TL;DR

• AI is actively being used to scale social engineering and automated cyberattacks, making phishing and impersonation much more effective and tailored.

• Between deepfakes, multilingual polymorphic phishing, and voice cloning, attackers now use AI to craft deception that traditional filters struggle to detect.

• Recent reports show that loss from AI-enabled scams reached record levels and that most organizations have already seen AI-driven phishing incidents.

• Defenders can’t rely on old static signatures anymore; behavioral and contextual detection, multi-factor defenses, and real-time analytics are required.

• The human element remains the weak link; awareness, adaptive training, and Zero Trust measures are the best counterweights to misused AI.

  ---

Artificial intelligence has a dual nature: it accelerates innovation for defenders, but it also gives attackers unprecedented scale and efficacy. At cybersecurity conferences like Black Hat Europe 2025, specialists highlighted that attackers are using AI to craft highly convincing social engineering content, automate parts of attack chains, and experiment with advanced tactics like data poisoning and prompt injection.

Social engineering was already among the top cyber threats pre-AI; with AI, attackers can generate personalized phishing emails, voice messages, and even video deepfakes in seconds. Traditional red flags like spelling errors, generic greetings, or awkward phrasing are disappearing because large language models synthesize professional-grade deception using public data and social profiles.

By 2026, this threat isn’t just a theory. Surveys suggest that the majority of organizations have already experienced an AI-related phishing or social engineering incident. And some estimates point to financial losses in the tens of billions tied directly to AI-enhanced scams and impersonation campaigns.

Where AI Is Powering Attacks

AI makes bad actors better at several core tactics. Firstly, social engineering at scale. Attackers now generate hundreds of unique, personalized emails or messages that read like they were written by a colleague or business partner. These messages reference actual projects, titles, and company details scraped from public sources, which markedly increases the likelihood of a victim clicking or responding.

Another evolution is multi-channel social engineering. Attackers orchestrate coordinated campaigns across email, SMS, collaboration platforms, and voice calls. This layered approach builds trust and context in the victim’s mind before the malicious payload arrives, making detection harder for channel-specific filters.

Deepfakes have moved from experimental to operational. Sophisticated synthetic media can mimic voices and faces to influence targets in real-time, whether in video calls, automated messages, or even crisis response scenarios.

Research also suggests that polymorphic campaigns, where each phishing message is unique, are outpacing signature-based defenses. By constantly varying content and structure, these attacks slip past traditional detection systems that rely on pattern recognition.

Finally, AI accelerates the automation of attack chains. Tools can now generate malicious code snippets, conduct reconnaissance, write social engineering copy, and adapt tactics based on defensive signals, all with minimal human intervention.

Why This is Worse Than Old Threats

One major problem is that many defenses still assume attacks are noisy, clumsy, or unconvincing. AI removes those hallmarks. A global survey found that less than half of users could correctly identify an AI-generated phishing attempt, with many failing basic digital literacy checks.

Another issue is deepfake misuse. Beyond text, attackers use generative systems to create realistic audio and video that impersonate trusted individuals, from CEOs to family members. These media types bypass traditional skepticism and can elicit urgent, emotional responses that lead to credential disclosure or financial loss.

AI also erodes the usefulness of static prevention training. Security awareness programs designed for legacy threats are less effective against automated, contextually rich deception. Employees trained to spot typos and suspicious links now face AI that produces flawless text with context-aware relevance.

The financial impact of these attacks is real and growing. In 2025 alone, reports estimate billions of dollars in losses tied to AI-enhanced scams, with AI-linked operations generating significantly higher revenue for attackers than traditional schemes.

Finally, AI empowers low-skill threat actors. What once required specialized training can now be executed with off-the-shelf models and prompt engineering. This democratization of offensive capability expands the threat surface dramatically.

My Perspective: Human Psychology is Still the Focal Point

If there’s one theme that emerges from the rush to weaponize AI, it’s that the human element remains the critical vulnerability. Attackers will always look for the weakest link, and no algorithm, no matter how advanced, can fully eliminate psychological trickery. AI amplifies the scale, but the entry point still depends on human behavior.

In practical terms, this means defenders cannot treat AI-misused attacks as purely technical problems. They are social problems dressed in technical wrappers. You don’t just need better filters; you need deeper behavioral insights, adaptive training that evolves with attacker tactics, and decision frameworks that help people recognize when trust is being manipulated rather than earned.

Organizations should stop thinking of phishing and social engineering as “annoyances.” They are now strategic threats that can penetrate Zero Trust perimeters, exploit lateral trust within networks, and turn your own collaboration tools into vectors of compromise. And as attackers begin to use voice, video, and cross-channel reinforcement, the old signs of “this looks fake” will disappear, replaced by “this feels familiar.” The ultimate battleground will be perception itself.

AI Toolkit: Technologies Worth Exploring

• Maskara – Gets better answers by making AI models debate each other.

• Pega – Enterprise AI for decisioning, workflows, and automation at scale.

• GoAI – An AI investment analyst that turns market noise into logic.

• Explainpaper – Highlights and explains complex research papers instantly.

• IONI – AI-driven regulatory and food-safety compliance in one system.

  ---

Prompt of the Day: Simulating an AI-Driven Attack

Act as an AI cyber threat simulator. Given a hypothetical enterprise environment (email, Slack, SMS, voice), design three AI-powered social engineering attack scenarios targeting:

1. a finance team granting payment approval,

2. an HR rep handling credentials, and

3. an engineer with elevated privileges.

For each scenario, outline the AI tactics (deepfake, multi-channel reinforcement, context scraping), the likely trigger points (keywords, timings), and one defensive control that could detect or stop it. Keep this concise and practical.