Sentinel Brief

How to Stop Phishing Attacks: Controls That Actually Work

person reading suspicious email on laptop screen - person using black laptop computer

Photo by Firmbee.com on Unsplash

Key Takeaways
  • As of July 5, 2026, 3.4 billion phishing emails are sent daily — 82.6% of them AI-generated — making signature-based detection unreliable across the board.
  • AI-powered phishing achieves a 54% click rate versus 12% for conventional attacks; the median time between receiving a phishing email and clicking the link is just 21 seconds.
  • Phishing-resistant MFA blocks 99.9% of automated account takeover attempts even when credentials are stolen — it remains the single highest-leverage control available.
  • Smishing (SMS phishing) accounts for 35% of all phishing attacks, surging 40% year-over-year; QR code phishing detections rose 146% from January to March 2026.

The Threat: When the CFO Is a Deepfake

The finance team at a multinational corporation thought they were on a routine video call with their CFO and several colleagues. Every face on the screen was a deepfake. By the time the fraud was discovered, $25 million had already left the company's accounts. That incident is not an outlier — it is the new benchmark for where phishing attacks now operate.

According to AI Fallback, generative AI has compressed phishing campaign creation from roughly 16 hours of manual work to approximately 5 minutes per attack. The scale this enables is staggering: VikingCloud reports that 82.6% of the 3.4 billion phishing emails sent every single day are now AI-generated. These messages arrive without typos, mirror real brand voice, reference internal projects scraped from LinkedIn, and produce unique content on every send — rendering the signature-matching filters that protected inboxes for the past two decades effectively obsolete.

The Anti-Phishing Working Group (APWG) recorded 971,181 phishing attacks in Q1 2026, a 13.8% increase from Q4 2025's 853,244. Hoxhunt's research captures the velocity shift more starkly: measurable AI-assistance indicators in phishing emails jumped from 4% in November 2025 to 56% in December 2025 — a 14x end-of-year surge that signals the industrialization of AI-generated attacks did not arrive as a forecast; it detonated last winter.

The attack surface has also spread well beyond email. Smishing (SMS phishing) now accounts for 35% of all phishing attacks and surged 40% year-over-year. QR code phishing detections rose 146% from January to March 2026, exploiting the gap in email security gateways that cannot analyze image content. Voice and SMS phishing combined were responsible for 19% of all breaches in the period. And in May 2026, over 80 US companies discovered they had been victimized by AI-powered campaigns that bypassed every traditional perimeter defense by abusing legitimate remote management tools to slip past firewalls and antivirus software.

Blast Radius — Who's Actually in the Crosshairs

The financial damage makes the blast radius concrete. The FBI's Internet Crime Complaint Center (IC3) logged 191,561 phishing complaints in 2025, with $215.8 million in documented losses — a 208% year-over-year increase in financial damage despite essentially flat complaint volume. That gap matters: individual attacks are becoming more expensive per incident, not merely more frequent.

Business Email Compromise (BEC) — a targeted variant where threat actors impersonate executives or finance contacts to authorize fraudulent wire transfers — accounted for $3.046 billion in losses from 24,768 IC3 complaints in 2025 alone. Annual global phishing losses across all variants reached $25 billion. The FBI IC3 also began formally tracking AI-attributed phishing in 2025, recording 803 complaints with $10.3 million in losses in its first year of measurement — a baseline that will look small within two reporting cycles.

The most heavily targeted sector as of Q1 2026 is telecom, now representing 33% of all phishing attacks — a vertical that handled just 5.9% of attack volume in Q3 2025. That sector shift matters for downstream data protection: telecom-harvested credentials frequently grant access into other organizations. Anyone who processes carrier invoices, manages telecom accounts, or receives business SMS sits inside this blast radius.

Small businesses are not outside it. A Cobalt.io survey found 97% of cybersecurity professionals fear their organization will face an AI-driven incident, and 93% expect to see daily AI attacks in the coming year. (When 97% of security professionals are bracing for impact, "prediction" is probably the wrong word for it.) The assumption that sophisticated, targeted attacks only pursue large enterprises is one that threat actors abandoned long ago.

