Published: 26 May 2026 · Roy Morken, Datafolka
Phishing in 2026: 7 new techniques your employees don't know about
Verizon Data Breach Investigations Report 2025 found that 16 percent of all data breaches start with phishing, and that 60 percent of breaches involve a human action. Against small and medium-sized businesses, the picture is even sharper: 88 percent of SMB breaches involve ransomware, compared with 39 percent for larger organisations. Phishing is no longer just an email problem. It is the most common entry point ransomware attacks use.
Most employees have been trained on a version of phishing that no longer exists. "Check the email for grammar mistakes" worked in 2018. In 2026, the attacker writes flawless text with ChatGPT, pulls the profile picture and job title from LinkedIn, and references a real project from last quarter's report. Clicks do not happen because employees are careless. They happen because training from 2018 does not recognise the attack of 2026.
This guide covers seven phishing techniques that have become common in the past 18 months, how they work technically, what an employee actually sees, and what offers protection. At the end you will find a comparison of phishing simulator tools for SMBs and a 24-hour response plan for when someone clicks – because someone will click.
Why 2026 phishing is different
Three technological shifts have changed how phishing looks. Each shift is straightforward to explain, but the combination means that old recognition rules no longer hold.
AI-generated text eliminates grammar tells. The classic phishing email with odd inflections, strange punctuation, and broken phrasing was produced with Google Translate or by an attacker with no knowledge of Norwegian. ChatGPT, Claude, and Gemini write flawless text in seconds. Proofpoint's State of the Phish series has documented that AI-written lure messages measurably achieve higher click rates than manually written ones. Employees looking for language errors are looking for something that is no longer there.
Deepfake voices are production-ready. A 30-second audio sample from a podcast interview, a YouTube presentation, or a LinkedIn video is enough to clone the voice of a CEO or CFO using open source tools. Vishing – voice phishing – can therefore call an accounts payable manager using the managing director's voice, requesting an urgent transfer. Mnemonic and other Nordic threat intelligence providers have confirmed this is active in Norway against CFOs and finance managers.
OSINT is automated. What previously required an hour of research per target – who works together, who reports to whom, which vendors the company uses, which projects are active – can now be scraped from LinkedIn, company websites, and public contracts in a minute. The result is that each phishing email can be personalised to a specific role at a specific company without the attacker spending extra time on it. Mass spear-phishing is no longer a contradiction.
The 7 new techniques
Each technique is described with how it looks to employees, how it works technically, and what offers protection. The order reflects how prevalent each technique is for Norwegian SMBs in 2025–2026.
1. AI spear-phishing with LinkedIn scraping
The attacker retrieves an employee's LinkedIn profile, identifies their role, manager, and colleagues, and also fetches the company's latest client case or press release from the website. ChatGPT generates an email that appears to come from the manager, references the real project, asks for help with a quick task, and includes a link to a shared document.
The employee sees an email from a familiar sender, with a relevant context, and a link that looks like SharePoint or Google Drive. There are no typos. The greeting phrase matches how the manager actually writes, because the AI has trained on public examples.
Technical mechanics: The sender address is usually a lookalike domain (datafoLka.no with a capital L, or datafolka.co), or a compromised account at a vendor. The link points to a fake M365 login page or a Google Workspace spoof that captures the password and MFA code in real time.
Protection: DMARC, DKIM, and SPF on all domains mean lookalike emails often end up in junk – but not always. FIDO2 hardware keys are the only truly phishing-resistant control, because the key will not authenticate against a fake domain. Training: teach employees to check the sender domain character by character, not just the display name.
2. Quishing – phishing with QR codes
The QR code sits in the email as an image. The email filter scans text and URLs but not always the image content. The employee scans the code with their phone to avoid typing a long URL, and lands on a phishing page – which may not be subject to the company's network controls because the phone is running on 4G or home Wi-Fi.
Common covers: fake parking fines, fake vendor scan codes for invoices, fake MFA onboarding screens in lobbies or meeting rooms, fake ticket scan codes. Mnemonic and other Nordic security vendors have seen all these variants in Norway in the past 18 months.
Technical mechanics: The QR code reveals a URL only when scanned. The mobile browser sometimes previews the URL before opening it, but not always. If the company VPN is not active on the phone, the content filter that would have blocked the domain on a company PC is also bypassed.
Protection: Require employees to use a company phone with MDM (Microsoft Intune, Jamf, Workspace ONE) that routes all traffic through company DNS with a phishing filter. Training: NEVER scan a QR code in an email without zooming in on the URL preview first. If the URL is shortened (bit.ly, t.co): do not open. For physical QR codes on walls or tables: check whether the code has been stuck over an older one (a common takeover trick).
3. MFA fatigue and push bombing
The attacker already has the password, often from a data leak or credential stuffing. Verizon DBIR 2025 documented that 22 percent of breaches started with credential abuse. MFA is the second-to-last line of defence. The attacker logs in again and again, and each login attempt sends a push notification to the employee's phone. Eventually the employee approves it to make the notification go away, or because they think it is a bug.
