Back to blog
8 min read

AI Cyber Attack Statistics 2026

The numbers that should worry you

0.1%

can consistently identify a deepfake

iProov, 2025

+2137%

deepfake fraud growth since 2022

Signicat, 2025

+703%

credential phishing growth H2 2024

SlashNext, 2024

86%

of phishing attacks are now AI-driven

KnowBe4, 2026

$25M

lost by Arup in one deepfake video call

CNN, May 2024

Over the last few years, artificial intelligence has gone from a technology of the future to a mainstream tool that anyone can use. AI is now widely available and has helped many businesses work more efficiently.

However, advancements in AI have also introduced dangerous new cybersecurity risks that every business should know about. These risks come from new vulnerabilities in AI systems and the growing use of AI-driven methods by attackers.

We've rounded up the latest AI cyberattack statistics so you can understand the scope of these new threats. Every number on this page links to its primary source — if we couldn't verify it, we left it out.

Key takeaways

  • Hackers now use AI tools like ChatGPT to write more convincing phishing emails.
  • Cybercriminals are using AI-generated deepfakes and voice clones for identity-theft scams — including the $25M Arup heist.
  • Humans are remarkably bad at spotting AI-generated content: only 0.1% can reliably ID a deepfake, and people identify AI voices correctly just 60% of the time.
  • Cybersecurity professionals are investing heavily in AI to identify and respond to threats faster than humans alone can.

The growing role of AI in cybercrime

AI isn't just a tool for defense — it's increasingly being used to power more sophisticated cybercrime. Attackers now use advanced models and machine-learning techniques to evade traditional security controls and personalize attacks at scale.

This shift means organizations must rethink how they assess vulnerabilities and strengthen incident response. Reactive approaches aren't enough when attacks can adapt and evolve in real time.

AI phishing attack statistics

Phishing is one of the most common ways hackers exploit AI. Attackers now use AI tools like ChatGPT to mimic writing styles and avoid detection, taking advantage of vulnerabilities in email filters and user habits. The old advice of “look for typos” is dead.

The phishing paradox

Total volume is down — but the dangerous kind exploded.

Overall phishing emails dipped in 2024, but the sophisticated, AI-personalized variants grew dramatically through H2.

  • Phishing email volume

    +202%

    H2 2024 vs H1 2024 — SlashNext

  • Credential-phishing attacks

    +703%

    H2 2024 vs H1 2024 — driven by AI-generated phishing kits (SlashNext)

  • Overall phishing volume

    -20%

    2024 full-year — focus shifting to email + voice (Zscaler)

Sources: SlashNext 2024 Phishing Intelligence Report; Zscaler ThreatLabz 2025 Phishing Report

The numbers explain why even savvy users get caught:

Humans vs. AI-generated lures

78% of people open AI-generated phishing emails. 21% click.

And in controlled research conditions, people identify AI-generated voices correctly only 60% of the time — barely better than a coin flip.

78%

Open the email

AI-generated phishing message

21%

Click the link

Of recipients who opened it

60%

ID an AI voice

Best-case accuracy in research conditions

Sources: SoSafe AI Phishing Study; Nature Scientific Reports — AI voice clone detection

And the time-to-craft a convincing phishing email has collapsed. Generative AI tools help attackers compose phishing emails up to 40% faster, which means the same attacker can run more campaigns against more targets. 65% of phishing attacks now target organizations rather than individuals.

AI deepfake statistics

A deepfake is a digitally generated image or video made to look and sound real. Large language models and generative video have collapsed the cost of producing one, and the financial industry has become the most-attacked target.

  • Only 0.1% of people can consistently identify a deepfake, even when primed to look for one (iProov tested 2,000 UK and US consumers in 2025).
  • 49% of businesses encountered audio or video deepfake fraud attempts in 2024 — up from around 30% in 2022 (Regula Forensics, 2024).
  • Per the Signicat report, deepfakes are now the most common form of digital identity fraud in financial services across Europe, accounting for roughly 6.5% of all fraud attempts — up from 0.1% three years ago.
  • US losses from generative-AI-enabled fraud are projected to reach $40 billion by 2027 — up from $12.3 billion in 2023, a 32% compound annual growth rate (Deloitte Center for Financial Services).

The growth curve

Deepfake fraud is up 2,137% since 2022.

What used to be 0.1% of fraud attempts is now 6.5% — roughly 1 in 15 cases. Signicat's survey of 1,200 fraud decision-makers across European financial services tracked this rise.

20220.1%2023~2.5%20246.5%Deepfake fraud share of total identity-fraud attempts (Europe, financial services)
Source: Signicat — The Battle Against AI-Driven Identity Fraud (2025)

And it's not theoretical — there's a concrete case that should be on every CFO's mind.

