptibility.
Which Departments and Roles Do Attackers Prioritize?
Cyberattackers select targets based on access, rather than seniority. Three internal functions absorb a disproportionate share of phishing volume: finance, human resources, and IT help desks.
Finance teams are the primary target for BEC and invoice fraud. Cyberattackers impersonate CFOs, vendors, and payment processors to trigger wire transfers, often layering the request across email and voice channels for credibility.
The impersonation of a known executive, combined with manufactured urgency around a deal deadline or regulatory filing, short-circuits standard verification protocols, and even a 0.1% failure rate in judgment among finance employees processing high-value transactions daily, produces catastrophic outcomes.
HR departments face a different cyber threat profile. Cyberattackers send fake benefits enrollment links, payroll portal credential harvesting pages, and fraudulent employment verification requests, all designed to capture the personally identifiable information (PII) that HR systems contain by design. A single compromised HR account can expose the Social Security numbers, bank details, and home addresses of an entire workforce.
IT help desks are uniquely dangerous targets because their job is to resolve access issues. Pretexting cyberattacks against service desks exploit this dynamic: a cyberattacker poses as an employee locked out of their account, applies social pressure, and convinces a technician to bypass multi-factor authentication or reset credentials to a phone number controlled by the cyberattacker.
These cyberattacks succeed not by technical sophistication but by weaponizing the help desk's institutional mandate to be helpful, since the IT service desk is the one function authorized to grant access, making it the most valuable target for cyberattackers who understand organizational workflows.
Executive exposure compounds these risks. Senior leaders have elevated system privileges and authority that make their accounts disproportionately valuable, yet executives are also among the least likely to complete routine security awareness training, creating a dangerous asymmetry between the accounts with the most access and the people with the least recent defensive conditioning.
OSINT sources, including LinkedIn profiles, conference speaking videos, podcast appearances, and earnings call recordings, provide cyberattackers with the raw material to build highly personalized spear-phishing campaigns that exploit both executive authority and executive blind spots.
Why Is Gen Z the Most Susceptible Generation to Phishing?
The assumption that digital natives are naturally phishing-resistant collapses under real data. A 2025 Yubico Global State of Authentication survey found that Gen Z was the demographic most likely to fall for phishing cyberattacks, with 17% of Gen Z respondents reporting they had fallen victim to an online scam, more than double the 7% reported by Baby Boomers.
The root causes are behavioral, rather than technical. Gen Z spends more hours online and transacts across more platforms than any previous generation, which multiplies their cyberattack surface. They are conditioned to trust digital interfaces, app notifications, direct messages, and platform-native payment flows, and they complete transactions faster, with less friction-seeking behavior around verification.
Overconfidence plays a measurable role. Younger users consistently self-report greater confidence in their ability to detect phishing but fail phishing simulation tests at higher rates than older colleagues. The gap between perceived competence and demonstrated performance is widest in the under-30 cohort, a pattern security awareness program managers must account for when designing role-based phishing simulations.
Geographic patterns add another layer. The World Cybercrime Index, developed by University of Oxford researchers and published in PLOS ONE, identified Russia, Ukraine, China, the United States, Nigeria, and Romania as the top six countries of cybercriminal origin, a ranking that has remained stable across multiple categories of cybercrime, including data theft, phishing, and scams.
On the receiving end, the Netherlands consistently ranks as the most targeted European nation per capita in terms of cybercrime volume, while Moldova has emerged as a disproportionately victimized country relative to its population size.
Training performance also varies meaningfully by region. Organizations deploying security awareness training across multiple countries report different baseline click rates and different improvement trajectories by geography, shaped by local cybercrime exposure, cultural attitudes toward authority and digital trust, and the prevalence of phishing in the native-language digital environment. Programs that treat a global workforce as a monolith miss these regional risk concentrations entirely.
When Are Phishing Attacks Most Likely to Land?
Timing is not incidental to phishing success; it is engineered. Cyberattackers schedule campaigns around predictable dips in human attention and surges in situational trust.
Sundays and Fridays are the peak days for phishing email delivery, with Sundays accounting for approximately 22% of weekly phishing volume and Fridays roughly 19%. The strategy is deliberate: weekend emails reach employees who are checking inboxes casually on personal devices, outside the security context of office networks, and with reduced access to IT support. Friday afternoons exploit end-of-week fatigue and the temptation to clear outstanding items before logging off, suppressing the verification instinct.
