What is the main finding of the 2026 Osterman Research report on digital communications trust?

The report reveals that AI has fundamentally reset the threat curve for digital communications. 87.5% of organizations experienced at least one trust-undermining security incident in the past 12 months, and attack types previously considered 'solved'—like phishing and business email compromise—have become immature and dangerous again due to AI enhancement. The barrier to entry has collapsed (anyone can craft perfect attacks in any language), the sophistication ceiling has been raised (hyper-personalization at scale), and the attack surface has exploded (multi-channel, multi-modal, autonomous attacks).

Why are secure email gateways (SEGs) failing against modern phishing attacks?

According to Osterman Research, legacy email protections including SEGs are 'too blunt an instrument to recognize the subtle indicators of modern and still emerging AI-powered attacks.' SEGs were designed to detect malicious links, weaponized attachments, and obvious account impersonations—but AI-generated phishing eliminates traditional telltale signs. Spelling and grammar are now perfect, valid accounts are compromised rather than using suspicious addresses, and tone-perfect messages blend seamlessly into email threads. Notably, traditional phishing detection is the ONLY defensive technology declining in importance according to the research.

How concerned are organizations about deepfake attacks?

The research shows significant concern but a dangerous confidence gap: 60% of organizations lack confidence in their ability to defend against deepfake attacks despite having training programs in place. Training on detecting deepfake audio and video attacks is described as 'particularly ineffective.' More alarming, 57.8% of respondents say deepfake threats are still 'immature and emergent'—meaning threat actors are just getting started. The importance of detecting deepfake audio impersonation attacks is anticipated to increase more than any other defensive technology over the next 12 months (from 49.2% to 69.5% rating it 'extremely important').

What percentage of organizations are willing to replace their entire security stack?

70.4% of organizations surveyed are willing to replace their entire security technology stack for a new platform approach with demonstrably better capabilities against emerging sophisticated attacks. Additionally, 76.6% are willing to add best-in-class point solutions to their current stack. This signals that the market is ready to move away from legacy solutions that aren't addressing AI-powered threats effectively.

Which employee groups are most at risk from trust-weaponizing attacks?

Finance employees are the top concern, with 59.4% of organizations indicating both high attack priority from threat actors AND high concern about employee readiness—a dangerous combination. Finance teams are specifically targeted because they have access to payment systems. The second highest concern is for IT and security employees, who control access to systems, data, and privileges that can be compromised for fund access or extortion. Over 80% of elevated concern exists where employees are also under high-priority attack from threat actors.

How has phishing evolved with AI according to the research?

The report states that 'the BEC attacks of 2025 bear little resemblance to the BEC attacks of 2020.' Today's attacks are hyper-personalized, multi-channel, and can be launched autonomously at scale. 30% of respondents identify phishing as the #1 threat to trust—almost 3x higher than any other category. AI has eliminated traditional phishing indicators: threat actors bypass safety guardrails on commercial AI models, use compromised identities for internal phishing, and aggregate target profiles from data breach records for personalization. The sophistication ceiling has been raised while the barrier to entry collapsed.

What are the business impacts of failing to defend against trust-weaponizing attacks?

55% of respondents say failing to defend against attacks that weaponize trust significantly increases the likelihood of a data breach—this had the highest 'extreme' rating of all impacts measured. Additional consequences include hits to employee productivity and workflow efficiency, reduced ability to engage with customers, diminished capacity to attract and retain employees, dampened market capitalization, and challenges meeting regulatory requirements. Threat actors specifically target data for use in extortion campaigns.

What does 'Phishing 3.0' mean?

Phishing 3.0 refers to the current generation of AI-enhanced phishing attacks that have fundamentally reset what organizations must defend against. Unlike earlier generations that relied on volume and obvious deception, Phishing 3.0 attacks feature perfect language in any locale, hyper-personalization using aggregated breach data, multi-modal delivery (email, voice, video), and autonomous operation at scale. The term acknowledges that even organizations who 'solved' phishing with traditional defenses are essentially starting over against this new threat paradigm.

Rebuilding Trust in Digital Communications

Protect Better

Block advanced phishing and BEC attacks (and never seen before threats) with our Adaptive AI—dynamically sharpened by real-world user insights and a community of over 25,000 threat hunters.

99.7%

Threats

Automatically Remediated by AI

25,000+

Analysts

Collectively Threat Hunting

Simplify Operations

Slash the time your team spends remediating email incidents from 30 minutes per incident to 30 seconds. Our Adaptive AI scans every email for malicious indicators. When it finds a threat, it doesn’t just block it, it automatically finds and remediates all others like it in your environment.

“IRONSCALES has cut the number of man hours down by 95%.”

Augustine Boateng

Interim Chief Information Officer, City of Memphis

Empower your Org

Triple the email security awareness of your workforce and transform your employees into a crucial line of phishing defense. We make it dead simple to sharpen your employees' understanding of real-world threats with:

Phishing simulation testing
Security awareness training (SAT)
Dynamic email banners

...and a GPT-powered chat assistant

3X

Awareness

With integrated simulation and training

90%

Reduction

In employees clicking malicious links and attachments

Join 17,000+ Companies and Counting

Case Studies

"The ability to provide real-time feedback on both positive and negative performance has proven very effective. It’s a wake-up call for our employees.”

Itzik Menashe Global IT Director of Telit

Read the Case Study

Back

Stop Email Attacks. 
Dead In Their Tracks.

Experience top-tier email protection with IRONSCALES™, the industry's first Adaptive AI-powered platform to catch the threats that others miss.

Get started

See pricing

For Enterprises

For MSPs & MSSPs

Protect Better

Simplify Operations

Empower Your Org

17,000+ Customers and Counting

Case Studies

Reviews

Osterman Research: AI Trends in Cybersecurity

Case Study: Concentrix

Our Awards

HOW IRONSCALES WORKS

Platform Overview

API Integration

Artificial Intelligence

Human Element

TAKE A TOUR

Product Tours

Platform Overview Tour

DMARC Management Tour

Deepfake Protection Tour

Discover the Reality of Deepfake Threats: Stay Ahead With the Latest Insights

BY USE CASE

Business Email Compromise

Advanced Malware & URL Attacks

Generative AI Attacks

Account Takeover Attacks

Deepfake Attack Protection

DMARC Management

Phishing Simulation Testing

Security Awareness Training

BY PLATFORM

BY PROJECT

BY INDUSTRY

BY ROLE

LEARN

Blog

Deepfake Insights

Cybersecurity Glossary

Resource Library

Guides

Platform Tours

CONNECT

Events

Newsletter

LinkedIn

The Hidden Gaps in SEG Protection

New Gartner® Email Security Magic Quadrant™

Are Deepfake Emails Phishing 3.0?

Phishing Prevention

Spear Phishing

Voice Phishing

BY TYPE

MSPs and MSSPs

Resellers

Technology Partners

ENGAGE

Become Partner

Partner Portal

Partner with IRONSCALES

Rebuilding Trust in Digital Communications

The threat curve has reset. AI hasn't just evolved attacks, it's made "solved" problems like phishing and BEC immature and dangerous again.

A Unified Approachto Email Security

99.7%

25,000+

3X

90%

Case Studies

Stop Email Attacks. Dead In Their Tracks.

A Unified Approach
to Email Security

Stop Email Attacks. 
Dead In Their Tracks.