A Single Phishing Email Just Cost a Healthcare System $65 Million

If you follow phishing news, you already know the headlines keep getting worse. Change Healthcare's 2024 breach — triggered by compromised credentials and the absence of multi-factor authentication — led to a reported $22 billion disruption across the U.S. healthcare system. The aftershocks are still being felt. And that was just one attack from one threat actor group.

This post is your briefing on what's actually happening in phishing right now: the techniques that are landing, the industries getting hit hardest, and the specific steps I've seen work in organizations that refuse to become the next case study. If you're responsible for protecting people, data, or systems, this is the phishing news that matters.

Why Phishing News Dominates Every Threat Report in 2026

The Verizon 2024 Data Breach Investigations Report confirmed that phishing and pretexting accounted for over 73% of social engineering breaches. That number has been climbing steadily. The FBI's Internet Crime Complaint Center (IC3) found phishing to be the most-reported cybercrime type by volume in its 2023 annual report, with over 298,000 complaints filed that year alone.

Those numbers only reflect what gets reported. In my experience consulting with mid-size organizations, fewer than one in five phishing incidents ever makes it into an official report. The real volume is staggering.

The Shift From Spray-and-Pray to Surgical Precision

The phishing news cycle used to be dominated by mass-blast campaigns — Nigerian prince emails, fake lottery wins, obvious grammar errors. That era is over. Today's threat actors conduct detailed reconnaissance using LinkedIn, corporate websites, and even SEC filings to craft messages that are nearly indistinguishable from legitimate business communications.

Business email compromise (BEC) is the clearest example. A threat actor studies your organization's leadership, mimics their writing style, and sends a targeted request to someone in finance. No malware. No suspicious links. Just a convincing email asking for a wire transfer or a change to vendor payment details. The FBI IC3 reported BEC losses exceeding $2.9 billion in 2023.

AI-Generated Phishing: The Game Changer

Generative AI has removed the last reliable detection signal many employees had: poor grammar and awkward phrasing. Threat actors now use large language models to generate phishing emails in flawless English — or any other language. They can localize content, match corporate tone, and produce dozens of unique variants in minutes.

I've reviewed phishing simulations where AI-generated lures achieved click rates above 35%. That's not a typo. When the email reads exactly like something your CEO would write, your employees click. This is why phishing awareness training for organizations has become a non-negotiable investment, not a checkbox exercise.

The Attack Vectors Making Phishing News Right Now

QR Code Phishing (Quishing) Is Exploding

One of the biggest stories in phishing news over the past year has been the rise of QR code phishing, sometimes called "quishing." Attackers embed malicious QR codes in emails, PDF attachments, and even physical mailers. When scanned, these codes redirect victims to credential theft pages that perfectly mimic Microsoft 365 login portals, banking sites, or HR platforms.

Why does this work? Most email security gateways don't scan QR codes embedded in images or PDFs. The attack bypasses your technical controls entirely and relies on the human clicking — or in this case, scanning — without thinking. CISA issued guidance on this emerging vector, reinforcing the need for updated cybersecurity best practices that address mobile device threats.

Multi-Factor Authentication Bypass Kits

Here's a piece of phishing news that should concern every security team: adversary-in-the-middle (AiTM) phishing kits now routinely bypass multi-factor authentication. Tools like EvilProxy and Evilginx2 act as reverse proxies, sitting between the victim and the legitimate login page. The victim enters their credentials and MFA token. The attacker captures the session cookie in real time.

This doesn't mean MFA is worthless. It means MFA alone isn't enough. Organizations need to pair MFA with phishing-resistant authentication methods like FIDO2 hardware keys, conditional access policies, and a zero trust architecture that validates every session continuously.
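The reason a FIDO2 key survives the reverse-proxy trick above is that the credential is bound to the site, not to the user. The following is an added example, not code from the original post or from any WebAuthn library, that models the two bindings a relying party relies on: the authenticator only signs for the rpId that matches the page origin the browser is really on, and the signed clientDataJSON carries that origin so the relying party can check it. The origins, host names and the HMAC used in place of a real asymmetric signature are all assumptions made for the illustration.

```python
"""Added example (not part of the original post): why a FIDO2/WebAuthn
credential survives an adversary-in-the-middle proxy while a password
plus OTP does not.  Two properties are modelled:

  1. The credential is scoped to a relying-party ID (rpId); the browser
     only lets it sign for a page whose origin host matches that rpId.
  2. The signed clientDataJSON embeds the origin the browser actually
     talked to, and the relying party compares it with its own origin.

A proxy on a look-alike host fails both checks.  The signature is stood
in for with an HMAC over a per-credential secret (assumption: real
WebAuthn uses an asymmetric key pair; the binding logic is identical).
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class Authenticator:
    """Models a hardware key: one secret per rpId, never exported."""

    def __init__(self):
        self._creds = {}  # rpId -> credential secret

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # shared with the RP once, at enrollment

    def sign(self, rp_id, client_data_json):
        if rp_id not in self._creds:
            raise LookupError(f"no credential scoped to rpId {rp_id!r}")
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._creds[rp_id], to_sign, "sha256").digest()


class Browser:
    """Derives the rpId from the origin of the page the user is really on."""

    def __init__(self, authenticator):
        self.auth = authenticator

    def get_assertion(self, origin, challenge):
        rp_id = urlparse(origin).hostname
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}
        ).encode()
        auth_data, sig = self.auth.sign(rp_id, client_data)
        return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self.cred_secret = None

    def enroll(self, authenticator):
        self.cred_secret = authenticator.register(self.rp_id)

    def new_challenge(self):
        return secrets.token_urlsafe(32)

    def verify(self, challenge, client_data, auth_data, sig):
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
            return False, "bad ceremony type or stale challenge"
        if data.get("origin") != self.origin:           # binding 2
            return False, f"origin mismatch: {data.get('origin')}"
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.cred_secret,
                            auth_data + hashlib.sha256(client_data).digest(),
                            "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return False, "signature invalid"
        return True, "ok"


def login_attempt(page_origin, rp, browser):
    """The user completes the ceremony on page_origin; the result reaches rp."""
    challenge = rp.new_challenge()
    try:
        client_data, auth_data, sig = browser.get_assertion(page_origin, challenge)
    except LookupError as exc:                          # binding 1 fired
        return False, str(exc)
    return rp.verify(challenge, client_data, auth_data, sig)


def demo():
    rp = RelyingParty("https://login.example.com")      # constructed origin
    key = Authenticator()
    rp.enroll(key)
    browser = Browser(key)
    genuine = login_attempt("https://login.example.com", rp, browser)
    # The user was lured to a proxy on a look-alike host (constructed name).
    proxied = login_attempt("https://login.example-com.net", rp, browser)
    return genuine, proxied
```

Running `demo()` returns a success for the genuine origin and a refusal for the look-alike one. The refusal happens before anything is signed: the browser cannot find a credential for the proxy's host, so there is nothing for the proxy to relay. A password and a six-digit code have no such binding; the user types the same secret on either page, which is exactly what the kits mentioned above exploit.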

Callback Phishing and Voice-Based Social Engineering

Another trend dominating phishing news: callback phishing. The victim receives an email about a charge, subscription renewal, or account issue. There's no malicious link — just a phone number. When the victim calls, a live social engineering operator walks them through installing remote access software or divulging credentials.

This technique surged after the Conti ransomware group popularized it through their BazarCall campaigns. It's now a standard playbook item for multiple threat actor groups because it completely sidesteps email filtering, link scanning, and URL reputation checks.

What Is the Biggest Phishing Threat in 2026?

The biggest phishing threat organizations face in 2026 is credential theft at scale through AI-powered, multi-channel social engineering. Attackers combine convincing emails, fake voice calls (vishing), SMS phishing (smishing), and even deepfake video to compromise a single high-value target. The attack doesn't rely on one channel — it uses multiple touchpoints to build trust and urgency. Defending against this requires layered security awareness training, phishing-resistant MFA, continuous identity verification aligned with zero trust principles, and regular phishing simulation exercises to keep employees sharp.

Real Breaches That Started With a Phishing Email

MGM Resorts (2023)

The MGM Resorts breach that brought Las Vegas operations to a standstill started with a social engineering call to the IT help desk. The Scattered Spider threat actor group used information gathered from LinkedIn to impersonate an employee, reset credentials, and gain access to MGM's Okta environment. The resulting disruption cost MGM an estimated $100 million.

Twilio (2022)

Twilio employees received SMS phishing messages directing them to a fake login page. The attackers captured credentials, accessed internal systems, and ultimately reached data belonging to over 130 Twilio customers — including the secure messaging app Signal. The attack demonstrated how a single phishing vector could cascade across an entire supply chain.

The Lesson in Every Case

In every major breach I've analyzed that traces back to phishing, the pattern is identical. Technical controls either missed the initial lure or didn't exist for that vector. The human was the last line of defense — and they weren't prepared. That's not a criticism of individual employees. It's a failure of organizational training.

Investing in cybersecurity awareness training that goes beyond annual compliance videos is the single highest-ROI security investment most organizations can make.

Your Phishing Defense Playbook: What Actually Works

1. Run Realistic Phishing Simulations Monthly

Annual simulations are useless. Threat actors don't attack once a year. Run monthly phishing simulation campaigns that mirror real-world techniques — QR codes, BEC lures, callback phishing scenarios. Track metrics over time. Identify repeat clickers and provide targeted coaching, not punishment.

2. Deploy Phishing-Resistant MFA

Standard SMS-based MFA is better than nothing, but it's vulnerable to SIM swapping and AiTM attacks. Move to FIDO2 security keys or passkeys for your highest-risk accounts. Conditional access policies that evaluate device compliance, location, and risk signals add another critical layer.

3. Implement a Zero Trust Architecture

Zero trust assumes breach. Every access request gets verified regardless of whether it originates inside or outside your network perimeter. This limits the damage a compromised credential can cause. If a phished employee's session token gets stolen, zero trust policies can detect anomalous behavior and revoke access before lateral movement begins.
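The "detect anomalous behavior and revoke access" step above is concrete enough to show in code. The following is an added example, not part of the original post and not any vendor's product logic, that replays constructed sign-in and activity events and flags a session token that is suddenly used by a different client than the one it was issued to. The event schema, field names, host addresses and the two-hour travel window are assumptions.

```python
"""Added example (not part of the original post): a small detector for the
stolen-session-token case.  Each session is fingerprinted at sign-in; later
activity on the same session from a different client is flagged for
revocation.  Event fields are assumptions, not a vendor schema."""
import json
from datetime import datetime, timedelta

# Constructed events (not real logs).  j.doe signs in from a laptop, then the
# same session id shows up from another IP and user agent minutes later.
SAMPLE_EVENTS = """
{"ts": "2026-03-02T09:00:00Z", "user": "j.doe", "session": "s-4f1a", "event": "signin", "ip": "198.51.100.23", "ua": "Edge/122 Windows", "country": "US"}
{"ts": "2026-03-02T09:05:10Z", "user": "j.doe", "session": "s-4f1a", "event": "mailbox.read", "ip": "198.51.100.23", "ua": "Edge/122 Windows", "country": "US"}
{"ts": "2026-03-02T09:11:42Z", "user": "j.doe", "session": "s-4f1a", "event": "inbox_rule.create", "ip": "203.0.113.77", "ua": "Chrome/121 Linux", "country": "NL"}
{"ts": "2026-03-02T09:30:00Z", "user": "a.lee", "session": "s-9c02", "event": "signin", "ip": "192.0.2.8", "ua": "Safari/17 macOS", "country": "US"}
{"ts": "2026-03-02T10:02:00Z", "user": "a.lee", "session": "s-9c02", "event": "mailbox.read", "ip": "192.0.2.8", "ua": "Safari/17 macOS", "country": "US"}
"""

MAX_TRAVEL = timedelta(hours=2)  # assumption: tune to your environment


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_hijack(events):
    """Return alerts naming each session whose token left its original client."""
    issued = {}   # session -> (ip, ua, country, ts) captured at sign-in
    alerts = []
    for e in events:
        key = e["session"]
        if e["event"] == "signin":
            issued[key] = (e["ip"], e["ua"], e["country"], e["ts"])
            continue
        if key not in issued:
            alerts.append({"session": key, "user": e["user"], "event": e["event"],
                           "reason": "activity on a session with no observed sign-in",
                           "action": "revoke session, require re-authentication"})
            continue
        ip, ua, country, ts0 = issued[key]
        reasons = []
        if e["ip"] != ip and e["ua"] != ua:
            reasons.append("token reused from a different IP and user agent")
        if e["country"] != country and e["ts"] - ts0 < MAX_TRAVEL:
            reasons.append(f"country changed {country}->{e['country']} within {MAX_TRAVEL}")
        if reasons:
            alerts.append({"session": key, "user": e["user"], "event": e["event"],
                           "reason": "; ".join(reasons),
                           "action": "revoke session, require re-authentication"})
    return alerts


def run():
    return detect_session_hijack(parse_events(SAMPLE_EVENTS))
```

`run()` yields a single alert for session `s-4f1a` on the `inbox_rule.create` event, which is the point where a continuously evaluated policy would revoke the token rather than wait for the next scheduled sign-in. The second user's session never changes client and is left alone.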

4. Build a Reporting Culture, Not a Blame Culture

Your employees are your sensors. If they're afraid to report a suspicious email because they clicked a link, you've already lost. Build a culture where reporting is fast, easy, and rewarded. A dedicated "Report Phish" button in your email client reduces friction. Publicly acknowledge employees who catch real attacks.

5. Layer Email Security Controls

No single product catches everything, but stacking controls dramatically reduces risk. Deploy DMARC, DKIM, and SPF to prevent domain spoofing. Use an advanced email security gateway that inspects attachments, sandboxes URLs, and flags anomalies. Supplement with an AI-based post-delivery protection tool that can claw back emails after they reach inboxes.
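SPF and DKIM each authenticate some domain, but neither on its own says anything about the From: address the recipient actually sees; DMARC is the layer that checks whether the authenticated domain is aligned with that From: domain and what to do when it is not. The following is an added example, not code from the original post or from any mail filter, that evaluates a DMARC policy record against SPF and DKIM results for a few constructed messages. The record, the domain names and the message results are constructed, and the organizational-domain helper is a simplification noted in the code.

```python
"""Added example (not part of the original post): how SPF, DKIM and DMARC
combine.  SPF authenticates the envelope sender domain, DKIM the d= domain
in the signature; DMARC requires one of them to pass *and* align with the
visible From: domain, otherwise the domain owner's policy applies.
All records, domains and results below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into its tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record (needs v=DMARC1 and p=)")
    return tags


def org_domain(domain):
    """Organizational domain.  Assumption: last two labels; production code
    must consult the Public Suffix List (co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class MessageAuth:
    from_domain: str                       # RFC5322.From domain
    spf_domain: Optional[str] = None       # RFC5321.MailFrom domain SPF checked
    spf_result: str = "none"               # pass / fail / softfail / none ...
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (d=, result)


def evaluate_dmarc(record_txt, msg):
    """Return the DMARC result and the disposition the receiver should apply."""
    tags = parse_dmarc_record(record_txt)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_ok = (msg.spf_result == "pass" and msg.spf_domain is not None
              and aligned(msg.from_domain, msg.spf_domain, aspf))
    dkim_ok = any(result == "pass" and aligned(msg.from_domain, d, adkim)
                  for d, result in msg.dkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "via": "spf" if spf_ok else "dkim"}
    # On failure, 'sp' governs subdomains of the org domain, else 'p'.
    is_subdomain = msg.from_domain.lower() != org_domain(msg.from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"dmarc": "fail", "disposition": policy,
            "pct": int(tags.get("pct", "100"))}


# Constructed record for example.com: reject, strict DKIM, relaxed SPF,
# quarantine for subdomains.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                  "rua=mailto:dmarc@example.com")


def scenarios():
    genuine = MessageAuth("example.com", spf_domain="bounce.example.com",
                          spf_result="pass", dkim=[("example.com", "pass")])
    # Spoofed From: header sent from the sender's own infrastructure: SPF and
    # DKIM both pass, but for a domain that does not align with From:.
    spoofed = MessageAuth("example.com", spf_domain="lookalike-sender.net",
                          spf_result="pass", dkim=[("lookalike-sender.net", "pass")])
    # Marketing subdomain signed as the parent: strict adkim rejects the DKIM
    # alignment, relaxed aspf still lets SPF carry it.
    sub = MessageAuth("news.example.com", spf_domain="news.example.com",
                      spf_result="pass", dkim=[("example.com", "pass")])
    # Subdomain with no aligned pass at all: the 'sp' policy applies.
    sub_spoof = MessageAuth("news.example.com", spf_domain="lookalike-sender.net",
                            spf_result="pass")
    return {name: evaluate_dmarc(EXAMPLE_RECORD, m) for name, m in
            [("genuine", genuine), ("spoofed", spoofed),
             ("subdomain", sub), ("subdomain_spoof", sub_spoof)]}
```

The "spoofed" case is the one that matters for the advice above: a message can carry a perfectly valid SPF pass and DKIM signature and still be a forgery of your domain, because those checks vouch for the sending domain, not the one in the From: header. Only a DMARC policy with p=reject (and aligned DKIM signing on every legitimate source, including third-party senders) turns that into a rejection at the receiving end.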

6. Train for the Threats of Today, Not 2019

If your security awareness program still focuses primarily on recognizing misspelled emails from unknown senders, you're training for threats that barely exist anymore. Modern training must cover AI-generated lures, QR code phishing, callback phishing, deepfake voice attacks, and social media reconnaissance. Programs like our phishing awareness training are designed around these current attack patterns.

Phishing News You Should Be Tracking

Staying current on phishing news isn't optional if you're in security. Here are the sources I check regularly:

  • CISA Alerts and Advisories — Real-time threat notifications from the Cybersecurity and Infrastructure Security Agency.
  • FBI IC3 Annual Reports — Hard data on phishing complaint volumes, financial losses, and emerging trends.
  • Verizon DBIR — The gold standard for breach pattern analysis, updated annually.
  • NIST Cybersecurity Framework — Foundational guidance for building and measuring your security program.

I also recommend subscribing to threat intelligence feeds from your email security vendor and participating in industry ISACs (Information Sharing and Analysis Centers) relevant to your sector.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's Cost of a Data Breach Report has consistently found that phishing is among the most expensive initial attack vectors, with the global average cost of a data breach reaching $4.88 million in their 2024 report. Organizations with security awareness training programs and incident response plans in place consistently cut that cost by over a third.

The math is straightforward. Investing in continuous training, realistic simulations, and modern authentication saves millions compared to the cost of a single successful phishing attack. Your organization can start building that resilience now with structured cybersecurity awareness training that covers the full spectrum of social engineering threats.

What Comes Next in Phishing

Deepfake audio and video phishing will become mainstream attack tools. We're already seeing threat actors clone executive voices from earnings calls and YouTube interviews to authorize fraudulent transactions over the phone. Multi-channel attacks — combining email, voice, SMS, and messaging apps in a single campaign — will become the norm rather than the exception.

The organizations that survive this next wave won't be the ones with the best firewalls. They'll be the ones whose people can recognize social engineering in any form, on any channel, at any time. That's a training problem, a culture problem, and a leadership problem — all at once.

Stay sharp. Stay skeptical. And make sure your people are ready for the phishing news that hasn't been written yet.