Seasonal campaign themes amplify these patterns. Tax season, spanning January through April in the United States, triggers a surge in IRS impersonation emails, W-2 phishing attempts targeting HR departments, and fake tax filing portals. Holiday shopping periods generate waves of delivery notification scams, fake order confirmations, and fraudulent charity appeals. Back-to-school season brings a spike in education-sector credential harvesting, often disguised as tuition invoices, financial aid portal updates, or campus login resets.
Each seasonal theme exploits a different trust context, since an employee who would never click a generic password reset link will open a shipping notification without hesitation. The speed at which phishing works makes these timing patterns especially dangerous. Cyberattackers need less than a minute of inattention from a single employee to gain a foothold, and they time their campaigns for the moments when that inattention is most predictable.
Why Is Mobile Phishing Harder to Defend Against?
The smartphone has become the cyberattacker's preferred delivery platform, and the defensive gap is widening. Zimperium's 2024 zLabs Global Mobile Threat Report found that 82% of phishing sites now specifically target mobile devices. Cyberattackers optimize landing pages for mobile screens because the inspection behavior is fundamentally different: users on phones are less likely to hover over links, less likely to examine full URLs, and more likely to tap and move on.
Three structural disadvantages make mobile phishing detection harder than desktop detection:
- Truncated URLs in mobile browsers hide the domain, since a spoofed domain and a legitimate one are indistinguishable in a mobile address bar that shows only the first 30 characters;
- Smaller screens compress visual cues, making the layout anomalies, awkward spacing, and low-resolution logos that signal fraud on a desktop monitor far less visible at mobile scale;
- Mobile notification culture trains users to tap first and read later, with push notifications from Slack, Teams, and email apps creating a reflexive interaction rhythm that cyberattackers exploit by timing phishing messages to arrive within that notification flow.
The SMB exposure gap compounds the mobile phishing problem. Small and mid-sized businesses are attacked at disproportionately high rates relative to their security investment. SMBs face the same phishing cyber threat landscape as enterprises but operate with a fraction of the defensive infrastructure. Their employees, who often juggle multiple roles and access multiple systems, present a wider cyberattack surface per person than employees at larger organizations with more segmented access controls.
The convergence of mobile-first phishing design, reduced URL inspection behavior, and under-resourced SMB defenses creates a cyberattack surface that traditional email gateways were never designed to address. Defenses that treat phishing as an inbox problem overlook the reality that the most dangerous click often occurs on the device in the employee's hand, rather than on the one on their desk.
How Phishing Simulations and Security Awareness Training Reduce Organizational Risk
Organizations that run continuous phishing simulations combined with mandatory follow-up training cut employee susceptibility nearly in half within six months, according to a 2025 longitudinal study spanning 20 companies and over 1,300 employees published on arXiv. The same study found that 70% of employees who fell for a simulated phishing attempt once never repeated the unsafe behavior after receiving immediate, just-in-time corrective training.
The effect is measurable and substantial, but it only materializes when training is continuous, contextually relevant, and reinforced at the moment of error; annual compliance modules delivered in isolation produce no comparable behavioral shift.

The Training Effectiveness Data
The study cited above brings an interesting finding: baseline phishing susceptibility started at 8.5% and dropped to 4.2% within six to eight months, a 52% reduction, and stabilized near the 4.1% industry benchmark for organizations running mature, continuous training programs.
The study distributed more than 13,000 simulated phishing emails engineered with varied emotional triggers, including fear, curiosity, altruism, and authority. When employees clicked, they were immediately routed to mandatory corrective training rather than receiving a passive failure notification. This just-in-time feedback loop proved decisive: 64.5% of employees never engaged unsafely across the entire year-long campaign, and of those who did click, the vast majority did so only once.
The distinction between behavior-basedtraining and compliance-checkbox approaches is stark. A 2024 scoping review of 42 studies found that point-of-error training, delivering instruction the moment someone clicks a simulated phishing email, reduces susceptibility by an average of 40%, significantly outperforming every other delivery method, including follow-up emails, videos, and gamified modules.
Researchers at Carnegie Mellon University's CyLab confirmed this pattern: embedded training triggered by actual failure produces durable behavioral change, while annual cybersecurity awareness sessions that track only seat time and completion percentages show no measurable reduction in real-world click rates.
The mechanism is straightforward. When training arrives disconnected from a lived mistake, the brain files it as abstract information, but when it arrives seconds after a consequential error, the lesson encodes alongside the emotional and contextual cues that produced the mistake.
