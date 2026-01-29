New Osterman Research reveals phishing and BEC attacks have been "reset" by AI, with finance teams most vulnerable and existing defenses proving inadequate

ATLANTA--(BUSINESS WIRE)--#Osterman--In a stark warning for enterprise security, a new study from Osterman Research commissioned by IRONSCALES reveals that 88% of organizations experienced at least one security incident that undermined trust in digital communications over the past 12 months. The culprit: AI-powered phishing attacks leading a renaissance of threats that legacy security tools were never designed to stop.

The research report, Restoring Trust in Business Communications, surveyed 128 cybersecurity decision-makers and exposes a dangerous gap: while 82% report heightened threat actor interest in exploiting trusted communications, 60% lack confidence in their ability to counter deepfake attacks effectively.

The Phishing Renaissance: AI Resets the Threat Curve

"The threat curve just got reset," said Michael Sampson, Principal Analyst at Osterman Research. "Even 'solved' attack types like phishing and business email compromise have become immature again. BEC attacks from 2025 bear little resemblance to those from 2020—they're now hyper-personalized, multi-channel, and can be launched autonomously at scale."

Despite already experiencing high breach rates, the worst may be yet to come. When asked about the maturity of AI-enhanced attacks already hitting their organizations, respondents believe threat actors are still in early stages:

28% say AI-generated phishing is just getting started

25% say the same about deepfake audio attacks

28% believe deepfake video attacks remain nascent

In other words, organizations are already being breached at alarming rates (88% of organizations experienced at least one security incident that undermined trust in digital communications over the past 12 months) that haven't reached full maturity.

Traditional indicators that employees and security systems relied upon—grammar errors, suspicious sender addresses, generic language—have been eliminated by AI. Anyone can now craft perfect attacks in any language, personalization happens at scale, and attacks now come through email, phone, video, and collaboration platforms simultaneously.

Finance Teams in the Crosshairs

The research identifies a perfect storm of vulnerability for finance departments: they're the highest-priority target for threat actors (59% of organizations rate them as "high" or "extreme" priority targets) while simultaneously being the employee group organizations are most concerned about (59% express high concern about their readiness to defend against trust-based attacks).

"Finance teams control the money, so they're priority number one for attackers," noted Audian Paxson, Principal Technical Strategist at IRONSCALES. "But cybersecurity leaders report the lowest confidence in these teams' ability to spot sophisticated BEC and impersonation scams. That gap is getting exploited daily."

Over 33% of organizations saw threat actors successfully masquerade as trusted vendors to steal funds or information in the past year, with vendor impersonation attacks increasing significantly (13% reporting major increases year over year).

Legacy Tools Failing at Scale

Perhaps most alarming: nearly one in five security leaders state security awareness training is proving ineffective against AI-enhanced threats. Current training approaches for preparing employees to detect attacks that weaponize trust are proving ineffective for many organizations. Training on detecting attacks using deepfake audio and video are particularly ineffective. In total, respondents rated the following from “not at all effective” to “moderately effective”:

38% for detecting deepfake audio attacks

39% for detecting deepfake video attacks

43% for detecting AI-generated phishing

"Legacy email protections are too blunt an instrument to recognize the subtle indicators of modern AI-powered attacks," said Sampson. "Organizations can no longer trust these legacy solutions to protect against threats that didn't exist when they were designed."

Organizations Prepared to Take Immediate Action

The crisis is driving reassessment of security strategies. The research found that 70% of organizations now consider detecting deepfake audio impersonation attacks "extremely important," the highest priority increase measured. Additionally:

70% are willing to add best-in-class point solutions to address gaps

68% are willing to change vendors entirely

70% are willing to replace their entire security technology stack

The Cost of Failure

The cost of inaction is clear: 55% of security leaders say failing to defend against these trust-exploiting attacks significantly increases data breach likelihood. The damage compounds from there - reduced productivity, compromised customer communications, and operational disruption.

