ValorTech(414) 410-9440
The AI Threat Assessment & Checklist

The AI ThreatAssessment& Checklist

  • Why traditional phishing tests are failingNew data
  • How to secure your "Money Path" from deepfakes & BEC
  • A 30/60/90-day plan built for non-technical leaders
  • The exact KPIs your board should track - and which to ignore

Prepared by ValorTech

Updated Jan 2026

Social engineering at scale

Traditional awareness alone is no longer enough. AI-crafted phishing now reads like a real business conversation instead of an obvious fake.

Phishing click-through rates

12%Traditional
54%AI-assisted

Source: Microsoft DDR 2025 and Verizon DBIR 2025.

Key insight

AI strips out the grammar and tone errors employees were taught to use as warning signs.

Downtime is not an option1

Prepared by ValorTech

Updated Jan 2026

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud quietly drains cash. FBI reporting and incident data show the same pattern: BEC and fraud still lead real financial damage.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud

$6.57B

Business email compromise

$2.77B

Tech support scams

$1.46B

Personal data breach

$1.45B

Non-payment / non-delivery

$0.79B

Reported losses (USD billions)

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact steps do we require before money moves?

Minimum viable BEC controls

Start here if you want one week of high-impact improvement:

Call-backs to known numbers for bank and payee changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control on vendor master records.

Downtime is not an option2

Prepared by ValorTech

Updated Jan 2026

Ransomware reality: resilience beats heroics

Ransomware remains high impact. Most organizations in the DBIR sample did not pay, but recovery still hurts when backups are untested and identity is loose.

Ransomware presence

32%2024
44%2025

Paying the ransom

36%
64%

Source: Verizon 2025 DBIR Executive Summary.

Backups that actually work

Immutable copies protected from quiet deletion.

Restore tests that prove RTO and RPO.

Backup systems segmented from day-to-day IT.

A written recovery runbook for containment and decisions.

Key takeaway

Don't wait for an incident to learn your recovery time. Treat restore testing like a fire drill: scheduled, measurable, and documented.
Downtime is not an option3

Prepared by ValorTech

Updated Jan 2026

The AI risk puzzle: two lenses

Most organizations only ask how their people use AI. Attackers use AI against you whether or not you adopt it, so we score internal and external exposure together.

AI exposure map

AI governance first

Approve use cases

Keep sensitive data out

Require human review

High velocity / high risk

Assume targeted impersonation

Layer controls fast

Run tabletop drills

Baseline hygiene

Lock identity down

Patch + backup basics

Run phishing drills

Brand + exec protection

Harden payment changes

Monitor impersonation

Tighten public bios

How to use the map

Pick the quadrant you are in today. If you are unsure, assume high velocity and high risk when you have executive visibility, vendor complexity, or frequent payment changes.

Signals you're in high velocity / high risk

Frequent vendor banking changes and urgent wires.

High public visibility for executives.

Many third-party vendors with remote access.

A distributed team that relies heavily on email and SaaS.

Downtime is not an option4

Prepared by ValorTech

Updated Jan 2026

Business continuity & disaster recovery

AI raises both security and operational risk. Our continuity work starts with business processes, not servers.

Key insight

Write down your decision rights in advance: who can authorize downtime, who can approve emergency spend, and who speaks to customers, insurers, and counsel.

Critical

System(s)

Owner

RTO

RPO

Notes

Operator tip: the 'skeleton crew' file drill

Assume email is down and one key system is unavailable. Run the business for 60 minutes using your documented workarounds, then fix what breaks first.
Downtime is not an option5

Prepared by ValorTech

Updated Jan 2026

Operational technology and edge systems

The fastest route to real-world disruption is often through systems that look like IT but behave like physical operations.

Key insight

Keep OT-like systems behind controlled access with MFA, a firewall boundary, and a jump host we can monitor.

