B (13:16)

Maybe that's an urgent message from your CEO, or maybe it's a deep fake trying to target your business. Doppel is the AI native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back from automatically dismantling cross channel attacks to building team resilience and more Doppel outpacing what's next in social engineering? Learn more@doppl.com that'S-O-P p e l.com. No, it's not your imagination. Risk and regulation really are ramping up and customers expect proof of security before they'll sign that deal. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. Whether you're preparing for SOC 2 or managing an enterprise governance risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That's not just faster compliance, that's more time for growth.

C (14:38)

Take it from me, if you're thinking

B (14:40)

about compliance, take the time to check out Vanta. Get started@vanta.com cyber foreign.

C (14:59)

Long is CEO and co founder of Adaptive Security. And in today's sponsored Industry Voices segment we discuss how AI is reshaping social engineering.

A (15:11)

So I think the current state is shifting dramatically and not surprisingly, that shift is being driven by the adoption of new AI tools. So with new AI tools, attackers are able to attack with significantly more sophistication and unfortunately also success. They can use OSINT data that's collected across large language models and then they can use things like deep fakes over voice and likeness and pair those with real time models in order to run very sophisticated attacks to get into organizations and get whatever data they need in order to disrupt operations or steal money.

B (15:59)

Is it just the sophistication that's changed here or are you also tracking a difference in velocity?

A (16:07)

Yeah, I mean, so what's changed a lot even more recently, just in the last year, because it's been about three years since I think we kind of saw the dawn of the AI revolution when ChatGPT came out. But more recently the models have become very cheap and you can get a really good large language model and run it at basically no cost locally on your own device. There's over 2 million models available on sites like Hugging Face. So that's really changed not only the quality but also the volume. And as a result, we've seen over a 4.4x increase in social engineering phishing attacks since ChatGPT came out. And if you look at sophisticated attacks like deepfakes, you know, they grew 17x from 2023 to 2024 with over 100,000 deepfake attacks in just 2024, and that those numbers, you know, further grew exponentially in 2025.

B (17:08)

What are some of the things that you see behind these successful incidents? Are there patterns that you all track?

A (17:15)

Yeah, I mean, look, we, we, we track a number of different patterns. I, I think that the biggest pattern I, I've seen though is that, you know, traditionally when, when you heard impersonation attacks, you'd think it's, they're going to be the CEO asking for the gift cards type of thing, right? I, I, I think what's changing is you see more attacks now where they might be impersonating something, someone who's in the middle of the organization, right? They're gonna, they're gonna pretend to be the controller. You know, I, I just heard someone where they pretended to be, you know, the CFO telling the controller to do something right in their voice, their likeness, knowing everyone's names, knowing context on the business. And I think that's where you see it going.

C (17:53)

From a defender's point of view, what

B (17:55)

are the, some of the specific challenges

C (17:57)

that we face here?

A (17:59)

Man, where to begin? I mean, there's a lot of challenges. You know, I think number one is if you are a defender at an organization, you know, you're probably managing over 50 tools. You've probably got a, you know, every day you feel like you've got thousands of different alerts telling you things that are, that are wrong, things you need to deal with, and you're, you're, you know, you're being attacked every single day. So it's hard to find the time to keep up with the newest threats and feel like you're even just keeping your head above water, you know, let alone dealing with what the new stuff is. So I think time and, and, and, and resourcing is, is something that we hear is a consummate issue for security teams first and foremost.

B (18:45)

I know you and your colleagues talk

C (18:47)

about how detection is not enough. That, that, that's not really a reliable plan these days.

A (18:53)

Yeah, look, I mean, I think that, you know, number one, it's, it's hard to implement detection so that it actually is covering all your surface areas at a company first. Maybe you've got something for corporate email, but does it cover personal emails? You probably don't have anything for phone calls or text messages. And then on video, maybe you have something for your own video chat, but it doesn't work if they just drive the person to a video chat outside of your instance. So it's pretty hard to really feel buttoned up.

B (19:27)

What's your take on security awareness training? What part does that have to play?

