Press Release | 19 Nov 2024

Rapid rise in advanced AI-driven phishing attacks is leaving majority of UK business unprepared, according to new Vodafone Business study

The results of the study are a wake-up call for all businesses to strengthen their security measures.

  • 78% of business leaders were ‘confident’ that their employees could successfully identify a sophisticated AI-driven phishing attack; however, two-thirds failed to do so. Younger staff aged 18 to 24 appeared more likely to fall for AI-driven phishing scams than their older peers.
  • Findings revealed during International Fraud Awareness Week (17 – 23 November) as Vodafone Business launches ‘Proactive Security – Phishing of the Future’, a new cybersecurity campaign designed to educate businesses on the emerging threat of AI-driven phishing attacks, as well as the strategies they can employ to help identify, manage and mitigate them.
  • As part of the campaign, Vodafone Business calls on the Government to do more to support businesses on the rising threat of AI-driven phishing scams, including incentivising cybersecurity adoption and reallocating funding for local cybersecurity training.
  • To highlight how cybercriminals are using AI tools to create advanced and convincing phishing scams aimed at businesses, Vodafone Business challenged renowned ‘ethical hacker’ Katie Paxton-Fear to ‘hack’ entrepreneur Chris Donnelly – with the full exchange available to watch via the @VodafoneBusinessUK YouTube Channel.
  • Katie Paxton-Fear also shares her top tips to safeguard your business from advanced AI-driven cyber threats (available in Notes to Editors).

The study of 3,000 combined office workers and business leaders*, from across small, medium and large organisations in the UK, focused on a range of cybersecurity matters. This included their own awareness of, and preparedness for, sophisticated AI-driven phishing attacks.

In today’s fast-paced digital ecosystem, malicious actors are using AI tools to launch increasingly sophisticated and convincing phishing attacks to bypass security and access confidential private or commercial business data.

Due to the simplicity of creating these types of attacks, there has been a significant increase in AI-driven phishing scams against businesses across the UK on a scale not seen before.

While a majority (78%) of business leaders felt ‘confident’ their employees could successfully identify an AI-driven phishing attack, the reality was that only a third were able to correctly distinguish a fake, AI-developed video or email from the real thing.

More than half of business leaders (55%) and 45% of office workers admitted they had been targeted by a phishing attempt within the past two years, with 82% of these attacks coming via email, followed by 39% over the phone and 22% on social media.

Last year, there was a 60% global increase in AI-driven phishing attacks, with the UK, United States and India comprising the three countries that suffered the most significant volumes of attacks on businesses. Alongside reputational damage, an average breach could cost an organisation up to £4,200.

To raise greater awareness of the issue during International Fraud Awareness Week, Vodafone Business has launched ‘Proactive Security – Phishing of the Future’, a new cybersecurity campaign designed to educate businesses on the rising threat of AI-driven phishing attacks, as well as the proactive strategies they can employ to help identify, manage and mitigate them successfully.

The study also highlighted an ‘age gap’ in awareness, with younger staff aged 18-to-24 appearing more likely to fall for AI-driven phishing scams than their older peers. Gen Z staff were more likely than most to fall victim, with nearly half (47%) having not updated their password for more than a year, and two-in-10 (19%) having never changed it at all.

Junior staff left themselves the most exposed to hackers, with nearly two-thirds (62%) having social media profiles that were open to the public, compared to two-fifths (40%) of Brits. An open social media account enables hackers to access private information that can be used for criminal activities, while fraudsters can use generative AI tools to replicate a person’s voice with only three seconds of audio.

Steve Knibbs, Head of Vodafone Business Security Enhanced (VBSE), said: “As our campaign highlights, cybercriminals are using AI tools to develop effective and convincing phishing scams, enabling them to create these deceptive communications at a pace and scale not seen before.

“Of course, businesses should be highly aware of the implications of falling victim to cyber scams, which can often lead to drastic reputational and financial consequences.

“I would request businesses of all sizes shore up their around-the-clock cybersecurity protection, by adopting a proactive, multi-layered approach that combines technical safeguards with employee education and AI-driven detection tools that can recognise patterns in phishing attempts.”

Further findings from the Vodafone Business study also revealed that more work was required to ensure office staff were suitably trained to manage more sophisticated AI-driven cyber-attacks. For example:

  • 54% of UK businesses have no response plan in place to deal with an advanced AI-driven phishing attack.
  • 80% of businesses agree that cybersecurity training would be helpful for their employees, although only 64% had provided any kind of cybersecurity training in the past two years.
  • 31% of employees admit their current cybersecurity training needed ‘updating’ to reflect modern forms of cyber-threats powered by AI.
  • 67% of young workers found their cybersecurity training was not adequately tailored to the needs of their role.
  • 24% were confident they could successfully identify an image phishing or search engine phishing scam, while only 28% said they could effectively spot a social media scam.
  • 40% of staff said they would be able to confidently recognise a voice call phishing scam, while 63% said they would identify a text message scam.

Chris Donnelly, entrepreneur, said: “Cybersecurity has always been a priority for my business. It’s something we think about all the time, and we ensure we keep our security protocols as updated as possible.

“You can imagine my surprise then by how effortlessly the ethical hacker was able to breach our defences using sophisticated AI phishing tactics, like voice cloning.

“As someone who runs a tech platform where we manage vast amounts of personal and private data, this experience highlights the importance of staying one step ahead in cybersecurity, especially with evolving AI threats.

“It’s a wake-up call for all businesses to strengthen their security measures and provide consistent training for staff to protect against even the most advanced forms of deception. Today, staying vigilant and adaptive is essential to protecting our organisation and clients.”

Katie Paxton-Fear, Ethical Hacker and Cybersecurity Lecturer at Manchester Metropolitan University, said: “I’m delighted to have partnered with Vodafone Business on this new campaign to drive awareness of the rising threat of AI phishing scams on the business sector.

“Today, cybercriminals have access to powerful artificial intelligence tools that make creating convincing phishing scams alarmingly easy and scalable.

“With AI, attackers can tailor messages to appear highly personalised, making it harder than ever for employees to distinguish a fake email from a legitimate one. Businesses, no matter their size, need to understand the real risk at hand and take proactive measures to defend against these threats.

“Strengthening cybersecurity practices, implementing advanced detection systems, and educating staff on recognising AI-driven scams are essential steps to safeguard valuable data and maintain trust.”

Vodafone Business partnered with renowned Ethical Hacker and Manchester Metropolitan University Lecturer Katie Paxton-Fear and Entrepreneur Chris Donnelly to demonstrate how cybercriminals are using AI to create sophisticated phishing attacks against businesses.

To assist the UK Government in its own mission to better prepare businesses for the rising threat of AI-driven cybersecurity scams, Vodafone Business has outlined several policy recommendations in its ‘Proactive Security – Phishing of the Future’ report, which include:

  1. Incentivising cybersecurity adoption: Introduce financial incentives, such as tax breaks, grants or subsidies, for businesses that invest in cybersecurity measures, including training and certification.
  2. Launching a ‘Cyber Safe’ PR campaign: Develop a nationwide PR campaign to promote Cyber Resilience Centres (CRCs) and the Cyber Essentials certification among businesses of all sizes.
  3. Reallocating funding for local cybersecurity training: Reallocate funds within the National Cyber Security Strategy budget to support targeted local initiatives for businesses, focusing on effective engagement programmes.
  4. Enhancing cybersecurity skills to prevent AI-led cyber-attacks: Promote the development and adoption of AI-driven cybersecurity tools and provide training to businesses on preventing AI-led cyber-attacks.
  5. Expanding Cyber Resilience Centres (CRCs): Establish additional CRCs in underserved regions and enhance the capabilities of existing centres to offer tailored support for businesses.

Find out more about the range of cybersecurity solutions available through Vodafone Business, and help keep your business protected 24/7, by visiting Vodafone Business’ Cyber Security Solutions homepage.

And download the full ‘Proactive Security – Phishing of the Future’ report now.

Stay up to date with the latest news from Vodafone by following us on LinkedIn and Twitter/X, as well as signing up for News Centre website notifications.

-Ends-

Notes to Editors

* In this context, ‘business leaders’ refers to those who either operate their own business or are a C-suite executive.

Research Methodology

Vodafone Business commissioned Walr, an independent market research agency, to conduct online research among 1,000 business leaders and 2,000 office workers aged 18+ across the UK. The fieldwork took place from 3rd to 7th October 2024. Walr employs MRS-certified researchers and strictly adheres to the MRS Code of Conduct.

About Chris Donnelly

Chris Donnelly is a UK entrepreneur, digital creator with over 3 million followers, and founder of The Creator Accelerator, Verb Brands, and Lottie. He also co-hosts the popular business podcast Secret Leaders. The Creator Accelerator empowers entrepreneurs and creators to build impactful personal brands and engage audiences through organic growth strategies. Learn more at TheCreatorAccelerator.com.