A simple segmentation model

IT Network

Email / SaaS

Identity

Endpoints

Servers

Security zone

Firewall

Jump host

MFA

Logging

OT / Physical ops

Building systems

Access control

Medical / lab

Sensors / fleet

Controlled access (MFA + logging)

Edge devices & VPNs targeted in vulnerability exploitation

3%2024
22%2025
Downtime is not an option6
ValorTech team collaborating
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI ThreatAssessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat

Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating

Prepared by ValorTech

Updated Jan 2026

Social engineering at scale

Traditional awareness alone is no longer enough. AI-crafted phishing now reads like a real business conversation instead of an obvious fake.

Phishing click-through rates

12%Traditional
54%AI-assisted

Source: Microsoft DDR 2025 and Verizon DBIR 2025.

Key insight

AI strips out the grammar and tone errors employees were taught to use as warning signs.

Downtime is not an option1

Prepared by ValorTech

Updated Jan 2026

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud quietly drains cash. FBI reporting and incident data show the same pattern: BEC and fraud still lead real financial damage.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud

$6.57B

Business email compromise

$2.77B

Tech support scams

$1.46B

Personal data breach

$1.45B

Non-payment / non-delivery

$0.79B

Reported losses (USD billions)

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact steps do we require before money moves?

Minimum viable BEC controls

Start here if you want one week of high-impact improvement:

Call-backs to known numbers for bank and payee changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control on vendor master records.

Downtime is not an option2

Prepared by ValorTech

Updated Jan 2026

Ransomware reality: resilience beats heroics

Ransomware remains high impact. Most organizations in the DBIR sample did not pay, but recovery still hurts when backups are untested and identity is loose.

Ransomware presence

32%2024
44%2025

Paying the ransom

36%
64%

Source: Verizon 2025 DBIR Executive Summary.

Backups that actually work

Immutable copies protected from quiet deletion.

Restore tests that prove RTO and RPO.

Backup systems segmented from day-to-day IT.

A written recovery runbook for containment and decisions.

Key takeaway

Don't wait for an incident to learn your recovery time. Treat restore testing like a fire drill: scheduled, measurable, and documented.
Downtime is not an option3

Prepared by ValorTech

Updated Jan 2026

The AI risk puzzle: two lenses

Most organizations only ask how their people use AI. Attackers use AI against you whether or not you adopt it, so we score internal and external exposure together.

AI exposure map

AI governance first

Approve use cases

Keep sensitive data out

Require human review

High velocity / high risk

Assume targeted impersonation

Layer controls fast

Run tabletop drills

Baseline hygiene

Lock identity down

Patch + backup basics

Run phishing drills

Brand + exec protection

Harden payment changes

Monitor impersonation

Tighten public bios

How to use the map

Pick the quadrant you are in today. If you are unsure, assume high velocity and high risk when you have executive visibility, vendor complexity, or frequent payment changes.

Signals you're in high velocity / high risk

Frequent vendor banking changes and urgent wires.

High public visibility for executives.

Many third-party vendors with remote access.

A distributed team that relies heavily on email and SaaS.

Downtime is not an option4

Prepared by ValorTech

Updated Jan 2026

Business continuity & disaster recovery

AI raises both security and operational risk. Our continuity work starts with business processes, not servers.

Key insight

Write down your decision rights in advance: who can authorize downtime, who can approve emergency spend, and who speaks to customers, insurers, and counsel.

Critical

System(s)

Owner

RTO

RPO

Notes

Operator tip: the 'skeleton crew' file drill

Assume email is down and one key system is unavailable. Run the business for 60 minutes using your documented workarounds, then fix what breaks first.
Downtime is not an option5

Prepared by ValorTech

Updated Jan 2026

Operational technology and edge systems

The fastest route to real-world disruption is often through systems that look like IT but behave like physical operations.

Key insight

Keep OT-like systems behind controlled access with MFA, a firewall boundary, and a jump host we can monitor.

