This article was originally published in Professional Security Magazine.
Why are organizations still losing to phishing in 2026?
Phishing has been the dominant attack vector for years. Despite this, organizations continue to be caught out by it. The UK government’s Cyber Security Breaches Survey 2026 confirms it remains the most prevalent and disruptive type of attack that businesses are facing. For those on the front line of incident response investigations globally, that finding is no surprise. The more useful question is what has changed to keep phishing so effective despite years of investment in cyber defenses.
Why MFA is Not Enough on its Own
Multi-factor authentication has become the standard answer to phishing risk. Organizations invest in it, report it as a control and move on. However, data suggests that it is not enough. LevelBlue’s Q1 2026 TTP briefing shows that in that period, 84% of organizations investigated had MFA in place. Attackers bypassed it in 95% of those cases.
That number should give security leaders pause. MFA matters, but methods like adversary-in-the-middle attacks, session token interception and gaps in phishing-resistant MFA coverage mean it needs active management to be effective. Deploying it and moving on is where organizations are leaving themselves exposed.
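As an added illustration of the session token interception mentioned above (this is example code, not from the article or from LevelBlue), the following Python check flags a session token that is presented from a different country, or from a different IP shortly after the MFA completion that issued it. The log field names and the records themselves are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not from the article or any real tenant).
# Each record is one presentation of a session token: the event that completed
# MFA and minted the token, followed by later requests that reused it.
EVENTS = [
    {"ts": "2026-03-02T08:01:00", "user": "a.jones", "session_id": "S1",
     "ip": "203.0.113.10", "country": "GB", "mfa": "completed"},
    {"ts": "2026-03-02T08:03:00", "user": "a.jones", "session_id": "S1",
     "ip": "203.0.113.10", "country": "GB", "mfa": "prior_satisfied"},
    {"ts": "2026-03-02T08:09:00", "user": "a.jones", "session_id": "S1",
     "ip": "198.51.100.77", "country": "NL", "mfa": "prior_satisfied"},
    {"ts": "2026-03-02T09:00:00", "user": "b.khan", "session_id": "S2",
     "ip": "192.0.2.5", "country": "GB", "mfa": "completed"},
    {"ts": "2026-03-02T13:00:00", "user": "b.khan", "session_id": "S2",
     "ip": "192.0.2.9", "country": "GB", "mfa": "prior_satisfied"},
]


def find_token_replay(events, window=timedelta(minutes=30)):
    """Flag session tokens reused from somewhere other than where MFA was done.

    A stolen token shows up as the same session_id presented from another
    country at any time, or from another public IP within `window` of the MFA
    completion that minted it. A later IP change inside the same country is
    left alone (roaming, DHCP) to keep the noise down.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    alerts = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda e: e["ts"])
        minted = next((e for e in recs if e["mfa"] == "completed"), None)
        if minted is None:
            continue  # no MFA origin to compare against
        t0 = datetime.fromisoformat(minted["ts"])
        for e in recs:
            if e["mfa"] != "prior_satisfied" or e["ip"] == minted["ip"]:
                continue
            soon = datetime.fromisoformat(e["ts"]) - t0 <= window
            if e["country"] != minted["country"] or soon:
                alerts.append({"user": e["user"], "session_id": sid,
                               "origin_ip": minted["ip"], "replay_ip": e["ip"],
                               "replay_country": e["country"], "ts": e["ts"]})
    return alerts
```

Running `find_token_replay(EVENTS)` flags only a.jones's token S1, reused from the Netherlands eight minutes after MFA was completed in the UK; b.khan's same-country IP change hours later is not reported.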
The Barrier to Accessing Sophisticated Phishing Has Lowered
Part of what the NCSC’s Breaches Survey captures and what our teams are seeing on the ground is that phishing attacks have become harder to spot. Unsurprisingly, AI is a massive contributing factor. The barrier to producing convincing, targeted phishing messaging has dropped considerably. What once required time and skills can now be assembled quickly and at scale.
We are also seeing attackers use trusted communication platforms in ways organizations are not prepared for. In Q1, threat actors were observed using Microsoft Teams to impersonate IT teams. In most cases, initial access was gained through a compromised external account or a misconfigured guest access setting that allowed outside users to message internal staff directly. Threat actors contacted employees requesting they download software or click links. Because such messages appear to come from within the organization, people trust them. It is social engineering dressed up in familiar tools, and it is becoming concerningly effective.
The Damage After Undetected Entry
One of the less discussed aspects of phishing is what happens after the initial access. LevelBlue’s data shows that 38% of cases involved a dwell time of over 31 days before incident response teams were engaged. That is over a month of undetected access.
During that window, attackers are not sitting still. They are mapping the environment, locating sensitive data, and selling that access to other groups before any active attack begins. By the time response teams are brought in, attackers have typically moved through multiple systems, created additional access points, and, in some cases, exfiltrated data long before anyone noticed something was wrong. The initial compromise is rarely the hard part to investigate. Reconstructing five weeks of undetected activity is.
Getting Back to What Actually Works
There is a tendency in security to reach for new tools when a familiar threat resurfaces. That instinct is understandable but often misplaced. Most of what makes phishing so persistent comes down to the basics being inconsistently applied.
Phishing-resistant MFA, where hardware keys or passkeys replace traditional push notifications, meaningfully reduces bypass risk. Regular, scenario-based security awareness training that reflects how attacks actually look today, not generic examples from five years ago, makes a difference. Basic visibility of your environment, and of who has access to what, remains one of the most effective detection tools available.
A Strong Foundation for a Strong Defense
None of this is new advice, which is part of the problem. Organizations that spend heavily on security tools but test their controls infrequently, or train staff once a year on outdated examples, are not getting the return they think they are. Incident data consistently shows that the organizations that contain phishing attacks quickly are not necessarily the ones with the most sophisticated tooling. They are the ones that know their environment, test their defenses regularly and have clear processes for when something goes wrong. The UK government’s Cyber Security Breaches Survey data is a useful reminder to ask whether the basics are actually being done well, not just done.