This threat involves the use of advanced artificial intelligence technologies by scammers to enhance phishing and social engineering attacks. AI enables the creation of deepfakes—highly realistic synthetic audio and video impersonations—that scammers use to mimic trusted individuals such as family members, celebrities, or company executives. These deepfakes can be deployed in real-time video or audio calls, increasing the likelihood of successful deception. AI also facilitates the rapid generation of convincing phishing websites that use HTTPS, cookie consent banners, and professional designs, making them difficult to distinguish from legitimate sites. Additionally, AI-powered chatbots and browser assistants, which many users rely on for convenience, can be manipulated to visit phishing sites and even submit sensitive information automatically, effectively bypassing user scrutiny. Automated voice bots simulate legitimate customer support calls to extract confidential data. The use of AI reduces the cost and effort required to conduct large-scale, personalized scams such as “pig butchering” romance scams, where scammers build long-term emotional relationships to defraud victims. The threat is compounded by the availability of AI deepfake creation services on the dark web at relatively low prices, making these tools accessible to a wide range of malicious actors. Although some dark web offerings may be scams themselves, the overall trend shows a significant increase in AI-assisted fraud sophistication. The threat does not require technical vulnerabilities in software but exploits human trust and social engineering, making it highly effective and challenging to counter.

For European organizations, the impact of AI-enhanced phishing and scams can be severe. Financial institutions, government agencies, and large enterprises are prime targets due to the potential for high-value fraud and data breaches. Employees may be tricked into revealing credentials or authorizing fraudulent transactions, leading to direct financial losses and regulatory penalties under GDPR for data breaches. The reputational damage from successful scams can erode customer trust and brand integrity. Small and medium enterprises (SMEs) may suffer disproportionately due to limited cybersecurity resources and awareness. Individuals are also at risk of significant personal financial loss and identity theft, especially from romance scams and deepfake impersonations. The use of AI to create realistic phishing websites and automated calls increases the scale and success rate of attacks, potentially overwhelming existing detection and response capabilities. The threat also complicates incident response, as attackers use multiple channels and personas to evade detection. Overall, the threat increases the attack surface and requires enhanced vigilance and adaptive security measures across Europe.

European organizations should implement multi-layered defenses tailored to AI-enhanced social engineering threats. Specific measures include: 1) Conducting targeted employee awareness training focused on recognizing AI-generated deepfakes, phishing websites, and automated scam calls, including practical verification techniques such as out-of-band confirmation and code words for sensitive requests. 2) Deploying advanced email and web filtering solutions that incorporate AI-based detection of phishing URLs and suspicious content, complemented by real-time threat intelligence feeds. 3) Enforcing strong multi-factor authentication (MFA) to reduce the impact of credential theft. 4) Monitoring for anomalous user behavior and transaction patterns indicative of social engineering compromise. 5) Restricting and auditing permissions granted to AI-powered browser assistants and chatbots, limiting their ability to access sensitive data or perform transactions without explicit user consent. 6) Encouraging users to verify unexpected requests for money or sensitive information through independent communication channels. 7) Implementing domain and certificate monitoring to detect fraudulent phishing sites quickly. 8) Collaborating with law enforcement and cybersecurity communities to share intelligence on emerging AI scam tactics. 9) For individuals, promoting skepticism of unsolicited offers, especially those involving urgency or financial transactions, and verifying identities through multiple channels. 10) Regularly updating security policies to address the evolving AI threat landscape and integrating AI threat detection capabilities into security operations centers (SOCs).