When it comes to the cyber threats that keep CISOs and cybersecurity professionals awake at night, business email compromise scams, threats against critical infrastructure and the increasing use of artificial intelligence tools by cybercriminals rank in the top tier.
While concerns about AI tools used for malicious purposes have made numerous recent headlines, business email compromise (BEC) scams continue to rack up billions in losses for enterprises large and small. At the same time, threats against U.S. critical infrastructure have remained problematic for years, but the recent war with Iran has led U.S. government agencies to issue fresh alerts in the past two months as international tensions have increased.
AI, BEC and critical infrastructure vulnerabilities are among the most prominent cyber threats detailed in the FBI’s 2025 Internet Crime Report, published by the bureau’s Internet Crime Complaint Center (IC3) in early April. Overall, agents received well over 1 million complaints from U.S. victims in the last year, with losses from various schemes, scams and threats totaling $20.9 billion – a 26 percent year-over-year increase.
And while the FBI can tout some successes, such as the impact the IC3 Recovery Asset Team has had in recovering stolen funds from consumers and businesses, the report details how cyber threats affect everyday people, businesses of all sizes, government agencies and especially the cyber professionals tasked with protecting networks and IT infrastructure.
“It has never been more important to be diligent with your cybersecurity, social media footprint, and electronic interactions. Cyber threats and cyber-enabled crime will continue to evolve as the world embraces emerging technologies such as artificial intelligence,” according to the FBI report’s foreword.
While these three are not the only threats that organizations face, cybersecurity experts note that each is making the jobs of CISOs and their security teams more difficult, especially as AI helps enhance scams like phishing emails used in BEC ploys. At the same time, critical infrastructure, including industrial networks that use older operational technology (OT) and industrial control systems (ICS), remains vulnerable, especially to nation-state groups.
While AI threats, BEC and critical infrastructure vulnerabilities have evolved over the last year, the FBI points to where defenses are falling short and what cybersecurity professionals need to understand about how these and other threats are changing their jobs.
AI-Enabled Threats
The FBI IC3 report states what has become obvious over the last year – as AI technologies have become cheaper and more available, cybercriminals and threat actors have adopted these tools themselves. In 2025, agents received more than 22,000 complaints reporting AI-related cyber incidents, with adjusted losses exceeding $893 million.
Cybercriminals are using these tools in the same way office workers use AI, including writing better, more convincing emails and helping with coding and administrative support to increase the speed of attacks. The increased efficiency means the number of threats organizations face can become overwhelming, said Vincenzo Iozzo, CEO and co-founder at security firm SlashID.
“Threat actors have integrated AI across multiple dimensions of their operations. In terms of speed, AI is being used to decrease breakout time, the interval between initial compromise and lateral movement,” Iozzo told Dice. “On the scale axis, AI has dramatically amplified social engineering campaigns. Phishing emails that once required manual customization can now be generated at volume with convincing, context-aware language and a much better conversion rate.”
As other versions of AI are also released, such as agentic AI tools that let agents make decisions for themselves, defenders and cyber professionals will face more sophisticated threats.
“Agentic AI is being used by threat actors as an autonomous partner that can independently plan multi-step operations, manage the drudge work of infrastructure provisioning, and dynamically adapt its tactics in real time when it encounters defensive blocks,” Ram Varadarajan, CEO at security firm Acalvio, told Dice. “Agentic AI is being used for machine-speed swarm attacks. Legacy defenses are built for human attackers, and are now unable to fight back in either speed or scale against the agentic attacker.”
For these reasons, organizations are turning to AI to improve the speed and efficiency of their cybersecurity processes. Iozzo noted that these tools can help with threat prioritization and alert fatigue.
AI can enable security teams to process and triage alerts with significantly richer contextual information than previous rule-based or threshold-based tools provided. This extends across the full defensive stack, including security operations center (SOC) alert processing and correlation, custom detection engineering, vulnerability scanning and prioritized remediation, and threat intelligence enrichment.
“Rather than treating every alert as equally urgent, AI allows teams to focus human attention on the threats that matter most, informed by behavioral baselines and environmental context,” Iozzo added.
Varadarajan added that future cybersecurity is likely to turn away from bot-to-human and into bot-to-bot defense.
“AI can be used to strengthen defenses by orchestrating game-theoretic deception -- deploying adaptive honeypots and ‘radiant’ honeytokens that exploit a model's pattern-matching logic to misdirect and neutralize the attacker without human intervention,”.
BEC Rakes In Billions
BEC schemes have been around for a decade, but they increasingly enable cybercriminals to steal billions each year. In 2025, the FBI recorded nearly 25,000 complaints, and the losses totaled more than $3 billion, surpassing losses from data breaches and ransomware.
Traditionally, BEC schemes start with cybercriminals stealing a top executive's credentials through phishing, social media scams, or deepfakes. Then they impersonate that executive, sending urgent messages to lower-level employees to transfer or wire money to bank accounts. In other cases, the attackers spoof a company's business partner.
As with other frauds and scams, AI has helped improve phishing emails that target vulnerable organizations and their leadership.
“The ability for attackers to use generative AI to produce deepfake audio, imagery, and video is a rising concern, as attackers are increasingly using deepfakes to start sophisticated social engineering attacks,” Nicole Carignan, senior vice president for security and AI strategy and field CISO at Darktrace, told Dice. “While the use of AI for deepfake generation is real, the risk of image and media manipulation is not new. The challenge now is that AI can be used to reduce the skill barrier to entry and speed up production to a higher quality.”
In many ways, security training within organizations has not kept pace with the level of BEC incidents, especially as the threats have become more sophisticated. Mika Aalto, co-founder and CEO at Hoxhunt, believes that cybersecurity professionals have to help organizations change and manage human, or employee, behavior rather than providing workers with information about scams that might target them.
“Social engineering remains the easiest way into organizations. Security teams need to invest as much in preparing people as they do in technology. The most effective defense is training employees on the exact types of attacks they are likely to face, turning real-world phishing attempts into learning moments that build lasting cyber resilience,” Aalto told Dice. “Organizations need to move beyond traditional third-party risk management and adopt human risk management — hardening the human layer with the skills and reporting mechanisms that turn employees into threat sensors and feed human threat intelligence directly into detection and response.”
Critical Infrastructure Remains Vulnerable
The U.S. Department of Homeland Security recognizes 16 sectors as critical infrastructure, including the health care sector, transportation, financial services, water and wastewater treatment facilities.
The FBI’s numbers show that the majority of complaints in 2025 related to these sectors included ransomware attacks and data breaches. In the health care sector, for example, agents reported 460 ransomware incidents and another 182 related to data breaches.
A major concern remains who can access legacy systems, including OT and ICS technologies, within these sectors. Organizations need to consider how to securely manage privileged access to their critical environments. This includes ensuring employees, vendors, and third parties have the access and permissions needed to do their jobs without additional risk exposure, said James Maude, Field CTO at BeyondTrust.
“The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage,” Maude told Dice. “The identity security debt accumulated by many organizations represents a far greater risk than any other area, as it only takes the attacker to log in using the right identity and all is lost because of the paths to privilege that abound in their environment.”
