Most AI-enabled cybercrime arrives dressed as routine work.
Article Contents
A supplier sends new banking details. An owner appears on a video call and asks for a transfer. A marketer downloads a free AI video tool. A new remote employee asks for access to customer files.
None of these situations feels extraordinary. That is precisely why they work.
AI helps criminals build a believable story around a request. It can study public information, summarize stolen emails, imitate writing styles, translate messages, create documents, reproduce voices and search thousands of stolen files for valuable information.
It can also help write malicious software and work through the technical stages of an attack.
Microsoft Threat Intelligence reported in March 2026 that most malicious AI use centres on producing text, code and media. Criminals use it to draft phishing messages, translate content, summarize stolen data and generate or debug malware. Human operators still control most targets and deployment decisions, while AI increases their speed and reach.
The financial damage is already substantial. The Canadian Anti-Fraud Centre recorded more than CAD $68 million in reported spear-phishing losses during 2025, followed by nearly CAD $31 million during the first three months of 2026. Those figures measure spear phishing as a whole. AI increases the realism and volume of the same payment-redirection scams.
A request can look real and still be unsafe. Payments, account changes, data disclosures, software installations and login approvals all need a verification process of their own.
How AI fits into a cyberattack
AI can play three different roles in an attack.
AI-assisted attacks
A person remains in charge and uses AI to complete part of the work.
The criminal might use a chatbot to research a company, rewrite an email, translate a message, troubleshoot malicious code or summarize stolen documents.
This approach lets a smaller or less experienced criminal operation produce more convincing work.
AI-generated attacks
AI creates something used to deceive or compromise the target.
That could include:
- A fake invoice
- A cloned voice
- A synthetic video
- A forged identity document
- A fraudulent website
- A piece of malicious code
The employee sees the finished material without seeing how it was produced.
Agentic attacks
An AI agent receives a goal and works through a series of steps. It acts, checks the result, changes its approach and continues.
The attacker supplies the objective and infrastructure. The agent handles more of the operational work that once required someone to sit at a keyboard throughout the intrusion.
Agentic attacks remain less common than AI-assisted phishing and fraud, but the first real-world cases have arrived.
Where AI changes the attack
AI compresses work that once took criminals much longer.
A company website can become a list of employees and decision-makers. A job posting can reveal which software the business uses. A stolen email account can reveal payment schedules, supplier relationships and the writing style of everyone involved.
Ten years of stolen files can become a brief that identifies the company’s largest customers, confidential disputes, financial position and most sensitive employee records.
Language barriers also shrink. A criminal can write polished messages for a Canadian accounting department, a French-speaking supplier and an overseas contractor without being fluent in any of their languages.
The old warning signs have not vanished, but they carry less weight. Clean grammar, familiar terminology and a professional tone no longer establish that a message is genuine.
Real AI cyberattack examples
A supplier changes its banking details
The email lands in an existing conversation about a real invoice.
It names the project manager, invoice number, amount and payment date. The supplier explains that it has changed banks and attaches a professional-looking document containing the new account information.
The bookkeeper calls the number in the updated email signature. A friendly accounts representative confirms the change.
The money goes to the criminal.
This scene combines payment-redirection techniques documented by the Canadian Anti-Fraud Centre. Fraudsters may study language patterns, payment schedules and key contacts before impersonating a supplier or contractor. They also register lookalike domains and create mailbox rules that quietly forward copies of genuine correspondence.
AI can summarize the stolen email history, identify the next payment, reproduce the supplier’s tone and prepare responses for questions the bookkeeper may ask.
The follow-up call offers little protection when the phone number came from the fraudulent message.
The SLAM phishing method gives employees a useful pause before acting:
- Sender: Check the full email address and domain.
- Links: Inspect where each link leads.
- Attachments: Confirm that the file was expected.
- Message: Consider whether the request makes sense.
AI makes the Message test less decisive because a fraudulent request can sound perfectly natural. Banking changes still require a callback using contact information already stored in the company’s supplier record.
A strong payment policy reads:
No employee may create or change payment instructions based solely on an incoming email, message, telephone call or video meeting. Every change must be verified through previously recorded contact information and approved by a second authorized person.
The same procedure should cover payroll changes, customer refunds and new payees.
Owners and executives must follow it too. An urgent request from the boss is where the policy earns its keep.
