847 active alerts monitored as of July 6, 2026 — Updated daily

Overview

Phishing remains the most prevalent entry point for both consumer fraud and enterprise breaches. The Anti-Phishing Working Group (APWG) recorded over 1.3 million unique phishing sites in 2024, a figure that understates actual volume because many campaigns operate for hours before being taken down. The FBI IC3 received 298,878 phishing-related complaints in 2023, with reported losses exceeding $18.7 million—a figure that represents only a fraction of actual losses given the low rate of consumer reporting.

What has changed in the past two years is the quality and delivery mechanism of attacks. AI-generated phishing emails are now indistinguishable from legitimate communications in the majority of cases. Smishing (SMS phishing) and QR code attacks have expanded rapidly because they route victims through channels where traditional email security tools have no visibility.

298K Phishing complaints to FBI IC3 in 2023
60 sec Median time for a victim to click a phishing link after receipt (Hoxhunt)
77% Of organizations targeted by phishing in the past 12 months (Proofpoint 2024)

Active Attack Vectors

  • 01

    Email Phishing (AI-Enhanced)

    Traditional phishing emails were detectable by their grammatical errors, generic greetings, and generic urgency. AI-generated phishing removes all three of these tells. Messages now correctly address recipients by name, reference real account details obtained from data breaches, and are written in native-quality prose. They pass standard spam filters because they are not mass-generated templates—each is generated individually from a profile of the target compiled from breach data and public records. The most impersonated brands in current campaigns are Microsoft, Amazon, Wells Fargo, Chase, and the IRS.

  • 02

    Smishing (SMS Phishing)

    Text-based phishing campaigns impersonating USPS package delivery failures, bank fraud alerts, and toll payment notices (iPass, SunPass, E-ZPass) have run at scale across the US and Canada throughout 2025 and into 2026. The messages contain shortened or look-alike URLs and direct victims to credential-harvesting pages that closely mimic the impersonated brand. Mobile devices do not display full URLs by default, making spoofed domains harder to identify before clicking.

  • 03

    Quishing (QR Code Phishing)

    QR codes embedded in emails, physical mail, and posted signage redirect victims to phishing pages without a visible URL at the point of scanning. Email security tools cannot analyze the destination URL because it is encoded in an image rather than a link. The FBI and CISA both issued warnings about quishing campaigns targeting corporate employees in 2024; consumer-facing campaigns impersonating parking meters, restaurant menus, and utility bills have expanded the vector into everyday physical environments.

  • 04

    Vishing (Voice Phishing) and AI Voice Cloning

    Voice phishing calls impersonating bank fraud departments, government agencies, and technical support have been augmented by AI voice synthesis. Scammers can now generate a convincing voice clone of a known individual—a family member, a manager, a customer service representative—from as little as three seconds of public audio. AI-voice grandparent scams, in which a cloned grandchild's voice is used to request emergency money, have resulted in documented losses of $11,000 to $35,000 per incident in reported cases.

What Happens After Credentials Are Stolen

Harvested credentials are rarely used immediately by the attacker who collected them. The market for stolen login data is well-organized: credentials are sold in bulk on dark web marketplaces within hours of collection, sorted by institution type (banking credentials command a higher price than streaming service logins) and verified status (confirmed-live credentials sell at a premium over unverified dumps).

Account takeover (ATO) is the primary downstream crime. A compromised bank login is used to initiate wire transfers or Zelle payments to mule accounts. A compromised email account is used to access connected financial accounts through password reset flows. Compromised phone numbers are used in SIM-swap attacks that bypass SMS-based two-factor authentication. The chain from a phishing click to a drained bank account can complete in under 60 minutes in targeted attacks.

Most Impersonated Brands (2025–2026)

Microsoft, Amazon, Wells Fargo, Chase, USPS, PayPal, the IRS, Apple, Netflix, and Meta account for the majority of consumer-facing phishing campaigns by volume. Impersonated brand does not indicate any compromise of the brand itself; fraudsters choose recognizable names to lower victim suspicion.

How to Identify a Phishing Attempt

  • The message creates urgency: "Your account will be suspended in 24 hours," "Verify now or lose access"
  • The sender domain does not exactly match the company's real domain (e.g., "amazon-security.com" instead of "amazon.com")
  • The link destination, when hovered or previewed, does not match the displayed text
  • You are asked to enter login credentials, payment information, or a verification code on a page you reached through a link in a message
  • A QR code in a message or on a physical surface directs you to a login page
  • A caller claiming to be from your bank, a government agency, or a tech company asks you to confirm your full password, PIN, or one-time code
  • A text message about a package delivery, toll payment, or account issue contains a shortened URL
Protective Measures
  1. Use a password manager. Unique passwords per site eliminate the credential-stuffing risk when one site is breached. Password managers also refuse to autofill on look-alike domains, providing automatic phishing detection.
  2. Enable hardware security keys (YubiKey, Google Titan) or passkeys for your most sensitive accounts—email, banking, password manager. These cannot be phished because authentication is tied to the physical device and the legitimate domain.
  3. Never enter a one-time code (SMS or authenticator app) after someone calls you claiming to need it for account verification. Legitimate institutions do not initiate calls requesting OTPs.
  4. Navigate to your bank, government portal, or service provider directly by typing the URL or using a saved bookmark. Do not use links from emails or texts, regardless of how legitimate they appear.
  5. When scanning a QR code, preview the destination URL before proceeding. All major mobile browsers show the URL before you navigate to it; check that it matches the expected domain exactly.
  6. If you believe you have entered credentials on a phishing page, change the password immediately on the real site, revoke any active sessions, and enable or update your two-factor authentication method. If the compromised account is connected to banking, contact your bank the same day.
Sources: Anti-Phishing Working Group (APWG) Phishing Activity Trends Report Q4 2024; FBI IC3 2023 Annual Report; Proofpoint State of the Phish 2024; Verizon Data Breach Investigations Report 2024; IBM X-Force Threat Intelligence Index 2025; CISA Quishing Advisory AA23-040A; Hoxhunt Phishing Trends Report 2024.