Every Phishing Method Attackers Use Right Now, From Classic Email Traps to AI Deepfakes
What if the next wire transfer your finance team approves is authorized by a voice that sounds exactly like your CFO, on a video call where every face looks real, but none of them are human? That scenario already happened. In early 2024, a multinational firm lost $25 million after an employee was deceived by a fully AI-generated video call impersonating the company's CFO and entire leadership team. The employee was invited to a conference call with other senior staff members, and everyone on the call was a deepfake. Scammers had scraped publicly available data from social media platforms like LinkedIn and fed it into AI to create matching video and audio.
This is not a thought experiment. It is the current state of phishing in 2026.
Over 90% of cyberattacks begin with phishing, making it the leading method threat actors use to breach networks and steal data. Understanding where this threat started and where it is going is no longer optional security hygiene. It is table stakes for anyone defending a network.
The Classic Playbook: How Traditional Phishing Works
The original phishing attack is simple by design. An attacker sends a mass email impersonating a trusted brand, a bank, a shipping carrier, an HR department, and waits for someone to click a link or open an attachment. The goal is credential theft, malware delivery, or direct financial fraud.
Microsoft remains the most imitated brand, with 43.1% of phishing attempts targeting it, according to the Zscaler ThreatLabz 2024 Phishing Report. That number makes sense. A stolen Microsoft 365 login is a skeleton key to email, SharePoint, Teams, and often the identity layer of an entire organization.
The click window is alarmingly short. The median time for users to click on a phishing simulation link was just 21 seconds, and 28 seconds to submit sensitive data, according to Verizon’s 2024 Data Breach Investigations Report. A security awareness program that drills “think before you click” is fighting against a biological reflex baked into routine work behavior.
Traditional phishing remains the foundation because it scales. An estimated 3.4 billion phishing emails are sent globally every single day. Even a tiny conversion rate on that volume produces millions of compromised accounts per year.
Spear Phishing: When the Attack Knows Your Name
Spray-and-pray email blasts are giving way to targeted campaigns that reference your actual job title, your manager, your clients, or a project you are actively working on. This is spear phishing, and it operates on the principle that context eliminates suspicion.
A 2019 study highlighted that spear phishing was the most popular attack method for cybercriminals, used by 65% of all known groups, with intelligence gathering as the primary motive in 96% of cases. The targeting information comes from LinkedIn profiles, company websites, press releases, and breached credential databases available on dark web marketplaces.
The variation targeting executives specifically is called whaling. A single whaling attack costs businesses $47 million on average. The mechanism is the same as spear phishing, but the research investment is heavier because the target has authority to approve large transactions.
Approximately 88% of organizations experience spear phishing attacks annually. If your organization has a public web presence and a LinkedIn company page, it is a spear phishing target. There is no threshold of size below which this stops being true.
Smishing and Vishing: Phishing Moves Off Email
At some point, attackers realized that corporate email filters had gotten better and that the same psychological levers work equally well over SMS and phone calls. The result was smishing (SMS phishing) and vishing (voice phishing), and both have grown dramatically.
Smishing exploits the trust that most people place in text messages. Smishing click-through rates range from 19 to 36%, significantly higher than email phishing’s 2 to 4%. Part of that gap is technical: mobile screens hide full URLs, making it harder to spot spoofed domains before tapping a link. In 2024, U.S. consumers reported $470 million in losses to text-message scams, a figure the FTC noted is five times higher than in 2020.
Vishing uses phone calls to manufacture urgency. A caller pretending to be IT support, a bank fraud team, or a government agency pressures a target into revealing credentials or authorizing a payment in real time. CrowdStrike observed an explosive increase in vishing incidents, with cases jumping 442% between early and late 2024.
The MGM Resorts ransomware attack, which caused extensive operational disruption, reportedly began when an attacker called the IT help desk and impersonated an employee to gain access. That is the defining feature of vishing: no malware required, just a convincing caller and a helpful employee following normal procedure.
Quishing: The QR Code Trap
QR codes were a niche technology until the pandemic normalized scanning them for menus, check-ins, and payments. Attackers noticed and pivoted quickly. Quishing embeds a malicious URL inside a QR code image, which email security filters cannot read the way they parse text-based links.
According to Abnormal Security, QR code attacks increased 400% between 2023 and 2025, with energy, healthcare, and manufacturing among the most affected sectors. The technique is particularly effective against executives. In Q4 2023, the average C-suite executive saw 42 times more QR code phishing attacks compared to the average employee.
56% of quishing emails involve Microsoft two-factor authentication resets, and only 39% of consumers can identify a malicious QR code. The delivery method also extends beyond email. Physical QR codes have been placed on parking meters, restaurant tables, and event signage, redirecting people who scan them for a legitimate purpose.
AI-Powered Phishing: The Threat That Broke the Old Rules
The “badly written email” heuristic that security awareness programs relied on for years is now dead. Generative AI produces grammatically flawless, contextually appropriate phishing content at industrial scale. In an experiment by IBM security researchers, AI needed only 5 prompts and 5 minutes to build a phishing attack as effective as one that took human experts 16 hours.
The numbers reflect this shift. Since December 2024, AI-generated phishing campaigns flooded inboxes with a 14x surge and now represent around half of all attacks reported by users. According to one external threat intelligence report, 67.4% of all phishing attacks in 2024 utilized some form of AI.
Deepfake Vishing and Executive Impersonation
AI voice cloning is now accessible to anyone willing to spend roughly $20 on dark web tooling. As Deloitte notes, there is now an entire dark web cottage industry selling AI-driven scamming tools for as little as $20, a democratization of fraud tech that is challenging traditional anti-fraud defenses.