A familiar face asks for a transfer
In early 2024, an employee at engineering firm Arup joined a video meeting with people who appeared to be the company’s chief financial officer and other senior colleagues.
The meeting was fake.
The employee made transfers totalling approximately USD $25 million. Arup later confirmed that criminals had used digitally generated voices and images. Its chief information officer described the incident as technology-enhanced social engineering. The company’s systems had not been breached; an authorized employee had been persuaded to move the money. Arup later discussed the incident and its lessons with the World Economic Forum.
The deception combined several strong signals of trust. The employee saw familiar people, heard familiar voices, watched several apparent colleagues participate and received a plausible explanation for the transactions.
A smaller business may encounter a shorter version of the same attack. A cloned owner leaves a voicemail asking for a deposit. A customer joins a brief video call to confirm a refund. A manager asks payroll to send employee records before a meeting.
The amount could be CAD $8,000 rather than USD $25 million. The approval weakness remains the same.
Employees should end the original interaction, call the requester through a known number, confirm the purpose and amount, and involve a second approver. The accounting record should show who completed the verification and when.
A familiar face can begin a conversation. It cannot approve a transfer.
A free AI tool steals business passwords
A marketing employee sees an advertisement for a free AI video generator.
The website looks polished and carries familiar branding. The employee enters a prompt, waits for the video and downloads the finished file.
The “video” is malware.
Google’s Mandiant researchers documented this campaign in May 2025. Criminals created more than 30 fraudulent AI websites that impersonated services such as Luma AI, Canva Dream Lab and Kling AI. Thousands of social-media advertisements directed people to the sites. A sample of more than 120 malicious ads reached an estimated 2.3 million users in European Union countries.
The sites behaved like real AI generators. They asked for a prompt, displayed a loading bar and then offered a download.
One analyzed file used an .mp4 video extension in its name, followed by a long run of unusual blank characters and a hidden .exe program extension. To someone glancing at the filename, it looked like a video.
The malware could collect login credentials, browser cookies, credit-card information and social-media account data. Stolen browser cookies are especially valuable because they can give an attacker access to a session that is already signed in.
This attack fits comfortably inside a normal working day. The employee is trying to finish a campaign, test a tool or produce something for a customer.
An approved-software process should tell employees:
- Which AI tools the company permits
- Which browser extensions may be installed
- Whether desktop software requires approval
- What company information may be uploaded
- How to request a new tool
- Where approved software should be downloaded
Employees should reach a service through its known website rather than through a social-media advertisement. Company devices should use managed accounts, endpoint protection and restricted installation rights.
The approval process must also be quick enough to use. A request that disappears into a three-week queue will acquire unofficial shortcuts by lunchtime.
A fake meeting turns an audio problem into malware
A prospective business contact schedules a video meeting.
The invitation looks legitimate. The meeting platform resembles Zoom. A senior executive appears on screen, but the audio is not working properly.
The participant receives troubleshooting instructions and is asked to paste a command into the computer.
That command installs malware.
In February 2026, Google’s Mandiant team described an attack built around a compromised Telegram account, a fake Zoom meeting and malicious troubleshooting commands.
The victim reported seeing what appeared to be a deepfake video of a chief executive. Mandiant confirmed the fake meeting and malicious command sequence, while the video itself could not be recovered for forensic verification.
The fake audio problem gave the victim a reason to follow unusual instructions. The command started an infection that eventually deployed several malware families designed to collect credentials, browser information and session tokens.
The business rule should be bright and uncomplicated:
Employees must never paste commands into PowerShell, Command Prompt, Terminal or a Run window based on instructions received during a meeting, call, chat or webpage.
Normal audio troubleshooting may involve choosing a microphone, reconnecting to the meeting or calling the company’s IT provider. It should not involve copying a mysterious command into the operating system.
A remote employee uses a synthetic identity
A candidate submits a strong résumé and performs well in the interview.
Their professional profile looks established. Their identification appears valid. They complete a technical assessment and speak confidently about the role.
After hiring, the company gives them access to email, source code, customer files and internal systems.
The identity is fabricated.
Microsoft has documented North Korean remote IT worker operations that used AI-generated profile images, face-swapping, voice-changing tools and AI assistance during applications and interviews. The workers also used AI to tailor résumés, answer technical questions, translate workplace communication and maintain consistent personas after they were hired.
A fraudulent worker may perform genuine day-to-day tasks while concealing their identity, location and objectives. Legitimate access gives them time to collect information, study internal systems and seek broader permissions.
