# Phishing in 2026 and beyond

SoCyber is a cybersecurity and compliance company for European SMEs.

> Modern phishing is identity and workflow compromise, not just a bad email. What changed, and the controls that actually stop it.

A practical guide to protecting identities, sessions, financial workflows and employees from AI-assisted, multichannel social engineering. Work through the sections below, score your resilience with the checklist, and book a scoping call when you are ready to close the gaps.

## What you will learn

- Why phishing is now identity and workflow compromise
- The 2026 shifts: AI lures, adversary-in-the-middle, OAuth and QR
- A modern defence built on phishing-resistant authentication
- How to detect, respond and measure what actually matters

## Phishing is no longer just an email problem

Modern phishing is better understood as **identity and workflow compromise**.

The message may arrive through email, SMS, a QR code, collaboration chat, cloud document, OAuth prompt or synthetic phone call. The attacker may be seeking a password, but increasingly the real objective is one of these:

- An authenticated session
- An OAuth authorization
- A new authentication method
- A payment or beneficiary change
- Access to company data
- A privileged support action
- Trust inside an existing business relationship

**Recognizing spelling errors or hovering over links is no longer an adequate defence.**

## The challenges defining 2026

Eight shifts define how phishing works now. Each moves the attack away from the inbox and toward identity, process and automation.

**1. AI-generated personalization at scale**

Generative AI enables attackers to produce convincing, multilingual messages using information gathered from websites, professional networks, breached data and previous conversations.

Grammar and writing quality are no longer reliable signals. Employees must evaluate the requested action, communication context and verification path.

**2. Session hijacking and adversary-in-the-middle attacks**

Modern phishing infrastructure can proxy a legitimate authentication page, capture credentials and intercept session establishment. Once the attacker obtains a valid session token, changing the password alone may not terminate access.

Defence requires:

- Phishing-resistant authentication
- Managed-device requirements
- Conditional access
- Session monitoring
- Rapid token revocation
- Protection of authentication-method changes

**3. OAuth and device-code phishing**

Attackers may ask users to approve an application or enter a legitimate device code rather than provide a password. The victim can authenticate on a real platform while unknowingly granting access to email, files or other resources.

Organizations should restrict user consent, review application permissions and detect unusual authorization grants.

**4. Collaboration-platform phishing**

Compromised accounts can distribute malicious requests through trusted Teams, Slack, cloud-storage and document-sharing environments.

These messages often appear inside existing projects or conversations, reducing the value of external-sender warnings.

**5. QR and mobile-first phishing**

QR codes move users away from protected corporate devices and into mobile browsers where URLs, certificates and redirects are harder to inspect.

They can appear in emails, printed documents, meeting rooms, invoices and physical deliveries.

**6. Synthetic voice and video**

AI-generated voice and video increase the credibility of executive impersonation, supplier fraud and help-desk manipulation.

The primary defence is not detecting every synthetic artefact. It is ensuring that sensitive actions cannot be authorized through voice, video or an inbound message alone.

**7. Business-process manipulation**

Some of the most damaging attacks contain no malicious attachment or credential-harvesting page. Attackers may compromise a real mailbox and request:

- Bank-account changes
- Urgent payments
- Payroll updates
- Confidential documents
- Password resets
- MFA replacement
- Changes to supplier details

_These attacks must be addressed through business controls as well as security technology._

**8. Phishing against AI-enabled workflows**

As organizations connect AI agents to email, documents and business tools, malicious content may attempt to influence both employees and automated systems.

Untrusted messages and documents should never automatically authorize an agent to disclose information, modify records or perform consequential actions.

## Build a modern defence

**1. Move to phishing-resistant authentication**

Prioritize:

- Passkeys
- FIDO2 security keys
- Platform-bound authentication
- Device-bound credentials
- Separate administrator authentication

_NIST's current digital identity guidance requires phishing resistance at higher assurance levels. SMS, one-time codes and approval-based push MFA improve on passwords alone but are not generally phishing-resistant. CISA also recommends FIDO / WebAuthn-based authentication._

**2. Protect identity and SaaS administration**

Implement:

- Conditional access
- Managed-device requirements
- Legacy authentication removal
- Restricted OAuth consent
- Privileged role separation
- Authentication-method change alerts
- Session and token revocation procedures
- Review of dormant applications and accounts

**3. Secure communication channels**

Use:

- SPF, DKIM and enforced DMARC
- Domain and impersonation monitoring
- Email and collaboration-platform protection
- Malicious-link and attachment analysis
- External forwarding restrictions
- Secure document-sharing policies
- Protection for newly registered lookalike domains

_Email controls remain important, but they must cover more than email._

**4. Protect financial and administrative workflows**

Require independent verification for:

- New beneficiaries
- Bank-account changes
- Payroll modifications
- Sensitive-data requests
- Authentication resets
- Privileged access
- Supplier-contact changes

_Verification should use a previously established channel, not contact details supplied in the suspicious request._

**5. Train by role and decision**

Replace generic annual awareness with scenario-based training for:

- Finance and accounts payable
- Executives and assistants
- Human resources
- IT support and help desks
- Developers
- Sales and customer support
- Procurement
- Privileged administrators

_Training should focus on decisions, escalation and verification rather than memorizing visual indicators._

## Score your phishing resilience

Tick the controls already true for your organization. Your resilience score updates live in your browser - it is a directional self-check, not a formal audit. Nothing leaves your device unless you choose to email yourself the results.

**8-point phishing resilience check**

Honest answers only - the gaps are where we start a scoping call.

- [ ] **Phishing-resistant authentication for high-risk roles** - Passkeys or FIDO2 keys for admins, finance and executives, not just push MFA.
- [ ] **OAuth and app consent is restricted and reviewed** - Users cannot freely grant third-party apps access to email and files.
- [ ] **Conditional access and managed-device requirements** - Sign-in is constrained by device health, location and risk.
- [ ] **Out-of-band verification for money and data** - Payments, bank, payroll and supplier changes need a second, established channel.
- [ ] **Session and token revocation is ready** - We can terminate active sessions and tokens quickly, not just reset passwords.
- [ ] **Role-based, scenario phishing training** - Training matched to what people handle, not an annual tick-box.
- [ ] **Monitoring for identity and mailbox changes** - Alerts on new OAuth grants, mailbox rules and new authentication methods.
- [ ] **A phishing incident response plan** - Defined steps for preservation, revocation and notification, tested in advance.

How to read your score:

- Start here (0+ of 8): Tick the controls you already have in place to see where you stand.
- At risk (1+ of 8): Real gaps remain across the basics. A scoping call turns this list into a prioritized plan.
- Developing (4+ of 8): A solid start, but identity, verification and response pieces still need closing.
- Nearly resilient (6+ of 8): You are close. A focused engagement clears the last gaps and assembles the evidence.
- Resilient (8+ of 8): Strong coverage across the board. We can validate it and keep it that way.

## Detect compromise earlier

Monitor for the signals that a convincing message has already turned into access:

- New OAuth grants
- Suspicious mailbox rules
- External forwarding
- Session reuse from unusual devices
- New authentication methods
- Device-code authentication
- Privileged-role changes
- Mass file access
- Unusual collaboration messages
- Payment-detail changes following email activity

> **Report, do not just delete:** A suspicious message is useful intelligence even when nobody clicks it. Reporting should trigger investigation across all recipients.
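As an added illustration of the signal list above (this is example code, not part of the original guide or any SoCyber tooling), the script below runs a few of those rules over constructed identity audit events and escalates a user whose signals cluster in time. The event schema, operation names, addresses and the `example.test` domain are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.test"  # assumption: the organisation's own mail domain

# Constructed sample audit events, not real logs; the field and operation names
# are an assumption standing in for an identity provider's audit-log schema.
EVENTS = [
    {"ts": "2026-03-02T08:01:00", "user": "cfo@example.test", "op": "UserLoggedIn", "detail": {"auth": "device_code"}},
    {"ts": "2026-03-02T08:03:00", "user": "cfo@example.test", "op": "ConsentToApplication", "detail": {"app": "Mail Helper Pro", "scopes": ["Mail.ReadWrite", "Files.Read.All"]}},
    {"ts": "2026-03-02T08:05:00", "user": "cfo@example.test", "op": "NewInboxRule", "detail": {"forward_to": "archive@mailbox.test", "delete": True}},
    {"ts": "2026-03-02T09:40:00", "user": "hr@example.test", "op": "UserRegisteredSecurityInfo", "detail": {"method": "Authenticator app"}},
    {"ts": "2026-03-02T10:00:00", "user": "dev@example.test", "op": "UserLoggedIn", "detail": {"auth": "passkey"}},
]

def classify(event):
    """Map one audit event to a signal from the detection list above, or None."""
    op, d = event["op"], event["detail"]
    if op == "ConsentToApplication":
        return "new OAuth grant"
    if op == "NewInboxRule":
        fwd = d.get("forward_to", "")
        if fwd and fwd.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
            return "mailbox rule forwarding externally"
        if d.get("delete"):
            return "suspicious mailbox rule (auto-delete)"
    if op == "UserRegisteredSecurityInfo":
        return "new authentication method"
    if op == "UserLoggedIn" and d.get("auth") == "device_code":
        return "device-code authentication"
    return None

def find_signals(events, window=timedelta(hours=1)):
    """Group signals per user; two or more inside `window` escalate to high."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        sig = classify(e)
        if sig:
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), sig))
    findings = {}
    for user, hits in per_user.items():
        # Chained signals in a short window look like post-phish account takeover:
        # the point at which sessions and tokens should be revoked, not just passwords.
        clustered = any(hits[j][0] - hits[i][0] <= window
                        for i in range(len(hits)) for j in range(i + 1, len(hits)))
        findings[user] = {"signals": [s for _, s in hits],
                          "severity": "high" if clustered else "review"}
    return findings
```

On the constructed events, the finance account produces three chained signals within five minutes and is marked high, while a single new authentication method is queued for review.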

## Modern phishing incident response

When compromise is suspected, work the sequence - speed on sessions and tokens matters more than certainty:

1. Preserve the message, headers, links and conversation context.
2. Identify all recipients and related messages.
3. Revoke active sessions and tokens.
4. Reset affected credentials.
5. Review registered authentication methods.
6. Remove malicious OAuth grants.
7. Inspect mailbox rules and forwarding.
8. Investigate the endpoint and browser.
9. Review accessed data and actions.
10. Contact finance or banking partners where fraud is possible.
11. Notify affected parties where required.
12. Validate remediation before restoring access.

## Measure what matters, then improve

Avoid using click rate as the main measure of programme success. Track:

- Phishing-resistant authentication coverage
- Reporting rate and reporting speed
- Time to revoke compromised sessions
- Time to remove malicious OAuth access
- Payment-verification adherence
- Help-desk verification failures
- DMARC enforcement coverage
- Repeat exposure by role
- Detection of mailbox and identity changes
- Completion of incident exercises

A 90-day improvement plan turns this into momentum:

- **First 30 days:** Identify high-risk roles, review MFA methods, restrict OAuth consent and verify financial approval procedures.
- **Within 60 days:** Deploy role-based simulations, strengthen identity monitoring and establish token-revocation playbooks.
- **Within 90 days:** Expand phishing-resistant authentication, exercise executive impersonation scenarios and test cross-team incident response.

> **The goal:** Not employees who can spot every deceptive message, but an organization where one convincing message cannot become an authenticated session, unauthorized payment or uncontrolled data breach.

## FAQ

**Are these guides legal or security advice?**

They are practical, evidence-backed explanations written by security practitioners to help you understand modern phishing and act on it. For a formal opinion on your specific situation, pair them with qualified counsel - we are happy to work alongside yours.

**Do you keep my self-assessment answers?**

The check runs entirely in your browser and scores live, so by default nothing is stored, sent or shared. If you use the optional "email my score" form, we send your results to the address you give and keep it to follow up - nothing more. For a documented assessment with evidence, that is what a scoping call is for.

**Is phishing really not just an email problem any more?**

Correct. The lure may arrive by email, SMS, QR code, chat, a cloud document, an OAuth prompt or a synthetic call. The objective is usually an authenticated session, an authorization or a business action - so the defence has to protect identity and workflows, not just the inbox.

**What is the single most effective control?**

Phishing-resistant authentication (passkeys / FIDO2) for high-risk roles removes the most common path - credential and session theft. Pair it with restricted OAuth consent and out-of-band verification for money movement.

---

**Reading is step one. We will handle the rest.** Bring us your resilience score and we will turn the gaps into a fixed-scope plan, with evidence your auditors trust and clarity your board understands.

Book a scoping call: https://so-cyber.com/contact/

Read this guide online: https://so-cyber.com/guides/phishing-threats-2026
