For hackers, human trust is the new attack surface

The use of artificial intelligence (AI) has upended phishing email fraud with super-realistic fake emails and videos that hit at the central tenet of business – trust among employees; organisations need to adapt accordingly.

Hackers using artificial intelligence (AI) have acquired the ability to make fake communications almost indistinguishable from genuine ones, and this has shifted the attack surface from technology to human trust, the bedrock of business. Image: Canva.

Artificial intelligence (AI) has fundamentally changed the economics of deception used by hackers to infiltrate systems. 


For years, cybersecurity professionals have told employees not to click suspicious links.


That advice is no longer enough. 


With the use of AI, the greatest cybersecurity risk is no longer suspicious-looking emails or obvious scams.  


It is AI's ability to produce fake communications that are almost indistinguishable from genuine ones. 


This has shifted the attack surface. It is no longer just about technology; rather, it is about human trust. 

The end of "spot the phishing email" 


Traditional phishing relied on scale. Attackers sent millions of emails, hoping that a small percentage of recipients would respond. 


Justin Fong: Every critical decision begins with trust.

Interestingly, many of these emails contained poor spelling and awkward grammar. This was often deliberate.


Rather than trying to fool everyone, scammers used poor language as a filter to identify the most susceptible victims.


Those who overlooked these obvious warning signs were more likely to continue with the scam. 


AI has changed that equation. 


Today, an attacker can generate thousands of perfectly written emails in seconds.  


Every message can be personalised. Every sentence can mirror an organisation's writing style, and every email can be written in flawless English.  


The quality of deception has improved dramatically while the cost of producing it has collapsed. The old advice to "look for spelling mistakes" belongs to a bygone era. 

When every executive can be deepfaked 


Imagine receiving a Microsoft Teams invitation from your CEO. 


The meeting begins.  


Your CEO appears on screen. The voice sounds authentic. The facial expressions look natural. Several colleagues are already in the meeting.  


During the discussion, you are instructed to authorise an urgent payment before the market closes. 


This is no longer science fiction.  


Deepfake technology and AI voice cloning have already been used in real-world financial fraud. The employee is no longer deciding whether an email looks genuine.


They are deciding whether to trust what appears to be their own eyes and ears. 

This is a much harder problem. 

AI doesn't need to hack systems 


For decades, organisations have invested heavily in protecting technology. 


Firewalls, endpoint detection, identity management and Zero Trust architectures. 


While these controls remain essential, increasingly, AI-enabled attackers are bypassing them altogether. Instead, they exploit something organisations have spent decades encouraging: 

  • Trust your manager. 
  • Respond quickly. 
  • Collaborate openly. 
  • Be customer-focused. 
  • Help your colleagues. 

These behaviours are exactly what make organisations effective. But ironically, they are also becoming the pathways through which AI-powered deception succeeds. 

Trust has become critical infrastructure 


Governments have long recognised physical infrastructure as critical: power grids, water supplies, telecommunications networks and financial systems.

  

Yet every one of these systems ultimately depends on trusted human decisions. 


A procurement officer approves a contract. A finance executive authorises a payment. A call centre agent resets an account - a senior official shares sensitive information during what appears to be a legitimate video conference. 


Every critical decision begins with trust. 


AI is now attacking that trust directly. In doing so, it has made human judgement part of our critical infrastructure. 

Zero Trust must include humans 


The cybersecurity industry often describes Zero Trust as a technical architecture based on a simple principle: never trust, always verify.  


Perhaps that philosophy now needs to extend beyond devices and networks. 


Organisations should normalise verification between people.  


It should become acceptable - even expected - to verify unusual requests, even when they come from senior leaders. Calling someone back using an independently verified number should be viewed as professionalism, not distrust.  


A finance officer who pauses an urgent payment request should be recognised as strengthening organisational resilience, not slowing the business down.  


Organisations that adapt fastest will be those that redesign their culture, not just their technology. 

The next generation of cybersecurity 


Many organisations continue to measure phishing resilience by click rates. That is becoming an increasingly incomplete measure.  


The more important question is this: Can employees maintain sound judgement when every communication appears authentic? 


Technical controls will always matter. But AI has shifted the contest from detecting malicious code to evaluating human credibility. 


The most resilient organisations will not simply have better cybersecurity tools.  


They will cultivate healthy scepticism, stronger verification habits and cultures where questioning unusual requests is encouraged rather than discouraged. 


Because in the age of AI, attackers are no longer trying to break into our systems. They are exploiting our trust, and trust has become the most valuable attack surface of all. 


------------- 


The author is a former military security officer and senior communications leader with over 30 years’ experience. He helps organisations strengthen their human firewall by transforming employees from the weakest link in cybersecurity to the first line of defence. He has previously worked for the Singapore Armed Forces, Prime Minister’s Office, and A*STAR, leading crisis response teams, advising political office holders, and building communication strategies that work under pressure.