Welcome to the Phish Tour Nobody Asked For

In March 2025, a finance employee at a mid-size manufacturing firm received a Microsoft Teams message from someone impersonating the CFO. The message included a link to a SharePoint page that looked flawless. Within 90 seconds, the employee entered their credentials. Within four hours, the threat actor had initiated a $2.3 million wire transfer. The money was gone before lunch.

That's one stop on the phish tour — a guided look at the evolving phishing landscape that's costing organizations billions every year. If you think phishing still means a poorly written email from a Nigerian prince, you're about a decade behind. This post walks you through every major phishing attack method active in 2026, shows you what each one actually looks like, and gives you practical steps to harden your defenses at every stop.

According to the Verizon 2024 Data Breach Investigations Report, phishing and pretexting accounted for over 73% of social engineering breaches. That number hasn't gone down. It's gotten worse as attackers layer AI-generated content onto proven playbooks.

Stop One: The Classic Email Phish (Still Deadly in 2026)

I've seen security teams dismiss email phishing as a solved problem. It isn't. The classic email phish has evolved into a precision instrument. Threat actors now use AI to generate grammatically perfect, contextually relevant messages that reference real projects, real vendors, and real deadlines inside your organization.

The days of "Dear Valued Customer" are over. Modern phishing emails pull data from LinkedIn, public SEC filings, press releases, and even leaked databases to craft messages that feel personal. The attacker doesn't need to fool everyone — they need to fool one person, one time.

What This Looks Like on the Ground

A typical 2026 email phish might arrive as a DocuSign notification tied to a real contract your legal team is working on. The sender domain is a look-alike, maybe one character off or a plausible extra word, such as "docusign-notifications.com" instead of "docusign.com." The landing page is pixel-perfect. The credential harvesting form sends your username and password to a server in Eastern Europe before redirecting you to the real DocuSign login, so you never suspect a thing.
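Look-alike sender domains of the kind just described can be caught mechanically before a human ever sees the message. The following is an added example written for this post, not code from any vendor or from the original article: it classifies a sender address against a constructed allowlist of protected brand domains, catching brand names embedded in longer domains, the brand used as a subdomain of an unrelated domain, and homoglyph or small-edit variants. The protected-domain list, the homoglyph table, the similarity threshold and the sample addresses are all assumptions chosen for illustration.

```python
# Added example (not from the original post): classify a sender domain as an
# exact/subdomain match of a protected brand, a look-alike, or unrelated.
# The protected-domain list, homoglyph table and sample addresses are constructed.
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist: brands this organization receives legitimate mail from.
PROTECTED_DOMAINS = ("docusign.com", "microsoft.com", "sharepoint.com")

# Character swaps that commonly appear in look-alike registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

SIMILARITY_THRESHOLD = 0.85  # assumed cut-off; tune against your own mail flow


def sender_domain(address):
    """Extract the lower-cased domain from a header value like 'Name <user@host>'."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower()


def normalize(domain):
    """Undo common homoglyph substitutions so d0cusign.com compares as docusign.com."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def classify_sender(address, protected=PROTECTED_DOMAINS):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'."""
    domain = sender_domain(address)
    labels = domain.split(".")
    for brand in protected:
        brand_labels = brand.split(".")
        brand_name = brand_labels[0]
        # Exact brand domain or a real subdomain of it (notifications.docusign.com).
        if domain == brand or domain.endswith("." + brand):
            return "ok", f"matches {brand}"
        # Brand name embedded in a longer label: docusign-notifications.com.
        if any(brand_name in label and label != brand_name for label in labels):
            return "suspicious", f"embeds brand name '{brand_name}': {domain}"
        # Brand domain used as a prefix of an unrelated domain: docusign.com.evil.net.
        if labels[: len(brand_labels)] == brand_labels:
            return "suspicious", f"brand used as subdomain of another domain: {domain}"
        # Homoglyph swaps and small edits: d0cusign.com, docusing.com.
        ratio = SequenceMatcher(None, normalize(domain), brand).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return "suspicious", f"look-alike of {brand} (similarity {ratio:.2f})"
    return "unknown", f"{domain} resembles no protected brand"


if __name__ == "__main__":
    for sample in ("legal@docusign.com", "noreply@docusign-notifications.com",
                   "alerts@d0cusign.com", "sign@docusign.com.evil.net",
                   "bob@example.com"):
        print(sample, "->", classify_sender(sample))
```

A "suspicious" verdict is a reason to quarantine or banner the message, not proof of fraud; the "unknown" bucket is where everything that simply is not a protected brand lands, which is why the allowlist should be short and specific to the brands your staff actually transact with.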

This is why organizations need ongoing phishing awareness training tailored for teams. One annual training session doesn't build the reflexes your employees need to catch these attacks in real time.

Stop Two: Spear Phishing and Business Email Compromise

Spear phishing is the sniper rifle version of the shotgun email blast. The attacker picks a specific target — usually someone with financial authority or system access — and crafts a message designed for that individual. Business Email Compromise (BEC) takes this further by either spoofing or actually compromising an executive's email account.

The FBI's IC3 reported that BEC losses exceeded $2.9 billion in 2023 alone, making it the costliest cybercrime category by dollar amount. In my experience, BEC attacks succeed because they exploit trust and urgency — two things that bypass technical controls entirely.

The Anatomy of a BEC Attack

Here's a pattern I've seen repeated dozens of times:

  • Attacker compromises a vendor's email account through credential theft.
  • Attacker monitors email threads for weeks, learning communication patterns.
  • Attacker inserts themselves into a real invoice thread with updated banking details.
  • Accounts payable processes the payment to the attacker's account.
  • Nobody notices until the real vendor calls about the missing payment — often 30-60 days later.

Multi-factor authentication on all email accounts is non-negotiable. But MFA alone won't stop a compromised vendor's account from sending you a convincing invoice. Your people are the last line of defense.
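The invoice-thread pattern above has signals that accounts payable tooling can check automatically before a payment is released. The code below is an added example for this post, not software from any vendor or from the original article: it parses a raw message, flags a Reply-To that points somewhere other than the From domain, flags wording that asks for payment details to change, and compares any IBAN in the body against a constructed vendor master record. The vendor record, the phrase list and both sample messages are constructed for illustration.

```python
# Added example (not from the original post): screen an inbound invoice-thread
# message for the BEC signals described above. Vendor record, phrases and the
# two sample messages are constructed for illustration.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed vendor master data: the account accounts payable has on file.
VENDOR_ON_FILE = {"acme-supplies.example": {"iban": "GB29NWBK60161331926819"}}

# Wording that typically accompanies a fraudulent change of remittance details.
BANK_CHANGE_PHRASES = ("new bank", "updated banking", "changed our account",
                       "new account details", "remit to", "updated remittance")

# Loose IBAN shape: country code, check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def header_domain(value):
    """Domain of the address in a From/Reply-To header, or None if absent."""
    if not value:
        return None
    return parseaddr(str(value))[1].rsplit("@", 1)[-1].lower()


def assess_invoice_message(raw):
    """Return {'verdict': 'ok'|'hold', 'reasons': [...]} for a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    from_dom = header_domain(msg["From"])
    reply_dom = header_domain(msg["Reply-To"]) or from_dom
    # Signal 1: replies are silently redirected to a different domain.
    if reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # Signal 2: the message asks for payment details to change.
    if any(p in body.lower() for p in BANK_CHANGE_PHRASES):
        reasons.append("message requests a change of payment details")
    # Signal 3: an account number in the body differs from the vendor record on file.
    ibans = set(IBAN_RE.findall(body.upper()))
    on_file = VENDOR_ON_FILE.get(from_dom, {}).get("iban")
    if on_file and ibans and on_file not in ibans:
        reasons.append("IBAN in message does not match the vendor record on file")
    verdict = "hold" if reasons else "ok"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample: routine invoice from the vendor, matching the record on file.
LEGIT = "\n".join([
    "From: Acme Billing <billing@acme-supplies.example>",
    "To: ap@yourcompany.example",
    "Subject: Invoice 4471",
    "Message-ID: <1@acme-supplies.example>",
    "",
    "Please find attached invoice 4471. Payment to our usual account",
    "GB29NWBK60161331926819 by the 30th as before. Thanks.",
])

# Constructed sample: reply injected into the same thread with new bank details.
FRAUD = "\n".join([
    "From: Acme Billing <billing@acme-supplies.example>",
    "Reply-To: Acme Billing <billing@acme-supplies-billing.example>",
    "To: ap@yourcompany.example",
    "Subject: RE: Invoice 4471",
    "In-Reply-To: <1@acme-supplies.example>",
    "",
    "Following an audit we have updated banking details. Please remit to",
    "IBAN DE89370400440532013000 for invoice 4471 today to avoid late fees.",
])

if __name__ == "__main__":
    print(assess_invoice_message(LEGIT))
    print(assess_invoice_message(FRAUD))
```

Note that in the compromised-vendor case the From and Reply-To domains are both genuine, so only the third signal fires; that is exactly why the "hold" outcome should route to a phone call on the vendor's number of record rather than to a reply on the same thread.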

Stop Three: Smishing, Vishing, and the Phone in Your Pocket

This phish tour doesn't stay in your inbox. Smishing (SMS phishing) and vishing (voice phishing) have exploded because people trust their phones more than their email. A text from "your bank" about a suspicious charge creates instant panic and bypasses the skepticism most people now apply to email.

In 2025, the FTC documented a sharp increase in reports of text-based scams impersonating delivery services, banks, and government agencies. The Cybersecurity and Infrastructure Security Agency (CISA) has issued multiple advisories about voice phishing campaigns targeting corporate employees working remotely.

AI Voice Cloning Changes Everything

Here's what keeps me up at night. AI voice cloning tools can now replicate a person's voice from just a few seconds of audio — easily pulled from earnings calls, YouTube videos, or conference presentations. Imagine getting a phone call that sounds exactly like your CEO asking you to process an urgent payment. This isn't hypothetical. It happened to a UK energy firm back in 2019, costing them $243,000, and the technology has become exponentially more accessible since then.

Training your team to verify out-of-band — meaning through a separate, trusted channel — is the single most effective defense against vishing. If the CEO calls and asks for a wire transfer, you hang up and call back on a known number. Every time. No exceptions.

Stop Four: QR Code Phishing (Quishing)

Quishing emerged as a serious threat in 2023 and has only accelerated. Attackers embed malicious QR codes in emails, physical mailers, parking meters, and even restaurant menus. When scanned, the QR code directs the victim to a credential harvesting page or triggers a malware download.

The reason quishing works is simple: most email security gateways can't read QR codes. The malicious URL is encoded in an image, not a clickable link, so it sails past traditional filters. And most people scan QR codes without a second thought.

Defending Against Quishing

  • Train employees to preview QR code URLs before opening them. Both iOS and Android show the destination URL on scan.
  • Never scan a QR code from an unexpected email, especially one claiming to be from IT, HR, or payroll.
  • Implement mobile device management (MDM) that can flag known malicious domains.

This is a perfect example of why security awareness has to evolve with the threat landscape. Static training decks from 2022 don't mention quishing at all. Your employees need current, practical cybersecurity awareness training that reflects what attackers are actually doing right now.

Stop Five: Adversary-in-the-Middle (AiTM) Phishing

This is the stop on the phish tour that makes experienced security professionals nervous. Adversary-in-the-Middle phishing kits — tools like EvilProxy, Evilginx, and their successors — sit between the victim and the legitimate login page. The victim sees the real Microsoft 365 or Google Workspace login. They enter their credentials. They complete MFA. And the attacker captures the session token, bypassing MFA entirely.

Microsoft's threat intelligence team documented widespread AiTM campaigns throughout 2023 and 2024 targeting enterprise Microsoft 365 tenants. These attacks are not theoretical edge cases — they are industrial-scale operations run by organized threat actors.
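The reason AiTM captures a session after password plus one-time code, yet fails against FIDO2, comes down to what the authenticator signs. A relayed password or OTP carries no information about where it was typed; a WebAuthn assertion signs the browser-supplied origin and the relying party's rpId together with the challenge. The following is an added example written for this post, not code from the original article, from any FIDO2 library, or from the kits named above: it is a stdlib-only model of an assertion ceremony in which an HMAC over a per-credential secret stands in for the real asymmetric signature. The two origins, the user name and the HMAC stand-in are assumptions; a real browser would additionally refuse to invoke the credential at all for an rpId that does not match the page it is on.

```python
# Added example (not from the original post): a stdlib-only model of why a
# FIDO2/WebAuthn assertion fails when relayed through an AiTM proxy. The
# origins, user and the HMAC stand-in for the credential's signing key are
# constructed assumptions; a real authenticator signs with an asymmetric key.
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"          # constructed legitimate site
PHISH_ORIGIN = "https://login.example-secure.com"  # constructed AiTM proxy host


def rp_id_for(origin):
    """WebAuthn rpId is the host of the origin the browser is actually on."""
    return origin.split("://", 1)[1]


class Authenticator:
    """Stand-in for a security key or passkey. The per-credential secret plays the
    role of the private key; HMAC-SHA256 plays the role of the signature."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, rp_id, client_data_hash):
        # authenticatorData starts with SHA-256(rpId); the signature covers
        # authenticatorData || SHA-256(clientDataJSON).
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        sig = hmac.new(self.secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_client_data(challenge, origin):
    """The browser, not the page, writes the origin into clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.rp_id = rp_id_for(origin)
        self.credentials = {}   # user -> verification key registered at enrollment
        self.pending = {}       # user -> outstanding challenge

    def register(self, user, key):
        self.credentials[user] = key

    def new_challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def verify(self, user, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != self.pending.get(user):
            return False, "challenge unknown or already used"
        if cd.get("origin") != self.origin:
            return False, f"origin mismatch: {cd.get('origin')}"
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpId hash mismatch"
        expected = hmac.new(self.credentials[user],
                            auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        del self.pending[user]
        return True, "ok"


def simulate_login(browser_origin, proxy_rewrites=False):
    """One assertion ceremony with the user's browser on browser_origin. An AiTM
    proxy relays the challenge unchanged; with proxy_rewrites it also patches
    the unsigned fields (origin, rpId hash) to look like the real site."""
    rp = RelyingParty(REAL_ORIGIN)
    key = Authenticator()
    rp.register("alice", key.secret)
    challenge = rp.new_challenge("alice")               # relayed verbatim by the proxy
    client_data = browser_client_data(challenge, browser_origin)
    auth_data, sig = key.sign(rp_id_for(browser_origin),
                              hashlib.sha256(client_data).digest())
    if proxy_rewrites:
        client_data = browser_client_data(challenge, REAL_ORIGIN)
        auth_data = hashlib.sha256(rp.rp_id.encode()).digest()
    return rp.verify("alice", client_data, auth_data, sig)


if __name__ == "__main__":
    print("real site    :", simulate_login(REAL_ORIGIN))
    print("via proxy    :", simulate_login(PHISH_ORIGIN))
    print("proxy patched:", simulate_login(PHISH_ORIGIN, proxy_rewrites=True))
```

The three runs show the whole argument: on the real origin the assertion verifies; relayed from the proxy host it fails the origin check; and if the proxy patches the unsigned fields to look right, the signature no longer covers what the relying party is checking. Nothing the proxy can see is sufficient to produce a valid assertion for the real origin, which is what "phishing-resistant" means in practice.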

What Does This Mean for Your MFA Strategy?

It means MFA is necessary but not sufficient. To defend against AiTM attacks, organizations should:

  • Deploy phishing-resistant MFA methods like FIDO2 security keys or passkeys.
  • Implement conditional access policies that block sign-ins from unrecognized devices and locations.
  • Monitor for impossible travel alerts and anomalous session token usage.
  • Adopt a zero trust architecture where authentication is continuous, not one-and-done.
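Two of the detections in that list, impossible travel and anomalous session token usage, can be expressed as a few lines of logic over sign-in telemetry. The block below is an added example for this post, not code from the original article or from any identity provider: it runs both checks over a handful of constructed sign-in events. The speed ceiling, the log format and every event (including the IP addresses and coordinates) are assumptions for illustration; in production these fields come from your identity provider's sign-in logs and a geolocation lookup.

```python
# Added example (not from the original post): two of the AiTM signals listed
# above, run over constructed sign-in events. Thresholds and the sample events
# (including the geolocations) are assumptions for illustration.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: roughly airliner cruise speed
EARTH_RADIUS_KM = 6371.0

# Constructed events: timestamp, user, source IP, approx latitude/longitude, session id.
SIGNIN_LOG = [
    "2026-03-04T09:00:00Z alice 198.51.100.7  40.7128 -74.0060 sess-a1",   # New York
    "2026-03-04T09:20:00Z alice 203.0.113.9   52.3676   4.9041 sess-a1",   # Amsterdam, same session
    "2026-03-04T09:05:00Z bob   198.51.100.20 42.3601 -71.0589 sess-b1",   # Boston
    "2026-03-04T15:00:00Z bob   198.51.100.20 40.7128 -74.0060 sess-b2",   # New York, fresh session
]


def parse_event(line):
    ts, user, ip, lat, lon, session = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "ip": ip, "lat": float(lat), "lon": float(lon), "session": session}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_anomalies(lines):
    """Return a list of (user, alert_type, detail) tuples."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    last_by_user = {}
    session_first_ip = {}
    for ev in events:
        # A session token presented from a different source than it was issued to is
        # what a stolen AiTM session looks like once the attacker replays it.
        first_ip = session_first_ip.setdefault(ev["session"], ev["ip"])
        if ev["ip"] != first_ip:
            alerts.append((ev["user"], "session_reuse",
                           f"session {ev['session']} issued to {first_ip}, now used from {ev['ip']}"))
        prev = last_by_user.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Distance covered faster than any real traveller could manage.
            if (hours == 0 and km > 50) or (hours > 0 and km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((ev["user"], "impossible_travel",
                               f"{km:.0f} km in {hours * 60:.0f} min between {prev['ip']} and {ev['ip']}"))
        last_by_user[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SIGNIN_LOG):
        print(*alert)
```

On the constructed data alice trips both rules (the same session id appears from a second IP a continent away twenty minutes later) while bob's Boston-to-New York day produces nothing. The session-reuse rule is the one that matters most for AiTM, because a replayed token often arrives with a perfectly ordinary geography; keying it on ASN or device fingerprint rather than raw IP reduces noise from mobile carriers.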

The NIST Cybersecurity Framework emphasizes continuous verification as a core principle. AiTM phishing is the reason why.

What Exactly Is a Phish Tour?

A phish tour is a structured walkthrough of the phishing techniques, tools, and tactics that threat actors use to compromise individuals and organizations. Think of it as a guided tour of the battlefield — you see how each attack works, where the traps are set, and what defenses actually stop them. Security teams use phish tours as educational exercises, often paired with phishing simulation campaigns, to give employees concrete examples of what they're up against.

Stop Six: Ransomware's Favorite Front Door

Most ransomware attacks begin with a phish. The Verizon DBIR has confirmed this pattern year after year. A single clicked link or opened attachment delivers initial access. From there, the attacker moves laterally, escalates privileges, exfiltrates data, and deploys ransomware — often all within 24 to 48 hours.

The financial impact is staggering. IBM's Cost of a Data Breach Report 2024 pegged the global average cost of a data breach at $4.88 million. Ransomware incidents often exceed that figure when you factor in downtime, recovery costs, regulatory fines, and reputational damage.

If phishing is the front door for ransomware, then your anti-phishing defenses are your most important investment. That means:

  • Layered email security with sandboxing, URL rewriting, and attachment detonation.
  • Regular phishing simulation exercises that test employees with realistic scenarios.
  • Incident response procedures that empower employees to report suspicious messages without fear of punishment.
  • Endpoint detection and response (EDR) tools that catch what email filters miss.

The most resilient organizations I've worked with treat phishing defense as a continuous program, not a checkbox. They run phishing simulations and awareness training monthly, not annually.

Stop Seven: Social Media and Collaboration Platform Phishing

Your attack surface isn't limited to email. Threat actors increasingly target Slack, Microsoft Teams, LinkedIn, and even Discord to deliver phishing payloads. These platforms often enjoy higher trust levels than email, which means click-through rates on malicious links are significantly higher.

The Microsoft Teams attack I described at the top of this post isn't an outlier — it's a trend. In 2024, researchers documented multiple campaigns where attackers used compromised Microsoft 365 accounts to send Teams messages containing malicious links to hundreds of employees simultaneously.

Extending Your Defenses Beyond the Inbox

Your security awareness program must cover every communication channel your organization uses. If your training only covers email phishing, you're leaving massive gaps. Employees need to understand that a suspicious link in Teams, Slack, or a LinkedIn direct message is just as dangerous as one in their inbox.

A comprehensive security awareness training program covers all of these attack vectors — not just the ones that were popular five years ago.

The $4.88M Lesson Most Organizations Learn Too Late

Every stop on this phish tour has one thing in common: the human element. Technical controls are essential. Email gateways, EDR, SIEM, zero trust architecture — all critical. But every one of these attacks ultimately succeeds or fails based on whether a human makes the right decision in a three-second window.

That's why the organizations with the lowest breach rates invest heavily in their people. Not once-a-year compliance training. Continuous, engaging, scenario-based training that keeps pace with the threat landscape.

Here's what I recommend for any organization that takes this seriously:

  • Monthly phishing simulations with varied, realistic scenarios across email, SMS, and collaboration platforms.
  • Just-in-time training that delivers a learning moment immediately when someone falls for a simulation.
  • Executive buy-in — leadership must participate in training and simulations, not exempt themselves.
  • Metrics that matter — track click rates, report rates, and time-to-report, not just completion percentages.
  • Phishing-resistant MFA deployed across all critical systems.
  • Zero trust principles applied to network access, identity verification, and data handling.

Your Next Move

You've just completed the phish tour. You've seen the classic email phish, spear phishing, BEC, smishing, vishing, quishing, AiTM attacks, ransomware entry points, and collaboration platform threats. Every one of these is active, evolving, and targeting organizations exactly like yours right now.

The gap between organizations that get breached and those that don't isn't budget — it's preparation. Start building that preparation today with cybersecurity awareness training that actually reflects the current threat landscape. And if phishing is your biggest concern — and statistically, it should be — get your team enrolled in dedicated phishing awareness training built for the threats of 2026, not 2020.

The attackers are running their own tour. Make sure your team has already seen the show.