TL;DR
Prompt injection is now the #1 AI security risk (OWASP LLM01:2025), with success rates reaching 84% in unprotected systems. AI-powered phishing and deepfake social engineering are costing businesses billions annually — a single deepfake Zoom call cost one firm $499,000. Leaders need technical controls, governance frameworks, and incident response plans designed for the AI era, not just traditional perimeter defence.
The AI Threat Landscape Has Changed the Game
Artificial intelligence is not just a productivity tool — it is a weaponised capability in the hands of adversaries. Traditional cybersecurity models assume attackers exploit code vulnerabilities. In 2026, they exploit language itself. The FBI has officially warned that criminals are "leveraging AI to orchestrate highly targeted phishing campaigns" with perfect grammar and deep personalisation. Meanwhile, prompt injection attacks — ranked LLM01 on the OWASP Top 10 for LLM Applications 2025 — let attackers hijack AI agents by embedding hidden commands in documents, emails, and web pages. Business leaders who treat AI security as a niche engineering problem are already behind.
AI-Powered Phishing and Deepfake Social Engineering
Generative AI has made phishing indistinguishable from legitimate communication. Attackers use large language models to craft messages that reference current projects, use company-specific terminology, and mimic the writing style of actual executives. The result: a 620% spike in phishing attacks ahead of Black Friday 2025 alone, according to Darktrace data.
Deepfake technology compounds the threat. Doppel's 2026 Social Engineering Predictions Report found that deepfake attempts now occur every five minutes, and less than ten seconds of audio is enough to clone a voice convincingly. In one real-world case, attackers used a deepfake video and audio feed on a Zoom call to impersonate a CFO, tricking an employee into transferring $499,000. A 2026 Entrust report recorded a 19% increase in deepfake incidents in Q1 2025 compared to all of 2024 — and the trend is accelerating.
Multi-channel campaigns are the new normal. Doppel reports that 45% of social engineering attacks now span multiple platforms simultaneously — email, SMS, LinkedIn, and fake domains — making them far harder to detect and block through single-channel defences. IBM's 2025 Cost of a Data Breach Report found that AI-driven attacks cost organisations an average of $4.49 million per incident, while organisations using security AI and automation saved $1.9 million and detected incidents ~100 days faster.
Prompt Injection: The #1 AI Vulnerability You Haven't Heard Of
Prompt injection exploits a fundamental design flaw in large language models: they cannot reliably distinguish between trusted system instructions and untrusted input. An attacker embeds malicious natural-language commands inside content the AI processes — a poisoned resume, a web page the AI agent browses, or a document in a retrieval pipeline — and the model naively follows those commands instead of its original programming.
Palo Alto Networks Unit 42 documented a real-world case in December 2025 where attackers used web-based indirect prompt injection to bypass an AI product ad review system, hiding malicious instructions in visually concealed HTML on a website that the AI agent processed as part of its normal operation. Academic researchers have found similar techniques embedded in peer-reviewed papers — hidden text instructing AI review systems to return positive evaluations.
The OWASP classification matters because it signals that prompt injection is not a theoretical risk. Attack success rates range from 50% to 84% depending on system architecture, and the attack surface expands with every new AI agent that can read email, browse the web, query databases, or execute code. An AI sales agent that can send emails on behalf of a human is one prompt injection away from sending fraudulent invoices to customers.
ISO 27001 SMB Starter Pack — $147
Threat intelligence is one thing — having the policies and controls to respond is another. Get the complete ISO 27001 starter kit for SMBs.
Get the Starter Pack →Model Theft and Intellectual Property Risks
AI models represent enormous R&D investment — and they are increasingly targets for theft. Attackers use model extraction techniques, querying APIs thousands of times to reconstruct a proprietary model's behaviour, or exploit supply chain vulnerabilities to exfiltrate model weights. HiddenLayer's threat intelligence team identifies model theft as a primary motivation in attacks against AI systems, noting that stolen models can be fine-tuned for malicious purposes or sold to competitors, erasing millions in competitive advantage overnight.
