Book a meeting
Cart
Register
Sign in

AI-powered Social Engineering in 2026 (and what 2025 taught us)

Social engineering didn’t suddenly become dangerous because of AI. What changed in 2025 was friction. The signals defenders relied on for years, like tone, wording, familiarity, even voice, became cheap to replicate at scale.

 

As we move into 2026, the question is no longer whether AI will be used in social engineering, but how deeply it will integrate into everyday workflows, approvals, and identity assumptions. The following observations aren’t predictions for a distant future; they’re patterns already emerging from real incidents, reporting, and defensive telemetry, now accelerating.

 

 

What’s changing in 2026: Four shifts defenders can’t ignore

Below is a breakdown of how these components come together, why they matter, and how they help organizations extract the maximum value from their HTB investment.


1) Real-time deepfake “conversations” become routine
In 2025, many deepfake incidents were “point-in-time”, a short audio clip, a convincing video, a one-off lure. In 2026, expect more interactive deepfakes: calls where the attacker’s voice responds naturally, adapts to objections, and mirrors the cadence of a known executive.

 

That change matters because most organizations still verify identity using cues AI can mimic, like voice and writing style. This is where the phrase “trust but verify” stops being cute and becomes mandatory operations.

 

2) AI turns BEC into “workflow compromise”
BEC (Business Email Compromise) isn’t new, but it’s still painfully lucrative. The FBI’s 2024 IC3 annual report (released publicly) shows internet crime losses exceeding $16B overall. Federal Bureau of Investigation And social-engineering-enabled fraud remains central to that ecosystem.

In 2026, the bigger shift will be where the compromise happens:
Not just the email thread —> the invoice workflow
Not just the CFO—> the AP clerk + vendor onboarding process
Not just “change the bank details”—> “change the policy exception that allows the change”

 
Attackers will aim to compromise approval logic, not just people.

 

3) “Synthetic familiarity” will beat traditional awareness training
Most awareness training is still anchored in outdated cues (“hover over the link,” “watch for spelling mistakes”). The problem: AI removes those cues.

In 2026, the most effective attacks won’t look suspicious, they’ll look routine. They’ll mimic:
ticketing templates
internal HR language
vendor communications
meeting follow-ups

 
Which means training needs a new goal: teaching people to pause on high-risk actions, not to spot “bad writing.”

4) Social engineering will converge with credential theft and session hijacking

Social engineering will increasingly be the front-end for technical takeover: steal session cookies, abuse OAuth consent, capture MFA tokens, and exploit helpdesk workflows.

Microsoft’s 2025 reporting explicitly frames adversaries using AI as a multiplier across phishing and deepfake generation, and emphasizes the need for authenticated comms and anomaly detection in communication patterns. Microsoft+1 The direction of travel is clear: persuasion gets the victim to do one small action; automation completes the compromise.

 

 

 

 

What defenders should do now (without turning into conspiracy theorists)

 

1. High-risk action” controls beat “spot the phishing”
Treat certain actions like financial controls:

  • changing bank details
  • adding new payees
  • resetting MFA or approving device enrollment
  • granting admin privileges
  • sharing sensitive files externally

 
Implement out-of-band verification (call-back numbers from known directories, not the email signature), and require two-person integrity for the highest-risk changes.

 

➜ 2. Add authenticity to communication, not just security to endpoints
If your execs can approve payments via chat, your attackers will too. Practical steps:

  • Verified internal comms channels for approvals
  • Approved “signing” mechanisms for sensitive requests (even simple workflow signatures help)
  • Clear rules: “No payment changes via email/chat—ever”

 

This aligns with Microsoft’s emphasis on authenticated communication channels as a counter to AI-augmented social engineering. Microsoft

 

➜ 3. Instrument the human layer
This sounds abstract, but it isn’t. Your security stack should detect:

  • unusual communication patterns (first-time contact, unusual time, unusual wording for that person)
  • sudden urgency language + finance keywords
  • helpdesk reset spikes
  • mass QR redirects or new shortened links
Microsoft notes the scale required to fight this class of threat, citing massive fraud disruption and bot-driven sign-up blocking as part of modern defense needs. Microsoft

 

➜ 4. Run “deepfake tabletop exercises” like you mean it
Most organizations tabletop ransomware. Fewer tabletop:

  • “CEO voice note asks AP to reroute payment”
  • “HR receives a video call to ‘verify’ identity documents”
  • “Helpdesk gets a live call from ‘IT leadership’ demanding an emergency reset”
This isn’t theater. It’s rehearsal for the moment when stress hits and your policies evaporate.

