Key takeaways

Cybersecurity and fraud risks constantly evolve, though not always in the way we expect. Huntington Security teams track emerging threats across industries. This year, what stands out isn’t new threats, but how quickly known tactics are scaling, amplified by digital transformation and artificial intelligence (AI).

Cybersecurity and fraud threats have intensified and become more connected

The threats organizations have faced for years have not fundamentally changed. The frequency, scale and sophistication of these threats have intensified as artificial intelligence accelerates the execution and effectiveness of attack methods.

Industry research underscores how widespread and persistent these threats have become:

  • Cyber incidents and data breaches continue to grow in volume and complexity. The FBI’s Internet Crime Complaint Center (IC3) reported $20.877 billion in total losses in 2025 from cyber-related crimes, a 26% increase from the year prior1.
  • A majority of organizations have experienced attempted or successful fraud. The latest IC3 data show that cyber-enabled fraud accounted for 85% of all losses reported in 2025, amounting to more than $17 billion. Business email compromise (BEC) represented more than $3 billion of that figure1.
  • Many attacks now combine technical compromise with human manipulation. Social engineering has become one of the most common threat vectors, representing 16% of all reported breaches in 20252.

Social engineering: What you should know to help you stay safe

Scammers are smarter than ever. The good news? Once you know how these scams work, they’re much easier to spot. 

Attackers are exploiting unpatched software vulnerabilities, weak or reused credentials, and gaps in third-party environments at increasing speed. Rising concern over these threats has prompted recent U.S. executive orders aimed at curbing cybercrime, fraud, and predatory attacks4 and advancing AI innovation and security5.

The “human element” remains a critical target

The convergence of cyber and fraud risk is particularly visible in how attackers target organizations' ‘human layer.’ Threat actors prey on employees’ desire to be helpful through social engineering tactics that mimic legitimate business processes, exploit time-based pressure and trust, requiring only one successful interaction to cause damage. These tactics now extend well beyond email to include voice and text-based impersonation, and highly personalized requests designed to create urgency and intimacy. 

Despite technological advances designed to flag malicious attempts, these attacks still succeed at a troubling rate. The “human element” was present in 62% of reported breaches last year2.

The good news is that establishing strong security education and culture works. Employees who received recent training reported simulated phishing emails at a 21% rate – significantly higher than those without it2. As AI makes attacks more convincing, organizations that build a strong security culture create an environment where employees act as an active detection layer.

AI can be a force multiplier for attackers and defenders

AI is accelerating your organization's defenders and its attackers. On the attack side:

  • AI is enabling attackers to automate reconnaissance, generate realistic communications, and execute attacks with greater precision. In 2025, the average threat actor researched or used AI assistance across 15 documented techniques2, according to industry research.
  • Fraud attempts are becoming more convincing, more consistent, and harder to detect. IC3 received more than 22,000 AI-related fraud complaints in 2025, with adjusted losses exceeding $893 million1.
  • Employee use of AI is growing rapidly, but unapproved or “shadow” AI introduces data exposures. BYOD policies can blur the line between corporate and personal account use. As many as 67% of employees use a non-corporate account on their corporate device to access both authorized and unauthorized AI platforms2.

On the defensive side, advances in AI are strengthening capabilities such as unusual behavior detection and threat identification. However, many organizations are still early in adopting and operationalizing these tools, creating a gap where advancing threat capabilities risk outpacing organizations' security controls.

The exposure for businesses and organizations is expanding

As organizations expand their ecosystems by adopting complex payment systems, adding integration points, and relying more on third-party vendors, their exposure grows. Two areas represent the greatest vulnerability:

Technology and systems

Every new tool, application or platform introduced to an organization increases complexity and potential entry paths for attackers. Exploiting security vulnerabilities in networks, software and systems has become one of the most common initial access vectors for breaches. Organizations that don't prioritize vulnerability management and monitor their networks for unusual behavior can face costly consequences.

