Modern phishing doesn't depend on employee error as much as it depends on employee habits.

Last week, we published the 2026 Attack Landscape Report, which examines nearly 800,000 email attacks observed across 4,600+ organizations in the second half of 2025. This is the second post in our series exploring the report's findings, and it focuses on phishing, the most common threat employees will encounter at 58% of all observed attacks.

Defending against that volume is a challenge on its own, but the issue is exacerbated by how precisely the tactics adapt to the target environment.

Across all the techniques discussed below, a consistent pattern emerges: phishing strategies cluster where they're most likely to blend in. Attackers match their lures to the workflows, tools, and communication norms of the environment they're targeting—opting to exploit routine rather than attempt to circumvent it.

Not every phishing attack sends the target straight to a malicious page. Approximately one in five (21.6%) use redirect links—intermediate URLs that route the recipient through one or more hops before reaching the final destination. Redirect chains are a deliberate evasion technique: each intermediate URL obscures the true endpoint from both users and the security tools that inspect links before delivery. Within this category, link shorteners are a particularly effective tool, and their usage patterns vary in revealing ways across organization size.

The Link Shorteners Attackers Favor Most

Among phishing attacks that use redirects, 10.2% rely on link shortener services, which compress URLs into short, generic strings hosted on domains that security tools rarely block outright.

TinyURL leads the list of most-used link shorteners, likely because it requires no account creation. Anyone can generate a shortened link instantly and anonymously, making it the lowest-friction option for an attacker looking to obscure a malicious destination. The remaining shorteners—shorturl[.]at, is[.]gd, and bit[.]ly—share similar characteristics: free, no authentication required, and minimal abuse monitoring relative to the volume of links they process.

The prominence of t[.]co stands out for a different reason. Unlike the other domains on this list, t[.]co isn't an independent shortener service; it's Twitter/X's redirect infrastructure, automatically applied to any link posted on the platform. Threat actors likely post malicious links on Twitter/X specifically to generate t[.]co-shortened URLs, exploiting the fact that security tools are reluctant to block a widely trusted domain wholesale. The attacker gets a clean, reputable-looking URL without registering anything.

Why Shorteners Show Up More at Larger Organizations

When phishing attacks are broken out by organization size, the use of redirects and link shorteners moves in opposite directions. Redirect use skews toward smaller organizations: 26.6% of phishing targeting small organizations includes redirects, compared to 16.5% of phishing targeting large enterprises. Link shorteners reverse the pattern. Usage jumps from 1.6% in phishing targeting small organizations to 3.5% in phishing targeting large enterprises—a 2.3x difference between the two ends of the size spectrum.

Smaller organizations often lack sophisticated URL inspection, leaving basic redirect chains effective on their own—no additional obfuscation needed. Larger enterprises are more likely to deploy link-reputation and URL-scanning tools that would catch standard redirects, which renders shorteners especially valuable as an additional layer of obfuscation. Threat actors aren't using link shorteners indiscriminately; they appear to use them where the defensive environment demands it.

File-sharing phishing is an attack in which a threat actor poses as a colleague or familiar file-hosting or e-signature service and sends a malicious link disguised as a shared document. Using services like SharePoint, Dropbox, Google Drive, or Docusign as cover, these attacks either impersonate a legitimate platform or exploit the platform itself to deliver the email or link.

The lure is inherently low-suspicion in any environment where cloud-based document exchange is a standard workflow. But the rate isn't uniform. File-sharing phishing accounts for 12.4% of all phishing and concentrates heavily in industries and job functions where external document exchange is constant and expected.

Industries Reliant on Document Exchange

Within financial services, 22.2% of phishing attacks use file-sharing lures—nearly double the 12.4% sample average. The construction and engineering industry runs close behind at 21.3%.

The financial services industry runs on documents: loan agreements, account statements, audit packages, compliance disclosures, investment reports, etc. Receiving a notification that someone has shared a document is entirely unremarkable for a financial services employee, and attackers exploit that normalcy. A fake Docusign request or spoofed SharePoint notification lands in a context where such communications arrive constantly and are expected to require a click.

Construction projects also generate a relentless volume of shared documents across a wide web of parties—general contractors, subcontractors, architects, engineers, project owners, inspectors—who exchange drawings, specifications, RFIs, submittals, change orders, and bid packages throughout the project lifecycle. Cloud file-sharing platforms are standard infrastructure for this workflow, meaning a "new document shared with you" notification is completely routine, especially from an unfamiliar party.

Across the full sample, 12% of phishing attacks involve brand impersonation—leveraging the name and visual identity of a trusted company to make a credential harvesting attempt appear as a routine notification. The tactic works by borrowing trust the recipient already extends to a familiar brand. But the rate varies significantly depending on how many branded platforms an organization's employees interact with daily and how deeply those tools are embedded in standard operations.

Why Hospitality Leads in Brand Impersonation

In the hospitality industry, nearly one in four phishing attacks (24.1%) feature brand impersonation—more than double the sample average. The next-closest industry is technology at 16.1%, followed by education (14.4%), advertising and marketing (13.1%), and financial services (13.1%). Healthcare sits at just 7.1%—about a third of the rate in hospitality.

The hospitality industry's heavy reliance on branded third-party platforms (reservation systems, payment gateways, review sites) creates a target-rich environment for brand impersonation. A convincing fake notification from Booking.com, Square, or a hotel loyalty program is a natural fit for an environment where such communications are routine and expected. Other industries also depend on well-known platforms, but few match hospitality's variety. A single hotel property might interact with a dozen branded services daily across booking, payment, staffing, and guest communication—all of which lend themselves to impersonation.

Phishing techniques calibrate to the security infrastructure they expect to face. The most effective lures are the ones that require no explanation—a shared document notification, a familiar brand's login prompt, a redirect through a trusted domain. None of these trigger suspicion because none of them look unusual. For threat actors, it's less about needing employees to make a mistake and more about hoping they just act normally.

Defending against phishing requires security awareness training (SAT) that reflects the actual threat landscape: redirect chains, file-sharing lures, and brand impersonation tailored to the platforms employees interact with daily. Traditional, static SAT still emphasizes obvious, easily-spotted attacks, which leaves organizations underprepared for the tactics that succeed specifically because they don't look like attacks. Catching those threats before they reach employees requires behavioral AI that understands what normal looks like for a given organization, surfaces the anomalies that indicate a threat, and stops attacks before employees even have a chance to engage.

The final post in this series examines VEC, where the exploitation of trust extends beyond the organization's walls, into the vendor relationships that operations depend on.

The threats your organization faces are shaped by how it operates. The 2026 Attack Landscape Report shows you exactly how.