How CISOs Can Tackle Deepfakes and AI-Powered Attacks in 2026: A Strategic Playbook

Awareness training builds knowledge. Testing proves if it translates to action….

In early 2024, a finance executive at Arup—the British engineering firm behind the Sydney Opera House—joined a video call with his CFO and several colleagues. The conversation was around a discussion about an urgent wire transfer. They authorized $25.6 million across 15 transactions. Every person on that call was a deepfake.1

That attack required human orchestration. In 2026, it won’t.

Agentic AI has changed the equation. In September 2025, Anthropic disclosed what they believe to be the first documented case of a large-scale cyberattack executed without substantial human intervention—AI agents autonomously researching targets, producing exploit code, and scanning stolen data faster than any human team could operate.2 Autonomous systems can now research targets, craft personalized pretexts, generate synthetic voices and video, and orchestrate multi-channel attacks—all while adapting in real-time based on how victims respond.

For CISOs, this isn’t just another threat to add to the list. It’s a fundamental shift that exposes a critical gap in how most organizations approach security: they train people, build processes, and deploy technology—but rarely test how all three work together under realistic attack conditions.

Layer 7 is the new perimeter. And defending it requires testing your people, processes, and technology as an orchestrated whole—not as separate checkboxes.

The 2026 AI Threat Landscape

The convergence of deepfakes, agentic AI, and traditional social engineering has created attack capabilities that most security programs aren’t designed to handle.

Agentic AI: The Force Multiplier

Agentic AI doesn’t just automate tasks—it reasons, plans, and adapts. Palo Alto Networks’ Unit 42 demonstrated this capability by simulating a complete ransomware attack—from initial compromise to data exfiltration—in just 25 minutes using AI at every stage of the attack chain.3 Gartner predicts that by 2028, a third of our interactions with AI will shift from typing commands to engaging with autonomous agents that act on their own goals and intentions.4

Applied to social engineering, this means:

Autonomous reconnaissance at scale. An agentic system can scrape LinkedIn, corporate websites, earnings calls, and social media to build detailed profiles of high-value targets. It maps reporting relationships, identifies communication patterns, learns the names of assistants, and catalogs upcoming events—all before launching a single attack.

Dynamic attack orchestration. When a target doesn’t respond to the initial approach, the AI pivots. It tries a different channel, adjusts the pretext, or escalates the perceived urgency. It’s not following a script—it’s pursuing an objective.

Personalization that scales. Every attack can be tailored to the individual target using details the AI gathered during reconnaissance. The “CEO” mentions the board meeting that’s actually on the calendar. The “vendor” references the contract that’s actually up for renewal. The attack feels real because it’s built on real information.

Voice Phishing: Your Executives Are Already Cloned

Voice cloning has crossed the uncanny valley. Attackers need as little as three seconds of audio to create a voice clone with an 85% match to the original speaker.5 With 30 seconds of audio from a conference keynote, earnings call, or podcast appearance, attackers can generate synthetic speech indistinguishable from the real person.

The threat has industrialized rapidly. Deepfake-enabled vishing surged by over 1,600% in the first quarter of 2025 compared to the end of 2024.6 In the Asia-Pacific region alone, AI-related fraud attempts increased 194% in 2024 compared to the previous year.7 Over 10% of surveyed financial institutions have suffered deepfake vishing attacks exceeding $1 million, with an average loss per incident of approximately $600,000.8

Vishing attacks using cloned executive voices are hitting finance teams, HR departments, and IT help desks with increasing frequency. The calls come during high-pressure moments—end of quarter, during M&A activity, ahead of board meetings—when urgency feels justified and verification feels like friction.

Your C-suite’s voices are already in attacker databases. The question is whether your teams can identify a synthetic call when it comes.

Calendar Phishing: Weaponizing the Tools You Trust

Calendar phishing exploits something every organization relies on: meeting invites. Check Point researchers identified a campaign affecting approximately 300 brands, where attackers send invites that appear to come from executives, clients, or partners.9 The invite includes a link—to join a “video call,” review a “document,” or access a “deal room.”

