Phishing is getting quieter and more dangerous. Although volume is down ~20% year over year, AI is accelerating targeted lures and initial access activity.

Zscaler ThreatLabz uncovered how attackers are increasingly moving beyond the inbox, probing exposed attack surfaces, validating stolen credentials, and executing account takeover inside encrypted traffic.

 

In this report, you’ll discover: 

  • Phishing is declining in volume, but concentrating in fewer, higher-conversion campaigns that blend into trusted workflows and sectors
  • AI is accelerating both realism and velocity, enabling polished lures and rapid infrastructure spin-up and rotation
  • Encryption provides the default cover for initial access and limits what teams can detect without TLS visibility
  • Deception brings early attacker intent into view, exposing scanning, probing, and credential validation before access is established
  • Practical steps to eliminate initial access risk, including attack-surface reduction, stronger identity controls, and earlier takeover detection

Key stats from Zscaler

  • 65.5%: YoY surge in Services sector phishing
  • 95.2%: Phishing delivered over encrypted channels
  • 89.9M: Decoy hits from 1.37M unique attacker IPs