New Osterman Research reveals phishing and BEC attacks have been ‘reset’ by AI, with finance teams most vulnerable and existing defenses proving inadequate
ATLANTA, Ga. – In a stark warning for enterprise security, a new study from Osterman Research commissioned by IRONSCALES reveals that 88% of organizations experienced at least one security incident that undermined trust in digital communications over the past 12 months. The culprit: AI-powered phishing attacks leading a renaissance of threats that legacy security tools were never designed to stop.
The research report, Restoring Trust in Business Communications, surveyed 128 cybersecurity decision-makers and exposes a dangerous gap: while 82% report heightened threat actor interest in exploiting trusted communications, 60% lack confidence in their ability to counter deepfake attacks effectively.
The Phishing Renaissance: AI Resets the Threat Curve
“The threat curve just got reset,” said Michael Sampson, Principal Analyst at Osterman Research. “Even ‘solved’ attack types like phishing and business email compromise have become immature again. BEC attacks from 2025 bear little resemblance to those from 2020—they’re now hyper-personalized, multi-channel, and can be launched autonomously at scale.”
Despite already experiencing high breach rates, the worst may be yet to come. When asked about the maturity of AI-enhanced attacks already hitting their organizations, respondents believe threat actors are still in early stages:
- 28% say AI-generated phishing is just getting started
- 25% say the same about deepfake audio attacks
- 28% believe deepfake video attacks remain nascent
In other words, organizations are already being breached at alarming rates (88% of organizations experienced at least one security incident that undermined trust in digital communications over the past 12 months) that haven’t reached full maturity.
Traditional indicators that employees and security systems relied upon—grammar errors, suspicious sender addresses, generic language—have been eliminated by AI. Anyone can now craft perfect attacks in any language, personalization happens at scale, and attacks now come through email, phone, video, and collaboration platforms simultaneously.
Finance Teams in the Crosshairs
The research identifies a perfect storm of vulnerability for finance departments: they’re the highest-priority target for threat actors (59% of organizations rate them as “high” or “extreme” priority targets) while simultaneously being the employee group organizations are most concerned about (59% express high concern about their readiness to defend against trust-based attacks).
“Finance teams control the money, so they’re priority number one for attackers,” noted Audian Paxson, Principal Technical Strategist at IRONSCALES. “But cybersecurity leaders report the lowest confidence in these teams’ ability to spot sophisticated BEC and impersonation scams. That gap is getting exploited daily.”
Over 33% of organizations saw threat actors successfully masquerade as trusted vendors to steal funds or information in the past year, with vendor impersonation attacks increasing significantly (13% reporting major increases year over year).
Legacy Tools Failing at Scale
Perhaps most alarming: nearly one in five security leaders state security awareness training is proving ineffective against AI-enhanced threats. Current training approaches for preparing employees to detect attacks that weaponize trust are proving ineffective for many organizations. Training on detecting attacks using deepfake audio and video are particularly ineffective. In total, respondents rated the following from “not at all effective” to “moderately effective”;
- 38% for detecting deepfake audio attacks
- 39% for detecting deepfake video attacks
- 43% for detecting AI-generated phishing
“Legacy email protections are too blunt an instrument to recognize the subtle indicators of modern AI-powered attacks,” said Sampson. “Organizations can no longer trust these legacy solutions to protect against threats that didn’t exist when they were designed.”
Organizations Prepared to Take Immediate Action
The crisis is driving reassessment of security strategies. The research found that 70% of organizations now consider detecting deepfake audio impersonation attacks “extremely important,” the highest priority increase measured. Additionally:
- 70% are willing to add best-in-class point solutions to address gaps
- 68% are willing to change vendors entirely
- 70% are willing to replace their entire security technology stack
The Cost of Failure
The cost of inaction is clear: 55% of security leaders say failing to defend against these trust-exploiting attacks significantly increases data breach likelihood. The damage compounds from there – reduced productivity, compromised customer communications, and operational disruption.
About the Research
The study surveyed 128 professionals with direct responsibility for managing cybersecurity posture at U.S. organizations with 1,000-5,000 employees across all industries during September-October 2025. The complete report, Rebuilding Trust in Digital Communications, is available at https://ironscales.com/rebuilding-trust-in-digital-communications-report-download.
About IRONSCALES
IRONSCALES is the leader in AI-powered email security protecting over 17,000 global organizations from advanced phishing threats. As the pioneer of adaptive AI, we detect and remediate attacks like business email compromise (BEC), account takeovers (ATO), and deepfake attacks that other solutions miss. By combining the power of AI and continuous human insights, we safeguard inboxes, unburden IT teams, and turn employees into a vital part of cyber defense across enterprises and managed service providers. IRONSCALES is headquartered in Atlanta, Georgia. To learn more, visit www.ironscales.com or follow us on LinkedIn.
