Hoxhunt 2026 Phishing Trends Report: A 14x AI Phishing Surge Hit Over the Holidays

Hoxhunt analysts tracked AI-generated phishing incidence across November, December, and January 2025-2026. The numbers tell a clear story:

The 4% November figure was consistent with what Hoxhunt had observed throughout most of 2025. The December spike to 56% was, as the report puts it, astonishing. Multiple CISOs confirmed to Hoxhunt that they were hit with an entirely new breed of AI-powered phishing over the holidays. And the trend has held into 2026.

This wasn't supposed to be a surprise. The post-ChatGPT era saw massive increases in malicious messages hitting email filters. It was a matter of time before those attacks started slipping through in volume. What changed is that the trickle became a flood, practically overnight.

The Comcast Business Cybersecurity Threat Report estimates that 80-95% of breaches start with a phishing attack. A Statista survey found that 54% of ransomware infections traced back to phishing, with another 27% tied to poor user practices and 26% to a lack of cybersecurity training.

Hoxhunt's analysts were clear: these AI-generated phishing emails are not deepfake video calls or hyper-personalized spear phishing at mass scale. Not yet. What they are is a significant upgrade to the traditional phishing playbook. Better grammar. Cleaner design. More professional presentation. The kind of improvement that turns a quick glance into a click.

The telltale signs Hoxhunt identified in AI-assisted emails include highlighted boxes with thick colored left borders to draw attention to a fake urgency, emojis placed strategically before calls to action (like "📞 Call Support" or "🔒 Secure documents"), rounded corners on buttons and containers, polished grammar throughout, and HTML comments with generic section markers like "Main Content" that large language models commonly produce.

The most common themes broke down like this:

• Fake offers and promotions (18.6%) - free phones, car emergency kits, airline rewards. The year-end timing made these feel natural.
• Financial service impersonations (13.1%) - banks, insurance companies, and PayPal, claiming the recipient needed to act on security updates or available benefits.
• Unpaid invoice lures (8.3%) - impersonated parties ranged from career training consultants to supply chain partners.
• HR impersonations (8.2%) - performance reviews and salary updates were the most common hooks. These exploit the emotional weight that HR communications naturally carry.

Of the analyzed emails, 43.1% used links, 20.3% used open redirects to mask malicious URLs from both humans and spam filters, 11% used attachments, and 4.9% included a malicious phone number for callback phishing. Urgency was the most commonly exploited emotion, followed by greed and reward-seeking.

One interesting finding: AI-enabled auto-personalization is already common in these campaigns, but it's not very good yet. Failed placeholder text like "##victimdomain##" still shows up in plenty of messages. That will change. The technology is improving.

Callback phishing saw a 500% increase in Q4 2025, according to VIPRE Security Group data cited in the report. The concept is simple: instead of embedding a malicious link, the attacker includes a phone number. The email claims something alarming - a fraudulent charge, an expiring subscription, an urgent invoice - and tells the recipient to call to resolve it.

The reason it works is structural. Most email security tools focus on scanning links and attachments. Phone numbers pass right through. Once on the phone, attackers use social engineering to extract credentials, push the target to install remote access software, or authorize fraudulent payments.

Hoxhunt's analysis of callback campaigns from October 2025 through January 2026 found that 27.1% impersonated financial services (PayPal, Venmo, Bank of America), while 26.6% were invoice-themed with fake subscription renewals and bogus order confirmations. LevelBlue's research found that 43% of business email compromise attacks now include a callback phishing element.

PDFs accounted for 23.7% of all malicious attachments in the first half of 2025, holding their position as the most common malicious file type. They remain popular because they bypass filters more easily and users trust them instinctively. Hoxhunt found these PDFs carrying fake invoices with fraudulent payment details, fake law enforcement letters, and documents with embedded links leading to credential harvesters.

The bigger story is the emergence of SVG files. Malicious SVG attachments increased fifty-fold compared to 2024, climbing to 5% of all malicious attachments - the third most common type. SVG files look like ordinary graphics but can carry embedded scripts that bypass many anti-spam tools. Microsoft moved to block inline SVG image rendering in September 2025, but SVG attachments are still supported, so the technique persists.

The report also highlighted that roughly 90% of malicious attachments that bypass filters contain deceptive links leading to a further payload - typically a credential harvesting site or malware download. Only about 10% contain further social engineering aimed at deepening engagement before the eventual attack.

This one caught Hoxhunt's attention enough that they quickly built simulations around it. Attackers send phishing emails containing .ics calendar invite files. Many email environments automatically add these events to the recipient's calendar when the email arrives. The meeting links or attachments inside the calendar event are malicious.

When Hoxhunt ran simulations using calendar invites, failure rates hit 24% - that's 4 to 6 times higher than the global baseline. The attack works because it exploits routine behavior. You see a new meeting on your calendar, you check the details. It looks legitimate. You click.

There's a compounding problem: reporting the suspicious email doesn't remove the calendar event. Most security tools and reporting buttons target email messages, not calendar objects. So even an employee who correctly identifies and reports the phishing email may still click the malicious calendar event hours or days later when a reminder pops up. For this reason, the calendar event has to be deleted separately.

For businesses that rely on shared calendars and frequent meeting scheduling - which is most of them - this attack vector is particularly dangerous. Teams across law firms, CPA practices, and wealth management firms receive calendar invites constantly and are prime targets for this technique.

The report's training data is arguably more important than the threat data. It proves that phishing risk is a solvable problem when you approach training the right way.

After organizations adopted a security behavior change program over a traditional quarterly awareness model, Hoxhunt measured these outcomes:

The Verizon DBIR 2025 backs this up: users with recent training reported phishing emails at a 21% rate, compared to a 5% base rate - a fourfold increase. Speed matters too. Hoxhunt's top 5% of reporters flag threats in 39 seconds. And median dwell time drops by a third after training.

The real-world proof is compelling. Within 6 months of training, half of employees have reported at least one real phishing threat. By 12 months, that number reaches two-thirds. Before training, only 34% of users successfully reported simulated malicious attachments while 11% failed by clicking. After 12 months, the success rate climbed to 74% and the failure rate dropped below 2%.

The biggest human cyber risk, as Hoxhunt puts it, is neglecting your humans.

Hoxhunt broke down training performance across industries, job roles, and countries. The variance is significant, and it matters for how businesses structure their security programs.

For Houston-area businesses across construction, manufacturing, and oil and gas, these industry-specific gaps are worth paying attention to. Your training program should account for the types of phishing your people are most likely to encounter - and the types they're most likely to fall for.

CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, managed IT support, network security, VoIP, and SD-WAN for businesses with 10-200 employees. Reports like Hoxhunt's 2026 Phishing Trends Report are exactly why we invest heavily in security awareness and threat detection for the businesses we serve across Houston, Katy, Sugar Land, and Cypress.

The Hoxhunt report makes one thing very clear: technology alone won't stop phishing. Your people are both the target and the solution. But most small and mid-sized businesses don't have the resources to build and manage a security training program on their own. That's where a managed IT partner earns its keep.

• Email Security and Filtering - We deploy and manage advanced email filtering that catches the attacks before they reach your inbox, including the AI-polished phishing that's bypassing standard filters.
• Security Awareness Training - We implement behavior-based training programs designed to build real threat recognition skills, not just check a compliance box. The Hoxhunt data proves this approach works.
• Phishing Simulation and Testing - Regular simulated phishing campaigns tailored to the attack types your industry faces most, with measurable improvement tracked over time.
• Endpoint Protection and Monitoring - When someone does click, your systems need to catch it fast. We monitor endpoints 24/7 to detect and contain threats before they spread.
• Incident Response Planning - The $1.2 million cost difference between fast and slow breach detection tells the whole story. We build response plans so your team knows exactly what to do.
• Multi-Factor Authentication and Identity Management - Proper MFA configuration blocks the credential theft that most phishing attacks are ultimately after.

In 30+ years of working in IT, the pattern hasn't changed: the businesses that invest in their people's security skills before an incident are the ones that avoid the worst outcomes. The Hoxhunt data confirms this at a scale of 50 million data points. If your Houston-area business needs help building that kind of resilience, that's exactly what we do.