
‘Gone phishing’: Why cybercriminals continue to favour this form of attack, and how financial firms can get ahead

Phishing remains a persistent cyber threat for financial services, with barriers to entry lowering and creating conditions for more experimentation and growth in this type of attack in 2026.

Jason Steer, CISO at cyber threat intelligence specialists Recorded Future, looks at the importance of building intelligence to strengthen cyber resilience. 

The phishing problem

Recent findings from the UK Government’s Cyber Security Breaches Survey 2025/2026 underline the scale of cyber-attacks and phishing. Nearly half (44%) of finance and insurance firms identified cyber breaches or attacks in the past year, which is slightly above the UK cross-sector average.

Security incidents for the average person, typically and sadly, include the hacking of online bank accounts, theft of bitcoin from people’s wallets, takeover of social media accounts or even unauthorised access to files or networks by unknown people. The most prevalent threat vector used to accomplish this was phishing, which was experienced by 38% of businesses surveyed in the latest version of the Cyber Security Breaches Survey.

Jason Steer

The prominence of phishing continues a recurring trend identified in recent editions of the annual government Survey, where this form of threat has consistently ranked as the leading type of breach or attack affecting organisations. 

For the financial services industry, where trust is paramount, the persistence of phishing (a well-known tactic) presents a paradox and a warning.

A not-so-predictable problem

Cybercriminals tend to continuously change and rotate attack techniques in an attempt to remain harder to predict and stop. There’s every possibility that a known modus operandi (aka Tools, Techniques and Procedures; what we call TTPs) becomes easier to detect, making it harder for threat actors to beat security defences. So it can seem quite unusual that adversaries regularly rely on phishing, and that it remains a go-to form of attack. Why? There are two factors in play here.

First, phishing targets people, and human vulnerability consistently outpaces technological safeguards. Even seasoned professionals can struggle to distinguish increasingly sophisticated phishing attempts from legitimate communications. Expecting non-specialists to consistently identify them correctly can be a huge challenge.

Second, phishing is highly adaptable. While the core tactic of deception to obtain credentials or sensitive data remains unchanged, the execution evolves rapidly. Campaigns are now tailored with remarkable precision, often varying significantly between organisations, sectors, and even individual employees.

This combination of human fallibility and tactical flexibility ensures phishing remains both scalable and reliable for attackers.

From crude scams to industrialised deception

What once relied on poorly written emails riddled with grammatical errors has evolved into a far more refined threat. Advances in Artificial Intelligence (AI) and automation have dramatically lowered the barriers to entry for phishing. Today’s threat actors can generate highly convincing phishing messages in multiple languages, localise content to match regional tone and context, and even deliberately mimic informal language patterns or minor errors to appear authentic.

There has also been a rise in Phishing-as-a-Service (PhaaS) models. PhaaS provides adversaries with ‘off-the-shelf’ tools and 24/7 support services to quickly launch and adapt phishing campaigns that require little skill or preparation and minimal cost. This type of cybercriminal subscription model is creating conditions for more experimentation and growth in phishing in 2026, and is contributing to the prevalence of phishing attacks.

In 2025, we saw cybercriminals using open-source LLMs to advance sophisticated and convincing phishing kits, which can be sold at scale and easily used by threat actors. These tools have names such as EvilTokens and Labhost, and there remains a competitive market for these services on the dark web.

Building intelligence of evolving threats 

To better predict, prioritise and prevent phishing attacks, finance organisations need to develop a strong, informed understanding of how attack techniques are evolving. Phishing attempts often prove successful because they catch people off guard, particularly when awareness of emerging tactics is limited. Without up-to-date knowledge, professionals may not recognise phishing threats that use cloned voices or deepfake videos, or notice how adversaries add real-life references to attacks to make them seem genuine.

Cyber threat intelligence plays a critical role by providing timely, contextual insights about shifting threat methods, as well as pinpointing data leaks and compromised user credentials.

Advanced intelligence platforms can monitor real-time data from open, closed and proprietary sources, including the dark web and threat actor forums. This can help organisations to gain a clearer picture of what cybercriminals are doing and how they are planning to target businesses – and other trusted parties in supply chains – through social engineering. 

By building and continually refreshing intelligence about evolving phishing techniques, organisations can better understand what threats look like and strengthen vigilance against phishing attacks.
