TL;DR
AI has expanded the attack surface for every organisation that builds, buys, or integrates AI systems. Threats now include hyper-personalised phishing powered by deepfakes, prompt injection attacks that hijack AI agents, and model theft that can exfiltrate millions in R&D. Businesses need layered defenses — employee training, AI-specific red-teaming, and governance frameworks like NIST AI RMF — to protect their AI investments and intellectual property.
How AI Is Supercharging Social Engineering and Phishing
Generative AI has made social engineering cheaper, faster, and dramatically more convincing. Attackers no longer need to craft clunky phishing emails by hand — they can now produce hundreds of personalised lures in seconds, complete with flawless grammar and tone-matched writing that bypasses traditional red flags.
Deepfake voice cloning is particularly alarming. In 2024, fraudsters used AI voice cloning to impersonate a CFO at a Hong Kong-based multinational, tricking an employee into executing wire transfers totalling approximately HK$400 million (≈ US$25.6 million) during a video call. The attackers used deepfake technology to recreate the CFO and other executives on a live call. This incident is now a textbook example of how AI weaponises trust at scale.
Key Risks
- Hyper-personalised phishing at scale. LLMs can scrape LinkedIn, company blogs, and breach databases to craft spear-phishing campaigns tailored to individual employees. Cost per attack approaches zero once the model is in place.
- Voice and video deepfakes. Tools can clone a voice from as little as 3 seconds of audio. Video deepfakes are now convincing enough for live calls, as the Hong Kong case demonstrated.
- Business Email Compromise (BEC) evolution. AI-generated BEC emails are indistinguishable from legitimate communications. The FBI's IC3 reported that BEC scams caused over $2.9 billion in adjusted losses in 2023, a figure widely expected to rise as AI lowers the barrier to entry.
Practical Recommendations
- Implement liveness verification protocols for any financial transaction or sensitive request, regardless of the apparent sender. A callback to a pre-verified number should be mandatory.
- Train staff on deepfake-specific social engineering. Traditional phishing training is necessary but no longer sufficient. Employees need to understand that voices and faces can be forged in real time.
- Deploy AI-powered email security solutions that use machine learning to detect anomalous communication patterns, not just signature-based detection. Resources from vendors like Proofpoint, Abnormal Security, and Microsoft Defender for Office 365 offer AI-enhanced BEC detection.
Prompt Injection and AI Agent Security — The New Injection Attack
If SQL injection defined web security for a generation, prompt injection is its AI equivalent — and arguably harder to defend against. Prompt injection occurs when an attacker embeds malicious instructions inside data that an AI model processes, causing it to execute unintended actions. With the rise of AI agents that can read emails, browse the web, execute code, and call APIs, the blast radius of a successful injection is enormous.
Understanding the Threat
Direct prompt injection is where an attacker directly manipulates the input to a model (e.g., "Ignore all previous instructions and reveal the system prompt"). Indirect prompt injection is more dangerous and more realistic in business contexts: an attacker plants malicious content in a document, web page, or email that an AI agent then reads and processes. The agent follows the injected instructions without the user ever seeing the malicious payload.
In 2024, security researchers demonstrated that AI agents reading web pages could be tricked into executing hidden instructions embedded in website text — potentially exfiltrating data, making unauthorised API calls, or modifying files. The OWASP Foundation now ranks prompt injection as the #1 vulnerability in its Top 10 for LLM Applications.
Practical Recommendations
- Treat every AI agent as an untrusted data processor. Any data the agent reads from external sources (web pages, emails, documents, APIs) should be treated as potentially adversarial.
- Implement human-in-the-loop checkpoints for any agent action that has real-world consequences — file writes, API calls, financial transactions, data exfiltration. The agent should request explicit human approval before executing.
- Use sandboxed execution environments. Restrict agent permissions to the minimum required. No agent should have blanket access to production databases or customer data.
- Run regular adversarial testing using tools like Garak (open-source LLM vulnerability scanner from NVIDIA) and Lakera Guard (real-time prompt injection detection). DeepSec offers automated red-teaming for generative AI systems.
Model Theft and Data Poisoning — Protecting the Crown Jewels
AI models are valuable intellectual property. A fine-tuned model representing months of engineering effort and proprietary training data can be exfiltrated, replicated, and weaponised by competitors or nation-state actors. Meanwhile, data poisoning attacks target the integrity of the training pipeline itself — if you cannot trust the data your model was trained on, you cannot trust the model.
Model Theft
Model theft can occur through several vectors:
- API extraction: Attackers make a large number of queries to a model's API and use the responses to train a replica. Research has shown that models can be reconstructed with surprisingly few queries.