What makes calendar phishing dangerous:

It bypasses email scrutiny. Many organizations have trained employees to be suspicious of email links. But a calendar invite from someone you work with? That feels different. It’s on your calendar. It must be legitimate. Because Google Calendar automatically adds event invites by default, attackers can make these events appear genuine alongside real meetings.10

It leverages implicit trust. When an invite appears to come from your CEO’s calendar, the psychological barriers to clicking are dramatically lower than a cold email.

It enables multi-stage attacks. The calendar invite might be the setup—establishing a “meeting” that the attacker then joins as a deepfake, or creating a pretext for a follow-up vishing call.

Agentic AI makes calendar phishing surgical. The system can identify the right targets, time the invites to coincide with real events, and craft pretexts based on actual business context.

High-Risk Departments and Transactions

Not all targets are equal. Attackers prioritize based on what access a compromised employee provides. CISOs need to think the same way.

Finance and Treasury

The most direct path to financial loss. Wire transfers, payment redirections, and vendor payment fraud all target finance teams. According to the Verizon 2024 DBIR, over 40% of successful social engineering attacks were Business Email Compromise (BEC) imposter attacks—email attacks with no malicious link or infected attachment, designed purely to steal money.11 High-risk moments include:

• End of quarter and fiscal year close
• M&A activity and deal closings
• New vendor onboarding
• Executive travel (when “urgent” requests seem plausible)

The transaction: Any wire transfer, payment method change, or new vendor setup over a defined threshold.

Executive Assistants and Chiefs of Staff

The gatekeepers. They control calendars, manage communications, and often have broad access to initiate requests on behalf of executives. Compromising an EA can give attackers a trusted platform to launch secondary attacks across the organization.

The transaction: Any action taken on behalf of an executive—scheduling, communications, access requests.

Human Resources

Access to sensitive personnel data, payroll systems, and the authority to make changes that affect compensation. HR teams are targeted for W-2 fraud, direct deposit changes, and access to employee PII.

The transaction: Payroll changes, direct deposit modifications, sensitive data exports.

IT Help Desk

The keys to the kingdom. Password resets, MFA bypasses, and access provisioning all flow through IT support. A convincing vishing call to the help desk can defeat the most sophisticated technical controls. Groups like Muddled Libra (Scattered Spider) have used AI-generated audio and video to impersonate employees during help desk scams.12

The transaction: Password resets, MFA enrollment changes, access provisioning for sensitive systems.

Legal and M&A Teams

High-value targets during deal activity. Attackers seek deal terms, negotiating positions, and the ability to redirect funds during closings.

The transaction: Document sharing during active deals, wire transfers for deal closings.

Why Awareness Training Alone Isn’t Enough

Let’s be clear: awareness training matters. When done well—engaging, continuous, and relevant to the threats employees actually face—it builds the foundational knowledge that enables people to recognize attacks. Organizations that invest in quality training programs see measurable improvements in their employees’ ability to identify threats.13

But here’s the challenge: knowledge doesn’t automatically translate to behavior under pressure.

The 2024 Verizon DBIR found that the human element was a component of 68% of breaches—roughly the same as the previous year.14 This persistence isn’t necessarily a failure of training content. It’s a gap between knowing what to do and actually doing it when it counts.

“Research helps explain why. A 2024 meta-analysis by Leiden University researchers examined 69 studies and found that while training significantly improves knowledge and attitudes, changes in actual behavior are harder to achieve.15 The gap isn’t ignorance—it’s the translation from classroom knowledge to real-world action.”

An ETH Zurich study found that regular reinforcement and reminders were more impactful than training content alone—suggesting that sustained engagement matters more than one-time education.16 This aligns with what security leaders know intuitively: training is a continuous process, not an annual checkbox.

The real question isn’t whether your employees know what to do. It’s whether they’ll do it when their “CEO” is on a video call expressing frustration about a delayed wire transfer.

That’s the gap that testing fills.

