Social engineering
Security culture

How attackers steal passwords through social engineering


Most compromised credentials aren't broken through brute force. They're obtained by convincing the person who holds them. Helpdesk vishing, MFA fatigue, and AI-personalized phishing are the active vectors — and the defence that works has to operate at the human layer.
Natalia Bochan

TL;DR

Most stolen credentials aren't cracked — they're handed over. Helpdesk vishing, MFA fatigue, and AI-personalized phishing are the dominant vectors in 2025 and 2026. In Spain alone, INCIBE recorded 122,223 cybersecurity incidents in 2025, a 26% increase year-on-year, with phishing leading at 25,133 cases. The answer isn't a stronger password policy. It's building the organizational capability to recognize and resist manipulation before it succeeds.

Introduction

An employee gets a call from IT support. There's been suspicious activity on their account. They need to reset their password immediately through a link that's being sent to their email right now. The process takes two minutes. Everything seems legitimate.

The call wasn't from IT.

Today is World Password Day — an annual reminder to use stronger credentials, enable multi-factor authentication, and stop reusing passwords across accounts. All of that matters. But it addresses the technical surface of the problem, not the human one. Attacks by AI-enabled adversaries increased 89% year-over-year in 2025, with voice phishing and helpdesk impersonation among their preferred entry points (CrowdStrike 2026 Global Threat Report, crowdstrike.com).

In Spain, INCIBE recorded 122,223 cybersecurity incidents in 2025, a 26% increase on the previous year, with phishing leading fraud cases at 25,133 incidents (INCIBE, Balance de ciberseguridad 2025, incibe.es). Behind most of those numbers is a person who did something reasonable in a context designed to prevent them from telling the difference.

Attackers don't guess the password. They ask for it.

The most common passwords involved in incidents — "123456", "admin", "password" — get attention every World Password Day. INCIBE identifies default credentials as the primary vulnerability for SMBs in Spain. These are real problems. They don't explain most corporate incidents.

In enterprise environments, compromised credentials are rarely obtained through brute force. They're obtained because someone designed a situation in which the target handed over the information voluntarily, believing it was the right thing to do.

Helpdesk vishing is one of the most effective and least visible methods. The attacker calls the employee, presents as IT support, and creates urgency: there's a problem with the account, it needs to be resolved now, follow this specific process. The employee follows the instructions because everything fits what a legitimate call would look like. The password can be unique, long, and complex. The attack works anyway.

MFA fatigue: when the security control becomes the attack vector

Multi-factor authentication is a necessary protection layer. MFA fatigue shows that technical controls don't operate in isolation — they operate through people.

In this type of attack, the attacker sends repeated verification requests to the employee's device. Through exhaustion, distraction, or confusion, the person approves one. In more sophisticated variants, the attacker calls at the same time, posing as IT support, to convince the user that approving the request is a required step to resolve a technical issue.

The control that failed wasn't the MFA. It was the employee's judgment in a moment of pressure specifically designed to override it. Adversary-in-the-middle attacks, which bypass MFA by intercepting session tokens in real time, surged 146% in 2024 (Microsoft, via Zensec, zensec.co.uk).
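The pattern the section describes has a defender-side signature: a burst of push notifications to one account, none of them answered or several denied, followed by a single approval. The following detection, added here as an illustration and not code from the original post, runs that logic over a few constructed MFA log lines; the log format, the field names, the ten-minute window and the four-push threshold are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not taken from any real product):
# "<ISO timestamp> user=<id> event=<push_sent|push_denied|push_approved> src=<ip>"
# "alice" shows the fatigue pattern: five pushes, one denial, then an approval.
# "bob" is a normal login: one push, one approval.
SAMPLE_LOG = """\
2025-05-02T16:02:11 user=alice event=push_sent src=203.0.113.7
2025-05-02T16:02:40 user=alice event=push_denied src=203.0.113.7
2025-05-02T16:03:05 user=alice event=push_sent src=203.0.113.7
2025-05-02T16:03:30 user=alice event=push_sent src=203.0.113.7
2025-05-02T16:04:02 user=alice event=push_sent src=203.0.113.7
2025-05-02T16:04:15 user=alice event=push_sent src=203.0.113.7
2025-05-02T16:05:10 user=alice event=push_approved src=203.0.113.7
2025-05-02T09:00:00 user=bob event=push_sent src=198.51.100.4
2025-05-02T09:00:20 user=bob event=push_approved src=198.51.100.4
"""

PUSH_THRESHOLD = 4           # assumed: pushes in the window before an approval is suspicious
WINDOW = timedelta(minutes=10)  # assumed: how far back to count unanswered pushes


def parse_line(line):
    """Split one log line into (timestamp, user, event, source ip)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["user"], fields["event"], fields["src"]


def detect_mfa_fatigue(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert per approval that follows >= threshold pushes within `window`.

    A denial does not reset the count: "deny, deny, deny, approve" is exactly the
    sequence an exhausted user produces, so denials are part of the signal.
    """
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)  # user -> timestamps of push_sent events still inside the window
    alerts = []
    for ts, user, event, src in events:
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:
            pushes.popleft()  # drop pushes older than the window
        if event == "push_sent":
            pushes.append(ts)
        elif event == "push_approved":
            if len(pushes) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "pushes_in_window": len(pushes),
                    "src": src,
                })
            pushes.clear()  # an approval closes the episode either way
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"possible MFA fatigue: {alert}")
```

In practice this rule belongs in the SIEM next to the identity provider's push events, and an alert should trigger a callback to the user on a verified number rather than a ticket that sits until Monday. It is also worth noting that number-matching push prompts, where the user must type a code shown on the login screen, remove the "approve by reflex" step this detection is looking for, which is why many identity providers now make them the default.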

AI at the service of manipulation

Attackers use AI tools to personalize phishing messages at scale. The result is targeted emails — no spelling errors, references to the employee's name, role, company, and in some cases recent projects — generated automatically from publicly available information on LinkedIn and other sources.

AI-generated phishing emails recorded a 54% click-through rate in a recent academic study, compared to 12% for human-written messages (cited via Secureframe, secureframe.com). The gap is significant: attackers using AI are more than four times more likely to get a click.

The problem isn't that employees don't know phishing exists. It's that the message they receive in 2026 doesn't look like the example they saw in training in 2023. Standard awareness training teaches people to recognize one type of attack. Attackers update the attack.

The structural gap no password policy closes

Default credentials in SMBs aren't a knowledge problem. Behind them are onboarding processes that don't enforce a mandatory password change, policies that exist on paper but aren't applied, and no visibility into which credentials are still factory-set.

That's an organizational behavior problem. It doesn't get resolved with a reminder. It gets resolved with processes that make the correct behavior the easiest one to execute, and with metrics that surface when it isn't happening.

What standard training can't do

Most security awareness programs measure whether the employee completed the module. They don't measure whether the employee changed the behavior the module was trying to modify.

When an attacker calls an employee posing as IT support on a Friday afternoon, what determines the outcome isn't the completion rate on the last training course. It's whether that person has the habit and judgment to pause at an unexpected request, report it, and wait for confirmation through a verified channel.

That judgment doesn't come from an annual module. It comes from simulations that replicate real attack patterns, behavioral metrics that identify where individual blind spots are, and a learning system that intervenes at the right moment for each person.

Conclusion

World Password Day is a useful reminder. Changing weak passwords, not reusing them, enabling multi-factor authentication: these measures reduce the technical attack surface.

But the surface that grew fastest in 2024 and 2025 isn't technical. It's the surge in vishing, the AI-personalized emails that bypass the patterns employees were trained to spot, and the MFA fatigue attacks designed to exploit the moment a person stops paying attention.

The question worth asking today isn't whether your organization's employees have strong passwords. It's whether they know what to do when someone designs a situation to make them give those passwords away.
