
How phishing changed in 2025 and what to expect in 2026 and beyond | perspective | SC Media

SC Media, archived Apr 07, 2026



Perfect phishing at the perfect time targeting the perfect person. That's where we’re headed.

Bolster AI tracked more than 11.9 million malicious domains in 2025. The most effective scams are no longer isolated messages or one-off impersonations. Attackers are building full fraud lifecycles guiding victims from discovery to conversion across multiple trusted channels, including search results, paid ads, document signing and approval requests, and online marketplaces. They’re targeting sectors where trust exists at scale, including tech platforms, government services, and financial institutions, which accounted for 63% of phishing activity.

Today’s scams are closer to a buyer’s journey. Attackers are planning ahead, deliberately choosing distribution channels, and reusing what converts. They’re abusing high-trust, everyday activities to scam people. And they’re creating sophisticated, ready-to-use kits so other scammers can execute fraud at scale with minimal time, energy, and cost.

New Year new scams

2025 set the stage for 2026. Scams will continue to evolve. Here’s what we expect:

Trusted platforms will replace suspicious links. We’re already seeing this. Scammers recently abused Microsoft’s Power BI platform and created fake PayPal business profiles to send fake invoice and money request emails. The emails pass authentication checks because they don’t contain malicious links or attachments. The domains are considered trustworthy because the emails come from the company. The emails are real. The scam is the fake customer support phone number in the email.

Identity platforms will act as force multipliers. Attackers will continue targeting cloud platforms, SaaS tools, and identity providers, because a single compromised identity can unlock email, collaboration tools, internal applications, and third-party integrations. Expect more OAuth abuse, consent phishing, MFA fatigue, session hijacking, and spoofed access notifications.

Financial fraud will become faster and more targeted. Attackers will exploit the digital banking and instant payment systems used to streamline the user experience to accelerate fraud. Attack strategies will focus on smaller, higher-conversion operations designed to move money quickly. Typical attack chains will include credential harvesting through trusted workflows, account takeover, payment manipulation, and follow-on Business Email Compromise (BEC).

Political events will drive high-visibility scams. Expect fake voter registration portals, donation scams, political organization impersonation, “vote verification” phishing, and misinformation amplified through SEO, paid placement, and social sharing. Beyond financial loss, these scams will contribute to broader erosion of trust in civic institutions and public information.

Infrastructure rotation will outpace reactive defense. Attackers will prioritize short-lived domains, rapid rotation, and abuse of trusted hosting providers and CDNs. Many campaigns will appear briefly, achieve their objective, and disappear, often before confirmation, investigation, or takedown processes complete.

The future is perfectly personalized phishing

Attackers will use AI to create precise attacks that can be scaled just in time. And it’s already happening.

Varonis identified a malware toolkit that enables phishing via sophisticated website spoofing. The kit allows operators to select individual targets and configure URL hijacking rules specifically for that user.

Palo Alto Networks’ Unit 42 created a proof of concept to show how scammers could create dynamic and personalized phishing websites using generative AI (GenAI). Victims could be directed to a webpage. An LLM API would generate unique, personalized JavaScript code. The code would be executed in the browser and create a personalized phishing page. And it would go undetected because there isn’t any malicious code.

Okta recently identified a scam where threat actors profile victims and identify the apps and IT support phone numbers they use. Then they use kits to create and distribute a customized phishing site and call the victims using a spoofed company or support phone number.

Google’s vice president of security engineering, Heather Adkins, said on the Google Cloud Security podcast that it’s a matter of time before someone puts all the pieces together. She fears someone will end up with the capability to type “go hack [company]” into an LLM prompt and it will do all the research and come back with a root prompt for attacks.

Attackers are no longer experimenting blindly. They are continuously testing, measuring, and optimizing scam performance and shifting tactics as soon as better outcomes emerge. They are creating repeatable playbooks that blend trust, timing, and legitimacy into coordinated campaigns designed to activate quickly and monetize before defenses respond. These attacks will increasingly look, sound, and feel personalized, which means consumers and companies will have to be even more vigilant to avoid falling for them.
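A defensive illustration of the "trusted platforms" point above, added here and not part of the original article: when an authenticated message from a trusted sender carries no links or attachments, the callback phone number is the one indicator left to check. The sender domain `billing.example`, the allowlist, and the sample message are constructed assumptions, and the `Authentication-Results` header is assumed to be stamped by your own mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist: official support numbers per trusted sending domain
# (constructed values; populate from the vendor's published contact pages).
OFFICIAL_NUMBERS = {"billing.example": {"18005550100"}}

# North American numbers in common written forms: +1 (888) 555-0199, 888.555.0199
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]?)?\(?\d{3}\)?[\s.\-]?\d{3}[\s.\-]?\d{4}(?!\d)"
)

# Constructed sample: passes SPF/DKIM/DMARC, has no URL, only a callback number.
SAMPLE = """\
From: Billing <service@billing.example>
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Subject: Invoice 4417: payment request of $849.99

You have a new money request. If you did not authorize this charge,
call support at +1 (888) 555-0199 within 24 hours.
"""

def normalize(raw):
    """Reduce a matched number to 11 digits with a leading country code 1."""
    digits = re.sub(r"\D", "", raw)
    return digits if len(digits) == 11 else "1" + digits

def auth_passed(msg):
    """True only if the gateway recorded SPF, DKIM and DMARC as pass."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))

def unexpected_callback_numbers(raw_email):
    """Return numbers in an authenticated, trusted-sender mail that are not
    on that sender's allowlist. Mail failing authentication or from unknown
    senders returns [] and is left to other controls."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in OFFICIAL_NUMBERS or not auth_passed(msg):
        return []
    body = msg.get_payload()  # single-part text body in this example
    found = {normalize(m.group()) for m in PHONE_RE.finditer(body)}
    return sorted(found - OFFICIAL_NUMBERS[domain])

if __name__ == "__main__":
    print(unexpected_callback_numbers(SAMPLE))
```

A hit is a routing signal for review or a warning banner, not a verdict, since legitimate senders occasionally include regional numbers that are missing from the allowlist.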
    Article Info
    Source
    SC Media
    Category
    ✉ Email Security
    Published
    Apr 07, 2026
    Archived
    Apr 07, 2026