Executive Summary
- What’s new: Organizations across industries are confronting a sharp escalation in AI-enabled social engineering scams — highly targeted campaigns that harness AI to craft convincing text, voice and video communications, fueling attacks that have surged in both volume and sophistication.
- Why it matters: A single successful attack can trigger data breach notification obligations, regulatory investigations, civil litigation and lasting reputational harm, with the global average cost of a data breach in the millions.
- What to do next: Organizations should consider implementing employee training on deepfake awareness, strengthening financial controls with multiperson approval for wire transfers, maintaining robust incident response plans and ensuring adequate insurance coverage for AI-enabled scams.
__________
Organizations across industries are confronting a sharp escalation in AI-enabled social engineering scams — highly targeted campaigns that harness artificial intelligence (AI) to deceive specific individuals within an organization into divulging sensitive information, authorizing fraudulent transactions or granting unauthorized access to critical systems.
What once demanded significant skill and time can now be automated and scaled: The rapid proliferation of generative AI tools allows threat actors to craft remarkably convincing communications — including realistic text, voice and video — fueling attacks that have surged in both volume and sophistication.
The average cost of a data breach in the U.S. was a record $10.22 million in 2025. The FBI reported more than $20 billion in total cybercrime losses for 2025, including more than $3 billion tied to business email compromise complaints, and noted that the number and scale of cybercrime continues to grow. An April 2026 report by the security firm KnowBe4 found a 17.1% increase in phishing attacks compared to the previous six months.
For organizations across sectors, the implications extend well beyond direct financial losses. A single successful attack can trigger:
- Data breach and cyber notification obligations.
- Regulatory investigations.
- Civil litigation.
- Lasting reputational harm.
Key Trends and Commonalities
Several notable trends characterize the current threat landscape.
- AI-enabled content generation. Threat actors increasingly deploy deepfake audio and video technology, drawing on publicly available voice, handwriting and other information to mimic known contacts. In May 2025, the FBI issued a public advisory warning that malicious actors had conducted a sophisticated campaign impersonating senior U.S. government officials across both text and AI-synthesized voice channels, directing recipients to malicious links under the guise of transitioning to a secure platform.
- Targeted impersonation of senior executives. Threat actors frequently impersonate an organization’s senior leadership as their initial hook, exploiting the likelihood that strict hierarchical structures and employees’ instinct to defer to authority will deter them from double-checking instructions that appear to come from a superior. In addition to the deepfake technology discussed above, large language models enable threat actors to generate polished, persuasive fraudulent emails at scale, drawing on publicly available data from sources such as LinkedIn and corporate websites to tailor attacks to specific recipients. Threat actors can use publicly available information — such as details regarding an organization’s lending agreements, board structure and even handwriting samples — to instill confidence in their victims. Beyond senior executives, threat actors often impersonate trusted third-party advisers such as external counsel, including by using spoofed domains that closely resemble legitimate email addresses, fake letterheads and telephone numbers with appropriate country or area codes.
- Impersonation of IT staff. Threat actors also commonly call individuals within an organization, impersonating someone from the organization’s IT desk. By asking the individual for a multifactor authentication (MFA) token, the threat actors are able to bypass MFA credentials and gain full access to the system.
- Manufactured urgency and secrecy requirements. These schemes often hinge on urgent or secretive financial requests. Targeted employees may be asked to sign nondisclosure agreements in furtherance of a purported highly confidential M&A transaction and to keep the matter secret from the rest of the organization — citing purported regulatory requirements, imminent structural changes or layoffs, an urgent need for a ransom payment, or similar pretexts designed to prevent employees from consulting senior colleagues or the legal department, or from questioning apparent discrepancies.
Legal and Regulatory Implications
For companies with Securities and Exchange Commission (SEC) disclosure obligations (including foreign private issuers), the SEC’s cybersecurity disclosure rules require the disclosure of material cybersecurity incidents, generally within four business days of a determination of materiality. The SEC has also pursued enforcement actions against companies for misleading disclosures regarding their cybersecurity risks.
A successful attack that results in unauthorized access to personal data, financial records or other sensitive information may trigger mandatory breach notification obligations under federal, state and international laws, as well as sector-specific regulations such as those governing financial institutions and health care organizations.
For financial entities within the European Union, the Digital Operational Resilience Act (DORA) has initial notification obligations within four hours of determining an incident as major and within 24 hours from the initial discovery of the incident. Data exfiltrated through unauthorized access to systems would be classified as a major incident under DORA, and the U.K. Financial Conduct Authority (FCA) would also expect similar notifications and updates.
The General Data Protection Regulation (GDPR) and other privacy laws around the world also require notifications to regulators and, in many cases, individuals, following a data breach.
In addition, organizations that suffer a significant breach may face regulatory scrutiny regarding the adequacy of their pre-incident cybersecurity and data protection programs, internal controls and incident response protocols. Organizations must be able to evidence that they have implemented appropriate technical and organizational measures to protect data, including regarding cyber defense, deletion of data and training of staff.
The risk of regulatory scrutiny is heightened where an incident results in falsified invoices, doctored books and records, or inaccurate financial reporting to external stakeholders such as auditors. Regulators and law enforcement increasingly expect organizations to implement risk-based governance, layered technical controls, robust identity verification procedures, effective incident response capabilities and appropriate board and management oversight — not merely awareness programs — to mitigate these risks.
Where these attacks result in fraudulent wire transfers or the misappropriation of funds, organizations may face issues related to civil liability, insurance coverage and local law considerations. The involvement of nation-state actors in certain campaigns may further implicate sanctions and export control considerations. Organizations should consult legal counsel promptly upon discovering an incident to ensure that privilege is preserved and that all legal obligations are met.
Best Practices and Recommendations
In light of the evolving threat environment, organizations should consider the following measures to mitigate risk and strengthen their defenses:
Employee training and awareness. Organizations should implement regular, mandatory training programs, with a particular focus on deepfake awareness and the recognition of AI-generated communications, taking into account current trends. These programs should be supplemented with targeted, role-specific training for senior executives, finance personnel and information technology (IT) staff, who represent high-value impersonation targets. Organizations should also consider implementing policies, and training on, practical defensive strategies, such as call-back procedures or preset codewords.
Escalation and reporting protocols. Any suspicious request — particularly one involving urgency, secrecy or deviation from established procedures — should be escalated promptly to a supervisor, the security team or the legal department. Organizations should foster a “speak-up” culture with clearly communicated reporting channels. Employees should understand that the organization will never expect them to transfer funds externally without the involvement of multiple senior personnel, and that they should never sign nondisclosure agreements or other contracts without the legal team’s review.
Board oversight. Organizations should ensure their boards are fully briefed on cyber trends and risks and are providing sufficient oversight. Regulators across various jurisdictions expect that directors need to understand the risks and actively engage in cybersecurity oversight.
Financial controls. Organizations should require multiperson approval for wire transfers and establish heightened authorization thresholds for transfers above designated amounts. All financial requests received by email should be verified through a secondary, independent channel, such as a secure messaging platform or a call-back to a known telephone number. Organizations should also work with their banks so that transfers above a certain amount, or to certain jurisdictions or bank accounts, trigger secondary verification protocols, with notifications sent to multiple individuals at the organization.
Technological safeguards. Organizations should supplement traditional email filtering with newer, content-focused detection technologies, including AI-driven defensive tools capable of identifying anomalous communication patterns that evade legacy security controls. Organizations should also reassess their multifactor authentication implementations in light of recent bypass techniques.
Insurance coverage. Many cyber insurance policies have social engineering sublimits that organizations should be aware of. Organizations should ensure that their insurance coverage extends to AI-enabled social engineering scams and other cybercrimes, and that the coverage is sufficient to account for losses that can exceed $10 million, as well as the significant related expenses of investigating and remediating an incident.
Incident response preparedness. Organizations should maintain robust incident response plans that provide for clear escalation and the early engagement of counsel, so that legal privilege is preserved over investigation-related materials and findings, and the organization’s various legal obligations are considered and fulfilled. These plans should be tested regularly through tabletop exercises and updated to reflect the latest threat intelligence. Organizations should also consider adopting policies that clearly require all employees to assist with internal investigations, including by providing information and any devices used for business communications, such as personal devices.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.