Phishing in 2026: what IAM teams need to watch now

TL;DR: Phishing accounted for 58% of nearly 800,000 observed email attacks across 4,600+ organisations, with attackers increasingly using redirect chains, link shorteners, file-sharing lures, and brand impersonation to blend into normal workflows, according to Abnormal AI. Static awareness training is no longer enough when the attack pattern is calibrated to routine behaviour rather than obvious errors.

NHIMG editorial — based on content published by Abnormal AI: phishing tactics that adapt to enterprise workflows

By the numbers:

• Phishing represents 58% of ~800K observed attacks across 4,600+ orgs.
• Approximately one in five phishing attacks, 21.6%, use redirect links.
• In the hospitality industry, nearly one in four phishing attacks, 24.1%, feature brand impersonation.

Questions worth separating out

Q: How should security teams reduce phishing risk when attacks blend into normal work?

A: Treat phishing as a workflow and trust problem, not only an email-filtering problem.

Q: Why do link shorteners make phishing harder to stop in enterprise environments?

A: Link shorteners hide the final destination behind a trusted-looking intermediate URL, which weakens reputation checks and slows inspection.

Q: What do security teams get wrong about file-sharing phishing?

A: They often assume a shared document notification is suspicious only when the message looks obviously fake.

Practitioner guidance

• Instrument redirect resolution before delivery Expand secure email and browser controls so shortened and multi-hop links are expanded and inspected before the user sees them.
• Baseline document-sharing norms by business unit Measure what normal file-sharing traffic looks like in finance, construction, hospitality, and other high-collaboration teams, then flag prompts that break those patterns even when the sender or platform appears legitimate.
• Rebuild awareness content around real lures Replace generic phishing examples with scenarios that mirror shared-document notifications, branded login prompts, and collaboration requests that employees already expect in their daily workflow.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

• Breakdown of redirect and link-shortener use by organisation size, including the relative shift between smaller firms and large enterprises.
• Industry-specific phishing distributions for financial services, construction, hospitality, healthcare, technology, and education.
• Examples of the exact services attackers are borrowing for brand impersonation, including file-sharing and reservation platforms.
• Survey and telemetry context from the 2026 Attack Landscape Report that supports the observed attack mix.

👉 Read Abnormal AI's analysis of phishing tactics, link shorteners, and brand impersonation →

Phishing in 2026: what IAM teams need to watch now?

Explore further

View Full Forum →  |  NHI Foundation Course →