By Kevin Townsend, Security Week
You can no longer recognize a phishing email by simply counting the typos. And you will get caught if you simply respond to a genuine-looking email without thinking.
Analysis of almost 800,000 email attacks across more than 4,600 organizations shows attackers moving away from exploiting technical vulnerabilities in favor of targeting behavioral and organizational weaknesses. In short, email attackers are now targeting their victims with tailored tactics that exploit trusted relationships and routine workflows.
The three primary email attack methods are phishing, business email compromise (BEC) and vendor email compromise (VEC). Phishing remains predominant, accounting for 58% of all attacks. BEC comprises 11% of attacks, while VEC (a subtype of BEC) accounts for more than 60% of all BEC attacks. Details are provided in Abnormal AI’s 2026 Attack Landscape Report.
Phishing varies by target.
File-sharing lures are concentrated on industries and roles where document exchange is common and expected. Brand impersonation aligns with the complexity of the target’s software footprint. In both cases, the lure is designed to blend into the workflows and tools that employees use. “The same structures, workflows, and relationships that define how an organization operates also define where an attack can blend in undetected,” says the report.
More than 20% of phishing attacks use redirect chains to obscure the final malicious page from both users and their security tools. Just over 10% of these use link shorteners, with tinyurl (31.6%) and t.co (26.6%) dominating. Tinyurl is a free service, while t.co is automatically and freely applied by X/Twitter to outbound links. In both cases the URL can appear legitimate and security teams are reluctant to impose automatic blocks.
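To see why a redirect chain through a shortener hides the true destination from a reviewer, here is an added example (not from the article or from Abnormal) that walks such a chain hop by hop and reports the hop count, the shortener domains traversed and the final host; the redirect map is constructed to stand in for live HTTP lookups, and the `suspicious` threshold is an assumption for illustration.

```python
from urllib.parse import urlparse

# Shortener domains named in the article; the redirect map below is constructed.
SHORTENERS = {"tinyurl.com", "t.co"}

# Constructed stand-in for live HEAD requests: each key "302-redirects" to its value.
REDIRECTS = {
    "https://t.co/abc123": "https://tinyurl.com/xyz",
    "https://tinyurl.com/xyz": "https://docs-share.example/view?id=1",
    "https://docs-share.example/view?id=1": "https://login-portal.example.net/auth",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def expand_chain(url, resolver=REDIRECTS, max_hops=10):
    """Follow redirects hop by hop; return (chain, final_url, stop_reason)."""
    chain, seen = [url], {url}
    while url in resolver:
        if len(chain) > max_hops:          # refuse to follow unbounded chains
            return chain, url, "max_hops"
        url = resolver[url]
        if url in seen:                    # redirect loop: stop without recursing
            return chain + [url], url, "loop"
        seen.add(url)
        chain.append(url)
    return chain, url, "final"


def assess_link(url, resolver=REDIRECTS):
    """Summarise a link the way a triage analyst would want to see it."""
    chain, final_url, reason = expand_chain(url, resolver)
    shortener_hops = [hostname(u) for u in chain if hostname(u) in SHORTENERS]
    hops = len(chain) - 1
    return {
        "hops": hops,
        "final_host": hostname(final_url),
        "shorteners": shortener_hops,
        "stopped": reason,
        # Assumed triage rule: any shortener, two or more hops, or an abnormal stop.
        "suspicious": reason != "final" or hops >= 2 or bool(shortener_hops),
    }
```

Swapping the constructed map for real HEAD requests (following `Location` headers without auto-redirect) turns this into a sandboxed link-expansion check; the loop and hop-cap handling are what keep it safe against hostile chains.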
BEC is less frequent, involves more attacker craftsmanship, and is more impactful.
BEC and VEC are less frequent but potentially more impactful than phishing. (BEC targets employees within an organization, while VEC relies on a compromised vendor account to then target the vendor’s customers or suppliers.)
In BEC, VIP impersonation is used in 43% of attacks at small enterprises, but only 7% at large enterprises. Lateral attacks within an organization, where one compromised account targets another account, are the reverse: less than 1% at small organizations, rising to more than 23% in large organizations. Noticeably, higher education is especially susceptible to such lateral attacks, where 33% of the BEC attacks are lateral, “Highlighting,” writes Abnormal, “how open, high-turnover environments create ideal conditions for internal spread.”