Why Traditional Filters Are Losing the Signal

Legacy email security relies on two mechanisms: pattern matching against known malicious URLs and indicators of compromise, and heuristics that flag suspicious grammar, unusual sender domains, or mismatched headers. AI-generated phishing disables both simultaneously. Because generative AI produces unique content for each campaign — sometimes each individual message — no stable signature exists to match. Security experts cited by APWG describe the consequence directly: "artificial intelligence is enabling attackers to create highly convincing phishing campaigns that are harder to detect than traditional scams," with the uniqueness of AI-generated content making signature-based filters obsolete. The grammar and stylistic tells that security awareness training previously taught employees to recognize no longer reliably appear.

The click-rate data quantifies the result:

Phishing Click Rate: AI-Powered vs. Traditional Attacks0%20%40%60%12%TraditionalPhishing54%AI-PoweredPhishing

Chart: AI-powered phishing emails achieve a 54% click rate versus 12% for conventional attacks, based on security research data current as of July 5, 2026.

A 4.5x increase in click rate changes the campaign economics: fewer emails are needed to reach a target yield, which means lower send volume, lower detection risk, and higher returns per operation. The industry consensus is direct: "no software catches 100 percent of phishing attempts, especially new or highly targeted attacks." Combining technical controls with security awareness is the minimum viable defense — not an optional upgrade.

The Defense Stack That Changes the Math

One control alone blocks the most consequential downstream consequence of a successful phishing click: phishing-resistant multi-factor authentication (MFA — a second verification step required before account access is granted). Even when credentials are stolen, phishing-resistant MFA blocks 99.9% of automated account takeover attempts. CISA's current guidance explicitly frames phishing-resistant MFA "as part of applying Zero Trust principles" — a security model that assumes no user or device should be trusted by default — and treats DMARC (Domain-based Message Authentication, Reporting, and Conformance, a protocol that instructs receiving mail servers to reject emails spoofing your domain) set to "reject" as a baseline expectation for 2026, not an aspirational best practice.

The cybersecurity best practices that hold across organization sizes break into three layers:

Technical controls: Deploy DMARC at the reject policy for all sending domains. Enable phishing-resistant MFA using FIDO2/passkey methods or hardware security keys — not SMS-based codes, which smishing attacks can intercept before you see them. Configure email security gateways with behavior-based analysis and real-time threat intelligence feeds, rather than relying solely on signature matching. Implement DNS-layer filtering to block connections to newly registered domains, which supply a disproportionate share of phishing infrastructure. Restrict which remote management applications are permitted to run on endpoints — the May 2026 wave of 80-plus company compromises leveraged legitimate tools that endpoint detection did not flag.

Process controls: Enforce a verification callback procedure — a separate, out-of-band confirmation via a known phone number — for any wire transfer request received by email, regardless of how legitimate it appears. The $25 million deepfake CFO incident succeeded specifically because the process that would have stopped it either did not exist or was bypassed under urgency. DMARC protects your domain from being spoofed outbound; the callback process protects against impersonation that passes all technical inspection.

People controls: Security awareness training needs to evolve past the instruction to look for typos. Modern programs should simulate QR code phishing scenarios, smishing drills, and voice phishing exercises — because 35% of attacks now arrive via SMS and 19% of breaches involve voice or SMS as the initial entry vector. Updating employee mental models, not just refreshing slide decks, is what the current threat environment requires.

Ship This Control Today

If only one change happens after reading this, make it phishing-resistant MFA on every account that touches financial systems, email, or remote access. Not SMS-based two-factor authentication — a hardware security key or passkey-based authenticator app. The 99.9% automated attack blocking figure cited by CISA applies specifically to phishing-resistant methods; SMS codes remain interceptable via smishing attacks that redirect them before the legitimate user sees them.

