Phishing remains the most persistent and damaging attack vector facing enterprises today. Despite significant investment in email security gateways, endpoint protection, and network controls, attackers continue to find ways through. And the threat is accelerating: Hoxhunt’s 2026 Phishing Trends Report found a 14x surge in AI-generated phishing emails in December 2025 alone.
The report paints a picture of a phishing landscape that is evolving rapidly. Threat actors are moving beyond email into LinkedIn, WhatsApp, and calendar invites. AI has lowered the barrier to entry for high-quality phishing to near zero, making attacks harder to detect and easier to scale.
Expert Insights spoke to David Badanes, Human Risk Leader at Hoxhunt, to discuss the key findings from the 2026 report, how AI is reshaping the phishing landscape, and why building a proactive security culture is the most effective defense organizations can invest in.
Q. Can you give us an introduction to yourself and an overview of Hoxhunt?
I’m Human Risk Leader here at Hoxhunt. I came into this role having served as a director of cybersecurity at a global energy company, 10,000 employees, half of which don’t use a computer on most days. Thirteen different countries across 12 time zones, five languages. So I know the dangers and challenges of phishing firsthand and also some of the opportunities that come for getting the most critical information to all of your people. Hoxhunt is the leading platform for human cyber risk management. And we go above and beyond typical awareness and cyber awareness to actually drive measurable behavior change.
Q. Phishing is still the most common data breach vector, with some reports putting it at 80 to 95% of breaches. Despite all the investment in security tools and awareness, why is phishing still such a major issue?
I think I’m reminded by that quote of why do people rob banks, and that’s where the money is. One of the reasons that phishing works so well is because it’s effective. In the report that we’re talking about today, we’ve identified a statistic that’s been widely reported that the successful phishing breach has an average impact of $4.88 million. And that’s the uncomfortable truth. You can put millions of dollars into technologies and hackers are still going to find a way into your environment. Phishing persists and is successful because it exploits human psychology, not any sort of software vulnerability.
But all hope is not lost here. There are ways to improve phishing training and actually drive behavior change. And Hoxhunt is the leader in doing that. Because Hoxhunt has just a universe of information when it comes to the amount of phishing emails that we’re reviewing and receiving, we can put together really great threat reports that are able to tell CISOs and prepare security organizations of what are the trends that they’re seeing the most. This is not theoretical scenarios. This is direct intelligence that is fueled by actual users. So that’s really exciting to see.
Q. Hoxhunt has just released its 2026 Phishing Trends Report. Can you tell us about the scope of the report and what findings you found particularly interesting?
Our researchers spend nearly the year collecting data and then compiling this report. And the head of that project was Eliot Baker, and he deemed 2025 as “cloudy with a chance of Skynet,” which I absolutely love. Hoxhunt’s 2026 threat report is the industry’s leading benchmark for phishing attacks, because we’re getting information that bypasses all other security filters and we understand which malicious messages actually get through. So over 50 million data points were used to create this report based on four million Hoxhunt users throughout the world. It is incredibly powerful and I love the fact that it’s passed all the security filters because we’re seeing exactly what your end users are seeing.
There are three main themes. AI is raising the bar for phishing, both in quality and quantity. And we have the data and the metrics to back that up. We’re seeing all kinds of increased different types of attacks, like man-in-the-middle attacks. We’re seeing the use of calendar invites, the use of SVG files, things that kind of look like our regular business.
The format is also changing. Social engineering attacks are spilling beyond email into LinkedIn, social media, WhatsApp, recruitment platforms. This is what your users are seeing on a day-to-day basis, and we have stories and also the data to back it up.
Q. Just to clarify, the data in the report is based on phishing emails that have made it past the email gateway. So these are messages sophisticated enough to bypass that security?
Correct. This is all based on real data that we’re seeing. And that’s what makes us unique. Every month end users report over 400,000 email threats directly to Hoxhunt. And that’s real world. It’s filter-bypassing data, not theoretical. And that intelligence fuels everything that we do. So you can think of us as an organization that helps you turn your employees from a vulnerability into really your first line of defense.
Q. The top-level headline from the report for me was a huge surge in AI-generated and AI-powered phishing attacks. How do you see AI accelerating and changing the phishing landscape?
If you allow me to quote from the author William Gibson, the future is here, it’s just not very evenly distributed. That’s really what we’re seeing from a phishing perspective with regards to AI. AI has done something that is truly game-changing. It has democratized high-quality phishing. You used to need skill to write a high-quality phishing email and also develop a payload. And now you don’t.