A (19:32)

Yeah, so look, we operate the world of security awareness training, and I think in what's happening now with the AI revolution, it really plays two important parts. One is spreading awareness of what these AI attacks are capable of. Because I think that as much as the modern CISO may have a pretty good idea of what's possible and they're staying on top of these things and playing around with these tools, the average employee definitely has no idea. So I think a awareness and education of their employees is a big, big piece of it. And then I think that the second piece to me is controls. Right. A lot of organizations, they're still adjusting to a remote workforce. Maybe they never meet people on their team. And one of the biggest growing attacks is impersonation to get the job and then inside a risk. You know, Gartner estimated that I think by the year 2029, Gartner said that one in four job applicants will be an impersonation, will be fake. So, you know, I think that there's many different areas of the org where you know, oh no, we've got identity lockdown. People can't do anything. It's like, well, what if we hire someone and then all of a sudden they seem like they're normal and then they're not. Right. And I also think, look, usage is changing a lot with AI agents and people using these tools on their own computers. And you know, the tool can do all sorts of thing. It's going to mess up all the sensors because, you know, stuff that looks like it would have been bad bot traffic is now just going to be an agent doing something for a person as normal. And that's going to make it a lot harder for us to tell fish from foul.

B (21:10)

Well, I mean, given all these realities, what are your recommendations?

C (21:14)

How do you suggest folks should come at this?

A (21:16)

Yeah, look, number one, I think awareness is what you need to do now. You know, you need to make sure that everyone in your company is aware of what AI's capabilities are and what they need to do to just the basics to protect themselves and be aware for them. But you know, I think it's, it's beyond just a company thing, you know, it's a personal thing too. What do they need to know for their own children, for their own, you know, parents? You know, we also have a lot of free training courses that we offer for say children's in schools to help educate children around, you know, the take it down act and non consensual deepfake abuse in schools. And that's, you know, something that unfortunately is a huge problem in schools all the way up to senior citizens who unfortunately are some of the biggest targets of these, these types of social engineering attacks.

C (22:05)

What do you suppose the future looks like here? How are we going to get control of this situation?

A (22:11)

Yeah, look, I think the future is that people need to become accustomed to a different sense of identity. Right? They need to be aware that, you know, someone is, it's very easy for someone to impersonate a loved one, to know a lot of information about you and your family. And you know, if they're asking you to do something that seems wrong, seems hokey, you know, they're calling you from some number you've never heard before. You know, you need to have a code word, you need to have steps you take in order to authenticate them before doing anything.

B (22:44)

Any closing words of wisdom for folks out there best looking to come at this problem.

A (22:50)

Yeah, look, my word of wisdom would be it all seems a little scary and a little overwhelming. But if we just train ourselves and our people to take a minute when something seems a little off, take a step back and really when in doubt, you can take a minute and not do anything. You know, there are a few times where, you know, urgent action is really required. And I think especially with something that seems like a, you know, impersonation attack where they really, really push on. Urgency is the opportunity for people that to take a second, think logically and then look at the controls of the organization or, you know, if it's in your own household.

C (23:34)

The code words that's Brian Long, CEO and co founder of Adaptive Security.

B (23:53)

When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com.

C (24:39)

Ever wished you could rebuild your network

B (24:41)

from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together.

C (24:58)

The result?

B (24:59)

Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs.

C (25:06)

From wired and wireless to routing, switching,

B (25:09)

firewalls, DNS security and vpn, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo@meter.com cyberwire that's M E T E R.com cyberwire.

C (26:02)

And finally, the OpenID foundation is warning that the Internet has a serious blind spot. What happens to our digital lives after we die? In a new report, the Unfinished Digital Estate, the group says there's no consistent global standard for handling the accounts of deceased users, leaving everything from email and social media to cryptocurrency in a legal and technical gray area. Right now, platforms treat death like a rare corner case, even though it eventually applies to every Internet user. According to the report, the lack of coordination could invite fraud, identity abuse and even scams powered by deepfake technology that impersonates the deceased to manipulate friends or relatives. The problem is compounded by privacy laws like GDPR and ccpa, which largely stop protecting personal data after death. The foundation is urging policymakers and tech companies to establish clearer digital inheritance rules, stronger identity protections, and standardized systems that allow trusted individuals to manage accounts without relying on shared passwords. Because while the Internet never forgets, it also hasn't figured out when it should let go. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2n2k's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes, our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I, Dave Bittner.

B (28:20)

Thanks for listening.

C (28:21)

We'll see you back here tomorrow.

B (28:28)

Foreign. If you only attend one cybersecurity conference this year, make it RSAC 2026.

C (28:51)

It's happening March 23rd through the 26th

B (28:54)

in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26.

C (29:22)

I'll see you in San Francisco.

B (29:35)

Most security conferences talk about Zero Trust. Zero Trust World puts you inside. This is a hands on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in Live Hacking Labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert led sessions, practical case studies and technical deep dives focused on real world implementation. Whether your Blue Team, Red Team or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution.