
When the Attacker Isn’t Human: AI, Deepfakes and the New Shape of Cybercrime

January 23, 2026

Written By:

Rob Stevenson

Founder

Based on insights from the Acronis Cyberthreats Report, H1 2025, reviewed by BackupVault.
 

The Interview That Went Exactly as Expected

 
The candidate joins the Zoom call on time. Clear audio. Good eye contact.

Their answers are articulate and technically sound. Their CV aligns with the role. Their GitHub activity looks active and credible. Nothing feels rushed. Nothing feels out of place. The hiring decision is easy.

Weeks later, the first anomalies appear. Access logs show activity outside expected hours. Credentials are used in ways that don’t match the employee’s role. Code is committed to repositories by an account no one remembers approving. The investigation escalates quickly.

The person you hired never existed. The face was AI-generated. The voice was synthetically cloned. The identity was taken from a real individual who had no idea their name was being used.

This is no longer a hypothetical scenario or a rare edge case. Variations of this have already occurred across organisations in the UK, Europe and the US, including smaller teams with limited hiring and security controls. It marks a fundamental shift in how modern cybercrime operates.

Chapter 1: How AI Changed the Economics of Cybercrime

 

1. The skills barrier has collapsed

Cybercrime was once constrained by capability. Writing malware, exploiting vulnerabilities, or running social engineering campaigns required specialist knowledge and time.

That constraint has largely disappeared.

Today, attackers can rely on readily available tools, templates, and automation to:

  • Generate convincing phishing messages.
  • Create believable fake profiles and CVs.
  • Impersonate real people using stolen or publicly available data.
  • Reuse proven attack techniques at scale.

What once required a skilled team can now be carried out by individuals with minimal technical expertise and a clear objective.

IT manager insight: Cybercrime is no longer limited by skill. It is limited only by access and opportunity.


2. Identity can no longer be taken at face value

Digital identity has traditionally relied on visual and verbal confirmation.

A video call. A confident delivery. A professional online presence.

These signals are no longer reliable.

Attackers increasingly combine:

  • AI-generated or enhanced profile images.
  • Synthetic or manipulated voice samples.
  • Stolen real-world identities with legitimate histories.
  • Convincing online activity designed to pass basic checks.

The result is a façade that looks legitimate enough to pass standard hiring processes, especially in smaller organisations where speed and trust are essential.

Seeing and hearing someone is no longer proof that they are who they claim to be. Identity must now be verified, not assumed.


3. Automation removes friction for attackers

Attackers are no longer limited by working hours, attention span, or scale.

Simple automation allows them to:

  • Test credentials across multiple systems.
  • Probe access boundaries quietly over time.
  • Reuse successful techniques across many organisations.
  • Maintain persistence without drawing attention.

These attacks do not need to be sophisticated to be effective. They only need to blend in.
 


 

Chapter 2: Deepfake Hiring Fraud, The Insider Threat That Looks Legitimate

 
Recent investigations have shown that fake employees were successfully placed into Western software organisations using manipulated identities and fabricated credentials.

While some cases involved organised groups, the techniques themselves are increasingly accessible and repeatable.

Attackers passed standard recruitment processes using:

  • Convincing video interviews.
  • Synthetic or altered CVs aligned to the role.
  • Real identities taken from unwitting individuals.
  • Code samples designed to meet expectations, not raise suspicion.

Once hired, they were treated as legitimate team members.

They received:

  • Access to internal systems.
  • Valid credentials.
  • Exposure to source code and sensitive data.

From the organisation’s perspective, nothing appeared unusual.


Why this matters to IT leaders in small and medium businesses

With legitimate access, attackers do not need to break in.

They can:

  • Introduce backdoors quietly.
  • Exfiltrate data slowly.
  • Abuse trusted access without triggering perimeter defences.
  • Operate for extended periods without detection.

This is an insider threat, created not by ideology or grievance, but by automation and identity abuse. For smaller organisations, a single compromised hire can expose the entire environment.
 


 

Chapter 3: When the AI Tool Becomes the Risk

 
Security incidents are no longer limited to malware or compromised devices.

AI tools and assistants, when adopted without governance, can introduce new risks, including:

  • Unintended data exposure.
  • Uncontrolled data sharing.
  • Unexpected external connections.

No malicious code is required. The risk comes from misplaced trust and lack of visibility.

The risk to organisations

When AI systems are used without clear controls, they can expose:

  • Customer and employee data.
  • Operational information.
  • Credentials and internal processes.

AI systems inherit the trust they are given. Without oversight, that trust becomes a liability.
 


 

Chapter 4: Trust Abuse Is Going Visual

 
Attackers are increasingly using video and imagery to reinforce credibility.

Synthetic or manipulated videos have been used to promote scams, impersonate trusted figures, and create urgency.

For years, video was considered a strong signal of authenticity. That assumption no longer holds.

The visual layer of trust has weakened, especially when combined with social pressure and routine workflows.
 


 

Chapter 5: Why Traditional Detection Is Struggling

 
Modern threats change frequently and quietly.

In 2025:

  • The average lifespan of a malware variant is just 1.4 days.
  • Most samples are never seen again.

Attackers do not rely on reuse. They rely on variation.

For smaller organisations still dependent on signature-based tools, this creates blind spots where threats can persist unnoticed.
 


 

Chapter 6: What IT Managers Must Do Now

 

1. Secure identity at the point of entry

Remote hiring must assume that identity manipulation is possible.

Controls should include:

  • Stronger identity verification.
  • Structured onboarding processes.
  • Clear access approvals and audits.

Trust should be earned progressively, not granted by default.


2. Put basic governance around AI usage

Organisations should define:

  • Which AI tools are approved.
  • What data those tools can access.
  • How usage is monitored.

Uncontrolled adoption creates invisible risk, especially for smaller teams.


3. Focus on behaviour, not signatures

Traditional tools alone are no longer enough.

Detection should prioritise:

  • Unusual access patterns.
  • Unexpected system behaviour.
  • Attempts to bypass normal workflows.

When threats change constantly, behaviour becomes the most reliable signal.
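
The behavioural signals from the opening scenario (activity outside expected hours, access that does not match the role, commits from an account nobody approved) can be checked against a simple baseline. The sketch below is an added example, not from the Acronis report or BackupVault; the log format, account names, roles and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline (assumption): systems each role is approved to use,
# normal working hours, and the accounts approved to commit code.
ROLE_SYSTEMS = {"developer": {"git", "ci", "wiki"}, "finance": {"erp", "wiki"}}
WORK_HOURS = range(8, 19)  # 08:00 to 18:59 local time
APPROVED_COMMITTERS = {"asmith", "jdoe"}

# Constructed sample events: timestamp account role system action
SAMPLE_LOG = """\
2026-01-12T10:14:00 asmith developer git commit
2026-01-12T11:02:00 jdoe developer ci login
2026-01-13T02:47:00 jdoe developer git clone
2026-01-13T09:30:00 jdoe developer erp login
2026-01-14T15:20:00 svc-tmp developer git commit
2026-01-14T03:05:00 mlee finance erp export
"""

def flags_for(ts, account, role, system, action):
    """Return the behavioural signals raised by a single event."""
    flags = []
    if ts.hour not in WORK_HOURS:
        flags.append("outside-hours")
    if system not in ROLE_SYSTEMS.get(role, set()):
        flags.append("role-mismatch")
    if action == "commit" and account not in APPROVED_COMMITTERS:
        flags.append("unapproved-committer")
    return flags

def review(log_text):
    """Parse the log and return (account, timestamp, flags) for flagged events."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, account, role, system, action = line.split()
        flags = flags_for(datetime.fromisoformat(ts_raw), account, role, system, action)
        if flags:
            findings.append((account, ts_raw, flags))
    return findings

def accounts_to_escalate(findings, min_signals=2):
    """Accounts showing several distinct signals are worth a manual review first."""
    seen = defaultdict(set)
    for account, _, flags in findings:
        seen[account].update(flags)
    return sorted(a for a, kinds in seen.items() if len(kinds) >= min_signals)

if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for account, ts, flags in results:
        print(f"{ts} {account}: {', '.join(flags)}")
    print("escalate:", accounts_to_escalate(results))
```

A single flag is often benign (a late deployment, a one-off request); the escalation step ranks accounts by how many different kinds of deviation they show, which is the pattern the opening scenario describes.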


4. Treat digital content as untrusted by default

Extra verification should apply to:

  • Recruitment-related communications.
  • Financial or investment requests.
  • Executive or authority-based messaging.
  • Unexpected video or voice interactions.

If something creates urgency or pressure, it deserves scrutiny.
 


 

Conclusion: You Are Defending Against Process, Not People

 
Cybersecurity has shifted.

The threat is no longer just an individual attacker. It is a repeatable process that blends automation, identity abuse, and trust exploitation.

For small and medium businesses, this does not mean panic. It means adjustment.

Those who adapt their assumptions, controls, and visibility can reduce risk significantly, even as attackers become faster and cheaper to operate.
 


 
The battlefield has changed, and smaller organisations are no longer overlooked.

Defending against modern threats does not require enterprise-scale complexity, but it does require the right visibility and controls.
