AI is turbo-charging cyber attacks: are you ready?

How criminals are using AI against you

Phishing emails used to be easier to spot – poor grammar, odd phrasing, something slightly off. That is no longer the case. AI can now generate grammatically perfect, convincing messages that replicate the writing style of colleagues, partners or clients, complete with the right logos and tone. For any organisation managing client correspondence and financial transactions, this significantly increases the risk of convincing payment diversion or email account takeovers.

Phishing is already the most common form of cyber attack facing organisations. The UK Government’s Cyber Security Breaches Survey 2025 found that 79% of UK businesses experienced phishing attacks, making it the most widely reported cyber incident. AI is making this method more effective, with AI-generated phishing achieving significantly higher click-through rates than human-crafted attacks.

Then there are deepfakes. In 2024, a finance worker transferred $25 million after a video call in which every participant – including the CFO – was a deepfake. This tactic could easily target anyone handling sensitive data, confidential information or financial transactions. A convincing deepfake posing as a colleague, client or senior leader is simply all it takes.

The repercussions are severe – and most businesses are not ready

A successful cyber attack goes well beyond taking down your systems; It could end your business.
The average cost of a data breach in the UK now stands at £3.29 million – before factoring in downtime, recovery costs, and reputational damage. The ICO can issue significant fines under GDPR Article 32, and all organisations have a legal obligation to protect the personal and financial data they hold. Understanding your exposure before an incident occurs has never been more critical.

Yet the gaps are stark. Only 19% of businesses have any cybersecurity training programme in place, and 78% have no incident response plan. Board-level responsibility for cyber risk has fallen to just 27% of organisations.

Also highlighted in our recent webinar: 
“Too many organisations assume their IT provider is responsible for cyber risk management. It is not the same thing. Cyber risk management is a board-level responsibility – and if it goes wrong, it is the owners and directors who will end up paying the bill.”

Cyber risk management and IT support are not the same thing – and those that recognise this are the ones best placed to respond to cyber incidents.

What you need to do

Cyber attacks are inevitable. What you do now is what matters. The right response comes down to three things: Assess your exposure. Act on the gaps. Assure ongoing resilience.

Assess: start with an independent risk assessment – covering people, processes and governance, not just technology. Your IT provider cannot do this objectively. With AI lowering the bar for attackers, gaps that once seemed minor are now critical.

Act: build and test an incident response plan. If your organisation suffered a cyber attack tomorrow – AI-driven or otherwise – would you survive? Furthermore, if your staff are using AI tools such as Copilot or ChatGPT, ensure clear policies are in place on what client data is being shared.

Assure: board-level accountability is no longer optional – cyber risk is a leadership issue, not an IT one. Treat it as an ongoing discipline, rather than a one-off exercise. That means regular assessments, continuous oversight, and having a trusted cyber partner with specialist expertise.

How Mitigo can help

Mitigo is a specialist cyber risk management provider, supporting built environment practices to assess their exposure, close critical gaps and build lasting resilience. Services include:

• Cyber risk assessments

• Incident response planning

• Policy and process development

• Staff training and awareness

• Ongoing monitoring

• Regulatory compliance support

 
Mitigo supports structural engineering practices in identifying cyber risk, protecting sensitive project data and maintaining operational resilience.

Contact Mitigo to understand where your organisation may be exposed.

Mitigo

Mitigo’s cyber security solution has been designed for structural engineering firms to offer proportionate, affordable, ongoing security, to safeguard against cybercrime. For more information about Mitigo’s cyber security services, please email [email protected] or call 020 8191 1590.