Practical scam rules for all staff:
- Never believe it’s me (or any manager) if I ask for passwords, codes, or urgent payments.
I do not ask for passwords, MFA codes, or confidential details by email, phone, or chat — ever.
- Always double-check urgent or unusual requests.
If someone pressures you with “urgent”, “do this now”, or “don’t tell anyone”, stop and verify through another channel.
- Be suspicious of voice calls that sound “exactly right”.
Voices can be cloned. If a call asks for money, access, or credentials — hang up and verify.
- Never approve MFA (login) requests you did not start yourself.
If your phone keeps asking you to approve logins, deny them and report it.
- Do not install browser extensions unless approved by IT.
Even “productivity” or “security” extensions can spy on everything you type.
- Do not click pop-ups telling you to “update now”.
Software updates only happen through official company processes, never random pop-ups.
- If a website looks normal but something feels off — stop.
Fake websites can look identical to real ones. When in doubt, don’t log in.
- Never reuse work passwords anywhere else.
One leaked password should not open multiple systems.
- Report mistakes immediately — you will not be blamed.
Fast reporting reduces damage. Silence makes it worse.
What scams to watch out for this year?
Scammers are making so much money because cyber scams are becoming harder to spot, more damaging to recover from, and alarmingly widespread. They have access to sophisticated tools, including AI that can replicate voices and writing styles.
Heimdal Security is a cybersecurity company that delivers a unified, AI-powered protection platform combining next-gen antivirus, threat prevention, and privileged access control. Danny Mitchell, Cybersecurity Writer at the company, believes that the threat landscape in 2026 will be shaped by attackers who understand how to exploit trust, fatigue, and system-level vulnerabilities.
“Scams are no longer simply tricking users into clicking a bad link,” says Mitchell.
Mitchell identifies the scams gaining traction, explaining that they aren’t entirely new, but the way they’re being executed is changing in ways that make them far more dangerous.
- AI-Powered Phishing and Voice Cloning
Phishing emails used to be easy to spot. Poor grammar, generic greetings, and suspicious links were obvious red flags. Now, attackers use AI to analyze writing styles, mimic tone, and create messages that sound exactly like someone you know. Voice cloning has become particularly concerning. Criminals can replicate a colleague’s or manager’s voice using just a few seconds of audio.
“We’re seeing cases where employees receive calls that sound identical to their CEO, requesting urgent wire transfers or access credentials,” Mitchell says. “The technology required to do this is now accessible and cheap. It’s not a theoretical risk any longer, but actually happening regularly.”
- Business Email Compromise with MFA Fatigue
Business email compromise (BEC) attacks have evolved to bypass multi-factor authentication (MFA). The tactic is called MFA fatigue. Attackers flood a user’s phone with dozens of push notifications until the person, frustrated or confused, approves one just to stop the alerts.
“MFA is still important, but it’s not a silver bullet,” Mitchell explains. “Attackers know that users get tired, especially if they’re bombarded with notifications during a meeting or late at night. One accidental approval is all it takes.”
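For security teams, the pattern described above (a burst of unapproved push prompts ending in one approval) can be detected in sign-in logs. The following is an added example, not from the article or from Heimdal; the log format, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, factor, result.
SAMPLE_LOG = """\
2026-01-12T09:02:11Z bob push approved
2026-01-12T14:30:00Z carol push timeout
2026-01-12T14:30:45Z carol push approved
2026-01-12T22:41:05Z alice push denied
2026-01-12T22:41:40Z alice push timeout
2026-01-12T22:42:10Z alice push denied
2026-01-12T22:42:55Z alice push timeout
2026-01-12T22:43:20Z alice push denied
2026-01-12T22:43:50Z alice push timeout
2026-01-12T22:44:15Z alice push approved
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of unapproved pushes that counts as a flood

def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, kind, timestamp) alerts from time-ordered push events.

    kind is "flood" when a user reaches `threshold` denied/timed-out pushes
    inside `window`, and "approved_after_flood" when an approval follows one.
    """
    recent = defaultdict(deque)  # user -> times of recent unapproved pushes
    alerts = []
    for line in log_text.strip().splitlines():
        stamp, user, factor, result = line.split()
        if factor != "push":
            continue
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:      # alert once, when the burst crosses the line
                alerts.append((user, "flood", stamp))
        elif result == "approved":
            if len(q) >= threshold:      # approval landed inside a flood: treat as likely compromise
                alerts.append((user, "approved_after_flood", stamp))
            q.clear()
    return alerts
```

An `approved_after_flood` alert is the case to act on first: revoke the session and reset the account's credentials, then follow up with the user.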
- Malicious Browser Extensions
Browser extensions are small tools that add functionality to web browsers, but they also represent a significant attack surface. Malicious extensions can monitor everything a user types, capture login credentials, or redirect users to phishing pages without them noticing.
Mitchell highlights how these extensions often disguise themselves as productivity tools or security add-ons. “Users install them thinking they’re improving their workflow, but in reality, they’ve just handed an attacker full visibility into their online activity,” he says.
- DNS-Based Redirection and Fake Update Scams
Attackers are increasingly targeting the DNS layer, which is the system that translates website names into IP addresses. By poisoning DNS records, criminals can redirect users to fake websites that look identical to the real thing.
“You type in your bank’s URL, but instead of reaching the legitimate site, you’re sent to a replica controlled by attackers,” Mitchell explains. “Everything looks normal, so you enter your credentials, and now they have them.”
Fake update scams are another growing threat. Users receive pop-ups claiming their software needs an urgent update. Clicking the prompt installs malware instead.
How Organizations Can Reduce Scam Exposure Going Into 2026
Mitchell stresses that organizations cannot rely solely on employees making perfect decisions under pressure. He reveals the controls that security teams need to implement to prevent scams from reaching users in the first place.
- DNS-Level Threat Prevention: Blocking threats at the DNS layer stops malicious domains before users can interact with them.
There are many DNS security brands and services that specialize in DNS threat blocking and filtering for business networks.
All of these services replace or sit alongside your current DNS setup. Instead of using your ISP’s default DNS (which usually doesn’t block threats), the company configures its network or devices to use one of these providers’ DNS systems.
When a user’s device tries to visit a domain:
- It asks the DNS service for an IP address.
- The DNS service checks its threat lists.
- If it’s malicious, it blocks the request before the site loads.
This prevents users from ever seeing the dangerous site, even if the link looked real.
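Blocking only works on devices that actually send their queries to the filtering service, so it is worth auditing resolver settings. The following is an added example, not from the article; the host names and resolv.conf contents are constructed, and the resolver address lists are an assumed allow-list to confirm against each provider's current documentation.

```python
import ipaddress

# Resolver addresses this example treats as threat-filtering (assumed allow-list).
FILTERING = {
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
    "1.1.1.2": "Cloudflare (malware blocking)", "1.0.0.2": "Cloudflare (malware blocking)",
}
# Same providers, but addresses that resolve without a threat list.
UNFILTERED = {"9.9.9.10": "Quad9 unfiltered", "1.1.1.1": "Cloudflare unfiltered"}

# Constructed resolv.conf contents for three hypothetical hosts.
SAMPLE_HOSTS = {
    "laptop-01": "nameserver 9.9.9.9\nnameserver 149.112.112.112\n",
    "laptop-02": "# set by DHCP\nnameserver 1.1.1.2\nnameserver 192.0.2.53\n",
    "kiosk-07": "search corp.example\nnameserver 9.9.9.10\n",
}

def nameservers(resolv_conf):
    """Extract nameserver IPs, ignoring comments, other options and malformed entries."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                found.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return found

def audit(hosts):
    """Map host -> list of findings; an empty list means every resolver is filtering."""
    report = {}
    for host, conf in hosts.items():
        servers = nameservers(conf)
        findings = [] if servers else ["no nameserver configured"]
        for ip in servers:
            if ip in FILTERING:
                continue
            # Any non-filtering entry matters: a query that falls back to it skips the threat list.
            label = UNFILTERED.get(ip, "not on the approved list")
            findings.append(f"{ip}: {label}")
        report[host] = findings
    return report
```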
| Provider | Type | Notes |
|---|---|---|
| Cloudflare | Commercial & free tiers | Enterprise-grade DNS & web security services |
| Cisco Umbrella / OpenDNS | Commercial | Industry-leading business DNS security |
| Quad9 | Free | Good baseline malicious site blocking |
| CleanBrowsing | Freemium | DNS filtering with category controls |
| DNSFilter / ControlD | Commercial | Advanced threat filtering for SMBs |
“If the connection to a phishing site or malware server is blocked at the DNS level, the scam never gets a chance to work,” Mitchell says.
- Privilege Access Controls: Limiting who has access to sensitive systems reduces the impact of compromised accounts. Mitchell advises implementing least-privilege access, where users only have the permissions they need to do their job.
“If an attacker compromises an account with limited access, the damage they can do is contained,” he explains.
- Patch and Asset Hygiene: Unpatched software creates entry points for attackers. Mitchell recommends automated patch management to close vulnerabilities quickly and maintain an accurate inventory of all devices and applications.
- User Risk Reduction Without Relying on ‘Perfect Behavior’: Rather than expecting employees to identify every scam, organizations should reduce the opportunity for human error. This includes disabling risky features like MFA push notifications in favor of more secure authentication methods, restricting browser extension installations, and using email filtering that flags unusual requests.
“Security needs to work even when users are tired, distracted, or under pressure,” Mitchell says.
“The goal isn’t to blame people for falling for scams, but rather to build systems that make scams harder to execute.”
Heimdal Security is a cybersecurity company headquartered in Copenhagen, Denmark, and has grown to support a global client base. Their mission is to empower CISOs, security teams, and IT administrators to proactively manage risk, reduce alert fatigue, and gain full visibility across their environment.


