The numbers that should worry you
Over the last few years, artificial intelligence has gone from a technology of the future to a mainstream tool that anyone can use. AI is now widely available and has helped many businesses work more efficiently.
However, advancements in AI have also introduced dangerous new cybersecurity risks that every business should know about. These risks come from new vulnerabilities in AI systems and the growing use of AI-driven methods by attackers.
We've rounded up the latest AI cyberattack statistics so you can understand the scope of these new threats. Every number on this page links to its primary source — if we couldn't verify it, we left it out.
Key takeaways
- Hackers now use AI tools like ChatGPT to write more convincing phishing emails.
- Cybercriminals are using AI-generated deepfakes and voice clones for identity-theft scams — including the $25M Arup heist.
- Humans are remarkably bad at spotting AI-generated content: only 0.1% can reliably ID a deepfake, and people identify AI voices correctly just 60% of the time.
- Cybersecurity professionals are investing heavily in AI to identify and respond to threats faster than humans alone can.
The growing role of AI in cybercrime
AI isn't just a tool for defense — it's increasingly being used to power more sophisticated cybercrime. Attackers now use advanced models and machine-learning techniques to evade traditional security controls and personalize attacks at scale.
This shift means organizations must rethink how they assess vulnerabilities and strengthen incident response. Reactive approaches aren't enough when attacks can adapt and evolve in real time.
AI phishing attack statistics
Phishing is one of the most common ways hackers exploit AI. Attackers now use AI tools like ChatGPT to mimic writing styles and avoid detection, taking advantage of vulnerabilities in email filters and user habits. The old advice of “look for typos” is dead.
The phishing paradox
Total volume is down — but the dangerous kind exploded.
Overall phishing emails dipped in 2024, but the sophisticated, AI-personalized variants grew dramatically through H2.
- Phishing email volume: +202% (H2 2024 vs H1 2024, SlashNext)
- Credential-phishing attacks: +703% (H2 2024 vs H1 2024, driven by AI-generated phishing kits, SlashNext)
- Overall phishing volume: -20% (2024 full-year, focus shifting to email + voice, Zscaler)
The numbers explain why even savvy users get caught:
Humans vs. AI-generated lures
78% of people open AI-generated phishing emails. 21% click.
And in controlled research conditions, people identify AI-generated voices correctly only 60% of the time — barely better than a coin flip.
- Open the email: 78% (AI-generated phishing message)
- Click the link: 21% (of recipients who opened it)
- ID an AI voice: 60% (best-case accuracy in research conditions)
And the time-to-craft a convincing phishing email has collapsed. Generative AI tools help attackers compose phishing emails up to 40% faster, which means the same attacker can run more campaigns against more targets. 65% of phishing attacks now target organizations rather than individuals.
AI deepfake statistics
A deepfake is a digitally generated image or video made to look and sound real. Large language models and generative video have collapsed the cost of producing one, and the financial industry has become the most-attacked target.
- Only 0.1% of people can consistently identify a deepfake, even when primed to look for one (iProov tested 2,000 UK and US consumers in 2025).
- 53% of financial professionals have experienced an attempted deepfake scam (Regula Forensics survey, 2024).
- Per the Signicat report, deepfakes are now the most common form of digital identity fraud in financial services across Europe, accounting for roughly 6.5% of all fraud attempts — up from 0.1% three years ago.
The growth curve
Deepfake fraud is up 2,137% since 2022.
What used to be 0.1% of fraud attempts is now 6.5% — roughly 1 in 15 cases. Signicat's survey of 1,200 fraud decision-makers across European financial services tracked this rise.
And it's not theoretical — there's a concrete case that should be on every CFO's mind.
AI password-hacking statistics
AI has changed the economics of brute-forcing passwords. What used to take days now takes minutes for the average reused password.
The cracking-speed problem
51% of 15.68 million common passwords cracked in under a minute.
And 81% of the rest fell within a month. This is why MFA + a password manager isn't optional anymore — the password alone isn't a control.
A 2023 study used an AI tool trained on 15.68M known leaked passwords. Here's how quickly the AI worked through the list.
- 51% of common passwords: <1 minute
- 81% of common passwords: 1 month
The reason this works: 94% of leaked passwords are reused or duplicated across multiple sites, per a 2025 Cybernews study of 19 billion exposed credentials. Crack one, and you've cracked the user's entire digital identity.
AI voice-cloning statistics
Voice cloning takes a short recording of someone's voice — typically pulled from social media, podcasts, or YouTube — and uses it to generate convincing false recordings of that same voice. It's the engine behind a growing wave of phone scams.
The McAfee “Beware the Artificial Imposter” report surveyed 7,054 adults across seven countries and found that a quarter of adults have personally experienced or know someone who experienced an AI voice scam — and 77% of victims lost money. Of those who lost money, more than a third lost between $500 and $3,000; 7% lost between $5,000 and $15,000.
And per a peer-reviewed study published in Nature Scientific Reports, participants correctly identified a voice as AI-generated only about 60% of the time — and matched the perceived identity of an AI-generated voice to its real counterpart 80% of the time.
Worth knowing
In April 2024, a LastPass employee was targeted by an AI voice-cloning scam where the cloned voice impersonated LastPass CEO Karim Toubba. The employee didn't fall for it — but only because the request felt “off”, not because they could tell the voice was fake. LastPass disclosed the incident publicly.
AI in cybersecurity defense
AI isn't just an attack tool. The cybersecurity industry is investing heavily in AI for threat detection, response automation, and vulnerability discovery.
Per TakePoint Research, 80% of industrial cybersecurity professionals believe the benefits of AI in security outweigh the risks, and companies using AI-driven detection report identifying threats up to 60% faster than with traditional methods.
The arms race
Both sides are building. Both markets are exploding.
AI cybersecurity tooling and AI voice cloning are both projected to grow roughly 9-10× over their forecast windows. The defenders are spending faster — but the attackers don't need parity to win.
- AI cybersecurity market (2021 → 2030): $15B → $135B, 9× growth
- AI voice cloning market (2023 → 2033): $2.1B → $25.6B, 12.2× growth
Translation: your firm is going to depend on vendors and partners for AI-powered defense, whether you plan for it or not. The right time to ask what your MSP is using and where the gaps are is before the next attack — not after.
What to do about it
The stats above all share a pattern: AI has lowered the cost and raised the quality of every attack type that targets human judgment. Phishing emails that used to be obvious are now polished. Voices that used to be unreliable are now convincing. Faces that used to require Hollywood budgets are now generated for free.
Three practical defenses for any business, especially CPA firms and other regulated industries:
- Process, not vigilance. Don't rely on humans recognizing an AI-generated message or call. Build approval processes that don't bend based on who appears to be asking — wire authorizations require a callback to a known number, not the number that called you.
- MFA everywhere. Especially for email, accounting software, and any system that touches money or client data. A password that took 30 seconds to crack still won't work without the second factor.
- AI-aware security training. Annual training was enough when phishing emails had typos. Now it needs to be quarterly, and it needs to include voice-cloning and deepfake examples — not just email screenshots.
Whether you're running a CPA firm or any other regulated business, the threat model has changed. The good news: most of the defense is operational, not technical.