For small business owners who can move only one dial today: go to your email provider's admin security settings, enable MFA on the admin account, then enable DMARC for your sending domain. Both actions take under an hour and meaningfully reduce the blast radius of the attack types documented in the APWG Q1 2026 report. For incident response purposes, the FBI's IC3 portal at ic3.gov accepts direct complaint submissions that feed the threat intelligence used to track and attribute campaigns — filing takes ten minutes and contributes to the collective picture.

When I review these numbers — $215.8 million in FBI-logged losses against 191,561 complaints, a 208% increase in financial damage with flat complaint volume — my read is that the individual attack is getting sharper and more expensive, not just more common. Defenders who treat phishing as a volume filtering problem will keep losing ground to adversaries who have moved to precision. The organizations that hold the line are the ones who accept that some phishing will always reach an inbox and build controls around what happens after the click, not only before it.

Frequently Asked Questions

How do I identify a phishing email in 2026 when AI removes the grammar errors?

In 2026, scanning for typos and awkward phrasing is no longer a reliable signal — AI-generated phishing produces clean, contextually accurate copy that mirrors real brand voice and internal project terminology. Instead, focus on behavioral indicators: unexpected urgency or pressure to act quickly, requests that deviate from normal business process such as wire transfers or credential resets, sender domains that differ by one character from legitimate ones, and hyperlinks whose hover destination does not match their display text. Security awareness training updated to include simulated AI-generated phishing scenarios is now the standard approach for building this detection instinct across a team.

Can antivirus software stop phishing attacks on its own?

Antivirus software addresses a narrow slice of the phishing threat — specifically, malware delivered as file attachments. It does not reliably catch credential-harvesting phishing pages, Business Email Compromise attacks that contain no malware whatsoever, or smishing via SMS. The industry consensus across researchers cited by APWG and others is direct: no single software product catches all phishing attempts, particularly AI-generated attacks with unique content signatures that change on every send. Effective phishing protection requires layered controls working in combination — email security gateways with behavioral analysis, phishing-resistant MFA, DMARC on your sending domain, DNS-layer filtering, and trained human judgment. Each layer catches what the others miss.

What should I do immediately after clicking on a phishing link?

Act within minutes. First, disconnect the device from the network — disable WiFi and unplug ethernet — to limit lateral movement if malware was deployed. Second, change any passwords that may have been captured, starting with email and any accounts tied to financial systems, before re-enabling network access. Third, notify your IT team or managed security provider and initiate your incident response procedures; also report the incident to the FBI IC3 at ic3.gov, as these reports feed the threat intelligence used to attribute campaigns. Fourth, if credentials to financial accounts were potentially exposed, contact your bank immediately — banks can often halt unauthorized wire transfers if notified quickly. Enable phishing-resistant MFA on affected accounts as part of recovery. The sequence is: isolate, rotate credentials, report, harden.

What is the best phishing protection software for small businesses in 2026?

No single product provides complete phishing protection — the research is unambiguous on this point. For small businesses, the highest-leverage stack combines three elements: a business email security gateway with behavioral analysis (Microsoft Defender for Office 365, Proofpoint Essentials, and Mimecast are commonly reviewed options in this tier), phishing-resistant MFA on all accounts (Google Workspace and Microsoft 365 both include built-in FIDO2 passkey support at no additional cost), and DMARC set to reject on your sending domain, which is free to implement through most domain registrars in under an hour. DNS-layer filtering services such as Cisco Umbrella or Cloudflare Gateway add another blocking layer. A security awareness training platform that delivers simulated phishing drills — including smishing and QR code scenarios — rounds out the people layer. The stack matters more than any individual product in it.

Disclaimer: This article is editorial commentary for informational purposes only and does not constitute professional security consulting advice. Statistics and organizational guidance are drawn from publicly reported research and government sources. Always consult a qualified cybersecurity professional for your organization's specific needs. Research based on publicly available sources current as of July 5, 2026.