You talked about that hockey stick that happened in December. It was something that we were hearing anecdotally from CISOs, but the metrics completely bore it out, that 14 times the number of AI-generated phishing emails came in December than in the previous months. Those trends are on page four of the cyber threat report. And I encourage everyone to take a look at it. It’s not just the quantity, but it’s also the quality. They’re writing in the natural language that you’ve associated with regular communication. We previously used to tell our employees, look for spelling mistakes, look for challenges in English or in grammar. That’s just not the case anymore. You really need to stop, think before you click or take action on an email.

Q. Is AI changing the way that phishing works fundamentally, or is it just that the risk is amplified because there’s a higher volume and a lower barrier to entry?
I truly believe it has. I think the quality has improved so much. The quantity is there. We’re going to talk about the multi-pronged phishing attacks where somebody messages on LinkedIn and follows up with an email that follows up with a WhatsApp message. They’re injecting themselves into the regular cadence of business based on understanding the way that business works. The volume and higher quality are an absolutely brutal combination. And the barrier to entry is completely gone. So yes, it is somewhat of a perfect storm for phishing and for susceptibility.
Q. How can the Hoxhunt team tell the difference between an AI-written phishing email versus a human-written one? Are there any telltale signs?
We used to tell people look for misspellings, look for grammatical errors. That’s really not the case anymore. I think in some sense, actually look for things that are almost too well written. That’s kind of an interesting balance. Those of you who have played around with your ChatGPT, your Claude, your Copilot, your Gemini, you know that there’s a certain way that GenAI prompts typically work. Sometimes they overly use dashes. They overly use emojis to write. So take a look at that.
Also look at potentially English sentence structure. That could still be a place where there could be that very subtle awkwardness. Of course, if there are placeholders in there that say, insert victim domain or insert name here, that could still be a dead giveaway. And look, frankly, this is a volume business for them. So they still make mistakes too. But I would say overall, look for things that look a little unusual. We’re seeing a rise in SVG image graphic attacks as well as calendar attacks. So if it’s not something that looks like you would typically receive, we want our users to stop. Does this request make sense? Question the routine, not just the urgency.
Q. What are the trends you’re seeing in how threat actors are crafting phishing emails and the hooks they’re creating?
I would say it all points back to human nature and almost Maslow’s hierarchy of needs. People care about themselves a lot and in a lot of ways. So if something deeply affects them, whether it’s a recruitment scam or a potential HR email, these are the types of things that people are most focused on and are most likely to touch, for lack of a better word. It’s like when your parents said, don’t touch that pan, that stove is too hot. What do people do? They touch it anyway.
Our report shows that there are three universal human instincts. One, curiosity. Two, urgency. And three, that desire for recognition. In the report, we show how HR is very much at the top. There’s also Microsoft and Google and supply chain. People are impersonating those domains as well, but it’s back to what you would think. It’s that urgency, curiosity, trust-seeking, reward-seeking. Lists of who’s going to be on the bonus list, who’s going to be potentially on the performance improvement list.
In recruitment scams, we’re seeing a huge rise. We were seeing attackers scrape job sites like Indeed and LinkedIn to post those jobs themselves. And then they’re going to route their targets to fake calendar pages and then harvest their credentials. Those are really effective because you’re preying on people that are really looking to seek that job and it can be extremely effective in creating chaos within your environment.
Q. You’ve mentioned multi-pronged phishing strategies where it’s not just a one-off email. The attackers are using AI to create multi-step campaigns that users can really get immersed in. Can you tell us more about that?
They’re recognizing that the same enterprise security controls that you might have on your email might not be the same that someone has on their LinkedIn, much less on their text messaging or SMS or WhatsApp. So in order to do a multi-pronged attack like that, one, it’s kind of mimicking the regular business cadence that people are seeing already. So if they’re mimicking what it looks like to do a recruitment exercise or for your boss or a potential headhunter to follow up with you, or for a critical supply chain to say, hey, we’re having some downtime coming up, just want to make sure that you saw that. I’m reaching you out in a different channel. One of those might be blocked, but that’s okay, because their message is getting through.
That is particularly challenging for the user and a lot of times this is actually becoming difficult to detect even in the enterprise email box because there’s not a malicious link in the email itself. It’ll say something to the effect of, I’m going to send you a message on WhatsApp or LinkedIn with instructions on how to follow through on this. So there’s nothing to particularly block that message within Outlook.

Q. You’ve also highlighted the increase in callback phishing scams and malicious calendar invites. Why are these attack vectors so significant?