Variant: the attacker calls the employee after the first push and says "hi, this is IT, we are testing the MFA system, can you approve your push". That is social engineering combined with a technical attack. The classic example was the 2022 Uber breach, but it still happens against SMBs where IT is an internal person or an external provider whose voice employees do not recognise.
Technical mechanics: The attacker attempts login without seeing the MFA code. Push-based MFA implementations (Microsoft Authenticator standard, Duo) send only an "approve/reject" notification without number matching. Each approval grants the login.
Protection: Enable "number matching" in Microsoft Authenticator (requires the employee to type a code from the login screen into the app). Set up risk-based login in Microsoft Entra Conditional Access – block logins from unknown countries, unknown devices, or after multiple failed attempts in a short time. For admin accounts: replace push MFA with a FIDO2 key. Training: "if IT calls and asks you to approve an MFA push, decline and call back on a number you find in the company directory".
4. Vendor email compromise
The attacker compromises an email account at a vendor – typically a smaller sub-contractor or an accountant without MFA. From there, an invoice or payment instruction is sent to customers, with the correct sender, the correct signature, and a changed bank account number in the final detail. The customer pays in good faith.
This is the most common variant of business email compromise. The Verizon DBIR series has documented that a significant share of financial losses in data breaches come from exactly this mechanism. NSM Risiko 2025 also notes that supply chain attacks often begin with a smaller sub-contractor that lacks basic security controls.
Technical mechanics: The vendor's account is real and compromised, so DMARC, DKIM, and SPF pass with a green light. The email filter cannot tell the difference between a genuine and a fraudulent email from the same sender. Even phishing-resistant hardware at the customer's end does not help – it was not the customer's account that was compromised.
Protection: Establish an internal policy that any change to a vendor's bank account is always verified by phone on a number found in the company's supplier register, not from the signature in the email. Set a threshold for payments requiring dual authorisation. Use email tagging in M365 or Google Workspace that clearly flags emails from external senders – many employees forget that an email from a familiar vendor is still technically external. Train the finance team: any bank detail change arriving by email is verified by phone.
5. Vishing with deepfake voice
Vishing – voice phishing – is not new. What is new is that the attacker calls using a cloned voice. Thirty seconds of publicly available audio is enough to train on. An employee receives a call from "the managing director" requesting an urgent transfer to a new vendor because a client is about to be lost. The voice matches. The background noise fits (driving noise, café). The pressure to act quickly feels real.
This has been documented across many jurisdictions and is not a hypothetical threat. For SMBs in Norway, Mnemonic and other Nordic security teams have reported it actively – particularly against CFOs, finance managers, and accounts payable staff at companies with fewer than 50 employees, where the managing director's voice is easily recognisable but no formal verification procedures exist.
Technical mechanics: Voice synthesis from public audio is openly available. ElevenLabs and similar tools generate convincing clones. Caller ID spoofing makes the phone display a familiar name from the contact book.
Protection: Establish a fixed procedure for urgent transfers – any payment above an agreed threshold (typically 50,000 kr) requires two approvals, and at least one of those approvals comes face-to-face or via a verified channel that is not the same call. Agree on a passphrase to use verbally in urgent situations. Train employees: "if the managing director calls and requests an urgent transfer, say you need to check in the accounting system and will call back on the number listed there". A genuine managing director will never take offence at that.
6. Browser-in-the-browser
The employee opens a link. A popup appears that looks like a standard login window for Microsoft, Google, or another familiar service. The address bar says microsoft.com or google.com. The logo is correct. The certificate icon is there.
It is not a real popup window. It is an HTML element on the original phishing page rendered to look like a popup window, including a fake address bar. The employee's password and MFA code are entered into a form that is sent to the attacker, not to Microsoft.
Technical mechanics: JavaScript and CSS make a div container look like an operating system popup. The user cannot drag the "popup" out of the browser tab, but few people notice. Password managers that autofill credentials will not autofill here, because they recognise the actual domain – which is the attacker's domain, not microsoft.com.
Protection: Use a password manager (1Password, Bitwarden, Microsoft Edge, browser-native) for all logins. If the password manager does not offer to autofill, the page is not genuine. Teach employees never to type passwords manually. Set up Conditional Access requiring FIDO2 for admin accounts – the browser-in-the-browser trick does not work against hardware keys.
7. Calendar invite phishing
The attacker sends a calendar invitation in Outlook or Google Calendar. The description contains a link to a "preparation document", "agenda", or "Zoom room". If the employee simply accepts the invitation, it lands in the calendar and the link appears to come from a familiar colleague – because it is the calendar displaying it, not an email from an unknown address.
Common variant: an invitation from an external "customer" or "partner" with a Teams or Zoom link. When the employee clicks to join, they land on a fake login page. Or an invitation with an "agenda.pdf" attachment containing a macro trojan.
Technical mechanics: The ICS format supports rich text and links in the description. Many email clients accept calendar invitations without scanning links as thoroughly as regular emails. Outlook displays the invitation alongside the inbox, not inside it, so the email filter does not always apply.
Protection: In Microsoft 365 and Google Workspace: require manual approval of calendar invitations from external senders before they land in the calendar. Enable Safe Links or equivalent scanning of links in calendar descriptions. Training: teach employees to check the sender on calendar invitations as carefully as on email, and not to click links in invitation descriptions without confirming the sender.
