By Excello Mail Team

Telecom Is Now the Number One Phishing Target. Here Is Why That Makes Email Authentication More Critical Than Ever.

The APWG Q1 2026 Phishing Activity Trends Report shows telecom jumped from 5.9% to 33% of all phishing attacks in a single quarter. Understanding the 'multiple pivots' strategy behind this surge reveals exactly why DMARC enforcement cannot wait.

The Anti-Phishing Working Group published its Q1 2026 Phishing Activity Trends Report in May 2026. The headline number is significant: 971,181 unique phishing attacks in the first three months of the year, up 13.8 percent from 853,244 in Q4 2025. But the number that deserves the most attention is not the total volume. It is the sector breakdown.

In Q3 2025, the telecom category accounted for 5.9 percent of all phishing attacks. By Q1 2026, that figure had reached 33 percent, making telecom the single most frequently attacked industry in the quarter. The APWG notes that this represents the largest single-sector concentration in its dataset since Q4 2023. URL-based phishing attacks specifically targeting telecom increased 75 percent between Q4 2025 and Q1 2026.

This is not a gradual trend. It is a sudden, concentrated targeting decision by organized threat actors, and the reasons behind it have direct implications for email authentication strategy.

Why Cybercriminals Moved to Telecom

The APWG report explains the sector’s attractiveness through what it calls “multiple pivots.” Telecom carriers are unusual targets because a single successful compromise gives attackers access to more than one exploitable asset.

Most telecom providers bundle three services under a single account: internet access, an ISP-branded email address, and mobile phone services. When a phishing attack successfully steals the credentials for a telecom customer account, the attacker does not just gain access to one thing. They gain access to an email account marked with a trusted brand name, control over a phone number used for SMS two-factor authentication, and potentially account management capabilities that expose billing details and service settings.

That combination is uniquely valuable. An email account hosted under a recognized carrier brand – AT&T, Verizon, Comcast, BT, Telstra – carries decades of sender reputation. These accounts rarely land in spam folders. When attackers compromise enough of them, they have a ready-made pool of trusted sending infrastructure that has never been flagged as a source of fraud. A Gmail account is a commodity. An ISP-branded email account linked to a real subscriber is a phishing asset.

The phone number access enables a second attack vector: SIM swapping. By controlling the mobile account, attackers can reroute SMS authentication codes, bypassing two-factor authentication on banking, email, and financial platforms. This is not theoretical. SIM-swap fraud has been the mechanism behind several high-profile account takeovers in the past two years.

One successful telecom phishing hit therefore opens doors that a standard credential theft attack cannot. The pivot count – email reputation, phone control, account data – is what makes telecom targets worth the infrastructure investment.

The Brand Impersonation Layer

To steal telecom customer credentials, attackers need a convincing impersonation of the carrier. This is where DMARC enforcement gaps create a structural vulnerability.

DMARC works by cryptographically tying email messages to the domain they claim to originate from. A message claiming to come from [email protected] must pass SPF alignment (sent from authorized infrastructure) and carry a valid DKIM signature. If either fails and the domain’s DMARC policy is p=reject, the receiving server discards the message. No inbox placement occurs.

The problem is that the telecom sector’s DMARC adoption reflects the same pattern seen across much of the economy. Research from 2026 shows that finance and telecom sectors have DMARC presence on roughly 32 to 33 percent of their domains – but most of those domains are sitting at p=none, a monitoring-only mode that generates reports but instructs receiving servers to do nothing with unauthenticated messages. Globally, only about 18.1 percent of all domains have DMARC enforcement at p=quarantine or p=reject.
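The gap between DMARC presence and DMARC enforcement described above, as an added example that is not part of the original article or any Excello Mail code: a Python classifier that sorts published DMARC TXT records into absent, invalid, monitor-only, partial, or enforced. The domains and records are constructed samples, and the function names are hypothetical.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed TXT records as they would be published at _dmarc.<domain>.
SAMPLE = {
    "carrier-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@carrier-a.example",
    "carrier-b.example": "v=DMARC1; p=reject; rua=mailto:dmarc@carrier-b.example",
    "carrier-c.example": "v=DMARC1; p=quarantine; pct=25",
    "carrier-d.example": None,  # no record published
    "carrier-e.example": "v=DMARC1; p=reject; sp=none",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def posture(txt, subdomain=False):
    """Classify one record: absent, invalid, monitor-only, partial or enforced."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "absent"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"
    if subdomain and tags.get("sp", "").lower() in VALID_POLICIES:
        policy = tags["sp"].lower()  # sp overrides p for subdomains
    if policy == "none":
        return "monitor-only"  # reports are generated, no action is requested
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return "enforced" if pct >= 100 else "partial"

def summarize(records):
    """Count postures across a {domain: TXT record or None} mapping."""
    return Counter(posture(txt) for txt in records.values())

if __name__ == "__main__":
    for domain, txt in SAMPLE.items():
        print(f"{domain:20} {posture(txt)}")
    print(dict(summarize(SAMPLE)))
```

The last sample record shows a case worth checking for: the organizational domain is at p=reject, but sp=none leaves every subdomain in monitoring-only mode.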

This means that for the average telecom carrier, a threat actor can construct an email that appears to come from an official carrier domain, pass it through standard sending infrastructure, and have it reach subscriber inboxes without triggering a DMARC rejection. The authentication gap is not the customer’s failure. It is the carrier’s.

The Phishing Chain That Targets Telecom Subscribers

Telecom phishing attacks typically follow a specific pattern. A subscriber receives an email that appears to come from their carrier – a billing alert, a security notice, a notice that their account has been accessed from an unrecognized device. The email looks legitimate. In many cases, it actually passes basic spam filter checks because it is sent from well-configured infrastructure that impersonates the carrier’s domain.

The message contains a link to a landing page that mimics the carrier’s account portal. The subscriber enters their username and password. The attacker captures those credentials in real time and immediately initiates account access to extract the phone number, email account, and any stored payment methods.

The 75 percent surge in URL-based telecom phishing observed by APWG in Q1 2026 reflects the maturation of this attack chain. Threat actors have built tooling, templates, and infrastructure specifically for carrier impersonation. The barrier to running a telecom phishing campaign has dropped substantially as purpose-built kits have proliferated.

What stops this chain cold is DMARC enforcement at p=reject on the carrier’s sending domains. When that policy is in place, the impersonation email – regardless of how convincing its content is – is rejected before it reaches the subscriber’s inbox. The link never loads. The credentials are never entered.

What the Social Media Data Adds to the Picture

Beyond the telecom surge, the Q1 2026 APWG report documents a parallel escalation in social media threats. On every major platform, threat volume increased between Q4 2025 and Q1 2026. The composition of those threats breaks down as 43.8 percent brand and individual impersonation, and 27.1 percent outright scams designed to defraud users of money or personal information.

This is relevant to the telecom pattern because social media impersonation and email phishing are often coordinated campaigns. A threat actor running a telecom brand impersonation operation will frequently maintain fake social media accounts under the carrier’s brand, create fraudulent support profiles, and use those accounts to direct victims toward phishing links. The email campaign and the social media campaign reinforce each other.

Organizations with strong DMARC posture gain a secondary benefit: BIMI eligibility. Brand Indicators for Message Identification allows a verified logo to appear next to authenticated email messages in supporting mail clients. When subscribers see the carrier’s verified logo alongside an email, they have a visual confirmation that the message passed all three authentication layers. When that logo is absent from a message claiming to be from the carrier, it is an observable signal that something is wrong. In an environment where sophisticated impersonation is increasingly the norm, that visual layer becomes a meaningful distinction.

The Wire Transfer BEC Shift

The Q1 2026 APWG data includes an interesting counterpoint to the telecom surge: business email compromise wire transfer attacks decreased 25 percent compared to Q4 2025, with the average demanded amount falling 15 percent to $42,663 from $50,297.

This decline does not suggest that BEC is less of a threat. It more likely reflects a tactical shift in where attackers are concentrating resources. When telecom phishing produces high-value account access at scale – email infrastructure, phone number control, financial account pathways – the economics of traditional wire transfer BEC campaigns become relatively less attractive. Attackers follow returns. In Q1 2026, telecom returns were exceptionally high.

The implication for organizations is that the threat landscape is not static. The category that was the primary concern in one quarter may not be the dominant vector in the next. Email authentication – SPF, DKIM, and DMARC at enforcement – provides a structural defense that does not need to be retuned every time attackers shift tactics. A domain at p=reject is protected against email-based impersonation regardless of which industry or sector attackers decide to target next quarter.

The Authentication Gap That Attackers Exploit

The core finding in the APWG Q1 2026 report is not complicated: when a sector becomes a concentrated target, the brands within that sector are immediately weaponized for impersonation. Telecom carriers became the primary target in Q1 2026. Their customers are receiving phishing emails that appear to come from their carrier’s official domains. Many of those emails are reaching inboxes because the carriers themselves have not implemented DMARC enforcement.

This is a pattern that has repeated across industries. Healthcare was a primary target in 2025. Airlines were identified in earlier analysis. Each time, the common factor was an authentication gap that allowed attackers to send email appearing to originate from a trusted brand domain without restriction.

The solution in each case is the same: DMARC enforcement at p=reject closes the gap. Aggregate reporting shows exactly what unauthorized sending activity is occurring against a domain. Moving from p=none through p=quarantine to p=reject systematically eliminates the attack surface that impersonation campaigns depend on.
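What aggregate reporting shows in practice, as an added example that is not part of the original article or any Excello Mail code: a Python reader for a DMARC aggregate (RUA) report in the RFC 7489 XML layout that lists sources whose mail failed DMARC and how much of it the receiver took no action on. The report, domain, and documentation-range IP addresses are constructed, the function name is hypothetical, and a row is treated as failing only when neither the aligned DKIM nor the aligned SPF result is pass.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report; carrier.example and the IPs are placeholders.
REPORT = """<feedback>
  <policy_published><domain>carrier.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>carrier.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.23</source_ip><count>340</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>carrier.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>75</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>billing.carrier.example</header_from></identifiers></record>
</feedback>"""

def failing_sources(xml_text):
    """Return {source_ip: {"count": n, "no_action": n}} for rows failing DMARC."""
    # Reports come from third parties; for untrusted input in production,
    # a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(xml_text)
    out = defaultdict(lambda: {"count": 0, "no_action": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # policy_evaluated carries the aligned results; one pass is a DMARC pass.
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue
        n = int(row.findtext("count"))
        src = out[row.findtext("source_ip")]
        src["count"] += n
        if ev.findtext("disposition") == "none":
            src["no_action"] += n  # receiver applied no DMARC policy action
    return dict(out)

if __name__ == "__main__":
    for ip, stats in failing_sources(REPORT).items():
        print(ip, stats)
```

In the constructed report the domain publishes p=none, so all 340 unauthenticated messages from the failing source carry disposition none; the same rows under p=reject would be reported with disposition reject.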

Telecom is today’s most targeted sector. It will not be the last new sector to face concentrated attack. The organizations that have already moved to DMARC enforcement are structurally less exploitable as targets, regardless of which industry the next wave of phishing focuses on.