Small businesses often hire quickly and handle identity checks informally. A polished résumé, professional profile and smooth video interview can create confidence without proving who is behind them.
Remote hiring should include:
- Independent identity verification
- References contacted through independently sourced information
- Company-controlled equipment
- Separate accounts for each worker
- Limited access during onboarding
- Additional permissions only when the role requires them
A new employee should not receive keys to every digital room on the first morning.
AI searches stolen files and builds the ransom demand
An attacker gains access to a company’s cloud storage.
Inside are years of customer contracts, employee records, insurance documents, legal correspondence, banking exports and financial reports.
The attacker has the data but still needs to understand it. AI handles the first pass.
It identifies the largest customers, finds sensitive personal information, summarizes disputes and estimates which disclosure would create the greatest pressure.
Anthropic reported disrupting an operation that used AI throughout a data-theft and extortion campaign. The criminal targeted at least 17 organizations, including healthcare providers, emergency services, government bodies and religious organizations.
AI was used for reconnaissance, credential harvesting, network intrusion, selection of data to steal and preparation of tailored extortion demands. Some demands exceeded USD $500,000. The system also examined victims’ financial information to help select ransom amounts.
This changes how quickly stolen information becomes useful. A small criminal group can process a large breach and turn raw files into a pressure campaign designed around the victim’s own finances and relationships.
Backups restore encrypted or deleted systems. Stolen information requires additional controls:
- Restrict access to payroll, legal and financial records
- Remove files the company no longer needs
- Review which outside applications can access shared storage
- Monitor large downloads and exports
- Separate sensitive departments and data sets
- Revoke unused accounts and integrations
A seven-year-old spreadsheet can still contain personal information, account details or passwords that remain useful to an attacker.
JADEPUFFER gives ransomware an AI operator
On July 1, 2026, the Sysdig Threat Research Team published its investigation of JADEPUFFER, which it classified as the first documented agentic ransomware operation.
The attack began through CVE-2025-3248, a known vulnerability in an internet-facing installation of Langflow. Langflow is an open-source platform used to build AI applications and automated workflows.
Once inside, the agent searched the compromised system for:
- AI provider keys
- Cloud credentials
- Cryptocurrency wallets
- Database credentials
- Configuration files
- Internal services
It then moved from the original Langflow server toward a separate production database.
The agent interpreted responses and corrected its own mistakes.
During one sequence, it created an administrative account and attempted to log in. The login failed. Within 31 seconds, it diagnosed the problem, changed the password-generation method, rebuilt the account and successfully logged in.
It also changed parsers when a service returned XML instead of JSON and adjusted a database command when a foreign-key restriction blocked the first attempt.
The agent eventually encrypted 1,342 configuration records, deleted the original tables and created a ransom note.
Its encryption key was printed once but never saved or transmitted. The victim could not recover the encrypted configurations, even by paying the ransom.
The operation relied on several familiar weaknesses:
- A known vulnerability had not been patched
- A public application could reach sensitive internal systems
- Credentials and secrets were available in the environment
- Administrative access was poorly separated
- Internal services were exposed to the compromised application
JADEPUFFER connected those weaknesses into one fast, adaptive sequence.
For a business owner, the useful questions are straightforward:
- Which company systems can be reached from the public internet?
- Does each one need to be public?
- Who installs its security updates?
- Does it contain passwords, cloud keys or API credentials?
- Can it connect directly to production data?
- When was the last independent review?
The AI operator was new. The open door was an overdue software update.
Practical defences for small businesses
Security controls should focus on the action being requested: sending money, sharing data, approving a login, installing software or giving someone access.
The following measures stop many AI-assisted attacks without requiring employees to determine whether a particular email, voice or video was generated by AI.
Put payment verification in writing
Every supplier banking change, payroll change, unusual refund and new payee should be verified through an established contact method.
Require two approvals for high-risk or first-time transactions. Add a waiting period before paying a newly added account. Send confirmation to the supplier’s previous email address or established contact.
Employees should have clear permission to delay a request from the owner.
Train employees around actions
Teach employees to pause when a request combines urgency with money, confidential information or account access.