Third-party relationships

You are only as secure as your vendors and partners, including secondary entities your primary vendors rely on. Third-party relationships, including downstream vendors, are a growing source of exposure. Breaches involving third parties increased by 60% from last yearand depending on external organizations to remediate breaches or secure exposed data introduces additional risk.

Given these expanding attack surfaces, where should organizations focus?

Our top six cybersecurity practices to reduce risk

Chasing every new threat vector is not the most effective way to reduce risk. The better approach is to strengthen core practices and apply them consistently. Here’s what you can do now:

Reinforce security fundamentals

  • Keep operating systems, applications, and devices up to date with security patches. Consider an automated patching approach.
  • Limit or disable unnecessary remote access methods, and confirm systems and devices are securely configured with protective controls enabled.
  • Reduce reliance on outdated technologies and manual processes where possible.

Strengthen identity and access management

  • Use strong password management practices and transition to passkeys.
  • Use multi-factor authentication for critical systems.
  • Monitor for unusual login and account activity.
  • Limit privileged access to only what is necessary.

Expand social engineering awareness

  • Educate employees to recognize email, voice, text, and real-time impersonation attempts.
  • Encourage a culture of verification, especially urgent, sensitive or change requests.

Improve detection and response readiness

  • Establish clear escalation and response processes.
  • Coordinate across cybersecurity, finance and operations teams.
  • Act quickly when suspicious activity is identified.

Manage AI use thoughtfully

  • Map where AI tools are being used within the organization.
  • Protect sensitive data from unintended exposure.
  • Align AI usage with existing security and governance frameworks.

Strengthen third-party risk management

  • Evaluate vendor security controls.
  • Define expectations around access, authentication and incident response.
  • Monitor third-party connections to critical systems.

Protecting your organization: Where to focus

The organizations that succeed are those that focus on:

  • Executing strong security fundamentals consistently.
  • Aligning security controls with business processes, technology workflows and user behavior.
  • Extending security risk management beyond the enterprise perimeter by addressing third-party and external risks.

Resilience today depends on mastering the security fundamentals while aligning people, processes, and technology to stay ahead of rapidly scaling, interconnected threats.

Today’s risk environment isn’t defined by new threats, it’s defined by how quickly familiar tactics are scaling, intersecting and amplifying impact across your organization. Success increasingly depends on how well organizations address the “human element” and manage expanding business, technical and third party risk. Organizations that succeed will move beyond reactive controls by executing on security fundamentals consistently while aligning people, processes and technology to reduce exposure and build lasting resilience.

Featured insights with industry expertise

Tap into insights designed to help you navigate today’s decisions and tomorrow’s opportunities.

Business Cyber Resilience

Cyber risks nonprofits should treat as financial risks

Artificial intelligence (AI) is increasing the speed, scale and sophistication of cyberattacks. For nonprofits, these threats are often harder to manage due to limited resources.

Business Cyber Resilience

Understanding business email compromise (BEC): A guide to help protect your organization

Business Email Compromise (BEC) scams can be surprisingly convincing. A quick pause to verify unexpected requests can make a difference in preventing fraud.

Scam & Fraud Protection

Six strategies to protect your business against account takeovers and scams

Brand impersonation and account takeovers are on the rise. These tactics can help organizations combat the threat and protect their brand identity.

1 Internet Crime Compliant Center. 2026. “Federal Bureau of Investigation Internet Crime Report 2025.” Accessed June 9, 2026.

2 Verizon Business. 2026. “2026 Data Breach Investigations Report.” Accessed June 9, 2026.

3 Proofpoint. 2026. “The Human Factor 2025: Phishing and URL-Based Threats.” Accessed June 9, 2026.

4 White House. March 2026. “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens.” Accessed June 9, 2026.

5 White House. June 2026. “Promoting Advanced Artificial Intelligence Innovation and Security.” Accessed June 9, 2026.

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering financial, legal, technical or other professional advice or services, or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL HAVE LIABILITY FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.

Third-party product, service and business names are trademarks/service marks of their respective owners.