AI-assisted vs. traditional phishing click-through rate
Microsoft Digital Defense Report 2025
Prepared by ValorTech
Updated Jan 2026
Traditional awareness alone is no longer enough. AI-crafted phishing now reads like a real business conversation instead of an obvious fake.
Phishing click-through rates
Source: Microsoft DDR 2025 and Verizon DBIR 2025.
Key insight
AI strips out the grammar and tone errors employees were taught to use as warning signs.
Prepared by ValorTech
Updated Jan 2026
Ransomware gets the headlines, but fraud quietly drains cash. FBI reporting and incident data show the same pattern: BEC and fraud still lead real financial damage.
Top cyber-enabled fraud loss categories (US, 2024)
Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B
Reported losses (USD billions)
Board question
Minimum viable BEC controls
Start here if you want one week of high-impact improvement:
Call-backs to known numbers for bank and payee changes.
Two-person approval for wires, ACH changes, and new vendors.
Change-control on vendor master records.
Prepared by ValorTech
Updated Jan 2026
Ransomware remains high impact. Most organizations in the DBIR sample did not pay, but recovery still hurts when backups are untested and identity is loose.
Ransomware presence
Paying the ransom
Source: Verizon 2025 DBIR Executive Summary.
Backups that actually work
Immutable copies protected from quiet deletion.
Restore tests that prove RTO and RPO.
Backup systems segmented from day-to-day IT.
A written recovery runbook for containment and decisions.
Key takeaway
Prepared by ValorTech
Updated Jan 2026
Most organizations only ask how their people use AI. Attackers use AI against you whether or not you adopt it, so we score internal and external exposure together.
AI exposure map
AI governance first
Approve use cases
Keep sensitive data out
Require human review
High velocity / high risk
Assume targeted impersonation
Layer controls fast
Run tabletop drills
Baseline hygiene
Lock identity down
Patch + backup basics
Run phishing drills
Brand + exec protection
Harden payment changes
Monitor impersonation
Tighten public bios
How to use the map
Signals you're in high velocity / high risk
Frequent vendor banking changes and urgent wires.
High public visibility for executives.
Many third-party vendors with remote access.
A distributed team that relies heavily on email and SaaS.
Prepared by ValorTech
Updated Jan 2026
AI raises both security and operational risk. Our continuity work starts with business processes, not servers.
Key insight
Critical
System(s)
Owner
RTO
RPO
Notes
Operator tip: the 'skeleton crew' file drill
Prepared by ValorTech
Updated Jan 2026
The fastest route to real-world disruption is often through systems that look like IT but behave like physical operations.
Key insight
A simple segmentation model
IT Network
Email / SaaS
Identity
Endpoints
Servers
Security zone
Firewall
Jump host
MFA
Logging
OT / Physical ops
Building systems
Access control
Medical / lab
Sensors / fleet
Controlled access (MFA + logging)
Edge devices & VPNs targeted in vulnerability exploitation

Prepared by ValorTech | Updated Jan 2026
Confidential - for business leadership use
A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.
Prepared by ValorTech
Updated Jan 2026
Traditional awareness alone is no longer enough. AI-crafted phishing now reads like a real business conversation instead of an obvious fake.
Phishing click-through rates
Source: Microsoft DDR 2025 and Verizon DBIR 2025.
Key insight
AI strips out the grammar and tone errors employees were taught to use as warning signs.
Prepared by ValorTech
Updated Jan 2026
Ransomware gets the headlines, but fraud quietly drains cash. FBI reporting and incident data show the same pattern: BEC and fraud still lead real financial damage.
Top cyber-enabled fraud loss categories (US, 2024)
Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B
Reported losses (USD billions)
Board question
Minimum viable BEC controls
Start here if you want one week of high-impact improvement:
Call-backs to known numbers for bank and payee changes.
Two-person approval for wires, ACH changes, and new vendors.
Change-control on vendor master records.
Prepared by ValorTech
Updated Jan 2026
Ransomware remains high impact. Most organizations in the DBIR sample did not pay, but recovery still hurts when backups are untested and identity is loose.
Ransomware presence
Paying the ransom
Source: Verizon 2025 DBIR Executive Summary.
Backups that actually work
Immutable copies protected from quiet deletion.
Restore tests that prove RTO and RPO.
Backup systems segmented from day-to-day IT.
A written recovery runbook for containment and decisions.
Key takeaway
Prepared by ValorTech
Updated Jan 2026
Most organizations only ask how their people use AI. Attackers use AI against you whether or not you adopt it, so we score internal and external exposure together.
AI exposure map
AI governance first
Approve use cases
Keep sensitive data out
Require human review
High velocity / high risk
Assume targeted impersonation
Layer controls fast
Run tabletop drills
Baseline hygiene
Lock identity down
Patch + backup basics
Run phishing drills
Brand + exec protection
Harden payment changes
Monitor impersonation
Tighten public bios
How to use the map
Signals you're in high velocity / high risk
Frequent vendor banking changes and urgent wires.
High public visibility for executives.
Many third-party vendors with remote access.
A distributed team that relies heavily on email and SaaS.
Prepared by ValorTech
Updated Jan 2026
AI raises both security and operational risk. Our continuity work starts with business processes, not servers.
Key insight
Critical
System(s)
Owner
RTO
RPO
Notes
Operator tip: the 'skeleton crew' file drill
Prepared by ValorTech
Updated Jan 2026
The fastest route to real-world disruption is often through systems that look like IT but behave like physical operations.
Key insight
A simple segmentation model
IT Network
Email / SaaS
Identity
Endpoints
Servers
Security zone
Firewall
Jump host
MFA
Logging
OT / Physical ops
Building systems
Access control
Medical / lab
Sensors / fleet
Controlled access (MFA + logging)
Edge devices & VPNs targeted in vulnerability exploitation

