
4 ways to combat the endless stream of phishing attacks


COMMENTARY: In my last piece for SC Media, I wrote about how business email compromise (BEC) attacks aren't a single playbook applied uniformly, but instead are calibrated to the structure of the target organization, shifting impersonation tactics based on company size, approval workflows, and how authority flows.

Phishing operates the same way, and as the most common email threat at 58% of all attacks observed in our 2026 Attack Landscape Report, phishing has become a much larger problem in terms of volume.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The conventional framing still puts the employee at the center: if people would slow down, scrutinize links, and think before clicking, most phishing attacks would fail. It's framing that's both tidy and increasingly beside the point.

Data we drew from nearly 800,000 attacks actually show that the techniques driving modern phishing aren't designed to catch employees off guard. They're designed to look like work—engineered around the workflows, tools, and communication norms of the target environment so that acting normally can easily help an attacker succeed.

Why attackers aim to get past the perimeter first

Before any lure reaches an employee, it has to survive link inspection—and that's a problem attackers have clearly thought through. Approximately one in five phishing attacks (21.6%) uses redirect links, routing recipients through intermediate URLs before landing at the malicious endpoint. For security tools scanning links at delivery, that chain of hops has been deliberately designed to obscure where a link actually goes.

Link shorteners add another layer of difficulty on top of that. TinyURL leads the list of most-used shortener services—not because it's especially sophisticated, but because it's frictionless. No account, no authentication, no record. Any attacker can generate a shortened link instantly and anonymously.

Twitter/X's redirect infrastructure—t[.]co—automatically gets applied to any link posted on the platform. Threat actors appear to post malicious links there specifically to generate a t[.]co-wrapped URL, exploiting the reality that security tools are extremely reluctant to block a globally trusted domain wholesale. The attacker gets a clean, reputable-looking URL without registering anything at all.

I also find the organization size breakdown especially telling. The use of link shorteners in phishing that targets small organizations sits at just 1.6%—for attackers hitting smaller targets, basic redirect chains are enough because the defensive infrastructure doesn't warrant more. At large enterprises, link shortener usage climbs to 3.5%, more than double. It's a small absolute number, but it implies a significant pattern: attackers are sizing up the defenses of their target and adjusting their evasion techniques accordingly.

When the lure matches the workflow

File-sharing phishing—impersonating SharePoint, Dropbox, Google Drive, DocuSign, or similar platforms to deliver a malicious link as a shared file notification—accounts for 12.4% of phishing overall, but nearly doubles in financial services (22.2%) and construction (21.3%).

To understand why, just think about what lands in a financial services employee's inbox on any given day: loan agreements, audit packages, compliance disclosures, investment reports, all moving constantly between parties. A notification that someone has shared a document with them is often so unremarkable that users click on it via muscle memory. Attackers are precisely mimicking something employees do dozens of times a week—not attempting to trick them with anything unusual.

Construction follows the same logic with a different cast of documents in a relentless volume of shared files. Drawings, RFIs, submittals, change orders, and bid packages are exchanged across general contractors, subcontractors, architects, engineers, and project owners, many of whom have never corresponded before. Most organizations are accustomed to receiving a document share from an unfamiliar sender. It’s simply how the construction business works. The lure doesn't need to be clever if it fits.

How bad actors borrow trust from familiar brands

Brand impersonation—making up 12% of all phishing attacks—happens when adversaries use the name and visual identity of a trusted company to make a credential-harvesting attempt look like a routine login prompt or notification.

This threat concentrates heavily in hospitality, where nearly one in four phishing attacks (24.1%) uses the tactic. A single hotel property might interact daily with a dozen branded services across booking, payment, staffing, and guest communication: booking sites, payment portals, loyalty programs, review platforms, scheduling tools. A convincing fake notification from any one of them lands in a context where that exact type of email arrives constantly.

Healthcare, by contrast, sees brand impersonation in only 7.1% of phishing attacks—roughly one-third of the hospitality rate. The difference here: healthcare workflows involve fewer consumer-facing branded platforms that make plausible impersonation targets. There’s a smaller attack surface, so the tactic shows up less.

All three phishing techniques follow the same logic as BEC: tactics concentrate where they're most likely to blend in. The organizations best positioned to defend against phishing are the ones willing to stop asking: "Are our employees aware of phishing?" and start asking: "What does phishing actually look like in our environment?"

That means a few concrete shifts in how security teams operate:

  • Map the company’s own attack profile: Look over industry best practices, employee workflows, and platforms the team uses every day—and use that to predict where phishing pressure is most likely to land. A financial services firm should assume file-sharing lures are a primary risk. A hospitality organization should treat brand impersonation as a recurring threat. How employees behave at work shapes which techniques attackers will favor.
  • Audit URL inspection capabilities with redirect chains and shorteners in mind: If it’s a large enough organization in which attackers would bother layering evasion techniques, make sure the team’s detection tools are looking for them. Static link inspection alone won't catch a redirect chain through a trusted domain.
  • Revisit security awareness training (SAT): Ask a hard question: does the SAT reflect the attacks employees are actually encountering, or does it instead focus on the recognizable, obviously-suspicious examples that are easiest to build training around? Effective SAT in 2026 means training people to recognize a fake DocuSign notification or a spoofed Booking.com login prompt—not just a misspelled domain in the sender address.
  • Rethink the detection program: Detection that understands organizational context matters more than detection calibrated to generic threat signatures. The attacks that succeed in this landscape don't look like attacks. They look like a colleague sharing a document, or a platform sending a routine notification. Catching them requires behavioral AI that knows what normal looks like for the specific organization and can surface the subtle anomalies—the unexpected sender, the atypical link path, the request that falls just outside established patterns—before employees have a chance to engage.
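As an added illustration of the redirect-chain problem described earlier and of the URL-inspection audit in the list above (example code, not from the article or from Abnormal AI): the check below follows a link hop by hop, records every domain it crosses, and flags chains that pass through a wrapper domain such as t.co or TinyURL, that run more than one hop, or that never terminate. The redirect table and the example.* hostnames are constructed so it runs offline; in a real deployment `lookup` would issue a HEAD request per hop and read the Location header.

```python
import urllib.parse

# Constructed sample: each URL maps to the Location header its server would
# return (None = final page). Stands in for live HEAD requests so this runs offline.
SAMPLE_REDIRECTS = {
    "https://t.co/abc123": "https://tinyurl.com/xyz789",
    "https://tinyurl.com/xyz789": "https://sharepoint-docs.example/view?id=1",
    "https://sharepoint-docs.example/view?id=1": None,
    "https://cdn.example/file.pdf": None,
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

# Domains that wrap arbitrary destinations. A hop through one is a signal for
# review, not a verdict: the domain itself is legitimate and cannot be blocked.
KNOWN_REDIRECTORS = {"t.co", "tinyurl.com", "bit.ly"}


def host_of(url):
    """Lower-cased hostname of a URL ('' if unparsable)."""
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def resolve_chain(url, lookup, max_hops=10):
    """Follow redirects via lookup(url) -> next URL or None.
    Returns (list of URLs visited, reason the walk stopped)."""
    chain, seen = [url], {url}
    while True:
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain, "final"          # a real page, no further Location
        if nxt in seen:
            return chain, "loop"           # redirect cycle, never lands anywhere
        if len(chain) >= max_hops:
            return chain, "max_hops"       # refuse to chase unbounded chains
        seen.add(nxt)
        chain.append(nxt)


def assess_link(url, lookup=SAMPLE_REDIRECTS.get, max_hops=10):
    """Summarise a link's redirect path and decide whether it merits review."""
    chain, reason = resolve_chain(url, lookup, max_hops)
    hosts = [host_of(u) for u in chain]
    redirectors = [h for h in hosts if h in KNOWN_REDIRECTORS]
    hops = len(chain) - 1
    return {
        "chain": chain,
        "final_host": hosts[-1],
        "hops": hops,
        "redirector_hops": redirectors,
        "stopped": reason,
        # Flag: crossed a wrapper domain, more than one hop, or no clean landing.
        "review": bool(redirectors) or hops > 1 or reason != "final",
    }
```

The point the article makes is visible in the first sample: the link the employee sees is a reputable t.co address, but the destination only appears after two hops, which a scanner that stops at the first domain never reaches.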

Just as phishing works because it exploits routine, the defenses that work are the ones built around understanding that routine even better than the attackers do.

Mick Leach, Field CISO, Abnormal AI
