How to Protect Staff From AI-Powered Social Engineering Scams

A series of high-profile cyberattacks have highlighted how widespread the risk has become. As cybercriminals increasingly utilise AI-powered social engineering techniques to manipulate employees and bypass traditional security controls, organisations across all sectors are facing a more complex threat landscape.

Marks & Spencer, Jaguar Land Rover and even nursery schools have found themselves targeted by bad actors, exposing everything from customer information to sensitive family data.

Phishing, fraud and malware are all on the rise, underscoring the essential role of robust data protection in every organisation. The rise of artificial intelligence is making cybercrime, and social engineering scams in particular, even harder to defend against.

In this article, a team of data protection specialists at The DPO Centre take a closer look at how AI-powered social engineering scams work and what organisations can do to defend against them.

Why Social Engineering Works

At its core, social engineering isn’t about taking advantage of patchy code or software loopholes – it targets the people operating those systems. Criminals manipulate trust: sending emails that appear to come from your finance director, calling while posing as your IT team, or even creating convincing video messages from senior executives.

What makes these types of attacks so dangerous is how legitimate they seem. Unlike brute-force hacks, these attacks slip past technical defences because the true “entry point” is human behaviour. All it takes is one distracted click or hurried response for the attack – and damage – to take hold.

How AI Is Changing Social Engineering

The concept of social engineering is far from new, and most businesses will recognise the classic signs – clumsy phishing emails riddled with spelling mistakes. However, AI has given the face of these scams a fresh lick of paint, and today, they can be polished to near-perfection – tailored to your industry, written in your company’s tone of voice, and delivered at scale.

We’re now seeing phishing emails that are so well-crafted they could have been written by your own comms team, free of awkward phrasing or obvious red flags. These are becoming increasingly difficult to identify and therefore pose a greater threat to organisations.

Deepfakes, Vishing and Impersonation

Phishing emails remain one of the most common attack methods, but AI is also driving the rise of sophisticated vishing (voice phishing) attacks. Criminals can now use AI-generated voices to impersonate executives, suppliers, or IT personnel, creating a greater sense of urgency and legitimacy.

Deepfake technology also enables criminals to convincingly mimic the voices and appearance of senior leaders, increasing the likelihood that employees will approve payments, share sensitive information, or bypass established security procedures.

Scraping tools – once limited in scope – can now operate at a much broader scale, compiling detailed profiles of employees from LinkedIn posts, press releases, and even unrelated social media chatter. Likewise, AI-powered chatbots can adjust tone in real time when someone hesitates, making the exchange feel like a natural conversation rather than a script.

The Business Impact

For Marks & Spencer, the attack caused a loss in customer trust. For Land Rover, the focus was operational continuity. In the case of the nursery school breach, it was safeguarding children’s data. Different sectors and different attack vectors – but the risks are much the same: financial loss, regulatory penalties, and reputational damage that lingers long after the headlines fade.

So, what can businesses do to protect themselves from these types of scams? The answer doesn’t lie in any one piece of technology, but rather a multi-layered defence strategy.

Protecting Your Organisation

There are several strategies you can implement to help protect your organisation, employees and customers from AI-powered social engineering scams. These include:

Building Employee Awareness

As with many risks in business, awareness comes first. Staff need to recognise the tactics commonly used in AI-powered social engineering attacks, including urgency, authority, fear, and impersonation. Employees should feel empowered to pause, verify requests through a secondary channel, and challenge unusual instructions regardless of who appears to have sent them.

Don’t Just Train, Test

Training alone isn’t enough. Phishing simulations might feel uncomfortable to deploy, but they reveal how employees would react in the moment, and you can provide real, actionable feedback to specific individuals who might be acting as a “weak point”.

Strengthening Technical and Operational Defences

Intelligent email filters and anomaly detection tools can take the pressure off staff by blocking the most obvious threats before they hit inboxes. At the same time, don’t overlook the fundamentals: multi-factor authentication remains one of the simplest ways to prevent compromised credentials from leading to a full-scale breach.
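As an added illustration of the kind of check an inbound mail filter can apply before a message reaches an inbox (example code written for this article, not The DPO Centre's own tooling or any vendor's product; the executive directory, domains and sample messages are constructed), the snippet below flags a message whose display name matches a known executive but whose address is not that person's, whose Reply-To routes replies elsewhere, or whose subject leans on the urgency and authority cues described earlier.

```python
"""Executive-impersonation signals for inbound email (added example).

All names, domains and messages are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed directory of people attackers commonly impersonate
# (display name, lower-cased -> the only address they legitimately send from).
VIP_DIRECTORY = {"jane doe": "jane.doe@example.com"}  # assumed finance director

# Pressure cues the article names: urgency and authority.
URGENCY_TERMS = ("urgent", "immediately", "asap", "today", "confidential")


def _domain(address):
    """Return the lower-cased domain of an email address ('' if absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(headers):
    """Return a list of reasons a message looks like executive impersonation.

    headers: dict with at least 'From'; 'Reply-To' and 'Subject' are optional.
    An empty list means none of the signals fired.
    """
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    name_key = name.strip().lower()
    # Signal 1: a known executive's display name on a message from another address.
    if name_key in VIP_DIRECTORY and addr.lower() != VIP_DIRECTORY[name_key]:
        reasons.append(f"display name '{name}' used by non-directory address {addr}")
    # Signal 2: replies silently redirected to a different domain than the sender's.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain")
    # Signal 3: urgency or authority language in the subject line.
    hits = [t for t in URGENCY_TERMS if t in headers.get("Subject", "").lower()]
    if hits:
        reasons.append("pressure language in subject: " + ", ".join(hits))
    return reasons


# Constructed sample messages: one spoof, one genuine.
SPOOF = {"From": "Jane Doe <jane.doe@example-finance.co>",
         "Reply-To": "payments@mailbox-relay.net",
         "Subject": "URGENT: supplier payment needed today"}
GENUINE = {"From": "Jane Doe <jane.doe@example.com>",
           "Subject": "Q3 budget review notes"}

if __name__ == "__main__":
    for label, msg in (("spoof", SPOOF), ("genuine", GENUINE)):
        print(label, check_message(msg))
```

A message that trips any signal is a candidate for the secondary-channel verification step rather than an automatic block, since executives do occasionally write from personal accounts.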

Regular Policy Reviews

Regular, comprehensive reviews of your policies and processes are essential to keep pace with the changing realities of cybersecurity. Incident response plans should be living documents, actively tested and refined and not left to gather dust on a server. It is also worth reviewing how much staff and company information is publicly available online. To further increase security, it may be beneficial to limit this information to reduce the risk of social engineering. 

Conclusion

In truth, cybercriminals don’t need to target your systems if they can target your people, and by adding AI to the mix, the line between genuine business communication and criminal manipulation is becoming harder to spot.

That’s why defending against social engineering attacks should be a priority for every organisation. True resilience doesn’t come from a single product or quick fix, but from embedding data protection awareness, robust policies and procedures, and smart technology into the organisation’s DNA. Small steps taken now can prevent far greater disruption later.
