executive summary
- what’s new: Organizations across industries are facing the exponential growth of AI-powered social engineering scams. This is a targeted campaign that leverages AI to create persuasive text, audio, and video communications, and attacks are surging in both volume and sophistication.
- Why it’s important: A single successful attack can trigger data breach notification requirements, regulatory investigations, civil litigation, and lasting reputational damage, with the average global cost of a data breach in the millions of dollars.
- What to do next: Organizations should consider training employees on deepfake recognition, strengthening financial controls with multi-person approval for wire transfers, maintaining robust incident response plans, and ensuring adequate insurance against AI-powered fraud.
__________
Organizations across industries are facing the exponential growth of AI-powered social engineering fraud. This is a highly targeted campaign that leverages artificial intelligence (AI) to trick specific individuals within an organization into divulging sensitive information, authorizing fraudulent transactions, or gaining unauthorized access to critical systems.
Tasks that once required considerable skill and time are now automated and scalable. The rapid proliferation of generative AI tools has enabled threat actors to create highly persuasive communications that include realistic text, audio, and video, leading to a surge in both the volume and sophistication of attacks.
The average cost of a data breach in the United States in 2025 was $10.22 million, an all-time high. The FBI reported that total cybercrime losses in 2025 will exceed $20 billion, including more than $3 billion related to business email compromise complaints, and noted that the number and scale of cybercrime continues to increase. According to an April 2026 report by security firm KnowBe4, phishing attacks increased by 17.1% compared to the previous six months.
For organizations across sectors, the impact goes far beyond direct financial losses. A single successful attack can cause the following:
- Data Breach and Cyber Notification Obligations.
- Regulatory research.
- Civil litigation.
- Permanent reputational damage.
Main trends and commonalities
There are several notable trends that characterize the current threat landscape.
- Content generation using AI. Threat actors are increasingly deploying deepfake audio and video techniques that leverage publicly available audio, handwriting, and other information to imitate known contacts. In May 2025, the FBI issued a public advisory warning that malicious actors were conducting sophisticated campaigns impersonating U.S. government officials in both text and AI-synthesized voice channels to lure recipients to malicious links under the guise of transitioning to a secure platform.
- Impersonation targeting senior executives. Threat actors often impersonate senior organizational leaders as their first hook, exploiting the possibility that employees’ instincts to follow strict hierarchies and authority may prevent them from double-checking instructions they believe come from their superiors. In addition to the deepfake techniques described above, large-scale language models allow attackers to generate sophisticated and convincing fraudulent emails at scale, leveraging publicly available data from sources such as LinkedIn and corporate websites to tailor attacks to specific recipients. Attackers can use publicly available information, such as details about an organization’s loan agreements, board structure, and even handwriting samples, to instill trust in victims. In addition to senior executives, threat actors often impersonate trusted third-party advisors, such as outside attorneys, by using spoofed domains that closely resemble legitimate email addresses, fake letterheads, and phone numbers with appropriate country or area codes.
- Impersonation of IT staff. Threat actors also often call individuals within an organization, pretending to be someone from the organization’s IT desk. By requesting a multi-factor authentication (MFA) token from an individual, an attacker can bypass MFA credentials and gain full access to the system.
- Fabricated requirements of urgency and confidentiality. These plans are often driven by urgent or confidential financial requirements. Targeted employees may be required to sign non-disclosure agreements to facilitate sensitive M&A transactions and to keep the matter confidential from other members of the organization. This may include purported regulatory requirements, impending structural changes or layoffs, the urgent need to pay a ransom, or similar excuses to prevent employees from consulting senior colleagues or the legal department or questioning apparent discrepancies.
Legal and regulatory implications
For companies subject to Securities and Exchange Commission (SEC) disclosure obligations (including foreign private issuers), the SEC’s cybersecurity disclosure rules require disclosure of material cybersecurity incidents, generally within four business days of a determination of materiality. The SEC is also pursuing enforcement actions against companies that have made misleading disclosures about cybersecurity risks.
A successful attack that results in unauthorized access to personal data, financial records, or other sensitive information may result in breach notification obligations under federal, state, and international law. Sector-specific regulations such as financial institutions and medical institutions also apply.
