Phishing · 11 March 2026 · 8 min read

The Most Common Phishing Tactics in 2026

Phishing has evolved far beyond Nigerian prince emails. Modern attacks are personalised, technically sophisticated, and increasingly hard to distinguish from legitimate communication.

Emil Gheonea

Software engineer & founder of LinkThreatScan · 11 March 2026

Phishing remains one of the most common initial access vectors for cyberattacks, year after year. Industry reports consistently find that the large majority of organisations (over 80% in several recent surveys) experienced at least one phishing attempt in the past 12 months. The techniques have evolved dramatically: today's campaigns combine social engineering, technical deception, and abuse of trusted platforms to target individuals with precision.

Spear phishing: targeted and personalised

While traditional phishing casts the widest possible net, spear phishing targets a specific individual or organisation. Attackers harvest information from LinkedIn, company websites, and social media to craft messages that reference the victim's employer, role, recent activities, or colleagues by name. The message may appear to come from a trusted colleague and relate to an ongoing project. This personalisation dramatically increases click rates.

QR code phishing (quishing)

Attackers embed malicious URLs in QR codes: in emails, in PDF attachments, on physical flyers, or even pasted over legitimate QR codes in public spaces. Traditional email security gateways extract and scan URLs from message text but see only an image, so the link never reaches URL reputation checks. Some gateways now decode QR images, but the technique still works because the scan moves the click onto a personal phone that sits outside the corporate web proxy, URL filtering and endpoint protection, where the user also cannot hover to inspect the destination. Victims who scan the code are sent directly to a phishing page. This technique spiked considerably in 2024–2025 and shows no sign of slowing.

Adversary-in-the-middle (AiTM) phishing

AiTM attacks place a reverse proxy between the victim and the real website, usually on a lookalike domain. The victim interacts with what looks like the legitimate login page (the proxy relays the real site in real time), while the attacker captures the credentials and, more importantly, the session cookie the real site issues once authentication completes. MFA based on one-time codes or push approvals is bypassed because the victim completes the full authentication flow on the real site; the attacker then replays the captured cookie from their own browser and is treated as an authenticated user without ever being asked for a second factor. Only phishing-resistant factors (FIDO2/WebAuthn security keys and passkeys) defeat this, because the credential is bound to the genuine origin and a signature produced for the proxy's domain is rejected by the real site. Frameworks such as Evilginx have made AiTM phishing accessible to less technical attackers.
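Because the attacker never needs to enter a second factor, the evidence of an AiTM phish is usually the cookie replay rather than the login. The following is an added example (not code from the original article or from LinkThreatScan) of the check a SOC would run over identity-provider logs: flag any session cookie that is presented from a different IP and a different user agent than the MFA login that issued it. The log lines, field names and addresses are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample identity-provider log, not real data. Each line is one event:
# a successful (MFA-completed) login that issued a session cookie, or a later
# request that presented that cookie.
SAMPLE_LOG = """
{"ts":"2026-03-11T09:00:05Z","event":"login_success","user":"alice","session":"s-1a2b","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"ts":"2026-03-11T09:00:09Z","event":"request","user":"alice","session":"s-1a2b","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"ts":"2026-03-11T09:02:41Z","event":"request","user":"alice","session":"s-1a2b","ip":"198.51.100.77","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/124"}
{"ts":"2026-03-11T09:30:00Z","event":"login_success","user":"bob","session":"s-9f8e","ip":"192.0.2.55","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2026-03-11T10:15:00Z","event":"request","user":"bob","session":"s-9f8e","ip":"192.0.2.99","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_events(log_text):
    """Parse one JSON object per line and sort the events by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_session_replay(events):
    """Flag a session cookie presented from a different IP *and* a different
    user agent than the login that issued it.

    In an AiTM phish the login itself arrives from the proxy host, and the
    attacker then imports the captured cookie into their own browser, so both
    attributes change. Requiring both to change avoids flagging ordinary
    roaming (same browser, new IP), which is what bob's events in SAMPLE_LOG
    look like.
    """
    issued = {}     # session id -> the login event that created it
    findings = []
    for ev in events:
        if ev["event"] == "login_success":
            issued[ev["session"]] = ev
            continue
        origin = issued.get(ev["session"])
        if origin is None:
            continue    # cookie whose issuing login falls outside this window
        if ev["ip"] != origin["ip"] and ev["ua"] != origin["ua"]:
            minutes = (ev["ts"] - origin["ts"]).total_seconds() / 60
            findings.append({
                "user": ev["user"],
                "session": ev["session"],
                "issued_from": origin["ip"],
                "replayed_from": ev["ip"],
                "minutes_after_login": round(minutes, 1),
            })
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(parse_events(SAMPLE_LOG)):
        print(f"possible cookie replay: user={f['user']} session={f['session']} "
              f"issued_from={f['issued_from']} replayed_from={f['replayed_from']} "
              f"after {f['minutes_after_login']} min")
```

Alice's session is reported once (issued from 203.0.113.10, replayed 2.6 minutes later from 198.51.100.77 with a different browser); Bob's is not, because only his IP changed. A real deployment would add the login's source network to the check, since the "login" in an AiTM attack comes from the proxy host, typically a VPS rather than the user's usual network.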

Vishing and smishing

Not all phishing happens via email. Vishing (voice phishing) involves attackers calling targets and impersonating bank fraud departments, tech support teams, or government agencies to extract credentials or authorise transactions. AI-generated voice cloning has dramatically lowered the barrier to convincing audio impersonation. Smishing (SMS phishing) delivers malicious links via text message, often impersonating parcel delivery services, banks, or toll authorities.

Business email compromise (BEC)

BEC attacks often involve no malware or malicious links at all. Instead, attackers either take over a legitimate mailbox (typically via an earlier credential phish) or impersonate one convincingly with a lookalike domain or a spoofed display name, and use it to request fraudulent wire transfers, gift card purchases, payroll changes or W-2 tax forms. Because the messages look authentic, contain nothing a filter can detonate, and reference real business processes, they regularly bypass both technical controls and user awareness. FBI IC3 reporting puts BEC losses in the billions of dollars every year.
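The spoofed-sender variety of BEC leaves traces in the headers even when the body is clean. Below is an added example (not code from the article or from LinkThreatScan) of the header heuristics a mail filter or analyst applies: an executive's display name on a foreign address, a Reply-To that diverts replies to another domain, a sender domain within two edits of the corporate one, and a payment-related ask. The corporate domain, executive directory and both messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data: the real domain and the only address each
# impersonation-prone display name legitimately sends from.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = ("wire transfer", "gift card", "w-2", "bank details", "invoice")

# Constructed messages: a BEC lure and a benign internal mail.
PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example
To: finance@example.com
Subject: Urgent wire transfer before 5pm

Are you at your desk? I need a wire transfer processed today for a vendor.
Send the confirmation to my personal address, I'm in meetings.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q2 budget review

Can we move the review to Thursday?
"""


def levenshtein(a, b):
    """Edit distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_message(raw):
    """Return a list of BEC indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display-name impersonation: an executive's name on a foreign address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' belongs to {expected} "
                        f"but the address is {from_addr}")

    # 2. Reply-To steering replies to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} diverts replies away from {from_domain}")

    # 3. Lookalike sender domain within two edits of the corporate domain.
    if (from_domain and from_domain != CORPORATE_DOMAIN
            and levenshtein(from_domain, CORPORATE_DOMAIN) <= 2):
        findings.append(f"sender domain {from_domain} is a lookalike of {CORPORATE_DOMAIN}")

    # 4. The lure itself: a payment, gift card or tax-form action.
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    if any(word in text for word in PAYMENT_WORDS):
        findings.append("requests a payment, gift card or tax-form action")
    return findings


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, analyse_message(raw) or ["no indicators"])
```

The lure trips all four checks; the benign mail trips none. The limit is the other BEC variety: mail sent from a genuinely compromised mailbox passes checks 1 to 3, which is why a request to move money should be confirmed out of band regardless of how clean the headers look.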

Phishing via legitimate platforms

Attackers increasingly abuse legitimate platforms to host the first stage of a phish: Google Docs and Drive, SharePoint, Dropbox, WeTransfer and similar file-sharing services. Because these domains are reputable and often allow-listed by security tools, a link to drive.google.com is far less likely to be blocked by an email gateway than a link to an unknown domain. The hosted file is usually not the credential-harvesting page itself; it is a document or share page containing the next link, or an automatic redirect, to the real harvesting site, so the malicious destination is only reached one or more hops after the trusted domain the gateway inspected.
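A link scanner catches this pattern by following the redirects itself and judging the final destination rather than the first hop. The following is an added example (not the article's or LinkThreatScan's own code) of that check: it walks a redirect chain one hop at a time and flags any chain that starts on a trusted platform but lands on a host outside it. The trusted-host set is illustrative, and the URLs and HTTP responses are constructed stand-ins for the network so the example runs offline.

```python
from urllib.parse import urljoin, urlparse

# Document / file-sharing hosts the organisation treats as reputable. Illustrative
# set built from the platforms named in the article (dropboxusercontent.com is the
# host Dropbox serves file downloads from).
TRUSTED_PLATFORM_HOSTS = {
    "drive.google.com", "docs.google.com", "sharepoint.com",
    "dropbox.com", "dropboxusercontent.com", "wetransfer.com",
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed responses standing in for the network: url -> (status, Location).
# Chain 1 is the abuse pattern, a Drive download link bouncing via an intermediate
# host to a lookalike Microsoft login. Chain 2 is an ordinary Dropbox download
# redirect. The URLs and responses are invented for this example.
CONSTRUCTED_RESPONSES = {
    "https://drive.google.com/uc?id=abc123&export=download":
        (302, "https://share.example.net/open"),
    "https://share.example.net/open":
        (302, "https://m1crosoft-login.example/owa/auth"),
    "https://m1crosoft-login.example/owa/auth": (200, None),
    "https://dropbox.com/s/legit/report.pdf":
        (302, "https://dl.dropboxusercontent.com/s/legit/report.pdf"),
    "https://dl.dropboxusercontent.com/s/legit/report.pdf": (200, None),
}


def fake_fetch(url):
    """Stand-in for an HTTP request that does not follow redirects itself."""
    return CONSTRUCTED_RESPONSES.get(url, (200, None))


def host_is_trusted(host):
    host = (host or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_PLATFORM_HOSTS)


def follow_redirects(url, fetch, max_hops=10):
    """Walk HTTP redirects one hop at a time and return every URL visited.
    `fetch(url)` must return (status_code, location_header_or_None) without
    following redirects on its own."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))   # Location may be relative
    raise ValueError(f"more than {max_hops} redirects from {url}")


def assess_chain(chain):
    """Flag a chain that starts on a trusted platform but ends somewhere else:
    the gateway saw a reputable first hop, the user lands on the real target."""
    first_host = urlparse(chain[0]).hostname
    final_host = urlparse(chain[-1]).hostname
    result = {"first_host": first_host, "final_host": final_host, "hops": len(chain) - 1}
    if host_is_trusted(first_host) and not host_is_trusted(final_host):
        result["verdict"] = "suspicious"
        result["reason"] = (f"trusted platform {first_host} redirects to untrusted "
                            f"host {final_host} after {len(chain) - 1} hop(s)")
    else:
        result["verdict"] = "not-flagged"
        result["reason"] = "no hop from a trusted platform to an external host"
    return result


if __name__ == "__main__":
    for start in ("https://drive.google.com/uc?id=abc123&export=download",
                  "https://dropbox.com/s/legit/report.pdf"):
        chain = follow_redirects(start, fake_fetch)
        print(assess_chain(chain))
```

With a real client, the fetch callback must disable automatic redirect following (for instance `allow_redirects=False` with the `requests` library) so every hop is visible. This handles HTTP-level redirects only; when the trusted file is a rendered document that merely contains the link, the scanner has to fetch and inspect the document's contents as well.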

How to stay protected

Use phishing-resistant MFA (FIDO2 hardware security keys such as a YubiKey, or passkeys) wherever possible; it is the one factor that holds up against AiTM proxies, because the credential is bound to the genuine site's origin. Treat every link in email, SMS or messaging apps as suspect until verified: on a desktop, hover to inspect the real URL; on a phone, long-press it; and remember that a link on a trusted platform can still redirect elsewhere. Use a link scanner before you visit. Publish a DMARC record with p=reject on your domain (with SPF and DKIM aligned so your legitimate mail still passes) to stop attackers spoofing your exact domain; it does nothing against lookalike domains, so confirm any request to change payment details or send a transfer through a known phone number, never by replying to the email. Keep browser and OS security features updated. Report suspected phishing attempts to your IT team and to Google Safe Browsing or PhishTank to help protect others.
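DMARC is only a protection once the policy actually enforces, and many domains stop at the monitoring stage. Here is an added example (not from the article or LinkThreatScan) of a checker for the DMARC TXT record: it parses the tag=value pairs and reports a weak monitoring-only record beside the hardened record it should become. Both records are constructed; to check a live domain, fetch the text with `dig +short TXT _dmarc.yourdomain.example` and pass it in.

```python
# Constructed records. The weak one is what many domains publish after an
# initial rollout and never tighten; the hardened one is the target state.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record (must start with v=DMARC1)")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return the published policy, whether it really enforces, and why not."""
    tags = parse_dmarc(record)
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("no p= tag: the record is invalid and receivers ignore it")
    elif policy == "none":
        issues.append("p=none only reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    pct = int(tags.get("pct", "100"))          # RFC 7489 default is 100
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy)        # sp defaults to the p= value
    if policy == "reject" and sub_policy != "reject":
        issues.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports on who spoofs you")
    enforcing = policy == "reject" and pct == 100 and sub_policy == "reject"
    return {"policy": policy, "enforcing": enforcing, "issues": issues}


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        result = evaluate_dmarc(record)
        print(f"{label}: p={result['policy']} enforcing={result['enforcing']}")
        for issue in result["issues"]:
            print("   -", issue)
```

Move to p=reject only after aggregate reports show your own mail sources passing SPF or DKIM with alignment; otherwise the policy rejects legitimate mail as well. The checker does not verify SPF and DKIM themselves, and no DMARC policy stops mail from a lookalike domain you do not own.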

About the author

Emil Gheonea is a software engineer and the solo developer behind LinkThreatScan. He built this tool out of a genuine need for a fast, transparent, and free way to assess whether a link is safe before clicking it. He writes about web security topics to help everyday users and developers make better decisions online.