Voice cloning technology can replicate executive voices using as little as three seconds of audio obtained from earnings calls, podcasts, or conference presentations. One of the first documented cases occurred in 2019 when a UK energy firm lost $243,000 after a subordinate was convinced by an AI-cloned CEO voice to wire funds to a fraudulent account. The 2024 Arup incident involving $25 million in losses represented a direct escalation of the same method, now extended to video.
The CEO of WPP was also targeted by scammers who cloned his voice and used it on a fake Teams-style call, with the voice sounding authentic and instructing staff to share sensitive access credentials and transfer funds. That attempt was identified before financial loss occurred, but it demonstrates that no profile is too public or too prominent to be targeted.
Malicious LLMs and Phishing-as-a-Service
The ecosystem around AI phishing has professionalized. Threat actors have created malicious large language models including WormGPT, FraudGPT, Fox8, and DarkBERT to help them create malware, malicious code, and other illegal materials at scale. These tools strip out the ethical guardrails that commercial AI platforms enforce and are sold on subscription through dark web forums.
Phishing-as-a-Service (PhaaS) kits have grown 21%, giving even low-skilled actors the tools to run large-scale campaigns. The barrier to entry for a sophisticated, multi-channel phishing operation is now measured in dollars and hours rather than weeks of technical expertise.
What a Modern Attack Actually Looks Like
A current high-sophistication campaign does not rely on a single vector. 41% of phishing incidents now involve multi-channel attacks combining SMS, QR codes, and voice calls, with 40% of campaigns extending beyond traditional email to platforms like Slack, Teams, and social media.
The sequence typically runs as follows. An initial email establishes context, referencing a real internal project scraped from LinkedIn. A follow-up SMS creates urgency. A phone call from someone claiming to sound like a known colleague closes the loop. Each step by itself might trigger a flag. Together they build a narrative that overrides normal skepticism.
Phishing-related breaches take an average of 254 days to identify and contain, the third-longest dwell time of any breach vector, and organizations often do not realize they are compromised until attackers have established a firm foothold.
What Actually Works Against These Threats
Security controls need to match the threat model, not the one from five years ago. Password policies and standard email gateways were designed for a different era. Adversary-in-the-Middle (AiTM) frameworks like EvilGinx2 bypass MFA by proxying the authentication session and stealing the session cookie after MFA completes, with Microsoft reporting over 10,000 AiTM attacks per month targeting its users in 2024.
Training still matters but only if it evolves. Users who had more recent training reported phishing emails at a rate of about 21%, compared to a base rate of 5%, a four times relative increase. The content of that training needs to shift from “spot the typo” to “verify the request through a separate channel regardless of how convincing the communication appears.”
Out-of-band verification is the most consistently effective control against deepfake voice and video attacks. Organizations that require a callback over a pre-registered number, or a confirmation through a second authenticated channel, break the social engineering chain even when the impersonation is technically flawless.
The threat has become multi-modal, AI-assisted, and deeply personalized. The organizations that keep pace are the ones that treat verification as a process requirement, not a judgment call made under pressure.
SOURCES AND FURTHER READING
Hoxhunt Phishing Trends Report: https://hoxhunt.com/guide/phishing-trends-report
Hunto AI Phishing Attack Statistics 2026: https://hunto.ai/blog/phishing-attack-statistics/
Zensec Phishing Statistics 2025-2026: https://zensec.co.uk/blog/2025-phishing-statistics-the-alarming-rise-in-attacks/
Keepnet Phishing Statistics: https://keepnetlabs.com/blog/top-phishing-statistics-and-trends-you-must-know
Guardz 33 Phishing Statistics 2025: https://guardz.com/blog/33-phishing-statistics-every-msp-should-know-about/
AAG Phishing Statistics: https://aag-it.com/the-latest-phishing-statistics/
Brightside AI Phishing Risk Analysis 2025: https://www.brside.com/blog/ai-generated-phishing-vs-human-attacks-2025-risk-analysis
Right-Hand AI Deepfake Vishing 2025: https://right-hand.ai/blog/deep-fake-vishing-attacks-2025/
Norton Top 5 AI and Deepfakes 2025: https://us.norton.com/blog/online-scams/top-5-ai-and-deepfakes-2025
CybelAngel Rise of AI Phishing: https://cybelangel.com/blog/rise-ai-phishing/
StrongestLayer AI Phishing 2026: https://www.strongestlayer.com/blog/ai-generated-phishing-enterprise-threat
Jericho Security Deepfake Phishing: https://www.jerichosecurity.com/blog/deepfake-phishing-the-ai-powered-social-engineering-threat-putting-cisos-on-high-alert-in-2025
TechTarget AI Phishing Dangers: https://www.techtarget.com/searchsecurity/tip/Generative-AI-is-making-phishing-attacks-more-dangerous
Hoxhunt AI Phishing Infographic: https://hoxhunt.com/blog/ai-phishing-attacks
Keepnet Smishing Statistics: https://keepnetlabs.com/blog/smishing-statistics-the-latest-trends-and-numbers-in-sms-phishing
Keepnet Quishing Statistics: https://keepnetlabs.com/blog/qr-code-phishing-trends-in-depth-analysis-of-rising-quishing-statistics
CaptainDNS Phishing Trends 2025-2026: https://www.captaindns.com/en/blog/phishing-trends-2025-2026-statistics
Bright Defense Phishing Statistics: https://www.brightdefense.com/resources/phishing-statistics/
Parachute Cloud Phishing Statistics 2026: https://parachute.cloud/phishing-attack-statistics/
Controld Global Phishing Statistics: https://controld.com/blog/phishing-statistics-industry-trends/