AI-Powered Cyberattacks: What’s Changed and How to Defend Against Them

Criminals adopt new technology fast, and AI is no exception. Artificial intelligence has made cyberattacks more convincing, more automated, and harder to detect. Here’s what that looks like in practice and what you can do about it.

How Attackers Use AI

Supercharged Social Engineering

AI lets attackers gather and analyze large amounts of personal information from social media, company websites, and data breaches. They use this data to craft highly personalized phishing messages that are much harder to distinguish from legitimate communications.

Where a human might send 50 targeted phishing emails in a day, an AI system can send thousands, each one customized for its recipient.

Deepfake Audio and Video

AI-generated voice and video clones can impersonate executives, colleagues, or business partners. There have been real cases where attackers used AI voice cloning to authorize fraudulent wire transfers by mimicking a CEO’s voice over the phone.

In 2024, a finance worker in Hong Kong transferred $25 million after a video call with what appeared to be the company’s CFO and other colleagues, all of whom were AI-generated deepfakes.

Automated Attack Campaigns

AI automates the entire attack lifecycle: finding targets, crafting messages, analyzing responses, and adapting tactics based on what works. This means attacks can scale dramatically while maintaining a level of personalization that used to require manual effort.

Adaptive Evasion

AI-powered malware can modify its own behavior to avoid detection by security tools. It watches for sandbox environments, adjusts its timing, and changes its code patterns to stay under the radar.

Defending Against AI-Enhanced Attacks

Train Your People (Differently)

Traditional security awareness training needs an upgrade for the AI era:

• [ ] Update phishing examples to include AI-generated content (perfect grammar, personalized details, no obvious red flags)
• [ ] Train employees on deepfake awareness: verify unexpected video or voice requests through a separate, trusted channel
• [ ] Establish verification protocols for financial transactions that can’t be bypassed by a convincing voice or video
• [ ] Create a culture where questioning unusual requests is encouraged, even when they appear to come from leadership
• [ ] Run regular simulations that include AI-quality phishing attempts

Use AI for Defense

The same technology that powers attacks can strengthen your defenses:

• [ ] Deploy email security tools with AI-based detection that catches sophisticated phishing attempts
• [ ] Use behavioral analytics that learn what normal activity looks like and flag anomalies
• [ ] Implement identity verification solutions that go beyond passwords and can detect impersonation attempts
• [ ] Consider AI-powered security operations tools that can process alerts faster than human analysts

Layer Your Defenses

No single tool stops AI-powered attacks. Build layers:

• [ ] Email filtering and anti-phishing (first line)
• [ ] MFA on all accounts (blocks credential theft)
• [ ] EDR on all endpoints (catches malware that gets through)
• [ ] Network monitoring (detects lateral movement and data exfiltration)
• [ ] Data Loss Prevention (flags unauthorized transfers of sensitive data)
• [ ] Backup and recovery (your safety net if everything else fails)

Establish Verification Procedures

For high-value actions (financial transfers, credential changes, vendor payments), require out-of-band verification:

• [ ] Confirm requests through a pre-established phone number or in-person
• [ ] Require dual authorization for transactions above a threshold
• [ ] Never rely solely on email, voice, or video for approving sensitive actions
• [ ] Document and communicate these procedures so everyone follows them

The Bottom Line

AI has raised the quality and scale of cyberattacks. Phishing emails are harder to spot. Voice impersonation is convincing. Automated campaigns can target thousands of employees simultaneously. But the fundamentals of defense haven’t changed: verify before you trust, layer your security controls, train your people, and have a plan for when something gets through. The attacks are smarter, so your defenses need to be too.