
Email security and social engineering: what employees need to know

Practical guidance on email security and social engineering for organizations that want to improve secure behavior structurally.


Founder & Security Awareness Specialist · 2LRN4

Email security in 2026 is no longer only a technical story about filters and MFA. It is primarily a behavioural question. Social engineering is the umbrella term for the techniques attackers use to exploit trust, urgency and authority through email, SMS, phone, QR codes and chat. AI-generated phishing emails are often indistinguishable from genuine messages, push- and code-based MFA is routinely bypassed, and cloned voices make CEO fraud painfully convincing. What must employees be able to do in practice, and how do you anchor this in a security awareness programme?

What is social engineering, and why is email still the main vector?

Social engineering is the umbrella term for attack techniques that target the human, not the technology. An attacker manipulates trust, leverages urgency, impersonates authority or exploits curiosity. Email security is therefore not just a filter problem: once a message gets past the gateway, the recipient's behaviour is the last line of defence.

Email remains the most-used channel for social engineering in 2026, for three reasons. First, the volume: almost every employee receives dozens of emails per day and lacks time for deep inspection. Second, identity is easily forged: sender names, company logos and signatures are mimicked without effort. Third, the cost is low: an attacker can target thousands of organisations in a single campaign.

Modern social engineering rarely stays in email alone, however. Attacks run across multiple channels in parallel: an email leading to a phone call, an SMS leading to a QR code on a fake site, a LinkedIn message ending in a Teams call. The question for an organisation is therefore not "how do I keep phishing out?" but "how do I ensure that employees have the right reflex when something slips through?"

Phishing 2.0: AI has tilted the playing field

Until 2023 phishing was often recognisable by clumsy sentences, language mistakes and odd salutations. That time is over. Generative AI produces a flawless email in any language within seconds, perfectly matched to your organisation's tone. The old rule of thumb that mistakes equal a fake and fluent language equals a real message no longer works, and has become actively harmful in some training programmes because it lulls employees to sleep.

What does still work is context anomaly. A request that does not match the relationship ("why is this supplier asking me about the invoice?"), a time that stands out (Friday afternoon, just before a long weekend), a channel that deviates (a colleague who normally uses Teams suddenly sends a personal email). And above all, a request that deviates from the normal process: a payment outside the standard approval route, an urgent change of bank details, an MFA code asked to be shared via WhatsApp.

Train employees on process deviation, not on spelling mistakes. The question "does this match how we normally do it?" is a more reliable filter than any spell check. Good simulations practise this principle, not by sending strange-looking emails, but by sending credible emails that contain small process deviations.

The four modern attack forms every employee must recognise

Phishing is no longer limited to email. Four forms deserve explicit attention in any training on email security and social engineering:

  • Smishing (SMS phishing): a short text with urgency ("your parcel could not be delivered, tap here") with a link to a fake site. Works well because people are less critical on their phone than on their laptop.
  • Vishing (voice phishing): an attacker calls posing as helpdesk, bank or supplier. With AI voice cloning this now sounds like the actual director or a familiar colleague. A classic trick: "I am looking into your account right now to limit the damage, can you confirm the six digits on your screen?" The attacker has just started a login or password reset that sent a one-time code to the employee's phone; the employee reading it back completes the attacker's login.
  • Quishing (QR phishing): a QR code in an email or on a poster leading to a fake site. Many email security filters do not decode QR codes, so the link hidden in the image is invisible to URL scanning, and employees usually scan with their personal phone, outside the corporate perimeter. A typical example is an email about "MFA re-registration" where the QR code goes to a page capturing password and MFA code in one go.
  • Business Email Compromise (BEC): the legitimate mailbox of a colleague or supplier has been taken over (or a look-alike domain impersonates it). A real email then arrives with a real request: a payment, a change of bank details. When it comes from the genuine, compromised address it is indistinguishable from a normal message. BEC is consistently among the most financially damaging forms of cybercrime worldwide.

Why MFA is no longer enough, and what that means for awareness

Multi-factor authentication (MFA) was long the answer to password theft. An attacker with your password could not get in without the second factor. In 2026 that certainty is gone for the weaker forms of MFA: cybercriminals now routinely get past push notifications, SMS codes and one-time codes via three techniques.

MFA fatigue (push bombing). The attacker has your password and keeps triggering push notifications: ten, twenty, fifty times, often at night. The aim is that out of frustration or sleepiness you tap "approve" once. Awareness message: an unexpected flood of MFA prompts is an attack. Do not approve, report to IT, and change your password immediately, because the attacker already has it. Number matching on the push prompt (you must type a number shown on the login screen) makes a blind "approve" impossible.
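The push-bombing pattern described above is easy to spot in sign-in logs once you look for it. The following is an added example for this article (not code from 2LRN4 or from any identity provider): it runs a sliding-window count over a constructed, simplified log format ("<ISO timestamp> <user> <event>", which is an assumption; real providers log richer events) and raises one alert per user who received a burst of pushes, noting whether the user eventually approved one and whether the burst fell outside office hours.

```python
"""Flag MFA push-bombing in sign-in logs.

Added example for the article; not code from 2LRN4 or an identity provider.
The log format is a hypothetical, simplified one: "<ISO timestamp> <user> <event>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice is hit by a burst of pushes around 02:14 and
# finally approves one; bob and carol show ordinary daytime logins.
SAMPLE_LOG = """\
2026-03-13T02:14:01Z alice mfa_push_sent
2026-03-13T02:14:09Z alice mfa_push_denied
2026-03-13T02:14:30Z alice mfa_push_sent
2026-03-13T02:14:40Z alice mfa_push_timeout
2026-03-13T02:15:02Z alice mfa_push_sent
2026-03-13T02:15:31Z alice mfa_push_sent
2026-03-13T02:16:05Z alice mfa_push_sent
2026-03-13T02:16:44Z alice mfa_push_sent
2026-03-13T02:17:20Z alice mfa_push_sent
2026-03-13T02:17:25Z alice mfa_push_approved
2026-03-13T08:59:50Z bob mfa_push_sent
2026-03-13T09:00:01Z bob mfa_push_approved
2026-03-13T09:05:00Z carol mfa_push_sent
2026-03-13T09:05:04Z carol mfa_push_approved
2026-03-13T13:30:00Z bob mfa_push_sent
2026-03-13T13:30:05Z bob mfa_push_approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_bombing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who received `threshold` or more pushes inside
    any `window`. The alert records whether the user approved a push after the
    burst (the attacker's goal) and whether the burst started outside
    06:00-22:00, when sleepiness works in the attacker's favour."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # user -> push timestamps inside the sliding window
    alerts = {}                   # user -> alert dict, created when the burst is first seen
    for ts, user, event in events:
        if event == "mfa_push_sent":
            pushes = recent[user]
            pushes.append(ts)
            while ts - pushes[0] > window:      # drop pushes that fell out of the window
                pushes.popleft()
            if user in alerts:                  # burst already known: keep counting
                alerts[user]["pushes"] += 1
                alerts[user]["last"] = ts
            elif len(pushes) >= threshold:      # threshold crossed: open an alert
                alerts[user] = {
                    "user": user,
                    "pushes": len(pushes),
                    "first": pushes[0],
                    "last": ts,
                    "off_hours": pushes[0].hour < 6 or pushes[0].hour >= 22,
                    "approved_after_burst": False,
                }
        elif event == "mfa_push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True   # likely account takeover
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        severity = "CRITICAL" if a["approved_after_burst"] else "HIGH"
        print(f"{severity}: {a['user']} received {a['pushes']} pushes between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} "
              f"(off-hours={a['off_hours']}, approved={a['approved_after_burst']})")
```

On the sample log this reports alice only: seven pushes in under four minutes at night, followed by an approval, which is the case to escalate as a probable takeover. Bob's two pushes are hours apart and never enter the same window. The threshold and window are tuning knobs; start strict and widen them against your own baseline of legitimate retries.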

Adversary-in-the-Middle (AitM). The attacker sets up a proxy on a look-alike domain that mirrors the real login page exactly. When you enter your password and one-time code, the proxy forwards them to the real site in real time, completes the login and captures the resulting session cookie. With that cookie the attacker uses your session without any further MFA. You notice nothing: you land in your email or document as expected. Awareness message: check the address bar before you type a password, prefer a bookmark over a link in a message, and treat a login page that appears right after clicking such a link as suspect.

SIM swap. The attacker convinces your mobile provider to move your number to their SIM card. From that moment they receive your SMS MFA codes and password-reset texts. This only defeats SMS- and call-based MFA, which is exactly why it matters. Awareness message: prefer an authenticator app or hardware key over SMS for MFA. And if your phone suddenly says "no network" at a strange moment, contact your provider immediately.

The future is passwordless. Passkeys and hardware keys (FIDO2) resist all three techniques: the credential is bound to the site's real address, so a proxy on a look-alike domain cannot relay it, there is no push to fatigue and no code to intercept. For your awareness programme this is an important message: explain why your organisation is moving to these methods, so employees see them as protection rather than as a hurdle.
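Why a passkey survives the AitM proxy from the previous paragraph comes down to what the browser and authenticator bind into the assertion. The following is an added example for this article, not code from 2LRN4 or from any WebAuthn library: it reproduces only the origin, rpId and challenge checks a relying party performs, omits the signature verification, and uses small helpers (assumptions) to stand in for what the browser and authenticator produce. The hostnames are hypothetical. A one-time code carries no origin, so the proxy can relay it; a WebAuthn assertion carries the origin the browser actually loaded, so the relay fails.

```python
"""Why a FIDO2 passkey survives an adversary-in-the-middle proxy.

Added example for the article; not code from 2LRN4 or from a WebAuthn library.
Only the binding checks are shown; the cryptographic signature check is omitted.
"""
import base64
import hashlib
import json

UP_FLAG = 0x01   # authenticator flag: user presence verified
UV_FLAG = 0x04   # authenticator flag: user verification (PIN/biometric)


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin, challenge, ceremony="webauthn.get"):
    """Stand-in for the browser: it fills in the origin it actually loaded, so a
    page served from a look-alike domain gets that domain written here."""
    return b64url_encode(json.dumps(
        {"type": ceremony, "challenge": challenge, "origin": origin}).encode())


def make_authenticator_data(rp_id, flags=UP_FLAG | UV_FLAG, sign_count=1):
    """Stand-in for the authenticator: sha256(rpId) || flags || signCount."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def verify_assertion_binding(client_data_b64, authenticator_data,
                             expected_origin, expected_rp_id, expected_challenge):
    """Relying-party checks that tie the assertion to this site and this login.
    Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if client_data.get("origin") != expected_origin:
        # A proxy on login.example-com.net cannot make the victim's browser
        # report login.example.com here; this is what defeats the relay.
        return False, f"origin mismatch: browser reported {client_data.get('origin')!r}"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpId hash mismatch: credential scoped to another site"
    if not authenticator_data[32] & UP_FLAG:
        return False, "user presence flag not set"
    return True, "assertion bound to origin, rpId and challenge"


if __name__ == "__main__":
    challenge = b64url_encode(b"server-generated nonce for this login")
    auth_data = make_authenticator_data("example.com")
    for origin in ("https://login.example.com", "https://login.example-com.net"):
        ok, reason = verify_assertion_binding(
            make_client_data(origin, challenge), auth_data,
            "https://login.example.com", "example.com", challenge)
        print(f"{origin}: {'accepted' if ok else 'rejected'} ({reason})")
```

In practice the check fails even earlier: the browser refuses to use a credential whose rpId does not match the origin of the page, so the look-alike site never gets an assertion at all. The server-side origin check is defence in depth, and the challenge check is what stops a captured assertion from being replayed later.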

Verifying is not distrust: five rules of thumb for employees

What all modern social engineering techniques have in common is that they exploit trust. Trust in your inbox, in a familiar voice, in an MFA prompt, in a supplier. The throughline for awareness is therefore simple: verifying is not distrust, it is professionalism. The question "is this right?" is always legitimate, even to the boss.

  • Urgency or pressure is a red flag. Real messages give you time. "Do this now or else…" is almost always a manipulation technique.
  • Verify unusual requests via a second channel. Call back on a known number (from the intranet, not from the message), walk over, ask in a Teams call you initiate. Verification through the same channel as the suspicious message is not verification.
  • Check the destination before you click. On the computer: hover over the link with your mouse to see the real destination. On the phone: long-press the link. Links rewritten by a mail gateway or shortened by a URL shortener hide the real destination even then. When in doubt, go to the site manually via a bookmark.
  • When in doubt: report. Better ten false reports than one missed real attack. A reporting culture without blame is a more important awareness outcome than a low click score.
  • No-one ever asks for your MFA code, password or one-time code. Not IT, not your bank, not a supplier. An employee who knows and applies this rule is resistant to virtually all vishing and helpdesk-impersonation attacks.
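The "check the destination" rule above is what hovering reveals by eye: the text of a link and where it really goes are two different things. The following is an added example for this article, not code from 2LRN4 or from any mail gateway: it parses a constructed HTML email body (the domains in it are hypothetical) and reports links whose displayed domain differs from the real host, plus links whose real host borrows a trusted brand label without belonging to the trusted domain. The brand check is a deliberately crude substring heuristic to keep the example short.

```python
"""Expose links whose visible text does not match their real destination.

Added example for the article; not code from 2LRN4 or a mail gateway.
SAMPLE_EMAIL_HTML is constructed; all domains in it are hypothetical.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style body: link 1 shows a trusted URL as text but points
# elsewhere; link 3 uses a look-alike domain; links 2 and 4 are fine.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Free up space here:
<a href="https://example.com.quota-update.net/login">https://mail.example.com/quota</a></p>
<p>Or use the <a href="https://mail.example.com/quota">web portal</a>.</p>
<p>Questions? <a href="https://support.example-com.net/ticket">Contact support</a></p>
<p>Sent via <a href="https://www.microsoft.com/">Microsoft 365</a></p>
"""

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL (scheme optional), or None for relative links."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_under(host, domain):
    return host == domain or host.endswith("." + domain)


def find_suspicious_links(html, trusted_domains):
    """Return findings for links whose displayed domain differs from the real one,
    or whose real host contains a trusted brand label without being under the
    trusted domain (example.com.quota-update.net, support.example-com.net)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if href is None or href.lower().startswith("mailto:"):
            continue
        real = host_of(href)
        if real is None:
            continue
        if URL_LIKE.match(text) and host_of(text) != real:
            findings.append({"text": text, "href": href,
                             "reason": "displayed domain differs from real destination"})
            continue
        for domain in trusted_domains:
            brand = domain.split(".")[0]          # crude: "example" from "example.com"
            if brand in real and not is_under(real, domain):
                findings.append({"text": text, "href": href,
                                 "reason": f"look-alike of {domain}"})
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_EMAIL_HTML, ["example.com"]):
        print(f"{f['reason']}: '{f['text']}' -> {f['href']}")
```

On the sample body this reports the quota link (text says mail.example.com, destination is example.com.quota-update.net) and the support link (support.example-com.net). Note the caveat from the rule itself: when a gateway has rewritten links for scanning, the real host reported here is the rewriting service, not the final destination, which is why the bookmark rule is the fallback.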

How to anchor this in a security awareness programme

One long training where everything is covered in a day does not work. There is too much to remember in one go, and the content becomes outdated within months. What does work is a rhythm of short, recurring modules in which each theme is practised separately.

Combine e-learning with phishing simulations that include modern variants: not just classic phishing emails, but smishing scenarios, quishing posters and AitM landing pages. Make verification protocols explicit before they are needed: a callback number for supplier changes, a four-eyes rule above a threshold amount, a secret pass-phrase between executive and finance for urgent transfers.

Maintain a reporting culture. Employees must be able to report suspicious messages without shame, and without being scolded when they clicked themselves. An attacker benefits from silence; awareness is about reporting quickly so that IT can stop the attack before it spreads.

Finally, refresh content at least every six months. The threat landscape changes faster than that: AI tools, the cost of convincing deepfakes and MFA-bypass techniques evolve in months, not years. An awareness programme that was up to date in 2023 teaches employees, in 2026, to recognise the attacks of three years ago.

From explanation to action

See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.



FAQ

What is the difference between phishing and social engineering?

Social engineering is the umbrella term for attack techniques that exploit human trust. Phishing is one specific form: social engineering through email. Other forms are vishing (phone), smishing (SMS), quishing (QR) and pretexting (a fabricated pretext).

Does MFA still help against modern phishing attacks?

MFA remains an important layer, but push approvals, SMS codes and one-time codes are routinely bypassed via MFA fatigue, adversary-in-the-middle and SIM swap. Phishing-resistant MFA (FIDO2 hardware keys or passkeys) is not affected by these three techniques. The strongest defence is a combination: phishing-resistant MFA, good behaviour and fast reporting of unusual login prompts.

How often should I train employees on email security?

Short modules of five to ten minutes every month work better in practice than one annual two-hour training. In addition, two to four phishing simulations per year help practise recognition under realistic conditions.

What is quishing and why is it so dangerous?

Quishing is phishing via QR codes. It is dangerous because many email security filters do not decode QR codes: the malicious link is hidden inside an image and invisible to URL scanning. Additionally, employees usually scan QR codes with their personal phone, outside the corporate security perimeter.

Should employees delete suspicious emails or report them?

Report, not delete. A report allows the IT team to investigate the attack, warn other colleagues and contain any compromise. Deleting hands the attacker silence to keep going elsewhere.

What verification works against a deepfake voice call?

For unusual financial requests, always verify via an independent channel: call back on a known number, a face-to-face meeting, or a secret pass-phrase between executive and finance known only verbally. Visual detection of deepfakes is unreliable; process-based verification is not.

How do I measure whether my email security awareness is working?

Combine three metrics: click rate in phishing simulations (lower is better), report rate (higher is better, a good sign that employees feel safe to report) and time-to-first-report (faster is better). In the long run report rate matters more than click rate.

External source: CISA - Avoiding social engineering and phishing attacks
