What Is a Phishing Scam? How AI-Powered Attacks Cost Americans $20.9 Billion in 2025
Americans lost $20.9 billion to cybercrime in 2025 — a 26% jump from the prior year — and phishing remains the single most reported attack method, according to the FBI's Internet Crime Complaint Center (IC3). In 2026, phishing has evolved dramatically: 83% of all phishing emails are now AI-generated, and they're working. Understanding what a phishing scam is, and how the threat has changed, is no longer optional for individuals or businesses.
What Is a Phishing Scam?
A phishing scam is a cyberattack in which criminals impersonate a trusted entity — a bank, a government agency, a coworker, or a popular service — to trick you into revealing sensitive information or clicking a malicious link. The term comes from "fishing": attackers cast a wide net and wait for victims to take the bait.
Phishing can arrive via email (the most common vector), text message (smishing), phone call (vishing), or QR code (quishing). The payload varies: a link to a credential-harvesting page, an attachment that drops malware, or an instruction to call a number or move money. Once a victim enters credentials on the attacker's page or opens the attachment, attackers gain access to email accounts, banking systems, payroll software, or corporate networks.
The FBI's 2024 IC3 Annual Report logged 193,407 phishing and spoofing complaints in a single year, making it the leading cybercrime category by volume. Reported direct losses in that category hit $70 million, a 273.8% increase versus the prior year. Because IC3 books losses under the crime a victim reports, phishing that ends in a fraudulent wire transfer or an account takeover is counted under those categories instead, so the $70 million understates what phishing actually costs.
How AI Has Changed Phishing in 2026
Traditional phishing was easy to spot: broken grammar, generic greetings, obvious fake domains. That era is effectively over. Artificial intelligence has transformed phishing from a clumsy, high-volume game into a precision weapon.
According to KnowBe4's 2025 Phishing Trends Report, 83% of phishing emails are now AI-generated. These messages are grammatically flawless, contextually relevant, and personalized using publicly available data — your LinkedIn profile, your company's press releases, your recent social media posts. The click-through rate for AI-generated phishing is 54%, compared to just 12% for traditional phishing.
Business Email Compromise (BEC) — a type of phishing where attackers impersonate executives or vendors to authorize fraudulent wire transfers — caused $3 billion in losses in 2025 across roughly 21,000 cases. The FBI noted a 136% quarter-over-quarter increase in wire-transfer BEC attempts in Q4 2025 alone. Forty percent of those BEC emails were AI-generated.
Beyond email, voice cloning (deepfake audio) now enables attackers to impersonate a CFO's voice in a phone call, directing a finance employee to wire funds to a fraudulent account. Deepfakes account for 11% of global fraud in 2026. The attack only requires a few seconds of public audio — a podcast appearance, an earnings call recording, or a YouTube video is enough.
What Businesses Are Losing
The average cost of a phishing-driven data breach reached $4.88 million in 2024, according to IBM's Cost of a Data Breach Report, a 10% increase from the prior year. More alarming: the average time to identify and contain a phishing breach is 261 days. That is nearly nine months from initial intrusion to containment, most of it spent before anyone knows the attacker is inside.
Small and mid-sized businesses are disproportionately affected. Unlike large enterprises, they typically lack dedicated security operations centers, phishing simulation training programs, or advanced email filtering. Yet the financial fallout can be just as devastating on a per-employee basis.
Tax season 2026 saw Proofpoint document over 100 distinct tax-themed phishing campaigns in the US market alone — impersonating the IRS, payroll providers like ADP and Paychex, and state revenue agencies.
The New Attack Vectors You Should Know
QR code phishing (quishing): Roughly 25% of current campaigns embed malicious links inside QR codes. The URL lives in an image rather than in the message text, so the link-rewriting and URL-reputation filters on the email gateway never see it, and the victim typically scans it with a personal phone that sits outside corporate web filtering and endpoint controls. The codes typically redirect to credential-harvesting pages designed to look like Microsoft or Google login screens.
Callback phishing: Emails contain a phone number rather than a URL, asking you to "call to dispute a charge" or "verify your account." Phone calls bypass email security filters entirely. This technique saw a 500% increase in Q4 2025.
Session token hijacking: Some phishing kits no longer stop at passwords. An adversary-in-the-middle (AitM) kit sits as a reverse proxy between the victim and the real login page, relays the password and the MFA prompt to the genuine service in real time, and captures the session cookie the service issues once MFA succeeds. Even with MFA enabled, the attacker then replays that authenticated session from their own browser without ever needing your password or OTP code again. One-time codes and push approvals are defeated this way; FIDO2 credentials are not, because they are bound to the real site's origin.
Phishing-as-a-Service (PhaaS): Criminal platforms rent out complete phishing toolkits — customizable templates, fake login pages, and automated credential collection — lowering the barrier for unsophisticated attackers to launch sophisticated attacks.
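As an added example (not from the original article), here is detection logic for the replay pattern described under session token hijacking: a session cookie that completed authentication from one client and is then used from another. The log format and every entry in it are constructed for illustration; in practice the events would come from the identity provider's or mail platform's sign-in and activity logs.

```python
"""Flag a session token used by a different client than the one that
authenticated it.  Added example with a constructed log format; an AitM
proxy logs in with the victim's browser headers from the attacker's IP,
then the stolen cookie is replayed from the attacker's own browser."""
from dataclasses import dataclass

# Constructed activity log: time user session src_ip user_agent action
SAMPLE_LOG = """\
09:00:01 alice S1 203.0.113.7  Chrome/124  auth_success
09:00:30 alice S1 203.0.113.7  Chrome/124  read_mail
09:04:12 alice S1 198.51.100.9 Firefox/118 read_mail
09:05:00 alice S1 198.51.100.9 Firefox/118 create_forwarding_rule
09:10:00 bob   S2 192.0.2.44   Safari/17   auth_success
09:11:00 bob   S2 192.0.2.45   Safari/17   read_mail
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    session: str
    ip: str
    ua: str
    action: str


def parse_log(text):
    """One Event per non-empty line; fields are whitespace separated."""
    return [Event(*line.split()) for line in text.splitlines() if line.strip()]


def find_session_replays(events, require_ua_change=False):
    """Return one alert per session whose token is used from a client
    other than the one that authenticated it.

    The first (ip, user_agent) pair to complete auth_success owns the
    session.  A later request carrying the same session id from a
    different pair is flagged: 'high' if the browser changed, 'medium'
    if only the address did (mobile networks change IPs; browsers rarely
    change mid-session).  require_ua_change=True drops the IP-only case.
    Sessions whose login was never observed are out of scope here."""
    owner = {}
    alerts = []
    seen = set()
    for e in events:
        client = (e.ip, e.ua)
        if e.action == "auth_success":
            owner.setdefault(e.session, client)
            continue
        auth_client = owner.get(e.session)
        if auth_client is None or auth_client == client or e.session in seen:
            continue
        severity = "high" if auth_client[1] != e.ua else "medium"
        if severity == "medium" and require_ua_change:
            continue
        seen.add(e.session)
        alerts.append({
            "user": e.user,
            "session": e.session,
            "authenticated_from": auth_client,
            "replayed_from": client,
            "first_action": e.action,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_log(SAMPLE_LOG)):
        print(alert)
```

The high-severity case, the same cookie appearing in a new browser minutes after login, is the signature of a stolen token, and a mailbox forwarding rule as the first action from the new client is the classic follow-on for a BEC operation.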
What Experts Recommend: Seven Defensive Steps
IT security professionals consistently point to the same foundational defenses:
1. Implement phishing-resistant MFA. FIDO2 hardware keys or passkeys block over 99% of credential phishing attacks because the authenticator signs a challenge tied to the website's origin: a credential registered for your real login domain will not respond on a lookalike domain, and nothing reusable is ever typed into a page. Avoid SMS-based one-time passwords, which can be intercepted via SIM-swapping or SS7 attacks, and treat push approvals and app-generated codes as phishable too, since AitM kits relay them in real time.
2. Configure DMARC, SPF, and DKIM. These email authentication standards let receiving mail servers detect messages that claim to come from your exact domain but were not sent by your authorized servers. Setting DMARC to a "reject" policy tells receivers to discard those messages before they reach employee inboxes. Roll it out in stages (p=none to collect aggregate reports, then quarantine, then reject) so legitimate third-party senders are not cut off, and remember that DMARC says nothing about lookalike domains or a spoofed display name, which need the controls in steps 6 and 7.
3. Run quarterly phishing simulations. Organizations that run regular phishing simulations and training see employee failure rates drop from 34% to below 2% after 12 months, according to security training firm KnowBe4. Employees who can recognize phishing are your last line of defense.
4. Require out-of-band verification for all payment requests. Any wire transfer or payment instruction received via email should be confirmed via a phone call to a number you already have on file — never the number provided in the email.
5. Sandbox file attachments. PDF and SVG files are now the top two malicious attachment types, together accounting for nearly 29% of malicious files. SVG deserves particular attention: it is XML, it can carry embedded JavaScript and HTML, and most mail clients hand it to the browser to render, where that script runs. Email gateways should detonate attachments in an isolated environment before delivery, and few organizations have any business need to receive SVG files by email at all.
6. Monitor for lookalike domains. Attackers register domains that are one character off from your company name (e.g., "expertzo0m.com") and use them to impersonate your brand. Automated monitoring tools can alert your security team when these domains appear.
7. Train employees on new techniques. Generic "don't click bad links" training is insufficient. Staff need to understand QR code phishing, callback lures, and deepfake voice calls — all techniques that have risen sharply in 2025-2026.
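To make step 2 concrete, here is an added example (not from the original article) that parses DMARC and SPF TXT records and reports the settings that let an exact-domain spoof through. The records are constructed for illustration and the code performs no DNS queries; in practice you would fetch the `_dmarc.<domain>` and apex TXT records and pass the strings in.

```python
"""Audit DMARC and SPF records for settings that let spoofed mail through.
Added example with constructed records; pass in the TXT strings you fetch
from DNS (this code performs no lookups itself)."""
import re

# Constructed records: the weak configuration beside the hardened one.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net +all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)\b")


def parse_dmarc_tags(record):
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of findings; an empty list means the policy enforces."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: failing mail is only monitored or quarantined, not rejected")
    sub_policy = tags.get("sp", policy)  # subdomain policy defaults to the domain policy
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains (hr.example.com, payroll.example.com) can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    return findings


def audit_spf(record):
    """Return a list of findings for an SPF record; empty means it fails closed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    mechanisms = [t.lower() for t in terms[1:]]
    # The 'all' mechanism decides what happens to every sender not listed above it.
    all_terms = [m for m in mechanisms if m.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get an implicit neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet is an authorized sender")
        elif qualifier == "?":
            findings.append("?all: unlisted senders evaluate to neutral, which receivers do not reject")
    lookups = sum(1 for m in mechanisms if LOOKUP_TERM.match(m))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the RFC 7208 limit of 10, receivers return permerror")
    return findings


def audit_domain(dmarc_record, spf_record):
    """Combine both audits into one report keyed by record type."""
    return {"dmarc": audit_dmarc(dmarc_record), "spf": audit_spf(spf_record)}


if __name__ == "__main__":
    print("weak:  ", audit_domain(WEAK_DMARC, WEAK_SPF))
    print("strong:", audit_domain(STRONG_DMARC, STRONG_SPF))
```

The weak pair is the common real-world state: a DMARC record published in monitor-only mode and never moved to enforcement, beside an SPF record whose `+all` authorizes the whole internet. Neither is a syntax error, which is why a checker has to look at the semantics rather than just confirming the records exist.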
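For step 5, an added example (not from the article) of the static check a gateway can run on an SVG attachment before, or alongside, detonation. Both SVG documents are constructed: one is a plain graphic, the other uses the script, event-handler, `javascript:` link and `foreignObject` tricks that make SVG attractive to phishers. Python's `xml.etree` is not hardened against entity-expansion attacks, so run this inside the sandbox itself or swap in `defusedxml`.

```python
"""Static scan of an SVG attachment for active content.  Added example
with two constructed SVG files; the malicious one mimics the redirect and
embedded-HTML tricks seen in SVG phishing.  xml.etree expands internal
entities, so run this in the detonation sandbox or use defusedxml."""
import xml.etree.ElementTree as ET

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40">
  <rect width="120" height="40" fill="#0a5"/>
  <text x="10" y="25">Invoice</text>
</svg>"""

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <text x="10" y="25">Loading secure document...</text>
  <a xlink:href="javascript:void(0)"><rect width="200" height="50"/></a>
  <script><![CDATA[ window.location = "https://portal.example.invalid/auth"; ]]></script>
  <foreignObject width="1" height="1">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <iframe src="https://portal.example.invalid/frame"></iframe>
    </body>
  </foreignObject>
</svg>"""

# Elements that execute code or embed a full HTML document inside the image.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def local_name(qualified):
    """'{http://www.w3.org/2000/svg}script' -> 'script'; also strips xlink: from attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(data):
    """Return a list of findings; an empty list means no active content was found."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}): treat as suspicious"]
    findings = []
    for element in root.iter():
        tag = local_name(element.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in element.attrib.items():
            name = local_name(attr)
            target = value.strip().lower()
            if name.startswith("on"):  # onload, onclick, onbegin, onend ...
                findings.append(f"event handler {name}=")
            elif name in ("href", "src"):
                if target.startswith(DANGEROUS_SCHEMES):
                    findings.append(f"{name} uses {target.split(':', 1)[0]}: scheme")
                elif target.startswith(("http://", "https://", "//")):
                    findings.append(f"{name} points to external host")
    return findings


def verdict(data):
    """Gateway decision: 'block' on any finding, otherwise 'deliver'."""
    return "block" if scan_svg(data) else "deliver"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, verdict(doc), scan_svg(doc))
```

A legitimate logo or chart produces no findings, so blocking on any hit is a defensible default; the parse-error branch is deliberate, because a file that is not even well-formed XML has no business being rendered by an employee's browser.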
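For step 6, an added example (not from the article) that scores newly observed domains against a brand. The brand `expertzoom.com` is an assumption inferred from the article's `expertzo0m.com`, and the candidate list is a constructed stand-in for a certificate-transparency or new-registration feed. It goes slightly beyond the one-character case in the text by also catching homoglyphs, TLD swaps and brand-in-the-name registrations; a production tool would use the Public Suffix List instead of the single-label suffix assumed here.

```python
"""Classify domains that impersonate a brand: homoglyphs, one-edit typos,
TLD swaps and brand-in-the-name.  Added example; BRAND is an assumption
taken from the article's 'expertzo0m.com' and CANDIDATES is a constructed
feed, not real registration data."""

BRAND = "expertzoom.com"

# Constructed stand-in for a CT-log or new-registration feed.
CANDIDATES = [
    "expertzo0m.com",        # digit zero for letter o
    "expretzoom.com",        # transposed letters
    "expertzoom-login.net",  # brand embedded in a longer name
    "expertzoom.co",         # same name, different TLD
    "mail.expertzoom.com",   # the brand's own subdomain: benign
    "example.com",           # unrelated
]

# Substitutions that look alike in most fonts (multi-character ones first).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label):
    """Collapse look-alike sequences so 'expertzo0m' and 'expertzoorn' read 'expertzoom'."""
    for glyph, real in HOMOGLYPHS:
        label = label.replace(glyph, real)
    return label


def split_domain(domain):
    """('expertzoom', 'com') for 'www.expertzoom.com'.  Assumes a
    single-label public suffix; use the PSL for .co.uk and friends."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): insert, delete,
    substitute or swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate, brand=BRAND):
    """Return why `candidate` looks like `brand`, or None if it does not."""
    cand = candidate.lower().strip(".")
    brand = brand.lower()
    if cand == brand or cand.endswith("." + brand):
        return None  # the brand itself and its own subdomains
    c_label, c_tld = split_domain(cand)
    b_label, b_tld = split_domain(brand)
    if c_label == b_label:
        return "different TLD" if c_tld != b_tld else None
    if normalize(c_label) == normalize(b_label):
        return "homoglyph"
    if edit_distance(normalize(c_label), normalize(b_label)) == 1:
        return "one edit away"
    if b_label in cand:
        return "brand embedded"
    return None


def triage(candidates, brand=BRAND):
    """Map each suspicious candidate to its reason; benign ones are dropped."""
    return {c: r for c in candidates if (r := classify(c, brand)) is not None}


if __name__ == "__main__":
    for domain, reason in triage(CANDIDATES).items():
        print(f"{domain:24} {reason}")
```

Run against a daily feed of new certificates or registrations, each hit becomes a takedown request or, at minimum, a block on the web proxy and a rule in the mail gateway before the domain is ever used against your staff or customers.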
When to Call an IT Security Expert
If your organization has seen an increase in suspicious emails, an employee who clicked a phishing link, or an unplanned account lockout, do not wait. The average phishing breach takes 261 days to identify and contain, by which point credentials, client data, and intellectual property may already have been exfiltrated.
An IT security consultant can conduct a phishing risk assessment, audit your email authentication configuration, run simulated phishing campaigns, and build an incident response playbook so you know exactly what to do if an attack succeeds.
Phishing is not a technology problem you solve once. It is an ongoing arms race, and the attacker's side just received a major upgrade courtesy of artificial intelligence. Expert guidance makes the difference between catching an attack in minutes and finding out nine months too late.
Disclaimer: This article is for informational purposes only. Consult a certified IT security professional for a risk assessment and guidance tailored to your organization.