Top 10 Tips to Help Businesses Counter Advanced AI Phishing Scams:

Ethical Hacker Katie Paxton-Fear shares her top ten tips to help safeguard your business from advanced AI-driven phishing scams:

1. Implement multi-factor authentication (MFA) across all business accounts and systems

The implementation of multi-factor authentication allows businesses to have a safety net so that, even if one account is compromised, there are several walls that the hacker must try and pass before getting into your accounts. This is also a way to alert you to any suspicious activity surrounding your accounts.

2. Keep security software updated

Installing the latest security or software updates places you and your business in the most favourable position to prepare for scammers and hackers. Scams adapt to differing levels of protection and will often find a way to penetrate security walls; however, having the latest update will mean that these security measures will be newer and stronger.

3. Keep passwords updated, unpredictable and undiscoverable

Passwords should be regularly changed so that your account has less chance of being listed on a security breach. These passwords should also all be different and include numbers and symbols to make it harder to breach. A strong password should be as unpredictable as possible, so including your birth year or any findable personal information should be omitted. Passwords should also be undiscoverable. It can be tricky having to remember all your passwords, especially as each account should have a separate one. However, you must not write these down anywhere that a hacker can find them.

4. Educate staff on what to look out for and what they can or can’t make public

Companies should set clear guidelines with employees about what information they are distributing. These businesses should hold regular educational sessions to provide their staff with the security and reassurance that they are not putting themselves or the company at risk of any would-be hacker. Having these measures in place will better prepare the business as a collective against online threats. An effective way to achieve this would be to regularly practice identifying phishing emails through simulated exercises and establish protocols for reporting suspicious activities. The company should also invest in trusted anti-virus and AI-detecting software for peace of mind.

5. Always ask for ID and verification

Although businesses would like to trust everyone that they come into contact with, this is a dangerous approach. Instead, before speaking or communicating with any external party you should always seek verification that the person or company that you are dealing with is authentic. This could be done by asking to see their ID or that they can relay some information to you that only the genuine company would know (as long as it isn’t compromising). You can even try to ask them for some security questions to be sure. Businesses should also consider maintaining and updating a list of approved vendors and their contact information.

6. Never give out personal information

Hackers can be sneaky – they have effective ways of getting you to reveal personal information. In almost every case, giving out personal information will not be a requirement for a genuine company.

7. Keep your friends close

AI scams are increasing significantly, with many scammers now having the technology to impersonate fellow friends and work colleagues’ voices and even faces. If you are in any doubt, always check with the person you know if they sent or tried to speak with you. AI is adapting and evolving rapidly, and identity theft and impersonations are becoming far more convincing and difficult to detect, leaving many businesses vulnerable to hackers and scammers.

8. Be wary of links

In business, and in your personal life, you should always be wary of clicking on links as these are one of the main ways in which hackers breach your security net. If you are unsure, always use a trusted web link checker website to test the validity of the link before clicking it and, once on the website, always try to see if it is listed as a trusted and verified page with a padlock symbol.

9. Encrypt sensitive data

Sensitive data such as bank details or GDPR-related information would be best protected if you encrypt it while using and sending. This way, even if it gets intercepted in transit, a hacker cannot penetrate it.

10. Preparation is key

Finally, it should be good practice to have protocols in place that allow all staff to verify requests. Once this has been established, it will become second nature and create a safer working environment. This also applies to having a contingency plan ready to go if your business has been compromised by a hacker, as it will be safer to deal with and quicker to execute.

About Vodafone UK

Vodafone UK is a technology communications company that connects people, businesses and devices to help our customers benefit from digital innovation. Our services span mobile, fixed-line connections, home and office broadband, and the Internet of Things (IoT).

We have a strong track record as a tech pioneer, making the UK’s first mobile phone call, sending the first text message, and making the UK’s first live holographic call using 5G in 2018. We were the first to start carrying live 5G traffic from a site in Salford, Greater Manchester and now have 5G in locations across Germany, Ireland, Italy, Spain as well as the UK. Meanwhile, our 4G network coverage currently reaches over 99% of the UK population.

Today, Vodafone serves more than 18 million mobile and fixed-line customers in the UK. Vodafone is the largest provider of full fibre in the UK – our superfast broadband services are now available to nearly 12 million homes across the UK.

Sustainability is also at the heart of what we do: as of 1 July 2021, 100% of the grid electricity we use in the UK is certified to be from renewable sources.

For more information about Vodafone UK, please visit: www.vodafone.co.uk.

Vodafone UK Media Relations

Telephone: +44 (0) 1635 693 693

Email: ukmediarelations@vodafone.com

Twitter: @VodafoneUKNews

Website: https://vodafone.co.uk/newscentre/

Vodafone Limited

Registered Office: Vodafone House, The Connection, Newbury, Berkshire RG14 2FN

Registered in England No: 1471587