It's 9:00 AM on a Tuesday. Your CFO just authorized a $50,000 wire transfer after receiving a frantic call from "the CEO", or so he thought. The voice had to be the CEO's, right? The cadence was perfect. The urgency was palpable. The only problem? The CEO was nowhere near a phone when the call happened.
This isn't science fiction. In early 2024, a finance worker at British engineering firm Arup transferred $25 million to fraudsters after joining a video call with what appeared to be his company's CFO and several colleagues. Every face on the screen looked real. Every voice matched. But every person on that call, except the victim, was an AI-generated deepfake.
These are the threats your security awareness training must now address, and the traditional playbook won't prepare your employees for any of them.
AI-powered phishing uses large language models to generate flawless, personalized phishing emails at scale. These attacks eliminate the grammatical errors and generic content that employees were traditionally trained to spot, making them significantly harder to detect.
For years, the standard advice was simple: look for typos, watch for awkward phrasing, and be suspicious of anything that doesn't "sound right." That advice is now dangerously obsolete.
Generative AI has handed attackers a capability that previously required significant skill and time: the ability to produce flawless, contextually aware, highly personalized phishing messages in seconds. According to Sift's Q2 2025 Digital Trust Index, over 82% of phishing emails now incorporate AI-generated content, allowing fraudsters to craft convincing lures up to 40% faster than before.
The impact is measurable. Research comparing AI-generated phishing with human-crafted versions found that AI-generated emails achieved a 54% click-through rate compared to just 12% for traditionally written phishing messages. That's not a marginal improvement; it's a fundamental shift in attacker effectiveness.
What makes AI phishing particularly dangerous is its ability to scale personalization. Previously, a highly targeted spear-phishing attack required an attacker to manually research a victim, craft a custom message, and send it individually. Now, large language models can ingest publicly available information (LinkedIn profiles, company announcements, social media posts) and automatically generate hundreds of unique, contextually relevant messages.
A manufacturing company's procurement team receiving emails that reference their actual vendor relationships and recent purchase orders isn't a hypothetical. It's happening now. And those emails are nearly indistinguishable from legitimate correspondence.
Deepfake audio uses AI to clone a person's voice from just seconds of sample audio. Attackers use this technology for voice phishing (vishing) attacks, impersonating executives to request wire transfers, credential changes, or access to sensitive systems.
The Arup case wasn't an anomaly. Deepfake fraud attempts have increased by over 3,000% since 2022, and the technology required to execute these attacks has become remarkably accessible. An attacker can now clone a voice with reasonable accuracy from just a few seconds of sample audio, the kind readily available from earnings calls, conference presentations, YouTube videos, or even voicemail greetings. If an executive's voice is public, assume it can be cloned.
This capability has transformed voice phishing, or "vishing," from a relatively crude attack vector into one of the most dangerous social engineering threats facing organizations. CrowdStrike observed a 442% increase in vishing incidents between the first and second half of 2024 alone.
The attack pattern is straightforward but devastating:
What makes these attacks so effective is that they exploit one of our most fundamental trust signals. We've spent our entire lives using voice recognition as identity verification. The sound of a familiar voice triggers an automatic trust response that's difficult to override, even when we intellectually understand the technology exists to fake it.
Quishing (QR code phishing) is a social engineering attack where malicious links are embedded in QR codes. When victims scan these codes, typically received via email or found in physical locations, they're directed to credential-harvesting sites or prompted to download malware.
QR codes have become ubiquitous: restaurant menus, parking meters, authenticator-app enrollment, conference badges. This ubiquity is precisely what makes quishing such an effective attack vector. We've been trained to scan codes without thinking, and attackers are exploiting that conditioned behavior.
The growth has been staggering. Analysis from multiple security firms shows quishing incidents have increased roughly 14-fold over the past five years, with the APWG recording over one million phishing attacks in Q1 2025 alone, a significant portion involving QR codes.
The attack works by replacing or augmenting traditional phishing links with QR codes. An employee receives an email that appears to be from IT, HR, or a trusted vendor, instructing them to scan a code to re-authenticate their account, access a document, or complete required training. The code leads to a credential harvesting page that looks identical to a legitimate login screen.
What makes quishing particularly insidious is that it shifts the attack from a managed corporate device to an employee's personal phone, often outside the reach of the email gateway, web proxy, and endpoint tooling that would have inspected an ordinary link. The URL isn't visible until after the code is scanned, and even then it appears on a small mobile screen where subtle indicators of fraud (a look-alike domain, a URL shortener, a decoy hostname before an @ sign) are easy to miss.
Physical quishing attacks are also increasing. Attackers place malicious QR codes over legitimate ones on parking meters, restaurant tables, public advertisements, and even inside office buildings.
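Because the destination is hidden until the code is decoded, the practical control is to inspect the decoded payload before anyone opens it (many phone camera apps preview it; a mail gateway can decode inline images). The following is an added example, not code from the original article or from any product it mentions: it assumes the QR image has already been decoded to a string by some decoder (for instance zbar) and that IT re-authentication only ever happens on the hosts listed in the placeholder allowlist. The host names and the sample payloads are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example (placeholders, not real infrastructure):
# the only hosts IT ever uses for "please re-authenticate" flows.
APPROVED_LOGIN_HOSTS = {"login.example-corp.com"}
# Common public shorteners: they hide the real destination behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def inspect_qr_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload should not be opened.

    An empty list means the payload is a web link to an approved login host.
    """
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # WIFI:, tel:, mailto:, data: and similar payloads are not web links at all
        # and should never appear in an "re-authenticate your account" lure.
        return [f"non-web payload scheme '{scheme or 'none'}'"]
    if scheme == "http":
        findings.append("plaintext http")

    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # 'https://login.real-vendor.com@evil.example/' shows the trusted name first on a
        # phone screen; the browser actually connects to the host after the '@'.
        findings.append("userinfo in authority hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("IP-literal host")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")
    if host in SHORTENERS:
        findings.append("URL shortener hides destination")
    if host not in APPROVED_LOGIN_HOSTS:
        findings.append("not an approved login host")
    return findings


# Constructed sample payloads, as a decoder would return them.
SAMPLE_PAYLOADS = {
    "legitimate": "https://login.example-corp.com/reauth?session=abc",
    "shortener": "https://bit.ly/3xyzabc",
    "ip_literal": "http://203.0.113.10/m365/login",
    "decoy_userinfo": "https://login.microsoftonline.com@evil.example/verify",
    "punycode": "https://login.xn--exmple-corp-9za.com/login",
    "wifi_config": "WIFI:T:WPA;S:FreeGuest;P:password123;;",
}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        verdict = inspect_qr_payload(payload)
        print(f"{name:15} {'ALLOW' if not verdict else 'BLOCK'}  {verdict}")
```

The allowlist is the check that matters most: an employee told by "IT" to scan a code and re-authenticate should only ever land on a host the organization actually uses for that purpose, and everything else is a block regardless of how the page looks. The other heuristics catch the tricks that survive a glance at a phone screen (decoy userinfo, shorteners, punycode, raw IP addresses).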
For a broader overview of critical topics your program should address, see our guide to the 10 critical security awareness topics every employee should know.
Smishing (SMS phishing) uses text messages to trick victims into clicking malicious links or revealing sensitive information. Modern smishing attacks leverage data from previous breaches to craft highly personalized messages that reference victims by name, bank, or employer.
Text message phishing isn't new. But the sophistication and targeting of these attacks has evolved dramatically. What was once a spray-and-pray tactic, generic "your package is delayed" messages sent to millions, has become a precision instrument.
Modern smishing campaigns leverage data from previous breaches to craft highly personalized messages. An attacker who purchases leaked data knows your name, your bank, your employer, and possibly your recent transactions. A text message that reads "Hi [your name], your [actual bank] account has been flagged for unusual activity" is far more convincing than a generic alert.
The FBI's Internet Crime Complaint Center (IC3) continues to rank phishing and smishing among the most reported cybercrimes, with SMS-based attacks accounting for an increasing share of social engineering incidents. The personal, immediate nature of text messages, and the fact that most people don't have spam filters on their phones, makes this channel particularly effective.
Business Email Compromise (BEC) involves attackers compromising or spoofing legitimate business email accounts to request fraudulent wire transfers, redirect payroll, or steal sensitive data. BEC attacks caused $2.77 billion in reported losses in 2024, more than any other form of social engineering.
While AI-powered phishing and deepfakes capture headlines, BEC remains the single most financially damaging form of social engineering. The FBI's IC3 reported that BEC attacks resulted in $2.77 billion in losses in 2024 alone, dwarfing ransomware losses.
What makes BEC particularly dangerous is that it often involves no malware, no malicious links, and no attachments: just a convincing email from what appears to be a trusted source requesting a normal business transaction. Security tools focused on detecting malicious payloads are essentially blind to these attacks. DMARC enforcement stops exact spoofing of your own domain, but it does nothing against a look-alike domain, a free-mail account carrying an executive's display name, or a genuinely compromised supplier mailbox, which is where most BEC now lives.
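Since there is no payload to detonate, what a mail filter or a SOC analyst can still examine is the envelope: who the message claims to be from, where replies would actually go, and whether the wording carries the urgency and secrecy that BEC lures rely on. The following is an added example and not code from the original article or from any vendor it cites; the corporate domain, the protected executive names, and both sample messages are placeholders constructed for the example, and it handles single-part messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (placeholders): the organization's mail domain and the
# display names most likely to be impersonated in a CEO-fraud lure.
CORP_DOMAIN = "example-corp.com"
PROTECTED_NAMES = {"jane doe", "john smith"}

# Pressure language typical of BEC: urgency, secrecy, and payment instructions.
PRESSURE = re.compile(
    r"\b(urgent|asap|keep this between us|confidential|gift cards?|wire)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch look-alike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """A domain within two edits of ours, but not ours, is a typosquat candidate."""
    return domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 2


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list = none found)."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # A protected display name on a non-corporate mailbox is the classic CEO-fraud pattern:
    # the phone's mail client shows "Jane Doe", not the gmail.com address behind it.
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain != CORP_DOMAIN:
        findings.append("display-name impersonation")
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain")

    # A Reply-To that differs from the sender silently redirects the whole conversation.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain mismatch")
    if reply_domain and is_lookalike(reply_domain):
        findings.append("lookalike reply-to domain")

    # Single-part messages only: get_payload() returns the body as a string here.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if PRESSURE.search(text):
        findings.append("urgency or secrecy language")
    return findings


# Constructed sample messages (not real mail). The first is a textbook CEO-fraud lure.
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
Reply-To: "Jane Doe" <j.doe@examp1e-corp.com>
To: ap@example-corp.com
Subject: Quick favor - urgent wire today

Are you at your desk? I need a wire sent before 3pm, keep this between us.
"""

SAMPLE_CLEAN = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Q3 vendor review

Please send me the Q3 vendor list when you have a minute.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_BEC), ("clean", SAMPLE_CLEAN)):
        print(label, analyze(raw))
```

None of these indicators is proof on its own (executives do occasionally mail from personal accounts), which is why the output is a list of findings for a human or a scoring rule rather than a verdict. In production you would also read the Authentication-Results header for SPF, DKIM and DMARC alignment, and treat a first-time sender domain asking for a payment change as a finding in itself; the point the example makes is that a message with no link and no attachment still leaves plenty to inspect.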
The classic example remains the "CEO gift card" scam, where employees receive messages apparently from executives asking them to purchase gift cards for a client event or employee recognition. But BEC has evolved well beyond gift cards. Sophisticated attackers now target:
An insider threat is a security risk that originates from within the organization, either from malicious employees who intentionally abuse access, or negligent employees whose mistakes create vulnerabilities.
Not every threat comes from outside your organization. The Tesla data leak of 2023 exposed 75,000 personnel records, not because hackers breached their systems, but because two disgruntled former employees abused their legitimate access to steal and leak data to foreign journalists.
The challenge with insider threats is that they bypass most traditional security controls. An employee with legitimate access to sensitive data doesn't need to hack anything, they simply download, copy, or share information they're already authorized to view.
For more on this topic, see our detailed guide: What is an Insider Threat? A Guide for Businesses.
Understanding the threats is essential, but it's only half the equation. The other half is recognizing that traditional security awareness training (annual compliance sessions with generic content) is fundamentally inadequate for this threat landscape.
Research consistently shows that continuous training dramatically outperforms annual sessions. Organizations implementing ongoing awareness programs see phishing susceptibility drop by over 40% within 90 days and up to 86% within a year. Annual training shows little meaningful long-term impact on employee behavior.
The reason is simple: the forgetting curve is real. Within days of completing training, employees begin losing the specific knowledge they gained. Within weeks, retention drops precipitously. By the time the next annual session arrives, most employees are essentially starting from scratch.
Building this kind of program requires moving beyond checkbox compliance toward genuine security culture, an environment where employees understand they're an essential part of the security team, not just potential liabilities.
The threats facing your organization in 2026 are more sophisticated, more scalable, and more convincing than anything we've seen before. AI has fundamentally shifted the balance of power toward attackers, giving them capabilities that previously required significant skill and resources.
But the underlying vulnerabilities these attacks exploit haven't changed. They still rely on urgency, authority, fear, and trust. They still target employees who haven't been trained to recognize manipulation. They still succeed when verification procedures don't exist or aren't followed.
Your employees remain your primary attack surface, and your most important defense. The question isn't whether they'll encounter deepfake audio, AI-generated phishing, or sophisticated QR code attacks. They will. The question is whether they'll be prepared to recognize and respond appropriately when it happens.
That preparation doesn't come from a single training session or a compliance checkbox. It comes from building an organization where security awareness is continuous, where simulations reflect actual threats, where reporting is encouraged, and where every employee understands their role in protecting the organization.
The attackers are using AI to scale their operations. Your human firewall needs to scale too.
The most critical threats for 2026 include AI-powered phishing (which now accounts for over 82% of phishing emails), deepfake audio and video used for vishing attacks, QR code phishing (quishing), sophisticated SMS phishing (smishing), and Business Email Compromise. These threats exploit human trust rather than technical vulnerabilities, making employee training essential.
AI has eliminated the traditional red flags employees were taught to look for, poor grammar, awkward phrasing, and generic content. Attackers can now generate flawless, highly personalized phishing messages in seconds. Studies show AI-generated phishing emails achieve click-through rates of 54% compared to just 12% for traditionally crafted messages.
Quishing is phishing conducted through malicious QR codes. Attackers embed harmful links in QR codes sent via email or placed in physical locations. When scanned, these codes direct victims to credential-harvesting sites or trigger malware downloads. Quishing is particularly dangerous because it shifts the attack to personal mobile devices, often bypassing corporate security tools, and the malicious URL isn't visible until after the code is scanned.
While deepfake audio can be highly convincing, employees should watch for manipulation patterns rather than audio quality. Red flags include extreme urgency, requests for secrecy, pressure to bypass normal procedures, and any request involving financial transactions or sensitive data. The safest response is to hang up and verify the request through a separate channel: call the person back at a number already on file (never one supplied by the caller or in the message), or confirm in person. Payment and credential changes should additionally require a second approver, so that no single convinced employee can complete the transaction alone.
The most prevalent social engineering tactics in 2026 exploit psychological triggers: urgency (act now or face consequences), authority (impersonating executives or IT), fear (your account is compromised), and trust (appearing to come from known contacts or brands). AI has made these tactics more effective by enabling attackers to personalize messages at scale and eliminate the grammatical errors that once served as warning signs.
Annual training is insufficient for addressing modern threats. Research shows continuous training, monthly micro-learning modules combined with regular phishing simulations, reduces susceptibility by up to 86% within a year, while annual training shows minimal long-term impact on behavior. Effective programs deliver short, frequent touchpoints rather than infrequent marathon sessions.