AI is lowering the barriers to cybercrime while raising the stakes for every organization.
getty
Cybercrime remains one of the most significant and costly risk management challenges facing business leaders. Despite massive investment and improved defenses, attacks on the world’s expanding digital footprint are increasing in scale and impact and are projected to reach a staggering cost of $14 trillion in 2028.
Fortunately, with the rapid emergence of artificial intelligence, the tools to defend against cyberattacks are growing in sophistication and effectiveness. AI is a welcome addition to the cyber professional’s portfolio of options to protect their organizations.
Perhaps not surprisingly, AI has also become a source of innovation for those intent on committing cybercrimes. By making attacks cheaper, faster, and easier to scale, AI is fundamentally changing the economics of cybercrime. The cybersecurity playing field has shifted quickly, and leaders must understand these new AI-driven challenges and respond with urgency.
The Cost Of Cybercrime Is Falling
Phishing and social engineering attacks are the most common forms of cybercrime today, each costing an enterprise an average of around $4 million per breach.
Unfortunately, despite admirable efforts to defend and reduce these attacks over many years, the tide has turned significantly in favor of the cybercriminal.
AI is fundamentally changing the economics of cybercrime by reducing the cost of attacks while increasing their speed, scale, and potential financial return. In a recent academic study researchers found that AI-automated phishing emails performed identically to human experts, reaching a 54 percent click-through rate, compared with 12 percent for generic phishing emails. With relative ease, AI can automate information gathering, target identification, and vulnerability assessments.
Throughout history, cybercriminals have operated under economic constraints of time, labor, expertise, and cost. AI is reducing each of those constraints simultaneously. When the cost of producing highly convincing phishing campaigns falls while effectiveness remains high, attackers gain a significant economic advantage. As a result, AI is reshaping the economics of cybercrime.
For example, spear phishing, emails customized and sent to specific individuals, used to require substantial human effort. However, AI has made these emails, which often have a higher attack success rate, easier to produce and deliver at scale.
Similarly, another research study concluded that generative AI could be successfully used to reduce the cost and increase the impact of social engineering schemes, by supporting content creation, enhanced targeting and personalization, and attack automation.
Collectively, these studies show that AI is becoming a force multiplier for cybercriminals, enabling attacks to be launched more efficiently, at lower cost, and at far greater scale.
Keeping The Front Door Closed Gets Harder
Phishing is particularly difficult for a business to defend against. Unlike other attacks which target networks, systems, and applications, phishing typically begins with what appears to be a legitimate email.
Traditionally, employees have been trained to look for poor spelling and grammar, unusual formatting, and other obvious clues to suggest that the email may not be authentic. For vigilant employees, these subtle giveaways have helped to reduce the risks phishing emails pose.
However, AI is diminishing these revealing signals by not just producing more authentic-looking phishing emails, but by understanding and leveraging the existing processes and details of the business.
For example, a finance employee may receive an email that appears to come from a senior executive providing urgent instructions about a real project that requires payment be made to a specific bank account. It’s not a new type of attack, but AI makes it significantly more convincing by exploiting trust, organizational workflows, and internal knowledge.
Some may recall the now infamous Hong Kong cyberattack where an employee joined a video conference and was instructed by the CFO to deposit $25 million into different bank accounts only to learn later that everyone on the video call were AI-generated deepfake impersonations.
As AI-generated communications become increasingly convincing, employees will find it much harder to distinguish legitimate business requests from sophisticated deception. That creates a growing leadership challenge because traditional awareness training alone is no longer sufficient.
Action cannot be delayed and some immediate steps should be taken.
A 5-Step Action Plan For Leaders
AI-enhanced deception must be viewed as a growing business risk, rather than simply a cybersecurity awareness challenge. Countermeasures must become a leadership priority, and organizations should act without delay.
Here are five actions that leaders should consider immediately:
- Training: Employee training in all its forms; manuals, online, and classroom, must be updated to reflect the new reality of AI-driven cyberattacks. Particular attention should be given to phishing and social engineering which, as a result of AI, have much less of the obvious signatures of deception.
- Process Controls: Evaluate common business processes such as payments, access to sensitive data, and workflow approvals, to ensure there are sufficient controls in place to flag and mitigate more sophisticated social engineering attempts.
- Simulations: Increase the focus on testing incident response plans through tabletop exercises and online simulations related to AI-powered scenarios. Ironically, the use of AI to generate and manage these simulations will likely offer a robust and efficient approach.
- Defensive Tools: Upgrade or replace outdated secure email gateways and other tools used to identify and block malicious traffic with those optimized with AI for AI-powered cyberattacks.
- Governance: Incorporate insight and guidance around AI cyberattacks to relevant organizational governance structures such as innovation, risk management, and digital trust.
AI Raises The Stakes For Defenders
The rapid emergence of AI, particularly generative AI since 2022, has had a profound impact on the way individuals and organizations work, with the biggest changes still ahead.
Sadly, however, it’s a truism that with most new technology created for the benefit of society and business, someone will find a way to use it for malicious purposes. AI is one of those technologies.
Cybercriminals have quickly discovered that AI changes the economics of their efforts. They can execute faster, at a greater scale, and extract more profit. This means the risk posed by cyberthreats, particularly phishing and social engineering, has changed dramatically.
While leaders have more AI-driven tools to defend their businesses from cybercrimes, they also have the challenge of protecting them from more effective attacks. Organizations that fail to recognize how AI is reshaping the economics of cybercrime risk preparing for yesterday’s threats instead of tomorrow’s.
This article was co-authored with Dr. Atdhe Buja, Associate Professor in the Department of Computer Science, Math, and Digital Forensics at Commonwealth University of Pennsylvania.

