Back to blog

Phishing Trends 2026: AI Attacks, Emerging Vectors, and Defense That Works

Report

Report

Written by

Brightside Team

Published on

In 2022, the average gap between an initial-access broker breaking into a network and handing that access off to a ransomware crew was about eight hours. By 2025, according to Google Cloud's Mandiant M-Trends 2026 report, that handoff window had collapsed to 22 seconds.

That figure says more about what actually changed in phishing this year than any headline statistic about AI-generated email volume. The attacks themselves are not fundamentally new. What changed is the machinery behind them: how fast a stolen credential moves from a phishing kit to a working session, how cheaply a convincing lure can be produced, and how little of the old detection advice (spelling errors, generic greetings, obviously spoofed domains) still applies.

Most 2026 phishing coverage leads with an AI-generation statistic and stops there. That framing undersells the real story. The more consequential shift is where the attack surface moved: away from the email inbox, which is now heavily filtered and increasingly a minor initial-access vector, and toward identity systems, help desks, and voice channels, where a single convincing conversation can unlock an entire SaaS ecosystem. This piece works through what the 2026 primary threat reports actually show, uses the campaigns and court cases that make the shift concrete, and ends on what holds up as a defense once the inbox stops being the front line.

What AI Actually Changed About Phishing Content

The clearest, most rigorously sourced evidence on AI-generated phishing effectiveness comes from a human-subjects study by researchers including Fred Heiding, published via arXiv. In a controlled experiment comparing fully AI-automated spear phishing against human-crafted campaigns, AI-generated emails achieved a 54% click-through rate, statistically on par with phishing written by human experts (also 54%), and well above a 12% baseline for generic phishing. The AI-generated version cost roughly $0.04 per email to produce, using automated open-source intelligence gathering to personalize each message. It is the most important data point in this space, not because it is the highest figure circulating but because it comes from a controlled study rather than a vendor's marketing deck, and it directly demonstrates what AI removed: the skill and time barrier to writing a convincing, personalized lure.

This matters because AI-generated text eliminated the read that used to work for a lot of people. A phishing email used to be identifiable by clumsy phrasing, a generic "Dear Customer," or a mismatched sender domain. Large language models produce fluent, contextually appropriate text by default, and academic work on the topic (including a systematization paper on the generation-detection gap in LLM-produced phishing) shows that the line between a persuasive legitimate email and a malicious one is now a matter of intent, not content quality. There is no longer a reliable stylistic tell.

The personalization layer compounds this. Attackers pull from publicly available information, LinkedIn profiles, company websites, prior breach data, to generate messages that reference a real project, a real manager's name, or a real vendor relationship. A related academic study demonstrated that as few as ten public social media posts per target were enough to generate a contextualized, personalized lure, and in a blind user study the AI-generated phishing was rated less suspicious on average than real-world phishing samples, and in some cases less suspicious than benign control emails.

It is worth being precise about which statistics in this space deserve weight. A number of widely circulated figures, including claims that 82.6% of phishing emails now contain AI-generated elements, or that phishing volume increased by more than 1,000% since the release of mainstream generative AI tools, trace back to vendor statistics roundups and aggregator blog posts rather than a named, methodologically transparent primary source. These numbers get repeated across dozens of articles until they read as settled fact, but the underlying methodology is often unclear or unverifiable. Treat them as industry-reported directional signals, not measured ground truth. The Heiding study's 54%-versus-12% finding, by contrast, is safe to cite directly.

The Perimeter Moved From the Inbox to Identity

If there is one structural fact that should reorganize how a security team thinks about phishing in 2026, it is that the inbox is no longer where most initial access happens.

Mandiant's M-Trends 2026 report, drawn from more than 500,000 hours of frontline incident investigations in 2025, found that email phishing accounted for just 6% of initial infection vectors, a sharp drop. Voice phishing, meanwhile, rose to 11% and became the second most common initial-access vector overall, trailing only vulnerability exploitation at 32%. Palo Alto Networks' Unit 42, drawing on more than 750 incident-response engagements in its 2026 Global Incident Response Report, found identity weaknesses material in roughly 90% of investigations, with 65% of initial access identity-driven, and 87% of intrusions spanning two or more attack surfaces rather than a single point of failure.

