Social Engineering in 2026: The 5 Newest Tactics


Nexus-7 Security Team
· February 23, 2026 12:25 · 5 min read

Social engineering is as old as humanity itself, but the tactics are evolving at breakneck speed. In 2026, we see attacks so sophisticated that even trained security professionals fall for them. Cybercriminals combine artificial intelligence with deep psychological manipulation to deceive employees, gain access and compromise organisations.

These are the five newest social engineering tactics your organisation needs to watch for.

1. AI-generated phishing: indistinguishable from the real thing

The days of phishing emails with spelling mistakes and odd translations are over. Modern attackers use large language models to generate perfect, context-aware phishing messages. These AI tools analyse the target's LinkedIn profile, recent company news and even the writing style of colleagues to create messages that are virtually indistinguishable from genuine communications.

A CFO receives an email that exactly mimics the CEO's writing style, references an actual acquisition that was in the news last week, and requests an urgent wire transfer. The email contains no attachments, no links — just a convincing request. This is not science fiction; this happens daily.

The problem is scale. Where a human attacker might craft ten convincing emails per day, AI generates thousands. Each personalised, each credible.

2. Deepfake voice: the CEO on the phone

Voice cloning technology has reached a point where three seconds of audio are sufficient to create a convincing copy of someone's voice. Attackers use publicly available material — podcasts, YouTube videos, conference recordings — to clone the voices of executives and managers.

The attack follows a proven pattern: a finance department employee receives a call from what sounds like the director. The voice is recognisable, the tone is urgent, and the request seems reasonable. "I'm in a meeting and can't email, but can you process this payment today?"

In 2025, a deepfake voice attack cost a Hungarian company €35 million. The employee who authorised the payment was convinced they were speaking with their CEO. Verification protocols — such as a callback arrangement via a fixed number — are no longer optional but essential.

3. QR phishing (quishing): the invisible link

QR codes are everywhere: from restaurant menus to parking meters. Attackers gratefully exploit this. Quishing — phishing via QR codes — bypasses traditional email security filters because the malicious URL is hidden in an image rather than as a clickable link.

The tactic is simple but effective. An employee receives an email that appears to come from IT or HR: "Scan this QR code to reset your MFA" or "Scan for the new parking policy." The QR code leads to a convincing fake website that harvests login credentials.

Physical variants are equally dangerous. Attackers place fake QR stickers over existing codes on parking machines, in office lobbies, or even on business cards at networking events. The physical component gives the attack an extra layer of credibility.
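To make the "hidden in an image" point concrete, here is a triage heuristic for inbound mail of the kind described above. It is an added example, not code from Nexus-7 or the original article; it uses only the Python standard library, the sample messages are constructed, and it assumes a downstream step (not implemented here) that actually decodes the QR image and checks the extracted URL once a message is quarantined.

```python
"""Triage heuristic for QR-code phishing ("quishing") emails.

Added example for this article, not code from Nexus-7 or the original post.
Standard library only; the sample messages are constructed. The actual QR
decoding and URL check are assumed to run downstream of a "quarantine" verdict.
"""
import re
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Lure phrases of the kind the article describes (constructed list, lowercase).
LURE_PATTERNS = [
    r"\bscan\b.{0,40}\bqr\b",
    r"\bqr[- ]?code\b",
    r"\breset your mfa\b",
    r"\bparking policy\b",
]
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def triage_quishing(raw_message: str) -> dict:
    """Return a verdict for one RFC 5322 message: deliver, review or quarantine."""
    msg = message_from_string(raw_message)
    image_parts, text_chunks = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts.append(part.get_filename() or ctype)
        elif ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text_chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = " ".join(text_chunks)
    body_lc = body.lower()

    lures = [p for p in LURE_PATTERNS if re.search(p, body_lc)]
    has_url = bool(URL_RE.search(body))
    reasons, score = [], 0

    # An image plus "scan this" wording is the quishing signature itself.
    if image_parts and lures:
        score += 2
        reasons.append("image part combined with scan/QR lure wording")
    # A call to action with no clickable link means the action lives in the
    # image, which is exactly what URL-based filters never inspect.
    if image_parts and lures and not has_url:
        score += 1
        reasons.append("no URL in body: the link is only inside the image")
    # Reply-To pointing somewhere other than From is a classic pretext indicator.
    reply_domain = (msg.get("Reply-To") or "").rsplit("@", 1)[-1].strip("> ").lower()
    from_domain = (msg.get("From") or "").rsplit("@", 1)[-1].strip("> ").lower()
    if reply_domain and from_domain and reply_domain != from_domain:
        score += 1
        reasons.append("Reply-To domain differs from From domain")

    verdict = "quarantine" if score >= 3 else "review" if score >= 1 else "deliver"
    return {"verdict": verdict, "score": score, "reasons": reasons,
            "image_parts": image_parts, "has_url": has_url}


def build_sample_quishing() -> str:
    """Constructed message in the shape the article describes."""
    m = MIMEMultipart()
    m["From"] = "IT Helpdesk <helpdesk@example-it-support.invalid>"
    m["To"] = "employee@example.invalid"
    m["Subject"] = "Action required: reset your MFA"
    m.attach(MIMEText("Scan this QR code with your phone to reset your MFA before Friday.", "plain"))
    # Placeholder bytes stand in for a real PNG; the image content is irrelevant here.
    img = MIMEImage(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, _subtype="png")
    img.add_header("Content-Disposition", "inline", filename="qr.png")
    m.attach(img)
    return m.as_string()


def build_sample_newsletter() -> str:
    """Constructed benign message: same topic, but a normal link and no image."""
    m = MIMEText("The new parking policy is published at https://intranet.example.invalid/parking", "plain")
    m["From"] = "Facilities <facilities@example.invalid>"
    m["To"] = "employee@example.invalid"
    m["Subject"] = "New parking policy"
    return m.as_string()


if __name__ == "__main__":
    for raw in (build_sample_quishing(), build_sample_newsletter()):
        print(triage_quishing(raw))
```

The scoring deliberately keys on the combination of an image part, lure wording and the absence of any URL: that combination is what a link-scanning filter has no signal for, so the cheap check here only decides which messages are worth the more expensive QR decode.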

4. LinkedIn pretexting: the long game

LinkedIn is a goldmine for social engineers. Not only because of the wealth of professional information but also because the platform fosters a culture of trust and networking. Attackers patiently exploit this through prolonged pretexting campaigns.

The scenario: a "recruiter" from a reputable company sends a connection request. After weeks of casual conversation and trust-building, a request follows to complete a "technical assessment" — in reality malware disguised as a test environment. Or they ask for confidential information about "comparable roles and salaries in the sector."

These attacks specifically target IT staff, system administrators and C-level executives. The patience factor makes them particularly difficult to detect: by the time the malicious request arrives, the relationship already feels trusted.

5. Supply chain social engineering: through the back door

Why force the front door when the back door is open? Supply chain social engineering targets not your organisation but your suppliers, partners and service providers — the links with access to your systems.

An attacker compromises a supplier's email account and sends a message from that account to your procurement department: "We have changed our bank account number. Here are the new details." The message comes from a known and trusted address, references existing contracts and feels completely normal.

The NIS2 directive explicitly recognises this risk. Supply chain responsibility is a core principle: organisations must not only have their own security in order but also monitor that of their suppliers and impose requirements where necessary.
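The callback arrangement from section 2 and the bank-detail change from this section are the same control: nothing inside the request is trusted for verification. The following is an added example of that control, not code from Nexus-7 or the original article; all vendor records and requests are constructed, and the IBAN used for the vendor on file is the public NL example value.

```python
"""Out-of-band verification for supplier bank-detail changes and urgent payments.

Added example, not code from Nexus-7 or the original article. It models the
control behind sections 2 and 5: the callback number comes from the vendor
master record, never from the message, and a request that offers its own
confirmation number is flagged. All vendor data and requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check. Catches typos only; a fraudster's account
    passes this check just as well, so it never replaces the callback."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]                     # move country code + check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)   # A=10 ... Z=35
    return int(digits) % 97 == 1


@dataclass
class VendorRecord:
    vendor_id: str
    name: str
    bank_account: str      # set at onboarding
    callback_phone: str    # verified at onboarding; the only number ever dialled
    sender_domain: str


# Constructed vendor master data (the IBAN is the public NL example value).
VENDOR_MASTER = {
    "V-1001": VendorRecord("V-1001", "Acme Components B.V.", "NL91ABNA0417164300",
                           "+31 20 000 0001", "acme-components.invalid"),
}


@dataclass
class ChangeRequest:
    vendor_id: str
    sender_email: str
    new_bank_account: str
    phone_in_message: Optional[str] = None   # "confirm on this number" inside the mail


@dataclass
class Decision:
    action: str                       # "no_change" | "reject" | "hold_for_callback"
    callback_to: Optional[str] = None
    reasons: list = field(default_factory=list)


def evaluate_change_request(req: ChangeRequest, master=VENDOR_MASTER) -> Decision:
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return Decision("reject", reasons=["unknown vendor id"])
    new_acct = req.new_bank_account.replace(" ", "").upper()
    if new_acct == vendor.bank_account:
        return Decision("no_change", reasons=["account already on file"])
    if not iban_checksum_ok(new_acct):
        return Decision("reject", reasons=["new account fails IBAN checksum"])
    reasons = ["bank account differs from master record; callback required"]
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.sender_domain:
        reasons.append(f"sender domain {sender_domain} is not the on-file {vendor.sender_domain}")
    if req.phone_in_message:
        reasons.append("message supplies its own confirmation number; not used")
    # A matching sender domain proves nothing: the article's scenario is a
    # compromised supplier mailbox, so the hold applies either way.
    return Decision("hold_for_callback", vendor.callback_phone, reasons)


def callback_confirms_change(req: ChangeRequest, decision: Decision,
                             number_dialled: str, account_read_back: str) -> bool:
    """True only if the callback went to the master-record number and the
    person reached read back exactly the account in the request."""
    return (decision.action == "hold_for_callback"
            and number_dialled == decision.callback_to
            and account_read_back.replace(" ", "").upper()
                == req.new_bank_account.replace(" ", "").upper())


if __name__ == "__main__":
    req = ChangeRequest("V-1001", "accounts@acme-components.invalid",
                        "GB82WEST12345698765432", phone_in_message="+44 7000 000000")
    decision = evaluate_change_request(req)
    print(decision)
    print(callback_confirms_change(req, decision, "+44 7000 000000", req.new_bank_account))
    print(callback_confirms_change(req, decision, "+31 20 000 0001", req.new_bank_account))
```

The design point is in the last two calls: dialling the number the email helpfully provides confirms nothing, because in the compromised-mailbox scenario that number belongs to the attacker; only the number recorded at onboarding counts.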

Technology alone is not enough

What all these tactics have in common is that they exploit the human as a vulnerability. Firewalls, antivirus software and email filters provide protection against technical attacks but are powerless against an employee who in good faith authorises a payment or shares login credentials.

Effective protection requires a combination of technology, processes and — above all — awareness. Security awareness training that goes beyond an annual e-learning module. Training that confronts employees with realistic scenarios, measures their behaviour and continuously adjusts.

Nexus-7 helps organisations map their human vulnerabilities and structurally strengthen them. Not with standard checklists, but with behaviour-focused assessments that demonstrate where the real risks lie — and what can be done about them.