A simple segmentation model

IT Network

Email / SaaS

Identity

Endpoints

Servers

Security zone

Firewall

Jump host

MFA

Logging

OT / Physical ops

Building systems

Access control

Medical / lab

Sensors / fleet

Controlled access (MFA + logging)

Edge devices & VPNs targeted in vulnerability exploitation

3%2024
22%2025
Downtime is not an option6
ValorTech team collaborating
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI ThreatAssessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat

Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating

Prepared by ValorTech

Updated Jan 2026

Social engineering at scale

Traditional awareness alone is no longer enough. AI-crafted phishing now reads like a real business conversation instead of an obvious fake.

Phishing click-through rates

12%Traditional
54%AI-assisted

Source: Microsoft DDR 2025 and Verizon DBIR 2025.

Key insight

AI strips out the grammar and tone errors employees were taught to use as warning signs.

Downtime is not an option1

Prepared by ValorTech

Updated Jan 2026

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud quietly drains cash. FBI reporting and incident data show the same pattern: BEC and fraud still lead real financial damage.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud

$6.57B

Business email compromise

$2.77B

Tech support scams

$1.46B

Personal data breach

$1.45B

Non-payment / non-delivery

$0.79B

Reported losses (USD billions)

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact steps do we require before money moves?

Minimum viable BEC controls

Start here if you want one week of high-impact improvement:

Call-backs to known numbers for bank and payee changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control on vendor master records.

Downtime is not an option2

Prepared by ValorTech

Updated Jan 2026

Ransomware reality: resilience beats heroics

Ransomware remains high impact. Most organizations in the DBIR sample did not pay, but recovery still hurts when backups are untested and identity is loose.

Ransomware presence

32%2024
44%2025

Paying the ransom

36%
64%

Source: Verizon 2025 DBIR Executive Summary.

Backups that actually work

Immutable copies protected from quiet deletion.

Restore tests that prove RTO and RPO.

Backup systems segmented from day-to-day IT.

A written recovery runbook for containment and decisions.

Key takeaway

Don't wait for an incident to learn your recovery time. Treat restore testing like a fire drill: scheduled, measurable, and documented.
Downtime is not an option3

Prepared by ValorTech

Updated Jan 2026

The AI risk puzzle: two lenses

Most organizations only ask how their people use AI. Attackers use AI against you whether or not you adopt it, so we score internal and external exposure together.

AI exposure map

AI governance first

Approve use cases

Keep sensitive data out

Require human review

High velocity / high risk

Assume targeted impersonation

Layer controls fast

Run tabletop drills

Baseline hygiene

Lock identity down

Patch + backup basics

Run phishing drills

Brand + exec protection

Harden payment changes

Monitor impersonation

Tighten public bios

How to use the map

Pick the quadrant you are in today. If you are unsure, assume high velocity and high risk when you have executive visibility, vendor complexity, or frequent payment changes.

Signals you're in high velocity / high risk

Frequent vendor banking changes and urgent wires.

High public visibility for executives.

Many third-party vendors with remote access.

A distributed team that relies heavily on email and SaaS.

Downtime is not an option4

Prepared by ValorTech

Updated Jan 2026

Business continuity & disaster recovery

AI raises both security and operational risk. Our continuity work starts with business processes, not servers.

Key insight

Write down your decision rights in advance: who can authorize downtime, who can approve emergency spend, and who speaks to customers, insurers, and counsel.

Critical

System(s)

Owner

RTO

RPO

Notes

Operator tip: the 'skeleton crew' file drill

Assume email is down and one key system is unavailable. Run the business for 60 minutes using your documented workarounds, then fix what breaks first.
Downtime is not an option5

Prepared by ValorTech

Updated Jan 2026

Operational technology and edge systems

The fastest route to real-world disruption is often through systems that look like IT but behave like physical operations.

Key insight

Keep OT-like systems behind controlled access with MFA, a firewall boundary, and a jump host we can monitor.

