Phishing in 2026: Why Technical Controls Are Not Enough

I spent four years as a penetration tester. One of the things that experience teaches you quickly is that phishing works on organisations with mature technical defences just as well as it works on organisations with none. The controls reduce volume. They do not eliminate risk. Understanding why is the first step toward actually improving your posture.

What the technical controls actually do

DMARC, SPF, and DKIM are email authentication protocols. Properly configured, they prevent an attacker from sending email that appears to come from your domain — spoofing. They do not prevent an attacker from registering a domain that looks like yours (yourcompany-secure.com, yourcompanylogin.com) and sending from it. They do not prevent an attacker from compromising a legitimate email account at a trusted supplier and sending from a real, authenticated address.

Link filtering and sandboxing catch known malicious URLs and detonate attachments in isolated environments. Sophisticated attackers use clean infrastructure that has no prior reputation, time their delivery to avoid sandbox analysis windows, and use legitimate platforms — SharePoint, OneDrive, Google Drive — to host the payload. The link being clicked is clean. The destination is not.

Where the actual risk lives

The phishing attacks that succeed in 2026 against organisations with mature controls share a consistent profile. They use business email compromise via compromised supplier accounts, not spoofed domains. They target users with privileged access — finance approvers, IT administrators, executives — rather than the full population. They use pretexts tied to current events or believable internal processes. And they move fast: credential harvest to lateral movement to data exfiltration in under two hours, before detection tooling triggers an alert that reaches a human.

The technical controls you have implemented were designed for a threat model from five years ago. The attackers have adapted. Your controls have not moved at the same pace.

What actually reduces risk

Three things move the needle materially. First: phishing-resistant MFA. TOTP codes and SMS OTP are phishable — adversary-in-the-middle attacks can intercept them in real time. Hardware security keys (FIDO2/WebAuthn) and passkeys are not. If your high-privilege accounts are not using phishing-resistant MFA, your technical email controls are defending a perimeter that ends at the credential.

Second: detection on post-authentication behaviour, not just pre-authentication signals. Alert on impossible travel, new device enrollments, first-time access to sensitive resources from authenticated sessions. The phish has already landed when you are watching these signals — but you can still catch the attacker before they achieve their objective.
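As an added example (not code from the original post), a minimal detector for the three post-authentication signals named above, run over constructed sign-in events. The event format, the 900 km/h plausibility ceiling and the list of sensitive resources are assumptions; a real deployment would read these from the identity provider's sign-in log.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real data): user, UTC time,
# approximate location, device id and the resource accessed.
EVENTS = [
    {"user": "alice", "ts": "2026-03-02T09:00:00", "lat": 51.50, "lon": -0.12, "device": "lap-01", "resource": "mail"},
    {"user": "alice", "ts": "2026-03-02T09:40:00", "lat": 40.71, "lon": -74.01, "device": "unk-77", "resource": "payroll"},
    {"user": "bob",   "ts": "2026-03-02T10:00:00", "lat": 48.86, "lon": 2.35,  "device": "lap-02", "resource": "mail"},
    {"user": "bob",   "ts": "2026-03-02T16:00:00", "lat": 52.52, "lon": 13.40, "device": "lap-02", "resource": "mail"},
]
SENSITIVE = {"payroll", "admin-console"}   # assumed high-value resources
MAX_KMH = 900.0  # assumed travel-speed ceiling, roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(events):
    """Return (user, alert_type, detail) tuples for the three signals."""
    alerts = []
    last = {}      # user -> previous sign-in event
    devices = {}   # user -> set of device ids seen so far
    touched = {}   # user -> set of resources accessed so far
    for e in sorted(events, key=lambda x: x["ts"]):
        u, t = e["user"], datetime.fromisoformat(e["ts"])
        if u in last:  # impossible travel: implied speed between sign-ins
            p = last[u]
            hours = (t - datetime.fromisoformat(p["ts"])).total_seconds() / 3600
            km = haversine_km(p["lat"], p["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_KMH:
                alerts.append((u, "impossible_travel", f"{km:.0f} km in {hours:.1f} h"))
        seen = devices.setdefault(u, set())
        if e["device"] not in seen:  # new device; the user's very first device is baseline
            if seen:
                alerts.append((u, "new_device", e["device"]))
            seen.add(e["device"])
        used = touched.setdefault(u, set())
        if e["resource"] in SENSITIVE and e["resource"] not in used:
            alerts.append((u, "first_sensitive_access", e["resource"]))
        used.add(e["resource"])
        last[u] = e
    return alerts
```

Running `detect(EVENTS)` flags only alice: a London-to-New-York hop in forty minutes, an unseen device, and a first touch of payroll, while bob's Paris-to-Berlin move six hours apart on a known device stays quiet.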

Third: supplier risk awareness. Your DMARC configuration does not protect you from a compromised account at a company your employees trust and communicate with daily. Map your high-trust supplier relationships. Those are your real phishing surface in 2026.

Security is a property, not a product. The technical controls are the floor, not the ceiling.
