.jpg)
1 hour ago
3
Article content
New Osterman Research reveals phishing and BEC attacks have been “reset” by AI, with finance teams most vulnerable and existing defenses proving inadequate
THIS CONTENT IS RESERVED FOR SUBSCRIBERS ONLY
Subscribe now to read the latest news in your city and across Canada.
- Exclusive articles from Barbara Shecter, Joe O'Connor, Gabriel Friedman, and others.
- Daily content from Financial Times, the world's leading global business publication.
- Unlimited online access to read articles from Financial Post, National Post and 15 news sites across Canada with one account.
- National Post ePaper, an electronic replica of the print edition to view on any device, share and comment on.
- Daily puzzles, including the New York Times Crossword.
SUBSCRIBE TO UNLOCK MORE ARTICLES
Subscribe now to read the latest news in your city and across Canada.
- Exclusive articles from Barbara Shecter, Joe O'Connor, Gabriel Friedman and others.
- Daily content from Financial Times, the world's leading global business publication.
- Unlimited online access to read articles from Financial Post, National Post and 15 news sites across Canada with one account.
- National Post ePaper, an electronic replica of the print edition to view on any device, share and comment on.
- Daily puzzles, including the New York Times Crossword.
REGISTER / SIGN IN TO UNLOCK MORE ARTICLES
Create an account or sign in to continue with your reading experience.
- Access articles from across Canada with one account.
- Share your thoughts and join the conversation in the comments.
- Enjoy additional articles per month.
- Get email updates from your favourite authors.
THIS ARTICLE IS FREE TO READ REGISTER TO UNLOCK.
Create an account or sign in to continue with your reading experience.
- Access articles from across Canada with one account
- Share your thoughts and join the conversation in the comments
- Enjoy additional articles per month
- Get email updates from your favourite authors
Sign In or Create an Account
or
Article content
ATLANTA — In a stark warning for enterprise security, a new study from Osterman Research commissioned by IRONSCALES reveals that 88% of organizations experienced at least one security incident that undermined trust in digital communications over the past 12 months. The culprit: AI-powered phishing attacks leading a renaissance of threats that legacy security tools were never designed to stop.
Article content
Article content
Article content
The research report, Restoring Trust in Business Communications, surveyed 128 cybersecurity decision-makers and exposes a dangerous gap: while 82% report heightened threat actor interest in exploiting trusted communications, 60% lack confidence in their ability to counter deepfake attacks effectively.
Article content
By signing up you consent to receive the above newsletter from Postmedia Network Inc.
Article content
The Phishing Renaissance: AI Resets the Threat Curve
Article content
“The threat curve just got reset,” said Michael Sampson, Principal Analyst at Osterman Research. “Even ‘solved’ attack types like phishing and business email compromise have become immature again. BEC attacks from 2025 bear little resemblance to those from 2020—they’re now hyper-personalized, multi-channel, and can be launched autonomously at scale.”
Article content
Despite already experiencing high breach rates, the worst may be yet to come. When asked about the maturity of AI-enhanced attacks already hitting their organizations, respondents believe threat actors are still in early stages:
Article content
- 28% say AI-generated phishing is just getting started
- 25% say the same about deepfake audio attacks
- 28% believe deepfake video attacks remain nascent
Article content
In other words, organizations are already being breached at alarming rates (88% of organizations experienced at least one security incident that undermined trust in digital communications over the past 12 months) that haven’t reached full maturity.
Article content
Traditional indicators that employees and security systems relied upon—grammar errors, suspicious sender addresses, generic language—have been eliminated by AI. Anyone can now craft perfect attacks in any language, personalization happens at scale, and attacks now come through email, phone, video, and collaboration platforms simultaneously.
Article content
Finance Teams in the Crosshairs
Article content
The research identifies a perfect storm of vulnerability for finance departments: they’re the highest-priority target for threat actors (59% of organizations rate them as “high” or “extreme” priority targets) while simultaneously being the employee group organizations are most concerned about (59% express high concern about their readiness to defend against trust-based attacks).
Article content
“Finance teams control the money, so they’re priority number one for attackers,” noted Audian Paxson, Principal Technical Strategist at IRONSCALES. “But cybersecurity leaders report the lowest confidence in these teams’ ability to spot sophisticated BEC and impersonation scams. That gap is getting exploited daily.”
Article content
Article content
Over 33% of organizations saw threat actors successfully masquerade as trusted vendors to steal funds or information in the past year, with vendor impersonation attacks increasing significantly (13% reporting major increases year over year).
Article content
Legacy Tools Failing at Scale
Article content
Perhaps most alarming: nearly one in five security leaders state security awareness training is proving ineffective against AI-enhanced threats. Current training approaches for preparing employees to detect attacks that weaponize trust are proving ineffective for many organizations. Training on detecting attacks using deepfake audio and video are particularly ineffective. In total, respondents rated the following from “not at all effective” to “moderately effective”:
Article content
- 38% for detecting deepfake audio attacks
- 39% for detecting deepfake video attacks
- 43% for detecting AI-generated phishing
Article content
“Legacy email protections are too blunt an instrument to recognize the subtle indicators of modern AI-powered attacks,” said Sampson. “Organizations can no longer trust these legacy solutions to protect against threats that didn’t exist when they were designed.”
Article content
Organizations Prepared to Take Immediate Action
Article content
The crisis is driving reassessment of security strategies. The research found that 70% of organizations now consider detecting deepfake audio impersonation attacks “extremely important,” the highest priority increase measured. Additionally:
Article content
- 70% are willing to add best-in-class point solutions to address gaps
- 68% are willing to change vendors entirely
- 70% are willing to replace their entire security technology stack
Article content
The Cost of Failure
Article content
The cost of inaction is clear: 55% of security leaders say failing to defend against these trust-exploiting attacks significantly increases data breach likelihood. The damage compounds from there – reduced productivity, compromised customer communications, and operational disruption.
Article content
About the Research
Article content
The study surveyed 128 professionals with direct responsibility for managing cybersecurity posture at U.S. organizations with 1,000-5,000 employees across all industries during September-October 2025. The complete report, Rebuilding Trust in Digital Communications, is available at https://ironscales.com/rebuilding-trust-in-digital-communications-report-download.
Article content
About IRONSCALES
Article content
IRONSCALES is the leader in AI-powered email security protecting over 17,000 global organizations from advanced phishing threats. As the pioneer of adaptive AI, we detect and remediate attacks like business email compromise (BEC), account takeovers (ATO), and deepfake attacks that other solutions miss. By combining the power of AI and continuous human insights, we safeguard inboxes, unburden IT teams, and turn employees into a vital part of cyber defense across enterprises and managed service providers. IRONSCALES is headquartered in Atlanta, Georgia. To learn more, visit www.ironscales.com or follow us on LinkedIn.
Article content
Article content
Article content
Article content
View source version on businesswire.com:
Article content
Article content
Article content
Contacts
Article content
Media Contact:
Article content
Article content
Douglas De Orchis
Article content
Article content
Scratch Marketing + Media for IRONSCALES
Article content
Article content
Article content
Article content
English (US)