Microlearning amplifies this effect further. The arXiv study's training modules ran under 10 minutes each and were assigned automatically based on the specific phishing template an employee fell for, with a credential theft scenario triggering a credential-focused module and a fake HR notification triggering training on identifying internal impersonation.
This contextual matching produced consistently declining susceptibility month over month, even as the simulation templates grew more sophisticated. Traditional annual training delivers the same generic content to every employee regardless of role, risk profile, or failure history.
How Do Phishing Simulation Programs Actually Work?
Phishing simulation programs operate on a deceptively simple cycle: test, measure, train, and repeat. The organization deploys realistic yet safe phishing messages via email, voice calls, SMS, or deepfake videos to employees who do not know they are being tested.
When an employee engages in unsafe behavior, the platform captures the event, redirects the employee to a brief corrective training module, and logs the failure in the individual's risk profile. When an employee correctly identifies and reports the phishing simulation, that positive signal is logged as well, and over time, the program builds a dynamic portrait of human risk across the organization.
What separates effective phishing simulation programs from checkbox exercises is multi-channel coverage. Cyberattackers do not restrict themselves to email: smishing, quishing (QR code phishing), and deepfake video calls have all become standard cyberattack vectors. A simulation program that tests only email phishing leaves employees completely untrained for the phone call from a fake IT support line or the SMS that appears to come from the CEO and arrives during a busy afternoon.
Industry and Role Benchmarking
Not all employees and not all industries face equal phishing risk, and effective programs benchmark accordingly. Marketing and sales teams consistently show greater susceptibility than operations or engineering teams, with certain benchmarks showing click rates two to three times the organizational average. Finance and HR departments face heavier targeting because cyberattackers know these roles handle payments and personnel data.
Industry verticals diverge sharply. Healthcare organizations carry the highest breach costs. Financial services firms contend with business email compromise (BEC) and wire fraud attempts that average six-figure losses per successful incident. Technology companies confront credential theft and supply chain impersonation at higher rates than other sectors.
Organizations can benchmark their program performance against industry peers using standardized metrics: phish-prone percentage, reporting rate, and time-to-report are the three most commonly compared indicators. A program that reduces its phish-prone percentage below 5% within 12 months is performing at the top of industry benchmarks.
From Training Completion to Behavioral Change
CAT completion percentages are the most commonly tracked security awareness metric and the most misleading. A 2025 Fortinet survey found that 42% of organizations evaluate training effectiveness primarily by completion rate, yet completion rates reveal nothing about whether an employee can recognize a real phishing attack three months later. It certifies attendance, rather than competence.
Dr. Lorrie Cranor, Director of Carnegie Mellon University's CyLab Security and Privacy Institute, made the point in a 2026 discussion on security awareness design that constant, generalized vigilance is not a sustainable defense strategy in itself.
Her broader argument, that security training must produce usable skills rather than generalized anxiety, underscores why behavioral risk scores matter more than completion logs. A risk score built from phishing-simulation click rates, reporting frequency, credential-exposure data, and open-source intelligence (OSINT) vulnerability data reveals whether an employee actually makes safer decisions.
The organizations achieving the strongest outcomes have shifted from tracking whether training happened to tracking whether it worked, measuring repeat offender rates, reporting velocity, and simulation difficulty progression. These metrics capture behavioral change.
The Multi-Channel Simulation Imperative
When roughly 40% of phishing campaigns now arrive through channels other than email, running email-only phishing simulations leaves every other entry point unguarded. Smishing volume has risen steadily year over year as cyberattackers exploit the fact that mobile devices rarely carry the same filtering protections as corporate email systems.
Each channel exploits a different psychological vulnerability. Email phishing preys on inattention and volume. Vishing exploits voice authority and real-time pressure. Smishing exploits the casual SMS reading mode most people adopt on personal devices, where suspicion thresholds are lower. Deepfake video exploits the near-absolute trust most people still place in visual and auditory evidence.
A simulation program limited to email leaves employees exposed on every other front, training them to scrutinize links in Outlook while leaving them defenseless when the same cyberattack arrives through a messaging app, a phone call, or a video meeting.
Multi-channel programs close these blind spots by conditioning verification habits across every surface. Employees who have experienced a simulated vishing call from a fake help desk are far less likely to comply when a real cyberattacker tries the same script. Employees who have watched a deepfake video of their own CEO in a training context are inoculated against the visceral trust response that makes these cyberattacks so effective.
Organizations that run phishing simulations across email, voice, SMS, and video see faster susceptibility reduction and more durable behavioral change than those testing email alone. In an era when cyberattackers move fluidly across channels, defending only one channel is no longer defensible.
