Phishing has been the most common initial attack vector for ransomware, BEC fraud and data exfiltration for two decades. What has changed: the quality of the attacks. Generative AI has wiped out the last easy detection signals — perfect grammar, credible tone, context-specific salutation. Anyone who, in 2026, still preaches “watch out for typos” as the core phishing-training message is training around the actual problem.
This article shows what really works against phishing in SMB practice in 2026 — technically and organisationally. No invented statistics; where numbers appear, they are BSI-sourced or clearly marked as experience.
What has changed in 2026
Four trends define the current phishing landscape:
1. AI-generated mails without detection signals
ChatGPT, Claude and similar LLMs produce perfectly worded German, English, French phishing mails — in seconds and individualised per victim. The old “spot the typo” training is largely worthless. Detection signals shift to:
- Sender domain (often lookalike:
microsoft-support.cominstead ofmicrosoft.com,daterev-online.cominstead ofdatev.de) - Unusual requests (transfer money, enter password, release MFA code)
- Context break (call from “IT” to a staffer who never deals with IT)
2. Deepfake audio in CEO fraud
Voice cloning is feasible with seconds of audio from LinkedIn videos or podcasts. The attack: call to the accountant’s smartphone, the cloned voice of the CEO demands an urgent transfer. The German BSI has documented such cases in its annual reports.
Protection: Clear four-eyes processes for payments above thresholds, mandatory callback over known phone numbers (not the one that called), code-word procedures for urgent payments.
3. QR phishing (quishing)
Email filters scan links — but rarely QR codes embedded in PDF attachments. Attackers ship PDFs with QR codes leading to phishing sites. Staff scan the code with their smartphone and land on a perfect login lookalike, filtered only by the personal phone’s browser (often less protected than the corporate mail client).
Protection: Training with concrete examples (“Don’t scan QR codes from emails”), MDM for corporate mobile devices with DNS filtering, reporting button also for PDF attachments.
4. MFA-fatigue attacks
For accounts with push-notification MFA (Microsoft Authenticator, Duo Push), attackers bombard the victim with dozens of requests — until the user impatiently approves. Famous example: the Uber incident in 2022. Still works in 2026, because many organisations rely on push-approve instead of number matching or FIDO2.
Protection: Enable number matching (user must enter a number from the login screen into the app), better still FIDO2 hardware keys.
The protection stack for SMBs in 2026
Phishing protection is a layered defence — no single tool stops everything. Recommended layers in order of effect:
Layer 1: Email authentication — SPF, DKIM, DMARC
These three standards prevent attackers from spoofing under your domain in the first place. We covered the details in Email security with SPF, DKIM, DMARC. Short version:
- SPF: DNS TXT record listing permitted sender servers of your domain
- DKIM: Server signs outgoing mails with a private key; receiver verifies with the DNS-published public key
- DMARC: Tells receiver servers what to do when SPF and DKIM fail (
quarantineorreject)
Important: DMARC should move to p=reject after a reporting phase — p=none does nothing against spoofing. The German BSI is actively pushing organisations towards DMARC reject in recent communications.
Layer 2: MTA-STS
MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption between mail servers. Prevents MitM attacks on SMTP transport. DNS record + HTTPS policy file. Effort: low. Effect: encryption becomes mandatory, not optional.
Layer 3: Phishing-resistant MFA
The only MFA form offering real phishing resistance:
| MFA type | Phishing resistance | 2026 assessment |
|---|---|---|
| SMS OTP | Low | Avoid — vulnerable to SIM swap, realtime phishing |
| TOTP apps (Google Authenticator, Authy) | Medium | Acceptable as minimum — realtime phishing can grab TOTP codes |
| Push notification without number matching | Low–medium | Vulnerable to MFA fatigue |
| Push notification with number matching | Medium–high | Markedly better, but not phishing-resistant per FIDO definition |
| FIDO2 / WebAuthn / Passkeys | High | Real phishing protection — origin-bound, no transferable code |
Concrete recommendation: FIDO2 hardware keys (YubiKey 5, Token2, Nitrokey) or passkeys (see passkey article) for all privileged accounts (admin, leadership, finance) — mandatory. For regular accounts at minimum TOTP, better FIDO2.