 

 

 

The uncomfortable conclusion

AI hasn’t invented social engineering. It has simply removed the friction. And once friction is removed, you get scale: more attempts, better targeting, more channels, and fewer obvious tells. When AI-driven phishing is reported as materially more effective and breach patterns still heavily involve the human element, the conclusion isn’t “train harder.” It’s “design systems where trust isn’t a single point of failure.” Microsoft
2026 is likely to reward organizations that do two things well:
  1. make high-risk actions boringly hard to do fast
  2. assume every identity signal can be faked, and build verification accordingly

 

That’s not paranoia. That’s modern operations.
SHARE:

Syllabus:

Intro to GCP

  • GCP Hierarchy
  • Google Workspace
  • gcloud config
  • Basic Hacking Techniques

Exploitation of GCP Services

  • IAM
  • KMS
  • Secrets 
  • Storage
  • Compute Instances & VPC
  • Cloud Functions
  • CloudSQL
  • Pub/Sub
  • App Engine
  • Google APIs
  • Cloud Shell

Methodologies

  • White box

Security Services

  • GCP Logging & Monitoring

Syllabus:

Intro to AWS

  • AWS Organization
  • AWS Principals
  • Basic Hacking Techniques

Exploitation of AWS Services

  • IAM
  • STS
  • KMS
  • Secrets Manager
  • S3
  • EC2 & VPC
  • Lambda
  • RDS
  • SQS
  • SNS

Methologies

  • White box

Common Detection Mechanisms

  • CloudTrail

Syllabus:

Azure Basics

  • Azure Organization
  • Entra ID
  • Azure Tokens & APIs
  • Basic Enumeration Tools

 

Exploitation of Azure Services

  • Entra ID IAM
  • Azure IAM
  • Azure Applications
  • Azure Key Vault
  • Azure Virtual Machine & Networking
  • Storage Accounts
  • Azure File Share
  • Azure Table Storage
  • Azure SQL Database
  • Azure MySQL & PostgreSQL
  • Azure CosmosDB
  • Azure App Service
  • Basic Azure Research Technique
  • Azure Function Apps
  • Static Web Apps
  • Azure Container Registry
  • Azure Container
  • Instances, Apps & Jobs
  • Azure Queue
  • Azure Service Bus
  • Azure Automation Account
  • Azure Logic Apps
  • Azure Cloud Shell
  • Azure Virtual Desktop

 

Methologies

  • White box
  • Black box
  • Pivoting between Entra ID & AD

 

Common Detection Mechanisms

  • Azure & Entra ID Logging & Monitoring
  • Microsoft Sentinel
  • Microsoft Defender for Cloud & Microsoft Defender EASM

Fundamentals and Setup

  1. Overview of Android’s architecture and ecosystem dynamics.
  2. Exploration of security features native to Android using Java, Kotlin, C++, and Rust.
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How do we secure and test cross platform apps (e.g. ReactNative, Xamarin, etc).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on Android.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including certificate validation and pinning.
  • Cryptography in Android apps
    a) Utilization of Android’s Crypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of biometrics.
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
  • Android IPC
    a) Detailed exploration of Intents, deep links, Binders/services, and broadcast receivers.
  • Webviews
    a) Identifying and resolving common security issues in Android Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an Android app.
    b) Identifying known vulnerabilities within these components.
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including App Transport Security issues & certificate pinning.
  • Cryptography in IOS apps
    a) Utilization of iOS’s CryptoKit & CommonCrypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys and leveraging the secure enclave.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of Local Authentication (biometrics).
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
    d) Using Device Check and App Attest
  • iOS IPC
    a) Detailed exploration of URL schemes, deep (universal) links, and extensions.
  • Webviews
    a) Identifying and resolving common security issues in iOS Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an iOS app.
    b) Identifying known vulnerabilities within these components.
  • Implementing App Integrity
    a) What to look for
    b) How to implement
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Fundamentals & Setup

  1. Overview of iOS’s architecture and ecosystem dynamics.
  2. Exploration of security features native to to iOS using Objective-C, Swift, and C(++).
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How do we secure and test cross platform apps (e.g. ReactNative, Xamarin, etc).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in iOS code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on iOS.