As we navigate the start of 2026, the cybersecurity landscape has reached a critical inflection point. For managed services providers (MSPs), the challenge is no longer just identifying “the bad guys;” it’s identifying the “perfectly simulated guys.”
In 2025, phishing as a service (PhaaS) evolved from a dark web niche into a highly industrialized subscription economy. According to recent findings from Barracuda threat analysts, the number of known phishing kits doubled during 2025, lowering the barrier to entry for low-skilled attackers while drastically raising the technical sophistication of the threats themselves. More alarming still, 90% of high-volume phishing campaigns observed over the past year now rely on these pre-packaged, AI-enhanced kits.
While the themes – invoices, payroll and legal notices – remain familiar, the execution has become nearly indistinguishable from legitimate business operations. To protect your customers, you must help them look past the subject line and understand the “relentless innovation” occurring beneath the surface.
1. Payment and invoice scams: The AI branding revolution
Payment and invoice fraud remained the most common lure in 2025, accounting for 19% of all phishing emails analyzed. Today’s attackers no longer rely on generic templates; they use generative AI to scrape a target’s digital footprint and craft compelling emails that mirror the vendor’s tone, style and branding.
- The mobile pivot: A signature tactic in 2026 is embedding QR codes in digital invoices. By forcing a user to scan a code, attackers move the victim from a secure, monitored desktop environment to a less-protected personal mobile device.
- The result: Mobile devices often lack the robust endpoint detection and URL filtering present on corporate PCs, significantly increasing the likelihood of a successful attack.
2. Voicemail and vishing: The sound of deception
“Vishing” (voice phishing) has seen a massive resurgence, fueled by AI-driven voice cloning and sophisticated “secure voicemail” portals.
- Platform spoofing: Attackers are no longer just sending random links; they’re spoofing the familiar designs of services like Microsoft Teams or SharePoint to notify users of an “urgent missed voicemail.”
- Polymorphic evasion: PhaaS operators now use GenAI to generate hundreds of variations of a single phishing script. This allows messages to bypass traditional filters that scan for known malicious patterns. When a user clicks “listen,” they enter a portal designed to harvest corporate credentials and bypass multi-factor authentication (MFA).
3. Financial and legal scams: High-fidelity spear phishing
In 2026, “spray and pray” has been replaced by precision-guided spear phishing. Attackers conduct deep reconnaissance on organizations to gain insights into key executives and their specific communication styles.
- Account hijacking: We’re increasingly seeing attackers use compromised accounts to insert themselves into existing email threads. By hijacking a legitimate conversation about a financial transfer, they use GenAI to eliminate any linguistic errors that might tip off a victim.
- The personal touch: These messages feel authentic because they reference real projects and internal deadlines, creating a false sense of security before requesting a fraudulent transfer.
4. Signature and document review scams: Exploiting the perimeter
With digital workflows being the lifeblood of hybrid work, attackers have doubled down on impersonating platforms like DocuSign and Adobe Sign.
- Technical evasion: Next-generation phishing kits, such as GhostFrame and Tycoon 2FA, now feature advanced obfuscation and MFA-bypass methods (like session token theft).
- Perimeter break: Just like invoice scams, these document requests frequently use QR codes to redirect the interaction to a mobile device, effectively stepping outside the corporate security perimeter, where “Zero Trust” policies might be less strictly enforced.
5. HR-related scams: Exploiting professional anxiety
Human resources themes – benefits, payroll updates and employee handbooks – accounted for 13% of phishing cases in 2025. These remain effective because they tap into a user’s professional curiosity and anxiety.
- Strategic timing: Attacks are meticulously aligned with tax deadlines and payroll cycles to exploit a natural sense of urgency.
- Policy “quishing”: A common 2026 tactic involves sending a “New Employee Handbook” as a PDF. The document contains a QR code to “confirm receipt,” bypassing email link filters that may not scan images or code embedded in PDFs.
Shifting from filters to intelligence
As an MSP, your role is to convince your customers that traditional defenses – filters, blocklists and basic awareness training – are no longer enough. In 2026, a “good enough” security stack is a liability.
To stay ahead, organizations must shift toward a proactive, identity-centric model:
- AI-powered detection: Use security tools that don’t just look for bad URLs, but analyze communication patterns, behavioral anomalies and linguistic intent in real-time.
- Continuous identity validation: Move beyond static MFA toward phishing-resistant authentication (e.g., FIDO2) and continuous session monitoring to prevent token theft.
- Multi-layered controls: Protection must follow the user. This means implementing security across email, collaboration apps (Teams/Slack) and especially mobile devices.
Your phishing defense roadmap for 2026
The phishing scams of 2026 are successful because they leverage the very same tools that businesses use to stay productive: AI, automation and convenience. As an MSP, your goal is to help clients transition from “vulnerable compliance” to “active resilience.”
By educating your customers on the execution of these attacks – rather than just the theme –and deploying AI-integrated security layers you can build a defense-in-depth strategy that is as sophisticated as the threats themselves. Now is the time to audit your clients’ current security stacks and replace legacy filters with identity-first protection.
This article was originally published at Managed Services Journal.
Photo: babar ali 1233 / Shutterstock
This post originally appeared on Smarter MSP.
