Top 5 Phishing Trends 2025: Brands Beware

By Kerry Esterhuizen
Published 10 October 2025

Phishing continues to be the most common means of cyberattack worldwide, with the first quarter of 2025 seeing over one million phishing attacks – the greatest number since late 2023. Since the advent of ChatGPT in 2022, phishing attacks have skyrocketed by 4151%, according to SlashNext. And this is small wonder: phishing breaches cost a fortune, and are making the malicious actors behind them rich.

As such, there is no sign of phishing attacks becoming less of a threat in 2026. In order to be prepared, it is imperative for brands to stay on top of what threats are most likely to arise in the future. BrandShelter’s research suggests that the following phishing trends will continue to be a problem in 2026 and beyond.

Quishing and Mobile-First Phishing 

Our mobile phones are our always-available portal to the digital world. Not only do we use them for personal banking and accessing our own sensitive information, but businesses are also increasingly asking employees to use their own devices for work purposes. Convenient – but risky: WhatsApp, iMessage, even Facebook or Insta messages have become the new platform for Mobile-First phishing attacks precisely because they are able to attack the weakest point in the cybersecurity chain: the human behind the screen. 

QR code-based phishing, or Quishing, is another threat that makes use of a mobile phone’s convenience and speed of access. QR codes are a quick, easy way for users to install new software, or directly navigate to relevant webpages. However, herein lies the threat: it is just as easy to install malware, or navigate to a malicious site, and the speedy nature of mobile access means that users are less likely to take the time to think about the inherent risks involved.  

Deepfake-Enabled Impersonation Attacks 

News of deepfake-enabled attacks has dominated the headlines in recent years, with millions lost to deepfake fraud through video, audio and image fakes that are almost indistinguishable from the real thing. Deepfake technology has also been used to steal existing identities or even create new ones for the purpose of fraudulent activity: accounts have been created using falsified documents, and attackers have even managed to fake a victim’s voice to gain access to privileged information.

Audio deepfakes appear to be by far the most effective, and therefore the most risky. Financial institutions like banks are most at risk, with AI-fuelled fraud becoming a leading security concern. 

At this stage, it is still possible to recognise a deepfake if you’re on the lookout for it. Some signs include unnatural eye movement, a lack of blinking and unnatural movement. Audio is harder to identify, and may require solutions able to detect AI-generated voices in real time. That said, as AI continues to evolve and improve, deepfakes are likely to become even more realistic.  

Phishing-As-A-Service and AI Toolkits 

Initially only available on the dark web, Phishing-as-a-Service (PhaaS) has been increasingly offered via the regular internet in the last few years. Because more skilled hackers are now offering AI toolkits and PhaaS as products, less experienced malicious actors now have the opportunity to lead phishing campaigns. In turn, the risk of being phished has increased: with more people able to hack using AI toolkits and phishing products, it’s purely a numbers game.

This is exacerbated by the fact that Phishing-as-a-Service is affordable, with kits going for as little as $40. These kits include things like a list of potential targets, email templates directed to the victims, detailed instructions, and even a customer support function! Part of the reason for the low cost of a phishing kit is that some can send a copy of the stolen data to the creator of the PhaaS, creating yet another revenue stream by means of data sales or use in a future attack. 

Business Email Compromise and Financial Fraud 

Also known as email interception fraud, Business Email Compromise (BEC) involves cybercriminals pretending to be trusted entities or individuals in order to trick employees into transferring money or sending sensitive data. While phishing is more of a ‘spray and pray’ approach, sending out attacks on a larger but less-specific scale, BEC is a much more targeted attack, wherein the mark is carefully researched so as to make the mimicry far more convincing.  

One of the most targeted entities in an organisation for this type of attack is the CEO, where cybercriminals will carefully research the CEO in order to more convincingly impersonate them. Other types of Business Email Compromise Fraud include invoice fraud, where existing invoices are intercepted and altered to change payment details to other accounts, or supplier or vendor impersonation, where someone pretending to be a current supplier will ask for the payment details to be changed. 
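The three BEC patterns described above (executive impersonation, altered invoice payment details, vendor impersonation) can each be screened for on the receiving side. The following is an added example, not code from this article or from BrandShelter; the domain, executive name, vendor record and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions for illustration only)
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}  # display names of senior staff
VENDOR_MASTER = {"acme-supplies.example": "GB00TEST00000000000001"}  # domain -> IBAN on file

def normalise(iban):
    """Strip spaces and case so formatting differences are not flagged."""
    return iban.replace(" ", "").upper()

def domain_of(header_value):
    """Return (display name, lower-cased domain) from an address header."""
    name, addr = parseaddr(header_value)
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def bec_flags(raw_email, invoice_iban=None):
    """Return BEC warning flags for one message and its optional invoice IBAN."""
    msg = message_from_string(raw_email)
    name, domain = domain_of(msg.get("From", ""))
    _, reply_domain = domain_of(msg.get("Reply-To", ""))
    flags = []
    # Executive impersonation: a senior display name on an external address
    if name in EXECUTIVES and domain != ORG_DOMAIN:
        flags.append("executive-name-external-sender")
    # Replies diverted away from the visible sender's domain
    if reply_domain and reply_domain != domain:
        flags.append("reply-to-domain-mismatch")
    # Invoice fraud / vendor impersonation: bank details differ from the record
    if invoice_iban is not None:
        on_file = VENDOR_MASTER.get(domain)
        if on_file is None:
            flags.append("unknown-vendor-domain")
        elif normalise(invoice_iban) != normalise(on_file):
            flags.append("bank-details-changed")
    return flags

# Constructed sample messages
CEO_SPOOF = 'From: "Jane Doe" <jane.doe@mail.example.net>\nSubject: Urgent\n\nWire today.\n'
VENDOR_SPOOF = ("From: Accounts <billing@acme-supplies.example>\n"
                "Reply-To: billing@acme-supplles.example\n"
                "Subject: Updated bank details\n\nSee invoice.\n")
VENDOR_OK = "From: Accounts <billing@acme-supplies.example>\nSubject: Invoice\n\nAttached.\n"

if __name__ == "__main__":
    print(bec_flags(CEO_SPOOF))
    print(bec_flags(VENDOR_SPOOF, "GB00 TEST 0000 0000 0000 02"))
    print(bec_flags(VENDOR_OK, "gb00 test 0000 0000 0000 01"))
```

A flag here is a prompt for out-of-band verification with the executive or supplier through a known contact, not a verdict on its own.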

Increased Regulation and Compliance Requirements 

In an attempt to combat fraud and the online abuse of data, more governmental regulations and compliance requirements are being put in place on an ongoing basis. This, unfortunately, can have the opposite of the intended effect, by placing an additional strain on those in your business responsible for ensuring compliance.  

Keeping up with the evolving regulatory landscape, having full knowledge of the specific regulations that apply to your industry and location, and ensuring that the correct measures are in place to protect sensitive information is a complex and time-consuming task that requires skill and focus. With everything else required of those in charge simply to keep the business running, it could be worthwhile to engage with a trusted organisation in the business of ensuring you are compliant with and aware of recent changes in legislation.

There can be no doubt that phishing attacks, as well as other types of cybercrime, will only become more of a threat in 2026, with attacker tactics and technologies evolving faster than ever before. Companies and corporations must therefore be properly prepared to defend the trust and reputation in their brands.  

One of the best ways to do so remains partnering with experts such as BrandShelter. Protecting your brand and intellectual property is our business – we worry about protecting your brand from threats so that you can focus on your core business. 

If you would like a more detailed analysis of potential cyberthreats to you and your business, download the BrandShelter Phishing Threat Report 2025.  
