Cyber security awareness can no longer be built around obvious phishing emails and annual training reminders. This was one of the key messages coming out of the recent Infosecurity Europe 2026 event in London as cyber specialists revealed more attackers are using deepfakes, impersonation, voice cloning and highly personalised manipulation to target employees across every communication channel.
Modern attacks are no longer identified through poor spelling or clumsy scams. They depend on trust, urgency and familiarity. In other words, the real attack surface is not just technology – it is employee behaviour.
For CISOs, Heads of Information Security and Communications Directors, that means security awareness must become a communications-led behaviour change programme, not a training checkbox.
AI has made social engineering more convincing
Generative AI has changed the quality and scale of social engineering. IBM notes that AI tools can now help attackers write phishing emails, create fake websites and generate deepfakes much faster than before, with the technology also making scams more targeted and harder to detect. IBM also warns that generative AI can produce technically polished attacks in minutes, while deepfake audio and video add another layer of credibility.
Infosecurity Europe’s own 2026 research says 64% of UK cybersecurity leaders believe Agentic AI will have the biggest impact on cybersecurity over the next three years, underlining how quickly AI is reshaping both attack and defence.
For employees, that means the familiar warning signs are fading. Bad grammar, odd phrasing and generic requests are no longer reliable indicators of fraud.
Deepfakes and vishing are the new trust traps
Voice is now a weapon.
Vishing attacks use phone calls, voice notes or audio messages to pressure employees into revealing information or approving payments. Deepfake voice cloning makes this far more dangerous because attackers can imitate executives, suppliers, help desks or family members with convincing realism. IBM highlights that deepfake technology can create fake audio and video calls that lend credibility to social engineering campaigns.
Such tactics were highlighted by our guest cyber expert, Jake Moore, at the Blue Goose Briefing ‘AI: Friend or Foe?’ where he warned: ‘Seeing and now hearing is no longer believing.’
Recent reporting shows the scale is accelerating. A 2026 analysis by AI Incident Database reported that deepfake fraud has reached an ‘industrial scale,’ with researchers noting the accessibility of tools means almost anyone can now produce fake content. The same report described a case in which a finance officer at a multinational company was tricked into transferring nearly $500,000 during what he believed was a legitimate video meeting.
‘Awareness needs to move beyond ‘spot the typo’,’ says Ben Watson, strategy director at Blue Goose.
‘Employees need to recognise manipulation tactics such as urgency, authority, secrecy and emotional pressure across voice, video and chat.’
The threat is multi-channel, not email-only
Most organisations still over-index on email phishing in their cyber security awareness programmes. That is a problem because attackers now operate across email, SMS, collaboration tools, social platforms and voice. If your training only focuses on inbox hygiene, your workforce remains exposed everywhere else.
For Blue Goose, this is the strategic imperative.
‘A strong awareness programme should teach employees how to respond when a request arrives by email, then gets reinforced by a Teams message, then follows up with a phone call. That is the reality of modern impersonation campaigns,’ adds Ben.
The numbers show employee risk is rising
There is growing evidence that AI is making social engineering more effective.
IBM says generative AI can draft an effective phishing email in about five minutes, compared with around 16 hours for a human team doing comparable research and writing. That speed advantage allows attackers to personalise at scale, which makes campaigns harder for employees to spot.
Separately, Microsoft researchers were reported to have found people were 4.5 times more likely to click a phishing email when it was written by AI than when it was composed by a human. That same reporting said 54% of people clicked AI-written phishing emails versus 12% for human-written ones.
The message is simple: employee exposure is not static, and awareness models need to evolve.
Why awareness fails without communication strategy
Training content alone does not change behaviour.
Employees are more likely to act when messages are repeated, relevant, and delivered in the right format at the right time. That is why message design, audience segmentation, channel planning and internal campaign identity matter as much as the learning content itself.
Blue Goose’s cyber and compliance expertise helps you turn policy into impactful employee-facing communication. That means creating campaigns that are:
- Clear enough to be remembered.
- Targeted enough to feel relevant.
- Repeated enough to change behaviour.
- Consistent enough to build trust.
- Practical enough to support reporting and escalation.
This is especially important in large global organisations where different teams face different risks.
Finance may need vishing and payment diversion scenarios. HR may need impersonation and data theft examples. Executives and assistants may need guidance on deepfake voice requests and urgent approvals. We have tackled such segmentation in campaigns for the likes of Bank of England, Yusen Logistics, Computacenter, Burberry and many more.
What good cyber security awareness looks like in practice
The strongest awareness programmes now do three things well.
First, they make the threat concrete by using real-world examples of impersonation, deepfakes and manipulated requests. Second, they embed behaviour prompts such as ‘pause, verify, report’ into everyday work. Third, they reinforce the message through multiple channels, not just one LMS module.
Blue Goose helps you build a communication system that makes secure behaviour easier to repeat across the business. And in a world of AI-generated fraud, that is what effective awareness looks like.
Why this matters now
Attackers are no longer relying on crude scams. They are using AI to impersonate trusted voices, copy familiar brand language, and manipulate employees under time pressure. Cyber awareness is a behavioural communications challenge and behaviours change as technology changes.
If your organisation wants measurable engagement and safer employee decisions, you need more than a training portal. You need a campaign strategy built for deepfakes, impersonation, vishing and multi-channel manipulation.
