Phishing Attacks in 2026: New Tactics & How to Defend
Phishing in 2026 is no longer the broken-English Nigerian-prince email. AI-generated messages with perfect grammar, voice clones of executives, and deepfake video calls are now realistic threats — and Indian companies are seeing the increase.
The four new tactics
- AI-written spear phishing — personalised messages at scale, often impersonating an internal teammate using public LinkedIn data.
- Voice phishing (vishing) — cloned voice of a manager calling Finance to authorise an “urgent” wire transfer.
- QR code phishing (quishing) — QR codes in emails that bypass URL filters and lead to credential-harvest pages.
- OAuth consent phishing — fake apps requesting “read your mailbox” permissions on Google or Microsoft; user grants without realising.
What still works for defence
The boring controls have not changed. Phishing-resistant MFA (FIDO2 keys, not SMS). Anti-spoofing email standards (SPF, DKIM, DMARC at p=reject). DNS filtering. Restricted OAuth consent grants. User training that includes simulated phishing — not just slides.
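One way to check a domain against the "DMARC at p=reject" bar above, as an added example that is not part of the original article. The function names and the sample records are constructed for illustration; in practice the TXT value would come from a lookup of `_dmarc.<domain>`.

```python
# Added example. All records are constructed samples, not real DNS data.

def parse_dmarc(txt):
    """Split a DMARC TXT record into an ordered dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return findings for one record; an empty list means nothing to fix."""
    if txt is None:
        return ["no DMARC record published"]
    tags = parse_dmarc(txt)
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return ["record does not start with v=DMARC1, receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p tag")
    elif policy != "reject":
        findings.append(f"p={policy}: below the p=reject bar")
    # sp overrides p for subdomains; when absent, subdomains inherit p.
    sp = tags.get("sp", policy).lower()
    if policy == "reject" and sp != "reject":
        findings.append(f"sp={sp}: subdomains are not covered by reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if pct != 100:
        findings.append(f"pct={tags.get('pct')}: policy does not apply to all failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports to monitor")
    return findings

SAMPLES = {  # constructed records
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=25",
    "missing.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, audit_dmarc(record) or "OK")
```

A record can say p=reject and still leave gaps: the `partial.example` sample exempts subdomains and applies the policy to only a quarter of failing mail.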
For Finance teams specifically
A documented out-of-band verification process for any transfer above a defined threshold removes the entire wire-fraud category. The process must be impossible to short-circuit “this once” because that exception is exactly what attackers engineer.
If you click
Speed matters. Change the password and revoke active sessions. Report to IT or security within 30 minutes. Check OAuth-app grants for unauthorized additions. Do not delete the email — the security team needs the headers.
Career angle
Email and identity security skills are some of the most billable consulting capabilities in 2026. Specialising here takes less time than becoming a generalist red teamer and pays comparably well.