AI-assisted phishing in 2026: what changed and what to do
Generative models removed every visible tell of a phishing email — bad grammar, awkward tone, generic greeting. The defense has to move up the stack.
The 'poorly written email' signal is gone. Attackers now generate fluent, context-aware messages in your users' native language, sometimes threaded into an existing conversation.
Assume any text can be forged
Stop training users on grammar and greetings. Train them on process: 'Did anyone ask you for this? Did the request come through the correct channel?' Verify out of band, always.
Harden the click and the credential
FIDO2 phishing-resistant MFA. Conditional access on impossible travel. Browser isolation for links in unexpected mail. These stop the attack even after the click.
Detect the payload, not the pretext
Modern EDR + email security look at the URL destination, the OAuth consent, the attachment sandbox result. The prose stopped being a useful feature months ago.
