Social engineering has moved well beyond email. Vishing, deepfakes, and ClickFix-style prompts are convincing users to take unsafe actions in real time.


For years, phishing awareness focused heavily on email: suspicious links, fake invoices, malicious attachments, and credential-harvesting pages.
That advice still matters. But attackers are no longer limited to the inbox.
Modern social engineering increasingly happens in real time through phone calls, meeting invites, collaboration platforms, fake video-call pages, and voice-based impersonation. As deepfake and synthetic voice capabilities improve, the boundary between phishing, vishing, and fake meetings is becoming harder for users to navigate.
The core problem is not just whether a user can spot a fake email. The problem is whether they can recognise unsafe behaviour during a believable human interaction.
In May 2026, Cushman & Wakefield confirmed a limited data security incident caused by vishing, or voice phishing. A company spokesperson told The Register that the organisation had activated response protocols, taken steps to contain unauthorised activity, and engaged third-party experts to support the response.
The same report noted that two cybercrime groups, ShinyHunters and Qilin, had separately claimed responsibility for attacks on the company. Cushman & Wakefield said systems and operations continued to run normally while the incident was being investigated.
This is a useful example because it shows how social engineering is evolving. The attacker does not always need a malicious attachment or a fake login page. A voice interaction can be enough to create urgency, trust, and compliance.
That matters because deepfake-enabled meetings are an evolution of the same problem.
A vishing attack uses voice to manipulate a person into taking an unsafe action. A fake meeting attack uses the same principle but adds more context: calendar invites, collaboration tools, video interfaces, fake update prompts, and sometimes AI-generated audio or video.
A typical fake meeting lure might look like this:
· A user receives a meeting invite from what appears to be a colleague, vendor, recruiter, partner, or customer.
· The link opens a page that looks like a familiar video-conferencing platform.
· The user sees a waiting room, loading screen, fake participant, or pre-recorded video.
· A prompt appears saying the meeting client needs an update, the SDK is missing, audio cannot connect, or the browser needs a fix.
· The user is instructed to paste a command into PowerShell, Terminal, or the browser console.
· The command executes attacker-controlled code.
This is where social engineering and ClickFix overlap. The attacker creates a believable situation and then asks the user to “fix” the problem by running the payload themselves.
Real-time social engineering works because it creates pressure.
People behave differently in meetings than they do when reading email. They are trying to be helpful. They do not want to delay the call. They may assume technical issues are normal. They may not inspect a URL carefully if the invite looked legitimate or appeared on their calendar.
Deepfakes make this even more difficult.
A fake video or synthetic voice does not need to be flawless. It only needs to be convincing for long enough to lower suspicion and move the victim toward the next action.
That is why “spot the deepfake” is not a complete defence. The better defence is to teach users to recognise unsafe requests, regardless of how believable the person or meeting appears.
No legitimate meeting should require a user to paste commands into PowerShell, Terminal, or a browser console.
That one rule is simple, practical, and memorable.
It avoids asking employees to become forensic experts in synthetic media. Instead, it focuses on behaviour. The person on screen might look real. The voice might sound convincing. The page might look like a legitimate meeting tool.
But if the meeting asks the user to run a command, install an unknown component, approve an unexpected MFA request, or bypass normal controls, it should be treated as suspicious.
Security awareness needs to expand beyond email phishing.
Employees should be trained to:
· Verify unusual requests through a separate channel
· Check meeting URLs before joining external calls
· Be suspicious of update prompts inside meeting pages
· Never paste commands from meeting pop-ups or chat messages
· Report suspicious calls, meeting links, and voice-based requests
· Challenge urgent requests involving access, payments, credentials, or software installation
· Treat unexpected MFA prompts as potential compromise signals
For high-risk users, such as finance, executives, administrators, developers, and customer-facing teams, this training should be specific and scenario-based.
A finance user needs to recognise voice-based payment manipulation. A developer needs to recognise malicious command execution. An executive assistant needs to recognise impersonation. An administrator needs to recognise credential and MFA manipulation.
Different roles face different lures.
Real-time social engineering often leaves technical traces after the human interaction.
Security teams should monitor for:
· PowerShell, Terminal, or script execution shortly after browser activity
· Commands that download and execute remote content
· Encoded or obfuscated scripts
· Suspicious child processes launched from browsers or collaboration tools
· New files written to temporary folders
· Security-tool exclusion attempts
· Unexpected MFA approvals
· New sessions from unusual locations
· Connections to newly registered or lookalike domains
The goal is to connect identity, endpoint, browser, and network signals. A suspicious call or fake meeting link may be the human trigger, but the compromise often becomes visible through endpoint and identity behaviour.
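As an added illustration (not code from the original article), the sketch below correlates browser navigation with process-creation events and checks shell command lines for several of the traits listed above. The event field names, the 120-second window, the two-signal threshold, and the sample records are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumed correlation window
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe"}
PWSH = {"powershell.exe", "pwsh.exe"}
SHELLS = PWSH | {"cmd.exe", "bash", "zsh"}
FETCH_EXEC = re.compile(
    r"\b(iwr|invoke-webrequest|curl|wget)\b.*\|\s*(iex|invoke-expression|sh|bash)\b", re.I)
EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion", re.I)

def is_encoded_flag(token):
    # PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec
    t = token.lower()
    return t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t))

def score(proc, last_nav):
    """Return the list of signals one process-creation event matches."""
    image = proc["image"].lower()
    if image not in SHELLS:
        return []
    hits = []
    if proc["parent"].lower() in BROWSERS:
        hits.append("shell_child_of_browser")
    nav = last_nav.get(proc["host"])
    if nav and timedelta(0) <= proc["ts"] - nav <= WINDOW:
        hits.append("shell_soon_after_browsing")
    if image in PWSH and any(is_encoded_flag(t) for t in proc["cmdline"].split()):
        hits.append("encoded_command")
    if FETCH_EXEC.search(proc["cmdline"]):
        hits.append("download_and_execute")
    if EXCLUSION.search(proc["cmdline"]):
        hits.append("security_tool_exclusion")
    return hits

def triage(events):
    """Walk events in time order; return (host, signals) for flagged shells."""
    last_nav, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "nav":
            last_nav[ev["host"]] = ev["ts"]
        elif len(hits := score(ev, last_nav)) >= 2:  # require corroboration
            alerts.append((ev["host"], hits))
    return alerts

T0 = datetime(2026, 1, 1, 9, 0, 0)  # constructed sample data, not real telemetry
SAMPLE = [
    {"kind": "nav", "ts": T0, "host": "ws-01", "url": "https://meeting.example.invalid/join"},
    {"kind": "proc", "ts": T0 + timedelta(seconds=40), "host": "ws-01", "image": "powershell.exe", "parent": "explorer.exe", "cmdline": "powershell -enc <BASE64-PLACEHOLDER>"},
    {"kind": "proc", "ts": T0 + timedelta(hours=3), "host": "ws-02", "image": "powershell.exe", "parent": "explorer.exe", "cmdline": "powershell Get-ChildItem C:\\Temp"},
]
```

Requiring two signals keeps routine administrative shell use from alerting on its own; the time correlation matters because a pasted command is usually launched by the desktop shell rather than by the browser itself.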
Social engineering has moved beyond email.
Voice calls, fake meetings, cloned collaboration pages, synthetic media, and ClickFix-style prompts are all part of the same trend: attackers are building believable workflows that persuade users to take unsafe actions.
The defence is not simply telling users to be more careful. The defence is giving them clear rules, reducing the privileges attackers can abuse, and monitoring for the behaviours that follow successful manipulation.
Whether the lure is a phone call, a fake meeting, or an AI-generated persona, the objective is the same: make the user trust the attacker long enough to open the door.
Organisations need to train for that reality now.