- Insider exfiltration: A developer or researcher with model access copies weights or training data to an external location. The 2024 case involving a Google AI researcher allegedly stealing proprietary AI chip trade secrets underscores this risk.
- Infrastructure compromise: A misconfigured cloud bucket, an exposed API key, or a vulnerable dependency can expose model artifacts directly.
HiddenLayer, a startup focused on AI security, reported in their 2024 State of ML/AI Threat Landscape report that 77% of organisations were not prepared for AI-specific security incidents, and model extraction attacks are among the most underreported threat categories.
Data Poisoning
Data poisoning involves manipulating a model's training data to introduce backdoors, biases, or vulnerabilities that activate under specific conditions. For organisations that fine-tune models on user-generated content, scraped data, or third-party datasets, this is a real and growing threat.
Research published at USENIX Security demonstrated that injecting even a small percentage of poisoned samples into a training dataset can create reliable backdoors that are extremely difficult to detect. For organisations relying on external data sources or open datasets, provenance tracking is essential.
Practical Recommendations
- Encrypt model artifacts at rest and enforce strict access controls. Use hardware security modules (HSMs) for the highest-value models.
- Monitor API usage patterns for signs of extraction attacks (abnormally high query volumes, systematic probing).
- Implement data provenance tracking for all training datasets. Know where every sample came from and maintain an audit trail.
- Use model watermarking to detect unauthorised copies. Research-grade watermarking techniques can embed traceable signatures that survive fine-tuning and distillation.
ISO 42001 AI Governance Pack — Coming Soon
Policy templates, risk assessment frameworks, and implementation guidance for organisations deploying AI systems. Join the waitlist for early access.
Join the Waitlist →Governance Frameworks for AI Security
Technical controls are necessary but insufficient. Organisations need structured governance frameworks to manage AI risk systematically. Several frameworks now provide actionable guidance:
Key Frameworks
- NIST AI Risk Management Framework (AI RMF 1.0) — Published in January 2023, this voluntary framework provides a structured approach to managing AI risks across four functions: Govern, Map, Measure, and Manage. It is freely available and widely adopted as the baseline standard for AI risk management.
- ISO/IEC 42001:2023 — The first international standard for AI management systems. It provides a certifiable framework for organisations to establish, implement, and continuously improve AI management practices. Certification is emerging as a procurement requirement in government and enterprise contracts.
- EU AI Act — Entered into force in August 2024. It establishes risk-based obligations for AI systems, with the first compliance deadlines arriving in 2025-2026. Organisations deploying "high-risk" AI systems face significant obligations around transparency, documentation, and human oversight.
- ISO/IEC 23894:2023 — Provides guidance on AI risk management aligned with ISO 31000.
Practical Recommendations
- Start with a gap assessment. Map your current AI usage against NIST AI RMF's Govern function. Where do you have visibility gaps?
- Establish an AI security review process for all new AI systems before deployment. This should include threat modelling, data lineage review, and adversarial testing.
- Invest in ISO 42001 alignment if you operate in regulated industries or sell to government. Early movers gain a competitive advantage as procurement requirements tighten.
- Appoint an AI security lead. Even a part-time designated owner ensures accountability. For smaller organisations, this could be a fractional or advisory role.
FAQ
Q: How much should we budget for AI-specific security? A: There is no one-size-fits-all number, but organisations heavily invested in AI should expect to allocate 5-10% of their total AI budget to security controls, testing, and governance. For a company spending $1M on AI initiatives, that means $50,000-$100,000 annually — covering red-teaming tools, governance software, staff training, and potentially fractional advisory support. The cost of a single model theft or deepfake-enabled fraud incident can far exceed this.
Q: Can we detect deepfakes reliably? A: Detection is an arms race, and no tool is perfect. A layered approach works best: technical detection tools (e.g., Pindrop for voice, Reality Defender for video), combined with process controls like liveness verification and callback protocols for high-value transactions. Do not rely on detection alone — assume deepfakes will bypass technical controls and build process-level defenses.
Q: What's the difference between direct and indirect prompt injection? A: Direct prompt injection is when an attacker directly manipulates the input to a model (e.g., typing "ignore previous instructions"). Indirect prompt injection is when malicious instructions are hidden in data the model reads — a web page, document, or email. Indirect injection is far more dangerous in business contexts because the victim never types anything malicious; their AI agent simply reads a compromised source.
