There’s a conversation that hasn’t happened often enough in UK security circles, and it goes something like this: What happens when a phishing email doesn’t just steal someone’s password, it opens a door? Literally. Physical security teams and IT security teams have spent years operating in parallel. Different budgets, different reporting lines, different jargon. And that separation has quietly become one of the more exploitable gaps in modern organizational security. Attackers figured this out before most defenders did. Phishing attacks today aren’t just after your data. They’re after your building.
Most people have a rough idea of what phishing is. You get a dodgy email pretending to be your bank, you click a link, you type in your password, and someone on the other end now has it. Simple enough in concept. What’s less understood is why it keeps working, even in organizations with dedicated security teams, annual training programs, and email filters that cost serious money. The answer isn’t technology, it’s people, and the ways they can be pressured into making bad decisions quickly.
Phishing works because it puts targets under mild to severe psychological stress: urgency (“your account will be suspended”), authority (“message from the CEO’s office”), or fear (“suspicious login detected on your account”). When you’re stressed and pressed for time, you don’t scrutinize URLs. You act. The Avanan phishing analysis report makes this plain: a significant chunk of attacks now reach inboxes despite filters, not by breaking technical defenses but by being constructed carefully enough to look completely normal. The target isn’t the firewall. It’s the person sitting behind it.
Here’s the scenario that doesn’t get discussed enough. An employee in facilities management receives an email from what appears to be their access control software provider. Something about a platform migration: credentials need to be re-verified. The link’s right there. They click it, log in, only to have their credentials handed over to a phishing page. Now the attacker has legitimate login details for the system that controls who can enter which parts of the building.
That’s not a cyber incident in the traditional sense. That’s someone with the ability to unlock doors, disable entry logs, clone badge permissions, and create access credentials for people who shouldn’t have them. All without touching a single physical lock. This convergence is real, and it’s happening. Malware delivered through phishing attacks has been traced to compromises of networked security infrastructure in UK organizations, including CCTV management platforms, alarm systems, and visitor management software. Once an attacker is inside those systems, the physical perimeter is far less meaningful than the floor plan suggests.
Forget the cliched image of a badly written email full of typos. That’s fifteen years out of date. The phishing attacks running today are operationally sophisticated, and several distinct techniques are worth understanding individually.
Spear phishing is the technique that causes the most damage. Rather than blasting out thousands of generic lures, attackers spend time researching specific individuals: their job titles, who they report to, which projects are currently live, and which vendors the organization uses. The resulting email reads as if it were written by someone who already works there. Because in terms of research, it was.
Phishing over the phone has become significantly more threatening since AI voice tools became accessible. Cloning a voice from a few minutes of audio is now a realistic capability. There have been documented cases of employees receiving calls from what genuinely sounded like their line manager, asking them to do something they’d normally query. They didn’t query it.
Smishing (SMS-based attacks) catches people at a moment when they’re less guarded. A text about a parcel delivery, an HMRC notification, or a two-factor code prompt: these feel low-stakes, and people respond to them quickly.
Business email compromise (BEC) is worth treating as its own category. The NCSC has flagged BEC consistently as one of the most financially damaging threats facing UK organizations. It typically involves either compromising a real email account or impersonating one closely enough to authorize fraudulent payments or to carry out supply chain interventions. The sums involved regularly run into six figures.
Credential phishing has evolved, too. Attackers no longer sit on stolen passwords waiting to use them; the credentials are relayed in real time. By the time you’ve noticed something was off, they have already been used.
A few years ago, IT teams were justifiably confident that MFA was a strong enough barrier to make phishing less effective. That confidence took a significant knock with the wider adoption of adversary-in-the-middle (AiTM) attacks. It’s worth understanding how this actually works. In a standard phishing attack, the victim enters credentials into a fake page, and the attacker harvests them. In an AiTM attack, a reverse proxy sits between the victim and the real website. The victim types their password. They get the MFA challenge. They complete it. The proxy relays everything to the real site in real time, and the attacker walks away with an authenticated session token: not just a password, but an active, logged-in session.
The MFA challenge wasn’t bypassed. It was answered by the victim, for the attacker’s benefit. That’s a meaningful distinction because it means the normal indicators of a phishing attempt don’t trigger. MFA fatigue attacks take a different and arguably cruder approach. The attacker already has valid credentials, possibly from a data breach or an earlier phishing campaign. They trigger repeated push notification requests to the victim’s phone until the victim, worn down or assuming the prompts are a glitch, approves one.
Browser-in-the-middle (BitM) attacks go a step further. Where AiTM uses a proxy, BitM serves the victim an actual browser controlled by the attacker. The target is interacting with the genuine website, the URL checks out, the certificate is valid, but they’re doing so through a browser window that the attacker can observe and control entirely. For context, this matters enormously when session tokens are issued by cloud platforms that manage physical security, HR records, or financial approvals. The risk of identity theft through phishing in these scenarios isn’t just about what gets stolen; it’s about what the attacker can do while impersonating a legitimate person.
It would be dishonest to write about phishing in 2026 without addressing AI directly, though not in the breathless way it often gets covered. The practical change AI has made to phishing is scale and personalization. Writing a convincing, personalized spear-phishing email used to require a human to conduct research and draft. Now, an attacker can ingest a company’s LinkedIn page, its press releases, and its public job postings, and generate targeted lures for dozens of employees in the time it would previously have taken to write one. The quality is broadly the same. The effort is a fraction.
Part of why UK organizations are targeted is what they represent economically. Financial services, legal services, healthcare, defense supply chains: these sectors handle money, sensitive data, and intellectual property in volumes that make them worth targeting deliberately rather than opportunistically. Cyber threat trend data points to sustained year-on-year increases in email-based attacks against UK organizations. Ransomware delivered via phishing is a particular problem for healthcare organizations and councils, which have been paralyzed by ransomware deployments that started with a single email. And the leverage is high: if you can threaten to publish sensitive data and disrupt operations, the pressure to pay is significant.
One of the more significant shifts in how serious organizations approach phishing defense is the move toward actual threat intelligence, rather than generic guidance. Generic guidance says things like “be suspicious of unexpected emails.” Useful up to a point, less useful when the email looks completely expected because the attacker researched it carefully.
Threat intelligence tells you that a specific phishing kit, a particular combination of spoofed page, delivery infrastructure, and credential relay mechanism, is currently being used against UK financial services firms. Or that your company’s domain is being typosquatted and phishing pages are live right now. That’s actionable in a way that general awareness is not.
Modern threat intelligence platforms draw on dark web monitoring, shared incident data, and analysis of live phishing infrastructure to give security operations teams concrete targets to act on. The basics of email phishing still matter; people need to know what a phishing email looks like, but intelligence-led defense is a different and more effective posture.
There’s no single control that stops phishing. That’s frustrating, but it’s true, and any product or vendor that implies otherwise is worth treating skeptically. What works is layers. At the email layer, that means proper DMARC, DKIM, and SPF configuration alongside decent threat protection that does more than pattern-match against known bad signatures. Sandboxing attachments and URLs, catching lookalike domains before they reach inboxes, and flagging external senders collectively reduce the volume of attempts that reach staff. Dedicated tools specifically designed for this, like those covered in the email threat protection product review, offer more capability than standard email gateway defenses.
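The DMARC, SPF and DKIM configuration mentioned above is only a control if the records actually say something strict. The following is an added example (not the article’s or any vendor’s code) that checks constructed DMARC and SPF records for the settings that quietly let spoofed mail through, with a weak configuration beside a hardened one. The records, the example.com addresses and the 203.0.113.0/24 range are constructed samples; a real check would first fetch the TXT records over DNS, which is left out so the example runs offline.

```python
"""Check DMARC and SPF TXT records for the weaknesses that let spoofed mail through.

Added example for this article, not the author's or any vendor's code. The records
below are constructed samples: a weak configuration beside a hardened one. A real
check would fetch the records over DNS; that step is left out so this runs offline."""

# Constructed records. DMARC lives at _dmarc.<domain>, SPF at the domain apex.
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
HARDENED_DMARC = ("v=DMARC1; p=reject; pct=100; "
                  "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
HARDENED_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

MAX_SPF_LOOKUPS = 10  # RFC 7208 limit; exceeding it makes SPF evaluation fail (permerror)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lowercased tags."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return the weaknesses in a DMARC record; an empty list means nothing to fix."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'}: failing mail is delivered and only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    if tags.get("adkim", "r") != "s" or tags.get("aspf", "r") != "s":
        findings.append("relaxed alignment: any subdomain can satisfy the identifier check")
    return findings


def _needs_lookup(term: str) -> bool:
    """True for SPF terms that cost a DNS lookup under the RFC 7208 limit."""
    bare = term.lower().lstrip("+-~?")
    if bare in ("a", "mx", "ptr"):
        return True
    return bare.startswith(("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect="))


def spf_findings(record: str) -> list:
    """Return the weaknesses in an SPF record; an empty list means nothing to fix."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("ends with +all: every sender on the internet passes SPF")
    elif last == "?all":
        findings.append("ends with ?all: neutral result, receivers treat it as no policy")
    elif last == "~all":
        findings.append("ends with ~all: softfail only; -all is the strict form")
    lookups = sum(1 for t in terms[1:] if _needs_lookup(t))
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_SPF_LOOKUPS}: record will permerror")
    return findings


if __name__ == "__main__":
    for name, rec, fn in (("weak DMARC", WEAK_DMARC, dmarc_findings),
                          ("hardened DMARC", HARDENED_DMARC, dmarc_findings),
                          ("weak SPF", WEAK_SPF, spf_findings),
                          ("hardened SPF", HARDENED_SPF, spf_findings)):
        print(f"{name}: {fn(rec) or 'OK'}")
```

The point the weak records make is that `p=none` and `+all` are both syntactically valid and both mean "report, but deliver anyway": a lookalike of your own domain sails through a gateway that only checks that the records exist. The lookup count matters too, because a record that exceeds the limit fails evaluation entirely, which receivers treat much like having no record.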
Most phishing attacks ultimately come down to identity: getting access to something by pretending to be someone. So the defenses that focus on identity verification, rather than just network access, tend to be the most effective. Behavioral analytics applied to identity signals is worth understanding here. If someone always logs in from London between 8 am and 7 pm, and then an authenticated session appears at 2 am from an Eastern European IP address, that’s detectable. It doesn’t require knowing the attacker’s tools. It just requires knowing what normal looks like.
When credentials have been harvested through phishing and used in an AiTM attack, the resulting session token appears completely legitimate. The only way to catch that is through contextual signals: where the session is coming from, what it’s doing, and whether it matches the account holder’s established patterns. That’s what modern identity threat detection aims at.
Training still matters. But there’s a version of security awareness training that’s become almost ritualized: a once-a-year online module, a simulated phishing test using an obvious lure, a pass/fail metric that tells you very little. That version is largely theatre. Useful training in 2026 looks different. It covers the actual techniques employees are likely to encounter, how AI-generated phishing pages can look identical to real ones, why receiving a push notification request you didn’t initiate is a serious signal, and what AI-generated spear phishing feels like (it doesn’t feel unusual, which is the point). It covers voice calls as well as emails.
Zero-trust has become something of an overused term in security, to the point where some people have stopped taking it seriously. That’s a shame, because the underlying principle is directly relevant to phishing defense. The core idea is not to assume that, because someone authenticated successfully, they’re trustworthy for the rest of their session, and that aligns well with the threat model phishing creates.
An AiTM attack produces a valid session token. A stolen credential looks like a legitimate login. The way to catch these isn’t at the authentication step; it’s in the continuous validation that follows. Micro-segmentation limits what any one compromised identity can reach. Least-privilege access limits how far damage can spread. Session validation based on ongoing context (not just the initial login) catches anomalies that static authentication misses.
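The "know what normal looks like" approach from the identity section, and the continuous session validation described just above, can be shown in a few dozen lines. This is an added example rather than the article’s or any product’s code: it builds a per-user baseline of login hours, source countries and devices from a constructed login history, then scores a session against it. The IP-to-country table is a stand-in for a real geolocation lookup (documentation-range addresses only; "ZZ" marks a country the user has never logged in from), the scoring weights are illustrative, and the function is meant to run on every session, not only on the login, so that a token relayed through an AiTM proxy is judged on where and how it is actually being used.

```python
"""Score a session against a per-user baseline of identity signals.

Added example for this article, not the author's code or any vendor's product.
The login history below is constructed, and the IP-to-country table stands in
for a real geolocation lookup (an assumption: a production system would query
a GeoIP database and a device-fingerprint store instead)."""
from collections import defaultdict
from datetime import datetime

# Constructed history of successful logins: "timestamp,user,source_ip,device_id".
HISTORY = """\
2026-03-02T08:14:00,j.smith,192.0.2.10,laptop-4471
2026-03-02T12:40:00,j.smith,192.0.2.10,laptop-4471
2026-03-03T09:02:00,j.smith,192.0.2.10,laptop-4471
2026-03-04T18:55:00,j.smith,192.0.2.11,laptop-4471
2026-03-05T07:58:00,j.smith,192.0.2.10,laptop-4471
"""

# Constructed stand-in for geolocation: documentation-range addresses only.
# "ZZ" marks a country the user has never logged in from.
GEO = {"192.0.2.10": "GB", "192.0.2.11": "GB", "198.51.100.20": "ZZ"}


def build_baseline(history_text: str) -> dict:
    """Collect, per user, the hours, countries and devices seen in past logins."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set(), "devices": set()})
    for line in history_text.strip().splitlines():
        ts, user, ip, device = line.split(",")
        entry = baseline[user]
        entry["hours"].add(datetime.fromisoformat(ts).hour)
        entry["countries"].add(GEO.get(ip, "??"))
        entry["devices"].add(device)
    return dict(baseline)


def score_session(baseline: dict, user: str, ts: str, ip: str, device: str) -> dict:
    """Return a risk score, the reasons behind it and a verdict for one session.

    Applied to every session, not just the login, so a token relayed through an
    AiTM proxy is judged on where and how it is being used."""
    entry = baseline.get(user)
    if entry is None:
        return {"score": 5, "reasons": ["no baseline for this user"], "verdict": "step-up"}
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    lo, hi = min(entry["hours"]) - 1, max(entry["hours"]) + 1   # one hour of slack each side
    if not lo <= hour <= hi:
        score += 2
        reasons.append(f"hour {hour:02d} outside usual window {lo:02d}-{hi:02d}")
    country = GEO.get(ip, "??")
    if country not in entry["countries"]:
        score += 3
        reasons.append(f"country {country} never seen for this user")
    if device not in entry["devices"]:
        score += 3
        reasons.append(f"device {device} never seen for this user")
    # Illustrative thresholds: below 3 allow, 3-4 flag for review, 5+ force re-authentication.
    verdict = "allow" if score < 3 else "review" if score < 5 else "step-up"
    return {"score": score, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # The article's scenario: a 2 am session from an unfamiliar country.
    print(score_session(base, "j.smith", "2026-03-06T02:07:00", "198.51.100.20", "laptop-4471"))
```

Nothing here needs to know the attacker’s kit. The 2 am session from an unfamiliar country scores high purely because it departs from what this account normally does; a new device on its own lands in review rather than block, which is the usual trade-off between catching token replay and not locking out someone who just got a new laptop.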
Phishing can compromise physical security systems, and it’s more common than most physical security teams realize. Building access control systems, CCTV management platforms, and visitor management software are typically accessed through web interfaces with standard credentials.
Directly, compromised credentials for physical security management systems can allow unauthorized access to those systems’ configuration. Indirectly, a phishing attack that installs malware can target networked security hardware, disrupt alarm systems, or give attackers persistent visibility into physical access logs.
A phishing attack can lead to physical intrusion, and the mechanisms are more varied than people expect. Compromised access control credentials can unlock doors remotely. Ransomware delivered via phishing has been used to disable security systems in healthcare and retail settings, removing the electronic barriers entirely.
Financial services, legal, healthcare, and defense all represent high-value targets. Supply chain complexity matters, too; large organizations often have weaker security at the contractor and supplier levels, creating accessible entry points.
The most important shift is treating physical security platforms as IT security assets, with the same hardening, the same access controls, and the same monitoring. After that: phishing-resistant MFA for accounts that control building access systems, and correlation between cyber and physical access anomalies.
After a phishing-related compromise, lock down the affected accounts immediately, revoke sessions, reset credentials, and flag MFA tokens as potentially compromised. Then pull the access logs for both IT systems and physical security platforms covering the period since the phishing email was sent, not just from when it was detected.
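The two recommendations above, correlating cyber and physical access anomalies and reviewing logs from the moment the lure was sent, come together in a single check: an identity whose IT sign-in comes from outside the office country while its badge is being granted entry to a door a few minutes later is in two places at once. The following is an added example, not the article’s or any access control platform’s tooling. Both logs are constructed, the comma-separated field layouts are assumptions about an export format, and the 30-minute window and office country are parameters to tune rather than recommended values.

```python
"""Correlate IT sign-ins with badge-reader events to catch an identity that is
apparently in two places at once.

Added example, not the article's or any platform's tooling. Both logs are
constructed, the field layouts are assumptions, and the window and office
country are tunable parameters rather than recommendations."""
from datetime import datetime, timedelta

# Constructed IT sign-in log: "timestamp,user,source_country,result".
SIGNIN_LOG = """\
2026-03-09T07:55:00,a.patel,GB,success
2026-03-09T08:20:00,m.okafor,GB,success
2026-03-09T10:05:00,a.patel,ZZ,success
2026-03-09T10:40:00,m.okafor,GB,success
"""

# Constructed badge log from the access control platform: "timestamp,user,door,event".
BADGE_LOG = """\
2026-03-09T07:50:00,a.patel,lobby-north,granted
2026-03-09T08:22:00,m.okafor,lobby-north,granted
2026-03-09T10:02:00,a.patel,server-room-b2,granted
2026-03-09T10:03:00,a.patel,server-room-b2,denied
"""

PHISH_SENT_AT = "2026-03-09T07:30:00"  # constructed: when the lure landed, the start of the review window
OFFICE_COUNTRY = "GB"                   # assumption: where the badge readers are
WINDOW = timedelta(minutes=30)          # assumption: how close in time counts as "at once"


def parse_log(text: str, fields: tuple) -> list:
    """Parse 'a,b,c' lines into dicts; the first field is always the timestamp."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split(",")))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def correlate(signins: list, badges: list, since: str, window: timedelta = WINDOW) -> list:
    """One alert per remote sign-in that sits within `window` of a granted badge swipe
    for the same identity. Only events from `since` onwards are considered."""
    since_ts = datetime.fromisoformat(since)
    alerts = []
    for s in signins:
        if s["ts"] < since_ts or s["result"] != "success" or s["country"] == OFFICE_COUNTRY:
            continue
        doors = sorted({
            b["door"] for b in badges
            if b["user"] == s["user"] and b["event"] == "granted"
            and b["ts"] >= since_ts and abs(b["ts"] - s["ts"]) <= window
        })
        if doors:
            alerts.append({"user": s["user"], "signin_at": s["ts"].isoformat(),
                           "signin_country": s["country"], "doors": doors})
    return alerts


def run(since: str = PHISH_SENT_AT) -> list:
    """Parse both constructed logs and return the correlated alerts."""
    signins = parse_log(SIGNIN_LOG, ("ts", "user", "country", "result"))
    badges = parse_log(BADGE_LOG, ("ts", "user", "door", "event"))
    return correlate(signins, badges, since)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run against the constructed logs, this flags one identity: a.patel signs in from abroad at 10:05 while that badge was granted entry to a server room at 10:02. Neither log is suspicious on its own, which is exactly why the two teams’ data has to be read together. Starting the window at the time the email was sent rather than at detection is what keeps the 07:50 and 08:22 events in scope for the wider review, even though they do not trigger this particular rule.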