<![CDATA[Blog]]> https://www.thesilvercloudbusiness.com/blog/rss Our Blog en Sat, 13 Jun 2026 09:03:09 +0000 Your Staff Are Now the Weakest Link: How AI Is Making Social Engineering Attacks Smarter https://www.thesilvercloudbusiness.com/blog/your-staff-are-now-the-weakest-link-how-ai-is-making-social-engineering-attacks-smarter https://www.thesilvercloudbusiness.com/blog/your-staff-are-now-the-weakest-link-how-ai-is-making-social-engineering-attacks-smarter <p>AI-powered phishing, voice cloning and business email compromise are changing the cyber threat landscape for UK businesses. While firewalls, endpoint protection and password policies still matter, attackers are increasingly bypassing technical controls by targeting people instead. Social engineering attacks have become faster, cheaper and far more convincing because AI helps criminals write credible messages, imitate trusted voices and personalise scams at scale.</p> <p>The biggest shift is not just in the technology, but in how it is used to manipulate behaviour. Modern AI scams use social engineering to condition victims over time, building familiarity, credibility and urgency across email, phone calls, messaging platforms and video meetings. Instead of relying on one obvious phishing email, attackers can now create believable multi-step conversations that feel like normal business activity.</p> <p><strong>How AI is making social engineering attacks more effective</strong></p> <p>Traditional phishing used to leave clues: poor grammar, odd phrasing, generic greetings and obvious formatting mistakes. AI strips many of those warning signs away. Criminals can generate fluent, professional language in seconds, translate it into different languages, tailor it to a specific department and even mirror the writing style of a manager, supplier or customer. 
Voice cloning and deepfake tools take this a step further by recreating trusted identities in phone calls, voicemails and video meetings.</p> <p>This matters because social engineering works by exploiting human instincts: trust, helpfulness, speed and fear of getting something wrong. AI amplifies each of those triggers. It allows attackers to test different messages, refine what works and run campaigns across email, SMS, collaboration platforms and phone calls. According to the <strong>2025 Verizon Data Breach Investigations Report</strong>, the human element remains involved in around 60% of breaches, underlining how often people are still the route in for attackers. It is also why AI is such a force multiplier for fraud and compromise.</p> <p><strong>Examples of AI-powered scams affecting businesses today</strong></p> <ul> <li><strong>Executive impersonation and payment fraud</strong>: Attackers use AI-written emails or cloned voices to pose as senior leaders and push urgent payment requests. In one widely reported 2024 case in Hong Kong, a finance employee was deceived during a fake video call involving deepfake identities of executives and transferred roughly US$25 million.</li> <li><strong>Voice cloning and vishing</strong>: Criminals can create realistic voice clones from short public audio clips, then call staff pretending to be a director, supplier or colleague. These calls are designed to bypass caution by sounding familiar and authoritative.</li> <li><strong>Helpdesk and password reset manipulation</strong>: Social engineering groups increasingly target support desks, persuading staff to reset credentials or MFA methods. Recent UK reporting around major retail incidents has highlighted how operational teams and helpdesks can become prime targets when attackers want the easiest path in.</li> <li><strong>Fake recruitment and job scams</strong>: AI-generated recruiter profiles, job descriptions and follow-up messages make employment scams look highly credible. 
