Phishing Trends 2025–2026 — 7 Shifts Every Security Team Should Know

AI-generated attacks, QR-code phishing (quishing), MFA bypass, supply-chain pivots, Deepfake social engineering, and Phishing-as-a-Service. A structured tour of the trends shaping the phishing landscape through 2026 and the countermeasures that actually move the needle.

Honestly, the 2024 phishing numbers surprised even those of us who'd been watching the space for years.

The APWG recorded over 960,000 phishing attacks in Q1 2024 alone — the highest quarterly figure in three years. Global economic losses from phishing surged to $17.4B, up roughly 45% year-over-year.

These aren't vendor-inflated numbers. They line up with what we see responding to incidents on the ground — attackers getting substantially more sophisticated and more patient.

So what does 2025–2026 look like? Based on our observations and cross-vendor telemetry, here are the seven shifts every security team should plan around.

1. AI-generated phishing is no longer experimental

Since the ChatGPT launch, phishing email volume has increased ~1265% (multiple security vendors' monitoring data — not marketing fiction).

The classic rule — "check for grammar mistakes and awkward phrasing" — is dead. Attackers now produce:

  • Target-customized emails drawn from public company data
  • Executive writing-style mimicry
  • Multi-language parallel campaigns
  • Department-specific phrasing

One recent campaign we analyzed targeting financial-services customers had fluent copy, proper formatting, and even legitimate-looking signature blocks with real job titles. Without looking at the sending domain, there was no way to tell the email from a real one on content alone.

Our take: stop relying on "the user will spot it". Layer domain monitoring + sender authentication + content analysis into a defense-in-depth stack.

2. QR-code phishing (quishing) is surging, especially in APAC

Quishing is a regional standout in Japan and broader Asia-Pacific.

Think about it: how many QR codes does an average person scan in a day now? Payments, menus, friend adds, forms. The scan action has become reflexive — which attackers weaponize.

Common variants:

  • Fake parking violation / delivery notifications — physical stickers leading to fake payment pages
  • Meeting-room "Wi-Fi password" QR codes — common in coworking spaces; scanning either downloads malware or opens a credential-harvesting page
  • Internal IT notifications — "system update" posters asking employees to scan and "update their password"

Quishing is hard to block at the email gateway because most security gateways only inspect URLs in the email body — QR codes are images, invisible to traditional URL-based filtering.

Our take: build QR-scenarios explicitly into user security training. On the technical side, email gateways that decode QR payloads are now table stakes.

3. MFA alone is no longer sufficient

Two years ago, "just turn on MFA" was the default answer. It's no longer enough.

MFA-bypass attacks grew ~146% in 2024. The dominant technique is AiTM (Adversary-in-the-Middle): the attacker stands up a reverse proxy, the victim enters credentials + MFA code on the phishing page, and the session cookie is captured in real time. With the session cookie, the attacker logs in as the victim — no password, no MFA code required after that point.

Microsoft and Google account bypass cases in the wild.

Our take:

  • Enable device-based authentication (FIDO2 keys are the cleanest option)
  • Monitor for anomalous sign-in patterns (new device, unusual geography)
  • Rotate / clean active sessions on a schedule

4. Mobile is now the primary battleground

In 2024, mobile-targeted phishing attempts exceeded desktop-targeted by 25–40%. The trend will continue because:

  • Mobile screens make URL inspection harder
  • SMS and messenger apps carry higher trust than email
  • Mobile endpoint security is generally weaker than desktop

Emerging techniques:

  • Fake app-store pages pushing trojaned app downloads
  • SMS phishing (smishing) paired with convincing fake bank / government portals
  • WhatsApp / LINE / Signal abuse for phishing-link distribution

Our take: bring mobile into scope of enterprise security controls. For BYOD, require at minimum the corporate security agent.

5. Supply-chain phishing is getting more subtle

Attackers have started using the detour.

Direct attacks on large enterprises are getting harder, so targeting has shifted to suppliers, outsourced teams, and partner companies. Breach the weakest link, then use legitimate business-email access to pivot into the real target.

What makes it dangerous: the phishing email comes from a known contact, from their real business account.

An incident we responded to: attackers compromised the external accounting firm serving a target company, then sent "invoice verification" emails from the accountant's real account. The links went to a well-crafted fake OneDrive that harvested Microsoft credentials.

Our take:

  • Add human verification to high-risk operations (payment-destination changes, privilege escalation)
  • Establish a security liaison channel with suppliers for fast verification of suspicious activity

6. Deepfake social engineering is showing up in real attacks

Video calls are becoming a new attack vector.

Mass-scale deepfake phishing isn't here yet, but targeted cases are. Attackers generate deepfake audio/video of executives and impersonate them in calls to authorize urgent wire transfers.

The widely-reported case where attackers stole ~HK$200M from a company in Hong Kong by faking a multi-participant executive video call is the most-cited example. The finance employee on the call had no reason to doubt what they were seeing.

The cost of high-quality deepfake video has collapsed. A few minutes of public executive footage is now enough to produce convincing synthesis.

Our take: for wire transfers or sensitive operations triggered in video calls, add a second-channel verification step (separate communication medium, not in the same call).

7. Phishing-as-a-Service (PhaaS) is democratizing the attacker side

Darkweb phishing kits keep getting better and cheaper. A few hundred dollars buys:

  • Template packs impersonating major SaaS providers
  • Automated credential harvesting and exfiltration
  • CAPTCHA and security-scanner evasion tooling
  • Even "customer support" for the kit

Translation: running a phishing campaign no longer requires technical skill. Motive alone is sufficient.

Number of attackers is rising. Quality of attacks is rising. This is the worst combination.

How should companies respond?

First — acknowledge that legacy defenses are insufficient

Email gateway + annual awareness training isn't enough anymore. You need active defense:

  • Domain monitoring to catch lookalike sites as soon as they're registered
  • Honeytoken deployment to track attacker behavior
  • Threat-intel feeds specific to your industry

Second — shrink time-to-response

Average phishing-site lifetime is 24–48 hours, but damage lingers far longer. The window from detection to complete takedown has to be as short as possible. Automation is the lever.

Third — extend defense to the supply chain

Evaluate supplier security posture. Include security clauses in contracts. Build the emergency contact path before you need it.

Fourth — keep investing in user awareness

Not annual training. Continuous, scenario-based drills. People need to experience what a modern phishing attack looks like, not memorize the anatomy of a 2018 one.


Phishing isn't going away. It will keep evolving. The defenders' job is to learn and adapt faster than the attackers.

If you're looking for more active anti-phishing tooling, OpenBait's detection pipeline catches lookalike sites at registration time. For the takedown side, see our guides on registrar abuse reports and browser blocklist reporting. Questions: [email protected].

Protect your brand from phishing

Start monitoring domain impersonation and social media brand abuse — free.

Get Started Free

Related articles

Building an Anti-Phishing Defense That Actually Works in 2026

How mid-market security teams should layer detection, takedown, and customer-side protection into one operational flow. Field notes from a year of running this stack against AI-generated phishing campaigns — what saves time, what wastes budget, and where vendors over-promise.

Phishing Trends 2025–2026 — 7 Shifts Every Security Team Should Know | OpenBait