Most people still picture phishing as a clunky email full of typos, a fake lottery win, or a random “prince” asking for bank details. That image is outdated. Today’s phishing campaigns are cleaner, faster, and far better targeted - and the advice that worked five years ago only covers part of the problem now.
Phishing remains the starting point for over 90% of cyberattacks. Not because attackers lack imagination, but because it works. And in 2026, it works better than ever, largely because the tools to build convincing attacks have become cheap, fast, and widely available.
Understanding how these attacks have evolved and where the real weak points are is more useful than a checklist. Here’s how the threat landscape looks right now.
Why Phishing Has Gotten So Much Harder to Detect
The biggest change isn’t the delivery method. It’s the quality. AI-generated phishing emails now make up more than 80% of detected campaigns, a rise of more than 50% over the previous year. They aren’t just grammatically correct; they’re contextually relevant. They match the tone of the brand being spoofed, reference plausible scenarios, and don’t contain the tell-tale errors people were trained to catch.
What used to take a skilled attacker the better part of a workday to craft now takes around five minutes. That speed changes the math on scale. Highly personalized phishing emails - the kind that reference your name, your company, a recent transaction - can now be sent to thousands of targets simultaneously.
The cost of getting it wrong is significant. IBM’s 2025 data puts the average breach cost from a phishing incident at $4.88 million. That figure covers incident response, legal exposure, regulatory penalties, and downtime. It does not include the longer-term reputational damage, which is harder to quantify but just as real.
Phishing Attack Types That Are Actually Trending Right Now
Email Phishing: Same Channel, Different Playbook
Volume-based email phishing is still the dominant attack method, but the mechanics have shifted. Microsoft tops the list of most-impersonated brands globally, appearing in over half of all phishing campaigns. Google, Telegram, Netflix, and Amazon follow closely - all platforms that trigger habitual, low-scrutiny responses from users.
One development worth paying close attention to: a growing share of phishing now originates from legitimate but compromised accounts. When the sending address belongs to a real vendor, or to a colleague whose account was taken over, the message clears SPF, DKIM, and DMARC checks entirely, because it really did come from that domain. There’s no suspicious domain to flag. The email looks exactly like it should, and the only signals left are the content and the request itself.
QR Code Phishing (“Quishing”)
QR code phishing has grown roughly 400% since 2023, and it’s specifically designed to bypass email security tools. Most scanners extract and analyze text-based links. A QR code is just an image, with the URL encoded in pixels, so unless the gateway decodes images there’s nothing to inspect until a human points a phone at it.
These attacks typically show up as emails or printed materials asking users to scan a code to confirm a delivery, verify an account, or access a document. The destination URL is only revealed on the mobile device, where the browser truncates the address bar and where the phone is often a personal device outside corporate web filtering. Healthcare, manufacturing, and energy sectors have seen the highest volume of quishing attacks, but the tactic is spreading well beyond those industries.
Voice Phishing and AI-Cloned Audio
Vishing - phishing over phone calls - jumped over 440% in the second half of 2024. A significant driver of that increase is AI voice cloning. Attackers can now generate audio that closely mimics a specific person’s voice using a short sample pulled from a public video or recording. Several documented cases involve cloned executive voices used to instruct employees to authorize wire transfers.
SMS phishing (smishing) accounts for roughly 70% of mobile-based attacks: short messages, familiar brand names, and a single link that asks for just one action. The simplicity is the point - there’s not much to scrutinize before the damage is done.
Business Email Compromise
BEC is the most financially damaging phishing variant and among the hardest to catch. The average fraudulent wire request now exceeds $83,000 per incident. These aren’t bulk campaigns - they’re targeted operations where the attacker has researched the organization’s structure, vendor relationships, and payment processes before sending a single message. The message itself often carries no link or attachment at all, just a plausible request to change payment details, which gives content filters little to key on. Finance teams, HR departments, and anyone with payment authority are the preferred targets.
Red Flags That Still Hold Up in 2026
The Sender Address Versus the Display Name
Email clients show a friendly display name by default. Most users never look past it. Checking the actual sending address — specifically the domain after the @ symbol — takes two seconds and catches a lot. Legitimate emails from PayPal come from @paypal.com. Not @paypal-secure.net, not a long hostname like paypal.com.account-verify.net where the brand is only a subdomain label and the attacker’s real domain sits at the end, not a string of random characters. Read the domain from the right: the registered domain is the part just before the top-level domain, and everything to its left can say whatever the attacker wants.
This is also where email authentication standards make a real difference. SPF lets a domain publish which servers may send mail for it, DKIM puts a cryptographic signature on the message that is verified against the sending domain’s published key, and DMARC ties both results to the domain shown in the From header and tells receivers what to do when they fail. Brands that additionally adopt BIMI (Brand Indicators for Message Identification) paired with a Verified Mark Certificate (VMC) get their authenticated logo displayed directly in the inbox - a visible, verified signal that the email is legitimate. Two caveats: BIMI only works once DMARC is at an enforcing policy, and only mail clients that support BIMI show the logo, so a missing logo proves nothing on its own. When a well-known brand email shows none of that, it’s worth a second look before clicking anything.
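The two checks above, the registered domain behind the display name and the DMARC verdict, can be automated on a raw message. The Python below is an added example, not code from this article; the two sample messages, the receiving host mx.example.net, the lookalike domain account-verify.net and the tiny suffix list standing in for the public suffix list are all constructed.

```python
"""Check a raw message's From domain against the brand it claims and read the
Authentication-Results header that the receiving mail server added.

Added example, not code from the original article. The messages, the receiving
host "mx.example.net" and the small suffix list are constructed."""
import email
import re
from email.utils import parseaddr

# Constructed sample messages: headers only need to be plausible, not real.
LEGIT = """\
From: "PayPal" <service@paypal.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Subject: Your receipt

Thanks for your payment.
"""

SPOOF = """\
From: "PayPal Security" <alerts@paypal.com.account-verify.net>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=account-verify.net; dkim=pass header.d=account-verify.net; dmarc=none header.from=paypal.com.account-verify.net
Subject: Urgent: verify your account

Your account will be suspended in 24 hours.
"""

# Assumption: a stand-in for the public suffix list. Real code would use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# method=result, optionally followed (before the next ';') by the domain it was evaluated for.
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(\w+)"
    r"(?:[^;]*?\b(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+))?",
    re.I,
)


def registered_domain(host):
    """Registrable part of a hostname: last two labels, or three under a multi-label suffix."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Map each method to (result, domain it was evaluated for)."""
    return {m.group(1).lower(): (m.group(2).lower(), (m.group(3) or "").lower())
            for m in AUTH_RE.finditer(header or "")}


def triage(raw, brand, brand_domain):
    """Return the From domain, auth verdicts and a list of reasons to distrust the message."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reg = registered_domain(from_domain)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    mentions_brand = brand.lower() in display.lower() or brand.lower() in from_domain
    if mentions_brand and reg != brand_domain:
        findings.append(f"claims {brand} but registered domain is {reg}")
    if brand_domain in from_domain and reg != brand_domain:
        findings.append(f"{brand_domain} appears only as a subdomain label of {reg}")
    dmarc_result, dmarc_domain = auth.get("dmarc", ("none", ""))
    if dmarc_result != "pass":
        findings.append(f"dmarc={dmarc_result}")
    elif dmarc_domain and registered_domain(dmarc_domain) != reg:
        findings.append("dmarc passed for a domain other than the visible From domain")
    return {"from_domain": from_domain, "registered": reg, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOF", SPOOF)):
        print(name, triage(raw, "PayPal", "paypal.com")["findings"])
```

Trust an Authentication-Results header only when your own mail server added it (match the authserv-id, mx.example.net here) and the edge strips any copies that arrive from outside; otherwise an attacker can inject a passing one. A message sent from a genuinely compromised account passes every one of these checks, so this catches spoofs and lookalikes, not takeovers.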
Urgency That Doesn’t Match How Organizations Actually Operate
Phishing messages almost always carry a time pressure. Account suspension, suspicious activity, failed payment, legal action - something that demands immediate action. That urgency is engineered. It’s designed to override careful thinking and push a reflexive response.
Real banks, platforms, and institutions don’t typically work this way. Banks don’t ask for full card numbers or PINs by email. IT departments open tickets. Legal teams send formal correspondence. Any message that combines high urgency with a request for credentials or payment deserves extra skepticism, regardless of how professional it looks.
Links That Don’t Go Where They Claim
On desktop, hover over the link and check where it actually goes in the status bar. If the domain doesn’t match the real site, or it’s hidden behind a shortened URL, don’t trust it. Open the site yourself in a new tab and navigate there directly. On mobile, you get far less of that visibility: a long press on the link will usually show the destination, but nobody does that by reflex, and that’s exactly why attackers lean on it.
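The hover check in code: the Python below is an added example, not from this article. It parses an HTML body and flags anchors whose visible text names one host while the href goes somewhere else, plus anchors hidden behind shorteners. The sample body, the lure hostname and the three-entry shortener list are constructed; a real implementation would use a maintained shortener list.

```python
"""Find anchors in an HTML email body whose visible text points one way and
whose href points another, plus links hidden behind URL shorteners.

Added example, not code from the original article. The sample HTML and the
shortener list are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style body: one lure link, one shortened link, one honest link.
SAMPLE_HTML = """
<p>Your account is on hold. Sign in at
<a href="https://paypal.com.account-verify.net/login">https://www.paypal.com/signin</a></p>
<p>Or <a href="https://bit.ly/example">click here</a> to restore access.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">paypal.com/help</a>.</p>
"""

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumption: a small illustrative set

# Visible text that reads like a URL or bare domain; group 1 is the host a reader would infer.
URLISH = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_in_text(text):
    """Return the host a reader would infer from anchor text, or '' if the text isn't URL-like."""
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else ""


def suspicious_links(html):
    """Return (href, text, reason) for each anchor a hover check would reject."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = (urlparse(href).hostname or "").lower()
        if href_host in SHORTENERS:
            findings.append((href, text, "shortened URL hides the real destination"))
            continue
        shown = host_in_text(text)
        # The link is honest only if it goes to the shown host or a subdomain of it.
        if shown and href_host != shown and not href_host.endswith("." + shown):
            findings.append((href, text, f"text shows {shown} but link goes to {href_host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: '{text}' -> {href}")
```

The subdomain rule is deliberate: www.paypal.com for text that says paypal.com is fine, while paypal.com.account-verify.net is not, because the comparison anchors on the right-hand end of the hostname, the same way a person should read it.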
Unexpected Attachments
HTML files are now the most common attachment type in phishing emails, making up over a third of cases. They open in a browser, can redirect to credential-harvesting pages or assemble one with a script once opened, and often slip past attachment scanners that look for macros or executables. PDFs and Office documents are still close behind.
The principle is straightforward: if an attachment wasn’t expected, verify with the sender through a completely separate channel - a phone call, a separate message thread, anything that doesn’t route through the same email that may already be compromised.
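What an attachment scanner tuned for HTML would look for, as an added Python example that is not code from this article: it builds a message carrying an HTML attachment that decodes a URL at runtime and navigates to it, then walks the MIME parts and reports which redirect and decode patterns each HTML attachment matches. The message, the filename invoice.html, the target https://example.invalid/login, the extension list and the pattern set are all constructed.

```python
"""Flag HTML attachments in a raw message and look inside them for the
redirect and decode-at-runtime patterns credential-harvesting pages rely on.

Added example, not code from the original article. The message is built inline;
the filename, the payload and the pattern list are constructed."""
import base64
import email
import re
from email import policy
from email.message import EmailMessage

HTML_EXTENSIONS = (".html", ".htm", ".xhtml", ".shtml")  # assumption: extensions treated as HTML

# Each pattern is a reason to look closer, not proof on its own.
PATTERNS = {
    "meta-refresh redirect": re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
    "script-driven navigation": re.compile(r"\b(?:window\.)?location(?:\.href|\.replace)?\s*[=(]", re.I),
    "base64 decode at runtime": re.compile(r"\batob\s*\(", re.I),
    "password form field": re.compile(r"type\s*=\s*['\"]?password", re.I),
}


def build_sample():
    """Construct a message whose HTML attachment decodes a URL and navigates to it."""
    target = base64.b64encode(b"https://example.invalid/login").decode()
    html = (
        "<html><body><p>Loading your document...</p><script>"
        f'window.location = atob("{target}");'
        "</script></body></html>"
    )
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "you@example.net"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename="invoice.html")
    return msg.as_string()


def scan_attachments(raw):
    """Return [(filename, [matched pattern names])] for every HTML attachment in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        if not name.lower().endswith(HTML_EXTENSIONS):
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        matched = [label for label, rx in PATTERNS.items() if rx.search(body)]
        hits.append((name, matched))
    return hits


if __name__ == "__main__":
    for name, matched in scan_attachments(build_sample()):
        print(name, "->", ", ".join(matched) or "nothing suspicious")
```

Treat the patterns as a score rather than a verdict, with one exception: an unexpected HTML attachment that draws a password field has no legitimate reason to exist and can be blocked outright.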
What to Do After Clicking a Phishing Link
Acting quickly limits the damage. If a suspicious link was clicked or an attachment opened, here’s the order that makes the most sense:
- Disconnect the device from the network immediately to cut off any malware callback before doing anything else. On a company-managed device, report it to the security team at the same time: their endpoint tooling can isolate the host and preserve the evidence they need to investigate.
- Run a full antivirus or endpoint security scan. Don’t dismiss what it finds.
- Change passwords, starting with email, then every account that shares that password, and do it from a different device that wasn’t involved. Revoke active sessions and app tokens as well, since a stolen session cookie survives a password change. Assume the worst until everything has been rotated.
- Enable multi-factor authentication wherever it isn’t already active. An authenticator app is preferable to SMS, and a hardware security key or passkey is better still: phishing kits that proxy the real login page can relay a one-time code in real time, but they can’t complete a FIDO2 challenge bound to the genuine site. MFA doesn’t undo stolen credentials, but it stops them from being enough on their own.
- Report it. Forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org and report the attempt to the FTC at ReportFraud.ftc.gov; phishing texts can be forwarded to 7726 (SPAM). Financial data exposure should be reported at IdentityTheft.gov. If banking credentials were involved, contact the bank directly using the number on the card - not any contact information in the suspicious message.
The Bigger Picture for Organizations
Individual awareness matters, but phishing at scale is an organizational problem. Employees can be trained to pause before clicking, but a single lapse under a carefully timed, convincing attack is always possible. The infrastructure around email needs to be built for that.
DMARC enforcement, SPF, and DKIM authentication significantly reduce the risk of your own domain being spoofed - provided DMARC is actually at p=quarantine or p=reject, since a p=none record only reports failures and blocks nothing. They don’t stop lookalike domains or compromised accounts, which is why the content-level checks above still matter. Organizations that go a step further and implement BIMI with a VMC give their email communications a verified identity signal in the inbox. This makes it harder for attackers to convincingly impersonate the brand, and easier for recipients to trust the real thing.
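The difference between a reporting-only record and an enforcing one, as an added Python example that is not code from this article: it parses a DMARC record, lists what keeps it from enforcing, and says whether it meets the BIMI prerequisites (p=reject, or p=quarantine with pct=100, with the subdomain policy not weaker; confirm against current BIMI Group guidance before relying on it). The two DMARC records and the SPF record for example.com are constructed, the first being the weak form many domains publish and the second the corrected one.

```python
"""Assess a DMARC record for enforcement and BIMI readiness, and read the
terminal 'all' qualifier of an SPF record.

Added example, not code from the original article. The records below are
constructed for example.com; the BIMI prerequisites are an assumption to be
checked against current guidance."""

# Constructed records: the weak form many domains publish, and the enforcing form.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com")
SPF = "v=spf1 include:_spf.example.com ip4:203.0.113.10 ~all"

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record):
    """Return tags, issues, whether the policy enforces, and whether BIMI could show a logo."""
    t = parse_dmarc(record)
    issues = []
    if t.get("v") != "DMARC1":
        issues.append("record does not start with v=DMARC1")
    p = t.get("p", "").lower()
    sp = t.get("sp", p).lower()  # subdomain policy defaults to p
    pct = int(t["pct"]) if t.get("pct", "").isdigit() else 100
    if p not in ENFORCING:
        issues.append(f"p={p or 'missing'}: failures are only reported, never acted on")
    if sp not in ENFORCING:
        issues.append(f"sp={sp or 'missing'}: subdomains can still be spoofed")
    if pct < 100:
        issues.append(f"pct={pct}: policy applies to a sample of failing mail only")
    if "rua" not in t:
        issues.append("no rua= address, so you get no aggregate reports")
    enforcing = p in ENFORCING
    # Assumption: BIMI requires p=reject, or p=quarantine at pct=100, and an enforcing sp.
    bimi_ready = (p == "reject" or (p == "quarantine" and pct == 100)) and sp in ENFORCING
    return {"tags": t, "issues": issues, "enforcing": enforcing, "bimi_ready": bimi_ready}


def spf_all_qualifier(record):
    """Qualifier on the terminal 'all': '-' fail, '~' softfail, '?' neutral, '+' pass, '' if absent."""
    for term in record.split():
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return ""


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print(label, dmarc_posture(rec))
    print("spf all qualifier:", spf_all_qualifier(SPF))
```

Run it against the TXT records at _dmarc.yourdomain and yourdomain once you have pulled them with your resolver of choice; the usual path is p=none with rua= reporting first, then p=quarantine at a rising pct, then p=reject, and the function tells you at each step what is still missing.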
Phishing is never solved once. The attack methods shift, tools improve, and targeting gets sharper. Staying ahead of it means treating security awareness as an ongoing practice rather than a single training session, and making sure the technical stack actually supports the habits being taught.