Remote Support Start download

Phishing Waves 2026: Concrete Protection Measures for SMBs

SecurityPhishingEmailMFA
Phishing Waves 2026: Concrete Protection Measures for SMBs

Phishing has been the most common initial attack vector for ransomware, BEC fraud and data exfiltration for two decades. What has changed: the quality of the attacks. Generative AI has wiped out the last easy detection signals — perfect grammar, credible tone, context-specific salutation. Anyone who, in 2026, still preaches “watch out for typos” as the core phishing-training message is training around the actual problem.

This article shows what really works against phishing in SMB practice in 2026 — technically and organisationally. No invented statistics; where numbers appear, they are BSI-sourced or clearly marked as experience.

What has changed in 2026

Four trends define the current phishing landscape:

1. AI-generated mails without detection signals

ChatGPT, Claude and similar LLMs produce perfectly worded German, English, French phishing mails — in seconds and individualised per victim. The old “spot the typo” training is largely worthless. Detection signals shift to:

  • Sender domain (often lookalike: microsoft-support.com instead of microsoft.com, daterev-online.com instead of datev.de)
  • Unusual requests (transfer money, enter password, release MFA code)
  • Context break (call from “IT” to a staffer who never deals with IT)

2. Deepfake audio in CEO fraud

Voice cloning is feasible with seconds of audio from LinkedIn videos or podcasts. The attack: call to the accountant’s smartphone, the cloned voice of the CEO demands an urgent transfer. The German BSI has documented such cases in its annual reports.

Protection: Clear four-eyes processes for payments above thresholds, mandatory callback over known phone numbers (not the one that called), code-word procedures for urgent payments.

3. QR phishing (quishing)

Email filters scan links — but rarely QR codes embedded in PDF attachments. Attackers ship PDFs with QR codes leading to phishing sites. Staff scan the code with their smartphone and land on a perfect login lookalike, filtered only by the personal phone’s browser (often less protected than the corporate mail client).

Protection: Training with concrete examples (“Don’t scan QR codes from emails”), MDM for corporate mobile devices with DNS filtering, reporting button also for PDF attachments.

4. MFA-fatigue attacks

For accounts with push-notification MFA (Microsoft Authenticator, Duo Push), attackers bombard the victim with dozens of requests — until the user impatiently approves. Famous example: the Uber incident in 2022. Still works in 2026, because many organisations rely on push-approve instead of number matching or FIDO2.

Protection: Enable number matching (user must enter a number from the login screen into the app), better still FIDO2 hardware keys.

The protection stack for SMBs in 2026

Phishing protection is a layered defence — no single tool stops everything. Recommended layers in order of effect:

Layer 1: Email authentication — SPF, DKIM, DMARC

These three standards prevent attackers from spoofing under your domain in the first place. We covered the details in Email security with SPF, DKIM, DMARC. Short version:

  • SPF: DNS TXT record listing permitted sender servers of your domain
  • DKIM: Server signs outgoing mails with a private key; receiver verifies with the DNS-published public key
  • DMARC: Tells receiver servers what to do when SPF and DKIM fail (quarantine or reject)

Important: DMARC should move to p=reject after a reporting phase — p=none does nothing against spoofing. The German BSI is actively pushing organisations towards DMARC reject in recent communications.

Layer 2: MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption between mail servers. Prevents MitM attacks on SMTP transport. DNS record + HTTPS policy file. Effort: low. Effect: encryption becomes mandatory, not optional.

Layer 3: Phishing-resistant MFA

The only MFA form offering real phishing resistance:

MFA typePhishing resistance2026 assessment
SMS OTPLowAvoid — vulnerable to SIM swap, realtime phishing
TOTP apps (Google Authenticator, Authy)MediumAcceptable as minimum — realtime phishing can grab TOTP codes
Push notification without number matchingLow–mediumVulnerable to MFA fatigue
Push notification with number matchingMedium–highMarkedly better, but not phishing-resistant per FIDO definition
FIDO2 / WebAuthn / PasskeysHighReal phishing protection — origin-bound, no transferable code

Concrete recommendation: FIDO2 hardware keys (YubiKey 5, Token2, Nitrokey) or passkeys (see passkey article) for all privileged accounts (admin, leadership, finance) — mandatory. For regular accounts at minimum TOTP, better FIDO2.