The OWASP Top 10 for LLMs 2025 also flags supply chain vulnerabilities (LLM03) and data/model poisoning (LLM04) as critical risks. A compromised third-party model or poisoned training dataset can introduce backdoors that are nearly impossible to audit — especially when models are sourced from unverified repositories on HuggingFace or similar platforms.
Governance: The Framework Every Business Needs Now
Protecting an organisation in the AI era requires more than firewall rules and phishing simulations. Leaders should implement:
AI-specific access controls: AI agents must operate under least-privilege identity, with the same token management, dynamic authorisation, and audit logging applied to human users. An agent that can read email should not also be able to send wire transfers.
Prompt injection defences: Deploy input sanitisation, instruction hardening, and output filtering at the application layer. Tools like MintMCP Gateway provide centralised oversight for AI agent deployments, while PromptFoo enables continuous security testing of LLM integrations.
Deepfake-resistant verification: Implement out-of-band verification for financial requests — a phone call to a known number, not just a video feed. Train finance teams to treat any request for fund transfer that arrives through a single channel as suspect until verified through a second, independent channel.
Supply chain governance: Maintain an AI Bill of Materials (AIBOM) — the OWASP Gen AI Security Project provides a free generator — to track every model, dataset, and third-party component in your AI stack. Audit model provenance before deployment, not after a breach.
Incident response for AI: Traditional IR playbooks do not cover scenarios where an AI agent is the compromised entity. Build and tabletop-test procedures for agent containment, credential rotation, and forensic analysis of prompt injection attacks.
The cost of inaction is concrete. IBM data shows breach costs are $4.49 million on average when AI is involved, and detection without AI tools takes ~100 days longer. Frameworks like the OWASP LLM Top 10 and MITRE ATLAS provide free, actionable guidance — and organisations using security AI save nearly $2 million per incident.
FAQ
Q: Is prompt injection really a threat to my business if we're not building custom AI agents? Yes. If your organisation uses any LLM-powered tool that processes external content — Microsoft 365 Copilot reading emails, a CRM AI scanning web leads, or even a chatbot on your website — you have exposure. The attack surface grows with every integration.
Q: How do we verify whether a deepfake is real? Single-channel verification is unreliable. For any financial or sensitive request, require a second, out-of-band confirmation — a phone call to a known number, an in-person check, or a pre-established code word. Technical detection tools are improving, but process is currently the strongest defence.
Q: What is the first thing we should do to secure our AI deployments? Start with an AI asset inventory. Catalogue every LLM integration, AI agent, and third-party AI service your business uses. Map their data access, authentication scope, and attack surface. Then apply least-privilege access controls — you cannot secure what you have not identified.
Q: How much does AI-powered cybercrime actually cost? IBM's 2025 Cost of a Data Breach Report puts AI-driven breaches at $4.49 million on average. Deepfake fraud cost Americans $547.2 million in early 2025 alone. The global cybercrime cost is projected to exceed $10.5 trillion annually.
Conclusion
AI has redefined the threat landscape, and the gap between attacker capability and organisational defence is widening every quarter. Prompt injection turns AI agents into unwitting accomplices. Deepfake social engineering bypasses decades of anti-phishing training. Model theft erases competitive moats built over years. The businesses that survive this shift will be the ones that treat AI security as a board-level governance issue — not an IT checklist item.
Start with an audit. Know your AI attack surface. Test your defences against the OWASP Top 10 for LLMs. And build verification processes that assume seeing is not believing.
Visit consult.lil.business for a free cybersecurity assessment tailored to your AI deployments. Our team can help you audit your AI attack surface, implement governance frameworks, and build resilience against the next generation of threats.
References
- OWASP Top 10 for LLM Applications 2025 — Prompt Injection (LLM01)
- Palo Alto Networks Unit 42 — Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild
- IBM Cost of a Data Breach Report 2025 — AI-Driven Attack Statistics
- MITRE ATLAS — LLM Prompt Injection Techniques (AML.T0051)
- Doppel 2026 Social Engineering Predictions Report — Deepfake and Multi-Channel Attack Data
Verifier warning: verifier returned no output
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →