
When & Where We Click: What the 2026 Sagiss Survey Says About AI Phishing


Phishing ranks among the most dangerous cyber threats for Dallas businesses. A successful attack can unlock the door to sensitive company and customer data, leading to data theft, intellectual property theft, and financial losses. Something as simple as clicking a malicious link can have devastating consequences for small and medium-sized businesses (SMBs).

Unfortunately, phishing attacks are becoming harder to identify because of artificial intelligence. Attackers use AI tools to write emails and texts that mimic the professional tone workers expect from colleagues, vendors, and others. In this guide, we look at AI phishing statistics for 2026: what drives employees to click, when it is most likely to happen, and how you can safeguard your business.

The Bottom Line: Most Workers Are Clicking First, Questioning Later

According to the 2026 Sagiss Managed Security Report on AI Phishing in the Workplace, employees tend to prioritize speed over caution when it comes to work communication. Our findings show that:

  • 63% of employees have clicked a work-related link that they later wished they had verified.
  • 57% of workers confirmed the legitimacy of a request only after taking action.
  • 45% of employees have responded to an email or message and later wondered whether it was genuine.

Most employees understand that phishing exists and that small businesses face real AI phishing threats. Still, many fall into habits that put the organization's security at risk.

The Sagiss survey found that 41% of workers have ignored an initial gut feeling about a suspicious message because it seemed urgent. That helps explain why awareness alone hasn't solved the problem. When a message appears to come from a manager and references a real project, the instinct to respond quickly can override even a well-trained employee's better judgment. Phishing messages engineered to trigger that response exploit the same professional instincts that make employees good at their jobs.

When Workers Make Mistakes: Rushing, Multitasking, and After-Hours Risk

Employees are most likely to click phishing links when they’re short on time or not paying attention. The Sagiss workplace phishing survey found:

  • 55% of workers say that rushing between tasks or meetings increases their risk of mistakes.
  • 68% of employees check email after hours, when they may have home responsibilities to attend to.
  • 56% of workers feel pressure to respond to messages outside working hours.

In any of these scenarios, the message is competing for the employee's attention rather than holding it. As a result, they may make a quick decision without thinking it through or checking where the message actually came from.

Where Phishing Happens: Email, Chat, and the After-Hours Inbox

Workplace communication isn't tied to a single channel. It flows through email and through messaging tools such as Slack and Teams, and any of these channels can carry a phishing attack. Email doesn't even require a break-in, since a spoofed or lookalike sender address is often enough; in chat, one compromised account is enough to put the attacker inside a conversation colleagues already trust.

Of the employees surveyed by Sagiss, 34% responded to a work message after hours and later felt they should have verified the sender. A message isn't legitimate just because it arrived at a work address or in a work chat. And if a convincing-looking message reaches an employee while they're off the clock, there's a heightened risk they'll engage without verifying it.

Email and chat platforms aren't the only channels under attack. Text messaging (smishing) has become an increasingly significant phishing vector, and many SMBs are far less equipped to defend against it. Most organizations have invested in email spam filtering, link scanning, and security awareness training built around inbox threats; very few have equivalent coverage for text messages. Unless it is enrolled in mobile device management, an employee's personal phone sits entirely outside the company's security perimeter, with no endpoint protection and no IT visibility, which makes it an attractive target.

Why We Still Click: The “Looks Legitimate” Problem

Just a few years ago, phishing messages were plagued by bad grammar and spelling mistakes. This made it easier for employees to spot and disregard suspicious communications. But those days are gone. Today’s phishing messages can look identical to any other work email in your inbox.

Of the 500 workers surveyed by Sagiss, 37% say that phishing communications are difficult to validate when they appear legitimate or well-written. A further 42% of employees have trusted a message because it mirrored a colleague’s tone and voice.

This means organizations and their teams must step up how they identify phishing. Employees can no longer trust an email or chat message based solely on its appearance. Additional verification is necessary, especially when a message contains links, requests sensitive information, or asks for an action such as a payment or a credential change.

How AI Changed the Game: Better Grammar, More Believable Tone

Since generative AI tools became widely available in late 2022, many businesses have adopted the technology to boost worker productivity and automate mundane tasks. Bad actors have adopted it too, to make their fraud more convincing.

Most AI-written phishing messages are free of the grammatical errors once common in older communications. They use a professional tone that feels natural in a user’s inbox.

According to the Sagiss survey, 72% of employees find that phishing messages are more convincing because they use AI-written language. The survey also found that:

  • 33% of employees noticed an improvement in grammar and writing in the suspicious messages they received over the past year.
  • 27% of workers say that suspicious messages use greater personalization.
  • 26% of employees noted a natural tone in the messages they received.

This is bad news for businesses and employees, who now have to sort through an inbox that may contain a mix of legitimate and illegitimate messages. Spam filters that key on known-bad wording or obvious errors may not catch AI-written messages that read like normal business correspondence.

Large language models can ingest publicly available information, such as LinkedIn profiles, company websites, press releases, social media activity, and data from prior breaches, and use it to craft messages that reference real names, real projects, and real organizational context. That is likely what accounts for the 27% of employees who report seeing greater personalization in suspicious messages. The attack feels tailored because, increasingly, it is.

AI also lowers the bar for people without technical skills to launch attacks, because they no longer need to build the tooling themselves. In May of 2026, the FBI Internet Crime Complaint Center issued a warning about a phishing-as-a-service platform that made sophisticated AI-generated attack campaigns available by subscription. This means that enterprise-level tooling is available to anyone willing to pay a monthly fee.

What SMBs Can Do About It

Many small and mid-sized businesses require employees to complete awareness training that covers cybersecurity essentials. But as bad actors embrace AI phishing tactics, this approach on its own is no longer enough to ward off attacks. Even the most informed and technically adept employees can be fooled by messages that look professional and valid, especially when they're multitasking or in a hurry.

A better strategy is to add procedural controls for high-risk actions such as bank or wire transfers, credential resets, and user access changes. Out-of-band verification, where the requester confirms the request over a separate channel whose contact details come from records the company already holds rather than from the request itself, means an AI-written message is never enough on its own to trigger a damaging action.

Take an employee who emails the IT team asking for a password reset. An IT team using out-of-band verification would reach the employee through a channel the request didn't supply, for example a call or text to the phone number already on file in the directory, and would proceed only after the employee confirms the request. If the email says "I've changed my number, reach me at this one instead," that is a reason to stop, not a reason to use the new number. With this check in place, an attacker who controls only the employee's mailbox cannot turn that access into a reset of the account.
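The workflow described above, as an added example that is not code from the Sagiss report or any product. The directory of record, the requester, the phone number and the SMS channel are all hypothetical: the code is bound to one specific request, expires, is single-use, and is only ever sent to the contact details already on file, so a request that supplies its own callback number is refused rather than trusted.

```python
"""Out-of-band verification for high-risk requests (added example).

A request that arrives in email or chat is acted on only after the requester
confirms it over a second channel. The second channel's address is taken from
a directory of record, never from the request. send_sms is injected so the
demo can capture messages instead of sending them.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

HIGH_RISK_ACTIONS = {"password_reset", "wire_transfer", "access_change"}
CODE_TTL_SECONDS = 300

# Hypothetical directory of record. The phone number was enrolled at
# onboarding, so an incoming request cannot supply or change it.
DIRECTORY = {"alice@example.com": {"phone": "+15550100"}}


@dataclass
class PendingVerification:
    code: str
    expires_at: float
    consumed: bool = False


class OutOfBandVerifier:
    def __init__(self, directory, send_sms, clock=time.time):
        self.directory = directory
        self.send_sms = send_sms        # callable(phone, message)
        self.clock = clock              # injectable so expiry can be tested
        self.pending = {}

    @staticmethod
    def request_id(requester, action, details):
        # Bind the code to this exact request, so a code issued for one
        # wire transfer cannot be replayed to approve a different one.
        raw = f"{requester}|{action}|{details}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]

    def start(self, requester, action, details, callback_phone=None):
        """Issue a one-time code over the second channel. Returns the
        request id, or None when the action needs no verification."""
        if action not in HIGH_RISK_ACTIONS:
            return None
        if callback_phone is not None:
            # "Reach me at this new number" is the classic tell. Contact
            # details that arrive inside the request are never used.
            raise ValueError("contact details supplied in request; use the directory of record")
        entry = self.directory.get(requester)
        if entry is None:
            raise LookupError(f"{requester} is not in the directory of record")
        rid = self.request_id(requester, action, details)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[rid] = PendingVerification(code, self.clock() + CODE_TTL_SECONDS)
        self.send_sms(entry["phone"],
                      f"Code {code} approves {action} request {rid}. Not you? Call IT.")
        return rid

    def confirm(self, rid, code):
        """True only for a live, unused code that matches this request."""
        pv = self.pending.get(rid)
        if pv is None or pv.consumed or self.clock() > pv.expires_at:
            return False
        if not hmac.compare_digest(pv.code, code):
            return False
        pv.consumed = True              # single use
        return True


def demo():
    """Walk through the workflow with a fake clock and a captured SMS channel."""
    sent, now = [], [1_000_000.0]
    v = OutOfBandVerifier(DIRECTORY, lambda phone, msg: sent.append((phone, msg)),
                          clock=lambda: now[0])
    rid = v.start("alice@example.com", "password_reset", "reset domain password")
    code = v.pending[rid].code
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "low_risk_needs_no_code": v.start("alice@example.com", "calendar_share", "x") is None,
        "sent_to_number_on_file": sent[0][0] == "+15550100",
        "wrong_code_rejected": not v.confirm(rid, wrong),
        "right_code_accepted": v.confirm(rid, code),
        "replay_rejected": not v.confirm(rid, code),
    }
    try:
        v.start("alice@example.com", "wire_transfer", "pay vendor", callback_phone="+15550199")
        results["request_supplied_number_refused"] = False
    except ValueError:
        results["request_supplied_number_refused"] = True
    rid2 = v.start("alice@example.com", "wire_transfer", "pay vendor")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_code_rejected"] = not v.confirm(rid2, v.pending[rid2].code)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The same structure applies to a wire transfer or an access change: swap the SMS sender for a phone call script or a ticketing-system approval, but keep the rule that the verification channel and its contact details are chosen by the verifier from existing records, not by whoever sent the request.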

Phishing-resistant multi-factor authentication is another control worth prioritizing. Hardware security keys and passkeys built on FIDO2/WebAuthn bind each login to the genuine site's origin, so a proxy on a lookalike domain never receives a response it can relay in real time. That closes the gap that adversary-in-the-middle phishing kits exploit against one-time codes and push prompts. Unlike traditional MFA, phishing-resistant methods don't depend on an employee correctly identifying a fraudulent request before entering a code.
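To show why the origin binding matters, here is an added example, not code from the Sagiss report and not a full WebAuthn library, using only the Python standard library. It models the two artifacts a relying party receives at login: clientDataJSON, which the browser builds with the origin the user is actually on, and authenticatorData, which begins with the SHA-256 of the RP ID the browser passed in. The authenticator signs over both, so a proxy cannot edit them; the checks below are the origin, RP ID and challenge checks a relying party runs before verifying that signature, and the ECDSA signature check itself is not shown. The domains are hypothetical: https://login.example.com is the real site and https://login-example.com is the attacker's lookalike.

```python
"""Why a passkey or security-key login cannot be relayed through a lookalike
domain (added example, stdlib only; signature verification not shown)."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlparse

REAL_ORIGIN = "https://login.example.com"   # hypothetical relying party
REAL_RP_ID = "example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_accepts_rp_id(origin: str, rp_id: str) -> bool:
    """Simplified browser rule: the RP ID must be the origin's host or a
    parent domain of it (the real rule also consults the public suffix list).
    A page at login-example.com therefore cannot ask for RP ID example.com."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_builds_assertion(origin_visited: str, rp_id: str, challenge: bytes):
    """What the browser and authenticator produce for the page the user is on.
    A proxy on a lookalike domain gets exactly this, with ITS origin baked in."""
    if not browser_accepts_rp_id(origin_visited, rp_id):
        raise ValueError(f"browser refuses RP ID {rp_id!r} for origin {origin_visited!r}")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin_visited,
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x05])                      # user present + user verified
    sign_count = (1).to_bytes(4, "big")
    return client_data, rp_id_hash + flags + sign_count


def relying_party_checks(client_data: bytes, auth_data: bytes, expected_origin: str,
                         expected_rp_id: str, issued_challenge: bytes):
    """Checks the relying party runs before signature verification.
    Returns (ok, reason)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    got_challenge = b64url_decode(cd.get("challenge", ""))
    if not secrets.compare_digest(got_challenge, issued_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def login_attempt(origin_user_visited: str, rp_id_requested: str):
    """Full round trip: the RP issues a challenge, the user's browser answers it
    from whatever page it is on, and the RP evaluates the result."""
    challenge = secrets.token_bytes(32)
    client_data, auth_data = browser_builds_assertion(origin_user_visited,
                                                      rp_id_requested, challenge)
    return relying_party_checks(client_data, auth_data, REAL_ORIGIN, REAL_RP_ID, challenge)


if __name__ == "__main__":
    print("genuine site:", login_attempt(REAL_ORIGIN, REAL_RP_ID))
    # The proxy forwards the real RP's challenge, but the browser stamps the
    # lookalike origin into clientDataJSON, so the RP rejects the assertion.
    print("lookalike proxy:", login_attempt("https://login-example.com", "login-example.com"))
```

Contrast this with a one-time code: the code is just six digits the user types, so a proxy that shows the real login page from a lookalike domain can forward it unchanged. A WebAuthn assertion carries the origin the user saw, and the relying party compares it with its own, which is why the relay fails without the user having to notice anything.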

For SMBs that lack the in-house resources to implement and monitor these controls consistently, managed security services offer a practical solution. A qualified managed security provider can deploy the right technical stack, establish verification protocols, and provide the continuous monitoring that most small businesses can’t maintain on their own. They also train employees on how to avoid potential attacks. The full 2026 Sagiss phishing survey contains more insights into how employees behave when facing a potential phishing attack, and its effect on Dallas-area businesses. Check it out to learn more about the motivations that lead employees to click, or reach out to Sagiss for a consultation on managed security for SMBs.