
The Most Common Phishing Tactics in 2026

Phishing has evolved far beyond Nigerian prince emails. Modern attacks are personalised, technically sophisticated, and increasingly hard to distinguish from legitimate communication.

Emil Gheonea · 5 March 2026 · 8 min read

Phishing in 2026: A Very Different Threat

The era of badly-written "you won a prize" emails is long gone. Modern phishing is targeted, convincing, and often automated at scale using AI. Here is what to know.


1. Spear Phishing

Spear phishing is targeted at a specific individual or organisation. Attackers research their target — LinkedIn, company websites, social media — and craft a message that feels entirely plausible.

A finance employee might receive an email that looks like it is from their CEO, referencing a real project name and asking for an urgent bank transfer.


2. AI-Generated Phishing Emails

LLMs can now produce phishing emails that are grammatically flawless, culturally appropriate, and personalised at scale. Previously, typos and awkward phrasing were useful indicators of phishing — that advantage is gone.


3. QR Code Phishing (Quishing)

PDF attachments and malicious links both trigger email filters. QR codes often do not. Attackers embed QR codes in emails or physical flyers that direct victims to credential-harvesting pages. Because the URL is in an image, it bypasses most text-based link scanners.


4. Business Email Compromise (BEC)

BEC attacks do not need malware at all. The attacker either compromises a real email account or spoofs a domain (see our article on SPF, DKIM, and DMARC) and uses it to request wire transfers, gift cards, or sensitive data.

Estimated global losses from BEC attacks in 2025: over $3.5 billion.


5. Adversary-in-the-Middle (AiTM) Phishing

Standard phishing pages that steal a password are becoming less effective thanks to multi-factor authentication. AiTM kits like EvilProxy and Modlishka act as a reverse proxy — sitting between the user and the real website — intercepting the session cookie after authentication is complete. This bypasses MFA entirely.


6. Vishing and Smishing

  • Vishing — phishing over voice calls. AI voice cloning makes it possible to fake a colleague's or executive's voice convincingly.
  • Smishing — phishing via SMS. Fake parcel delivery notifications are a perennial favourite.

How to Defend Yourself

  1. Verify unexpected requests through a separate, trusted communication channel — not by replying to the same message.
  2. Use hardware security keys (FIDO2/WebAuthn) — they are resistant to AiTM phishing because the key binds to the origin URL.
  3. Hover over links before clicking, and verify the actual domain — not just the display text.
  4. Report suspicious emails to your security or IT team immediately.
  5. Scan attachments before opening them — even PDFs can be malicious.
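Defence 2 above is the whole reason a FIDO2 key survives the AiTM kits described in section 5. The Python below, added here as an example and not taken from the post, is the relying-party side check that enforces the origin binding: the browser writes the origin it actually loaded the login page from into clientDataJSON, and the key signs over that document's hash, so an assertion collected on a proxy host is rejected by the real site. The origin https://accounts.example.com, the lookalike https://accounts-example.com and all function names are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets

ALLOWED_ORIGINS = {"https://accounts.example.com"}  # constructed placeholder relying party

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as a browser builds it for a login on `origin` (sample input only)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       allowed_origins=ALLOWED_ORIGINS):
    """Relying-party check of a WebAuthn assertion's clientDataJSON; returns (ok, reason)."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(data, dict) or data.get("type") != "webauthn.get":
        return False, "not a webauthn.get assertion"
    try:
        challenge = b64url_decode(data.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "challenge is not base64url"
    # Constant-time compare against the challenge issued for this login (replay check).
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge does not match the one issued for this login"
    # A victim on an AiTM proxy gets the proxy's host here, so the real site rejects it.
    if data.get("origin") not in allowed_origins:
        return False, f"origin {data.get('origin')!r} is not this relying party"
    return True, "ok"

def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """What the key signs: authenticatorData || SHA-256(clientDataJSON); a rewritten origin breaks it."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    genuine = make_client_data("https://accounts.example.com", challenge)
    proxied = make_client_data("https://accounts-example.com", challenge)  # constructed lookalike
    print(verify_client_data(genuine, challenge))
    print(verify_client_data(proxied, challenge))
```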

The Single Best Mitigation

No technical control beats a sceptical mindset. Treat any unexpected request for action — especially involving money, credentials, or personal data — as suspicious until verified independently.


Emil Gheonea

Software Developer & Security Enthusiast

Full-stack developer with a focus on cybersecurity tooling and infrastructure. I built VirusPurge to make fast, private file scanning accessible to everyone — and I write about security topics to keep the knowledge sharp.
