AI-driven phishing & malware threats to rise by 2025

Cybersecurity firms are preparing for an increase in AI-driven threats in the year 2025, as highlighted by Usman Choudhary, Chief Product & Technology Officer at VIPRE Security Group.

Organisations are expected to face evolving challenges such as sophisticated phishing attacks, supply chain vulnerabilities, and compliance with heightened regulatory demands.

According to Choudhary, AI-powered phishing presents a significant threat to small and medium enterprises (SMEs). He explains, "In 2025, AI-driven phishing will evolve into a more sophisticated and stealthy threat. Cybercriminals will leverage AI to craft highly personalised attacks using publicly available data and advanced language capabilities, making these scams increasingly difficult to detect."

These cybercriminals will target platforms like Microsoft 365 and Google Workspace to exploit vulnerabilities for credential harvesting. SMEs, due to limited cybersecurity resources, may become prime targets for these attacks and serve as entry points for further infiltration into larger enterprises.

Choudhary also notes the potential for increased data breaches resulting from misdirected emails. "Already, misdirected emails have become a critical cybersecurity concern. Potentially, it is the most common cyber incident reported to the UK's Information Commissioner's Office (ICO) from a GDPR compliance standpoint," he states. As AI-driven email drafting tools gain traction, the risks associated with email misdirection are expected to rise, potentially exposing sensitive information to unintended recipients. This highlights the necessity of vigilance in automated communication environments.

The use of AI-generated malware to exploit supply chain vulnerabilities is anticipated to grow. In 2024, increased malware usage by cybercriminals led to significant data leaks and reputational damage for organisations. By 2025, AI-generated malware poses a greater threat as cybercriminals leverage AI for developing elusive malware and automating vulnerability scanning. Choudhary suggests adopting zero-trust architecture, AI-powered tools, and rigorous software development practices to counter these threats.

Data breach costs and increased regulatory demands are also set to amplify the importance of security awareness training. The average cost of a data breach in 2024 reached a global average of USD 4.88 million, primarily driven by human error.

"In 2024, enterprises faced an increasingly challenging cyber threat landscape, as cybercriminals successfully exploited the most advanced technologies, including AI, to breach organisations and cause mayhem," explains Choudhary.

The implementation of the EU AI Act and various US state data privacy laws imposes significant obligations on businesses to ensure data protection, breach notification, and consumer rights compliance.

The strengthening of regulatory landscapes in conjunction with persistent cyber threats underscores the urgency for robust security awareness training. "While technological solutions are of course critical to defend against the constant onslaught of cyber-attacks, employees' understanding of the threat landscape and vigilance is indispensable for mitigating cybersecurity risk, and demonstrating regulatory compliance," Choudhary concludes.