Put together, these numbers describe a genuine shift in what "phishing defense" needs to mean. For years, the operating assumption was that phishing is primarily an email-filtering problem: block the malicious link, flag the spoofed domain, quarantine the suspicious attachment. That assumption is increasingly obsolete. The more common attack now looks like a phone call to a help desk, a request to reset a password or approve an MFA push, and a pivot through single sign-on into whatever SaaS platform that identity can reach. There is no malware, no exploit, and no email filter to trip.

This is also why ransomware and extortion increasingly decouple from encryption entirely. Unit 42's 2026 report found that encryption was present in only 78% of 2025 extortion cases, down from more than 90% in prior years. Data-theft-only extortion, where attackers steal the data, threaten to leak it, and skip the ransomware payload altogether, is now a standard operating model rather than an edge case. That shift only makes sense once you understand that identity compromise, not malware deployment, is the mechanism doing the work.

Vishing Went Industrial: ShinyHunters and Scattered Spider

Two campaigns from 2025 and 2026 illustrate this shift concretely, and both are worth understanding in detail because they show how repeatable and low-tech the mechanism actually is.

The group tracked as ShinyHunters (overlapping with clusters identified as UNC6040 and UNC6240) industrialized a two-part playbook. First, an attacker calls an employee, impersonating IT support, and talks them into approving a fraudulent multi-factor authentication prompt or resetting credentials for a single sign-on account, typically Okta. Second, once inside, the group pivots into connected SaaS platforms, most often Salesforce, and either exfiltrates data directly or runs automated scans for misconfigured Salesforce Experience Cloud guest permissions across hundreds of organizations at once. Confirmed or reported victims through 2026 include ADT (more than 10 million records, April 2026), Workday, Charter Communications, Google, Qantas, and Adidas, among others. In several of these cases the entire intrusion required no malware and no software vulnerability. One phone call, or one overlooked permission setting, was the whole breach.

Scattered Spider ran a parallel playbook against UK retail. In the Marks & Spencer, Co-op, and Harrods incidents, attackers used help-desk social engineering, impersonating a legitimate employee convincingly enough to get a password reset or an MFA removal approved, then escalated privileges and ultimately deployed DragonForce ransomware inside M&S's environment. The business impact was severe: an estimated £300 to £500 million hit to M&S, a 46-day suspension of online ordering, and disruption across roughly 1,400 stores. The technical sophistication was minimal; the social engineering was the attack.

A third example, Silent Ransom Group (tracked as UNC3753, also known as Luna Moth), targeted U.S. law firms and other professional-services organizations between January and May 2026 using a callback-phishing pattern known as TOAD (telephone-oriented attack delivery): an invoice-themed email, followed by a phone call from someone posing as IT support, followed by a remote-support session using legitimate tools like AnyDesk or Zoho Assist, followed by rapid document theft and an extortion demand, sometimes within 30 minutes of the data leaving the network.

The common thread across all three is that voice-based social engineering, not email content, is now doing the initial-access work in some of the highest-profile campaigns of the year. That is the practical meaning of "the perimeter moved to identity": defenders who focused entirely on the mail gateway missed where the actual attack was happening.

MFA Bypass, Not MFA Breakage

A related and frequently muddled point deserves a precise explanation, because getting it wrong leads to the wrong defensive investment.

Multi-factor authentication is not being cryptographically defeated in most of these incidents. It is being bypassed through adversary-in-the-middle (AiTM) phishing kits, commodity tools like Tycoon 2FA, EvilProxy, and Evilginx, that sit as a reverse proxy between the victim and the real login page. The victim enters their real credentials and their real MFA code into what looks like a legitimate site; the kit relays that session to the actual service and steals the resulting authenticated session token. The attacker never has to guess a code or break an algorithm. They steal the cookie that proves the user already logged in successfully.

