The Most Dangerous Thing About AI Isn't What Criminals Can Do — It's Who Can Now Become a Criminal
This intelligence brief analyzes the operational methodology of AI-enabled fraud, the behavioral mechanisms it exploits, and actionable recommendations for organizations to defend against this emerging threat.
Bottom Line
AI-enabled fraud is not just a technological threat; it is a social and behavioral one. The most dangerous aspect of this emerging threat is not the sophistication of the tools themselves, but the fact that they lower the barrier to entry for criminal activity. Individuals who previously lacked the technical skills to commit fraud can now leverage AI to impersonate others, manipulate communications, and exploit human trust. This democratization of criminal capability poses a significant risk to organizations, as it increases the pool of potential attackers and complicates traditional defense strategies.
Artificial Intelligence is getting smarter. The articles about AI published last month quickly becomes irrelevant as the technology evolves at a rapid pace. As AI continues to learn from its own data it gathers, the era of carefully crafting prompts is a thing of the past. The potential that AI brings to the society is immense; streamlining the workflow, improving the quality of life and bringing ideas to life. But what I learned from my years studying Criminology taught me this: where there is opportunity, exploitation exists.
Over the past couple of years, online crimes have accelerated at a record pace alongside advances in AI. From romance scams, phishing emails, voice cloning - the list goes on with how criminals exploit the technology. What once took hours, days or even months to execute can now be done in minutes or seconds. What is most concerning is not much about the sophistication of these attacks. As everyone now have access to AI, the more pressing question is 'who is willing to commit crime'?
In order for organizations to respond effectively to AI-enabled threats, understanding who is behind them matters. Based on historical incidents and criminal methodology research, three categories of new-entrant profiles is worth describing:
The Affiliate: Typically, these group are the individuals who are persuaded to purchase Ransomeware-as-a-Service or affiliation to a criminal platform(s). They have limited technical knowledge with a basic understanding of how operations work. They are often motivated by financial gain, where their action is driven by profit-sharing advertised in RaaS platforms. Small and mid-sized organizations are likely target from this group due to weaker security and likeliness to pay a ransom.
The Opportunist: Mainly motivated by financial gain with no previous criminal history, the crimes this group commit is not technically complex. The most common crimes are romance scams, AI-generated persona for fraud, mass phishing campaigns, and so on. Volume is the priority over quality/precision, which in other words interprets to a higher victim count.
The Insider Threat: A current or former employee who employs AI tools to commit crime against their own organization. The group existed long before AI rose to the surface, but AI has removed many of the constraints that limited what they could do. For example, Coinbase breach - which resulted in 70,000 customers' data being leaked was the result where criminals bribed the company's contractors to obtain unauthorized access. Advanced technical skills were not required.
What Does This Mean for Companies in BC? The common threal model for small and mid-size companies is built around based on small population of sophisticated criminal actors. Most of the organizations have implicit reasoning of "Do I have something worth stealing that would justify the attacker's investment?". Before the AI-era, criminals had to carefully select their victims to weight their resources against the potential return, which often ruled out smaller targets.
Now, with the assistance of AI, attackers do not need to carefully select victims because they can target everyone simultaneously at marginal cost. Adversaries are moving fast unfortunately due to the AI automation. Scaling such cyber attacks can be immense and even individuals with non-technical background can quickly jump into the criminal world if they have the intention to do so.
Canadian companies are investing heavily in cyber defence. From 24/7 intrusion detection, real-time threat monitoring and automated alerts, the tools are built as a shield and catch sophisticated advanced attackers. But the threat landscape is shifting toward actors who operate in a different way. Today, phishing emails generated by AI can easily bypass most spam filters simply due to naturally sound sentence structures, legitimate-looking email addresses and accurate personal details. If the spam is fabricated to look normal, there's nothing for a filter to flag. It's all about humans who need to be more vigilant. AI has not fundamentally changed criminal methodology; it has changed who can exploit that element.
In today's AI-era, organizations should understand that a specific criminal group does not commit specific type of crime. Before rushing to subscribe to the highest-level threat detection software program, consider asking yourself this question: do you and your employees have the foundational skills to detect cyberattack at a basic level? Sophisticated defence tool is not enough to stop the organization from being attacked. It's humans who needs to be the forefront of the defence.