Social engineering remains the leading entry point for breaches in 2026, and the tactics have shifted significantly: AI-generated phishing is now indistinguishable from legitimate communication at scale, deepfake audio and video are being used to impersonate executives in real time, and voice phishing (vishing) targeting help desks and finance teams has become one of the fastest-growing attack categories.
Effective prevention in 2026 requires layered technical controls, verification processes that do not rely on recognising "obvious" red flags, and training that reflects what these attacks actually look like now, not the phishing examples from five years ago.
Here is what has changed, why employees remain the primary target despite years of awareness training, and what actually reduces risk.
Why Do Employees Remain the Top Target?
Technical defences have genuinely improved. Email filtering, endpoint detection, and network segmentation are far more mature than they were a decade ago. Attackers have responded by going around those defences rather than through them, and the easiest way around a firewall is a person who clicks, approves, or transfers something voluntarily.
Social engineering works because it exploits trust, urgency, and authority, three things no technical control can fully patch. An employee who receives a message that appears to come from their CEO, marked urgent, asking for an immediate wire transfer, is responding to a social dynamic, not a technical vulnerability.
This is exactly why social engineering continues to account for the majority of successful breaches even as every other category of defence improves.
What Has Changed: Social Engineering Tactics in 2026
AI-Generated Phishing at Scale
The phishing email with obvious spelling mistakes and awkward phrasing is largely gone. Generative AI now allows attackers to produce grammatically perfect, contextually relevant, highly personalised phishing messages at a volume and quality that was previously only possible through manual, targeted spear phishing.
Attackers are also using AI to scrape publicly available information, LinkedIn profiles, press releases, and earnings calls to craft messages that reference real internal projects, real colleague names, and real organisational context, making the message far harder to dismiss as generic phishing.
Deepfake Audio and Video Impersonation
Voice cloning now requires only a few seconds of audio, often pulled from a public earnings call, conference talk, or social media video, to generate a convincing synthetic voice. Combined with real-time video deepfake tools, attackers can now impersonate executives in live phone calls and video meetings, not just in pre-recorded messages.
This tactic specifically targets the verification step many organisations rely on: "call them to confirm." If the call itself can be faked, that verification step no longer provides the assurance it once did.
Vishing Targeting Help Desks and Finance Teams
Voice phishing, or vishing, has become one of the fastest-growing attack categories specifically because it targets the human processes around password resets, MFA re-enrollment, and payment approvals. A common pattern: an attacker calls an IT help desk impersonating an employee, claims to have lost access to their MFA device, and convinces the help desk to reset access or re-enrol a new device under the attacker's control.
This tactic has been used in several high-profile breaches where the initial access point was not a technical vulnerability at all, but a help desk agent following a script that did not account for this scenario.
Business Email Compromise (BEC) Evolution
BEC has moved beyond simple invoice fraud. Current variants include attackers compromising a real vendor's email account and inserting themselves into an active, legitimate invoice conversation, making the fraudulent payment request appear as a continuation of a real business relationship rather than a new, suspicious message.
Multi-Channel Social Engineering Campaigns
Increasingly, attacks combine channels deliberately: an initial phishing email is followed by a phone call referencing that email, followed by a text message, all designed to build a false sense of legitimacy through repeated, consistent contact across different channels before the actual ask is made.
Why Traditional Awareness Training Is No Longer Enough?
Most organisations' security awareness training still centres on teaching employees to spot phishing red flags: spelling errors, suspicious links, urgent language, mismatched sender addresses. This training is not wrong, but it is increasingly insufficient against tactics specifically designed to eliminate those red flags.
Training that focuses on "spotting the fake" breaks down when the fake is genuinely indistinguishable, which is now common with AI-generated text and deepfake audio or video. The more durable defence is training employees on process, not pattern recognition: what verification steps are required regardless of how convincing a request appears, not whether a specific message looks suspicious.
Digisecuritas' Security Awareness Training programmes are built around current attack tactics, including AI-generated phishing and vishing scenarios, rather than outdated examples that no longer reflect what employees actually encounter.
What Actually Reduces Social Engineering Risk in 2026
Verification Processes That Do Not Rely on Recognition
For any high-risk action, financial transfers, access changes, or credential resets, the verification process should not depend on whether the request "feels right." It should require a specific, out-of-band verification step every time, regardless of who appears to be asking or how urgent the request seems.