These are used both to steal personal data and to move conversations onto less secure channels where victims are easier to manipulate.</li> <li><strong>Supplier and invoice fraud</strong>: AI helps attackers mimic real suppliers, past invoice language and purchasing patterns, making payment diversion emails far more believable than the old “change our bank details” scam.</li> </ul> <p><strong>Why AI social engineering scams work: the conditioning effect</strong></p> <p>The most effective social engineering attacks are rarely a single message out of nowhere. They are staged. An attacker may first connect on LinkedIn, then send a harmless email, then reference a real supplier, project or meeting, and only later introduce the request—click this link, share that code, approve this payment, reset that account. AI makes that process easier to scale because it can maintain consistent language, remember context, adapt responses and keep the conversation feeling natural.</p> <p>This is what conditioning looks like in practice: repeated contact that lowers suspicion, use of familiar names and systems, carefully timed urgency, and an appeal to routine business behaviour. The victim is not simply tricked—they are guided. By the time the harmful request arrives, it may feel consistent with everything that came before. That is why experienced, intelligent employees still get caught out. These attacks are designed to exploit normal behaviour, not ignorance.</p> <p><strong>How businesses can reduce the risk of AI-powered social engineering</strong></p> <ul> <li>Train for modern scams, not old phishing clichés. Staff need to recognise AI-polished messages, voice impersonation, fake urgency and multi-step manipulation—not just spelling mistakes.</li> <li>Introduce robust verification processes. Payment changes, password resets, sensitive file requests and MFA changes should always require a second channel of verification.</li> <li>Protect your public footprint. 
The more detail attackers can gather about your people, projects and structure, the more convincing their lures become.</li> <li>Support your helpdesk and frontline teams. These teams are often targeted because they are helpful, busy and operationally critical. Give them scripts, escalation paths and permission to slow things down.</li> <li>Use layered controls. Awareness matters, but it cannot stand alone. Pair training with strong identity controls, conditional access, phishing-resistant MFA and monitoring for unusual account activity.</li> </ul> <p>The uncomfortable truth is that employees are now on the frontline of cyber security. They are being targeted by AI-powered phishing, deepfake fraud, vishing and business email compromise attacks that are engineered to look legitimate and feel routine. For organisations, that means cyber security can no longer focus only on systems and software. It must also address human trust, verification processes and the ways social engineering attacks manipulate behaviour over time.</p> <p>If your business wants to reduce cyber risk in the AI era, start by recognising that the threat has changed. Today’s attackers do not just exploit software vulnerabilities—they exploit people, processes and trust. The most vulnerable employee is often not the careless one, but the conscientious member of staff facing an AI-enabled scam that sounds credible, looks familiar and arrives at exactly the wrong moment.</p> <p><strong>How does this impact my business?</strong></p> <p>Threats are evolving at a rapid pace and a lot of traditional security tools are not keeping pace, leaving some organisations that rely on basic security measures vulnerable. 
If you have been impacted by an AI scam or would like advice or more protection measures, call us on <strong>01722 411 999</strong></p> Wed, 10 Jun 2026 00:00:00 +0000 Don't Fall Victim To A Sextortion Email https://www.thesilvercloudbusiness.com/blog/dont-fall-victim-to-a-sextortion-email https://www.thesilvercloudbusiness.com/blog/dont-fall-victim-to-a-sextortion-email <p>This week has felt a bit like a blast from the past: we have seen a significant increase in what are referred to as "sextortion" emails. These used to be a common form of phishing, but they dwindled into obscurity, which is why it is interesting to see them make a resurgence.</p> <p>Sextortion emails are typically phishing emails sent to millions of recipients in the hope that one or two will get through and cause panic or alarm in the reader. One trick they commonly use against less secure email configurations is to spoof the recipient's own email address, so the sender can pretend to have taken over the computer with a message like "you can see I have hacked your computer because I have sent this email from your account", which couldn't be further from the truth.</p> <p>Most of the time, one of these emails reaches someone's inbox because their email does not have the correct settings or a proper security system in place.</p> <p>The emails claim to have recorded the recipient in a compromising situation and threaten to send the video to friends, family, or colleagues unless a payment is made in Bitcoin. These messages are designed to create panic and embarrassment, pushing people to act quickly without stopping to think. In most cases, however, this is nothing more than a scare tactic and a form of phishing. The sender is bluffing, hoping fear will do the work for them.</p> <p><strong>This Is Phishing, Not Proof of a Hack</strong></p> <p>The important message for anyone who receives one of these emails is simple: do not engage, do not reply, and do not pay. 