AI password-hacking statistics

AI has changed the economics of brute-forcing passwords. What used to take days now takes minutes for the average reused password.

The cracking-speed problem

51% of 15.68 million common passwords cracked in under a minute.

And 81% of the rest fell within a month. This is why MFA + a password manager isn't optional anymore — the password alone isn't a control.

A 2023 study used an AI tool trained on 15.68M known leaked passwords. Here's how quickly the AI worked through the list.

51%

of common passwords

<1 minute

81%

of common passwords

1 month

0
1 month
Source: Home Security Heroes / ISACA

The reason this works: 94% of leaked passwords are reused or duplicated across multiple sites, per a 2025 Cybernews study of 19 billion exposed credentials. Crack one, and you've cracked the user's entire digital identity.

AI voice-cloning statistics

Voice cloning takes a short recording of someone's voice — typically pulled from social media, podcasts, or YouTube — and uses it to generate convincing false recordings of that same voice. It's the engine behind a growing wave of phone scams.

The McAfee “Beware the Artificial Imposter” report surveyed 7,054 adults across seven countries and found that a quarter of adults have personally experienced or know someone who experienced an AI voice scam — and 77% of victims lost money. Of those who lost money, more than a third lost between $500 and $3,000; 7% lost between $5,000 and $15,000.

The losses are now large enough that the FBI tracks them as their own category. Its 2025 Internet Crime Report logged roughly $893 million in AI-related fraud losses in 2025 — including voice-cloning “family in distress” calls and deepfakes — with $352 million of that hitting adults 60 and older, and the FBI notes the true figure is “almost certainly higher.”

And per a peer-reviewed study published in Nature Scientific Reports, participants correctly identified a voice as AI-generated only about 60% of the time — and matched the perceived identity of an AI-generated voice to its real counterpart 80% of the time.

Worth knowing

In April 2024, a LastPass employee was targeted by an AI voice-cloning scam where the cloned voice impersonated LastPass CEO Karim Toubba. The employee didn't fall for it — but only because the request felt “off”, not because they could tell the voice was fake. LastPass disclosed the incident publicly.

AI in cybersecurity defense

AI isn't just an attack tool. The cybersecurity industry is investing heavily in AI for threat detection, response automation, and vulnerability discovery.

Per TakePoint Research, 80% of industrial cybersecurity professionals believe the benefits of AI in security outweigh the risks, and companies using AI-driven detection report identifying threats up to 60% faster than with traditional methods.

The arms race

Both sides are building. Both markets are exploding.

The AI-defense market is projected to nearly quadruple by 2030 ($25B→$94B), while AI voice cloning is forecast to grow more than 10× by 2033 ($2.1B→$25.6B). The defenders are spending far more — but the attackers don't need parity to win.

AI cybersecurity market

2024 → 2030

$25.35B

$93.75B

20242030

3.7×growth

AI voice cloning market

2023 → 2033

$2.1B

$25.6B

20232033

12.2×growth

Sources: Grand View Research — AI in Cybersecurity Market, 2030; Market.us — AI Voice Cloning Market

Translation: your firm is going to depend on vendors and partners for AI-powered defense, whether you plan for it or not. The right time to ask what your managed IT provider is using and where the gaps are is before the next attack — not after.

What to do about it

The stats above all share a pattern: AI has lowered the cost and raised the quality of every attack type that targets human judgment. Phishing emails that used to be obvious are now polished. Voices that used to be unreliable are now convincing. Faces that used to require Hollywood budgets are now generated for free.

Three practical defenses for any business, especially CPA firms and other regulated industries:

  1. Process, not vigilance. Don't rely on humans recognizing an AI-generated message or call. Build approval processes that don't bend based on who appears to be asking — wire authorizations require a callback to a known number, not the number that called you.
  2. MFA everywhere. Especially for email, accounting software, and any system that touches money or client data. A password that took 30 seconds to crack still won't work without the second factor.
  3. AI-aware security training. Annual training was enough when phishing emails had typos. Now it needs to be quarterly, and it needs to include voice-cloning and deepfake examples — not just email screenshots.

Whether you're running a CPA firm or any other regulated business, the threat model has changed. The good news: most of the defense is operational, not technical — and for accounting firms, most of it is already required under IRS Publication 4557 and the FTC Safeguards Rule.

More from our security statistics library: Accounting Firm Cybersecurity Statistics · Law Firm Cybersecurity Statistics

All articles
Share this article

Work With Us

Technology expertise, built for accounting firms.

Schedule a free IT assessment. No obligation. Just a conversation.

Fixed monthly pricing
Response in 15 minutes
Free, no obligation
Call UsFree Assessment