COMMENTARY: The rapid advancement of artificial intelligence has led to the next wave of digital transformation, allowing organizations worldwide to increase their efficiency and innovation. However, it has also introduced new risks.
Cybercriminals now leverage Generative AI to launch more sophisticated phishing attacks, business email compromise (BEC) schemes, and deepfake scams, threats that are becoming increasingly difficult to detect and mitigate.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
AI has given cybercriminals powerful new and improved ways to exploit businesses with savvier techniques. Attackers now automate highly-personalized phishing emails, create realistic voice and video deepfakes, and manipulate employees into revealing sensitive information or approving unauthorized transactions.
With cyberattacks harder to detect and prevent, businesses urgently need to strengthen their defenses. For small- and mid-sized businesses (SMBs), these evolving threats present an especially pressing challenge, as many SMBs already operate with limited cybersecurity resources.
The way to defend against these threats isn’t just fighting AI with AI or adopting AI-driven cybersecurity tools for defense. It’s also a reminder to get back to basics: businesses of all types and sizes must reinforce foundational cybersecurity practices and implement a strategic risk management approach.
AI alone won’t solve AI-enabled attacks
Many businesses have turned to AI-powered security tools to defend against these new AI threats. While the tools are valuable, they are not a silver bullet. As attackers learn more about defender behaviors and technologies, they evolve their attacks. It will always be a game of point/counterpoint.
In some cases, businesses can even inadvertently increase their own risk by embedding AI into their workflows without understanding its security implications. For instance, sensitive company data entered into unsecured AI-powered chatbots can be exposed or repurposed in ways that introduce new vulnerabilities.
Defense-in-depth wins again
Instead of solely pursuing the latest AI-driven security tools, organizations should focus on strengthening their overall cybersecurity posture. Case in point: BECs alone accounted for nearly one-third of all claims in the first half of 2024, and BECs, together with funds transfer fraud, made up 60% of all claims across the year. What’s more, the average loss from BECs rose 23% year-over-year to $35,000, demonstrating that many businesses are still falling victim to the most basic email attacks.
To effectively counter AI-enabled scams, businesses must adopt a multi-layered cybersecurity concept known as a defense-in-depth strategy, which protects against the failure of any single control. Layering multiple controls provides redundancy, making it harder for cybercriminals to execute a successful attack.
A defense-in-depth strategy focuses on a few important areas, including employee education, identity verification, AI risk management, and cyber insurance. Here’s a rundown of each one:
Enhance employee training: Many AI attacks still rely on human error to succeed. Businesses should implement security awareness training that helps employees recognize these scams, including conducting regular phishing simulations to ensure employees remain vigilant. Given the rise of deepfake scams, businesses should also train employees to question unusual requests, especially those involving financial transactions or confidential data.
Strengthen identity verification and authentication: Deepfakes have become more sophisticated, which means it’s critical to have robust identity verification and authentication measures. Businesses should implement multi-factor authentication (MFA) across all critical systems and establish strict verification protocols for sensitive communications and financial transactions. If an executive suddenly requests a wire transfer or a vendor asks to update banking details, employees should confirm the request through a secondary channel, such as a direct phone call. To defeat voice spoofing, these phone calls should also include a previously agreed-upon codeword that allows both parties to verify their identities.
Monitor and manage AI use: Many companies are integrating AI-powered tools into their operations without fully considering the security risks. Businesses should audit the AI tools their employees use and establish clear data-sharing policies to prevent the unintended exposure of sensitive information. Limiting how and where employees interact with AI tools can help mitigate security risks associated with these technologies.
Assess cyber insurance coverage: Even with robust cybersecurity measures in place, all organizations are open to potential attacks. Cyber insurance serves as a crucial safety net, helping businesses recover from financial losses related to AI-driven fraud. However, not all policies are created equal. Organizations should work closely with their insurers to ensure they have adequate coverage for emerging AI-related threats, including coverage for losses directly stemming from AI-enhanced BEC, ransomware, and deepfake scams, and that it’s clearly defined in their policy language.
AI has its pluses and minuses. While cybercriminals use it to automate and enhance attacks, businesses can leverage AI to fight back by strengthening both human and technological defenses. Ultimately, it’s crucial to take a proactive risk management approach to stay ahead of evolving threats.
For SMBs, these defensive strategies can mean the difference between thwarting an attack and facing significant financial and reputational damage. AI-enabled scams will continue to evolve, which is why businesses must remain informed, vigilant, and prepared.
Tiago Henriques, chief underwriting officer, Coalition