A simple segmentation model

IT Network

Email / SaaS

Identity

Endpoints

Servers

Security zone

Firewall

Jump host

MFA

Logging

OT / Physical ops

Building systems

Access control

Medical / lab

Sensors / fleet

Controlled access (MFA + logging)

Edge devices & VPNs targeted in vulnerability exploitation

3%2024
22%2025
Downtime is not an option6
ValorTech team collaborating
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI ThreatAssessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat

Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating

Key Insights in This Report:

54%vs12%

AI-assisted vs. traditional phishing click-through rate

Microsoft Digital Defense Report 2025

1.2 HRS

Breach to data theft - down from 4.8 hrs in 2024

Unit 42 Global Incident Response Report 2026

$4.44M

Global average cost of a data breach (2025)

IBM / Lennon Cost of a Data Breach 2025

54%vs12%

AI-assisted vs. traditional phishing click-through rate

Microsoft Digital Defense Report 2025

1.2 HRS

Breach to data theft - down from 4.8 hrs in 2024

Unit 42 Global Incident Response Report 2026

$4.44M

Global average cost of a data breach (2025)

IBM / Lennon Cost of a Data Breach 2025

The Threat Has Changed

Old Defenses Weren't Built for This

AI-assisted phishing is 4.5× more effective than traditional methods — and your employees are the target. The playbook shows you exactly how to close the gap

Phishing Click-Through Rate

Simulated attack data — Microsoft DDR 2025

60%50%40%30%20%10%0%
12%
Traditional Phishing
54%
AI-automated phishing emails

*Your employees are 4.5× more likely to click an AI-crafted message

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Phishing Click-Through Rate

Simulated attack data — Microsoft DDR 2025

60%

50%

40%

30%

20%

10%

0%

Traditional Phishing

AI-automated phishing emails

12%

54%

*Your employees are 4.5× more likely to click an AI-crafted message

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Adam Sipos, Chief Information Security Officer at ValorTech

“

We are being trained to trust AI implicitly, trading our privacy for the ultimate convenience. But while we embrace these tools, the threat landscape is shifting rapidly. Hackers have immediate access to information and zero-day vulnerabilities, making critical maintenance more important than ever. Our message shouldn't be about fearing AI, it's about retaining your control. Nobody is developing their own AI from scratch; we are all navigating how to use it strategically. Set your goals, keep your walls high, and ensure your security posture evolves just as fast as the tools you're adopting.

Adam

Chief Information Security Officer (CISO)

ValorTech
The Coding-to-Hacking Evolution

AI Now Hacks Like
A Mid-Level Engineer

The SWE-bench measures whether an AI can navigate, understand, and modify real-world code. In 2023, models solved 4% of tasks. By early 2026, frontier models score above 75% - meaning an AI can find a bug, understand the full app context, and write an exploit in seconds. The playbook covers what this means for your software vendors, internal tools, and IT supply chain.

Swe-bench scores - Feb 2026

Real-world code task completion rate

Claude Sonnet 4.5
79.2%
Gemini 3
76.2%
GPT-5.2
75.4%
Human Avg.
92%
Claude Sonnet 4.5
79.2%
Gemini 3
76.2%
GPT-5.2
75.4%
Human Avg.
92%

In 2023, models scored 4%. The gap to human-level is closing fast.

What's in the Playbook?

Four Things Your Leadership Team Needs

01

Benchmark Your Exposure

The AI Readiness Questionnaire

Identify your highest-risk gaps across identity, payments, data, and AI governance - in under 15 minutes

02

Stop Wire Fraud Cold

The "Money Path" Protocol

A printable verification script for finance teams to stop deepfake-driven payment fraud before it lands

03

No New Headcount Required

The 30/60/90-Day Plan

Harden identity, govern AI tools, and train staff on a realistic timeline built for non-technical leaders

04

Report to Your Board

The Executive KPI Dashboard

The 8 metrics your board and insurer need - and which vanity metrics to stop tracking immediately

Get the Free Executive Playbook

Trusted by healthcare, finance, legal, and non-profit leaders across the Midwest

Fraud and BEC are still the loss leaders

The fastest route to real-world loss is still fraud: payment redirection, vendor spoofing, and business email compromise.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B

Reported losses (USD billions)

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact out-of-band steps do we require before money moves?