Major Phishing Breaches and the Lessons They Teach
When phishing succeeds, the consequences unfold at a staggering scale. $25 million vanished in a single video call. 192 million patient records were exposed due to one missing MFA setting. A $400 million retail profit was wiped out by a phone call to the help desk. These are not edge cases; they are the defining phishing trends reshaping enterprise risk in 2026.
Each breach reveals a specific failure pattern that security leaders can address before their organization becomes the next case study. The common thread is unmistakable: cyberattackers target human trust, rather than infrastructure, meaning the most expensive breaches in history now begin with a conversation rather than a piece of malware.

The $25M Deepfake CFO Scam: How a Video Call Became a Wire Fraud Weapon
In early 2024, a finance employee at Arup, the global engineering and design firm, received an email purportedly from the company's CFO requesting an urgent transfer. Suspicious at first, the employee's skepticism evaporated when they joined a video conference call where every other participant, including the CFO and several colleagues, was an AI-generated deepfake.
]The employee authorized $25 million in transfers before anyone realized the call was a fabrication. Hong Kong police later confirmed the perpetrators developed deepfakes by harvesting publicly available video and audio of Arup executives, then used them to populate an entirely fake meeting.
What made this cyberattack uniquely effective was its multi-channel orchestration. The initial phishing email established the transfer request, and the video call, populated with lifelike deepfakes of multiple trusted colleagues, neutralized the employee's hesitation.
This exploited a psychological vulnerability that single-channel phishing cannot reach: when someone sees and hears a person they recognize giving them a direct instruction, the instinct to comply overrides security protocols, according to a World Economic Forum analysis of the Arup case.
The cyberattack revealed that verification protocols designed to detect email phishing are useless against a convincing face on a video call. Checking the sender or hovering over links offers no protection when a deepfake CEO is looking directly through a webcam. Every organization that wires money internationally is now a target for this cyberattack pattern, and the barrier to entry for criminals is dropping fast.
Healthcare Under Siege: The Change Healthcare Breach and Third-Party Risk Concentration
In February 2024, the ALPHV/BlackCat ransomware group accessed a Change Healthcare Citrix portal using compromised credentials. The portal did not have multifactor authentication turned on, a fact UnitedHealth Group CEO Andrew Witty confirmed in testimony before the House Energy and Commerce Committee.
Cyberattackers moved laterally for 9 days, exfiltrated roughly 6 TB of sensitive data, and then deployed ransomware. The breach ultimately exposed 192.7 million patient records and cost UnitedHealth $872 million in direct financial impact in the first quarter, a figure that eventually swelled to more than $2.3 billion when including advance payments to providers.
The Change Healthcare breach is a masterclass in concentrated third-party risk. As a subsidiary processing claims for one in three U.S. patient records, Change Healthcare was a single point of failure for the entire American healthcare payment system. One stolen credential cascaded into the most disruptive cyberattack on U.S. critical infrastructure to date: pharmacies could not process prescriptions, and providers could not submit claims or make payroll.
The breach laid bare an uncomfortable truth: when a critical third party skips basic controls like MFA, every downstream organization inherits that exposure. Healthcare CISOs learned in 2024 what the rest of the economy is now absorbing: that security posture is only as strong as the most compromised credential in the supply chain, and that credential often arrives via a phishing campaign.
The Marks & Spencer Ransomware Attack: When the Help Desk Became the Front Door
In April 2025, cyberattackers did not bypass Marks & Spencer's security controls; they called the help desk and asked to be let in. The UK retailer's IT service desk, operated by Tata Consultancy Services, received a social engineering phone call from cyberattackers posing as internal IT staff.
The caller, a native English speaker, convinced help desk personnel to provide credentials and access, which the cyberattackers then used to infiltrate M&S's network and deploy the DragonForce ransomware. CEO Stuart Machin later told reporters the company was simply unlucky and that the result was due to human error, according to Reuters' reporting on the incident.
The operational damage was catastrophic. Automated ordering and stock systems were shut down across 1,400 stores and 65,000 employees, forcing staff to track fresh food shipments on paper. Online shopping was suspended for 46 days, and customer data including names, addresses, phone numbers, and order histories, was exfiltrated.
M&S quantified the hit at £300 million (approximately $400 million) in lost operating profit for 2025-26. The cyberattackers, later identified as the Scattered Spider group, used the same playbook to hit Co-op and Harrods within days.