Your employees can pass a quiz about deepfakes. They can identify warning signs in a multiple-choice question. They can recite the verification procedure from memory. But the only way to know if that knowledge translates to action under pressure is to test it under realistic conditions.

Awareness training builds the foundation. Testing validates that it holds.

What Training Can’t Test

Even excellent awareness programs have inherent limitations in what they can validate:

Whether people follow procedures under pressure. What happens when a real attack occurs? It’s impossible to fully simulate in an e-learning module. People behave differently when they believe the situation is real.

Whether processes hold up when invoked. Your verification procedure looks good in a policy document. But when an employee actually tries to verify an urgent executive request, do they know who to call? Is that person available? Does the procedure account for time zones? For after-hours requests? For the executive who’s “traveling and can’t be reached”?

Whether technology supports the process. When an employee receives a suspicious calendar invite, does your email security flag it? When they report a vishing attempt, does your SOC have the tools to analyze the audio? When a deepfake video call comes through, does your conferencing platform provide any indicators?

Attackers don’t target people, processes, or technology separately. They find the weakest seam between all three and exploit it. Your testing needs to work the same way.

Testing People, Process, and Technology Together

The organizations that will successfully defend against AI-powered attacks in 2026 share a common approach: they combine quality training with realistic testing that pressure-tests their defenses as an integrated system. Not as silo’d solutions and compliance checkboxes.

What Integrated Testing Looks Like

Realistic attack simulation. Use the same techniques attackers use—voice cloning, video deepfakes, calendar phishing, multi-channel orchestration. Target the specific departments and transactions that matter most to your organization.

Process invocation under pressure. The test should require employees to actually use verification procedures, not just acknowledge they exist. This reveals whether the process works in practice: Are the right people reachable? Do employees know the steps? Does the process account for edge cases?

Technology validation. Does your email security catch the phishing component? Does your conferencing platform flag synthetic video? Does your SIEM correlate the attack indicators? Testing reveals whether your technical controls support your human defenses.

Orchestrated scenarios. Real attacks rarely use a single vector. Test multi-channel campaigns: a calendar invite followed by a vishing call, or a spoofed email followed by a deepfake video conference. This tests whether your defenses detect the pattern, not just the individual components. It also helps show where your security defenses break..

The Training-Testing Feedback Loop

Testing isn’t just validation: it’s a force multiplier for your training program.

When employees experience realistic attack simulations, they internalize lessons in ways that classroom training can’t replicate. The employee who successfully identifies a deepfake vishing attempt becomes an advocate who reinforces the training message with peers. The team that stops a simulated wire fraud attack builds confidence that translates to real-world vigilance.

Testing also reveals where training needs to evolve. If simulations consistently expose gaps in recognizing voice cloning, that insight should shape future training content. If employees know the verification procedure but can’t execute it under time pressure, that’s a process design problem—not a knowledge problem.

The best security programs create a continuous loop: training builds knowledge, testing validates behavior, results inform better training.

Focus on High-Risk Transactions

• Structure your testing program around the transactions that matter most:
• Wire transfers above defined thresholds
• Vendor payment method changes
• IT access provisioning for privileged accounts
• Payroll and direct deposit modifications
• Document sharing during M&A activity
• Application Downloads against AUP.

For each high-risk transaction, test the entire chain: Can an attacker using AI-powered techniques trick an employee into initiating the transaction? If the employee follows the verification process, does it actually prevent the attack? Do your technical controls provide any backstop?

Measure What Matters

Complement your training metrics with resilience metrics:

Procedure adherence rate: When employees receive realistic attack simulations, what percentage correctly invoke verification procedures?

Process completion rate: Of those who attempt verification, what percentage successfully complete it? Where does the process break down?

• Time to escalation: How quickly do employees report suspicious activity to security teams?
• Detection coverage: What percentage of simulated attacks are flagged by technical controls?
• Cross-channel correlation: When attacks span multiple channels, does your SOC connect the dots?