Tycoon 2FA illustrates both how far this scaled and how limited disruption efforts can be. By mid-2025, it reportedly accounted for a majority of the phishing volume Microsoft was blocking. In March 2026, a joint takedown effort involving Microsoft, Europol, Cloudflare, and Intel 471 disrupted its infrastructure, and detected volume dropped noticeably. Within weeks, operators had shifted to new hosting providers and top-level domains and partially recovered. Disruption bought time, but it did not eliminate the underlying technique, because the technique does not depend on any single piece of infrastructure.

This is precisely why standard MFA methods (SMS codes, authenticator app codes, push notifications) do not close the gap: all of them can be relayed through an AiTM proxy, because the phishing page simply forwards whatever the user provides. The only widely deployed method that genuinely resists this is FIDO2/WebAuthn-based authentication, including hardware security keys and passkeys, which cryptographically bind the authentication response to the specific origin (domain) requesting it. A phishing site presenting a fake login page cannot get a valid response out of a FIDO2 key, because the key checks that it is talking to the real domain before it will respond at all.

The catch, and the reason FIDO2 rollouts still get bypassed in practice, is the fallback problem. Most organizations that deploy passkeys or hardware keys leave SMS or email-based account recovery active as a fallback for lost devices or new employees. Attackers target that fallback path instead of the passkey itself, and get the same result: an authenticated session obtained by tricking a human rather than breaking a cryptographic protocol. A phishing-resistant MFA rollout that keeps a phishable fallback path active is not actually phishing-resistant.

Deepfakes Went From Novelty to Courtroom Evidence

For several years, deepfake fraud was discussed mostly through a handful of dramatic but somewhat abstract examples, most notably the January 2024 case in which a finance employee at Arup's Hong Kong office authorized 15 wire transfers totaling $25.6 million after joining a video call where every other participant, including someone who appeared to be the company's CFO, was an AI-generated deepfake. That case established the template for deepfake video fraud, but it also left room to treat the threat as a rare, high-production-value outlier.

The Amsterdam ABN AMRO case, adjudicated in the Netherlands in June 2026, removes that ambiguity. It is a fully court-documented criminal case, not a vendor case study or an anonymized incident report, and the verdict (case reference ECLI:NL:RBAMS:2026:6093) lays out the entire attack chain in detail.

The defendant, convicted and sentenced to 30 months (six suspended), opened 47 fraudulent ABN AMRO bank accounts in other people's names over an eight-month period in 2025. The method worked in five stages. First, he harvested identity documents by posting a fake apartment-rental listing on the Dutch classifieds site Marktplaats and asking prospective "tenants" to submit ID scans and payslips as part of a rental application, a straightforward but effective repurposing of an ordinary rental-scam tactic. Second, he used those harvested ID photos to synthesize deepfake face-swap imagery combining his own face with each victim's identity document. Third, and most technically significant, he used virtual camera software to inject that synthesized video directly into ABN AMRO's mobile onboarding app's data stream, bypassing his device's physical camera entirely, a technique the Dutch prosecutor's office explicitly characterized as a biometric "injection attack" rather than the more common "presentation attack" of holding a photo or mask up to a camera. Fourth, he moved cash through the fraudulent accounts, reportedly aided by network-evasion infrastructure (though the specific "residential proxy" detail circulating in secondary reporting on this case has not been independently verified against the primary court record and should be treated as reported but unconfirmed). Fifth, investigators recovered searches on the defendant's phone in which he had used ChatGPT to research how to bypass bank identity verification, evidence the court cited as demonstrating clear intent.

The case matters for reasons beyond its details. It confirms that biometric injection attacks, feeding synthetic video directly into a system rather than presenting it to a camera, are the more scalable and harder-to-catch deepfake vector, a distinction that current identity-proofing standards (including NIST SP 800-63A-4's presentation attack detection requirements, based on ISO/IEC 30107-3) are only beginning to address comprehensively. It also demonstrates something uncomfortable for anyone hoping deepfake defense can be solved by getting better at "spotting the fake": the fraud surfaced only because a woman's passport photo ended up paired with a male applicant's selfie. What flagged it was an operational mismatch in the paperwork, not a detection algorithm catching a visual glitch.

The Emerging Vector List Is Growing Faster Than Training Content

Beyond vishing and deepfakes, several other vectors expanded sharply enough in 2025 and 2026 to warrant their own line item in any current threat assessment, and most email-only simulation programs do not test for any of them.

