February 18, 2026 · Vinay Kumar · Phishing

How Phishing Attacks Work in 2026 — Techniques, Examples & Defense


TLDR: Phishing remains the single most common entry point for cyberattacks — responsible for over 90% of all data breaches according to Cisco's 2024 Cybersecurity Threat Trends report. But calling it "email scams" in 2026 is like calling a Formula 1 car a "vehicle." Technically true, dangerously misleading. AI-generated phishing emails are now grammatically perfect, psychologically calibrated, and personalised at scale. Bulk spray-and-pray attacks have given way to surgical spear phishing campaigns researched over weeks. This post breaks down exactly how modern phishing is constructed, why it still works on smart people, what the red flags look like, and what your team should do the moment someone clicks.


Phishing by the Numbers

Let's start with the scale of the problem, because the numbers are the kind that should make any business leader sit up.

According to the KnowBe4 2025 Cybersecurity Threat Trends Report, phishing accounts for over 90.9% of data breaches. Not 90.9% of phishing-related breaches. 90.9% of all data breaches, across all industries, begin with a phishing email.

The Anti-Phishing Working Group (APWG) reported over 1 million unique phishing attacks detected in 2025 alone — a figure that has roughly doubled every two years for the past decade. The IBM Cost of a Data Breach Report 2025 placed the average cost of a breach initiated by phishing at $4.4 million, the highest it has ever been.

And perhaps the most sobering figure: Verizon's 2025 Data Breach Investigations Report found that the median time for a user to click a phishing link after receiving it is 21 seconds. The median time to submit credentials on a phishing page after clicking is 28 seconds. Less than a minute from delivery to compromise — before your security team has any realistic chance to intervene.

This is not a shrinking problem. It is an accelerating one. And in 2025 and 2026, the arrival of accessible AI tools changed the game in ways that most organisations haven't fully reckoned with yet.


How a Basic Phishing Attack Is Constructed, Step by Step

Most people imagine phishing as a blunt instrument — a mass email sent to millions of addresses hoping someone clicks. And while that still exists, even the "basic" attack in 2026 is more sophisticated than most people realise. Here's how one is built from the ground up.

Step 1: Target selection and reconnaissance. The attacker picks a target organisation — or more likely, purchases a list of email addresses for employees at companies within a particular industry or revenue band. They then spend time on LinkedIn, company websites, press releases, and social media to understand the org chart, identify who reports to whom, what tools the company uses, and what projects are publicly discussed. This information costs nothing and takes very little time.

Step 2: Infrastructure setup. The attacker registers a domain that closely resembles the impersonated organisation or a trusted third party. Think support-microsoft365.com instead of microsoft.com, or invoices-vendorname.net instead of the vendor's real domain. They set up a convincing copy of a legitimate login page on this domain — often a pixel-perfect clone pulled directly from the real website. They configure email sending infrastructure with SPF and DKIM records to improve deliverability and avoid spam filters.

Step 3: Lure construction. The attacker crafts an email designed to create urgency, establish authority, and minimise suspicion. Common lures include: a security alert requiring immediate password change, an invoice or payment request from a known vendor, a shared document notification from Google Drive or Microsoft SharePoint, an HR communication about benefits or payroll, or a meeting invitation from a senior executive.

Step 4: Delivery and evasion. The email is sent — sometimes in bulk to thousands of addresses, sometimes to a single carefully chosen target. Modern phishing kits include features to detect sandbox analysis (the automated systems email providers use to evaluate links before delivering them) and serve harmless content to those systems while serving the malicious page to real users.

Step 5: Credential harvesting or payload delivery. The victim clicks the link, arrives at a convincing login page, enters their credentials — which are captured in real time by the attacker — and is redirected to the real website with a message like "session expired, please try again." The victim assumes they mistyped their password, logs in successfully on the real site, and moves on with their day. The attacker now has valid credentials.

The whole process, from email delivery to credential capture, can happen in under 60 seconds. The victim may not know anything is wrong for days.


Spear Phishing vs. Bulk Phishing — Why Targeted Attacks Win

Bulk phishing — the spray-and-pray approach — still exists because it doesn't need a high success rate to be profitable. If you send a million emails and 0.1% of recipients click and 0.01% submit credentials, you've still captured a hundred sets of credentials that can be sold, used for account takeover, or leveraged to access corporate systems.

But spear phishing is an entirely different category of threat.

Spear phishing targets a specific individual or small group within an organisation. The attacker invests significant time researching their target — studying their LinkedIn profile, their social media posts, their company announcements, their email signature patterns, even their out-of-office messages. The resulting email is crafted to reference real projects, real colleagues, real vendors, and real context that the target would recognise as legitimate.

A spear phishing email doesn't say "Dear Customer." It says:

"Hi Sarah — following up on the Q4 vendor renewal we discussed at the all-hands last Tuesday. I've attached the updated contract for your review. Our finance team needs the signed version by EOD Thursday to process before the quarter closes. Let me know if you can't access the SharePoint link and I'll send another way. — David"

"David" doesn't work at the company. The SharePoint link goes to a credential harvesting page. But if Sarah is real, the all-hands was real, the vendor renewal is real, and "David" is using the name of the actual account manager — which is all information available publicly — then Sarah has no reasonable way to identify this as an attack from the email alone.

Business Email Compromise (BEC) is the high-value variant of spear phishing, where attackers impersonate executives or finance personnel to authorise fraudulent wire transfers. The FBI's 2023 Internet Crime Report reported BEC losses of over $2.9 billion in the United States alone in a single year — making it the costliest cybercrime category by a substantial margin.


AI-Generated Phishing: What Changed in 2025 and 2026

For years, one of the most reliable signals of a phishing email was poor writing — broken grammar, unusual phrasing, awkward sentence structure. This was partly a deliberate filter: attackers used poor writing to pre-qualify their victims, ensuring that only the least discerning recipients would proceed. But it also reflected a genuine language barrier for many threat actor groups operating internationally.

That filter is now gone.

Large language models — the same technology that powers tools like Claude and ChatGPT — can generate phishing emails that are grammatically flawless, tonally appropriate, and contextually convincing in any language at effectively zero marginal cost. A threat actor can now prompt an AI to write a phishing email in the specific style of a CFO's communications, tailored for a particular industry, referencing current events, and personalised to the recipient — in seconds, at scale.

In late 2023, researchers at IBM X-Force demonstrated that AI-generated phishing emails performed comparably to human-written ones in click-through rates — and took a fraction of the time to produce.

What's more concerning is the emergence of voice-based AI phishing. Deepfake audio technology — capable of cloning a person's voice from as little as three seconds of sample audio — is now being used in vishing attacks to impersonate executives in real-time phone calls. In 2024, an employee at a multinational firm was reportedly manipulated into transferring $25 million after a video call with what appeared to be their CFO — who turned out to be an AI-generated deepfake. The case was reported by CNN and marked a significant escalation in the sophistication of AI-assisted social engineering.

The arms race between attackers and defenders has always existed. AI has handed attackers a significant new weapon.


The Psychology Behind Why Smart People Click

Understanding why phishing works is not an exercise in victim-blaming. It's an exercise in understanding how human cognition actually functions — and why it consistently loses to well-designed manipulation.

Urgency overrides scrutiny. When an email conveys that something bad will happen imminently — your account will be locked, the payment will be missed, the document will expire — the brain shifts from reflective thinking to reactive thinking. In that state, people do not carefully examine URLs or question sender domains. They act.

Authority suppresses scepticism. Emails purportedly from the CEO, IT department, HR, or a regulator trigger a compliance instinct that most people don't consciously examine. Questioning authority feels professionally risky. Most employees, when faced with an urgent request from a person of perceived authority, comply first and question later.

Familiarity creates trust shortcuts. When an email mentions a real colleague's name, a real project, or a real tool the company uses — the brain registers familiarity and interprets it as legitimacy. These heuristics exist for good reason — they work almost all the time in normal life. Attackers exploit the exceptions.

Cognitive load is the attacker's best friend. People receive dozens or hundreds of emails daily. Decision fatigue is real. When someone is in flow, working toward a deadline, or handling multiple simultaneous demands, their capacity for careful evaluation of each email is dramatically reduced. Attackers time campaigns for early Monday mornings and late Friday afternoons deliberately.

This is not a failure of intelligence. It's a feature of human cognition that has existed for as long as humans have. No amount of general intelligence protects against a well-constructed phishing email delivered at the right moment. Training and process do.


7 Signs of a Phishing Email Your Team Must Know

These are the signals your team should be able to identify instinctively. They won't catch every phishing email — the most sophisticated ones are designed to evade exactly this checklist — but they catch the overwhelming majority.

1. The sender domain doesn't match the organisation it claims to be from. billing@amazon-support-center.com is not Amazon. noreply@microsoftonline-alerts.net is not Microsoft. The display name can say anything — the domain is what matters. Train your team to hover over sender addresses and examine the domain carefully.

2. The email creates pressure to act immediately. Legitimate organisations rarely require urgent action that bypasses normal process. "Your account will be permanently deleted in 24 hours unless you verify now" is a pressure tactic, not a real policy.

3. The link URL doesn't match the organisation's real domain. Hover before you click. The URL that appears in the email and the URL that appears in the browser's status bar when you hover over it should both lead to the expected, legitimate domain. If they don't match, or if the domain looks unusual, don't click.

4. The email requests credentials, payment details, or sensitive data. Legitimate IT systems do not ask you to submit your password via email. Legitimate finance teams do not initiate payment requests through unsolicited email links. Any email that asks for credentials or payment information should trigger verification through a separate, trusted channel.

5. Unexpected attachments, especially with double extensions. Files named invoice.pdf.exe or report.docx.zip are a common delivery mechanism for malware. Even familiar file types like PDFs and Word documents can contain malicious macros or links. If you weren't expecting an attachment, verify with the sender before opening.

6. Generic greetings from organisations that should know your name. "Dear Customer" or "Dear User" from your bank, your software vendor, or your HR platform is a red flag. These organisations have your name. If they're not using it, question why.

7. Something just feels slightly off. This one sounds vague, but it's important. An unusual tone from a known colleague, a request that's slightly out of character, a subject line that doesn't quite match what's in the body. Phishing emails are constructed to be convincing, not perfect. That residual feeling of something being slightly wrong is worth acting on — always verify before you proceed.
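The first six signs above are mechanical enough to check automatically before a human ever looks at the message. The script below is an added example written for this post, not tooling from Kuboid or the original article; it uses only the Python standard library. The trusted-domain list, the urgency and credential keyword lists and both sample messages are constructed for the example, and the "registrable domain" helper deliberately takes the last two labels rather than consulting a public-suffix list. Sign 7 ("feels off") needs a person and is not modelled.

```python
"""Automated pass over phishing signs 1-6 for a raw RFC 5322 message (Python 3 stdlib only)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: domains the organisation treats as trusted senders/link targets.
TRUSTED_DOMAINS = ("microsoft.com", "microsoftonline.com", "amazon.com", "example.com")
URGENCY_PHRASES = ("immediately", "24 hours", "permanently deleted", "verify now", "by eod")
CREDENTIAL_PHRASES = ("password", "bank account", "card number", "wire transfer", "login details")
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|client)\b")
DOUBLE_EXTENSION = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|js|vbs|zip|iso)$")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a production tool would use the public-suffix list."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def impersonated_brand(domain):
    """The domain embeds a trusted brand's name but is not that brand's domain (signs 1 and 3)."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if t.split(".")[0] in domain), None)


def analyse(raw_message):
    """Return a list of (sign_number, detail) for the red flags found in the message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flags = []

    # Sign 1: the sender domain, not the display name, is what matters.
    if msg["from"] and msg["from"].addresses:
        sender_domain = registrable_domain(msg["from"].addresses[0].domain)
        brand = impersonated_brand(sender_domain)
        if brand:
            flags.append((1, f"sender domain {sender_domain} resembles {brand}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()

    # Sign 2: pressure to act immediately.
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            flags.append((2, f"urgency phrase '{phrase}'"))
            break

    # Sign 3: the visible link text or the link target does not match a trusted domain.
    extractor = _LinkExtractor()
    extractor.feed(text)
    for href, visible in extractor.links:
        href_domain = registrable_domain(urlparse(href).hostname)
        if LOOKS_LIKE_URL.fullmatch(visible):
            shown = visible if "://" in visible else "http://" + visible
            shown_domain = registrable_domain(urlparse(shown).hostname)
            if shown_domain != href_domain:
                flags.append((3, f"link shows {shown_domain} but points to {href_domain}"))
        if impersonated_brand(href_domain):
            flags.append((3, f"link target {href_domain} resembles a trusted brand"))

    # Sign 4: asks for credentials or payment details.
    if any(p in lowered for p in CREDENTIAL_PHRASES):
        flags.append((4, "requests credentials or payment details"))

    # Sign 5: attachments with a double extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if DOUBLE_EXTENSION.search(name):
            flags.append((5, f"double-extension attachment {name}"))

    # Sign 6: generic greeting from someone who should know the recipient's name.
    if GENERIC_GREETING.search(lowered):
        flags.append((6, "generic greeting"))
    return flags


# Constructed sample: a lookalike Microsoft alert with a mismatched link and a bad attachment.
SAMPLE_PHISH = b"""From: "Microsoft 365 Security" <alerts@microsoftonline-alerts.net>
To: sarah@example.com
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear User,</p>
<p>Your account will be permanently deleted in 24 hours unless you verify now.</p>
<p><a href="https://login.microsoftonline-alerts.net/auth">https://login.microsoftonline.com</a></p>
<p>Please confirm your password to keep access.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_CLEAN = b"""From: Dana Lee <dana@example.com>
To: sarah@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Hi Sarah, are you free for lunch on Thursday? Dana
"""

if __name__ == "__main__":
    for sign, detail in analyse(SAMPLE_PHISH):
        print(f"sign {sign}: {detail}")
    print("clean message flags:", analyse(SAMPLE_CLEAN))
```

Running it against the constructed phishing sample raises all six automatable signs; the clean sample raises none. A mail gateway would apply the same checks with a maintained trusted-domain list and a proper public-suffix library, and would treat any hit on sign 3 or sign 5 as grounds to quarantine rather than merely warn.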


What to Do If You Click — Incident Response Basics

One of the most counterproductive outcomes in security is the culture where employees hide that they've clicked a phishing link out of fear of blame or embarrassment. The decision to hide an incident costs an organisation, on average, days of additional exposure. The decision to report it immediately allows the security team to contain the damage before it becomes catastrophic.

If someone on your team clicks a phishing link, here is what should happen within the first hour.

Immediately disconnect the device from the network. If credentials were entered on a phishing page, the attacker is potentially already using them. Disconnecting limits lateral movement.

Report to the security team or IT department without delay. This is not the moment for internal deliberation about whether it was "really" a phishing email. Report it and let the security team make that determination.

Change compromised passwords immediately from a clean, unaffected device. Not from the same device that visited the phishing page.

Revoke and reissue any sessions or tokens associated with the compromised account. Changing a password does not invalidate existing authenticated sessions in many systems. The security team needs to force session termination.

Review access logs for the period after the click. What was accessed? What was sent? What was downloaded? Understanding the blast radius of the compromise determines the scope of the response.

If payment details or banking credentials were involved, contact the relevant financial institutions immediately. Fraudulent transfers can sometimes be reversed if flagged quickly enough.

The goal is speed. Every hour of undetected access is an hour in which an attacker can move laterally, exfiltrate data, or establish persistence mechanisms that outlast the initial credential reset.
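Two of the steps above, reviewing access logs for the period after the click and finding the sessions that a password change did not end, can be scripted as soon as the click time is known. The following is an added example written for this post, not Kuboid tooling; it uses only the Python standard library. The log format, the user, the IP addresses (from the RFC 5737 test ranges) and every event are constructed, and the set of "sensitive" actions is an assumption about what an attacker establishing persistence or exfiltrating data would do.

```python
"""Post-click triage of a constructed sign-in/activity log (Python 3 stdlib only).

Given when the user clicked and when the password was reset, triage() builds a
baseline of IPs the user signed in from before the click, lists post-click
events from unfamiliar IPs or involving sensitive actions (the blast radius),
and finds sessions with activity on both sides of the reset, i.e. the ones the
password change alone did not end and that must be revoked.
"""
import re
from datetime import datetime, timedelta, timezone

LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+) session=(?P<session>\S+)"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Assumption: actions that indicate persistence or exfiltration rather than normal use.
SENSITIVE_ACTIONS = {"mailrule.create", "file.download", "mfa.enroll", "oauth.consent"}

# Constructed log: the user clicks at 09:14:03Z and resets the password at 09:40:00Z.
SAMPLE_LOG = """\
2026-02-17T08:02:11Z user=sarah@example.com ip=203.0.113.8 action=signin session=s-office
2026-02-17T08:05:40Z user=sarah@example.com ip=203.0.113.8 action=mail.read session=s-office
2026-02-18T09:00:02Z user=sarah@example.com ip=203.0.113.8 action=signin session=s-office
2026-02-18T09:14:03Z user=sarah@example.com ip=203.0.113.8 action=link.click session=s-office
2026-02-18T09:15:31Z user=sarah@example.com ip=198.51.100.23 action=signin session=s-attacker
2026-02-18T09:16:10Z user=sarah@example.com ip=198.51.100.23 action=mailrule.create session=s-attacker
2026-02-18T09:18:45Z user=sarah@example.com ip=198.51.100.23 action=file.download session=s-attacker
2026-02-18T09:40:00Z user=sarah@example.com ip=203.0.113.8 action=password.reset session=s-office
2026-02-18T09:52:19Z user=sarah@example.com ip=198.51.100.23 action=mail.read session=s-attacker
"""


def parse_ts(value):
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_log(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = parse_ts(e["ts"])
            events.append(e)
    return events


def triage(log_text, user, clicked_at, reset_at, baseline_window=timedelta(days=30)):
    """Return the post-click blast radius and the sessions that survived the reset."""
    click, reset = parse_ts(clicked_at), parse_ts(reset_at)
    events = [e for e in parse_log(log_text) if e["user"] == user]

    # 1. Baseline: where did this user normally sign in from before the click?
    known_ips = {e["ip"] for e in events if click - baseline_window <= e["ts"] < click}

    # 2. After the click, anything from an unknown IP or any sensitive action is in scope.
    suspicious = [
        e for e in events
        if e["ts"] > click and (e["ip"] not in known_ips or e["action"] in SENSITIVE_ACTIONS)
    ]

    # 3. A session seen both before and after the reset was not ended by it.
    before = {e["session"] for e in events if e["ts"] < reset}
    after = {e["session"] for e in events if e["ts"] > reset}

    return {
        "unfamiliar_ips": sorted({e["ip"] for e in suspicious if e["ip"] not in known_ips}),
        "suspicious": [(e["ts"].strftime(TS_FORMAT), e["ip"], e["action"]) for e in suspicious],
        "actions_taken": sorted({e["action"] for e in suspicious}),
        "revoke_sessions": sorted(before & after),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "sarah@example.com", "2026-02-18T09:14:03Z", "2026-02-18T09:40:00Z")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed log the report shows one unfamiliar IP, a mailbox rule created and a file downloaded within five minutes of the click, and one session (s-attacker) still reading mail twelve minutes after the password reset. That last item is exactly the case the "revoke and reissue sessions" step exists for: the reset changed the credential, but the token the attacker already held kept working until someone terminated the session.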


How Kuboid Secure Layer Can Help

The most reliable way to understand how your team actually responds to phishing — rather than how you hope they would — is to test them in a controlled, consequence-free environment.

At Kuboid Secure Layer, we run realistic phishing simulations tailored to your organisation: using your real domain naming conventions, your actual vendors and tools, and the kinds of lures most likely to succeed against your specific team. The output isn't a number on a dashboard — it's a clear picture of which departments are most vulnerable, which lures are most effective against your organisation, and exactly where security awareness training needs to be focused.

We pair simulations with targeted training that addresses the specific gaps the simulation surfaces — not generic content, but context-specific guidance that your team can actually apply. If you'd like to run a phishing simulation for your team, reach out to us here. The results are often more instructive than any assessment report.


Final Thought

Phishing has persisted as the dominant entry point for cyberattacks for one reason: it works. It worked in 2005. It worked in 2015. It works in 2026, better than ever, with AI as a force multiplier and a global threat landscape that has professionalised and industrialised the practice beyond anything that was imaginable a decade ago.

The answer isn't to make your team paranoid about every email they receive. That's not sustainable, and it would bring your business to a halt. The answer is to give your team the specific knowledge, the practiced habits, and the clear processes that make the real red flags instinctive to spot — and that make reporting a suspected attack feel like the obvious, blame-free thing to do.

Phishing works because it exploits the gap between what people know and how they behave under pressure. Close that gap, and you've addressed the single biggest driver of data breaches in the world today.


Kuboid Secure Layer provides phishing simulations, security awareness training, and comprehensive cybersecurity assessments for growing businesses. Learn more at www.kuboid.in.

Vinay Kumar
Security Researcher @ Kuboid