The employee response should be specific:
- Verify payment instructions through a stored contact
- Open websites through a known bookmark
- Report unexpected login approvals
- Send unusual data requests to a manager
- Contact internal IT before installing software
- Refuse commands supplied during calls or meetings
The training should reflect the company’s actual procedures. A quiz about suspicious spelling will not help an accounts employee verify new supplier banking details.
Protect the accounts that unlock everything else
Email, banking, accounting, payroll, cloud administration, domain registration and remote access deserve the strongest authentication available.
Use passkeys or physical security keys for owners, administrators, finance employees and other high-value users.
The Canadian Centre for Cyber Security recommends phishing-resistant multi-factor authentication because modern adversary-in-the-middle phishing sites can capture passwords, ordinary MFA codes and active session tokens. Passkeys and security keys bind the login to the genuine website and break that interception flow.
Give every employee an individual account. Remove former employees promptly. Keep administrator accounts separate from everyday email, browsing and document work.
Find everything exposed to the internet
Ask the IT provider for a plain-language inventory of:
- Websites and hosting panels
- Firewalls and remote-access services
- File-transfer systems
- Databases
- Cameras and connected equipment
- Development platforms
- AI workflow tools
- Administration pages
Each item needs an owner, business purpose, update process and last-patch date.
Remove public access when a system does not need it. Restrict administration pages to trusted networks or secure remote access.
Control AI applications and browser extensions
Keep a short list of approved tools.
Review each tool before connecting it to company email, files, calendars or customer systems. An AI meeting assistant that can read the calendar and record every call holds a substantial amount of access.
Employees should never install software from an advertisement or paste commands supplied by a chatbot, webpage, caller or meeting participant.
Applications that are no longer used should lose their company access. An abandoned integration can remain connected long after everyone has forgotten why it was approved.
Limit access before an account is stolen
Employees, contractors and applications should receive the information and permissions required for their work.
Separate payroll, finance, legal and customer records. Review access when roles change. Remove old accounts and unused applications. Check which outside tools can read company email and shared storage.
A stolen account with narrow access creates a smaller incident.
Add a network backstop with egress control
No security stack catches every bad click, stolen credential or vulnerable application.
Many malware and data-theft operations still need an outbound connection. They contact a command server, retrieve another malicious component or send stolen information to infrastructure controlled by the attacker.
Egress control governs those connections as they leave the business network.
Sysdig’s JADEPUFFER recommendations specifically call for egress controls so a compromised application cannot beacon to arbitrary destinations or reach external staging servers.
Nerds On Site’s SME Edge provides DNS-based Zero Trust networking at the network boundary. Its underlying Don’t Talk To Strangers® (DTTS) technology denies outbound IP connections by default unless the destination has first been verified through an allowed DNS request or explicitly permitted by policy.
That approach can disrupt direct command-and-control beacons and unauthorized data-transfer routes. An employee may click, or a vulnerable device may be compromised, but the malicious software still has to reach somewhere outside the network. SME Edge places another gate in that path.
Its role is to govern connections. Patching, endpoint security, strong authentication, limited access and backups continue to cover the other stages of an attack.
Keep backups separate and test them
Maintain several backup copies, including one protected from ordinary employee and administrator accounts.
Test a real restoration. Record how long it takes and which systems must return first.
A dashboard showing “backup successful” proves that a process ran. It does not prove that the business can recover its accounting system on a Monday morning.
Prepare a one-page incident plan
The plan should answer:
- Who calls the bank?
- Who calls the IT provider?
- Who can disable an account?
- Who contacts the insurer and legal adviser?
- Who communicates with employees or customers?
- Where are offline contact details stored?
- Who has authority to make urgent decisions?
Keep a printed copy. Email and shared drives have a habit of becoming unavailable at the least charming moment.
The 15-minute owner security check
A business owner should be able to answer these questions without decoding a technical report:
- Can one employee change supplier banking details without a second approval?
- Would staff verify an unusual request from the owner?
- Are email and finance accounts protected with strong multi-factor authentication?
- Do the most important accounts support passkeys or security keys?
- Can employees install any AI application or browser extension they find?
- Does the company know which systems are accessible from the internet?
- Can a compromised website or application reach production data?
- Can one employee account access most company files?
- Is outbound network traffic restricted to trusted destinations?
- When did the company last restore a real system from backup?
- Who can disable accounts outside normal business hours?
- Are the necessary emergency contact details available offline?
An uncertain answer identifies the next task.
Turn the unknowns into a plan
Several answers in the checklist may be unclear. A professional assessment can identify the gaps, rank them by business risk and turn them into a practical work plan.
