By Nick Stafford//October 23, 2025//
Businesses have countless technology tools at their disposal to protect systems, software and processes, but cybercriminals are likewise harnessing digital advances to breach defenses. Generative artificial intelligence has made threats more difficult to discern, but the battle is not lost. Businesses can stay ahead of threats by staying informed, developing a plan and prioritizing ongoing training.
New cybersecurity scams keep joining a growing list of business threats, and fraudsters now armed with generative AI are ready to exploit vulnerabilities. Phishing emails, once identifiable by their awkward phrasing and obvious typos, are becoming more realistic and convincing. In business email compromise (BEC) attacks, hackers with control of a worker’s email have access to correspondence to feed AI, thus producing more authentic-sounding communications with which to garner sensitive information. BEC scams are hard to spot since emails appear from a trusted source, and AI is making detection more difficult.
Other AI-assisted scams are also increasingly challenging to identify. For vishing attacks, only a short audio clip is needed to impersonate an individual’s voice, enabling scammers to pose as a superior requesting an urgent payment action. Visual evidence can’t be relied upon, either, considering advances in AI-generated photos and videos. Last year, a finance professional of a multinational firm was famously duped into paying $25 million to fraudsters following a video call with colleagues, all of whom were deepfakes.
Larger businesses typically invest heavily in robust cybersecurity plans, complete with regular trainings to reinforce best practices. While smaller businesses may not have the luxury of investing as heavily in such programs, a basic plan and protocols can be instrumental. Fundamental security steps can help keep bad actors out, and additional training can help identify and stop attackers in their tracks.
1. Maintain systems, software, devices
Regular technology maintenance thwarts intrusion by addressing vulnerabilities before they invite issues. Keeping business systems, software and devices current involves enabling routine scans, running regular updates and installing recommended security patches.
2. Set a strong perimeter
Firewalls on computers, routers and other devices should be enabled and configured properly. A properly configured firewall decides which connections knocking at the digital door should be let in and which should be turned away.
3. Develop protocols for payments
Instituting protocols for specific payment scenarios can help reduce the risk of fraudulent transactions. The ability to initiate ACH or other transactions could be limited to authorized individuals, and permission levels could be set for certain dollar amounts.
4. Confirm payment changes are authentic
Any change in wire or deposit instructions received by email or otherwise should be authenticated verbally through a known channel, such as a vendor’s phone number on file.
5. Introduce redundancy for added confidence
Purchases or payment requests exceeding certain amounts should be verified through a secondary form of trusted communication, such as by calling a known number or even confirming in person.
6. Create rules for one-off requests
Additional rules may be required for seemingly benign requests, like the purchase of gift cards, to ensure even small amounts don’t provide an entry for abuse.
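Steps 3 through 6 above describe one approval procedure: limit who may initiate a payment, confirm any change of instructions verbally through a number on file, require a second trusted channel above a dollar threshold, and treat one-off request types such as gift cards as always needing sign-off. The following is an added example, not code from the article or from ICCU, showing how those rules can be encoded as a single policy check so that no request reaches the payment system with a missing verification. The names, dollar thresholds and request types are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed policy for illustration; the thresholds and names are assumptions,
# not figures from the article.
POLICY = {
    # who may initiate ACH/wire transfers, and the largest amount each may initiate (step 3)
    "initiator_limits": {"alice": Decimal("5000"), "bob": Decimal("50000")},
    # above this amount a second trusted channel must confirm the request (step 5)
    "secondary_confirmation_over": Decimal("10000"),
    # request types that always need explicit manager approval, whatever the amount (step 6)
    "always_review": {"gift_card"},
}


@dataclass
class PaymentRequest:
    requester: str
    amount: Decimal
    payee: str
    kind: str = "invoice"               # e.g. "invoice" or "gift_card"
    instructions_changed: bool = False  # new wire/deposit details arrived with this request
    verified_by_callback: bool = False  # confirmed verbally via the number on file (step 4)
    secondary_confirmed: bool = False   # confirmed through a second trusted channel (step 5)
    manager_approved: bool = False      # explicit sign-off for one-off request types (step 6)


def evaluate(req: PaymentRequest, policy: dict = POLICY) -> list[str]:
    """Return every reason the payment must be held; an empty list means it may proceed.

    All rules are checked, not just the first failing one, so the reviewer sees
    the complete set of missing verifications at once.
    """
    holds: list[str] = []

    limit = policy["initiator_limits"].get(req.requester)
    if limit is None:
        holds.append(f"{req.requester} is not authorized to initiate payments")
    elif req.amount > limit:
        holds.append(f"amount {req.amount} exceeds {req.requester}'s limit of {limit}")

    if req.instructions_changed and not req.verified_by_callback:
        holds.append("changed payment instructions were not verbally confirmed via the number on file")

    if req.amount > policy["secondary_confirmation_over"] and not req.secondary_confirmed:
        holds.append("amount requires confirmation through a second trusted channel")

    if req.kind in policy["always_review"] and not req.manager_approved:
        holds.append(f"{req.kind} requests require explicit manager approval")

    return holds


# Constructed sample requests (not real transactions).
SAMPLE_REQUESTS = [
    PaymentRequest("alice", Decimal("1200"), "Acme Supplies"),
    PaymentRequest("carol", Decimal("100"), "Acme Supplies"),
    PaymentRequest("bob", Decimal("20000"), "Acme Supplies", instructions_changed=True),
    PaymentRequest("alice", Decimal("200"), "Gift Card Store", kind="gift_card"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        holds = evaluate(req)
        status = "RELEASE" if not holds else "HOLD"
        print(f"{status}: {req.requester} -> {req.payee} {req.amount}")
        for reason in holds:
            print("   -", reason)
```

The third sample request illustrates the BEC pattern the article warns about: an otherwise authorized requester, a large amount and freshly changed deposit instructions. The check holds it for two separate reasons, so a single skipped phone call is never enough to let it through.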
7. Promote strong passwords
Strong passwords are key to protecting computer and account access. They should never include personal information that could easily be found online; a password should be something only the employee knows. Reputable password managers can also help.
8. Implement multifactor authentication
Enabling two-factor authentication whenever possible can create more friction for potential scammers. It is much more difficult for a scammer to obtain both a password and a device to verify a stolen login.
9. Approach unsolicited communications with caution
Any unsolicited emails and texts should be approached with skepticism. Rather than click links, staff should type in known website addresses or call a known number to verify a communication’s legitimacy.
10. Follow gut feelings
Employees who feel uneasy about unusual or unexpected requests should trust their instincts and alert their managers. Verifying authenticity up front could save significant time and money.
Developing an information security policy is a critical first step in identifying potential threats and how to respond. However, a policy is only as good as how well it is understood and internalized. Everyone has a part in mitigating risk and reinforcing security, and together, they make it harder for attackers seeking a way in.
Habitually reviewing a cybersecurity policy and providing training opportunities can help keep best practices top of mind. This regular attention can also help ensure that a policy gets updated as new threats emerge since scammers are always evolving their tactics.
Ultimately, businesses want to protect what they have built — assets, reputation, employees and customers — and they put systems in place to keep threats out. Deception capabilities may be growing with AI and other advances, but investing time and attention to fundamental security practices remains an effective defense.
Nick Stafford is the chief security officer for ICCU, which helps its members achieve financial success while also helping to keep their finances safe and secure. More information is at www.iccu.com/security.