Prepared by ValorTech | Updated Jan 2026
Confidential - for business leadership use
A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.
Prepared by ValorTech
Updated Jan 2026
Traditional awareness alone is no longer enough. AI-crafted phishing now reads like a real business conversation instead of an obvious fake.
Phishing click-through rates
Source: Microsoft DDR 2025 and Verizon DBIR 2025.
Key insight
AI strips out the grammar and tone errors employees were taught to use as warning signs.
Prepared by ValorTech
Updated Jan 2026
Ransomware gets the headlines, but fraud quietly drains cash. FBI reporting and incident data show the same pattern: BEC and fraud still lead real financial damage.
Top cyber-enabled fraud loss categories (US, 2024)
Investment fraud
$6.57B
Business email compromise
$2.77B
Tech support scams
$1.46B
Personal data breach
$1.45B
Non-payment / non-delivery
$0.79B
Reported losses (USD billions)
Board question
Minimum viable BEC controls
Start here if you want one week of high-impact improvement:
Call-backs to known numbers for bank and payee changes.
Two-person approval for wires, ACH changes, and new vendors.
Change-control on vendor master records.
Prepared by ValorTech
Updated Jan 2026
Ransomware remains high impact. Most organizations in the DBIR sample did not pay, but recovery still hurts when backups are untested and identity is loose.
Ransomware presence
Paying the ransom
Source: Verizon 2025 DBIR Executive Summary.
Backups that actually work
Immutable copies protected from quiet deletion.
Restore tests that prove RTO and RPO.
Backup systems segmented from day-to-day IT.
A written recovery runbook for containment and decisions.
Key takeaway
Prepared by ValorTech
Updated Jan 2026
Most organizations only ask how their people use AI. Attackers use AI against you whether or not you adopt it, so we score internal and external exposure together.
AI exposure map
AI governance first
Approve use cases
Keep sensitive data out
Require human review
High velocity / high risk
Assume targeted impersonation
Layer controls fast
Run tabletop drills
Baseline hygiene
Lock identity down
Patch + backup basics
Run phishing drills
Brand + exec protection
Harden payment changes
Monitor impersonation
Tighten public bios
How to use the map
Signals you're in high velocity / high risk
Frequent vendor banking changes and urgent wires.
High public visibility for executives.
Many third-party vendors with remote access.
A distributed team that relies heavily on email and SaaS.
Prepared by ValorTech
Updated Jan 2026
AI raises both security and operational risk. Our continuity work starts with business processes, not servers.
Key insight
Critical
System(s)
Owner
RTO
RPO
Notes
Operator tip: the 'skeleton crew' file drill
Prepared by ValorTech
Updated Jan 2026
The fastest route to real-world disruption is often through systems that look like IT but behave like physical operations.
Key insight
A simple segmentation model
IT Network
Email / SaaS
Identity
Endpoints
Servers
Security zone
Firewall
Jump host
MFA
Logging
OT / Physical ops
Building systems
Access control
Medical / lab
Sensors / fleet
Controlled access (MFA + logging)
Edge devices & VPNs targeted in vulnerability exploitation

Prepared by ValorTech | Updated Jan 2026
Confidential - for business leadership use
A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.
AI-assisted vs. traditional phishing click-through rate
Microsoft Digital Defense Report 2025
Breach to data theft - down from 4.8 hrs in 2024
Unit 42 Global Incident Response Report 2026
Global average cost of a data breach (2025)
IBM / Lennon Cost of a Data Breach 2025
AI-assisted vs. traditional phishing click-through rate
Microsoft Digital Defense Report 2025
Breach to data theft - down from 4.8 hrs in 2024
Unit 42 Global Incident Response Report 2026
Global average cost of a data breach (2025)
IBM / Lennon Cost of a Data Breach 2025
AI-assisted phishing is 4.5× more effective than traditional methods — and your employees are the target. The playbook shows you exactly how to close the gap
Simulated attack data — Microsoft DDR 2025
*Your employees are 4.5× more likely to click an AI-crafted message
Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release
Simulated attack data — Microsoft DDR 2025
60%
50%
40%
30%
20%
10%
0%
Traditional Phishing
AI-automated phishing emails
12%
54%
*Your employees are 4.5× more likely to click an AI-crafted message
Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release