Practical examples: a mandatory callback to a pre-verified phone number, never a number provided in the request itself, for any wire transfer above a defined threshold. A code word or secondary verification step for executive-initiated urgent requests. A policy that help desk staff cannot reset MFA based on a phone call alone, full stop, regardless of how convincing the caller is.
Technical Controls That Reduce the Attack Surface
Email authentication and filtering: DMARC, DKIM, and SPF configured correctly reduce domain spoofing, though they do nothing against compromised legitimate accounts or lookalike domains, which remain common.
Phishing-resistant MFA: Traditional SMS and push-based MFA can be defeated through social engineering and MFA fatigue attacks. Phishing-resistant methods such as FIDO2 hardware keys remove the human approval step that vishing and MFA fatigue attacks rely on.
Privileged access controls: Limiting who can approve high-value financial transactions or access changes, and requiring multi-person approval for the highest-risk actions, reduces the impact of any single employee being successfully targeted.
Digisecuritas' Identity and Access Management practice implements phishing-resistant authentication and privileged access controls specifically designed to limit what a successful social engineering attempt can actually achieve.
Simulated Phishing and Vishing Exercises
Running realistic, current phishing and vishing simulations, not generic templated tests, gives organisations actual data on where their human risk sits, rather than assuming awareness training has worked. The goal is not to catch employees out, but to identify which teams or processes need additional support before a real attacker finds the same gap.
This is also where organisations benefit from testing that goes beyond email, since vishing and deepfake-based impersonation require a different simulation approach than a standard phishing test. Our overview of red team exercises covers how multi-vector social engineering testing fits into a broader security validation programme.
Incident Reporting Culture
Employees need a fast, low-friction way to report a suspicious message or call, and a culture where reporting a near-miss is treated as valuable, not embarrassing. The single biggest factor in containing a successful social engineering attempt quickly is how fast it gets reported, which depends entirely on whether employees feel safe reporting it.
A Practical Starting Checklist
- Verification process for high-value financial transactions that does not rely on caller recognition
- Help desk policy explicitly prohibiting MFA resets or access changes based on phone verification alone
- Phishing-resistant MFA deployed for privileged accounts and finance systems at minimum
- DMARC, DKIM, and SPF correctly configured and enforced, not just monitoring
- Security awareness training updated within the last 12 months to reflect AI-generated phishing and vishing tactics
- A simulated phishing or vishing exercise run within the last 12 months
- A fast, clearly communicated process for employees to report suspicious contact
- Multi-person approval required for wire transfers above a defined threshold
Conclusion
The shift toward AI-generated phishing, deepfake impersonation, and vishing is not a future risk to plan for eventually. It is the current operating environment, and the organisations being targeted successfully right now are not, in most cases, organisations without any security awareness training. They are organisations whose training and verification processes have not caught up to what these attacks actually look like in 2026.
The fix is not more frequent training on the same content. It is updating what employees are trained to recognise, and building verification processes that hold up even when the attack is genuinely convincing.
Digisecuritas helps organisations modernise security awareness training and build verification processes that withstand AI-driven social engineering.
Book a Discovery Call to assess where your organisation's human risk actually sits.
Frequently Asked Questions
How common are deepfake-based social engineering attacks right now?
They remain less common than email-based phishing and vishing in raw volume, but they are growing quickly and have already been used in several large-scale financial fraud incidents. Their disproportionate impact, given the size of losses in confirmed cases, makes them a priority risk despite lower frequency than email phishing.
What is vishing and why is it growing so fast?
Vishing is voice-based phishing, typically targeting help desks, finance teams, or employees directly by phone. It is growing because it specifically targets human verification processes around password resets and account access, which are often less rigorously controlled than technical security measures.
Can phishing-resistant MFA actually stop social engineering attacks?
It significantly reduces the impact of social engineering targeting authentication, since methods like FIDO2 hardware keys cannot be approved by a tricked employee the way push-notification MFA can. It does not address social engineering aimed at other actions, such as wire transfer fraud, which requires separate verification controls.
How often should security awareness training be updated?
At minimum annually, though given how quickly AI-generated phishing and deepfake tactics are evolving, organisations should review and refresh training content at least every six months to ensure it reflects current attack patterns rather than outdated examples.
Is BEC still a major risk if employees are trained to spot phishing?
Yes. Modern BEC variants, including compromised vendor account takeovers inserted into legitimate ongoing conversations, are specifically designed to look identical to a genuine business communication. Training to spot phishing red flags does not address this variant, which is why process-based verification for financial transactions matters more than recognition-based training alone.
