Phishing Trends in 2026: What’s Really Changing (and What Isn’t)
See the top phishing trends for 2026—AI deepfakes, mobile/QR, SaaS consent abuse, and trust infrastructure. Practical defenses for SMEs.

If you work in security or compliance, it can feel like every year is declared “the year of phishing”. The bad news: that’s still true in 2026. The good news: the trends are more evolution than sci-fi.
Most of what we’ll see in 2026 builds directly on what’s already hurting organisations today: QR and mobile scams, SaaS consent abuse, business email compromise (BEC), and attackers going after trust itself rather than just passwords. Major threat reports from ENISA and Microsoft still list social engineering and phishing as top-tier risks, with smishing (SMS phishing) and QR-based attacks (“quishing”) growing fast (for example the ENISA Threat Landscape overview, the ENISA Threat Landscape 2023 report, and the Microsoft Digital Defense Report portal).
This playbook walks you through 10 concrete phishing trends for 2026, why they matter specifically for SMEs, and what you can realistically do in the next 90 days—without needing a Hollywood budget.
The short list: what’s really changing in 2026
Here’s the elevator-pitch version for your next board or management meeting:
- Deepfake-assisted BEC goes mainstream: voice and video impersonation move from “wow, cool demo” to “the finance team actually got a call like this last week”. Microsoft’s newer Digital Defense Report editions explicitly call out deepfakes as an enabler for BEC (for example: Microsoft Digital Defense Report 2025 (PDF)).
- Phishing follows your chats and QR codes: WhatsApp, Signal, Teams, and QR login flows become prime targets, not side quests. ENISA’s sector reports and finance threat landscape highlight smishing and QR-based phishing as rising attack vectors: ENISA Threat Landscape – Finance Sector.
- Passwords matter less than tokens and consents: OAuth consent phishing and session-token theft give attackers durable access without ever “logging in”. See Microsoft’s “OAuth consent phishing explained and prevented”: Microsoft Entra blog – OAuth consent phishing explained and prevented.
- Abusing “trust infrastructure” beats spoofing your brand: legit Microsoft/Google domains, web forms, site builders, and helpdesk tools are hijacked to deliver extremely convincing lures.
- Big data apps become one-click treasure chests: data warehouses (Snowflake et al.) and file-shares are high-value, low-friction targets if a single identity or token is compromised. The UNC5537/Snowflake campaign is a prime example, documented here: Google Cloud / Mandiant – UNC5537 targets Snowflake and in the associated threat-hunting guide: Snowflake threat-hunting guide (PDF).
- Regulation finally catches up: frameworks like NIS2 explicitly expect ongoing, auditable security awareness and phishing training—not just a one-off e-learning (see the NIS2 legal text on EUR-Lex: NIS2 Directive legal text and practical training guidance such as NIS2 training and awareness guidance).
And yes: automation wins. Organisations that continuously test, measure, and tune controls simply fare better than those running one “cyber awareness week” per year.
At a glance: 10 phishing trends and quick controls
| # | Trend | Why attackers love it | Quick control to start this month |
|---|---|---|---|
| 1 | Deepfake-assisted BEC | High ROI, low volume, highly personalised | Strong payment approvals + callback rules |
| 2 | Mobile & messaging + QR | Everyone lives in chat; QR = silent login | BYOD refresh, restrict linking on unmanaged devices |
| 3 | SaaS consent & OAuth abuse | Passwordless access with long-lived tokens | App consent governance, tenant allow-lists |
| 4 | “Trust infrastructure” abuse | First-party domains look “obviously safe” | URL-age filters, strict DMARC across all mail paths |
| 5 | Internal-looking phishing | “It came from inside” lowers suspicion | Harden connectors, monitor internal-looking mail |
| 6 | Credential-less phishing | Tokens, not passwords, are the new keys | FIDO2 keys, device-bound tokens, MFA fatigue controls |
| 7 | Industry-timed campaigns | Tax / travel / sports = click spikes | Calendar-driven advisories & simulations |
| 8 | Localised LLM lures | Native tone & jargon bypass “bad English” filter | Teach structural red flags, not language quality |
| 9 | Data-warehouse & file-share pivot | One account → millions of records | SSO + MFA everywhere, behaviour analytics |
| 10 | Regulatory pressure & audits | Boards must show due diligence | Quarterly simulations with clean audit trails |
Below we zoom into each trend with: What’s new in 2026 → What we’re seeing → Act now.
Trend 1: Deepfake-assisted BEC goes mainstream
What’s new in 2026
Business email compromise has been one of the costliest cyber threats for years, and Microsoft’s Digital Defense Reports and other vendor analyses still show BEC as a top attack by impact (e.g. the 2023 report: Microsoft Digital Defense Report 2023 (PDF)).
What’s changing is the quality and accessibility of deepfake tooling:
- Voice-cloning services can produce a credible “CFO on Bluetooth in a taxi” in minutes.
- Off-the-shelf tools can generate short video clips that pass a quick sanity check in a rushed Teams call.
- Regulators and financial-crime units are explicitly warning about fraud schemes using deepfake audio and video in high-value transactions (see section on deepfake-enabled fraud in the Microsoft Digital Defense Report 2025: Microsoft Digital Defense Report 2025 (PDF)).
The result: classic BEC stories, but with a synthetic face and voice attached.
What we’re seeing in the field
Attackers increasingly skip long email threads and move straight to “urgent calls” to push payment changes, new beneficiary accounts, or high-risk transfers—referencing genuine projects and internal jargon they’ve scraped from email, LinkedIn and leaked data.
Act now
- Policy:
- Require out-of-band verification (phone callback to a verified number from your ERP/CRM) for all new or changed bank details and large transfers.
- Control:
- Configure payment holds and dual approvals above thresholds—ideally two approvers from different departments.
- Awareness:
- Train staff that “I saw them on video” is not a control. Do live role-plays where a fake “CFO” calls during a busy moment.
Trend 2: Mobile & messaging phishing + QR codes as auth tokens
What’s new in 2026
Phishing is no longer just an email problem:
- Smishing and messaging-app phishing (WhatsApp, Signal, Telegram, corporate chat) have surged, with URL-based attacks and QR code tricks used to hijack accounts. ENISA’s finance-sector threat landscape notes that phishing, smishing and vishing are among the most common attack types against European financial institutions: ENISA Threat Landscape – Finance Sector.
- Attackers increasingly abuse QR codes as login mechanisms, tricking people into scanning codes that link their accounts to an attacker-controlled device or session. This pattern appears in several recent case writeups about messaging-account takeovers and mobile malware campaigns.
Combined with BYOD and shadow messaging channels, it’s an ideal playground.
What we’re seeing in the field
Real-world cases show government officials and executives losing messaging accounts via malicious QR codes, and threat reports highlight huge growth in URL- and QR-based phishing campaigns versus classic attachments (for example ENISA’s overview of social engineering attack vectors: ENISA Threat Landscape overview).
Act now
- Policy:
- Update BYOD and messaging policies: which apps are OK for work, which are not, and what’s strictly forbidden (e.g., sharing login QR codes or screenshots of authentication prompts).
- Control:
- Enforce number-matching and device-binding for MFA; restrict linking accounts to new devices from unmanaged endpoints where possible.
- Awareness:
- Run simulations that mimic delivery notices, MFA prompts, and chat invites—including QR codes—to train people to pause before scanning.
Trend 3: SaaS consent phishing & OAuth token abuse
What’s new in 2026
Instead of stealing passwords, attackers simply ask your users to click “Accept”.
In OAuth consent phishing, a user is lured to a legit-looking consent screen that asks for permissions to read email, files, or calendars. Once they approve, the attacker gets a long-lived access token—no password, no MFA prompt, and often no obvious sign-in log to triage. Microsoft’s official explainer covers this pattern in detail:
Microsoft Entra blog – OAuth consent phishing explained and prevented
Independent researchers are also tracking how consent phishing is evolving to bypass detection controls, for example:
Push Security – How consent phishing is evolving and
Valence Security – The rising threat of consent phishing
Recent campaigns even piggyback on AI agents and low-code tools; compromised bots can be used to steal OAuth tokens at scale (for example the “CoPhish” technique abusing Microsoft Copilot Studio agents: TechRadar – Copilot Studio agents hijacked to steal OAuth tokens).
What we’re seeing in the field
Cloud security teams report more “mystery data access” incidents where no password change or suspicious login is visible—only a newly consented app with broad scopes to mailboxes and SharePoint.
Act now
- Policy:
- Define which teams can approve new apps and what “high-risk scopes” (e.g. Mail.ReadWrite, Files.Read.All) require formal review.
- Control:
- Use your IdP’s app consent governance: disable user-driven consent where possible, maintain tenant allow-lists, and enable continuous access evaluation or equivalent.
- Awareness:
- Include consent screens and “Sign in with…” flows in training—most users don’t realise those pop-ups can be malicious.
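One way to turn the consent-governance steps above into a repeatable check, as an added example that is not AutoPhish’s code and not any identity provider’s API: the script scores a constructed export of consent grants against a tenant allow-list and a list of scopes that require formal review. The app ids, the allow-list entries and the grant records are assumptions; the Microsoft Graph scope names Mail.ReadWrite and Files.Read.All are the ones the text cites, and which scopes count as “high risk” is a policy choice.

```python
"""Review OAuth consent grants against an app allow-list and a high-risk scope list.

Added example, not AutoPhish code and not an Entra/Google API call. The grant
records are constructed in the shape of a permission-grant export (app id,
name, consent type, scopes, who consented, publisher verification); the field
names and ids are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Scopes that warrant formal review: broad mailbox/file access, plus
# offline_access because it yields a refresh token (durable access).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "offline_access",
}

# Tenant allow-list: app ids that went through the review process (constructed).
APPROVED_APPS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "Corporate CRM connector",
}

@dataclass
class ConsentGrant:
    app_id: str
    display_name: str
    consent_type: str        # "Principal" = one user consented, "AllPrincipals" = admin consent
    scopes: list
    consented_by: str
    publisher_verified: bool

@dataclass
class Finding:
    grant: ConsentGrant
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        risky = any(r.startswith("high-risk scopes") for r in self.reasons)
        unlisted = "app not on tenant allow-list" in self.reasons
        if risky and unlisted:
            return "high"
        if risky or unlisted:
            return "medium"
        return "low"

def review_grant(grant: ConsentGrant) -> Optional[Finding]:
    """Return a Finding if the grant violates policy, else None."""
    reasons = []
    if grant.app_id not in APPROVED_APPS:
        reasons.append("app not on tenant allow-list")
    risky = sorted(set(grant.scopes) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
        if grant.consent_type == "Principal":
            # user-driven consent to broad scopes is exactly the consent-phishing path
            reasons.append("user-driven consent to high-risk scopes")
    if not grant.publisher_verified:
        reasons.append("publisher not verified")
    return Finding(grant, reasons) if reasons else None

def review_grants(grants) -> list:
    """Review all grants, most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in map(review_grant, grants) if f is not None]
    return sorted(findings, key=lambda f: rank[f.severity])

# Constructed sample export: one reviewed app, one consent-phishing pattern,
# one harmless-looking but unreviewed app.
SAMPLE_GRANTS = [
    ConsentGrant("11111111-aaaa-4bbb-8ccc-000000000001", "Corporate CRM connector",
                 "AllPrincipals", ["User.Read", "Contacts.Read"], "admin@example.com", True),
    ConsentGrant("22222222-bbbb-4ccc-8ddd-000000000002", "Invoice Viewer Pro",
                 "Principal", ["Mail.ReadWrite", "Files.Read.All", "offline_access"],
                 "alice@example.com", False),
    ConsentGrant("33333333-cccc-4ddd-8eee-000000000003", "Team Calendar Sync",
                 "Principal", ["Calendars.Read", "User.Read"], "bob@example.com", False),
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        print(f"[{f.severity.upper()}] {f.grant.display_name} ({f.grant.consented_by})")
        for r in f.reasons:
            print("   -", r)
```

Run it weekly against a real grant export and the “high” bucket is the list of apps that obtained mailbox or file access without ever passing review; that is the “mystery data access” case described above, surfaced before the data leaves.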
Trend 4: “Trust infrastructure” abuse (forms, site builders, support tools)
What’s new in 2026
Why bother spoofing your domain if an attacker can send links on:
- *.microsoft.com (Forms, SharePoint, Copilot, etc.)
- *.google.com (Docs, Drive, Sites)
- Well-known site builders and support platforms (ticket systems, RMM tools, CRM emailers)
Major threat reports note that malicious URLs hosted on legitimate services now outnumber classic malicious attachments by a wide margin (see, for example, Microsoft’s Digital Defense Reports and ENISA’s summaries of social engineering trends: Microsoft Digital Defense Report portal; ENISA – Emerging technologies make it easier to phish).
What we’re seeing in the field
We’re seeing more campaigns where the entire flow—from form to file to follow-up email—runs through legit cloud infrastructure, making it much harder for legacy filters that rely on domain reputation alone.
Act now
- Policy:
- Require that any customer-facing forms collecting sensitive data are documented and centrally registered (so you can spot fakes).
- Control:
- Use secure email gateways or cloud-native tools that inspect URL age, hosting context, and file types instead of just sender reputation; enforce DMARC alignment for all legitimate mail paths, including support and ticketing tools. The ENISA “Threat Landscape” overview has a good summary of such vectors: ENISA Threat Landscape overview.
- Awareness:
- Teach users: “Legit domain” ≠ legit request. Ask “Was I expecting this form/file/support email?” as a reflex.
Trend 5: Internal-looking phishing without actual compromise
What’s new in 2026
Many cloud email systems offer features like Direct Send, connectors, and relays so apps and devices can send mail “as internal”. Misconfigured, they enable:
- Emails that appear to be from inside your organisation or trusted partner tenants
- System or ticketing emails that bypass intensive filtering
Attackers increasingly abuse these features, or compromise a single service account, to send “internal” phishing without hacking any human mailbox.
What we’re seeing in the field
Incident responders frequently report “internal” phishing campaigns originating from unexpected IP ranges, misconfigured relays, or compromised shared mailboxes, not from the CEO’s laptop.
Act now
- Policy:
- Inventory all systems allowed to send as your domain, and define owner + business justification. No owner, no sending.
- Control:
- Tighten mail connectors: lock them to specific IP ranges and authentication methods; monitor for spikes in internal-to-internal traffic with unusual patterns.
- Awareness:
- Add a mantra to awareness training: “Internal ≠ safe by default”. Encourage reporting of any odd internal request, not just external ones.
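The two controls above (a sender inventory locked to IP ranges, and DMARC alignment for every legitimate mail path, including the ticketing and support tools from Trend 4) can be checked mechanically at the gateway. The following is an added example, not AutoPhish’s code or any gateway product’s rule syntax; the organisation domain, the inventory, the RFC 5737 documentation IP ranges and the three mail events are constructed.

```python
"""Triage internal-looking mail: sender inventory + DMARC alignment check.

Added example (not AutoPhish code, not a gateway product's API). It encodes two
controls from the text: an inventory of systems allowed to send as the
organisation's domain, each locked to source IP ranges ("no owner, no
sending"), and a check that internal-looking mail is DMARC-aligned. Domains,
IP ranges and the event records are constructed.
"""
import ipaddress
from dataclasses import dataclass

ORG_DOMAIN = "example.com"   # constructed organisation domain

# Every system allowed to send as ORG_DOMAIN has an owner and locked source
# networks (constructed inventory using documentation ranges).
REGISTERED_SENDERS = {
    "ERP invoicing": {"owner": "finance-it", "sources": ["203.0.113.0/28"]},
    "Ticketing SaaS": {"owner": "servicedesk", "sources": ["198.51.100.0/24"]},
}

@dataclass
class MailEvent:
    from_header: str   # RFC5322.From address the user sees
    source_ip: str     # connecting IP seen by the gateway
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned

def org_domain(domain: str) -> str:
    """Toy organisational-domain reduction: last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, relaxed: bool = True) -> bool:
    """DMARC identifier alignment: relaxed compares organisational domains, strict is exact."""
    if not auth_domain:
        return False
    if relaxed:
        return org_domain(auth_domain) == org_domain(from_domain)
    return auth_domain.lower() == from_domain.lower()

def dmarc_pass(ev: MailEvent) -> bool:
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with From."""
    from_domain = ev.from_header.rsplit("@", 1)[1]
    spf_ok = ev.spf_result == "pass" and aligned(ev.spf_domain, from_domain)
    dkim_ok = ev.dkim_result == "pass" and aligned(ev.dkim_domain, from_domain)
    return spf_ok or dkim_ok

def registered_sender(ip: str):
    """Name of the inventoried system whose locked ranges contain ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, entry in REGISTERED_SENDERS.items():
        if any(addr in ipaddress.ip_network(net) for net in entry["sources"]):
            return name
    return None

def triage(ev: MailEvent) -> list:
    """Flags for mail that claims to be internal; external mail is left to the normal pipeline."""
    from_domain = ev.from_header.rsplit("@", 1)[1]
    if org_domain(from_domain) != ORG_DOMAIN:
        return []
    flags = []
    if registered_sender(ev.source_ip) is None:
        flags.append("internal From but source IP not in sender inventory")
    if not dmarc_pass(ev):
        flags.append("DMARC alignment failed for internal-looking mail")
    return flags

# Constructed events: a healthy ERP notice; a ticketing tool sending as us from
# its own envelope domain (registered IP, but not aligned); a spoofed "CEO" mail.
SAMPLE_EVENTS = [
    MailEvent("erp-noreply@example.com", "203.0.113.5", "pass", "example.com", "none", ""),
    MailEvent("helpdesk@example.com", "198.51.100.20", "pass",
              "bounce.ticketing-vendor.example", "none", ""),
    MailEvent("ceo@example.com", "192.0.2.77", "fail", "example.com", "none", ""),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.from_header, "<-", ev.source_ip, triage(ev) or ["ok"])
```

The second event is the case the Trend 4 control is about: the ticketing vendor is a registered sender, but because it authenticates with its own envelope domain the mail is not aligned, so a DMARC reject policy would bounce it. The fix is on your side of the inventory (have the vendor sign with a DKIM key published under your domain, or use an aligned return-path), not a filter exception.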
Trend 6: Credential-less phishing – tokens, sessions & MFA fatigue
What’s new in 2026
If your strategy is “strong passwords + MFA and we’re good”, 2026 says hi.
Current breach analyses show attackers pivoting to session cookies, refresh tokens, and MFA fatigue techniques instead:
- Stealing browser tokens via malware or infostealers
- “Push bombing” users until they accept authentication prompts by accident
- Capturing tokens in real-time via adversary-in-the-middle phishing kits
The Snowflake/UNC5537 campaign is a textbook case of what happens when stolen credentials and lack of MFA meet a powerful data platform:
Google Cloud / Mandiant – UNC5537 targets Snowflake
Snowflake threat-hunting guide (PDF)
A good high-level summary is also available from the Cloud Security Alliance: Cloud Security Alliance – Unpacking the 2024 Snowflake data breach.
What we’re seeing in the field
In big incidents like the Snowflake-related data theft, attackers often used previously stolen credentials and tokens to access high-value data platforms, then exfiltrate and extort at scale.
Act now
- Policy:
- Mandate phishing-resistant MFA (FIDO2 security keys or passkeys) for admins and high-risk roles first.
- Control:
- Enforce device-bound tokens, conditional access (impossible travel, unusual IPs), and automatic token revocation after suspicious events.
- Awareness:
- Train staff that repeated MFA prompts = emergency, not annoyance. Simulate MFA fatigue scenarios in your phishing program.
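The conditional-access and MFA-fatigue controls above reduce to two detections over sign-in logs: a burst of unapproved push prompts for one user, and consecutive approved sign-ins whose distance and timing imply impossible travel. The script below is an added example, not AutoPhish’s code or any IdP’s policy engine; the event fields, IP addresses and city coordinates are constructed.

```python
"""Detect MFA push-bombing and impossible travel in sign-in events.

Added example, not AutoPhish code and not an IdP's conditional-access engine.
The events are constructed (documentation IPs, rough city coordinates) in the
shape of an IdP sign-in export; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    mfa_result: str   # "approved", "denied", "timeout"

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def mfa_fatigue(events, window=timedelta(minutes=10), threshold=3) -> dict:
    """Users who received >= threshold unapproved push prompts inside a sliding window.

    Returns {user: peak number of prompts in any one window}. Denied and
    timed-out prompts both count: the victim did not initiate them.
    """
    peaks, recent = {}, {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.mfa_result not in ("denied", "timeout"):
            continue
        q = recent.setdefault(e.user, [])
        q.append(e.ts)
        while e.ts - q[0] > window:       # drop prompts that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            peaks[e.user] = max(peaks.get(e.user, 0), len(q))
    return peaks

def impossible_travel(events, max_kmh=900.0, min_km=50.0) -> list:
    """(user, implied speed in km/h) for consecutive approved sign-ins that would
    need faster-than-airliner travel; min_km ignores geo-IP jitter inside one city."""
    flagged, last = [], {}
    approved = sorted((e for e in events if e.mfa_result == "approved"), key=lambda e: e.ts)
    for e in approved:
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_kmh:
                flagged.append((e.user, round(speed)))
        last[e.user] = e
    return flagged

VIENNA, MUNICH, SINGAPORE = (48.21, 16.37), (48.14, 11.58), (1.35, 103.82)

def T(hh, mm):
    return datetime(2026, 3, 3, hh, mm)   # constructed timestamps, one day

# Constructed log: alice is push-bombed and finally taps "approve"; bob's account
# signs in from Vienna and Singapore one hour apart; carol commutes normally.
SAMPLE_EVENTS = [
    *[SignIn("alice", T(8, m), "192.0.2.10", *VIENNA, r)
      for m, r in [(0, "denied"), (1, "denied"), (2, "timeout"), (3, "denied"), (5, "denied")]],
    SignIn("alice", T(8, 6), "192.0.2.10", *VIENNA, "approved"),
    SignIn("bob", T(9, 0), "198.51.100.7", *VIENNA, "approved"),
    SignIn("bob", T(10, 0), "203.0.113.40", *SINGAPORE, "approved"),
    SignIn("carol", T(9, 0), "198.51.100.8", *VIENNA, "approved"),
    SignIn("carol", T(14, 0), "198.51.100.9", *MUNICH, "approved"),
]

if __name__ == "__main__":
    print("push-bombing:", mfa_fatigue(SAMPLE_EVENTS))
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
```

Both detections are deliberately cheap so they can run on every sign-in event; the response side is what the text asks for (revoke the session and refresh tokens for the flagged user, then re-enrol with number matching or a FIDO2 key), and alice’s final “approved” after five unapproved prompts is the event that should trigger it.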
Trend 7: Industry-timed campaigns (tax, travel, sports, grants)
What’s new in 2026
Attackers are excellent at calendar OSINT:
- Tax deadlines
- Major sports events
- Grant and subsidy windows
- Common travel seasons
Threat intel reports show phishing campaigns clustering tightly around such events, with lures promising refunds, tickets, or urgent compliance tasks. ENISA and various sector reports list social engineering as a major factor in fraud and finance-related incidents, for example:
ENISA Threat Landscape – Finance Sector and a readable summary here: ComplexDiscovery – Rising cyber threats in Europe’s financial sector.
What we’re seeing in the field
SMEs increasingly report short, intense waves of highly tailored phishing right when everyone’s rushing to submit forms, buy tickets, or claim discounts.
Act now
- Policy:
- Build a “cyber calendar” alongside your business calendar: note high-risk periods for your sector and geography.
- Control:
- Pre-configure email banners or warnings for specific keywords (tax, refund, ticket, grant) around those windows.
- Awareness:
- Run timed phishing simulations and just-in-time tips a week before predictable risk events.
Trend 8: Localised LLM lures (language & tone mimicry)
What’s new in 2026
Large language models (LLMs) have largely killed the old “bad spelling = phishing” heuristic.
- Attackers can generate perfectly localised emails in Austrian German, UK English, Brazilian Portuguese… including idioms and politeness levels.
- Public data (websites, social media, job ads) lets them mimic your organisation’s tone of voice uncomfortably well.
ENISA explicitly notes that emerging technologies like AI and automation help attackers analyse behaviour and launch better-targeted phishing: ENISA – Emerging technologies make it easier to phish.
Awareness campaigns across Europe now highlight AI, deepfakes, and smishing as central topics (for example: ENISA – Promoting security in the digital world during European Cybersecurity Month).
What we’re seeing in the field
More organisations report phishing emails where language quality is indistinguishable from genuine internal communication—right down to signatures and standard phrases. Articles like this TechRadar summary describe how AI-generated phishing emails now look cleaner and more convincing than many legitimate emails:
TechRadar – AI is making phishing emails far more convincing.
Act now
- Policy:
- Ban guidelines like “look for spelling mistakes” from official training material; they are now actively misleading.
- Control:
- Invest in content-aware detection that looks at intent, links, and attachments—not just simple signatures or blocklists.
- Awareness:
- Teach structural cues instead: unexpected urgency, unusual channels, requests to break process, or sign-in pages that don’t match normal flows.
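The keyword banners from Trend 7 and the structural cues from Trend 8 are both decisions a mail pipeline can make without judging language quality, so one worked example serves both “Act now” lists. The script below is an added example (not AutoPhish’s code or a gateway’s rule language): it applies a constructed risk calendar to decide on a banner, then checks Reply-To divergence, link text that names a different host than the link target, sign-in style links to unknown hosts, and urgency combined with a request to bypass process. The calendar, the host list, the phrase lists and the two messages are assumptions.

```python
"""Inbound-mail triage: calendar-driven risk banners plus structural red flags.

Added example, not AutoPhish code and not a mail gateway's rule language. The
risk calendar, known sign-in hosts, phrase lists and both messages are
constructed; a production version would source them from policy, not code.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Constructed "cyber calendar": (name, start, end, keywords that trigger a banner)
RISK_WINDOWS = [
    ("Tax season", date(2026, 3, 1), date(2026, 4, 30), {"tax", "refund", "finanzamt"}),
    ("Grant window", date(2026, 9, 1), date(2026, 10, 15), {"grant", "subsidy", "funding"}),
]
# Hosts where staff legitimately sign in (constructed; login.example.com is hypothetical).
KNOWN_SIGNIN_HOSTS = {"login.example.com", "login.microsoftonline.com"}
URGENCY = ("urgent", "immediately", "within 24 hours", "before friday")
PROCESS_BREAK = ("skip the usual", "bypass", "without approval", "keep this between", "don't involve")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)")   # label looks like a URL/domain

@dataclass
class Message:
    from_addr: str
    reply_to: str
    subject: str
    html_body: str

@dataclass
class Assessment:
    banner: Optional[str] = None
    cues: list = field(default_factory=list)

def active_windows(today: date) -> list:
    return [w for w in RISK_WINDOWS if w[1] <= today <= w[2]]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def assess(msg: Message, today: date) -> Assessment:
    out = Assessment()
    text = re.sub(r"<[^>]+>", " ", msg.subject + " " + msg.html_body).lower()

    # Trend 7: keyword banner only while the matching risk window is open.
    for name, _, _, keywords in active_windows(today):
        hit = sorted(k for k in keywords if k in text)
        if hit:
            out.banner = f"{name}: scams using '{hit[0]}' peak now; verify via a known channel"
            break

    # Trend 8: structural cues, independent of spelling or tone.
    if msg.reply_to and domain_of(msg.reply_to) != domain_of(msg.from_addr):
        out.cues.append("reply-to domain differs from From domain")
    for href, label in LINK_RE.findall(msg.html_body):
        label = re.sub(r"<[^>]+>", "", label).strip().lower()
        host = (urlparse(href).hostname or "").lower()
        if URLISH.match(label):
            shown = urlparse(label if "://" in label else "https://" + label).hostname
            if shown != host:
                out.cues.append(f"link text shows {shown} but points to {host}")
        if any(w in label for w in ("sign in", "log in", "login", "verify")) and host not in KNOWN_SIGNIN_HOSTS:
            out.cues.append(f"sign-in style link to unknown host {host}")
    if any(u in text for u in URGENCY) and any(p in text for p in PROCESS_BREAK):
        out.cues.append("urgency combined with a request to bypass process")
    return out

# Constructed messages: a flawless-language refund lure, and a harmless newsletter.
SAMPLE_MESSAGES = [
    Message("payroll@example.com", "payroll-team@mail-relay-notify.example",
            "Urgent: confirm your tax refund before Friday",
            '<p>Your refund is pending. Please <a href="https://portal.tax-refund-claims.example/login">'
            'https://login.example.com/refund</a> to confirm. I am travelling, so skip the usual '
            'approval step.</p>'),
    Message("news@vendor.example", "", "July product newsletter",
            '<p>New features this month. <a href="https://vendor.example/blog">Read the blog</a></p>'),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        a = assess(m, date(2026, 3, 20))
        print(m.subject, "->", a.banner, a.cues)
```

Note that nothing in the first message is misspelled and the sender address is internal; every cue comes from structure (headers, link targets, the request itself), which is exactly what the text says training and detection should shift to.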
Trend 9: Data-warehouse & file-share pivot (Snowflake, Drive, SharePoint & friends)
What’s new in 2026
Data-centric systems like Snowflake, BigQuery, S3 data lakes, and collaboration platforms hold incredible volumes of customer and operational data.
Recent investigations into the 2024 Snowflake-related data theft show how attackers used stolen credentials and tokens to access multiple customer environments and launch large-scale extortion campaigns, as described by Mandiant and Snowflake:
Google Cloud / Mandiant – UNC5537 targets Snowflake
Snowflake threat-hunting guide (PDF)
A good vendor-neutral narrative is also provided by the Cloud Security Alliance:
Cloud Security Alliance – Unpacking the 2024 Snowflake data breach
and the public overview on Wikipedia gives context to the broader impact:
Wikipedia – Snowflake data breach
For attackers, these platforms are a dream:
- One compromised identity can provide access to millions of records.
- Data can be exfiltrated quietly through normal-looking queries.
What we’re seeing in the field
Even smaller organisations now rely on cloud data warehouses and shared drives for everything from CRM exports to HR reports—often with service accounts and over-privileged roles that nobody reviews.
Act now
- Policy:
- Treat data platforms as “crown jewels” in your risk register; require explicit approvals for who can access what and why.
- Control:
- Enforce SSO + MFA for all access; reduce standing privileges; monitor for anomalous queries, exports, and downloads.
- Awareness:
- Include “data at scale” scenarios in training—staff should know that one compromised analytics account can be worse than 100 inboxes.
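To make “monitor for anomalous queries, exports, and downloads” concrete, the script below is an added example, not AutoPhish’s code and not Snowflake’s own monitoring: it builds a per-user baseline from constructed query-history records and flags recent activity that is far above that user’s normal volume, comes from a client application never seen for that user, or is a bulk export. The field names and the UNLOAD statement label are assumptions about the export format.

```python
"""Flag anomalous data-platform access from query-history records.

Added example, not AutoPhish code and not a warehouse vendor's monitoring. The
records are constructed in the shape of a query-history export (user, day, rows
returned, client application, statement type); the baseline is a simple
per-user median, enough to show the "one account, millions of records" pattern.
"""
from dataclasses import dataclass
from statistics import median

@dataclass
class QueryEvent:
    user: str
    day: str       # YYYY-MM-DD
    rows: int      # rows returned or exported
    client: str    # client application reported at login
    stmt: str      # "SELECT", "UNLOAD" (bulk export to a stage; constructed label)

def baseline(history) -> dict:
    """Per user: (median rows per query, set of clients seen during the baseline period)."""
    rows, clients = {}, {}
    for e in history:
        rows.setdefault(e.user, []).append(e.rows)
        clients.setdefault(e.user, set()).add(e.client)
    return {u: (median(r), clients[u]) for u, r in rows.items()}

def detect(history, recent, volume_factor=10, min_rows=100_000) -> list:
    """Findings (user, day, reasons) for recent queries that are far above the user's
    normal volume, come from a client never seen for that user, or are bulk exports."""
    base = baseline(history)
    findings = []
    for e in recent:
        med, known = base.get(e.user, (0, set()))
        reasons = []
        if e.rows >= max(volume_factor * med, min_rows):
            reasons.append(f"{e.rows:,} rows vs baseline median {int(med):,}")
        if e.client not in known:
            reasons.append(f"client {e.client!r} never seen for this user")
        if e.stmt == "UNLOAD":
            reasons.append("bulk export statement")
        if reasons:
            findings.append((e.user, e.day, reasons))
    return findings

# Constructed baseline: an analyst on a BI tool and a nightly CRM export job.
HISTORY = [QueryEvent("dana", f"2026-02-{d:02d}", r, "Tableau Desktop", "SELECT")
           for d, r in [(2, 800), (3, 1200), (4, 650), (5, 900), (6, 1500)]]
HISTORY += [QueryEvent("svc-crm-export", f"2026-02-{d:02d}", 5000 + d, "Python SDK", "SELECT")
            for d in range(2, 7)]

# Constructed recent activity: one normal query, one unseen client pulling millions of
# rows with the analyst's account, one service account suddenly doing a bulk unload.
RECENT = [
    QueryEvent("dana", "2026-03-02", 950, "Tableau Desktop", "SELECT"),
    QueryEvent("dana", "2026-03-02", 2_400_000, "DBeaver", "SELECT"),
    QueryEvent("svc-crm-export", "2026-03-03", 4_800_000, "Python SDK", "UNLOAD"),
]

if __name__ == "__main__":
    for user, day, reasons in detect(HISTORY, RECENT):
        print(f"{day} {user}: " + "; ".join(reasons))
```

The service-account finding is the one that matters most for the scenario in the text: the credentials are valid, the client is the usual one, and only the volume and statement type give it away, which is why the “Act now” list pairs MFA with behaviour monitoring rather than relying on either alone.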
Trend 10: Regulatory pressure → auditable awareness and phishing programs
What’s new in 2026
Regulations like the NIS2 Directive (EU) explicitly raise the bar for governance, risk management, and staff awareness across many sectors, including mid-sized organisations.
The legal text is available here:
https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
Practical explainers make the expectations clearer:
- https://www.nis-2-directive.com/
- https://advisera.com/articles/nis2-training-awareness/
- https://www.isms.online/nis-2/requirements/cyber-hygiene-and-training/
Key themes:
- Security awareness is not optional for in-scope entities—regulators expect evidence.
- Boards and management bodies are explicitly accountable for cyber risk oversight.
- Documentation matters: policies, training records, and incident handling must stand up to scrutiny.
What we’re seeing in the field
SMEs that once ran an annual slide deck are now scrambling to show structured, recurring phishing simulations, attendance tracking, and documented follow-ups—especially when dealing with regulated customers.
Note: Nothing in this article is legal advice. Always consult your legal/compliance team for interpretations of NIS2 and related laws in your jurisdiction.
Act now
- Policy:
- Define a formal security awareness and phishing policy: frequency, target groups, measurements, and responsibilities.
- Control:
- Implement a platform that provides anonymisation options, opt-outs where needed, and clean reporting aligned with works council and GDPR expectations—for example, the privacy-friendly modes described in AutoPhish’s anonymisation guide at https://autophish.io/anonymization (or your local equivalent URL).
- Awareness:
- Communicate clearly that phishing simulations are about learning, not punishment—a no-blame culture actually improves reporting rates.
What SMEs should prioritise this quarter (90-day plan)
You don’t need to fix everything at once. Here’s a realistic 90-day roadmap.
Weeks 1–4: Get visibility & quick wins
- Run a baseline phishing test across a broad user group to understand click and report rates.
- Map your critical business processes that could be hit by phishing (payments, HR changes, remote access, data exports).
- Enable or tighten MFA for all accounts, prioritising admins and external access.
- Review mail connectors/relays and document which systems send as your domain.
Weeks 5–8: Harden high-risk flows
- Roll out phishing-resistant MFA (FIDO2 / passkeys) to finance, HR, and IT admins.
- Implement basic app consent governance: disable open consent where possible, define an allow-list for business apps.
- Update BYOD and messaging policies, including rules for QR logins and chat-based approvals.
- Configure security banners and filters for tax, grant, and payment-related messages ahead of known busy periods.
Weeks 9–12: Build sustainable, auditable practices
- Move from one-off tests to a recurring simulation program (e.g. monthly small campaigns + one quarterly “big one”).
- Introduce a simple, one-click reporting button in mail and train staff to use it.
- Document your program: policies, schedules, anonymisation settings, and summary metrics—this will help with NIS2 and customer audits.
- Align phishing simulations with other security initiatives (incident response drills, tabletop exercises, vendor assessments).
If you do nothing else in 2026, getting these basics in place will put you ahead of a lot of peers.
How AutoPhish helps (without the buzzword bingo)
Tools don’t magically fix culture—but they can make the right things easier and the wrong things harder.
AutoPhish is built specifically for SMEs that need modern phishing training without turning into full-time SOCs:
- Run automated, calendar-driven phishing campaigns that mirror the trends above (mobile, QR, consent screens, BEC-style lures).
- Use privacy-friendly modes and anonymisation options that make works councils and data protection officers much less nervous (see the public anonymisation guide, for example: AutoPhish anonymisation guide).
- Align with regulations like NIS2 by providing clean audit trails: who was targeted, how campaigns were configured, and which improvements resulted.
- Combine role-based templates (finance, HR, executives, IT) with localised content so users see realistic, language-appropriate lures.
- Integrate simulations with your existing training content, including vendor videos and your own awareness materials.
If you’re currently comparing tools, see our deep dives on:
- Automated phishing testing vs. manual campaigns (example URL: Automated phishing testing vs. manual campaigns)
- Open-source phishing tools vs. managed platforms (example URL: Open-source phishing simulation vs. managed platforms)
- 10 wild phishing stories from 2024–2025 (example URL: 10 wild phishing stories from 2024–2025)
FAQ: Phishing in 2026
Is phishing still mostly about email?
Email remains a major vector, but URL- and chat-based phishing has overtaken classic attachment-based attacks, and smishing plus QR-based scams are growing fast. ENISA’s threat-landscape summaries and sector reports give good data on this trend:
ENISA Threat Landscape overview
ENISA Threat Landscape – Finance Sector
Can phishing really happen over phone or WhatsApp?
Yes. Voice calls, voicemail, SMS, and messaging apps are all used for vishing, smishing, and chat-based phishing. ENISA’s materials for European Cybersecurity Month explicitly focus on social engineering, smishing and deepfakes:
ENISA – Promoting security in the digital world during European Cybersecurity Month
Are phishing emails actually illegal?
In most jurisdictions, phishing involves fraud, identity theft, or computer misuse offences. Even if a phishing attempt fails, sending such messages can violate laws on unauthorised access or data misuse. Consult local legal counsel for specifics, especially if you’re designing internal simulations.
Does AI make phishing unstoppable?
No—but it does make low-effort phishing higher quality. The balance shifts from spotting obvious spelling errors to recognising suspicious context, requests, and flows. Reports like ENISA’s “Emerging technologies make it easier to phish” and TechRadar’s overview of AI-boosted phishing show how both attackers and defenders are adapting:
ENISA – Emerging technologies make it easier to phish
TechRadar – AI is making phishing emails far more convincing
With the right mix of controls, culture, and continuous testing, AI-boosted phishing is very manageable.
How often should we run phishing simulations?
For most SMEs, a good starting point is:
- One small campaign per month (targeted themes, small groups)
- One larger, organisation-wide campaign per quarter
- Extra, event-driven simulations around tax season, big product launches, or other busy periods.
The key is making it predictably recurring and non-punitive, so people engage rather than game the system.
Further reading & sources
Here are some reputable starting points used while writing this article (all with full URLs):
- ENISA Threat Landscape overview: ENISA Threat Landscape overview
- ENISA Threat Landscape 2023 report (PDF): ENISA Threat Landscape 2023 report (PDF)
- ENISA Threat Landscape – Finance Sector 2024 (PDF + HTML):
- HTML summary: ENISA Threat Landscape – Finance Sector
- PDF direct link: Finance TL 2024 (PDF)
- ENISA – Emerging technologies make it easier to phish: ENISA – Emerging technologies make it easier to phish
- Microsoft Digital Defense Report portal: Microsoft Digital Defense Report portal
- Microsoft Digital Defense Report 2023 (PDF): Microsoft Digital Defense Report 2023 (PDF)
- Microsoft Digital Defense Report 2025 (PDF, deepfakes and BEC). Example hosted copy: Microsoft Digital Defense Report 2025 (PDF)
- Microsoft Entra blog – OAuth consent phishing explained and prevented: Microsoft Entra blog – OAuth consent phishing explained and prevented
- Push Security – How consent phishing is evolving: Push Security – How consent phishing is evolving
- Valence Security – The rising threat of consent phishing: Valence Security – The rising threat of consent phishing
- Google Cloud / Mandiant – UNC5537 targets Snowflake customer instances: Google Cloud / Mandiant – UNC5537 targets Snowflake
- Mandiant Snowflake threat-hunting guide (PDF): Snowflake threat-hunting guide (PDF)
- Cloud Security Alliance – Unpacking the 2024 Snowflake data breach: Cloud Security Alliance – Unpacking the 2024 Snowflake data breach
- Wikipedia – Snowflake data breach overview: Wikipedia – Snowflake data breach
- ENISA – Promoting security in the digital world during European Cybersecurity Month: ENISA – Promoting security in the digital world during European Cybersecurity Month
- TechRadar – AI is making phishing emails far more convincing: TechRadar – AI is making phishing emails far more convincing
- EUR-Lex – NIS2 Directive legal text: NIS2 Directive legal text
- High-level NIS2 explainer: High-level NIS2 explainer
- NIS2 training & awareness guidance:
Ready to see where you stand?
You don’t need a crystal ball to prepare for 2026.
Run a baseline phishing test this week, capture what happens, and decide which of the 10 trends above matters most for your organisation. If you’d like help doing that in a privacy-friendly, works-council-compatible way, you can start a trial of AutoPhish any time.