Layer 4: Secure mail gateway filters

An upstream mail filter (Mailcow + Rspamd, Microsoft Defender for Office 365, external services like Proofpoint, Hornetsecurity, etc.) sorts out obvious phishing before delivery. Important capabilities:

  • URL rewriting with sandbox inspection on click
  • Attachment sandbox (open suspicious Office files in an isolated environment)
  • Reputation filter (RBL lists, sender score)
  • Anti-spoofing (DMARC evaluation, ARC)

For the self-hosted variant see Mailcow for SMBs.

Layer 5: Browser and DNS protection

  • DNS filters (AdGuard Home Enterprise, Pi-hole, Cloudflare Gateway, NextDNS) block known phishing domains in DNS already
  • Browser extensions like uBlock Origin or an enterprise web filter block in the browser
  • EDR/XDR solutions detect post-phishing damage (credential theft, suspicious process chains)

Layer 6: Staff training — done differently than usual

Classic phishing training is often counterproductive: shock mails to all, “you would have fallen for a phishing attempt”, shame as a learning reinforcer. Doesn’t work.

What demonstrably works (per BSI and ENISA recommendations):

  1. Concrete real-world examples instead of synthetic phishing tests
  2. Reporting button in the mail client — let users one-click report, IT verifies and replies
  3. Positive reinforcement — those who report phishing are praised. Nobody is shamed for falling for one
  4. Short, regular micro-trainings (5-minute updates monthly) instead of an annual 90-minute block
  5. Awareness for the new vectors — deepfake audio, QR phishing, MFA fatigue
  6. Clear processes for suspected incidents — what do I do if I think I clicked? Call IT, don’t hide.

Layer 7: Incident-response preparation

Despite everything, someone will eventually click. Preparation:

  • Forensic lead time: who has administrative access, who can lock an account immediately?
  • Password reset process in < 15 minutes
  • MFA reset process with a second person for identity verification
  • Mailbox audit: has phishing already been forwarded from the account?
  • Bank communication prepared for fast-fraud calls
  • Reporting obligations (NIS2, GDPR for personal data) practised

See also Disaster recovery for SMBs.

What BSI and ENISA currently recommend

The official 2026 recommendations:

We deliberately avoid invented statistics (“X % of all mails are phishing”) — the real numbers vary widely by industry and methodology. The qualitative statements above are derivable from BSI and ENISA reports and consistent with DATAZONE field experience.

Practice checklist — what SMBs should complete by end of 2026

In this order:

  • SPF, DKIM, DMARC set up — DMARC at p=reject
  • MTA-STS policy published
  • FIDO2 mandatory for all admin accounts
  • TOTP / FIDO2 mandatory for all regular accounts
  • Push MFA with number matching or replaced by FIDO2
  • Reporting button in the mail client for all staff
  • DNS filter (internal or cloud-based)
  • Mail gateway with URL rewriting and attachment sandbox
  • Four-eyes principle for payments above threshold
  • Code-word procedure for CEO-fraud resistance
  • Monthly micro-trainings with real examples
  • Incident-response process practised — annual tabletop minimum
  • Backup strategy with air-gap (3-2-1 rule)

DATAZONE recommendation

Phishing protection is not a purchasing decision — it is a process of technology, training and discipline. No product protects on its own. But the interplay of email authentication, FIDO2 MFA, training with a reporting button and a prepared incident response makes your mid-market company an unattractive target — and in practice that is the best protection result there is.

We at DATAZONE support the rollout — from DMARC DNS configuration through FIDO2 rollout planning to choosing a fitting mail gateway. More under our IT security consulting for SMBs.

Sources and further reading

Need IT consulting?

Contact us for a no-obligation consultation on Proxmox, OPNsense, TrueNAS and more.

Get in touch