Layer 4: Secure mail gateway filters
An upstream mail filter (Mailcow + Rspamd, Microsoft Defender for Office 365, external services like Proofpoint, Hornetsecurity, etc.) sorts out obvious phishing before delivery. Important capabilities:
- URL rewriting with sandbox inspection on click
- Attachment sandbox (open suspicious Office files in an isolated environment)
- Reputation filter (RBL lists, sender score)
- Anti-spoofing (DMARC evaluation, ARC)
For the self-hosted variant see Mailcow for SMBs.
Layer 5: Browser and DNS protection
- DNS filters (AdGuard Home Enterprise, Pi-hole, Cloudflare Gateway, NextDNS) block known phishing domains in DNS already
- Browser extensions like uBlock Origin or an enterprise web filter block in the browser
- EDR/XDR solutions detect post-phishing damage (credential theft, suspicious process chains)
Layer 6: Staff training — done differently than usual
Classic phishing training is often counterproductive: shock mails to all, “you would have fallen for a phishing attempt”, shame as a learning reinforcer. Doesn’t work.
What demonstrably works (per BSI and ENISA recommendations):
- Concrete real-world examples instead of synthetic phishing tests
- Reporting button in the mail client — let users one-click report, IT verifies and replies
- Positive reinforcement — those who report phishing are praised. Nobody is shamed for falling for one
- Short, regular micro-trainings (5-minute updates monthly) instead of an annual 90-minute block
- Awareness for the new vectors — deepfake audio, QR phishing, MFA fatigue
- Clear processes for suspected incidents — what do I do if I think I clicked? Call IT, don’t hide.
Layer 7: Incident-response preparation
Despite everything, someone will eventually click. Preparation:
- Forensic lead time: who has administrative access, who can lock an account immediately?
- Password reset process in < 15 minutes
- MFA reset process with a second person for identity verification
- Mailbox audit: has phishing already been forwarded from the account?
- Bank communication prepared for fast-fraud calls
- Reporting obligations (NIS2, GDPR for personal data) practised
See also Disaster recovery for SMBs.
What BSI and ENISA currently recommend
The official 2026 recommendations:
- BSI: State-of-the-Nation Cybersecurity Report — phishing remains top attack vector; DMARC and FIDO2 named as central measures
- ENISA: Threat Landscape Report — social engineering as a persistent trend; AI-augmented phishing highlighted
- Alliance for Cybersecurity: free materials for staff training
We deliberately avoid invented statistics (“X % of all mails are phishing”) — the real numbers vary widely by industry and methodology. The qualitative statements above are derivable from BSI and ENISA reports and consistent with DATAZONE field experience.
Practice checklist — what SMBs should complete by end of 2026
In this order:
- SPF, DKIM, DMARC set up — DMARC at
p=reject - MTA-STS policy published
- FIDO2 mandatory for all admin accounts
- TOTP / FIDO2 mandatory for all regular accounts
- Push MFA with number matching or replaced by FIDO2
- Reporting button in the mail client for all staff
- DNS filter (internal or cloud-based)
- Mail gateway with URL rewriting and attachment sandbox
- Four-eyes principle for payments above threshold
- Code-word procedure for CEO-fraud resistance
- Monthly micro-trainings with real examples
- Incident-response process practised — annual tabletop minimum
- Backup strategy with air-gap (3-2-1 rule)
DATAZONE recommendation
Phishing protection is not a purchasing decision — it is a process of technology, training and discipline. No product protects on its own. But the interplay of email authentication, FIDO2 MFA, training with a reporting button and a prepared incident response makes your mid-market company an unattractive target — and in practice that is the best protection result there is.
We at DATAZONE support the rollout — from DMARC DNS configuration through FIDO2 rollout planning to choosing a fitting mail gateway. More under our IT security consulting for SMBs.
Sources and further reading
More articles
Linux Server Hardening: 15-Minute Checklist
Ten concrete hardening steps for a freshly installed Debian, Ubuntu or Rocky Linux server — SSH, updates, firewall, auditing, sudo, limits, services, NTP, logging, kernel sysctl. With commands, doable in a quarter of an hour.
Backup Encryption: Key Management Done Right
Encrypted backups are useless if key management is sloppy. Symmetric vs. asymmetric, vault options, rotation, recovery scenarios and the tool-level practice for PBS, Restic and TrueNAS.
CER Directive: Resilience Obligations for the Mid-Market
The EU CER Directive (Critical Entities Resilience) and the German CER-UmsG oblige critical entities to physical and operational resilience. Scope, transposition deadline, delineation from NIS2 and concrete measures for the mid-market.