The Nerds On Site Cyber Security Snapshot reviews the network, data, devices, identities, employee awareness, cyber-insurance readiness, dark-web exposure, and email and web security. The findings are presented in plain language with recommended fixes and an implementation plan.
Nerds On Site can also help carry out the improvements, including account protection, policies, backups, network security and SME Edge.
Request a Cyber Security Snapshot
What to do after an incident
After a fraudulent transfer
Call the financial institution immediately and ask it to freeze, stop or recall the payment.
Then contact local police and report the incident to the Canadian Anti-Fraud Centre.
Speed can recover money. In January 2026, a Canadian business quickly reported a CAD $1.7 million spear-phishing transfer. The Canadian Anti-Fraud Centre, financial institutions and the United States Secret Service intercepted the transfer before the funds could be dispersed further.
Preserve:
- Original emails and attachments
- Email headers
- Payment instructions
- Account numbers
- Telephone numbers
- Meeting invitations
- Chat records
- Transaction confirmations
Do not delete messages or continue negotiating with the suspected criminal without professional advice.
After an account compromise
Contact the IT provider through a known number.
The response should include:
- Reviewing active login sessions
- Changing affected credentials
- Removing fraudulent email-forwarding rules
- Checking newly added devices
- Reviewing new authentication methods
- Examining administrator changes
- Searching for access to connected applications
A password reset can leave the attacker signed in when they have stolen an active browser session or added another authentication method.
After a malware infection
Disconnect the affected device from the network.
Do not wipe it, reinstall the operating system or begin deleting files. Those actions can destroy evidence needed to determine what the attacker accessed.
Contact the IT provider, cyber insurer and incident-response partner. Other devices and accounts linked to the affected employee should also be checked.
Frequently asked questions
Are most cyberattacks now run by AI?
No. Most attacks remain human-directed.
Criminals use AI to improve research, phishing, impersonation, malicious code and data analysis. Agentic attacks such as JADEPUFFER show that AI can now execute longer technical sequences, but these operations have not replaced ordinary phishing, stolen passwords and unpatched software.
Can employees learn to spot a deepfake?
Employees can learn common warning signs, but visual inspection should not carry the approval decision.
A poor internet connection can make a real person look artificial. A convincing synthetic video can survive a short call.
Independent verification works in both situations.
Is ordinary multi-factor authentication still useful?
Yes. Any multi-factor authentication offers more protection than a password alone.
Passkeys and physical security keys provide stronger protection for valuable accounts because they are tied to the genuine website. A criminal cannot collect and reuse them through a copied login page in the same way as a password or manually entered code.
Should a small business ban AI tools?
A blanket ban often pushes employees toward personal accounts and unapproved services.
Approve a manageable group of tools, define what information employees may enter and review integrations before connecting them to company systems.
Does a business need AI-specific cybersecurity software?
Some organizations will benefit from more advanced detection tools.
The first gains usually come from payment verification, strong authentication, patching, limited access, approved software, egress control, tested backups and a rehearsed incident plan.
How can a company tell whether AI was involved?
Investigators may find synthetic media, AI-generated code or activity connected to a model. Many incidents will still look like phishing, stolen credentials, malware or an unauthorized payment.
The immediate response remains the same: stop the requested action, preserve evidence, secure affected accounts and report financial losses quickly.
Conclusion
AI gives criminals faster research, better impersonation, cheaper technical help and a quicker way to exploit stolen information.
It can make a supplier email sound familiar, place an executive’s face into a video call, turn an AI-tool advertisement into malware and guide ransomware through a poorly protected network.
Each attack still depends on a business action: changing a payment, approving a login, installing a file, granting access or leaving a vulnerable system exposed.
Those actions can be controlled.
Verify payment changes through an established contact. Protect important accounts with phishing-resistant authentication. Restrict what employees and applications can access. Patch public-facing systems. Govern outbound connections. Test the backups. Practise the first hour of an incident.
Better fakes raise the value of boring, repeatable processes.
Those processes keep a convincing request from becoming an expensive one.
Get practical help protecting your business
AI-enabled attacks are changing quickly, but the next steps do not need to be complicated. Nerds On Site can assess your current security, identify the gaps that matter most and help put practical protections in place across your accounts, devices, network, backups and employee processes.