The Verizon DBIR calculated a global benchmark for phishing simulation reporting rates: just 20%.17 Only one in five people successfully recognize and report a phishing attack when they receive one. But organizations with mature, behavior-focused programs see reporting rates climb significantly higher—evidence that the combination of training and testing drives real improvement.

Building Resilience for 2026

The threat landscape has evolved. Agentic AI gives attackers autonomous capabilities that can research, plan, and execute sophisticated social engineering campaigns. Deepfakes make voice and video impersonation trivial. Calendar phishing weaponizes the productivity tools your organization depends on.

Defending against these threats requires a layered approach:

Training builds the knowledge foundation—helping employees understand what AI-powered attacks look like and why verification procedures matter.

Process design creates the procedural guardrails—ensuring that high-risk transactions have verification steps that can withstand social pressure.

Technology provides detection and enforcement—catching what humans miss and creating friction that slows attackers down.

Testing validates that all three work together—revealing gaps before real attackers exploit them and building the muscle memory that turns knowledge into action.

The organizations that treat training and testing as complementary investments—rather than either/or choices—will be the ones prepared for what’s coming.

How Breacher.ai Approaches This Problem

We built Breacher.ai around a simple premise: training builds knowledge, but you can’t defend against attacks you’ve never experienced.

Our red team assessments use the same AI-powered techniques that sophisticated adversaries deploy—voice cloning, real-time deepfakes, calendar phishing, agentic orchestration. We target your high-risk departments with scenarios built around your actual high-risk transactions. And we test your people, processes, and technology as an integrated system.

The goal isn’t to prove that your training failed. It’s to validate where training has taken hold, identify where gaps remain, and build the institutional muscle memory that creates genuine resilience.

Layer 7 is the new perimeter. It’s time to test it accordingly.

Ready to pressure-test your organization against AI-powered social engineering? Contact Breacher.ai to discuss a red team assessment tailored to your threat profile.

References

Footnotes

1. CNN, “Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’,” February 2024; Fortune, “A deepfake ‘CFO’ tricked the British design firm behind the Sydney Opera House in $25 million fraud,” May 2024. ↩
2. Anthropic, “Disrupting the first reported AI-orchestrated cyber espionage campaign,” September 2025. ↩
3. Palo Alto Networks Unit 42, “Unit 42 Develops Agentic AI Attack Framework,” May 2025. ↩
4. SecurityWeek, “How Agentic AI Will Be Weaponized for Social Engineering Attacks,” February 2025, citing Gartner predictions. ↩
5. Keepnet Labs, “Deepfake Statistics & Trends 2025,” November 2025. ↩
6. Right-Hand Cybersecurity, “The State of Deep Fake Vishing Attacks in 2025,” October 2025. ↩
7. Group-IB, “The Anatomy of a Deepfake Voice Phishing Attack,” August 2025. ↩
8. Group-IB, “The Anatomy of a Deepfake Voice Phishing Attack,” August 2025. ↩
9. Check Point Blog, “Google Calendar Notifications Bypassing Email Security Policies,” January 2025. ↩
10. Dark Reading, “Phishers Turn to Google Calendar Spoofing Globally,” December 2024. ↩
11. SANS Institute, “Tackling Modern Human Risks in Cybersecurity: Insights from the Verizon DBIR 2024,” May 2025. ↩
12. Palo Alto Networks Unit 42, “Unit 42 Develops Agentic AI Attack Framework,” May 2025. ↩
13. KnowBe4, “2024 Phishing by Industry Benchmarking Report,” showing phish-prone percentages dropping from 34.3% to 4.6% after 12 months of combined training and testing. ↩
14. Verizon, “2024 Data Breach Investigations Report,” May 2024. ↩
15. Cybersecurity Dive, “Why security awareness training doesn’t work — and how to fix it,” October 2025, citing Leiden University meta-analysis. ↩
16. ETH Zurich study cited in Cybersecurity Dive, “Why security awareness training doesn’t work — and how to fix it,” October 2025. ↩
17. Verizon 2024 DBIR; Hoxhunt, “Phishing Trends Report 2025.” ↩