The M&S breach rewrites the risk calculus for every organization that outsources IT support. The help desk is a customer-facing cyberattack surface, and every agent who resets a password is a potential entry point for a nine-figure breach.
Organized Cybercrime Alliances: Inside "The COM" and the Industrialization of Phishing
The most dangerous development in the phishing landscape is not any single technique; it is the emergence of fluid, collaborative cybercrime alliances that share access, tools, and targets. The alliance of Scattered Spider, LAPSUS$, and ShinyHunters, operating under the banner of "The COM," a loosely organized English-speaking cybercriminal ecosystem, represents a tectonic shift in how phishing-driven breaches are carried out.
According to Resecurity's deep-dive analysis of the alliance, Scattered Spider specializes in social engineering and initial access, ShinyHunters handles data exfiltration and extortion, and LAPSUS$ contributes expertise in SIM-swapping and MFA-bypass. Together, they have breached the environments of Qantas, Adidas, Salesforce (over 1.5 billion records from 760 companies), and Jaguar Land Rover.
The COM model mirrors legitimate business specialization: one group phishes credentials, another converts access into data exfiltration, and a third monetizes through extortion or ransomware deployment. No single arrest dismantles the operation because membership is fluid, with actors constantly rebranding and reforming.
The FBI has issued multiple alerts about this convergence, warning that the boundaries between data theft, extortion, and ransomware are now operationally blurred. The lesson for defenders is stark: phishing defense must account for adversaries who are better coordinated, better funded, and more specialized than most in-house security teams.
The Lazarus/ByBit $1.5B Heist: When Phishing Meets Crypto
On February 21, 2025, North Korea's Lazarus Group pulled off the largest cryptocurrency theft in history, stealing $1.5 billion in Ethereum tokens from the Dubai-based exchange Bybit. The cyberattack combined social engineering with a supply chain compromise.
Cyberattackers exploited a vulnerability in Safe Wallet's user interface code during what appeared to be a routine multi-signature transaction, making the malicious destination wallet appear legitimate to every signer. The FBI confirmed attribution to TraderTraitor, Lazarus's crypto-focused subgroup, within days.
ByBit's CEO, Ben Zhou, signed off on what he believed was a standard transfer, but the hackers had manipulated the frontend to hide the true destination. At least $160 million was laundered within the first 48 hours, according to the Center for Strategic and International Studies.
The ByBit heist exposes a dangerous crossover between phishing and crypto fraud that most security frameworks have yet to address. Lazarus has stolen an estimated $3.4 billion in cryptocurrency, using phishing campaigns as the initial access vector to compromise developer workstations and seed malicious code into software supply chains, often beginning with fake recruiter profiles on LinkedIn.
The ByBit cyberattack demonstrates that even cold wallets and multi-signature protections collapse when the humans approving the transaction are deceived about what they are signing. For any organization touching digital assets, the cyberattack path now runs through the employee's inbox before it reaches the blockchain.
Law Enforcement Disruption: Proof That Coordinated Takedowns Work
The scale of phishing infrastructure is immense, but coordinated law enforcement action is producing measurable results. In March 2026, Microsoft's Digital Crime Unit, in partnership with Europol and industry collaborators, disrupted the Tycoon 2FA phishing-as-a-service platform.
By mid-2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, representing more than 30 million malicious emails in a single month and over 500,000 organizations impacted worldwide.
These numbers prove that when intelligence is shared across jurisdictions and private-sector telemetry feeds into law enforcement action, phishing infrastructure can be degraded at scale. The countermeasure is not purely technical; it requires the same collaborative aggression that the cyberattackers themselves model. Sustained pressure raises the cost and risk of running phishing operations, forcing criminals into closed channels, tighter access controls, and fragmentation that buys defenders measurable time.
The Future Outlook: Where Phishing Threats and Defenses Are Headed Next
The phishing cyber threat landscape through 2031 will be defined by a collision between AI-generated cyberattack velocity and regulatory, architectural, and industry-wide defensive shifts that are already underway.
The path forward demands coordinated action across regulation, architecture, insurance markets, and threat intelligence sharing, and these phishing trends will continue to shape how that coordination unfolds.
How Are GDPR, SEC Rules, and CCPA Changing Breach Notification for Phishing Incidents?
The SEC's cybersecurity disclosure rule, effective as of December 2023, requires public companies to file a Form 8-K within 4 business days after determining that a cybersecurity incident is material. A Cherry Hill Advisory analysis of two years of filings cataloged 47 mandatory Item 1.05 filings and documented the first AI root cause 8-K in May 2026, with Mayer Brown estimating that AI-enabled phishing or vishing was present in approximately 16% of cyber incidents in 2025.