QR-code phishing, commonly called quishing, exploits the fact that most email security tools scan text and links but historically struggled to inspect an image containing an embedded malicious URL. Microsoft's Threat Intelligence team, reporting on Q1 2026 email threat trends, recorded a 146% quarter-over-quarter increase in QR-code phishing attempts between January and March 2026.

CAPTCHA-gated phishing is a related evasion technique: attackers place a CAPTCHA challenge in front of the malicious payload or credential-harvesting page, which both looks legitimate to the victim and blocks automated security scanners from ever reaching the malicious content behind it. Microsoft's same Q1 2026 report recorded a 125% increase in CAPTCHA-gated phishing volume in March alone, reaching 11.9 million detected attacks, with one campaign delivering 1.2 million SVG-file-based CAPTCHA messages across 53,000 organizations in 23 countries over three days.

Business email compromise, meanwhile, is evolving its own pacing strategy. Microsoft's data shows the large majority of initial-contact BEC messages contain no financial request at all. The first message is purely about establishing rapport and legitimacy; the ask comes later, once trust is established, which makes early-stage BEC messages nearly indistinguishable from ordinary business correspondence to both human reviewers and automated filters.

The pattern across all of these vectors is consistent: attackers diversify delivery mechanisms specifically to route around whatever the dominant defensive control currently catches. A security awareness program built entirely around simulated email phishing is now testing employees against a shrinking fraction of how they will actually be attacked.

Where the Data Pushes Back on the Hype

It is worth pausing on a genuine tension in how this material gets reported, because getting it wrong in either direction leads to bad decisions.

Mandiant's M-Trends 2026 report is notably explicit on this point: it states directly that 2025 should not be considered "the year breaches were the direct result of AI." Most successful intrusions documented in the report still trace back to conventional causes, unpatched vulnerabilities, weak identity controls, human error, rather than some novel AI-enabled technique that did not exist before. Separately, threat-landscape analysis referencing the 2026 Verizon Data Breach Investigations Report data found that less than 2.5% of observed AI-assisted malicious activity involved genuinely novel techniques rather than AI-accelerated versions of known ones.

This does not mean AI's impact on phishing is overstated in every respect; the volume, personalization, and speed evidence above is solid and well-sourced. It means the "AI invented entirely new categories of attack" framing, common in vendor marketing, is not well supported. The better-supported claim, and the one this article has built its case around, is narrower and more useful operationally: AI compressed the cost, time, and skill floor required to execute known techniques at scale, and it compressed operational timelines within a single intrusion, back to that 22-second handoff window. That is a different, more actionable problem than "attackers now have a genuinely new weapon," and it points toward a different set of defensive priorities: reduce the value of a single stolen identity rather than try to detect every possible AI-generated lure.

A related caution applies to more speculative claims about autonomous, agentic AI attackers. Several academic benchmarks demonstrating AI agents exploiting vulnerabilities or orchestrating multi-step attacks are frequently cited as evidence that fully autonomous AI-driven breaches are imminent. Read the methodology sections of these papers carefully, and a recurring limitation appears: most of these benchmark environments do not model active human defenders, realistic enterprise noise, or the non-deterministic failure conditions of real production systems. They demonstrate a capability trajectory worth watching closely, not a settled description of current reality. Treat this category of claim as emerging, not arrived.

What Actually Holds Up: Identity Controls, Verification, and Continuous Simulation

The defensive implications of all this are fairly concrete, and they sort into three priorities.

The highest-leverage technical control remains phishing-resistant multi-factor authentication built on FIDO2/WebAuthn, deployed without a phishable fallback path left active. CISA's guidance on implementing phishing-resistant MFA is explicit that not all MFA is equivalent: SMS, voice callback, and push-based one-time codes all remain vulnerable to AiTM relay attacks, while hardware security keys and platform passkeys are not, because of their origin-binding cryptographic design. Organizations that have removed phishable fallback methods entirely, rather than merely adding passkeys alongside them, report meaningfully lower rates of phishing-driven account takeover.

