Cyber security 101: The rising risk of AI and social engineering in Canada

March 5, 2026

AI-driven social engineering attacks are on the rise — and your organization needs to take the right steps to protect itself and prevent significant financial losses. This article discusses what a social engineering attack is and how AI is making these types of scams more convincing. Our advisors also share several practical steps to help your organization recognize and prevent these types of scams.

Artificial intelligence (AI) is transforming the business landscape — and the landscape of cyber threats. This new technology is changing how malicious cyber actors carry out social engineering attacks, in which they exploit emotional and social connections for personal gain. AI is making these efforts look more credible and believable, and your organization needs to take the right steps to reduce the risk of these threats.

AI-enabled fraud is on the rise, and human impersonation is becoming more prevalent in Canada. According to the Canadian Cyber Threat Exchange, phishing scams and compromised credentials are the most common vectors of attack, and Canadian businesses paid an average of $6.32 million per data breach. Let’s discuss what a social engineering attack is and how AI has impacted these types of attacks. We’ll also share some practical steps you can take to keep your organization safe.

What is social engineering?

The word con helps reveal the essence of a social engineering attack. Con is an abbreviation for confidence trick, meaning that the scammer relies on building the confidence, trust, comfort, or belief of the victim before taking advantage of them for personal benefit.

Another popular term for this type of social engineering scam is pig butchering. This involves a malicious individual building trust with the victim through social media, dating apps, or messaging platforms. Eventually, the scammer persuades the victim to invest in fake or fraudulent scams that usually involve cryptocurrency. The term comes from the idea of softening up the victim with attention, affection, or friendship before butchering them by convincing them to send large sums of money. While this sounds macabre, it is an accurate description for this type of scam.

Cyber security professionals started to use the term social engineering as hacking evolved. This term acknowledges the psychological and manipulative aspects of this type of scam, which are now understood as a core attack method alongside technical exploits. Social engineering refers to the practice of manipulating people into revealing confidential information, performing actions, or providing access to systems. Social engineers exploit trust, fear, urgency, or authority to gain access instead of breaking into systems through technical hacking.

No matter what these tactics are called, the idea is simple — gain someone’s trust and exploit it for personal benefit. Everyone is vulnerable to this type of scam as we gain confidence and comfort with online interactions through social media applications and online work collaboration platforms.

How is AI transforming social engineering?

AI is now making social engineering attacks look more believable and credible. This means that AI-driven social engineering is becoming the foremost cyber threat as more malicious cyber actors focus on identity-centric attacks for financial benefit.

Common types of AI-driven cyber attacks include:

Phishing

A phishing attack involves a cybercriminal posing as a legitimate individual or organization to trick an employee into clicking on a link. This allows the scammer to steal sensitive login information or deliver malware. AI generates highly convincing phishing messages that often bypass traditional human detection. It also allows scammers to scale these attacks by generating customized messages in a short amount of time.

Spear phishing

Spear phishing is a subtype of phishing attack that involves highly personalized attacks tailored to an individual. AI supercharges target research, enabling the scammer to gain information on the victim and develop attacks tailored to the individual in a short amount of time.

Vishing

Vishing stands for voice phishing — a type of phone-based scheme where the scammer poses as a trusted individual or organization to convince the victim to transfer funds or reveal confidential information. The rise of artificial intelligence has enabled scammers to use AI-cloned voices to make this type of scam more convincing.

Smishing

Smishing is a phishing attack delivered by text message. The goal is to gain access to confidential information such as passwords or bank accounts through a fraudulent link, and AI enables scammers to generate convincing messages quickly.

Business email compromise

This type of attack involves the scammer impersonating executives or vendors to trick employees into initiating fraudulent payments. AI has enabled scammers to research and impersonate individuals quite effectively to launch these personalized attacks.

Deepfake impersonation

Deepfake impersonation involves the scammer using AI to generate audio or video that mimics real people that the victim knows. This is an emerging and fast-growing threat, and it can be difficult for most people to tell what is real and what is fake.

The threat landscape is evolving

Each of the examples above shows how AI is helping threat actors personalize, scale, and validate attacks. Social engineering attacks are continuing to grow in popularity, and you need to take the right steps to prevent your business from falling victim to these attacks. The practical steps below can help you get started.

How can Canadian organizations protect against AI-driven cyber threats?

Provide awareness training

The cyber threat landscape is constantly evolving, and your employees are your first and best line of defense. Provide awareness training so that your employees understand the AI-driven cyber threats your business is facing and what steps they can take to keep your organization safe.

Verify information

AI-driven scams often use the names of legitimate individuals or companies to gain access to confidential information. Review invoices thoroughly before you make a payment to confirm that the details match the company information you have on file. Consider creating a list of approved businesses that your organization works with to help employees determine which contacts are legitimate. Specific passphrases or words for sensitive transactions can also help validate the user.

Limit public information

Social engineering attacks need access to vital business information to make the scam more convincing. Confirming details such as job titles or approval limits allows these types of scammers to impersonate executives or employees more effectively. This makes it important to ensure that your employees do not provide or confirm any business information on an unsolicited call, such as the address, phone number, or account numbers your organization uses.

Segregation of duties

Select a small number of staff to approve business purchases and pay bills to reduce the opportunity and impact of fraudulent requests. Social engineering attacks rely on pressuring an individual to act quickly, often in response to a false request from an executive or vendor. Sending each request for review and approval helps limit the chances of a successful attack.

Monitor for anomalies

Frequent vendor changes, payment increases, or transactions that fall just below approval thresholds are all anomalies that indicate fraud may be taking place. Regularly monitoring your business for unusual payments or other types of anomalies can help you detect the signs of a social engineering scam quickly and act to limit the losses before they increase.
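The three indicators named above can be checked mechanically against a payment ledger. The following is an added example, not part of the original article: the approval limit, the 5% band, the 2x increase factor, the record layout, and the sample ledger are all constructed assumptions, and "vendor change" is interpreted here as a change in the vendor's bank account.

```python
from collections import defaultdict
from statistics import median

APPROVAL_THRESHOLD = 10_000.00  # assumed approval limit
NEAR_BAND = 0.05                # assumed: flag amounts within 5% below the limit
INCREASE_FACTOR = 2.0           # assumed: flag payments over 2x the prior median

# Constructed sample ledger: (date, vendor, bank_account, amount)
PAYMENTS = [
    ("2026-01-05", "Acme Supply", "CA-001", 4200.00),
    ("2026-01-19", "Acme Supply", "CA-001", 4350.00),
    ("2026-02-02", "Acme Supply", "CA-001", 4100.00),
    ("2026-02-16", "Acme Supply", "CA-777", 9850.00),
    ("2026-01-10", "Northwind IT", "CA-014", 1500.00),
    ("2026-02-10", "Northwind IT", "CA-014", 1550.00),
    ("2026-02-20", "Birch Consulting", "CA-300", 9990.00),
]

def flag_payments(payments, threshold=APPROVAL_THRESHOLD):
    """Return [(date, vendor, amount, reasons)] for payments that need review."""
    history = defaultdict(list)  # vendor -> amounts already seen
    last_account = {}            # vendor -> bank account on the previous payment
    flagged = []
    for date, vendor, account, amount in sorted(payments):  # chronological order
        reasons = []
        # Indicator 1: amount sits just under the approval limit.
        if threshold * (1 - NEAR_BAND) <= amount < threshold:
            reasons.append("just_below_threshold")
        # Indicator 2: sharp increase over this vendor's usual payment.
        prior = history[vendor]
        if len(prior) >= 2 and amount > INCREASE_FACTOR * median(prior):
            reasons.append("payment_increase")
        # Indicator 3: vendor's bank details changed since the last payment.
        if vendor in last_account and last_account[vendor] != account:
            reasons.append("vendor_bank_change")
        if reasons:
            flagged.append((date, vendor, amount, reasons))
        history[vendor].append(amount)
        last_account[vendor] = account
    return flagged

if __name__ == "__main__":
    for row in flag_payments(PAYMENTS):
        print(row)
```

A payment that trips several indicators at once, such as a changed bank account combined with a jump in amount to just under the limit, is the one to hold for out-of-band verification with the vendor before release.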

Take the next step

AI-driven social engineering attacks are on the rise. Providing awareness training to your employees, verifying information, protecting your business information, segregating employee duties, and monitoring for anomalies can all help prevent your organization from becoming another victim of these attacks.

For more information, contact a member of our Cyber Security and Privacy team. Our team will work with you to set a security and privacy baseline, identify your top threats, and define resilience tactics to effectively future-proof your organization.

Social engineering FAQ

What is AI-driven social engineering?

AI-driven social engineering is when malicious cyber actors use AI to scale and personalize phishing, deepfake impersonation, and other types of scams for personal financial gain.

Why is AI-driven social engineering a threat to Canadian businesses?

AI enables malicious threat actors to conduct research on targets, convincingly impersonate individuals, and launch attacks at scale.

What are the most common types of AI-driven social engineering scams?

Phishing, spear phishing, vishing, smishing, business email compromise, and deepfake impersonation are the most common types of AI-driven social engineering scams targeting Canadian individuals and businesses.

How can I protect my business from social engineering scams?

Some practical steps to protect your business include providing awareness training to employees, verifying information, not providing business information to unsolicited callers, segregating duties, and monitoring your business for anomalies. An external advisor can help you identify top threats and develop a strategy to protect your business.

Author

MNP’s Cyber Security Leader, Eugene oversees research and development activities and formulates long-term vision and strategies at the executive management level to help the firm better serve clients. He provides a full range of cyber security services and solutions to medium-sized and large enterprises, delivering strong advice to help clients make business decisions relating to technology.