GDPR's Article 33 imposes a 72-hour notification window for personal data breaches regardless of materiality, while CCPA grants consumers a private right of action when breached unencrypted credentials trace back to a phishing-originated incident.
Compliance-mappedtraining programs must now document role-specific phishing simulation frequency, click-through remediation rates, and executive exposure testing, rather than only annual completion percentages. Regulators are no longer asking whether organizations train employees; they are asking whether the organization can prove the training changed behavior before the breach occurred.
How Are Cyber Insurance Underwriters Adjusting Premiums Based on Phishing Defenses?
Cyber insurance underwriting has moved from actuarial modeling to technical verification. In 2026 renewal applications, carriers ask nine specific questions about phishing simulations: continuous program operation, campaign frequency, paired click-through and report rates, seven-day remediation training completion, executive inclusion, multi-channel coverage across SMS and voice, written security awareness policy, board-level reporting cadence, and incident history.
Moving from quarterly to monthly phishing campaigns has resulted in a 5% to 10% premium reduction across multiple carriers. Automated remediation training, where a failed simulation immediately assigns and tracks follow-up education, has shifted from a differentiator to table stakes. Multi-channel coverage increasingly separates above-baseline applicants from those denied or surcharged. A static, email-only, annual phishing program is now treated as effectively no program at all.
How Does Zero-Trust Architecture Reduce the Blast Radius of a Successful Phish?
Zero-trust architecture directly limits what a single compromised credential can reach. Microsegmentation divides the network into isolated zones where a phished finance employee's workstation cannot communicate with the HR database or engineering repositories without explicit, continuously verified authorization.
Least-privilege access ensures that even when cyberattackers capture valid credentials through a crafted login page, those credentials unlock only the narrowest set of resources required for the user's actual role.
Continuous verification, re-authenticating at every access request rather than trusting a single session token, disrupts the cyberattacker's ability to move laterally after initial compromise. When a phishing cyberattack that would have compromised 12 systems in a flat network is contained to one, the mean time to contain drops, the forensic scope shrinks, and the incident stays a security event rather than becoming a material disclosure.
What Browser-Native and Email Authentication Defenses Are Evolving Against AI Threats?
Google Safe Browsing's Enhanced Safe Browsing mode now provides real-time phishing protection with machine learning models delivering 25% more warnings than standard protection. Microsoft Defender SmartScreen in Edge has incorporated behavioral analysis models to detect zero-day phishing sites that have not yet been blocklisted. Apple's Fraudulent Website Warning in Safari uses Google Safe Browsing data to flag credential-harvesting pages.
DMARC enforcement directly prevents domain spoofing, the backbone of most CEO fraud and vendor impersonation phishing. Password managers eliminate the single largest phishing vulnerability: a human manually typing credentials into a convincing but fraudulent page.
When credentials auto-fill only on the legitimate domain, the entire class of credential-harvesting cyberattacks loses effectiveness. These browser-native and protocol-layer defenses do not replace human judgment, but they shrink the cyberattack surface before an employee ever sees a malicious link.
Why Are Attackers Targeting MSPs to Phish Downstream Clients?
Managed service providers represent the most effective phishing target in the modern cyberattack ecosystem. A single compromised MSP technician account with administrative access to dozens or hundreds of downstream clients turns one successful phish into a multi-organization breach cascade.
Cyberattackers now run open-source intelligence (OSINT) campaigns specifically targeting MSP help-desk staff, whose job requires opening attachments and clicking links from clients, exactly the behavioral pattern phishing exploits. MSP-focused training programs must simulate these relationship-based trust scenarios, rather than relying solely on generic credential phishing templates.
What Do Quantum Computing Advances Mean for Phishing Defense?
Quantum computing will not directly generate better phishing emails, but it will break the cryptographic underpinnings that make email authentication, digital signatures, and secure credential transmission trustworthy. RSA and ECC encryption, which protect everything from DMARC-signed emails to TLS-encrypted login pages, become vulnerable to Shor's algorithm at a sufficient qubit scale.
An ISACA survey in 2025 found that 63% of respondents believe quantum computing will increase or shift cybersecurity risks, yet few organizations have begun migrating to post-quantum cryptography. NIST published its first post-quantum cryptographic standards in August 2024, and the transition timeline directly affects phishing defense: if cyberattackers can forge digitally signed emails that pass DMARC validation or decrypt captured credentials from months earlier, the trust model on which email security depends collapses retroactively.