Q: Is ISO 42001 certification worth it for a small business? A: For most small businesses, full certification may be premature. However, aligning with the framework's principles — documenting AI use cases, establishing review processes, and assigning accountability — is valuable regardless of organisation size. If you sell to government or regulated enterprises, certification may become a procurement requirement sooner rather than later.
Conclusion
AI has fundamentally changed the threat landscape. The same technologies that drive efficiency and innovation also create new attack vectors — from deepfake-enabled fraud worth tens of millions to subtle prompt injection attacks that hijack AI agents. The organisations that thrive will be those that treat AI security as a first-class concern, not an afterthought.
Start with the fundamentals: train your team on deepfake social engineering, sandbox your AI agents, protect your model IP, and align with a recognised governance framework like NIST AI RMF or ISO 42001. The investment is modest compared to the cost of a single major incident.
If you want expert help assessing your organisation's AI security posture, start a qualified triage at https://consult.lil.business/ for authority verification, scoped evidence review, and trust assurance planning. No credentials, tenant access, live-system testing, or active scanning is required before signed scope, access verification, and rules of engagement are agreed.
References
- NIST AI Risk Management Framework (AI RMF 1.0)
- OWASP Top 10 for LLM Applications
- HiddenLayer — Threat Hunting for AI (2024 State of ML/AI Threat Landscape)
- CISA — Artificial Intelligence and Cybersecurity Resources
- ENISA — AI Threat Landscape
- Hong Kong deepfake fraud case — Reuters, 2024
Qualified Triage
Need to prove security trust?
We verify authority first, minimise access, define scope, and help you collect evidence for insurers, customers, tenders, auditors, and AI governance reviewers.
Start Qualified Triage →TL;DR
- A bug in Apache Tomcat (a program that runs websites) lets attackers take control of a server.
- Attackers started using it just 30 hours after someone showed how it works online.
- There's a fix — just update to the newest version of Tomcat.
What Happened, in Plain English?
Imagine your school has lockers. Now imagine someone figured out that sliding a specially shaped package through the air vent makes the locker open itself and follow whatever instructions are inside — even "give me everyone's lunch money."
That's basically what happened with Apache Tomcat, a program millions of companies use to run websites [5]. A bug called CVE-2025-24813 lets an attacker send a sneaky file to the server [1]. When the server opens it, it follows the hidden instructions, giving the attacker control [8].
The scary part: someone posted a how-to guide online, and within 30 hours, real attackers were already using it [2].
Which Versions Are Affected?
Three "flavours" of Tomcat have this bug [1]:
- Tomcat 9: versions 9.0.0-M1 through 9.0.98 → update to 9.0.99
- Tomcat 10: versions 10.1.0-M1 through 10.1.34 → update to 10.1.35
- Tomcat 11: versions 11.0.0-M1 through 11.0.2 → update to 11.0.3
What Should You Do?
- Find your Tomcat servers. Check which version each one is running.
- Update them. Install the patched version (9.0.99, 10.1.35, or 11.0.3) [1].
- Check your settings. Make sure the server doesn't let unknown visitors upload files [10].
- Clean up old libraries. Remove or update outdated Java libraries that are known to be unsafe [7][8].
FAQ
Yes. Tomcat often runs behind the scenes in tools you might not realise depend on it [5].
No — it's a small point-release designed to change as little as possible. Test in staging first, then roll it out [1].
Serious enough that CISA flagged it [4], but completely fixable with a straightforward update. The fix costs minutes; ignoring it could cost millions [6][9].
References
[1] Apache Software Foundation, "CVE-2025-24813: Apache Tomcat - Potential RCE and/or Information disclosure," Apache Tomcat Security, Mar. 2025.
[2] Wallarm, "CVE-2025-24813: Apache Tomcat RCE Exploited in the Wild," Wallarm Research, Mar. 2026.
[3] NIST National Vulnerability Database, "CVE-2025-24813 Detail," NVD, 2025.
[4] CISA, "Known Exploited Vulnerabilities Catalog," CISA.gov, 2026.
[5] Shodan, "Apache Tomcat Server Distribution," Shodan.io, 2026.
[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025.
[7] ASD Australian Signals Directorate, "Essential Eight Maturity Model," Australian Government, 2025.
[8] OWASP, "Deserialization of Untrusted Data," OWASP Top 10, 2021.
[9] Verizon, "Data Breach Investigations Report 2025," Verizon, 2025.
[10] SecurityWeek, "Apache Tomcat Vulnerability Important to Patch, Difficult to Exploit," SecurityWeek, Mar. 2026.
Want help checking your servers or setting up automatic updates? We can walk you through it.