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank/pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records (who can edit, and when).

Downtime is not an option2

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud is what quietly drains cash. In Microsoft's incident data, business email compromise (BEC) is a more frequent outcome than ransomware. FBI reporting shows the same pattern: fraud categories dominate the top loss drivers.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud

$6.57B

Business email compromise

$2.77B

Tech support scams

$1.46B

Personal data breach

$1.45B

Non-payment / non-delivery

$0.79B

01234567

Reported losses (USD billions)

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Board question

If a controller receives an 'urgent' email from the CEO asking for a wire, what exact steps do we require before money moves?

Our rule: if it changes where money goes (bank details, payee, vendor, ACH/wire instructions), it requires an out-of-band call-back and a second approver. No exceptions for urgency.

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank/pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records (who can edit, and when).

Downtime is not an option2
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat

Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating

Fraud and BEC are still the loss leaders

The fastest route to real-world loss is still fraud: payment redirection, vendor spoofing, and business email compromise.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B

Reported losses (USD billions)

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact out-of-band steps do we require before money moves?

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank/pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records (who can edit, and when).

Downtime is not an option2

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud is what quietly drains cash. In Microsoft's incident data, business email compromise (BEC) is a more frequent outcome than ransomware. FBI reporting shows the same pattern: fraud categories dominate the top loss drivers.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud

$6.57B

Business email compromise

$2.77B

Tech support scams

$1.46B

Personal data breach

$1.45B

Non-payment / non-delivery

$0.79B

01234567

Reported losses (USD billions)

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Board question

If a controller receives an 'urgent' email from the CEO asking for a wire, what exact steps do we require before money moves?

Our rule: if it changes where money goes (bank details, payee, vendor, ACH/wire instructions), it requires an out-of-band call-back and a second approver. No exceptions for urgency.

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank/pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records (who can edit, and when).

Downtime is not an option2
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat

Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating

Get the Free Executive Playbook

Trusted by healthcare, finance, legal, and non-profit leaders across the Midwest

Fraud and BEC are still the loss leaders

The fastest route to real-world loss is still fraud: payment redirection, vendor spoofing, and business email compromise.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B

Reported losses (USD billions)

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact out-of-band steps do we require before money moves?

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank/pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records (who can edit, and when).

Downtime is not an option2

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud is what quietly drains cash. In Microsoft's incident data, business email compromise (BEC) is a more frequent outcome than ransomware. FBI reporting shows the same pattern: fraud categories dominate the top loss drivers.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud

$6.57B

Business email compromise

$2.77B

Tech support scams

$1.46B

Personal data breach

$1.45B

Non-payment / non-delivery

$0.79B

01234567

Reported losses (USD billions)

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Board question

If a controller receives an 'urgent' email from the CEO asking for a wire, what exact steps do we require before money moves?

Our rule: if it changes where money goes (bank details, payee, vendor, ACH/wire instructions), it requires an out-of-band call-back and a second approver. No exceptions for urgency.

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank/pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records (who can edit, and when).

Downtime is not an option2
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat

Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating

Fraud and BEC are still the loss leaders

The fastest route to real-world loss is still fraud: payment redirection, vendor spoofing, and business email compromise.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B

Reported losses (USD billions)

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact out-of-band steps do we require before money moves?

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank/pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records (who can edit, and when).

