TL;DR: Anthropic’s report shows a single attacker using Claude Code to target 17+ organisations, including government, healthcare, and finance, while North Korean operatives used AI to fake technical competence and hold remote IT jobs. According to Abnormal AI and Anthropic, this shows how AI lowers the skill threshold for high-impact abuse. Static controls now miss context, not just content.
NHIMG editorial — based on content published by Abnormal AI: AI-driven cybercrime and vendor fraud analysis
Questions worth separating out
Q: How should security teams handle AI-generated phishing and vendor fraud?
A: Teams should move beyond content-only filtering and evaluate sender behaviour, relationship context, and workflow fit.
Q: Why do AI-assisted attacks bypass traditional vetting so easily?
A: Because vetting often relies on interviews, conversation, and confidence signals that AI can imitate.
Q: What breaks when vendor accounts are used for financial fraud?
A: Approval workflows break when the sender already sits inside a trusted business relationship.
Practitioner guidance
- Shift detection to behavioural context: correlate sender identity, historical relationship, device signals, and workflow timing before trusting high-risk requests.
- Harden vendor payment verification: require independent callbacks or out-of-band confirmation for banking changes, urgent wire requests, and new payment instructions.
- Review remote hiring and contractor vetting: validate technical competence claims with evidence that is difficult to fake in conversation alone, and tie onboarding decisions to identity checks that are separate from interview channels.
What's in the full article
Abnormal AI’s full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of how AI-generated extortion and impersonation were structured across email and collaboration channels
- Abnormal’s behavioural detection approach for spotting out-of-context communications and vendor-risk anomalies
- The article’s discussion of financial workflow short-circuiting when trusted accounts are compromised
- How the vendor frames AI phishing coaching and account takeover monitoring for day-to-day operations
👉 Read Abnormal AI’s analysis of AI-enabled cybercrime and vendor fraud →
AI-driven cybercrime and vendor fraud: what controls are failing?
Explore further
AI is collapsing the old separation between attacker sophistication and operational reach. The report’s core signal is not that cybercrime has become more automated, but that a single operator can now run a campaign with the tempo and output of a small team. That changes how defenders should think about scale, because the limiting factor is no longer technical expertise alone. Security teams should assume that capability gaps on the attacker side are being filled by models, not people.
A few things that frame the scale:
- 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, which reinforces the need for behaviour-aware controls.
A question worth separating out:
Q: How can organisations tell whether behavioural identity monitoring is working?
A: It is working if it flags requests and sessions that are technically valid but inconsistent with normal identity behaviour, device history, or financial workflow patterns. A good programme surfaces anomalies before money moves or access expands, and it produces explainable alerts that analysts can tie back to the actual relationship and activity history.
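To make the practitioner guidance above and this answer concrete, here is an added example (not Abnormal AI's or NHIMG's code) of a request scorer that looks at relationship context rather than message content. It takes a vendor profile built from history (known sender addresses, verified bank account references, usual sending hours, previously seen devices) and a single inbound request, and returns an anomaly score, a verdict, and one explainable reason per signal that fired. The vendor profile, the three sample requests, the weights and the thresholds are all constructed for illustration; the out-of-band callback rule is applied independently of the score, as the payment-verification guidance above requires.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set


@dataclass
class VendorProfile:
    """What is already known about an established vendor relationship (constructed sample)."""
    vendor_id: str
    known_sender_domains: Set[str]
    known_sender_addresses: Set[str]
    verified_bank_accounts: Set[str]   # masked references, verified out of band earlier
    usual_hours_utc: range             # hours in which this vendor normally sends mail
    known_device_ids: Set[str]         # client/device fingerprints seen on prior mail


@dataclass
class VendorRequest:
    """One inbound request, as a mail gateway or workflow tool would hand it over."""
    vendor_id: str
    sender_address: str
    request_type: str                  # "invoice" | "bank_change" | "wire"
    bank_account: str
    device_id: str
    sent_at: datetime
    urgent: bool


@dataclass
class Assessment:
    anomaly_score: int
    reasons: List[str]                 # explainable: one line per signal that fired
    verdict: str                       # "normal" | "review" | "hold"
    callback_required: bool            # policy: always true when banking details are new


HIGH_RISK_TYPES = {"bank_change", "wire"}


def assess_request(req: VendorRequest, profile: VendorProfile,
                   review_at: int = 2, hold_at: int = 4) -> Assessment:
    """Score a request on relationship context, not on what the message says.

    Weights and thresholds are assumptions for this example; a real programme
    would tune them against its own relationship history.
    """
    reasons: List[str] = []
    score = 0
    domain = req.sender_address.rsplit("@", 1)[-1].lower()

    # Identity: how does the sender relate to the relationship already on file?
    if domain not in profile.known_sender_domains:
        score += 3
        reasons.append(f"sender domain '{domain}' never seen for vendor {profile.vendor_id}")
    elif req.sender_address.lower() not in profile.known_sender_addresses:
        score += 1
        reasons.append(f"new mailbox '{req.sender_address}' on a known vendor domain")

    # Device: a trusted mailbox on an unfamiliar client is the account-takeover signature
    if req.device_id not in profile.known_device_ids:
        score += 1
        reasons.append(f"device '{req.device_id}' not previously associated with this vendor")

    # Timing: outside the hours this vendor has historically sent from
    if req.sent_at.hour not in profile.usual_hours_utc:
        score += 1
        reasons.append(f"sent at {req.sent_at.hour:02d}:00 UTC, outside usual sending hours")

    # Workflow fit: new banking details on any request, urgency on a money-moving step
    new_account = req.bank_account not in profile.verified_bank_accounts
    if new_account:
        score += 2
        reasons.append("banking details differ from every previously verified account")
    if req.urgent and req.request_type in HIGH_RISK_TYPES:
        score += 1
        reasons.append("urgency pressure on a high-risk payment step")

    verdict = "hold" if score >= hold_at else "review" if score >= review_at else "normal"
    # Callback goes to a number already on file, never to one supplied in the message.
    return Assessment(score, reasons, verdict, callback_required=new_account)


# Constructed vendor history and three constructed requests against it.
ACME = VendorProfile("acme-supplies", {"acme-supplies.example"}, {"ar@acme-supplies.example"},
                     {"acct-ref-7781"}, range(8, 18), {"outlook-win-1f3a"})

ROUTINE_INVOICE = VendorRequest("acme-supplies", "ar@acme-supplies.example", "invoice",
                                "acct-ref-7781", "outlook-win-1f3a",
                                datetime(2024, 5, 14, 10, 0, tzinfo=timezone.utc), False)

# Same trusted mailbox, so content-only filtering passes it; the context does not.
TAKEOVER_BANK_CHANGE = VendorRequest("acme-supplies", "ar@acme-supplies.example", "bank_change",
                                     "acct-ref-9920", "webmail-unknown-9c",
                                     datetime(2024, 5, 15, 3, 0, tzinfo=timezone.utc), True)

# Lookalike domain: plausible content, but no relationship history behind the sender.
LOOKALIKE_INVOICE = VendorRequest("acme-supplies", "ar@acme-suppiles.example", "invoice",
                                  "acct-ref-5510", "webmail-unknown-2d",
                                  datetime(2024, 5, 16, 11, 0, tzinfo=timezone.utc), False)

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE_INVOICE), ("takeover", TAKEOVER_BANK_CHANGE),
                      ("lookalike", LOOKALIKE_INVOICE)]:
        a = assess_request(req, ACME)
        print(f"{name}: score={a.anomaly_score} verdict={a.verdict} callback={a.callback_required}")
        for r in a.reasons:
            print("   -", r)
```

The second sample is the case the answer above describes: every field a content filter inspects is legitimate, yet the request is held because the device, the timing, the banking details and the urgency are all inconsistent with the relationship history, and each of those inconsistencies is returned as a reason an analyst can read.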
👉 Read our full editorial: AI-driven cybercrime is outpacing static email defenses