AI is rewriting the cyber risk playbook

As every sector becomes increasingly reliant on digital applications, the threat landscape facing UK businesses is shifting in ways many organisations are still struggling to fully grasp. At HSBC UK’s recent fraud and cyber awareness webinar, security specialists outlined how generative AI, supply chain exposure and identity based attacks are converging to create a more volatile and unpredictable risk environment. This has significant implications for mid market enterprises, at a time when cyber security is becoming an essential enabler of operational continuity, financial stability and trust among both clients and customers.

The rise of AI is accelerating the credibility and scale of cybercrime, says Damon Rands, CEO of Pure Cyber. While artificial intelligence is not new, it has become far more accessible, including to cyber criminals. “AI has been around a very long time,” he said, “but what it has done today is to lower the barrier of entry for anybody to start getting involved with cybercrime.”

Attackers who once relied on poorly written phishing emails can now produce communications that mirror corporate correspondence with near flawless accuracy. Generative AI enables convincing emails, realistic narratives and rapid personalisation at scale. The results are increasingly difficult for employees to distinguish from legitimate activity.

This shift is no longer driven by technical aptitude on the part of criminals but by automation, volume and believability. The warning signs that once helped users flag suspicious messages have fallen away, and even well trained teams face new forms of vulnerability. For mid market businesses, often operating without large in house cyber teams, the pressure to strengthen monitoring, authentication and behavioural based detection has intensified.

Modern cybercrime is increasingly about exploiting identity, rather than infrastructure. Although tools and techniques continue to evolve, most attacks still begin with stolen credentials. Once inside a mailbox, attackers can remain undetected for long periods of time, learning internal workflows, tone of voice and financial routines.

Tom Evans, Chief Offensive Risk Officer at Pure Cyber, explained that attackers quickly adapt to what they observe: “They know exactly how you operate; so when they try to mimic you, they’ll do it in a way that seems normal.”

This is the foundation of business email compromise (BEC), one of the most damaging forms of corporate fraud. And as AI enabled impersonation becomes more sophisticated, these attacks are harder to detect. In one particularly striking case, a finance professional received an email requesting an urgent £25 million transaction. When they questioned the request, the purported CFO suggested the target join a Teams call with themselves and several senior colleagues to validate the payment. The conversation felt natural, detailed and entirely legitimate. Only later did the organisation discover that every participant on the call had been digitally fabricated. “All of the people on those calls were deepfakes, capable of responding in real time” explains Rands. And so the employee authorised the transfer in good faith.

This incident underscores the scale of adaptation now required from finance, treasury and operations teams. Traditional authentication cues such as seeing a colleague’s face, hearing their voice, or relying on the perceived security of a video call can no longer be taken as proof of legitimacy.

The interconnected nature of modern supply chains has created a major structural exposure to cyber threats. Attackers are no longer focused solely on large corporates; instead, they target smaller vendors, outsourced service providers and software components that may open indirect pathways into larger networks.

“The Target breach in 2013 is a classic example of how a small supplier can trigger a major corporate crisis,” says Rands. In this incident, attackers first compromised a small refrigeration contractor with access to Target’s invoice system. Once inside, criminals uploaded malicious files into an untested and poorly configured environment, allowing malware to spread across the retailer’s network and onto point of sale terminals. This ultimately cost the business more than $200 million¹.

British Airways (BA) faced a similar vulnerability in 2018, when attackers altered the source code of a widely used JavaScript library incorporated into its online checkout. “The British Airways breach shows how a single compromised component can undermine an entire system,” says Evans. Even though thousands of websites used the same library, the attack was engineered so it only affected BA’s checkout process, siphoning customer payment data to a malicious domain.

For mid market businesses, the lesson is clear: risk does not always sit where the data resides. Many organisations rely on cloud platforms, third party integrations and external IT providers, each representing a potential point of exposure. As Rands noted, even small companies often underestimate their value to attackers. “You might just be an organisation that does industrial cleaning,” he said, “but you’re a gateway to the businesses that you work with.”

This reality places renewed emphasis on supplier oversight, contractual expectations and independent assurance around digital resilience.

In today’s era of readily available technology capable of exceptional feats of imitation, the issue of cyber security can no longer be treated as a discrete technical issue. It is now a fundamental component of operational resilience and financial integrity. As Rands put it, “good cyber security should be that when something happens, it’s not the first time you’ve thought about it.” Evans similarly encouraged organisations to adopt a posture where verification, governance and clear processes act as safeguards against increasingly credible threats.

Whether facing AI enhanced phishing, deepfake impersonation or supply chain vulnerabilities, businesses of every size need to invest in preparedness, awareness and robust control frameworks. The landscape may be changing quickly, but with the right approach, organisations can strengthen their resilience and maintain the trust of their customers and stakeholders.