Organizations must begin inventorying cryptographic dependencies now, prioritizing the email authentication stack for post-quantum migration.
How Do ISACs and Threat Intelligence Sharing Improve Phishing Detection?
Information Sharing and Analysis Centers (ISACs) enable industry-specific collective defense. Financial services firms share phishing indicators through FS-ISAC, healthcare organizations through Health-ISAC, and state and local governments through MS-ISAC, often before any single member's security tools detect the campaign.
The Malware Information Sharing Platform (MISP), an open-source threat intelligence platform, allows organizations to share structured indicators of compromise, including phishing URLs, sender infrastructure, and email templates in a standardized, machine-readable format. When one organization tags a phishing campaign targeting accounts payable with a specific lure and sender pattern, every other MISP-connected organization in the same sector gains detection capability within minutes.
The Center for Internet Security's MS-ISAC processed millions of shared indicators in 2025, cutting the average detection time for shared threats by routing intelligence directly to members' SIEMs and email security gateways. Collective defense converts phishing from an asymmetric problem, one cyberattacker against thousands of defenders, into a symmetric one.
How Do Phishing Tactics and Success Rates Differ Across Regions?
Phishing is not a uniform global phenomenon. Latin American organizations faced 2,716 cyberattacks weekly in the first half of 2025, 39% above the global average, with ransomware and banking Trojans dominating the phishing landscape, according to Check Point Research.
APAC phishing campaigns skew heavily toward supply chain compromise, with cyberattackers impersonating regional manufacturing and logistics partners using localized language templates that evade English-trained detection models.
In the Middle East, geopolitical phishing lures tied to energy markets and regional conflicts drive higher executive-targeting success rates. African organizations experienced a slight easing in cyberattack volume in mid-2025 as cyberattackers' attention shifted toward Latin America, but mobile-money phishing via SMS and messaging apps remains pervasive.
Organizations operating across regions need simulation libraries localized not just by language but by lure type, since the fake invoice that works in São Paulo fails in Singapore. Defenders who ignore these regional fault lines leave entire offices exposed to cyber threats their headquarters-based security team has never seen.
Closing the Gap Between Phishing Innovation and Organizational Defense
The phishing trends reshaping the threat landscape in 2026 point toward a widening gap between how fast cyberattackers innovate and how slowly most organizations update their defenses. Phishing is no longer a narrow email problem solvable by spam filters; it is a multi-channel, AI-augmented assault on human decision-making that exploits the one layer of security most organizations underinvest in.
The mathematical necessity of shifting resources toward human risk management has overtaken any rhetorical debate about whether awareness training matters. The phishing trends documented throughout this landscape demand structural changes to how organizations fund, measure, and operationalize their human-layer defenses, rather than incremental tweaks to an annual training calendar.
Why Phishing Defense Is Fundamentally a Human Risk Management Problem
Technology alone cannot close the phishing gap because phishing is specifically engineered to bypass technology. Every email security gateway, AI-based cyber threat detector, and URL sandboxing tool exists to filter malicious content before it reaches an inbox.
Cyberattackers continuously study and adapt to technical controls; when a filter flags their templates, they regenerate new ones within minutes, and as URL scanning improves, they embed malicious QR codes as images that scanners cannot interpret.
Organizations that spend 85% to 90% of their security budgets on perimeter, endpoint, and network controls while allocating single-digit percentages to the human layer are structurally misaligned with the origins of breaches.
The Mismatch Between Threat Velocity and Training Cadence
AI has compressed phishing innovation from months to hours. A single operator using generative AI tools can now produce thousands of personalized spear phishing emails per hour, each tailored to the recipient's role, company, and recent activity. Meanwhile, most organizations still operate on an annual training cycle: a compliance module assigned once per year, completed by 70% of employees, and functionally forgotten within weeks.
This velocity mismatch means that by the time an employee completes the annual training, the cyberattacks they were trained to recognize are already obsolete. Cyberattackers are wielding tools that did not exist when most organizations designed their current awareness programs.
Continuous, automated awareness architectures, where training triggers are based on real-world threat intelligence updates, employee simulation failures, and changing risk profiles, are the only model that keeps pace. Annual training cycles leave organizations permanently behind cyberattackers, who iterate in hours, while continuous programs close the gap in near real time by updating content, simulations, and risk scoring as the cyber threat itself evolves.
