Phishing is no longer just an email problem
Modern phishing is better understood as identity and workflow compromise.
The message may arrive through email, SMS, a QR code, collaboration chat, cloud document, OAuth prompt or synthetic phone call. The attacker may be seeking a password, but increasingly the real objective is one of these:
- An authenticated session
- An OAuth authorization
- A new authentication method
- A payment or beneficiary change
- Access to company data
- A privileged support action
- Trust inside an existing business relationship
Recognizing spelling errors or hovering over links is no longer an adequate defence.
The challenges defining 2026
Eight shifts define how phishing works now. Each moves the attack away from the inbox and toward identity, process and automation.
- AI-generated personalization at scale
Generative AI enables attackers to produce convincing, multilingual messages using information gathered from websites, professional networks, breached data and previous conversations.
Grammar and writing quality are no longer reliable signals. Employees must evaluate the requested action, communication context and verification path.
- Session hijacking and adversary-in-the-middle attacks
Modern phishing infrastructure can proxy a legitimate authentication page, capture credentials and intercept session establishment. Once the attacker obtains a valid session token, changing the password alone may not terminate access.
Defence requires:
- Phishing-resistant authentication
- Managed-device requirements
- Conditional access
- Session monitoring
- Rapid token revocation
- Protection of authentication-method changes
- OAuth and device-code phishing
Attackers may ask users to approve an application or enter a legitimate device code rather than provide a password. The victim can authenticate on a real platform while unknowingly granting access to email, files or other resources.
Organizations should restrict user consent, review application permissions and detect unusual authorization grants.
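An added example (not the article's own) of what "restrict user consent" can mean in practice: a policy function that decides whether a consent request may be granted by the user, needs an administrator, or is blocked. Scope names and the app attributes are constructed illustrations rather than a particular identity provider's API.

```python
# Added example, not from the original article: a consent-policy check of the
# kind "restrict user consent" implies. Scope names and app attributes are
# constructed illustrations, not a specific identity provider's API.
LOW_IMPACT = {"openid", "profile", "email", "User.Read"}
DATA_ACCESS = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read"}
PERSISTENT = {"offline_access"}  # yields a refresh token that outlives a password reset

def evaluate_consent(app: dict, scopes: set, consented_by: str = "user") -> dict:
    """Decide whether a consent request may proceed without an administrator.
    Users may self-consent only to low-impact scopes from a verified publisher;
    mail/file access or offline_access goes to admin review; an unverified
    publisher asking for data access is blocked outright. An admin consenting
    is the review, so the request is allowed with the reasons recorded."""
    reasons = []
    if not app.get("publisher_verified", False):
        reasons.append("publisher not verified")
    elevated = set(scopes) - LOW_IMPACT
    if elevated & DATA_ACCESS:
        reasons.append("data access: " + ", ".join(sorted(elevated & DATA_ACCESS)))
    if elevated & PERSISTENT:
        reasons.append("offline_access (long-lived refresh token)")
    unknown = elevated - DATA_ACCESS - PERSISTENT
    if unknown:
        reasons.append("scopes outside the allow-list: " + ", ".join(sorted(unknown)))
    if not reasons or consented_by == "admin":
        return {"decision": "allow", "reasons": reasons}
    if "publisher not verified" in reasons and elevated & DATA_ACCESS:
        return {"decision": "block", "reasons": reasons}
    return {"decision": "admin_review", "reasons": reasons}

# Constructed requests: a plain sign-in app versus a mailbox-reading app from
# an unverified publisher, the usual shape of a consent-phishing lure.
SIGN_IN = evaluate_consent({"name": "Expense Portal", "publisher_verified": True},
                           {"openid", "profile", "email"})
MAIL_SYNC = evaluate_consent({"name": "Mail Sync Helper", "publisher_verified": False},
                             {"Mail.Read", "offline_access"})
```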
- Collaboration-platform phishing
Compromised accounts can distribute malicious requests through trusted Teams, Slack, cloud-storage and document-sharing environments.
These messages often appear inside existing projects or conversations, reducing the value of external-sender warnings.
- QR and mobile-first phishing
QR codes move users away from protected corporate devices and into mobile browsers where URLs, certificates and redirects are harder to inspect.
They can appear in emails, printed documents, meeting rooms, invoices and physical deliveries.
- Synthetic voice and video
AI-generated voice and video increase the credibility of executive impersonation, supplier fraud and help-desk manipulation.
The primary defence is not detecting every synthetic artefact. It is ensuring that sensitive actions cannot be authorized through voice, video or an inbound message alone.
- Business-process manipulation
Some of the most damaging attacks contain no malicious attachment or credential-harvesting page. Attackers may compromise a real mailbox and request:
- Bank-account changes
- Urgent payments
- Payroll updates
- Confidential documents
- Password resets
- MFA replacement
- Changes to supplier details
These attacks must be addressed through business controls as well as security technology.
- Phishing against AI-enabled workflows
As organizations connect AI agents to email, documents and business tools, malicious content may attempt to influence both employees and automated systems.
Untrusted messages and documents should never automatically authorize an agent to disclose information, modify records or perform consequential actions.
Build a modern defence
- Move to phishing-resistant authentication
Prioritize:
- Passkeys
- FIDO2 security keys
- Platform-bound authentication
- Device-bound credentials
- Separate administrator authentication
NIST's current digital identity guidance requires phishing resistance at higher assurance levels. SMS, one-time codes and approval-based push MFA improve on passwords alone but are not generally phishing-resistant. CISA also recommends FIDO / WebAuthn-based authentication.
- Protect identity and SaaS administration
Implement:
- Conditional access
- Managed-device requirements
- Legacy authentication removal
- Restricted OAuth consent
- Privileged role separation
- Authentication-method change alerts
- Session and token revocation procedures
- Review of dormant applications and accounts
- Secure communication channels
Use:
- SPF, DKIM and enforced DMARC
- Domain and impersonation monitoring
- Email and collaboration-platform protection
- Malicious-link and attachment analysis
- External forwarding restrictions
- Secure document-sharing policies
- Protection for newly registered lookalike domains
Email controls remain important, but they must cover more than email.
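A small checker for the "enforced DMARC" item above, added here as an example rather than taken from the article: it parses a DMARC TXT record and reports whether the policy actually stops spoofed mail, assuming the record has already been fetched from DNS (the sample records are constructed). The same status can feed the "DMARC enforcement coverage" metric later in the article.

```python
# Added example, not from the original article: classify a DMARC record as
# enforced or not. Assumes the TXT record has already been fetched from DNS
# (the sample records below are constructed), so it runs offline.
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcement(record: str) -> tuple:
    """Return (status, findings); status is "enforced", "partial" or "none".
    Enforced: p=quarantine/reject with pct=100 (default) and no weaker sp=
    subdomain policy that would leave lookalike subdomains spoofable."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none", ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "none", [f"p={policy}: monitoring only, spoofed mail is still delivered"]
    status, findings = "enforced", []
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        status = "partial"
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy}: subdomains are not protected")
        status = "partial"
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return status, findings

# Constructed sample records, weakest first.
SAMPLES = {
    "monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.test",
    "partial.test": "v=DMARC1; p=reject; pct=25; sp=none",
    "strict.test": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.test; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, *dmarc_enforcement(record))
```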
- Protect financial and administrative workflows
Require independent verification for:
- New beneficiaries
- Bank-account changes
- Payroll modifications
- Sensitive-data requests
- Authentication resets
- Privileged access
- Supplier-contact changes
Verification should use a previously established channel, not contact details supplied in the suspicious request.
- Train by role and decision
Replace generic annual awareness with scenario-based training for:
- Finance and accounts payable
- Executives and assistants
- Human resources
- IT support and help desks
- Developers
- Sales and customer support
- Procurement
- Privileged administrators
Training should focus on decisions, escalation and verification rather than memorizing visual indicators.
Detect compromise earlier
Monitor for the signals that a convincing message has already turned into access:
- New OAuth grants
- Suspicious mailbox rules
- External forwarding
- Session reuse from unusual devices
- New authentication methods
- Device-code authentication
- Privileged-role changes
- Mass file access
- Unusual collaboration messages
- Payment-detail changes following email activity
A suspicious message is useful intelligence even when nobody clicks it. Reporting should trigger investigation across all recipients.
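An added example, not from the article, of the "reporting should trigger investigation across all recipients" step: given a reported message and a stream of identity audit events, it lists each recipient who shows one of the post-compromise signals above within a window after delivery. The event fields and sample data are constructed and do not follow any particular vendor's log schema.

```python
# Added example, not from the original article: when a message is reported,
# check every recipient for post-delivery identity changes showing the message
# has already become access. Event shapes are constructed, not a vendor schema.
from datetime import datetime, timedelta

HIGH_RISK = {"oauth_grant", "inbox_rule", "external_forwarding", "auth_method_added",
             "device_code_signin", "privileged_role_change", "mass_file_access"}

def suspicious_rule(details: dict) -> bool:
    """Inbox rules that hide or divert mail are classic post-compromise persistence."""
    return any(a in ("delete", "move_to_rss", "forward_external") for a in details.get("actions", []))

def triage(report: dict, events: list, window_hours: int = 72) -> dict:
    """Map each recipient to the high-risk events seen within window_hours of delivery.
    Benign inbox rules and events before delivery are ignored. An empty result means
    no recipient shows signs of compromise yet, not that the message was harmless."""
    delivered = datetime.fromisoformat(report["delivered_at"])
    deadline = delivered + timedelta(hours=window_hours)
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["user"] not in report["recipients"] or not delivered <= when <= deadline:
            continue
        if ev["type"] not in HIGH_RISK:
            continue
        if ev["type"] == "inbox_rule" and not suspicious_rule(ev.get("details", {})):
            continue
        hits.setdefault(ev["user"], []).append(ev)
    return hits

# Constructed sample: one reported message delivered to three people.
REPORT = {"message_id": "<constructed-1@example.test>", "delivered_at": "2026-03-02T09:00:00",
          "recipients": ["alice@example.test", "bob@example.test", "cara@example.test"]}
EVENTS = [
    {"user": "alice@example.test", "time": "2026-03-02T09:12:00", "type": "oauth_grant",
     "details": {"app": "Mail Sync Helper", "scopes": ["Mail.Read", "offline_access"]}},
    {"user": "alice@example.test", "time": "2026-03-02T09:15:00", "type": "inbox_rule",
     "details": {"actions": ["delete"], "match": "password"}},      # hides reset mails
    {"user": "bob@example.test", "time": "2026-03-02T09:20:00", "type": "inbox_rule",
     "details": {"actions": ["move_to_folder"], "match": "newsletter"}},  # benign
    {"user": "bob@example.test", "time": "2026-03-01T18:00:00", "type": "auth_method_added"},  # before delivery
    {"user": "dave@example.test", "time": "2026-03-02T10:00:00", "type": "external_forwarding"},  # not a recipient
]

if __name__ == "__main__":
    for user, evs in triage(REPORT, EVENTS).items():
        print(user, [e["type"] for e in evs])
```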
Modern phishing incident response
When compromise is suspected, work the sequence - speed on sessions and tokens matters more than certainty:
- Preserve the message, headers, links and conversation context.
- Identify all recipients and related messages.
- Revoke active sessions and tokens.
- Reset affected credentials.
- Review registered authentication methods.
- Remove malicious OAuth grants.
- Inspect mailbox rules and forwarding.
- Investigate the endpoint and browser.
- Review accessed data and actions.
- Contact finance or banking partners where fraud is possible.
- Notify affected parties where required.
- Validate remediation before restoring access.
Measure what matters, then improve
Avoid using click rate as the main measure of programme success. Track:
- Phishing-resistant authentication coverage
- Reporting rate and reporting speed
- Time to revoke compromised sessions
- Time to remove malicious OAuth access
- Payment-verification adherence
- Help-desk verification failures
- DMARC enforcement coverage
- Repeat exposure by role
- Detection of mailbox and identity changes
- Completion of incident exercises
A 90-day improvement plan turns this into momentum:
- First 30 days: Identify high-risk roles, review MFA methods, restrict OAuth consent and verify financial approval procedures.
- Within 60 days: Deploy role-based simulations, strengthen identity monitoring and establish token-revocation playbooks.
- Within 90 days: Expand phishing-resistant authentication, exercise executive impersonation scenarios and test cross-team incident response.
The goal is not employees who can spot every deceptive message, but an organization where one convincing message cannot become an authenticated session, an unauthorized payment or an uncontrolled data breach.