According to Cisco Talus researchers, phishing is the primary method threat actors use to gain unauthorized access to networks, accounting for more than one-third of all incidents in the first quarter of 2026. This increase is attributed to threat actors using legitimate AI tools to enhance phishing campaigns, particularly against health care and government sectors.
According to the blog, “State-sponsored and criminal actors have been observed abusing large language models to aid in the development of phishing lures, malicious scripts, and other tasks.” They have also adopted AI algorithms to evade detections and orchestrate attacks.
The use of AI tools makes it easier for threat actors to gain entry, accelerate the speed of phishing campaignz, and harvest credentials faster, all without having to use code.
To prevent being victimized, Cisco recommends that organizations:
- Implement properly configured MFA and other access control solutions;
- Conduct robust patch management; and
- Configure centralized logging capabilities across the environment.
The IR Trends Q1 2026 post describes the ways AI tools are used to initiate attacks, and how phishing is again the most frequent entry by threat actors. It reinforces the need to keep users vigilant and educated on the importance of detecting and reporting phishing attempts.