What ACTUALLY works against modern phishing
After seven techniques it is easy to feel overwhelmed. The good news is that four technical controls together stop most attacks – even AI-driven ones.
FIDO2 / hardware keys over SMS MFA
YubiKey and similar FIDO2 devices are phishing-resistant because the protocol will not authenticate against a fake domain. The browser-in-the-browser trick and lookalike domains both fail on this single technical fact. For admin accounts, finance access, and accounts with access to customer data, FIDO2 should be the standard. Cost: 600–900 kr per key, and each person should have two (one primary, one backup).
Conditional Access and risk-based login
Microsoft Entra (formerly Azure AD) and Google Workspace both support blocking logins based on risk signals: login from an unknown country, an unknown device, after multiple failed attempts, or from the TOR network. Enable these policies for admin accounts first, then for all employees. M365 Business Premium includes this at no extra cost. Google Workspace Business Plus includes the equivalent.
DMARC, DKIM, and SPF on all domains
These three handle email authentication at the sender domain level. SPF specifies which servers are allowed to send from your domain. DKIM signs emails cryptographically. DMARC ties SPF and DKIM together and tells receiving servers what to do with email that fails the checks. Configured correctly, this means attackers cannot send email that appears to come from @yourcompany.com. Check your configuration at dmarcian.com. Many SMBs have SPF but not DKIM or DMARC. That is a half-finished configuration.
Quarterly phishing simulations, not an annual course
Employees are the last line of defence, not the first. The training must be kept current. NorSIS's survey for 2024 shows that 30 percent of Norwegians received formal digital security training that year, and that 65 percent of those said their skills improved as a result. Those who received no training did not improve. Quarterly simulation with three-to-five minute follow-up micro-courses for those who click delivers more impact than one hour of annual e-learning.
Phishing simulator tools compared
Three options cover most SMB needs. The choice depends on in-house IT expertise, budget, and how much automation you want.
| Tool | Cost | Setup | Best for |
|---|---|---|---|
| GoPhish (open source) | 0 kr licence, internal time | 4–8 hours + ongoing maintenance | Companies with in-house IT expertise that want full control |
| Hoxhunt | 400–600 kr per employee per year | 1–2 hours onboarding | Companies that want continuous adaptive simulations with minimal admin overhead |
| KnowBe4 | 600–1,000 kr per employee per year | 2–4 hours onboarding | Companies that need a large course library and compliance reports |
For an SMB with fewer than 30 employees, Hoxhunt or KnowBe4 usually gives a better effort-to-result ratio than GoPhish. The internal time GoPhish requires is quickly worth more than the licence cost of a commercial service.
24-hour response plan when someone clicks
Assumption: someone will click. It is not a question of whether, but of when. The difference between an incident that takes two days and one that takes three weeks is often what happens in the first hours. The how-to list at the top of the article summarises the plan in seven steps. Here is the detail.
First hour: Isolate the machine. Disconnect Ethernet, turn off Wi-Fi. Do not shut down – memory data is needed for forensics. Change passwords from a separate, clean device. Force sign out all sessions. If MFA was active: regenerate recovery codes and check authorised devices.
First day: Check email rules and forwarding on the compromised account. Attackers often create silent forwarding rules or filters that move IT responses and bank confirmations straight to junk. Delete unknown rules. Notify your bank and key vendors that any email from you should be verified by phone before triggering a payment in the next 48 hours.
Within 72 hours: If personal data may have been compromised, notify Datatilsynet under GDPR Article 33. Our guide on Datatilsynet for SMBs explains how and what the notification must actually say. You can update it later when you know more.
Afterwards: Write it down. Timestamps, what was clicked, which accounts were active, what was done first, what took longest. Use the log in next quarter's phishing training and next year's incident response plan review. Incidents that are not documented are forgotten within six months, and the same mistake is repeated.
What now
Phishing in 2026 does not look like phishing in 2018. AI makes attacks linguistically invisible. Deepfakes make voices unreliable. QR codes bypass filters. Calendar invitations sneak in unnoticed. It is not employees' fault that they do not recognise attacks they have never been shown.
The four technical controls – FIDO2 keys, Conditional Access, DMARC/DKIM/SPF, and quarterly training – stop most attacks. None of them are advanced and all can be implemented within 4–6 weeks for a standard SMB. For a broader checklist of cybersecurity measures ranked by risk reduction per kroner spent, see our guide on eight measures you actually need to take in 2026.
Datafolka can help with Conditional Access setup, DMARC configuration, FIDO2 rollout, and phishing simulations for Norwegian SMBs. See our IT security services or get in touch for a free IT review.
Roy Morken runs Datafolka AS in Stavanger – a local IT partner helping small and medium-sized businesses with IT security, Private AI, and digital solutions. Data sources for this article: Verizon Data Breach Investigations Report 2025, NSM Risiko 2025, Proofpoint State of the Phish, Mnemonic threat intelligence, Microsoft Digital Defense Report 2024, NorSIS digital security culture 2024.