Token Blog: Phishing and Ransomware Articles

464 Million Phishing Attacks Later, Stop Asking Employees to Be Human Firewalls

Written by Kevin Surace | Jun 25, 2026 8:52:35 PM

OpenText’s 2026 Cybersecurity Threat Report should end the fantasy that phishing awareness training, spam filters, and an MFA app are enough to protect a company. The report found phishing activity rose 206% year over year in 2025, with more than 464 million phishing attacks and more than 327 million spearphishing attacks recorded.

Read that again. More than 327 million targeted attacks. Not generic messages with broken English, strange fonts, and an obvious promise from a foreign prince. These are increasingly customized messages written specifically for the employee receiving them. They reference the person’s role, vendors, customers, projects, leadership team, recent events, and the normal language of the business. And AI has made that possible at industrial scale.

The old security model essentially asks every employee to be a full-time threat analyst. Look carefully at every email. Notice the subtle wording problem. Inspect the sender. Hover over the link. Recognize the fake invoice. Question the urgent request. Never make one mistake. That was already unrealistic. Now it is impossible.

AI can create a unique message for every single employee in seconds. It can match tone, grammar, job function, and business context. It can write like a vendor, a colleague, a CFO, a recruiter, a Microsoft administrator, or the company’s own IT team. It can generate endless variations of the same campaign so filters do not see one repeated malicious template. It can also make the message polished enough that the old red flags are gone. There is no longer a reliable human test for whether an email is real. And email security filters, while absolutely necessary, are not a guarantee either.

Attackers increasingly avoid the obvious signs that legacy filters were designed to catch. They compromise legitimate email accounts. They send messages through real cloud services. They abuse trusted file sharing, form, document, and notification platforms. They use redirect chains that initially appear harmless to automated scanners. They exploit legitimate sender infrastructure that can pass DKIM and other authentication checks because the message really did come from an authenticated account or service.

DKIM establishes that a message was signed with a key published by the signing domain and that the signed headers and body were not altered in transit. It does not prove that the person or system behind that mailbox had good intentions. A phishing email from a compromised vendor mailbox can look technically legitimate. A lure delivered through a trusted cloud platform can look technically legitimate. A message that uses a real Microsoft, Google, or document sharing workflow can look technically legitimate. And that is the point.

Security teams can improve filtering. They should improve filtering. They can use modern email security, DMARC enforcement, behavioral detection, browser controls, endpoint defenses, and strong incident response. All of that matters. But none of it changes the hard truth. Eventually, an attacker will get a believable message in front of someone. The real question is what happens next.

If the employee can be tricked into entering a password, sharing a one-time code, approving an authenticator push, or completing a login through a real-time relay site, the attacker gets in. Traditional MFA, meaning codes and push approvals, does not solve that problem. In most modern attacks, it simply gives the attacker one more thing to persuade the employee to approve. And they often do. That is why companies need to stop treating phishing detection as the final control.

The final control must be authentication that refuses to trust the message, the link, or the employee’s momentary judgment.

Token provides that hard stop. Token biometric assured identity requires a live fingerprint match on secure hardware. Its biometric FIDO2 credentials are scoped to the legitimate relying party domain, and the browser records the page's actual origin in the data the authenticator signs, so a look-alike site cannot obtain an assertion the real service will accept, even when it relays the genuine login page in real time. Token also requires physical proximity to the endpoint being accessed. There is no code to hand over. No push notification to approve. No reusable secret to intercept. No cloud-synced credential that can simply be copied elsewhere.

An employee can click the wrong link. The attacker still does not get in. That is the standard enterprises need now. Not “we hope employees spot the AI generated fake.” Not “our filter catches most of them.” Not “we deployed an authenticator app.”

Most is not enough when one message can open the door to ransomware, customer data theft, wire fraud, or a complete business shutdown. There were more than 464 million phishing attacks last year. Expecting people to identify every one is not a cybersecurity strategy. It is a wish.

Token turns that wish into a hard identity gate. No biometric proof. No legitimate domain. No physical presence. No entry.