If you have previously unsubscribed from Huntington marketing emails, subscribing reaffirms your agreement to receive email. This will not impact servicing email related to account activity. For questions, please consult Huntington’s Privacy and Security policy.

Midyear cybersecurity and fraud threat report: What businesses need to know
By Amber Buening, Security Outreach Director at Huntington Bank
This year’s report highlights top trends threatening organizations and covers six key prevention strategies to help reduce risk.
Cybersecurity and fraud risks constantly evolve, though not always in the way we expect. Huntington Security teams track emerging threats across industries. This year, what stands out isn’t new threats, but how quickly known tactics are scaling, amplified by digital transformation and artificial intelligence (AI).
Cybersecurity and fraud threats have intensified and become more connected
The threats organizations have faced for years have not fundamentally changed. The frequency, scale and sophistication of these threats have intensified as artificial intelligence accelerates the execution and effectiveness of attack methods.
Industry research underscores how widespread and persistent these threats have become:
- Cyber incidents and data breaches continue to grow in volume and complexity. The FBI’s Internet Crime Complaint Center (IC3) reported $20.877 billion in total losses in 2025 from cyber-related crimes, a 26% increase from the year prior1.
- A majority of organizations have experienced attempted or successful fraud. The latest IC3 data show that cyber-enabled fraud accounted for 85% of all losses reported in 2025, amounting to more than $17 billion. Business email compromise (BEC) represented more than $3 billion of that figure1.
- Many attacks now combine technical compromise with human manipulation. Social engineering has become one of the most common threat vectors, representing 16% of all reported breaches in 20252.

Social engineering: What you should know to help you stay safe
Scammers are smarter than ever. The good news? Once you know how these scams work, they’re much easier to spot.
Attackers are exploiting unpatched software vulnerabilities, weak or reused credentials, and gaps in third-party environments at increasing speed. Rising concern over these threats has prompted recent U.S. executive orders aimed at curbing cybercrime, fraud, and predatory attacks4 and advancing AI innovation and security5.
The “human element” remains a critical target
The convergence of cyber and fraud risk is particularly visible in how attackers target organizations' ‘human layer.’ Threat actors prey on employees’ desire to be helpful through social engineering tactics that mimic legitimate business processes, exploit time-based pressure and trust, requiring only one successful interaction to cause damage. These tactics now extend well beyond email to include voice and text-based impersonation, and highly personalized requests designed to create urgency and intimacy.
Despite technological advances designed to flag malicious attempts, these attacks still succeed at a troubling rate. The “human element” was present in 62% of reported breaches last year2.
The good news is that establishing strong security education and culture works. Employees who received recent training reported simulated phishing emails at a 21% rate – significantly higher than those without it2. As AI makes attacks more convincing, organizations that build a strong security culture create an environment where employees act as an active detection layer.
AI can be a force multiplier for attackers and defenders
AI is accelerating your organization's defenders and its attackers. On the attack side:
- AI is enabling attackers to automate reconnaissance, generate realistic communications, and execute attacks with greater precision. In 2025, the average threat actor researched or used AI assistance across 15 documented techniques2, according to industry research.
- Fraud attempts are becoming more convincing, more consistent, and harder to detect. IC3 received more than 22,000 AI-related fraud complaints in 2025, with adjusted losses exceeding $893 million1.
- Employee use of AI is growing rapidly, but unapproved or “shadow” AI introduces data exposures. BYOD policies can blur the line between corporate and personal account use. As many as 67% of employees use a non-corporate account on their corporate device to access both authorized and unauthorized AI platforms2.
On the defensive side, advances in AI are strengthening capabilities such as unusual behavior detection and threat identification. However, many organizations are still early in adopting and operationalizing these tools, creating a gap where advancing threat capabilities risk outpacing organizations' security controls.
The exposure for businesses and organizations is expanding
As organizations expand their ecosystems by adopting complex payment systems, adding integration points, and relying more on third-party vendors, their exposure grows. Two areas represent the greatest vulnerability:
Technology and systems
Every new tool, application or platform introduced to an organization increases complexity and potential entry paths for attackers. Exploiting security vulnerabilities in networks, software and systems has become one of the most common initial access vectors for breaches. Organizations that don't prioritize vulnerability management and monitor their networks for unusual behavior can face costly consequences.
Third-party relationships
You are only as secure as your vendors and partners, including secondary entities your primary vendors rely on. Third-party relationships, including downstream vendors, are a growing source of exposure. Breaches involving third parties increased by 60% from last year2 and depending on external organizations to remediate breaches or secure exposed data introduces additional risk.
Given these expanding attack surfaces, where should organizations focus?
Our top six cybersecurity practices to reduce risk
Chasing every new threat vector is not the most effective way to reduce risk. The better approach is to strengthen core practices and apply them consistently. Here’s what you can do now:
Reinforce security fundamentals
Strengthen identity and access management
Expand social engineering awareness
Improve detection and response readiness
Manage AI use thoughtfully
Strengthen third-party risk management
Protecting your organization: Where to focus
The organizations that succeed are those that focus on:
- Executing strong security fundamentals consistently.
- Aligning security controls with business processes, technology workflows and user behavior.
- Extending security risk management beyond the enterprise perimeter by addressing third-party and external risks.
Resilience today depends on mastering the security fundamentals while aligning people, processes, and technology to stay ahead of rapidly scaling, interconnected threats.
Today’s risk environment isn’t defined by new threats, it’s defined by how quickly familiar tactics are scaling, intersecting and amplifying impact across your organization. Success increasingly depends on how well organizations address the “human element” and manage expanding business, technical and third party risk. Organizations that succeed will move beyond reactive controls by executing on security fundamentals consistently while aligning people, processes and technology to reduce exposure and build lasting resilience.
Subscribe
Huntington Business Insights
Financial news, insights, and guidance delivered right to your inbox.
Sign up to receive emails about our latest articles, case studies, and events on topics that matter to your business.
Featured insights with industry expertise
Tap into insights designed to help you navigate today’s decisions and tomorrow’s opportunities.


Business Cyber Resilience
Cyber risks nonprofits should treat as financial risks


Business Cyber Resilience
Understanding business email compromise (BEC): A guide to help protect your organization


Scam & Fraud Protection
Six strategies to protect your business against account takeovers and scams
1 Internet Crime Compliant Center. 2026. “Federal Bureau of Investigation Internet Crime Report 2025.” Accessed June 9, 2026.
2 Verizon Business. 2026. “2026 Data Breach Investigations Report.” Accessed June 9, 2026.
3 Proofpoint. 2026. “The Human Factor 2025: Phishing and URL-Based Threats.” Accessed June 9, 2026.
4 White House. March 2026. “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens.” Accessed June 9, 2026.
5 White House. June 2026. “Promoting Advanced Artificial Intelligence Innovation and Security.” Accessed June 9, 2026.
The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering financial, legal, technical or other professional advice or services, or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL HAVE LIABILITY FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.
Third-party product, service and business names are trademarks/service marks of their respective owners.