Understanding Phishing Attacks
The 2026 phishing playbook — AI-written emails, deepfake voicemails, QR-code phishing, and Business Email Compromise. How to spot it, what to do.
Old advice no longer works
"Look for typos." "Watch for bad grammar." "Hover over the link." All of that was useful for 2015's phishing emails. In 2026, generative AI writes flawless English in any tone, mimics your CEO's writing voice from public LinkedIn posts, and even adapts to the language of the country you're in. The defense has to shift from spotting the message to verifying the request.
The 2026 phishing taxonomy
Email phishing (still the volume king)
Mass-distributed emails impersonating Microsoft, DocuSign, your bank, FedEx, the IRS, or your HR system. The 2026 versions look pixel-perfect, are sent from compromised real domains, and route to credential-harvesting pages that proxy the entire login, MFA prompt included, to the real service in real time (an "adversary-in-the-middle" or AiTM attack). Your password and MFA code are both captured, and so is the session cookie the real service issues after you pass MFA. That cookie lets the attacker stay signed in without ever facing an MFA prompt for as long as the session remains valid, often days or weeks depending on the tenant's session policy, which is why a password reset alone does not end the compromise.
Spear phishing
Targeted at one person. The attacker knows your name, role, recent project, and recent travel. The email references something specific and asks for something specific. AI scrapes LinkedIn, Twitter, and company press releases to write these in seconds.
Business Email Compromise (BEC)
The single most expensive form of cybercrime against businesses. The attacker impersonates a trusted party — CEO, vendor, lawyer, HR — and asks finance to send money. Sub-types:
- CEO fraud: "Quick wire please, in a meeting" from the boss's lookalike email.
- Vendor invoice swap: A real-looking email from a real vendor saying "our banking changed."
- Payroll diversion: An "employee" asks HR to update direct deposit.
- Real-estate wire fraud: Around a closing, instructions arrive that look correct but redirect funds — losses regularly hit hundreds of thousands.
Smishing (SMS phishing)
Text messages impersonating delivery services ("your USPS package can't be delivered, click here"), banks, toll authorities, or the IRS. The 2026 spike comes from spoofed iMessage and RCS — encrypted and harder for carriers to filter.
Vishing (voice phishing) — including deepfakes
A phone call from "your bank's fraud department" or "the IRS" or "Microsoft support." Sometimes a voicemail from "your CEO" or "your daughter" — voice cloned from 30 seconds of social media audio. The 2026 escalation: real-time voice cloning during a live call, where the attacker's voice is converted to your CFO's in transit.
Quishing (QR-code phishing)
QR codes embedded in emails, printed flyers, parking meters, restaurant tables, even tampered stickers placed over real QR codes. They route to credential-harvesting pages or auto-trigger downloads. Email security tools historically didn't scan inside QR images — that's improving but not universal.
Callback phishing
An email saying "you've been charged $499 for antivirus auto-renewal — call this number to dispute." You call. A polite scammer walks you through "canceling," which involves remote-control software and your bank login.
Red flags in 2026
Skip the typo hunt. Look for these instead:
Pressure signals
- Urgency: "Today only," "before EOD," "or your account closes."
- Authority: Invoking a senior person you can't easily verify with ("the CEO needs this," "IRS notice").
- Secrecy: "Don't tell anyone," "this is confidential until announced."
- Unusual channel: Your boss texting your personal phone about a wire, when your boss has never texted you before. A request arriving on a channel the real person doesn't use is a signal in itself.
Money signals
- Any request to change a payment account, vendor banking, or direct deposit.
- Wire transfers, gift cards, crypto, prepaid cards. Legitimate businesses don't request payment in iTunes cards.
- "Refund" you weren't expecting — especially when they need your bank login to "process" it.
Technical signals
- Login pages that look right but the URL is off by one letter, or uses a different TLD (.co instead of .com).
- Email "from" name says one thing, the actual address is something else (always check on mobile too, since many mobile clients show only the display name and hide the address).
- Unsolicited attachment with a generic name (invoice.html, statement.zip, doc.htm).
- QR code in an email asking you to scan with your phone: the link then opens on the phone, outside the corporate email and web filters that would have caught it on your laptop.
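As an added example (not code from this page or from CyberAware Initiative), the Python script below applies the three technical signals above to a raw email message: a "from" display name that invokes a brand the sending domain doesn't belong to, link or sender domains that are one letter, one homoglyph (rn for m) or one TLD (.co for .com) away from a trusted domain, and attachments with generic names and scriptable or archive extensions. The TRUSTED_DOMAINS allow-list, the small homoglyph table and both sample messages are constructed for this example; a real deployment would use a public-suffix list and the organisation's own domain inventory instead of the two-label shortcut in registrable().

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com", "docusign.com", "example-bank.com"}  # assumed allow-list
GENERIC_NAMES = {"invoice", "statement", "doc", "document", "scan", "file"}
RISKY_EXTS = {".html", ".htm", ".zip", ".iso", ".img", ".js", ".lnk"}
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]  # illustrative subset
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Last two labels (enough for .com/.co here; not a public-suffix lookup)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def fold(label: str) -> str:
    """Collapse look-alike character pairs so 'rnicrosoft' compares as 'microsoft'."""
    for glyph, real in HOMOGLYPHS:
        label = label.replace(glyph, real)
    return label

def lookalike_of(domain: str):
    """Trusted domain this one imitates (same name under another TLD, one letter
    off, or a homoglyph swap); None if the domain is trusted or unrelated."""
    dom = registrable(domain)
    if dom in TRUSTED_DOMAINS:
        return None
    name = dom.rpartition(".")[0]
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.rpartition(".")[0]
        if fold(name) == fold(tname) or edit_distance(name, tname) == 1:
            return trusted
    return None

def triage(raw: str) -> list:
    """Run the three technical signals over one raw RFC 822 message; return flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    # Signal: display name invokes a brand the address domain does not belong to.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    brand = next((t for t in TRUSTED_DOMAINS
                  if t.split(".")[0].replace("-", " ") in display.lower()), None)
    if brand and registrable(from_domain) != brand:
        flags.append(f"from-mismatch: '{display}' but address domain '{from_domain}'")
    if from_domain and (hit := lookalike_of(from_domain)):
        flags.append(f"from-lookalike: '{from_domain}' resembles '{hit}'")
    # Signal: link host one letter, one homoglyph or one TLD away from a trusted domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in LINK_RE.findall(body.get_content() if body else ""):
        host = urlparse(url).hostname or ""
        if hit := lookalike_of(host):
            flags.append(f"link-lookalike: '{host}' resembles '{hit}'")
    # Signal: generic file name with a scriptable or archive extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, dot, ext = name.rpartition(".")
        if stem in GENERIC_NAMES and dot + ext in RISKY_EXTS:
            flags.append(f"generic-attachment: '{name}'")
    return flags


# Constructed sample: Microsoft-themed phish from a homoglyph domain, linking to
# a .co lookalike, carrying a generic HTML attachment.
PHISH = """\
From: Microsoft Account Team <security@rnicrosoft.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Review the activity <a href="https://login.microsoft.co/verify">here</a> before EOD.</p>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="invoice.html"

<script>/* stage two would load here */</script>
--b1--
"""

# Constructed sample: a legitimate notice that should raise no flags.
CLEAN = """\
From: Microsoft Account Team <no-reply@accountprotection.microsoft.com>
Content-Type: text/plain; charset="utf-8"

See https://account.microsoft.com/security for details.
"""
```

Point triage() at the text of an exported .eml file to try it on real mail. The one-letter-off rule will also flag sister domains the organisation legitimately uses (a .co.uk affiliate, a marketing subdomain on a different registrable name), so the allow-list has to be complete before the flags are acted on automatically; until then treat the output as a prompt for the verification protocol below, not a verdict.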
The verification protocol
The single best defense — used by every mature security team — is a simple, mandatory verification step:
- Stop. Don't act inside the inbox. Phishing thrives on the muscle memory of clicking and replying.
- Switch channels. If the request came by email, verify by phone. If by phone, verify by email or in person. Attackers usually only control one channel.
- Use a known-good contact. Call the number on file in your contacts or a printed directory — never the number in the suspicious message.
- Ask a question only the real person could answer. Reference a private detail (last meeting, shared doc, family code word).
- For money: dual approval. Any transfer, banking change, or new vendor onboarding requires a second person to confirm via the verification protocol.
If you clicked or responded
- Don't engage further. Disconnect the call, close the tab.
- Change passwords from a different device — especially email, then anything reusing that password. Sign out of all sessions.
- Revoke active session tokens. In Microsoft 365 / Google Workspace admin, this is "sign out of all sessions" or "revoke refresh tokens." Critical because session theft survives password reset.
- Notify your IT / security team or MSP immediately. Speed matters: a compromise reported at 9am and acted on right away is usually contained; the same compromise that sits unreported until 5pm usually isn't.
- If money moved: contact your bank within 72 hours and request a recall. File at IC3.gov the same day — the FBI's Financial Fraud Kill Chain has a real (though small) success rate when reported within 72 hours.
- Run endpoint scans. If you ran any attachment or remote-control tool, assume the device is compromised and rebuild it.
Reporting phishing
- Forward suspicious email to your IT/security team and to reportphishing@apwg.org (Anti-Phishing Working Group).
- Smishing: Forward the text to 7726 (SPAM) on most US carriers — it's free.
- BEC and wire fraud: File at IC3.gov.
- Consumer scams: reportfraud.ftc.gov.
- Brand impersonation: Most major brands (Microsoft, PayPal, Apple, etc.) have a phishing@ or abuse@ address — forward there.
Last updated April 28, 2026. Phishing tactics shift fast — bookmark the Threat Intel page for current advisories.
Train your team
Get free phishing-awareness training for your Vermont organization through CyberAware Initiative.