Bad actors are now using AI to supercharge their attacks

Here’s what keeps security leaders up at night: bad actors are now using AI to supercharge their attacks

Gone are the days of obvious phishing emails riddled with typos and suspicious formatting. Today’s AI attacks are polished, personalized, and increasingly difficult to spot. AI removes the “tells” that trained employees once relied on, making even seasoned professionals vulnerable.

One InfoSec Director put it bluntly: “My biggest concern about AI in cybersecurity is the ability for cybercriminals to create more believable phishing attacks by removing many of the ‘tells’ that end users could use to identify them.”

This isn’t hypothetical. It’s happening now.

Cybersecurity is fundamentally about people. Technology plays a critical role, but without a workforce that understands the threats and knows how to respond, even the best tools fall short.

Annual Training Isn’t Enough

If your organization’s security awareness program consists of a once-a-year training module followed by a compliance checkbox, you’re leaving the door open.

One-time training doesn’t change behavior. It doesn’t build the kind of reflexive skepticism that stops an employee from clicking a malicious link or entering credentials on a spoofed site. Real security culture requires:

• Frequent, relevant training that adapts to emerging threats
• Simulated phishing that tests employees in realistic scenarios
• Real-time coaching that intervenes now risky behavior occurs
• Continuous measurement of human risk across the organization

The organizations we work with who take this approach see dramatic results. Some have reduced their “phish-prone percentage” from over 30% to under 5% within a year.

Turning Your Workforce Into an Asset

Here’s the good news: the same workforce that represents your largest attack surface can become your strongest line of defense.

When employees know what to look for—and more importantly, when they develop the instincts to pause and verify—they become active participants in your security posture rather than passive vulnerabilities.

This shift requires investment, yes. But it also requires a change in mindset. Security isn’t just IT’s job. It’s everyone’s job. And the organizations that build that understanding into their culture are the ones that prove most resilient when attacks come.

What This Means for Your Coverage

From a risk management perspective, insurers are paying close attention to how organizations approach human risk. A robust security awareness program isn’t just good practice, it’s increasingly a factor in how we assess and price cyber risk.

If you’re evaluating your organization’s cybersecurity posture, ask yourself:

• How often are employees trained on current threats?
• Do you test employees with simulated phishing campaigns?
• Can you measure and report on human risk across your organization?
• Do you have mechanisms for real-time intervention when risky behavior is detected?

The answers to these questions matter, not just to your insurer, but to the long-term security of your business.

Building a Culture of Security

Cybersecurity is fundamentally about people. Technology plays a critical role, but without a workforce that understands the threats and knows how to respond, even the best tools fall short.

At Reliance Insurance, we believe that the organizations best positioned to navigate today’s threat landscape are those that invest in their people, not as a compliance exercise, but as a core business priority.

Because when your employees are trained, vigilant, and empowered, they’re not just avoiding risk. They’re actively protecting everything you’ve built.