The 5 phishing patterns we see most this year
Credential harvesting pages have gotten more convincing. BEC scams have gotten more personal. Here is what our data shows.
The 5 phishing patterns we see most this year
Phishing is not static. Attackers iterate on what works, abandon what gets blocked, and adapt to new platforms. Based on incident reports and simulation data across our customer base, here are the five patterns appearing most frequently right now.
1. Fake IT helpdesk with MFA nudge
The email claims to be from IT support and warns of "suspicious sign-in activity." It asks the employee to verify their identity by completing an MFA push — which is actually an attacker-initiated real auth session. This works because it exploits both urgency and the employee's familiarity with legitimate MFA flows.
2. DocuSign and e-signature spoofs
Attackers register domains that look like DocuSign or Adobe Sign and send realistic-looking "document ready to sign" notifications. The link leads to a credential harvesting page styled identically to the real service. These are particularly effective because recipients are often genuinely expecting a document.
3. Shared-drive notification lures
"Someone shared a file with you" is one of the most clicked email types in existence. Spoofed Google Drive, SharePoint, and Dropbox notifications route victims to OAuth consent screens that grant the attacker access to the victim's real account.
4. CEO fraud (Business Email Compromise)
Highly targeted emails impersonating executives — often sent to Finance or HR — requesting wire transfers, gift card purchases, or payroll redirections. These rarely contain links or attachments, which means spam filters often pass them. The attacker relies on authority and urgency.
5. Package delivery failures
Parcel delivery notifications have become ubiquitous and trusted. Fake DHL, FedEx, or UPS alerts claiming a delivery failed and requesting payment or address confirmation to redeliver. These work especially well because the recipient is often actually expecting a delivery.
The common thread
All five exploit the same human factors: familiarity, urgency, and the path of least resistance. Recognizing the pattern matters more than recognizing the specific lure — attackers change the costume, not the play.