COMMENTARY: In the time it takes you to read this sentence, AI has helped generate dozens of phishing emails indistinguishable from legitimate business communications. AI is forcing cybersecurity to evolve faster than anyone anticipated, and the battlefield isn't your firewall. It's your people.

AI is making it harder to differentiate between genuine and fake content. At the same time, most breaches (95%) still start with human error, which is unsurprising given how fatigue, workload, and tool sprawl erode human clarity and judgement. Attackers understand this, and it gives them new ways to manipulate people. AI-powered deception and human nature are creating a perfect storm that many security leaders aren't prepared to weather.
AI makes attackers smarter and faster
AI is giving attackers a serious upgrade. According to the Mimecast State of Human Risk Report, phishing and impersonation attacks have jumped 77% in just a year as AI becomes increasingly better at mimicking language, tone, and context. Scams today are more convincing than anything we’ve ever seen before.
To boost credibility, attackers are going after trusted platforms like PayPal and Salesforce, using AI to create messages that look nearly identical to the "normal" language and context of these trusted providers. And when employees are swamped with constant notifications and deadlines, they're more likely to fall for these scams.

AI is also making attackers more productive than ever before. Gone are the days when coordinating an attack took hours of manual work; it can now be automated and personalized in seconds. Traditional tools like email filters and signature-based detection simply can't keep up with the volume and covert nature of these tactics. The reality is that malicious messages that appear legitimate can easily slip past security controls.
Organizations must step up to protect their employees
While AI has driven attack sophistication, it's time to retire the outdated narrative that employees are "the weakest link." Roughly 95% of breaches can be traced back to human behavior, but this statistic reflects a systemic failure by organizations to provide adequate guardrails, not simply a failure of their workforce. Employees today are doing their best while operating under sustained mental strain. Constant collaboration demands have reduced the time and attention people can realistically devote to carefully inspecting every digital interaction.

When highly sophisticated, AI-driven deception is specifically engineered to exploit human trust and cognition, expecting individual vigilance to serve as the primary line of defense is unrealistic. The real vulnerability lies in organizational infrastructure, not employee competence. Companies must invest in smarter security architectures, automated threat detection, and training that empowers rather than blames, because protecting people is an organizational responsibility, not an individual burden.
Balancing AI awareness with human risk management
As AI makes deception easier, staying alert becomes more critical. It also becomes more challenging as social engineering tactics like credential phishing and business email compromise (BEC) evolve with AI, and attackers can more easily imitate trusted senders, language, and workflows.

The most infamous threat groups have proven just how effective this can be. For example, Scattered Spider posed as IT teams and help desks in 2025, convincing employees to give access to sensitive files or login credentials — and ultimately cost organizations millions in recovery and fines.
Technical controls alone won't suffice. Organizations need clear guidance and policies that encourage safe digital habits as AI-generated content becomes increasingly common. Security playbooks must evolve to recognize both human and technical factors, knowing that people are the most critical part of today's attack surface. Human risk management programs are becoming increasingly critical, especially considering that shadow IT and unmonitored AI use create new blind spots that are nearly impossible for security teams to fully manage.

Human risk management matters all the more because risk isn't spread evenly across an organization; it's concentrated. Just 8% of employees are responsible for about 80% of security incidents, which calls for new approaches to training. Tailored security interventions are much more effective than one-size-fits-all training — and are essential to combating rising threats in today's human risk environment.

Personalized training, attack simulations, and education based on individual employees' behavior free up security leaders to redirect resources where risk is highest. This strategy also equips employees with the resources they need to identify emerging scams and respond effectively.
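The concentration claim above (a small share of employees accounting for most incidents) is something a security team can measure from its own incident records before deciding where to target training. The following is an added example, not code from the article, from Mimecast, or from any product it mentions: it runs a Pareto-style concentration analysis over a constructed set of incident records, finds the smallest cohort of users that covers a chosen share of incidents, and assigns everyone on a constructed roster to a "targeted" or "baseline" intervention tier. The employee IDs, incident types, counts and the 80% threshold are all constructed or assumed values.

```python
"""Pareto-style concentration analysis over security incident records.

Added illustration; all data below is constructed and the field names
(`user`, `type`) are assumptions, not any real product's schema.
"""
from collections import Counter

# Constructed roster of 25 employees; most have no incidents at all.
ROSTER = [f"e{i:02d}" for i in range(1, 26)]


def _build_sample_incidents():
    """Expand a constructed per-user tally into individual incident records."""
    counts = {"e03": 14, "e07": 10, "e12": 8, "e01": 2, "e05": 2,
              "e09": 1, "e15": 1, "e20": 1, "e22": 1}
    records = []
    for user, n in counts.items():
        for i in range(n):
            # Alternate incident types so the records look like a mixed feed.
            kind = "phish_click" if i % 2 == 0 else "cred_submit"
            records.append({"user": user, "type": kind})
    return records


SAMPLE_INCIDENTS = _build_sample_incidents()  # 40 constructed records


def incident_counts(records):
    """Count incidents per user."""
    return Counter(r["user"] for r in records)


def top_risk_cohort(records, headcount, target_share=0.8):
    """Return the smallest set of highest-incident users whose combined
    incidents reach `target_share` of all incidents.

    `headcount` is the full roster size, so the cohort fraction counts
    zero-incident staff in the denominator (as the 8%/80% figure does).
    """
    counts = incident_counts(records)
    total = sum(counts.values())
    if total == 0:
        return {"cohort": [], "cohort_fraction": 0.0,
                "incident_share": 0.0, "total_incidents": 0}
    cohort, covered = [], 0
    # most_common() yields users in descending incident order.
    for user, n in counts.most_common():
        if covered >= target_share * total:
            break
        cohort.append(user)
        covered += n
    return {
        "cohort": cohort,
        "cohort_fraction": len(cohort) / headcount,
        "incident_share": covered / total,
        "total_incidents": total,
    }


def intervention_plan(records, roster, target_share=0.8):
    """Map every user on the roster to an intervention tier.

    Users in the high-risk cohort get targeted training and simulations;
    everyone else, including staff with zero incidents, stays on the
    baseline programme.
    """
    cohort = set(top_risk_cohort(records, len(roster), target_share)["cohort"])
    return {user: ("targeted" if user in cohort else "baseline") for user in roster}


if __name__ == "__main__":
    result = top_risk_cohort(SAMPLE_INCIDENTS, headcount=len(ROSTER))
    print(f"{len(result['cohort'])} of {len(ROSTER)} users "
          f"({result['cohort_fraction']:.0%}) account for "
          f"{result['incident_share']:.0%} of {result['total_incidents']} incidents")
    plan = intervention_plan(SAMPLE_INCIDENTS, ROSTER)
    print(sorted(u for u, tier in plan.items() if tier == "targeted"))
```

The denominator matters: dividing the cohort size by the number of users who had at least one incident would overstate the concentration, so the function takes the full roster headcount. Ties at the cut-off are resolved in insertion order by `Counter.most_common()`, which is acceptable for a planning view but worth noting if the output feeds an automated workflow.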
Defending against AI deception
Technology alone can't solve this new age of AI-driven cyber deception. Automation and AI-enhanced detection tools are key to innovation, but they won't foster much change without strategies that address human behavior at the same time. Organizations that combine AI-enhanced security tools with personalized human risk management will be in a much better position to fight these threats.

Advancements in employee awareness are the basis for organizational resilience. Leaders who deliver clearer guidance, tailored training, and adaptive security defenses can help their employees weather the perfect storm that arises when AI meets human nature.
Rob Juncker is Chief Product Officer at Mimecast, where he leads strategy and product management across the global portfolio. With 25+ years in security, IT, cloud, and mobile, he serves as a trusted advisor to enterprise CISOs and Fortune 500 security leaders, helping organizations shift from reactive threat response to proactive human risk management.
As former CTO at Code42 (acquired by Mimecast in 2024), Rob led the teams that built the Incydr insider risk management solution, transforming the company from an on-premises backup product to a cloud-delivered cybersecurity platform. He previously held senior R&D roles at Ivanti and VMware, driving innovation at the intersection of security, cloud, and enterprise IT.