Multi-Channel Threats Demand Multi-Channel Awareness
When cyberattackers coordinate across email, voice, SMS, and deepfake video in a single campaign, awareness programs limited to email phishing modules leave employees defenseless against the other three vectors. SMS-based phishing continues to account for an increasing share of cyberattacks as cyberattackers exploit the trust users place in text messages.
A finance employee trained to spot a suspicious email invoice may still comply when the same request arrives minutes later via a phone call from an AI-cloned version of their CFO's voice. Multi-channel phishing simulation across email, voice, SMS, and video must become the default scope of awareness programs, because multi-channel cyberattack coordination has already become the default strategy of cyberattackers.
From Compliance Checkbox to Behavioral Change
The traditional metric for security awareness training success, completion percentage, measures activity rather than outcomes. A 95% training completion rate tells a CISO nothing about whether the organization is actually safer. What matters is whether employees make different decisions under real cyberattack conditions, and answering that question demands a fundamentally different measurement framework.
Modern awareness programs track behavioral signals: phishing-simulation click rates, report rates, and time-to-report trends. These metrics reveal whether the program is changing actual decision pathways rather than checking boxes.
Department-level risk scoring identifies which teams remain vulnerable and which are improving fastest. Real-world behavior data, including open-source intelligence (OSINT) exposure levels that reveal what cyberattackers can discover about each employee, feeds into risk models that produce actionable intelligence, rather than just audit documentation. Training completion is an input metric; risk reduction is the only outcome that matters.
The Board-Level Case for Human-Layer Investment
CISOs have long struggled to translate the value of awareness programs into terms boards understand. Training completion rates and phishing simulation scores are operational metrics that do not answer the questions directors actually ask, including whether the organization is safer than last quarter, which departments pose the greatest human risk, and what return on investment the organization is generating.
Quantifying human risk in business terms changes that conversation entirely. Department-level risk scores enable CISOs to show the board exactly where human vulnerability is concentrated across finance, engineering, and customer support, and how that risk changes over time with structured intervention. Simulation failure trends indicate whether awareness investment is producing a measurable reduction or has plateaued. OSINT exposure data showing which employees have publicly accessible information that cyberattackers can weaponize turns an abstract cyber threat into a visible attack surface.
When the finance department's risk score drops 40% after targeted simulations and role-specific training, the board has a clear answer regarding what the spend achieved. A single prevented breach pays for years of awareness program investment, and the board-level risk data proves it is working before the breach ever arrives.
The math is straightforward, but the math only matters if security leaders can see it. Translating human behavior into a risk score that tracks movement over time is what turns awareness from an expense line item into a measurable control, one that boards can weigh against the cost of doing nothing while cyberattackers accelerate.
Phishing Trends FAQs
What are the biggest phishing trends security leaders need to watch in 2025?
The three biggest phishing trends security leaders must watch in 2025 are the industrialization of AI-generated cyberattacks, the explosion of multi-channel phishing beyond email, and the commoditization of sophisticated cyberattacks through phishing-as-a-service platforms.
PhaaS platform availability increased 50%, enabling low-skill cyberattackers to launch campaigns that once required advanced expertise. The convergence of these phishing trends means organizations face a threat landscape where personalized, multi-channel cyberattacks can be deployed at machine scale against every employee simultaneously.
Can phishing simulation programs measurably reduce an organization's risk of a breach?
Yes, phishing simulation programs can measurably reduce organizational risk when implemented as continuous, multi-channel programs rather than annual compliance exercises. Annual training modules yield only marginal improvement, whereas continuous simulation with immediate feedback drives lasting behavioral change.
Organizations that limit simulations to email alone leave employees exposed to the 40% of cyberattacks now arriving via SMS, voice, and QR codes. Multi-channel phishing simulation programs that mirror the diversity of real-world attacks yield the strongest measurable risk reduction.
See How Multi-Channel Simulations Reduce Phishing Risk Across Your Organization
Staying ahead of evolving phishing trends requires more than awareness; it requires conditioning across every channel cyberattackers actually use. Multi-channel phishing simulations spanning email, voice, SMS, and deepfake video, paired with OSINT-personalized scenarios, continuous risk scoring, and automated microlearning, close the gaps that real cyberattackers exploit in the moments after a message lands. A self-guided tour of the Adaptive Security platform shows how multi-channel simulation and continuous risk scoring work together to reduce organizational exposure.




As experts in cybersecurity insights and AI threat analysis, the Adaptive Security Team is sharing its expertise with organizations.
Contents