This works, frankly. This is something that we’ve seen targeting older generations and those susceptible groups as they’re using the internet more and more. Callback phishing is a particularly sneaky type of hybrid attack. You’ll get an email often with a fake subscription renewal from a Microsoft, a PayPal, a Geek Squad, and a phone number there to dispute the charge. There, you’re obviously talking to a threat actor who social engineers you to give up your credentials or install a remote access tool within your environment. For those of us probably listening to this podcast, it’s incredulous to believe that people fall for this, but they do. Thousands and thousands of people every day. We’re seeing the rise of these types of attacks by over 25%. This is particularly relevant in North America.
I would also look at the malicious calendar invite attacks. I actually gave a talk on this recently at the Convene conference. We’re seeing a rise in this, and this is particularly challenging because the way that we have formulated most of our Outlook rules is that if you get a calendar invite, it automatically appears on your calendar before you’ve accepted it. So again, they are hooking themselves into regular business cadence and it becomes challenging for you to recognize that something is not real. And sometimes at the end of the day, you go through and you accept or you decline and respond to your meetings and you might not even realize what you’ve done.
This is particularly important also for people that have admins, because a lot of times your admin is controlling your meeting invites as a part of your overall email, but they might be accepting messages. So it just shows the importance of training your entire organization. When I worked at my other organization, we had a specific cybersecurity training devoted to our executive assistant group because they were so important. They’re the gatekeepers to our C-suite, to our leadership. And making sure that they know that not only are they a target, but they are a target because of who they represent and who they support. That’s incredibly important.
Q. Phishing is not a problem that can be solved with technology alone. How can users be more vigilant against phishing attacks?
I think it comes to us as security leaders to make sure to empower our users with the information so that they can know what to do. At my prior organization, trying to train people about cybersecurity, we came up with a very simple Cyber 6. These are the six things that we want you to do to be secure. And number one of that was think before you click. I think that embodies almost everything. We want people to pause, to verify, to act. Anything that you get, before clicking, before taking anything in, pause.
We used to think about this as taking a pause for safety. Those of us who work at companies where you’re out in the field and there are risky conditions, if you pause to make sure that something is safe before you act, there will be no punishment, no retribution that something happens slower than it should because you were taking the step to make sure that something was safe. So we need to stop clicking as quickly and start questioning not just the routine and not just the urgency. If something is out of the blue, out of context, start questioning that. Why am I receiving that?
You can follow up through a different separate channel. Do voice, do some sort of verification of what I’m getting is real and set that culture from the top that your leadership says, if I reach out to you and I say that there’s an urgent payment that needs to be made, it’s likely a phishing attack. But in the one time out of a hundred that it is legitimate and you stop, give me a call, verify with my admin, verify with my chief of staff. If you do all that and it’s delayed, that’s okay because we need to put those organizational controls and that tone from the top in place. It needs to be a culture that embraces that as a value rather than speed as an overall value.
Q. How important is it to bring users along on that journey and to evangelize about the importance of security, as opposed to a punitive approach?
You’re touching a very timely topic. I was just at a conference and there was a whole conversation of the carrot versus stick mantra with regards to cyber phishing. I’m somebody who’s always landed more on the carrot side, because I think if you’re showing people the way that phishing attacks work, you’re bringing them behind the curtain. We actually instituted a cybersecurity champions program at our organization. We wanted people to be active, engaged. We actually wanted people who clicked on a phishing message to then report it. If you clicked on a message and you went to a malicious link, we really wanted you to report so that we knew whether we could check that email, check to see if it got through our web content filter, just check your endpoint manager to make sure that there was nothing on your machine.
That culture of being an approachable cybersecurity group is so effective. I actually think that it changes the culture of the cybersecurity team from the group of no to the group of how. You wouldn’t believe how many doors get opened if you make yourselves an approachable team within your organization.
Q. The report found that users are three times more likely to click on a phishing email on mobile compared to desktop, and less likely to report it. How should organizations be thinking about protecting mobile users?
I just think this is an example of we need to be agile as security leaders and security technology of meeting people where they are. What are the devices that they’re using? Because people are using their mobiles and they’re doing it at different times of day, first thing when they wake up, they’re rubbing their eyes and they’re pulling out their phone and they’re responding to emails. That’s the time that they’re vulnerable. Or they’re in the car pick-up line at their school and they’re looking at it there, or they’re in line at Starbucks. That’s the opportunity where the threat actor has a chance to get them.