Downtime is not an option2

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud is what quietly drains cash. In Microsoft's incident data, business email compromise (BEC) is a more frequent outcome than ransomware. FBI reporting shows the same pattern: fraud categories dominate the top loss drivers.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud

$6.57B

Business email compromise

$2.77B

Tech support scams

$1.46B

Personal data breach

$1.45B

Non-payment / non-delivery

$0.79B

01234567

Reported losses (USD billions)

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Board question

If a controller receives an 'urgent' email from the CEO asking for a wire, what exact steps do we require before money moves?

Our rule: if it changes where money goes (bank details, payee, vendor, ACH/wire instructions), it requires an out-of-band call-back and a second approver. No exceptions for urgency.

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank/pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records (who can edit, and when).

Downtime is not an option2
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating
ValorTech

Prepared by ValorTech | Updated Jan 2026

Confidential - for business leadership use

Our 2026 AI Threat

Assessment & Checklist

A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

ValorTech team collaborating

Ready to Know Where You Actually Stand?

Download the free playbook, score your organization, and bring the results to ValorTech for a complimentary 30-day remediation session - at no cost.

Call (414) 410-9440valortech.io

Social engineering at scale

Phishing isn't new. What's new is speed and personalization. In testing, AI-automated phishing emails produced a much higher click-through rate than standard phishing. That creates volume pressure: more attempts get through, and teams spend more time verifying what used to be obvious.

Phishing click-through rates in testing

60%50%40%30%20%10%0%
12%
54%
Standard phishing emailsAI-automated phishing emails

Source: Microsoft Digital Defense Report 2025 (p.36)

Key insight

Treat verification as a business process, not a security training problem. Your best defense is a small set of repeatable workflows that make fraud expensive: call-backs, dual approval, and known-good contacts.

Fast controls we recommend

Harden payment changes: out-of-band verification + two-person approval.

Fix helpdesk resets: strong identity proofing + phishing-resistant MFA for admins.

Reduce public puzzle pieces: limit org charts, travel posts, and vendor details in public bios.

Practice the moment of truth: monthly drills for urgent payment and CEO text scenarios.

Downtime is not an option1

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud is what quietly drains cash. In Microsoft's incident data, business email compromise is a more frequent outcome than ransomware. FBI reporting shows the same pattern: fraud categories dominate the top loss drivers.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B
01234567

Reported losses (USD billions)

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact steps do we require before money moves?

Our rule: if it changes where money goes, it requires an out-of-band call-back and a second approver. No exceptions for urgency.

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank and pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records: who can edit, and when.

Downtime is not an option2

Ransomware reality: resilience beats heroics

Ransomware remains a high-impact scenario. In Verizon's 2025 DBIR sample, ransomware appears in 44% of breaches reviewed. The good news: most organizations did not pay. The bad news: recovery still hurts when backups aren't tested and identity isn't locked down.

Ransomware presence in breaches

Paying the ransom (DBIR 2025 sample)

32%
44%
20242025

% of breaches reviewed

36%

Paid

64%

Did not pay

Source: Verizon 2025 DBIR Executive Summary.

Backups that actually work

Immutable copies: protected backups that an admin account can't quietly delete.

Restore tests: scheduled proof that we can restore systems within agreed RTO/RPO.

Separation: backup systems and credentials segmented from day-to-day IT.

Recovery runbook: who decides, who communicates, who talks to insurers and legal, and who runs containment.

Key takeaway

Don't wait for an incident to learn your recovery time. We treat restore testing like a fire drill: scheduled, measurable, and documented.

Downtime is not an option3

Social engineering at scale

Phishing isn't new. What's new is speed and personalization. In testing, AI-automated phishing emails produced a much higher click-through rate than standard phishing. That creates volume pressure: more attempts get through, and teams spend more time verifying what used to be obvious.

