Not long ago, a company held a conference call with a key vendor that included a dozen executives. The call was to create a repayment structure and schedule for a $2.6 million debt. A $750,000 installment arrangement was agreed to for the following Monday and was then shared with the call participants in a group email.
That Friday, a request came through that same legitimate email chain, citing delays in the process and asking for the payment to be made directly to another vendor’s bank. The message contained the new banking information.
No one on the email chain questioned the request or picked up the phone to verify it. The company’s employees simply made the transfer, unaware that a threat actor had compromised the vendor employee’s email account and joined the email chain to request the change.
Fortunately, the business owner reacted quickly: their security firm was contacted and stepped in, and it in turn contacted the U.S. Secret Service’s Cyber Fraud Task Force, whose agents stopped the victim’s $750,000 from leaving the bank.

These types of incidents—increasing in both frequency and severity—serve as important lessons about today’s cyber threats, including the growing role of phishing in business email compromise, ransomware and other network attacks. Even if a message comes from a legitimate email address, no user should assume the email is legitimate. Today’s professionals must always assume something nefarious is happening in situations like these.
Awareness Is No Longer Enough
Law enforcement made significant strides against cybercrime in 2024, including multiple high-level arrests and the takedowns of major international cybercriminal groups. Despite these commendable efforts, 2024 also presented record-breaking case activity both in terms of the number of new victims and the severity of the cases remediated.
According to Verizon’s 2025 Data Breach Incident Report, ransomware attacks rose 37% in 2024. These attacks disproportionately affected smaller organizations. There were some bright spots around ransom payments, because the median ransom paid decreased to $115,000 from $150,000 in 2023. Verizon also reported that 64% of victims did not pay a ransom demand, a 15% increase in payment resistance from two years ago.
Recently, the state of Alabama suffered a significant attack, just days after the venerable Harrods department store in London was compromised. Yale New Haven’s healthcare system also saw a major compromise, as did car rental giant Hertz. Even Skyward Specialty Insurance was reportedly hit, proving no industry is immune. Add artificial intelligence to the mix, and the risks grow exponentially. Last year, for example, fraudsters used an AI deepfake video call to steal $25 million from the U.K. engineering firm Arup.
Even with threat actor advancements, old-fashioned phishing is still the number one tactic cybercriminals use to gain control of a victim’s IT infrastructure. According to the Verizon report, 57% of attacks are enabled by phishing, and other researchers report the number is as high as 90%.
Once the threat actors are in a system, they can use embedded AI tools like Microsoft Copilot to efficiently extract volumes of information and potentially hold a company hostage. No organization is safe.
AI’s stealthy ability to move inside a network is one of today’s greatest threats. AI-enabled threat actors can quietly live off the land inside a network in ways less sophisticated threat actors cannot. AI can run undetected as it steals data, searches for vulnerabilities and writes code on the fly to exploit them. It can search through files and emails for details on users and operations to mimic the tone and language an employee might use. This information allows the threat actor to craft highly tailored spoof emails or deepfake video calls like the one that fooled Arup.
Although AI is not yet used in cyberattacks as extensively as the severity of those attacks might suggest, it is estimated that by 2027, 17% of all cyberattacks will involve generative AI.
The Tool of Tech Enemies Can Be Your Friend
The growing use of AI to create professional and individually tailored phishing campaigns means companies cannot hope to rely on executives and employees to accurately identify misspelled words, awkward phrasing or suspect email addresses and domains. As offensive AI progresses, the only counter to it will be defensive AI, which can analyze and respond at the speed of the attacker.
Claims managers can play a role in educating clients about how to avoid cyberattacks and how to respond when they happen. By working closely with cybersecurity providers and remaining up to date on current cyber threats, claims managers can be a positive source of actionable advice.
The continued prominence of phishing and other social engineering schemes shows that training should be a primary effort, but technical safeguards such as filtering and administrative controls are required to backstop that training. It only takes one wrong click for a threat actor to infiltrate a network.
That means human intervention is also necessary; emails like the one above that nearly cost a business $750,000 should be met with skepticism and verification, such as a follow-up call to confirm any unusual change.
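The verification step described above can be enforced as a control rather than left to individual judgment: a payment instruction that arrives by email and changes where money goes is held until someone confirms it through a channel the email could not have supplied. The following is an added example, not code from the article or from any firm it names; the vendor record, the requests and the phone numbers are constructed sample data, and the function and field names are the author of this example's own.

```python
"""Out-of-band verification gate for vendor bank-detail changes (constructed example).

A request that redirects payment to a new account is released only after a
callback to the phone number already on file for the vendor, never to a number
the message itself supplies.  All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VendorRecord:
    name: str
    bank_account: str     # account set up at onboarding, before any email request
    callback_phone: str   # number recorded at onboarding; never taken from a message


@dataclass
class PaymentRequest:
    vendor: str
    amount_usd: int
    bank_account: str                          # account the message asks us to pay
    channel: str                               # "email", "portal", ...
    phone_in_message: Optional[str] = None     # any contact number the message offers
    callback_number_used: Optional[str] = None # number accounts payable actually dialled
    reasons: List[str] = field(default_factory=list)


def assess(req: PaymentRequest, master: Dict[str, VendorRecord]) -> str:
    """Return 'RELEASE' or 'HOLD' for one request and record the reasons on it."""
    vendor = master.get(req.vendor)
    if vendor is None:
        req.reasons.append("no vendor record on file")
        return "HOLD"

    changed = req.bank_account != vendor.bank_account
    if changed:
        req.reasons.append("requested account differs from account on file")
    if req.phone_in_message and req.phone_in_message != vendor.callback_phone:
        # A message that supplies its own "call me to confirm" number is logged
        # so reviewers notice it; confirmation still has to use the number on file.
        req.reasons.append("message supplies a contact number not on file")
    if not changed:
        # Paying the account already on file: nothing to verify out of band.
        return "RELEASE"

    # The change arrived through the same channel an intruder could be reading,
    # so only a callback to the independently recorded number clears the hold.
    if req.callback_number_used is None:
        req.reasons.append("awaiting callback to number on file")
        return "HOLD"
    if req.callback_number_used != vendor.callback_phone:
        req.reasons.append("callback made to a number not on file")
        return "HOLD"
    req.reasons.append("change confirmed by callback to number on file")
    return "RELEASE"


# Constructed vendor master record (hypothetical vendor, account and number).
MASTER = {
    "Acme Supply": VendorRecord("Acme Supply", "US-ACME-0001", "+1-555-0100"),
}


def run_scenarios() -> Dict[str, str]:
    """Four constructed requests following the pattern the article describes."""
    scenarios = {
        # Installment to the account already on file: no change, released.
        "unchanged": PaymentRequest("Acme Supply", 750_000, "US-ACME-0001", "email"),
        # Same thread now asks for a new account and offers its own phone number.
        "redirected": PaymentRequest("Acme Supply", 750_000, "US-OTHER-9999", "email",
                                     phone_in_message="+1-555-0199"),
        # Someone "verified" by calling the number the message supplied.
        "redirected_wrong_callback": PaymentRequest(
            "Acme Supply", 750_000, "US-OTHER-9999", "email",
            phone_in_message="+1-555-0199", callback_number_used="+1-555-0199"),
        # Verified by calling the number recorded at onboarding.
        "redirected_confirmed": PaymentRequest(
            "Acme Supply", 750_000, "US-OTHER-9999", "email",
            phone_in_message="+1-555-0199", callback_number_used="+1-555-0100"),
    }
    return {name: assess(req, MASTER) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The design point is that the confirmation channel is chosen from the vendor record, not from the message under review, so an intruder who controls the email thread cannot also control the verification.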
Networks must also be constructed using heavy segmentation and zero trust. Multi-factor authentication should be enabled on all forms of access and administration, not just logon. By doing this, a threat actor must get past layers of access controls on systems and applications, not just find their way into a network.
AI adoption can help protect a system but is by no means perfect. Users, developers and administrators must understand the potential vulnerabilities these tools introduce. Some threat actors are behind bars, and their networks have been shut down or disrupted. Millions of businesses now have backups, disaster recovery plans and incident response plans that enable them to avoid paying a ransom, but the attacks continue.
Cybersecurity experts and insurers can help safeguard systems against attacks and help clients remain up to date on the threats in this rapidly changing landscape.
McDonald is chief operating officer and chief information security officer of Alvaka, where he has served for more than two decades. He is a member of industry and law enforcement organizations including the High-Tech Crimes Investigations Association, FBI Infragard, DHS CISA UAV Working Group and GTIA’s Global Cybersecurity Task Force. Email: [email protected].