Phishing that actually works in 2026: what your team should know

Generic Nigerian-prince emails are not the threat. The threat is a perfect-looking message from your CFO at 4:47 PM on a Friday asking for a quick wire.

What we are seeing

  1. Lookalike domains. Off-by-one-character versions of your real vendors and partners.
  2. Reply-chain hijacks. Attacker compromises a vendor, then replies into a real existing thread with a payload.
  3. QR code phishing ("quishing"). The link is embedded in a QR image in the email body, so text-based URL filtering never sees it, and the user typically scans it with a personal phone outside corporate controls.
  4. MFA fatigue. Bombarding a user with push prompts until they tap "Approve" to make it stop.
  5. SMS for the password reset, voice for the urgency. A text and a phone call together feel real because two channels are saying the same thing.

Five-second checks anyone can do

  • Hover the link. Does the domain match what the email claims?
  • Is the sender's address actually the domain you expect, or a freemail clone?
  • Did the request appear out of nowhere, or is it part of a real conversation you remember?
  • Does the urgency feel manufactured?
  • If in doubt, contact the supposed sender through a channel you initiated.
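The lookalike-domain pattern in item 1 and the sender-address check above can be turned into a first-pass mail filter. This is an added example, not code from the original post; it also catches transposed characters (one step beyond the literal "off-by-one-character" case), and the vendor list, freemail set and every address in it are constructed for the demo.

```python
# Added example, not from the original post: classify an e-mail sender's domain
# against the vendor domains an organisation actually does business with.
# TRUSTED_VENDORS, FREEMAIL and every address below are constructed for the demo.

TRUSTED_VENDORS = {"acme-supplies.com", "northwind-logistics.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one insertion, deletion, substitution
    or adjacent-character transposition each count as a single edit."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased so 'suppIies' (capital I) and
    'supplies' differ by exactly one character."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def assess_sender(address: str, vendors=TRUSTED_VENDORS) -> str:
    """Return 'trusted', 'lookalike', 'freemail' or 'unknown'."""
    domain = sender_domain(address)
    # Exact vendor domain or one of its own subdomains.
    if any(domain == v or domain.endswith("." + v) for v in vendors):
        return "trusted"
    # Off-by-one-character clone of a vendor we really use.
    if any(edit_distance(domain, v) == 1 for v in vendors):
        return "lookalike"
    # Webmail provider posing as a business contact.
    if domain in FREEMAIL:
        return "freemail"
    return "unknown"


if __name__ == "__main__":
    for addr in ["ap@acme-supplies.com", "ap@acme-suppIies.com",
                 "cfo@gmail.com", "ap@acem-supplies.com"]:
        print(f"{addr:28} -> {assess_sender(addr)}")
```

A real deployment would feed the result into a banner or quarantine rule rather than printing it, and would load the vendor list from the finance team's actual payee records.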