Phishing click-through rates in testing

60%50%40%30%20%10%0%
12%
54%
Standard phishing emailsAI-automated phishing emails

Source: Microsoft Digital Defense Report 2025 (p.36)

Key insight

Treat verification as a business process, not a security training problem. Your best defense is a small set of repeatable workflows that make fraud expensive: call-backs, dual approval, and known-good contacts.

Fast controls we recommend

Harden payment changes: out-of-band verification + two-person approval.

Fix helpdesk resets: strong identity proofing + phishing-resistant MFA for admins.

Reduce public puzzle pieces: limit org charts, travel posts, and vendor details in public bios.

Practice the moment of truth: monthly drills for urgent payment and CEO text scenarios.

Downtime is not an option1

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud is what quietly drains cash. In Microsoft's incident data, business email compromise is a more frequent outcome than ransomware. FBI reporting shows the same pattern: fraud categories dominate the top loss drivers.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B
01234567

Reported losses (USD billions)

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact steps do we require before money moves?

Our rule: if it changes where money goes, it requires an out-of-band call-back and a second approver. No exceptions for urgency.

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank and pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records: who can edit, and when.

Downtime is not an option2

Ransomware reality: resilience beats heroics

Ransomware remains a high-impact scenario. In Verizon's 2025 DBIR sample, ransomware appears in 44% of breaches reviewed. The good news: most organizations did not pay. The bad news: recovery still hurts when backups aren't tested and identity isn't locked down.

Ransomware presence in breaches

Paying the ransom (DBIR 2025 sample)

32%
44%
20242025

% of breaches reviewed

36%

Paid

64%

Did not pay

Source: Verizon 2025 DBIR Executive Summary.

Backups that actually work

Immutable copies: protected backups that an admin account can't quietly delete.

Restore tests: scheduled proof that we can restore systems within agreed RTO/RPO.

Separation: backup systems and credentials segmented from day-to-day IT.

Recovery runbook: who decides, who communicates, who talks to insurers and legal, and who runs containment.

Key takeaway

Don't wait for an incident to learn your recovery time. We treat restore testing like a fire drill: scheduled, measurable, and documented.

Downtime is not an option3

Social engineering at scale

Phishing isn't new. What's new is speed and personalization. In testing, AI-automated phishing emails produced a much higher click-through rate than standard phishing. That creates volume pressure: more attempts get through, and teams spend more time verifying what used to be obvious.

Phishing click-through rates in testing

60%50%40%30%20%10%0%
12%
54%
Standard phishing emailsAI-automated phishing emails

Source: Microsoft Digital Defense Report 2025 (p.36)

Key insight

Treat verification as a business process, not a security training problem. Your best defense is a small set of repeatable workflows that make fraud expensive: call-backs, dual approval, and known-good contacts.

Fast controls we recommend

Harden payment changes: out-of-band verification + two-person approval.

Fix helpdesk resets: strong identity proofing + phishing-resistant MFA for admins.

Reduce public puzzle pieces: limit org charts, travel posts, and vendor details in public bios.

Practice the moment of truth: monthly drills for urgent payment and CEO text scenarios.

Downtime is not an option1

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud is what quietly drains cash. In Microsoft's incident data, business email compromise is a more frequent outcome than ransomware. FBI reporting shows the same pattern: fraud categories dominate the top loss drivers.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B
01234567

Reported losses (USD billions)

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact steps do we require before money moves?

Our rule: if it changes where money goes, it requires an out-of-band call-back and a second approver. No exceptions for urgency.

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank and pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records: who can edit, and when.

Downtime is not an option2

Ransomware reality: resilience beats heroics

Ransomware remains a high-impact scenario. In Verizon's 2025 DBIR sample, ransomware appears in 44% of breaches reviewed. The good news: most organizations did not pay. The bad news: recovery still hurts when backups aren't tested and identity isn't locked down.

Ransomware presence in breaches

Paying the ransom (DBIR 2025 sample)

32%
44%
20242025

% of breaches reviewed

36%

Paid

64%

Did not pay

Source: Verizon 2025 DBIR Executive Summary.

