Subscribe to the Non-Human & AI Identity Journal

Why do hybrid work models increase phishing risk?

Hybrid work pushes more communication into email, chat, and messaging tools, where impersonation is easy and verification is often weak. Attackers benefit when staff are moving quickly and informal checks disappear. Strong email signing, user verification workflows, and out-of-band confirmation reduce that exposure.

Why This Matters for Security Teams

Hybrid work changes the attack surface because trust decisions move from shared office routines to digital cues that are easy to imitate. Phishing becomes more effective when workers rely on email, collaboration chat, SMS, and ticketing tools for approvals, file sharing, and urgent requests. That shift weakens informal verification and makes impersonation of executives, IT support, payroll, and vendors far more believable. Guidance in the NIST Cybersecurity Framework 2.0 fits this reality because phishing is not just a user-awareness problem; it is also an identity, process, and detection problem.

The practical risk is that hybrid work expands the number of places where a malicious message can look normal. A message that would seem suspicious in person may be accepted when it arrives during back-to-back calls, on a mobile device, or in a cross-functional chat thread. Security teams often underestimate how quickly convenience replaces verification when staff are remote or distributed. In practice, many security teams encounter phishing only after a payment request, account takeover, or device compromise has already occurred, rather than through intentional verification.

How It Works in Practice

Hybrid environments increase phishing risk through three mechanics: more remote communication, less contextual verification, and more reliance on self-service actions. Attackers exploit that combination by sending messages that imitate internal language, current projects, or common workflows. Once a user is distracted, the attacker only needs one successful click, credential entry, or approval.

Phishing in hybrid work often follows a predictable sequence:

  • Impersonation of a known sender, such as a manager, HR, finance, or IT support.
  • Delivery through channels that feel routine, including email, chat, SMS, and calendar invites.
  • Use of urgency, secrecy, or account friction to push a fast response.
  • Redirection to a credential harvest page, malicious file, or callback scam.

Controls need to account for both message authenticity and user behaviour. Email authentication, such as DMARC, SPF, and DKIM, helps reduce spoofing, but it does not stop lookalike domains, account compromise, or social engineering inside legitimate accounts. That is why stronger verification workflows matter, especially for payments, password resets, privilege changes, and vendor requests. Security awareness also works better when it is task-specific rather than generic. Training should focus on the exact channels and decision points employees use most.

Detection is equally important. Threat hunting and SIEM correlation should look for unusual login patterns, impossible travel, mailbox rule changes, forwarding attempts, and repeated consent prompts. Where hybrid work uses mobile devices and personal endpoints, endpoint controls must also watch for browser session theft and token abuse. Current guidance suggests combining preventative controls with rapid reporting paths, because the first person to notice the phish is often the one who received it.

These controls tend to break down when organisations allow informal approvals over chat or voicemail, because attackers can blend into normal collaboration patterns.

Common Variations and Edge Cases

Tighter verification often increases friction, requiring organisations to balance phishing resistance against user convenience and business speed. That tradeoff is real, especially in sales, finance, executive support, and incident response, where fast approvals are part of the operating model. The goal is not to block every message, but to make high-risk actions harder to fake.

Some environments need extra handling. Executive teams are frequent targets for business email compromise because their requests are often acted on quickly. Distributed contractors may not share the same identity controls as employees, which makes account hygiene and access governance more important. If collaboration platforms are integrated with external guests, phishing can spread through trusted workspaces even when email security is strong. For that reason, best practice is evolving toward channel-specific protections, such as stronger domain controls, device trust checks, and step-up verification for sensitive actions.

Phishing risk also changes with identity maturity. Where organisations use single sign-on and strong authentication, attackers often shift from password theft to session hijacking, token replay, or malicious consent grants. That is where identity governance and monitoring become part of the anti-phishing strategy, not separate from it. Frameworks such as OWASP guidance, when paired with identity-aware policy, help teams focus on the actual abuse path rather than the message alone.

For hybrid work, the key question is not whether people can recognise a phishing email. It is whether the organisation has made it safe to slow down before approving anything that matters.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AT Security awareness and role-based training reduce phishing susceptibility in distributed work.
MITRE ATT&CK T1566 Phishing is the core adversary technique behind the risk described in this FAQ.
OWASP Agentic AI Top 10 Where chatbots or agentic workflows mediate approvals, prompt and tool abuse can amplify phishing.

Train users on channel-specific phishing cues and reinforce reporting for suspicious requests.