A stark warning from the World Economic Forum’s “Global Cybersecurity Outlook 2025” paints a clear picture: the rise of Generative AI is significantly amplifying the sophistication and effectiveness of cyberattacks, with Gen AI identity theft becoming an increasingly serious concern. The report highlights a concerning trend where threat actors are leveraging the power of AI to automate and personalize deceptive communications, leading to a surge in successful social engineering attacks. 

Further underscoring this shift, the WEF report also reveals that cybersecurity managers are increasingly concerned about identity theft as a personal cyber risk, with 37% citing it as their top worry. This heightened concern isn’t isolated; it reflects a broader understanding that attackers increasingly target the human element as a potentially easier entry point into organizations.

Why the Focus on Identity? The Path of Least Resistance

This renewed focus on identity-based attacks isn’t arbitrary. It’s likely a consequence of increased investment and maturity in other areas of IT security. Robust vulnerability assessments and efficient patch management make it more challenging for cybercriminals to exploit technical weaknesses in systems and infrastructure. As these defenses strengthen, the path of least resistance often leads back to the user.  

The Human Factor: A Complex Web of Vulnerabilities

Several factors contribute to this increased vulnerability of the human element:

• Lack of Awareness Training: Insufficient or ineffective cybersecurity awareness training leaves employees ill-equipped to recognize and resist increasingly sophisticated AI-powered social engineering tactics.
• High Employee Turnover: Frequent personnel changes can lead to gaps in security protocols, inconsistent adherence to policies, and increased opportunities for insider threats, both intentional and unintentional.
• Social Issues: Various social engineering techniques prey on human psychology, exploiting trust, urgency, fear, and other emotions to manipulate individuals into divulging sensitive information or granting unauthorized access.  
• The “Quiet Quitting” Threat: A more insidious and emerging risk is the “quiet quitting” trend. As highlighted by governmenttechnologyinsider.com, disengaged employees may intentionally perform the bare minimum or pose as insider threats in more malicious cases. This could involve deliberately allowing ransomware into the company environment through negligence or even being recruited or paid by external actors. The CISA (Cybersecurity and Infrastructure Security Agency) defines intentional insider threats as malicious actions that leverage authorized access to IT systems to harm an organization.  

Gen AI: Turbocharging the Threat

The WEF report’s emphasis on Gen AI as a key driver of advanced adversarial capabilities is particularly alarming. AI can be used to:

• Craft hyper-personalized phishing emails and messages: Making them far more convincing and difficult to detect.
• Generate realistic deepfake audio and video: Enabling impersonation of trusted individuals to trick employees into divulging information or taking malicious actions.
• Automate social engineering campaigns at scale: Allowing attackers to target more individuals with sophisticated and tailored attacks.  

Protecting the Human Perimeter: A Multi-faceted Approach

Addressing this evolving threat landscape requires a multi-faceted approach that goes beyond traditional technical controls:

• Enhanced and Continuous Security Awareness Training: Organizations must invest in comprehensive and engaging training programs that educate employees about the latest social engineering tactics, including those leveraging AI. This training should be ongoing and adapted to new threats as they emerge.  
• Stronger Authentication Mechanisms: Moving beyond passwords to adopt phishing-resistant multi-factor authentication (MFA) and exploring passwordless solutions can significantly reduce the risk of account compromise.  
• Robust Insider Threat Programs: It is crucial to implement programs that monitor employee behavior, identify potential risks associated with disengagement, and establish clear reporting mechanisms.  
• Zero Trust Principles: Adopting a Zero Trust security model, which assumes no user or device is inherently trustworthy, can limit the damage even if an individual account is compromised.  

Conclusion

The World Economic Forum’s report serves as a critical wake-up call. In the age of Generative AI, the human element has become an even more significant vulnerability. Organizations must recognize this shift and prioritize strategies that empower their employees to be a strong first line of defense against increasingly sophisticated and personalized attacks. Ignoring this reality is no longer an option in the escalating cyber battleground.