Phishing attacks are nothing new, and we’ve probably published 10+ blog posts over the years warning against them in one form or another. Now it’s time to get ready for yet another evolution in AI-powered phishing attacks. Here’s what you need to know for 2026.
Catching Up: Current State of Phishing Attacks
We’ve already warned about how generative AI is making it easier for scammers to create convincing, legitimate-looking content at scale. 10 years ago, phishing emails almost always had tell-tale signs like weird writing, typos, and graphic design that just looked off.
But today those red flags are much harder to spot. The grammar is as good as your favorite genAI model’s, and it’s easier than ever to spin up a fake website thanks to those same tools.
So we’ve already shifted our guidance away from looking for visual evidence. Now we warn businesses to look for directional evidence instead. Things like:
- Urgent calls to do things: “Click now to login or your account will be deleted!”
- Crises that sound a little suspicious: Even though the words telling you about the crisis sound professional, the IRS still doesn’t actually have a warrant out for your arrest.
- Prices or perks that sound too good to be true: 50% off what literally everybody else is charging, on a site you’ve not shopped on or seen before? Click this link and Microsoft will donate a dollar for every Facebook friend you have? Probably not.
That’s all still good advice. If someone’s trying to short-circuit your logic center with urgency, crisis, or something tantalizing, they’re probably up to no good.
Unfortunately, that advice may not be completely sufficient for what’s coming next.
The Future of Scams May Be Dynamic Content
When GenAI first hit the scene, marketers dreamed of something called a dynamic website: essentially, because GenAI can generate copy and code, it can create a simple website in near real-time. So the theory goes that soon, GenAI tools might be able to create tailored landing pages for individual users. Companies would take what they know about you (purchasing history, location, device type, and so on) and create a landing page that works especially well for you, even if it wouldn’t work very well for the next guy.
If that sounds unrealistic, well, it is for now. While it’s probably possible, doing it at scale and with good-enough results remains so complex and expensive that no one’s really doing this.
…except the bad guys.
They don’t need perfectly modeled dynamic websites, but some of the principles here cross over, with some security research saying this approach is theoretically viable (even if it’s not widespread yet).
The phishing email is still the same, essentially. It’s the link where things get interesting. That link takes you to a website that is itself not harmful. But the page calls to a GenAI service to start generating content, even potentially on newly formed pages.
Because scammers aren’t locked into a single domain, their links can’t be easily caught or blacklisted. And the content can’t be flagged in the way current systems work, because it’s different every time — potentially even personalized to specific end users.
Evolving Threats Require Evolving Security Approaches
We’ve already evolved past “don’t click that super sketchy link” to “watch out for what kind of behaviors you’re being pushed toward.” That’s still good advice, but we can definitely see how it’s getting harder to spot that behavioral push.
The next evolution in security approach is all about limiting damage. Multi-factor authentication still matters because a fraudulent website might steal your username and password, but it can’t also launch a request for that authentication code. And without that code, the bad guys can’t accomplish much if anything with your credentials.
Secure browsers, firewalls, and strong email filtering also still make a big difference. So do other strategies like segmentation and access control, which limit how much an attacker can access if they do get through.
As threats evolve, so should your security response. Need help taking that next step? Reach out to our team anytime.