AI-powered phishing in 2026: how the attack changed and what works against it
The "Nigerian prince with three typos" is gone. The replacement is fluent in your dialect, knows your boss's name, and can call you in your CFO's voice from 60 seconds of podcast audio. Here is what the data says, what defences are actually holding, and which "best practices" are now folklore.
For twenty years we taught users to "look for spelling mistakes and bad grammar." That advice is now actively harmful. Modern phishing emails are written by language models that produce flawless prose in your local dialect, address you by your first name and your project codename, reference a meeting you actually had, and arrive within ninety minutes of a public LinkedIn post about a deal closing. The tells are gone.
The interesting question is not "how do we spot it?" — you mostly cannot. The interesting question is which controls survive an attacker who is fluent, fast, and personal.
The new shape of the attack
Three things changed between 2023 and 2026. First, language quality went to zero cost. A spear-phishing email that used to take a careful human native speaker an hour to write now takes a script ninety seconds for any of forty languages. Second, voice cloning crossed the perceptual threshold. Roughly sixty seconds of clean audio — easily harvested from a podcast guest spot, a webinar, an Instagram reel, or a voicemail greeting — produces a clone that fools family members on a noisy phone line. Third, video deepfakes hit "good enough for one meeting." Live deepfake video over Zoom is still tell-able under scrutiny, but it does not need to survive scrutiny. It needs to survive ninety seconds of "yes, that's the CFO, approve the wire."
The numbers from the last twelve months tell the story. Roughly 85% of organisations report at least one deepfake-related security event in the prior year. US fraud losses crossed $12.5B, with business-email-compromise and impostor-CEO scams the fastest-growing categories. Average wire-fraud loss per successful incident is mid-six figures.
Defences that actually work
These are roughly in order of how much they pay back per dollar of friction:
- 1Passkeys / FIDO2 hardware-bound credentials. The phishing email can be perfect, the fake login page can be pixel-identical, but the passkey will not authenticate to a domain that is not the real one. The cryptographic origin binding does the work the user cannot. This is the single highest-leverage control in the list.
- 2Callback verification on any "money or access" request. If your CFO emails or calls asking for a wire, a vendor change, or an MFA reset, you call them back on a number you already had — not the one in the email signature, not the one the caller gave you. This single rule, written down and enforced, neutralises most BEC and most voice-cloning fraud.
- 3In-band / out-of-band split for wire transfers. Initiation in email, approval in a separate signed channel (a finance system, a phone callback to a known number, a physical signature). Two channels with different attack surfaces is the entire point.
- 4A family code-word for voice attacks. A single agreed phrase ("what was the dog's name in 2018?", "say the word we picked at Christmas") that the real person knows and a clone has no way to know. Costs nothing, works against the entire voice-cloning category.
- 5Domain controls — DMARC at p=reject, BIMI where it helps, brand-impersonation monitoring. These do not stop the attack, but they make spoofing your own domain back at you noticeably harder.
Defences that mostly do not work anymore
Awareness training as a primary control. It still has a role — people need to know callbacks are a policy and code-words exist — but the "spot the phish" muscle is no longer trainable, because the cues are gone. Treat training as policy enforcement, not pattern recognition.
SMS-based MFA. Phishable in real time by any half-decent kit; SIM-swap attacks remain effective. If you can replace SMS with passkeys or a hardware token, do.
Look-for-typos guidance. Worse than useless: it teaches users that fluent prose is trustworthy.
A worked example: the CFO call
Tuesday afternoon, the AP clerk's phone rings. The caller ID matches the CFO's mobile. The voice matches the CFO. The story matches a real acquisition that was in the news this morning: "We need to wire €240,000 to a new escrow account for the deal, the lawyers are on the other line, you have to do it in the next forty minutes."
Without policy, this works. With policy: the clerk says "I'll call you right back on the number in our directory," hangs up, calls the real number, gets voicemail, and the wire never happens. Total cost of the policy: one sticker on the monitor and one quarterly drill.
What we do internally
We are a small company; this is not a vendor pitch. Internally: passkeys are mandatory for production access, no SMS MFA anywhere, every payment over a low five-figure threshold requires a callback to a number from the personnel directory (not the requesting message), and we run a deepfake drill twice a year that includes a fake voice call to one of the engineers. The drill has caught one real attempted impostor since 2024. The clerk who fielded it had the policy taped above their desk.
The honest summary: you cannot out-train a language model. You can out-process one. Build the process, write it down, and practise it.
A short note on what the attacker is paying for
Phishing-as-a-service kits with deepfake voice add-ons cost roughly three figures a month on the relevant marketplaces. The dossier-building — scraping LinkedIn, identifying targets, mapping reporting lines — is largely automated. Per-target marginal cost is small. Volume is the business model. That means defenders cannot rely on being uninteresting; everyone is interesting at zero marginal cost. The control surface has to be the process, not the heuristic of "would they bother targeting me?" They would. They already did.
Frequently asked
Is awareness training useless now?+
Not useless, but no longer the primary control. Its value is teaching policy — that callbacks happen, that code-words exist, that an SMS code is not enough — rather than teaching pattern recognition on phishing emails. The "spot the typo" muscle is no longer trainable because the typos are gone.
How do I pick a callback number I can trust?+
Use a number that was in your contacts, your personnel directory, or printed material before the suspicious request arrived. Never use a number provided in the email, call, or message you are trying to verify, and be sceptical of "the new number" announcements that themselves arrive in-channel.
Run PlanetProxy for seven days, on us.
Same purple tile cards you see on this page, plus the green lock and a 50 ms hop to wherever you want to be.
Start the trial →More from the dispatch
SecurityPP · DispatchHow to read a no-logs audit (without the marketing gloss)Security · 8 minHow to read a no-logs audit (without the marketing gloss)
Every VPN claims "no logs". A small fraction back the claim with an audit. An even smaller fraction publish the audit. Here's how to actually read one.
SecurityPP · DispatchThe kill switch: the small detail that decides whether a VPN actually protects youSecurity · 6 minThe kill switch: the small detail that decides whether a VPN actually protects you
A VPN is only as good as the moment its tunnel drops. Here is what the kill switch is, why most implementations are weak, and how to verify yours actually works.
- SecurityPP · DispatchPost-quantum cryptography: why "harvest now, decrypt later" is the threat that mattersSecurity · 8 min
Post-quantum cryptography: why "harvest now, decrypt later" is the threat that matters
A large quantum computer is probably still years away. The recordings of your traffic from this afternoon are not. Here is what HNDL actually means, what NIST finalised in 2024, and what "post-quantum ready" looks like for a VPN that is not just selling a sticker.