Breachroad

Phishing in 2026: why training alone isn't enough

Phishing still accounts for most successful breaches. We explain why employee education alone isn't enough and what to add to your defences.

Karol Rapacz
28 May 2026 · 11 min read

Phishing remains the most common way to gain initial access to a corporate network. Not because it is technically sophisticated, but because it targets the hardest element to patch — the human being. The standard response is training, but treating it as the only defence is a serious mistake. The scale shows in the data: in CERT Polska’s 2025 report, phishing accounted for 78,391 incidents — around 30% of all reports.

Why education alone fails

Training raises awareness, but it does not eliminate risk. It only takes one person in a hundred clicking at the right moment — when they are tired, in a hurry, and the message convincingly impersonates a known partner. Modern campaigns are polished: correct language, real logos, context drawn from social media, and increasingly content generated by language models.

The assumption that you can train people to be a hundred per cent effective is unrealistic. A better question is: what happens when someone does click? A well-designed defence assumes it will happen, and limits the impact.

A technical layer that works regardless of vigilance

MFA is absolutely essential. If an employee enters their password on a fake page but the account is protected by a second factor, the attacker still cannot log in immediately. Note that not all MFA is equally resistant — SMS codes can be intercepted, and push notifications are vulnerable to MFA fatigue. The strongest protection comes from hardware keys and passkeys based on the FIDO2 standard, which are phishing-resistant by design.

Mail filtering and sender authentication. Properly configured SPF, DKIM and DMARC make it harder to impersonate your domain and trusted senders. Flagging messages that come from outside the organisation is a simple yet effective warning signal.
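What "properly configured" looks like from the receiving side is visible in the DMARC aggregate (RUA) reports that mailbox providers send back while the policy is still p=none. The script below is an added example, not code from the original article or from Breachroad: it parses a report, shows per sending source how much mail passes DMARC, and lists the sources that would start being quarantined or rejected once the policy is tightened. The XML is a constructed sample in the RFC 7489 aggregate-report layout; the domain, reporter, IP addresses and counts are made up.

```python
"""Summarise a DMARC aggregate (RUA) report: which sending sources pass
DMARC and which would be quarantined or rejected once the policy moves on
from p=none.

Added example, not code from the original article or from Breachroad. The
XML is a constructed sample in the RFC 7489 aggregate-report layout; the
domain, reporter, IP addresses and counts are made up."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example-corp.test</domain>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>420</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example-corp.test</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example-corp.test</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example-corp.test</header_from></identifiers></record>
</feedback>
"""


def parse_report(xml_text):
    """Return (published policy, {source_ip: {"pass": n, "fail": n}})."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    policy = {"domain": published.findtext("domain"), "p": published.findtext("p")}
    per_source = defaultdict(lambda: {"pass": 0, "fail": 0})
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # In an aggregate report the <dkim> and <spf> values under policy_evaluated
        # are the *aligned* results; DMARC passes when either of them passes.
        dmarc_pass = (evaluated.findtext("dkim") == "pass"
                      or evaluated.findtext("spf") == "pass")
        per_source[ip]["pass" if dmarc_pass else "fail"] += count
    return policy, dict(per_source)


def enforcement_impact(per_source):
    """Totals plus the sources whose mail would be quarantined or rejected
    under p=quarantine / p=reject. Each such source is either a legitimate
    sender that still needs SPF/DKIM alignment or spoofing the policy is
    meant to stop; the admin decides which before tightening."""
    passing = sum(s["pass"] for s in per_source.values())
    failing = sum(s["fail"] for s in per_source.values())
    affected = sorted(ip for ip, s in per_source.items() if s["fail"] > 0)
    return passing, failing, affected


if __name__ == "__main__":
    policy, per_source = parse_report(SAMPLE_REPORT)
    passing, failing, affected = enforcement_impact(per_source)
    print(f"{policy['domain']} currently p={policy['p']}")
    for ip, counts in sorted(per_source.items()):
        print(f"  {ip:15} pass={counts['pass']:5} fail={counts['fail']:5}")
    print(f"pass={passing} fail={failing}; affected by enforcement: {affected}")
```

Real reports arrive compressed at the address in the record's rua= tag; unpack them and pass the XML text to parse_report. In the sample, 192.0.2.10 is a fully aligned sender, 198.51.100.7 passes on SPF alone (its DKIM signing needs fixing before it can be relied on), and 203.0.113.99 is the traffic that moving to quarantine or reject would stop.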

Limiting the impact of an account takeover. The principle of least privilege means a compromised regular-employee account does not grant access to the whole infrastructure. Monitoring unusual logins (a new location, impossible travel) lets you detect abuse quickly.
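The "impossible travel" check mentioned above is simple enough to show in full. The script below is an added example, not code from the original article or from Breachroad: it walks each account's sign-ins in time order, computes the great-circle distance between consecutive logins and alerts when the implied speed is higher than a person could travel. The sign-in lines are constructed (timestamp, user, source IP, latitude, longitude); in a real pipeline the coordinates come from a geolocation lookup on the IP, and the 900 km/h threshold is an assumption to tune.

```python
"""Flag impossible travel: two sign-ins for the same account from places
too far apart for the time between them.

Added example, not code from the original article or from Breachroad. The
sign-in lines are constructed (timestamp, user, source IP, latitude,
longitude); in practice the coordinates would come from a geolocation
lookup on the IP. The 900 km/h threshold is an assumption."""
import math
from datetime import datetime

SIGN_INS = [
    "2026-05-12T08:02:11Z,a.nowak,203.0.113.5,52.2297,21.0122",      # Warsaw
    "2026-05-12T08:41:50Z,a.nowak,198.51.100.22,37.7749,-122.4194",  # San Francisco
    "2026-05-12T09:10:03Z,j.kowalski,192.0.2.77,50.0647,19.9450",    # Krakow
    "2026-05-12T12:30:00Z,j.kowalski,192.0.2.78,52.2297,21.0122",    # Warsaw
    "2026-05-12T12:31:00Z,j.kowalski,192.0.2.78,52.2297,21.0122",    # same place, no alert
]
MAX_SPEED_KMH = 900.0  # about airliner speed; anything faster cannot be one traveller


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    radius = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def parse_events(lines):
    events = []
    for line in lines:
        ts, user, ip, lat, lon = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "lat": float(lat), "lon": float(lon),
        })
    # Each user's sign-ins must be processed in time order.
    return sorted(events, key=lambda e: (e["user"], e["time"]))


def find_impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per consecutive sign-in pair that implies a speed
    above max_speed_kmh. Same-location pairs (distance 0) never alert."""
    alerts, last_seen = [], {}
    for ev in parse_events(lines):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600.0
            # Two distinct locations with no elapsed time count as infinite speed.
            speed = km / hours if hours > 0 else math.inf
            if km > 0 and speed > max_speed_kmh:
                alerts.append({
                    "user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                    "km": round(km), "minutes": round(hours * 60), "kmh": round(speed),
                })
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SIGN_INS):
        print(f"ALERT {alert['user']}: {alert['from_ip']} -> {alert['to_ip']} "
              f"{alert['km']} km in {alert['minutes']} min ({alert['kmh']} km/h)")
```

In the sample, a.nowak's Warsaw-to-San-Francisco pair (roughly 9,400 km in 40 minutes) raises an alert, while j.kowalski's Krakow-to-Warsaw pair (about 250 km in three and a half hours) does not. Expect some noise from VPN exit nodes and mobile carriers that geolocate far from the user; the usual treatment is an allow-list of known corporate egress points rather than a higher threshold.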

The new generation of attacks: AI, quishing and adversary-in-the-middle

Classic advice (“look for typos”, “check the sender”) is no longer sufficient, because the technology on the attackers’ side has changed:

  • AI-generated content. Language models write flawless, personalised copy and can mimic a specific person’s style based on their public statements. Recognising phishing “by the language” is less and less effective.
  • Adversary-in-the-middle (AiTM). Modern phishing kits (such as Evilginx-style tooling) don’t fake the login page — they proxy the real login and capture the session together with the MFA code. That’s why SMS codes and push-notification apps don’t protect against this scenario; FIDO2 keys and passkeys do.
  • Quishing. QR codes in emails and on printouts bypass mail filters because the malicious URL is hidden inside an image, and the victim opens it on a personal phone, outside corporate monitoring. We covered this in more depth in our analysis of QR code phishing.
  • Voice phishing and deepfakes. Email campaigns are increasingly reinforced with a phone call “from IT” or a voice cloned from recordings — especially in CEO fraud (BEC).
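The reason FIDO2 keys and passkeys survive the AiTM scenario, where SMS and push codes do not, is origin binding: the browser writes the origin of the page that asked for the assertion into the signed client data, and the relying party refuses anything not signed for its own origin. The model below is an added example, not code from the original article or from Breachroad, and not a WebAuthn library. It simplifies in two labelled ways: the credential secret is shared with the relying party and an HMAC stands in for the real public-key signature, and the rpId is taken to be the host of the page origin. The domains, origins and challenge are constructed.

```python
"""Why a FIDO2/WebAuthn assertion does not survive an adversary-in-the-
middle proxy: the browser writes the real page origin into the signed
client data, and the relying party (RP) checks it.

Added example, not code from the original article or from Breachroad, and
not a WebAuthn library. Simplifications: the credential secret is shared
with the RP and an HMAC stands in for the real public-key signature; the
rpId is taken as the host of the page origin. Domains, origins and the
challenge are constructed."""
import hashlib
import hmac
import json
import os

RP_ID = "login.example-corp.test"
RP_ORIGIN = "https://login.example-corp.test"
PROXY_ORIGIN = "https://login.example-corp-test.phish.example"  # constructed AiTM page


def authenticator_sign(cred_secret, rp_id, client_data_json):
    """Authenticator output: authenticatorData (starts with sha256(rpId)) and a
    signature over authenticatorData || sha256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(cred_secret, signed, "sha256").digest()


def browser_get_assertion(cred_secret, page_origin, challenge):
    """The browser fills in the origin of the page that called
    navigator.credentials.get(); the page cannot choose a different one."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    rp_id = page_origin.split("://", 1)[1]  # simplification: rpId = page host
    auth_data, sig = authenticator_sign(cred_secret, rp_id, client_data_json)
    return client_data_json, auth_data, sig


def rp_verify(cred_secret, expected_challenge, client_data_json, auth_data, sig):
    """RP-side checks, ordered so that each failure mode is visible."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data_json).digest(),
                        "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature invalid"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def scenario(page_origin, proxy_rewrites_origin=False):
    """Run one login. With proxy_rewrites_origin the proxy edits the origin in
    clientDataJSON before relaying the assertion to the real RP."""
    cred_secret = os.urandom(32)  # established at registration (shared, per the simplification)
    challenge = "constructed-challenge-" + os.urandom(8).hex()  # issued by the RP
    client_data_json, auth_data, sig = browser_get_assertion(cred_secret, page_origin, challenge)
    if proxy_rewrites_origin:
        client = json.loads(client_data_json)
        client["origin"] = RP_ORIGIN
        client_data_json = json.dumps(client, separators=(",", ":")).encode()
    return rp_verify(cred_secret, challenge, client_data_json, auth_data, sig)


def legitimate_login():
    return scenario(RP_ORIGIN)


def proxied_login():
    """User at the proxy page: the browser records the proxy origin, so the
    relayed assertion is refused before any signature check."""
    return scenario(PROXY_ORIGIN)


def proxied_login_with_rewritten_origin():
    """Proxy rewrites the origin to the real one: the hash the authenticator
    signed no longer matches the client data presented."""
    return scenario(PROXY_ORIGIN, proxy_rewrites_origin=True)


if __name__ == "__main__":
    for name, fn in [("legitimate", legitimate_login), ("proxied", proxied_login),
                     ("proxied+rewrite", proxied_login_with_rewritten_origin)]:
        print(f"{name:16} -> {fn()}")
```

The two failing scenarios are the whole point: whatever the proxy relays either carries the wrong origin or carries a signature that no longer matches the client data, and the relying party never sees a usable session. An SMS or TOTP code has no such binding, which is why the article's advice puts FIDO2 first for the accounts that matter most.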

The practical takeaway: when designing your defence, assume the message will be flawless, the login page will look genuine, and the “second channel” (a phone call) may also be part of the attack.

How to design a defence programme step by step

Mature phishing protection is a programme, not a one-off project. A sensible rollout order:

  1. Technical foundation (weeks 1–4): DMARC in monitoring mode → quarantine → reject; flagging external mail; blocking delivery from domains registered in recent days.
  2. Phishing-resistant authentication (months 1–3): passkeys or hardware keys for admins, the board and finance first, eventually for everyone. Disable legacy protocols (password-based IMAP/POP3) and any login paths without MFA.
  3. A reporting path (month 1): a “report phishing” button in the mail client, an automatic acknowledgement for the reporter and feedback on what happened with the report.
  4. Measurement (quarterly): a controlled phishing campaign measuring not just clicks but above all the rate and speed of reports.
  5. Response (ongoing): a playbook for a compromised account — force sign-out of sessions, credential reset, a review of mailbox rules (attackers often add a rule forwarding mail externally).
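The mailbox-rule review in step 5 is easy to automate once the rules can be exported. The script below is an added example, not code from the original article or from Breachroad: it scans a list of inbox rules and reports the patterns that most often mark a taken-over account, namely forwarding or redirecting to an external address, a rule that deletes or marks as read mail matching sensitive terms, and a rule with an empty or punctuation-only name. The rule list is a constructed, platform-neutral export (name, conditions, actions); real mail platforms expose the same information under their own field names, so mapping an actual export onto this shape is left to the reader.

```python
"""Review a mailbox's inbox rules for signs of a compromised account.

Added example, not code from the original article or from Breachroad. The
rule list is a constructed, platform-neutral export (name, conditions,
actions); real mail platforms expose the same fields under their own
names."""

INTERNAL_DOMAINS = {"example-corp.test"}
SENSITIVE_TERMS = {"password", "invoice", "payment", "mfa", "security", "phishing"}

RULES = [
    {"name": "Newsletters", "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "conditions": {"subject_or_body_contains": ["invoice", "payment", "password"]},
     "actions": {"forward_to": ["collector@mail-drop.example"], "delete": True}},
    {"name": "Copy to assistant", "conditions": {"from_contains": ["board@"]},
     "actions": {"forward_to": ["assistant@example-corp.test"]}},
]


def is_external(address, internal_domains):
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def review_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return findings: one dict per rule that shows at least one red flag."""
    findings = []
    for rule in rules:
        reasons = []
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})

        # 1. Mail leaving the organisation without the user reading it first.
        targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
        external = [a for a in targets if is_external(a, internal_domains)]
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))

        # 2. Sensitive mail being hidden from the user (deleted or marked as read),
        #    the classic way to keep password-reset or payment mail out of sight.
        matched = {t.lower() for terms in conditions.values() for t in terms} & SENSITIVE_TERMS
        if matched and (actions.get("delete") or actions.get("mark_read")):
            reasons.append("hides mail matching: " + ", ".join(sorted(matched)))

        # 3. Rules named with a single dot or nothing at all, chosen to go unnoticed.
        if not rule.get("name", "").strip(" .-_"):
            reasons.append("empty or punctuation-only rule name")

        if reasons:
            findings.append({"rule": rule.get("name", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_rules(RULES):
        print(f"rule {finding['rule']!r}:")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Only the second rule is reported, on all three counts; the legitimate internal forward to the assistant is left alone. Run the check as part of the compromised-account playbook right after forcing sign-out and resetting credentials, because a rule that survives the reset keeps leaking mail.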

Controlled phishing campaigns

The best way to assess an organisation’s real resilience is to run a controlled, authorised phishing campaign. This isn’t about “catching out” employees, but about hard data: what share of people clicked, how many entered credentials, how quickly anyone reported the suspicious message.

That last metric — the time and rate of reports — is often more important than the number of clicks. An organisation where employees quickly report suspicious messages gives the security team a chance to react before the attack develops.

A reporting process that doesn’t punish

If an employee is afraid to admit they clicked, you will learn about the incident at the worst possible time — when it is already too late. The key is to build a culture where reporting a mistake is rewarded rather than stigmatised, and to provide a simple, one-click way to report suspicious messages.

Summary

Phishing is a problem that neither technology alone nor education alone will solve. An effective defence combines three layers: phishing-resistant MFA, technical email controls and aware employees with an easy reporting path. If you’d like to know your company’s real resilience, ask about a controlled phishing campaign — we’ll run it ethically and deliver concrete conclusions.

Frequently asked questions (FAQ)

What click rate in a simulated campaign is “normal”? In first campaigns a typical result is 10–30% clicks, depending on the scenario. The trend and the reporting rate matter more: mature organisations reach over 50% of reports within the first hour. A single number without scenario context says little — compare results between your own campaigns, not against internet benchmarks.

Is SMS-based MFA better than no MFA? Yes, definitely — it blocks mass attacks that rely on passwords alone. But against targeted attacks (AiTM, SIM swapping) it is not a barrier. The strategy: SMS as a minimum for everyone, passkeys/FIDO2 for privileged and finance accounts now, and for the whole organisation over time.

How often should we run simulated campaigns? Quarterly, with varying scenarios and target groups. More frequent campaigns cause fatigue and a “guessing game” effect; less frequent ones don’t build the habit. After each campaign, communicating the results is key — without naming and shaming, but showing what the attack looked like.

What should we do first when an employee entered their password on a fake page? Immediately: invalidate all active sessions for the account, reset the password, check mailbox rules and recent logins, and if the account has access to critical systems — review activity in those systems. Only then analyse how the message got past the filters.

Do small companies need DMARC too? Yes — also because without DMARC someone can impersonate your domain towards your customers and partners. For a small organisation the configuration is usually a few hours of work, and it protects the brand, not just mailboxes. We check it as standard in our security audits.