Backups that actually work

Immutable copies: protected backups that an admin account can't quietly delete.

Restore tests: scheduled proof that we can restore systems within agreed RTO/RPO.

Separation: backup systems and credentials segmented from day-to-day IT.

Recovery runbook: who decides, who communicates, who talks to insurers and legal, and who runs containment.

Key takeaway

Don't wait for an incident to learn your recovery time. We treat restore testing like a fire drill: scheduled, measurable, and documented.

Downtime is not an option3
ValorTech

Battle-tested guidance for leaders. Not legal advice.

Copyright 2026 All Rights Reserved

Privacy PolicyTerms & ConditionsAbout Us

Ready to Know Where You Actually Stand?

Download the free playbook, score your organization, and bring the results to ValorTech for a complimentary 30-day remediation session — at no cost
Call (414) 410-9440valortech.io

Social engineering at scale

Phishing isn't new. What's new is speed and personalization. In testing, AI-automated phishing emails produced a much higher click-through rate than standard phishing. That creates volume pressure: more attempts get through, and teams spend more time verifying what used to be obvious.

Phishing click-through rates in testing

60%50%40%30%20%10%0%
12%
54%
Standard phishing emailsAI-automated phishing emails

Source: Microsoft Digital Defense Report 2025 (p.36)

Key insight

Treat verification as a business process, not a security training problem. Your best defense is a small set of repeatable workflows that make fraud expensive: call-backs, dual approval, and known-good contacts.

Fast controls we recommend

Harden payment changes: out-of-band verification + two-person approval.

Fix helpdesk resets: strong identity proofing + phishing-resistant MFA for admins.

Reduce public puzzle pieces: limit org charts, travel posts, and vendor details in public bios.

Practice the moment of truth: monthly drills for urgent payment and CEO text scenarios.

Downtime is not an option1

Fraud and BEC are still the loss leaders

Ransomware gets the headlines, but fraud is what quietly drains cash. In Microsoft's incident data, business email compromise is a more frequent outcome than ransomware. FBI reporting shows the same pattern: fraud categories dominate the top loss drivers.

Top cyber-enabled fraud loss categories (US, 2024)

Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B
01234567

Reported losses (USD billions)

Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

Board question

If a controller receives an urgent email from the CEO asking for a wire, what exact steps do we require before money moves?

Our rule: if it changes where money goes, it requires an out-of-band call-back and a second approver. No exceptions for urgency.

Minimum viable BEC controls

Start here if you want one week of high-impact improvements:

Call-backs to known numbers for bank and pay changes.

Two-person approval for wires, ACH changes, and new vendors.

Change-control for vendor master records: who can edit, and when.

Downtime is not an option2

Ransomware reality: resilience beats heroics

Ransomware remains a high-impact scenario. In Verizon's 2025 DBIR sample, ransomware appears in 44% of breaches reviewed. The good news: most organizations did not pay. The bad news: recovery still hurts when backups aren't tested and identity isn't locked down.

Ransomware presence in breaches

Paying the ransom (DBIR 2025 sample)

32%
44%
20242025

% of breaches reviewed

36%

Paid

64%

Did not pay

Source: Verizon 2025 DBIR Executive Summary.

Backups that actually work

Immutable copies: protected backups that an admin account can't quietly delete.

Restore tests: scheduled proof that we can restore systems within agreed RTO/RPO.

Separation: backup systems and credentials segmented from day-to-day IT.

Recovery runbook: who decides, who communicates, who talks to insurers and legal, and who runs containment.

Key takeaway

Don't wait for an incident to learn your recovery time. We treat restore testing like a fire drill: scheduled, measurable, and documented.

Downtime is not an option3
ValorTech

Battle-tested guidance for leaders. Not legal advice.

©2026 All Rights Reserved

Privacy PolicyTerms & ConditionsAbout Us