Strengthening the Human Element in Cyber Defense
Sophisticated Game

There’s no doubt, information security experts say, that people have become more savvy about detecting phishing attacks and other cyber threats.
Unfortunately, the hackers have become more savvy as well — exponentially so, in the era of artificial intelligence — and that’s a problem.
“The risk is getting worse, not better,” Bean said. “The sophistication of the attacks is getting infinitely better, and the variety or complexity of the attacks is getting significantly higher. And a lot of that is driven by AI.”
Elaborating, he explained that there are essentially two types of phishing attacks. One is the bread-and-butter, scattershot attacks that hope to ensnare as many random recipients as possible. And these hackers — many of them operating from foreign countries where English isn’t their first language — are now using AI to craft emails that sound more plausible, and don’t set off the same alarm bells as their cruder predecessors.
“But then there are high-value attacks, which are much more sophisticated and much more intelligent. They’re not just mass attacks sent out to hundreds or thousands or millions of people. They’re targeted attacks,” Bean said — and these employ AI to a troubling degree.
He related a real-life example of a CFO getting an email from a hacker posing as a vendor, urgently asking for a payment, at a time when the CEO was traveling and unavailable (which the hacker knew). To verify the transaction, the hacker set up a Zoom call with what turned out to be a deepfake version of an actual attorney.
“The lawyer says, ‘this is what the money is for; go ahead and wire it.’ And the CFO, at that point, is very comfortable and sends the money, no hesitation,” Bean said. “That kind of deepfake would have been impossible even three years ago; only Hollywood could provide that level of sophistication. But in the last couple of years, it’s so easy. You can get content online, combine it with certain tools, and do some really impressive stuff that’s beyond phishing — it’s straight-up cybercrime.”
Tim Miller, chief information security officer at Community Bank, agreed that malicious AI tools are helping to create perfectly crafted phishing emails that are specific to a company or individual user, which is why the bank’s employees are not only trained on a regular basis to detect these threats, but tested as well.
“You don’t want to create a simulated phishing program without some level of training tied to failures,” he explained. “And you’ve got to make it believable; you’ve got to make it good. Sometimes that upsets people; we’ve done tests in the past that people have gotten really upset about, but that’s what these threat actors are doing. They don’t care what your feelings are. The point is to get an emotion out of you, a sense of urgency, of fear, and that’s how they get you to click.”
Exploiting the human element in cybercrime — known in IT circles as social engineering — is an ongoing concern for companies of all sizes.
Delcie Bean
“The risk is getting worse, not better. The sophistication of the attacks is getting infinitely better, and the variety or complexity of the attacks is getting significantly higher. And a lot of that is driven by AI.”
Hoxhunt, an organization that helps companies with IT risk management, notes that the human element is a factor in 68% of data breaches, according to a Verizon report. Of those, the Comcast Business Cybersecurity Threat Report says 80% to 95% are initiated by a phishing attack, and the total volume of phishing attacks has skyrocketed since the advent of ChatGPT in 2022.
“I think the risks from AI are going to continue to develop, and we’ve already seen significant changes from what the risks were before,” Miller said. “What was theoretical risk a year ago is actual risk now, and what that’s going to look like a year from now, I think, is somewhat unknown.”
Damage Done
For companies that do fall prey to cyberattacks and data breaches, the damage can be significant, Miller said, especially for companies (like banks and hospitals) in highly regulated industries, publicly traded companies, and businesses that operate in multiple states.
“Even if you deem it a small-scale event, it can mushroom very quickly,” he noted. “Now, let’s take the example of ransomware, where they’re able to get in and actually encrypt your data. In almost every ransomware event over the last couple of years, they’ve combined that with data exfiltration. So not only are they preventing you from accessing your files, they have a copy of it themselves. So it’s a combination of them wanting money from you, and they have the data already.”
Another big risk in these events is reputation risk, he went on.
“If a customer knows that you’ve had a security incident or a breach, especially a significant one, how do they know their data is going to be protected going forward? How do they know that the company is ultimately going to be able to protect them in the future? And are they more likely to find somebody else to do their business with? That’s the thing with cybersecurity incidents — it starts to degrade trust a little bit, which makes it challenging for companies to overcome.”
That’s why cybercrime is actually much more prevalent than public reports would suggest, Bean said. “You’re not going to hear about 95% of them. The CEO or CFO doesn’t want to let that story get outside their little circle of trust.
“Ransomware has always been much more prevalent than we knew about because companies were keeping it secret, unless it caused a significant outage, like a hospital or an entire town being taken down,” he added. “For every one of those, another 100 businesses were hit quietly, and they dealt with it, and they weren’t telling anyone because they didn’t want it reaching the world because of loss of credibility and fear of lawsuits — and a lot of cybercrime stayed under the radar.”
Bean emphasized that the classic, non-AI attacks that have been around for years are still prevalent — essentially, “they’re trying to get you to log in and do something.” But these have become more sophisticated and targeted as well.
“They’ll know that you placed an Amazon order — ‘there’s a problem with the delivery of your dog food; click here if you still want to receive this order.’ They use very sophisticated tools to scrape your cookies when you’re on websites, and they see that you’re browsing for dog food, they assume you placed the order, and they send a very targeted attack. That stuff is growing.”
Miller said Community Bank communicates regularly with customers on how they can avoid becoming victims, while also making sure employees know what to look for.
“It’s important, from our perspective, to make sure everyone inside the company understands that cybersecurity risks are everyone’s responsibility. It’s not just my role,” he explained. “And it’s important for the folks in our branches to understand what these threats are because they are the frontline to customer interactions. And if they can relay some of the information to them, that’s obviously beneficial for all.”
That’s especially true at a time when threats are increasing. “I mean, the concept of deepfakes is very much here, and it’s not going anywhere. And that’s a concept that’s really challenging for people to grasp,” Miller went on, going back again to what he emphasizes internally, which is the importance of following established processes — for instance, when a possibly deepfaked company executive is asking for a wire transfer.
“It goes back to adhering to your processes and not necessarily going off of your emotion — because your emotion in that instance would be, ‘I want to satisfy the CFO by making this wire.’ But the reality is, you might have a verification step where you call the CFO back. These attacks have gotten so good that the whole ‘smell test’ piece may not work anymore. So you have to go back to certain things that you know will identify those risks.”
Strong Defense
Bean emphasized the importance of both training and testing employees, saying one without the other isn’t enough.
At the same time, however, “we’ve had to shift to almost accepting that there’s going to be a certain amount of successful phishing attacks. It’s like a war — you have to cede one line in the battle and retreat to a different position that you feel is more defensible.”
And that second position, in many cases, has been recognizing what a successful breach looks like — often using AI systems to monitor that — and locking it down before damage is done.
“Most commonly, they’re stealing Microsoft 365 or Google Workspace credentials. But the second they log into the system, there are certain hallmarks about how that’s going to look. The login is different in subtle ways; a login by a bad actor sends up suspicious flags. An AI system can evaluate that login, and if there’s anything remotely suspicious, a human can lock the account, send a report to us, and we take over the case from there.
“That’s definitely been a godsend. We’re seeing hackers getting through MFA [multi-factor authentication] or getting a password through phishing, but we’re catching them the instant they log in,” Bean went on, comparing it to having both external home security and motion sensors inside the house. “The police arrive before there’s any damage.”
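The login hallmarks Bean describes (a stolen Microsoft 365 or Google Workspace password used from somewhere the real user never signs in from) are what a post-compromise detector keys on. The following is an added example, written for this page and not code from Bean, Paragon, Community Bank or any vendor: a small Python scorer that builds a per-user baseline from earlier sign-ins and flags later ones for a new country, a new network (ASN), a new client, legacy authentication, a missing MFA claim, and impossible travel. The sign-in events are constructed for the example, and the field names, the 900 km/h travel limit and the three-signal lock threshold are assumptions, not Entra ID or Google Workspace log schemas.

```python
"""Added example: score sign-in events against a per-user baseline and
decide whether to lock the account. Field names, thresholds and sample
events are assumptions constructed for this example."""
import json
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: faster than an airliner counts as impossible travel
LOCK_THRESHOLD = 3               # assumption: this many signals on one sign-in triggers a lock

# Constructed sample events (not real log data). Field names loosely follow
# cloud sign-in logs but are assumptions for this example. The third CFO
# sign-in is the stolen-password scenario from the article.
SAMPLE_LOG = '''
{"ts":"2024-05-06T08:02:11Z","user":"cfo@example.com","ip":"203.0.113.10","country":"US","lat":42.1,"lon":-72.6,"asn":"AS64496","ua":"Outlook/16.0","protocol":"modern","mfa":true}
{"ts":"2024-05-06T12:15:40Z","user":"cfo@example.com","ip":"203.0.113.10","country":"US","lat":42.1,"lon":-72.6,"asn":"AS64496","ua":"Outlook/16.0","protocol":"modern","mfa":true}
{"ts":"2024-05-06T12:41:03Z","user":"cfo@example.com","ip":"198.51.100.77","country":"NG","lat":6.5,"lon":3.4,"asn":"AS64511","ua":"python-requests/2.31","protocol":"legacy","mfa":false}
{"ts":"2024-05-06T09:30:00Z","user":"teller@example.com","ip":"192.0.2.25","country":"US","lat":42.1,"lon":-72.6,"asn":"AS64496","ua":"Chrome/124","protocol":"modern","mfa":true}
'''


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_events(text):
    """Parse one JSON object per line and order events per user by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def score_event(event, baseline):
    """Return the suspicious signals for one sign-in versus the user's history."""
    reasons = []
    if event["country"] not in baseline["countries"]:
        reasons.append("new_country")
    if event["asn"] not in baseline["asns"]:
        reasons.append("new_asn")
    if event["ua"] not in baseline["uas"]:
        reasons.append("new_user_agent")
    if event["protocol"] == "legacy":
        reasons.append("legacy_auth")  # legacy protocols are how attackers sidestep MFA prompts
    if not event["mfa"]:
        reasons.append("no_mfa")
    last = baseline["last"]
    hours = (event["ts"] - last["ts"]).total_seconds() / 3600.0
    dist = haversine_km(last["lat"], last["lon"], event["lat"], event["lon"])
    if hours > 0 and dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
        reasons.append("impossible_travel")
    return reasons


def detect(log_text):
    """Flag sign-ins that deviate from the user's baseline.

    Returns {user: [(iso_timestamp, reasons, action), ...]} for sign-ins
    with at least one signal. The first sign-in seen for a user seeds the
    baseline; only clean sign-ins extend it, so a flagged attacker session
    never becomes the new 'normal'."""
    alerts, baselines = {}, {}
    for e in parse_events(log_text):
        b = baselines.get(e["user"])
        if b is None:
            baselines[e["user"]] = {"countries": {e["country"]}, "asns": {e["asn"]},
                                    "uas": {e["ua"]}, "last": e}
            continue
        reasons = score_event(e, b)
        if reasons:
            action = "lock_account" if len(reasons) >= LOCK_THRESHOLD else "review"
            alerts.setdefault(e["user"], []).append((e["ts"].isoformat(), reasons, action))
        else:
            b["countries"].add(e["country"])
            b["asns"].add(e["asn"])
            b["uas"].add(e["ua"])
            b["last"] = e
    return alerts


if __name__ == "__main__":
    for user, hits in detect(SAMPLE_LOG).items():
        for ts, reasons, action in hits:
            print(f"{user} {ts} {action}: {', '.join(reasons)}")
```

Run as written, the example reports the CFO's third sign-in as `lock_account` with six signals, while the two earlier CFO sign-ins and the teller's single sign-in produce nothing. The baseline here is deliberately simple (first-seen country, network and client per user); a production detector would seed it from weeks of history, whitelist corporate egress ranges, and feed the lock decision into the identity provider's session-revocation API rather than just printing it, which is the "human locks the account" step in Bean's description.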
He added that this is a war being fought on multiple fronts, and companies need to take it seriously, through training, testing, and perhaps an outside partner.
“If someone can get in, it can be anywhere from a couple hundred thousand dollars to a couple million, and most businesses don’t have that floating around. Some go out of business or face financial hardships that might not be covered by cyber insurance. It’s not something you can afford to underinvest in.”
Miller added that “a lot of companies, especially smaller companies, don’t have budgets to invest in the latest and greatest, and that’s fine. It’s more about, are you patching your systems? Are employees aware of newer threats? There’s a lot that companies can do.
“These are the basics of cybersecurity — which, honestly, is what protects you 99% of the time,” he added. “It’s doing the basics of being skeptical. That’s one of the keys with phishing and all these other types of fraudulent attempts — being skeptical about it.”