“
We are being trained to trust AI implicitly, trading our privacy for the ultimate convenience. But while we embrace these tools, the threat landscape is shifting rapidly. Hackers have immediate access to information and zero-day vulnerabilities, making critical maintenance more important than ever. Our message shouldn't be about fearing AI, it's about retaining your control. Nobody is developing their own AI from scratch; we are all navigating how to use it strategically. Set your goals, keep your walls high, and ensure your security posture evolves just as fast as the tools you're adopting.
Adam
Chief Information Security Officer (CISO)
The SWE-bench measures whether an AI can navigate, understand, and modify real-world code. In 2023, models solved 4% of tasks. By early 2026, frontier models score above 75% - meaning an AI can find a bug, understand the full app context, and write an exploit in seconds. The playbook covers what this means for your software vendors, internal tools, and IT supply chain.
Real-world code task completion rate
In 2023, models scored 4%. The gap to human-level is closing fast.
What's in the Playbook?
Benchmark Your Exposure
Identify your highest-risk gaps across identity, payments, data, and AI governance - in under 15 minutes
Stop Wire Fraud Cold
A printable verification script for finance teams to stop deepfake-driven payment fraud before it lands
No New Headcount Required
Harden identity, govern AI tools, and train staff on a realistic timeline built for non-technical leaders
Report to Your Board
The 8 metrics your board and insurer need - and which vanity metrics to stop tracking immediately
Trusted by healthcare, finance, legal, and non-profit leaders across the Midwest
Fraud and BEC are still the loss leaders
The fastest route to real-world loss is still fraud: payment redirection, vendor spoofing, and business email compromise.
Top cyber-enabled fraud loss categories (US, 2024)
Reported losses (USD billions)
Board question
If a controller receives an urgent email from the CEO asking for a wire, what exact out-of-band steps do we require before money moves?
Minimum viable BEC controls
Start here if you want one week of high-impact improvements:
Call-backs to known numbers for bank/pay changes.
Two-person approval for wires, ACH changes, and new vendors.
Change-control for vendor master records (who can edit, and when).
Prepared by ValorTech | Updated Jan 2026
Confidential - for business leadership use
A C-suite playbook we use to reduce AI-driven cyber risk without slowing the business down.

Download the free playbook, score your organization, and bring the results to ValorTech for a complimentary 30-day remediation session - at no cost.
Social engineering at scale
Phishing isn't new. What's new is speed and personalization. In testing, AI-automated phishing emails produced a much higher click-through rate than standard phishing. That creates volume pressure: more attempts get through, and teams spend more time verifying what used to be obvious.
Phishing click-through rates in testing
Source: Microsoft Digital Defense Report 2025 (p.36)
Key insight
Treat verification as a business process, not a security training problem. Your best defense is a small set of repeatable workflows that make fraud expensive: call-backs, dual approval, and known-good contacts.
Fast controls we recommend
Harden payment changes: out-of-band verification + two-person approval.
Fix helpdesk resets: strong identity proofing + phishing-resistant MFA for admins.
Reduce public puzzle pieces: limit org charts, travel posts, and vendor details in public bios.
Practice the moment of truth: monthly drills for urgent payment and CEO text scenarios.
Fraud and BEC are still the loss leaders
Ransomware gets the headlines, but fraud is what quietly drains cash. In Microsoft's incident data, business email compromise is a more frequent outcome than ransomware. FBI reporting shows the same pattern: fraud categories dominate the top loss drivers.
Top cyber-enabled fraud loss categories (US, 2024)
Reported losses (USD billions)
Source: Verizon 2025 Data Breach Investigations Report (DBIR) press release
Board question
If a controller receives an urgent email from the CEO asking for a wire, what exact steps do we require before money moves?
Our rule: if it changes where money goes, it requires an out-of-band call-back and a second approver. No exceptions for urgency.
Minimum viable BEC controls
Start here if you want one week of high-impact improvements:
Call-backs to known numbers for bank and pay changes.
Two-person approval for wires, ACH changes, and new vendors.
Change-control for vendor master records: who can edit, and when.
Ransomware reality: resilience beats heroics
Ransomware remains a high-impact scenario. In Verizon's 2025 DBIR sample, ransomware appears in 44% of breaches reviewed. The good news: most organizations did not pay. The bad news: recovery still hurts when backups aren't tested and identity isn't locked down.
Ransomware presence in breaches
Paying the ransom (DBIR 2025 sample)
% of breaches reviewed
36%
Paid
64%
Did not pay
Source: Verizon 2025 DBIR Executive Summary.
Backups that actually work
Immutable copies: protected backups that an admin account can't quietly delete.
Restore tests: scheduled proof that we can restore systems within agreed RTO/RPO.
Separation: backup systems and credentials segmented from day-to-day IT.
Recovery runbook: who decides, who communicates, who talks to insurers and legal, and who runs containment.
Key takeaway
Don't wait for an incident to learn your recovery time. We treat restore testing like a fire drill: scheduled, measurable, and documented.