The second priority is procedural: out-of-band verification for any high-risk request that arrives through a single channel, particularly wire transfers, credential resets, and MFA changes initiated by phone. The Arup and Amsterdam cases both worked because the target trusted a single real-time channel (a video call, a mobile banking app) without an independent way to confirm the other party's identity. A defined callback protocol, using a known and separately verified phone number rather than the number the caller provides, closes much of this gap without requiring any new technology.

The third priority is training design, and here it is worth being honest about what the research actually supports rather than what vendor marketing claims. Academic literature on security awareness training, including systematic reviews and meta-analyses cited in current human risk management research, consistently finds a real but modest positive effect: training measurably improves knowledge and stated intentions, but behavioral change (actual click rates and reporting rates under realistic conditions) improves by a smaller margin, and the more rigorous the study design, the smaller that behavioral effect tends to look. The conclusion from this literature is not that training does not work. It is that training works best as one layer among several, paired with the identity and verification controls above, rather than relied on as a standalone defense against an AI-accelerated attacker.

What training can still do well, particularly as attack vectors diversify beyond email, is measure the right thing. Click rate on a simulated email is an increasingly narrow signal in a year where voice phishing outranks email phishing as an initial-access vector. More useful measurements include reporting rate (does the employee flag the attempt to security, regardless of whether they clicked), callback-verification compliance (does the employee independently verify an unusual request through a known channel), and performance across multiple channels rather than email alone, since a program that only tests inbox behavior has no visibility into how employees would respond to a vishing call or a QR code on a printed flyer.

Try our vishing simulator

Experience the most advanced voice phishing simulator built for security teams. Create scenarios, test voice cloning, and explore automation features.

Brightside AI: the Most Effective Phishing Simulation Platform

Matching a security awareness program to the vectors covered above means testing employees across the channels attackers are actually using: email, voice, and increasingly deepfake video, not just the inbox.

Brightside AI is a Swiss cybersecurity awareness and simulation platform built specifically around the multi-channel shift described throughout this article. Its most distinctive capability is a live vishing simulator: rather than delivering a scripted voicemail or a template callback, it places an outbound AI phone call to an employee that adapts in real time based on what the person says, using a configurable caller persona, a selectable social-engineering tactic (pretexting, authority impersonation, fear or urgency framing, social proof, and others), and either a preset voice or a cloned voice built from a one-to-two-minute recording, useful for testing resistance to executive-impersonation scenarios specifically. The platform also supports "Hybrid Attacks," combining a live vishing call with a coordinated phishing email in a single simulation, which mirrors how campaigns like ShinyHunters' actually operate. That combination of live adaptive vishing and coordinated hybrid attacks in one workflow is what backs the "most effective" framing here: it is the mechanism, not raw template count, that maps most directly onto the voice- and identity-driven vectors this article has walked through.

Simulation content itself is template-based and human-reviewed rather than generated live by an unconstrained model. The platform personalizes each simulation through AI-powered OSINT spear-phishing, drawing on the target employee's profile (role, department, tenure, and the specific tools they use) to select and fill the most fitting template, so a marketer might receive a lure that appears to come from an ad platform they actually work in. Results track through a Delivered → Opened → Clicked → Entered → Reported pipeline. Brightside does not claim real-time breach detection or communication monitoring, and its interactive training companion, Brighty, is a scripted guide rather than an adaptive AI system.

This makes Brightside a strong fit for organizations that specifically need coordinated, multi-channel simulation realism across email and live voice, run from one platform, rather than the broadest possible content library. As a newer entrant, its email-template catalog is smaller than some longer-established platforms.

Pros

  • Live, adaptive AI vishing calls rather than scripted voicemail or callback templates

  • Hybrid Attacks combine vishing and email in one coordinated simulation

  • Voice cloning support for realistic executive-impersonation scenarios

  • AI-powered OSINT spear-phishing personalizes each simulation to the target's role and tools

  • Multilingual support (English, French, German, Italian)

Cons

  • Smaller email-template library than longer-established competitors

  • No real-time breach detection or communication monitoring (by design, not a gap in a training-focused platform)

  • Newer platform with a shorter market track record than the largest incumbents