Why are organisations still losing to phishing in 2026? asks Ed Williams, Global Head of Pentesting at the cyber advisory company LevelBlue.
Phishing has been the dominant attack vector for years. Despite this, organisations continue to be caught out by it. The UK government's Cyber Security Breaches Survey 2026 confirms it remains the most prevalent and disruptive type of attack that businesses are facing. For those on the front line of incident response investigations globally, that finding is no surprise. The more useful question is what has changed that keeps phishing so effective despite years of investment in cyber defences.
Why MFA is not enough on its own
Multi-factor authentication has become the standard answer to phishing risk. Organisations invest in it, report it as a control and move on. However, the data suggests that it is not enough. LevelBlue's Q1 2026 TTP briefing shows that in that period, 84 per cent of organisations investigated had MFA in place. Attackers bypassed it in 95 per cent of those cases.
That number should give security leaders pause. MFA matters, but methods like adversary-in-the-middle attacks, session token interception and gaps in phishing-resistant MFA coverage mean it needs active management to be effective. Deploying it and moving on is where organisations are leaving themselves exposed.
The barrier to accessing sophisticated phishing has lowered
Part of what the NCSC's Breaches Survey captures, and what our teams are seeing on the ground, is that phishing attacks have become harder to spot. Unsurprisingly, AI is a massive contributing factor. The barrier to producing convincing, targeted phishing messaging has dropped considerably. What once required time and skill can now be assembled quickly and at scale.
We are also seeing attackers use trusted communication platforms in ways organisations are not prepared for. In Q1, threat actors were observed using Microsoft Teams to impersonate IT teams. In most cases, initial access was gained through a compromised external account or a misconfigured guest access setting that allowed outside users to message internal staff directly. Threat actors contacted employees requesting they download software or click links. Because such messages appear to come from within the organisation, people trust them. It is social engineering dressed up in familiar tools, and it is becoming concerningly effective.
The damage after undetected entry
One of the less discussed aspects of phishing is what happens after the initial access. LevelBlue's data shows that 38 per cent of cases involved a dwell time of over 31 days before incident response teams were engaged. That is over a month of undetected access.
During that window, attackers are not sitting still. They are mapping the environment, locating sensitive data and selling that access to other groups before any active attack begins. By the time response teams are brought in, attackers have typically moved through multiple systems, created additional access points, and in some cases exfiltrated data long before anyone noticed something was wrong. The initial compromise is rarely the hard part to investigate. Reconstructing five weeks of undetected activity is.
Getting back to what actually works
There is a tendency in security to reach for new tools when a familiar threat resurfaces. That instinct is understandable but often misplaced. Most of what makes phishing so persistent comes down to the basics being inconsistently applied.
Phishing-resistant MFA, where hardware keys or passkeys replace traditional push notifications, meaningfully reduces bypass risk. Regular, scenario-based security awareness training that reflects how attacks actually look today, not generic examples from five years ago, makes a difference. Basic visibility of your environment, and of who has access to what, remains one of the most effective detection tools available.
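Why hardware keys and passkeys resist the adversary-in-the-middle bypasses mentioned above comes down to checks the relying party performs on every login. The following is an added illustration, not code from the article or from LevelBlue: a minimal relying-party verification of the origin and RP ID bindings in a WebAuthn assertion. The relying party, origin (`https://login.example.com`), RP ID (`example.com`) and the sample client data are all constructed for the example, and signature verification over the assertion is deliberately left out so the binding checks stand on their own.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass

# Hypothetical relying party (constructed for this example, not a real service):
# the origin the legitimate login page is served from, and its WebAuthn RP ID.
RP_ORIGIN = "https://login.example.com"
RP_ID = "example.com"


@dataclass
class ClientData:
    type: str
    challenge: str
    origin: str


def parse_client_data(client_data_json: bytes) -> ClientData:
    """Parse the clientDataJSON the browser produces for navigator.credentials.get()."""
    data = json.loads(client_data_json.decode("utf-8"))
    return ClientData(type=data["type"], challenge=data["challenge"], origin=data["origin"])


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks that make a passkey assertion phishing-resistant.

    The browser, not the user, writes `origin` into clientDataJSON, and the
    authenticator hashes the RP ID into authenticatorData. A login page relayed
    through a proxy on another domain therefore yields an assertion bound to the
    wrong origin, and it is rejected here even if the signature over it is valid.
    Verifying that signature (over authenticatorData || SHA-256(clientDataJSON))
    is a separate step, omitted in this example.
    """
    cd = parse_client_data(client_data_json)
    if cd.type != "webauthn.get":
        return False, "unexpected ceremony type"
    if not secrets.compare_digest(cd.challenge, expected_challenge):
        return False, "challenge mismatch (replay or stale session)"
    if cd.origin != RP_ORIGIN:
        return False, f"origin mismatch: assertion bound to {cd.origin}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash = authenticator_data[:32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: the user physically touched the authenticator
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed sample clientDataJSON, as a browser on `origin` would emit it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def make_authenticator_data(rp_id: str, user_present: bool = True) -> bytes:
    """Constructed sample authenticatorData: rpIdHash (32) | flags (1) | signCount (4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; real challenges are random per login
    # Assertion produced on the genuine login page.
    legit = verify_assertion_binding(make_client_data(RP_ORIGIN, challenge),
                                     make_authenticator_data(RP_ID), challenge)
    # Assertion produced while the browser was on a relaying proxy domain (constructed name):
    # the browser binds it to that origin, so the relying party refuses it.
    proxied = verify_assertion_binding(make_client_data("https://login.example-com.net", challenge),
                                       make_authenticator_data("example-com.net"), challenge)
    return legit, proxied


if __name__ == "__main__":
    for label, result in zip(("genuine page", "relayed page"), demo()):
        print(f"{label}: {result}")
```

The point for defenders is that the push-notification and one-time-code factors the article contrasts with this carry no equivalent binding: the code a user types is valid wherever it is entered, which is exactly what a relay exploits. Coverage gaps matter for the same reason, since a fallback to a weaker factor removes the check above for that login.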
A strong foundation for a strong defence
None of this is new advice, which is part of the problem. Organisations that spend heavily on security tools but test their controls infrequently, or train staff once a year on outdated examples, are not getting the return they think they are. Incident data consistently shows that the organisations that contain phishing attacks quickly are not necessarily the ones with the most sophisticated tooling. They are the ones that know their environment, test their defences regularly and have clear processes for when something goes wrong. The UK Government's Cyber Breaches Survey data is a useful reminder to ask whether the basics are actually being done well, not just done.