The $40bn cyber threat to businesses

May 21, 2026

Defence Secretary Sir Michael Fallon gave a speech at Cyber 2017 outlining how the Ministry of Defence is tackling today's cyber threats.

Cybercrime exploits a weakness common to all companies: their people. Criminals don’t need tech skills to hack through a firewall, they can simply dupe unwitting employees into helping them.

A $25m cybercrime at engineering firm Arup only began after an employee signed off 15 transactions following a video call seemingly with their CFO. They later discovered that fraudsters had digitally simulated the CFO and other staff. Cybercrime is a human issue as much as it’s a threat from tech.

In the recent past, criminal gangs needed a call centre. In the near future, they’ll only need a laptop.

Security company Trend Micro linked open-source tech and AI tools – chaining together image generation, text-to-speech, avatar creation, and video production – in a legit project showing that one person could run a highly convincing scam campaign, which previously required a whole team.

Inexpensive deepfake tools allow cybercrime to be deployed at scale, dramatically lowering labour costs. Now that criminal gangs no longer need a warehouse full of labour slaves, cold-calling potential victims, AI fraud has become what has been described as “industrialised plausibility.”

In the year to November 2025, scammers stole £9.4 billion from UK consumers. In the US, AI-related losses are projected to hit $40 billion by 2027, a sharp rise from around $12 billion in 2023. In 2024, 53% of finance professionals in the US and UK said they had been targeted by deepfake scams.

AI capability is progressing faster than companies can keep up with. We have got to the point where tech breakthroughs are so powerful (eg Mythos from Anthropic), they can potentially rip through the entire internet, identifying security vulnerabilities. These can either be corrected or exploited – depending on who gets to them first, which is why Mythos is currently restricted to a select few.

Agentic tools, however, are already widely available. OpenClaw, for example, allows an AI ‘agent’ to take actions, such as automating calendar entries from your social media activity. Now that AI can find flaws and (separately) manage online actions, organisations are becoming ever more vulnerable to new strands of attack, including coordinated campaigns using fake video, audio, and emails.

In response, companies invest in tech-based security such as image analysis and behavioural analytics. Tech security restricts outside threats. However, the best security in the world becomes obsolete the moment an employee is conned into cooperating with AI fraud.

Human detection of high-quality deepfake videos is only 24.5% accurate. Inadequate training doesn’t help. Deloitte’s US CTO has warned that 93% of organisations’ tech-related funding is spent on the technology itself, while just 7% goes to training.

Leaders who provide inadequate training (such as passive videos) are exposing their company to risk. Better to invest in training that requires people to engage with a trainer.

Through active learning, trainees develop the long-term ability to identify and question suspicious communication, a skill that might make all the difference. In the heat of the moment, it won’t necessarily be a tech solution that will come to the rescue. It might be a timely question – from a trained employee, about who or what is behind an unexpected video call.

Millions of dollars are at stake, along with productivity, confidential data, and reputation. Leaders can protect their organisation by ensuring that their people are a secure line of defence. This begins with training. Where to start? Talk to us. We’re Working Voices, we’ve been training people for nearly 30 years and we’re ready to help: wvpsd.com