For financial institutions in the European Union, the Digital Operational Resilience Act (DORA) requires them to provide initial notification within four hours of deeming an incident significant and within 24 hours of first discovering the incident. Data exposed through unauthorized access to systems will be classified as a serious incident under DORA, and the UK Financial Conduct Authority (FCA) will expect similar notifications and updates.
The General Data Protection Regulation (GDPR) and other privacy laws around the world also require notification to regulators and, in many cases, individuals following a data breach.
Additionally, organizations that suffer a significant breach may face regulatory scrutiny regarding the adequacy of their pre-incident cybersecurity and data protection programs, internal controls, and incident response protocols. Organizations must be able to demonstrate that they have appropriate technical and organizational measures in place to protect data, including cyber defences, data deletion, and staff training.
If an incident results in falsification of invoices or books, or inaccurate financial reporting to external stakeholders such as auditors, the risk of regulatory scrutiny increases. To mitigate these risks, regulators and law enforcement agencies increasingly expect organizations to implement risk-based governance, multi-layered technical controls, robust identification procedures, effective incident response capabilities, and appropriate board and executive oversight, rather than just awareness programs.
If these attacks result in fraudulent wire transfers or misappropriation of funds, organizations may face issues related to civil liability, insurance coverage, and local law considerations. The involvement of nation-state actors in a particular campaign may further implicate sanctions and export control considerations. Organizations should consult legal counsel as soon as they discover an incident to ensure privileges are maintained and all legal obligations are met.
Best practices and recommendations
In light of the evolving threat environment, organizations should consider the following measures to reduce risk and strengthen their defenses:
Employee training and awareness. Organizations should implement regular mandatory training programs that take into account current trends and specifically focus on recognizing deepfakes and recognizing AI-generated communications. These programs should be complemented with role-specific, targeted training for senior executives, financial personnel, and information technology (IT) staff, who are high-value impersonation targets. Organizations should also consider training on policy implementation and practical defense strategies such as callback procedures and preset codewords.
Escalation and reporting protocols. Suspicious requests, especially those involving urgency, confidentiality, or deviations from established procedures, should be immediately escalated to a supervisor, security team, or legal department. Organizations must clearly communicate reporting channels and foster a “speak up” culture. Employees should understand that their organization never expects them to transfer funds externally without the involvement of multiple senior officials, and they should never sign non-disclosure agreements or other agreements without review by the legal team.
Oversight of the Board of Directors. Organizations should ensure that their boards are well-briefed on cyber trends and risks and provide sufficient oversight. Regulators in various jurisdictions expect directors to understand the risks and be actively involved in cybersecurity oversight.
Financial management. Organizations require multiple approvals for wire transfers and set high approval thresholds for transfers over a specified amount. All financial requests received via email must be verified through an independent, secondary channel, such as a secure messaging platform or callback to a known phone number. Organizations should also work with their banks to ensure that transfers over a certain amount or to specific jurisdictions or bank accounts trigger secondary verification protocols and send notifications to multiple individuals within the organization.
Technical safeguards. Organizations must complement traditional email filtering with new content-focused detection technologies, including AI-driven prevention tools that can identify anomalous communication patterns that evade traditional security controls. Organizations should also re-evaluate their multi-factor authentication implementations in light of recent bypass techniques.
Insurance applicable. Many cyber insurance policies include social engineering sublimits that organizations should be aware of. Organizations must ensure that their insurance coverage extends to AI-enabled social engineering fraud and other cybercrime and is sufficient to cover losses that can exceed $10 million and the significant associated costs of investigating and remediating an incident.
Prepare for incident response. Organizations should maintain a robust incident response plan that provides for clear escalation and early involvement of legal counsel to ensure that legal privilege over investigation-related materials and findings is maintained and that the organization’s various legal obligations are considered and fulfilled. These plans should be tested regularly through tabletop exercises and updated to reflect the latest threat intelligence. Organizations should also consider adopting policies that clearly require all employees to cooperate with internal investigations, including providing information and devices used for business communications (such as personal devices).
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended to be, and should not be construed as, legal advice. This Memorandum is considered advertising under applicable state law.
