AI Reprices Cybercrime Risk Around Phishing And Deepfakes
A Forbes contributor analysis by Dr. Jonathan Reichental, republished by Yahoo Finance, says generative AI is reducing the cost and skill needed for phishing and social-engineering attacks. The piece frames AI cyber risk as an operating-control problem for payment approvals, access requests, employee training, simulations, defensive tools and board-level governance.

A Forbes contributor analysis by Dr. Jonathan Reichental, republished by Yahoo Finance, says artificial intelligence is changing cybercrime less by inventing new attacks than by making old ones cheaper, faster and harder for companies to verify.
The argument is economic as much as technical.
The analysis describes cybercrime as a risk-management problem already projected to cost $14 trillion in 2028, while phishing and social-engineering attacks each cost an enterprise about $4 million per breach.
Generative AI changes that calculation because attackers can automate research, targeting and message production while preserving the credibility that once required skilled human operators.
The Cost Curve Moves First
The strongest evidence is the gap between ordinary phishing and AI-assisted deception.
An academic study cited in the analysis found AI-automated phishing emails performed at the level of human experts and reached a 54 percent click-through rate, compared with 12 percent for generic phishing emails.
That changes the attacker's calculation.
If the marginal cost of a convincing spear-phishing email falls, more campaigns can be built around specific employees, real projects, payment workflows and internal language.
The risk is not only that fraudulent emails look better.
It is that the production cost of believable fraud falls while the possible return remains high.
Spear phishing shows the point clearly.
Messages once requiring manual research can now be personalized at scale, with AI helping gather information, identify targets and shape a request around a company's normal processes.
That makes the attack surface broader than the inbox.
The economics are the warning.
Old Warning Signs Lose Value
Traditional awareness training has often taught employees to spot poor spelling, awkward grammar, odd formatting and generic wording.
The analysis warns that AI weakens those signals by producing cleaner messages and by giving attackers a way to mimic organizational context.
A finance employee, for example, may receive a request that appears to come from a senior executive, refers to a real project and asks for payment to a bank account.
The attack type is not new, but AI can make the request feel routine enough to pass through a busy approval chain.
That shifts phishing from an email-filter problem into a business-process problem.
The question for companies is no longer only whether a message looks suspicious.
It is whether payment approvals, data-access requests and executive instructions have verification paths strong enough to withstand a believable message.
Deepfakes Extend The Same Risk
The Hong Kong deepfake case cited by Reichental shows the same cost shift moving beyond text.
The cited case involved an employee who joined a video conference, believed the call included company executives and transferred $25 million before learning the participants were AI-generated impersonations.
The case illustrates how trust can become part of the attack surface.
A convincing executive impersonation can move the target from system access to the decision process around payment approval.
Voice, video and chat channels can all become routes into the same payment or access workflow.
For security leaders, that means awareness training alone is too narrow.
Employees still need training, but the higher-value control is a second path for confirming high-consequence actions before money moves, credentials change or sensitive data is released.
The Response Is Operational
The five recommendations point toward a broader operating model.
Training needs to reflect AI-driven phishing and social engineering.
Payment, data-access and workflow approvals need to be tested against more realistic deception attempts.
Incident-response exercises should include AI-powered scenarios rather than only conventional breach playbooks.
The recommendations also call for defensive tools designed for AI-enabled attacks, including updated secure email gateways and malicious-traffic controls.
But the governance recommendation is the more important signal: AI cyber risk needs to sit inside risk management, digital trust and innovation oversight, not only inside the security team.
The public record still has limits.
The analysis does not provide a company-by-company benchmark for AI-driven losses, and the cited phishing study sample is not identified in the text available to readers.
Exposure will vary by sector, approval design and employee access patterns.
The analysis does not provide a sector-by-sector loss benchmark for AI-generated phishing or deepfake attempts.
Until that data is clearer, the practical question is how quickly businesses can add verification controls around payment, data-access and executive-approval workflows.


