We’re seeing that the click rate on desktops is 6% and the mobile click rate is 19%, three times. This is explored in depth in the cyber threat report, which I encourage everyone to take a look at. Why is that the case? You’re looking at a smaller screen. It’s hiding those key signals. You can’t see the full URL. The sender details are somewhat truncated. Those red flags are sometimes invisible. And context switching is faster. I’m jumping from my LinkedIn to my Instagram to my Spotify to my Outlook to my SMS. I’m not really fully there. And therefore, I’m more susceptible. And reporting is harder.
What’s important here, it’s absolutely critically important that you have mobile device management across your organization so that if they do click on a message from their mobile, that device is able to be isolated. And you want reporting to be as frictionless as possible and the steps that you can do to make it work and make it easy, just make it easy and smart for your user. And the most important thing is to be adaptable. If you’re recognizing that your users are shifting from one technology to another, think about the way that your training needs to adapt as well.

Q. How can phishing simulations and human risk awareness solutions like Hoxhunt help organizations to combat phishing attacks?
Hoxhunt’s approach to human risk management is fundamentally different than typical legacy cybersecurity awareness training. Hoxhunt is personalized, it’s customized, it’s continuous, it’s based on real-world information, real threats that we’re seeing, it’s based on data that’s bypassing threats, not last year’s templates, and it actually drives measurable behavior change. And that is so critically important. Organizations that are using Hoxhunt see significant sustained reductions in phishing susceptibility, and crucially, they also see increases in reporting rates.
I know this firsthand actually as a former customer of Hoxhunt. Clicking on a phishing email and reporting the phishing email, it is a learning moment. It provides that continual feedback and behavior change and pushing people to be trained at the edge of their comfortability. They are being challenged and the different training for different people is an absolute important thing, that individualized approach is so successful.
Hoxhunt, we have tons of data. I mentioned that our users are reporting 400,000 phishing attacks per month. That’s an intelligence loop that we’re getting back, that we’re figuring out both which of our phishing simulations are working and the actual attacks getting through. And then we’re also combining really cutting-edge AI with very traditional behavior science to figure out what are the things that really break through to drive meaningful behavior change.
Q. How is Hoxhunt innovating to keep pace with the way that phishing is evolving?
I think nobody said it better than the CEO of Hoxhunt, Mika Aalto, who said, human threat intelligence is a weapon. AI lets you transform your employees into a network of threat detection sensors that can plug into the security stack and augment your SOC and accelerate incident response. That boils down to what we’re trying to drive here of innovation, that you should never be training your users on last year’s attacks because the threat landscape is moving so quickly. We’ve talked about a number of ways that we’ve done that in this year’s threat report, talking about the rise of SVGs, talking about the rise of calendar invite attacks, talking about the out-of-band or business contact phishing schemes that we’re seeing. And we are using each of those to help make our product and help make our customers better when it comes to phishing attacks.
AI plays a dual role for us. It’s a threat that we’re helping organizations defend against, but also a tool that we are using to personalize and scale training. And we’re also doing it in different ways on the response side. We’re using AI at the incident response automation layer. We’re helping those SOC teams triage, enrich, and remediate faster from cyber events. The human layer that we talked about really doesn’t just stop at the inbox. It actually extends to how we get those threats escalated and contained.
Q. How do you see the future of phishing and human risk management changing over the next 12 months, and how should security leaders be preparing for the next phase of AI-driven social engineering?
For those that listened from the beginning, you remember that I talked about the weather here in Washington and how it looks cloudy. And I related that to how Eliot talked about cloudy with a chance of Skynet. I’m looking out at the weather right now and it looks like a sunny day, but I know a storm is coming. That’s what I think the moment that we’re looking at now. I think we have a lot of clarity on what the world looks like at the moment, but it’s changing rapidly and we need to be prepared for that.
It is clear that AI is here to stay. AI-generated phishing is getting better, faster, and more personalized. The gap between a human-written phishing email and an AI-generated one, it is now indistinguishable. So what does that mean? We need to train our users to be constantly vigilant, be able to report first anything that they feel like is out of the ordinary and to question things that look unusual.
In particular, I think we’re going to see an incredible rise of spear phishing at scale. Right now, I would say that AI phishing is being used mostly for bulk campaigns with somewhat imperfect personalization. But as AI improves hyper-localization and targeting, we’re going to see very, very personalized attacks. I just look at this background behind me. Someone watching my screen today and watching this video, they’re picking out different things, perhaps about places that I’ve traveled around the world or things that are important to me or pictures of my kids. Information out there can be distilled from this video to create hyper-localized and targeted phishing campaigns for me. And it’s something that we all should absolutely be aware of.
But it’s clear that organizations that will weather the next phase of these AI-driven social engineering campaigns are the ones that are going to build a genuine proactive security culture. And that’s what I encourage all of your listeners to do.