Guidance from the National Cyber Security Centre says these so-called “sextortion” emails are a type of phishing attack. Criminals send them out in bulk and rely on fear, shame, and urgency to trick a small number of people into transferring cryptocurrency. They usually do not know whether the recipient has a webcam, whether they have visited any adult sites, or whether any compromising video even exists at all. They are guessing, and they are hoping the threat alone is enough to make someone pay.  If they genuinely had compromised your computer they would use either a still or a video clip proving it rather than relying on pure panic and an old password scraped from a data breach alone.  </p> <p>Sometimes these emails include an old password to make the threat seem more believable. That can be alarming, but it still does not mean the sender has access to your device or your camera. In many cases, those passwords have been taken from historic data breaches and are being reused as part of the scam. If a message includes a password you still use, change it immediately and make sure multi-factor authentication is enabled on the account. Otherwise, the email itself can usually be ignored, reported as phishing, and deleted.</p> <p><strong>What to Do If You Receive One</strong></p> <ul> <li>Do not reply to the sender.</li> <li>Do not pay the Bitcoin demand.</li> <li>Mark the message as phishing or junk and delete it.</li> <li>If it includes a password you still use, change that password immediately.</li> <li>Enable multi-factor authentication wherever possible.</li> <li>If appropriate, report suspicious emails to your IT team or security provider.</li> </ul> <p><strong>Prevention Is Better Than Panic</strong></p> <p>While these emails are typically just phishing and can usually be ignored, organisations should not rely on luck alone. A far better approach is to harden email security so that spoofed and malicious messages are less likely to reach users in the first place. 
That starts with proper email authentication and strong filtering controls.</p> <ul> <li>SPF (Sender Policy Framework) helps receiving mail servers verify which systems are authorised to send email on behalf of your domain.</li> <li>DKIM (DomainKeys Identified Mail) adds a digital signature to outgoing mail so recipients can confirm the message has not been altered and really came from your domain.</li> <li>DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on both SPF and DKIM by telling receiving servers what to do when a message fails those checks, while also providing reporting that helps identify abuse and misconfiguration.</li> <li>A robust email security service that provides content filtering, threat detection and prevention and protects from SPAM.</li> </ul> <p>Together, these controls make it much harder for attackers to spoof your organisation’s address and use your domain in phishing campaigns.</p> <p>Alongside SPF, DKIM, and DMARC, every business should use a robust anti-spam and anti-phishing filter to catch malicious messages before they reach the inbox. No single control is perfect, but layered protection greatly reduces risk. When strong technical controls are combined with staff awareness, phishing campaigns like these become far less effective.</p> <p>The bottom line is this: if you receive one of these threatening Bitcoin emails, treat it as phishing unless there is genuine, specific evidence to suggest otherwise. Do not panic, do not pay, and do not let embarrassment drive your decision-making. Delete the message, secure any affected accounts, and make sure your email environment is protected with SPF, DKIM, DMARC, and a dependable anti-spam filter.</p> <p><strong>What does this mean for my business?</strong></p> <p>If you are unsure if you have measures in place or want reassurance or any help with any of the above, call us on 01722 411 999 and we will be happy to help.  
As we said earlier, prevention is better than panic.</p> Wed, 03 Jun 2026 00:00:00 +0000 How Can You Protect Yourself From A Third Party's Poor Security Practices https://www.thesilvercloudbusiness.com/blog/how-can-you-protect-yourself-from-a-third-partys-poor-security-practices https://www.thesilvercloudbusiness.com/blog/how-can-you-protect-yourself-from-a-third-partys-poor-security-practices <p>We used to say there were two certainties in life: death and taxes. Now there is a third: at some point, often through no fault of your own, your personal data may be leaked, sold, or exposed online.</p> <p>The good news is that while you cannot remove the risk entirely, you can reduce your exposure and take action if an organisation fails to protect your information.</p> <p><strong>Why data exposure has become the new normal</strong></p> <p>Every order, signup, app, and account adds to your digital footprint. Businesses collect data, brokers trade it, and criminals target it. Even careful people can be caught in a breach. In the UK, organisations must report certain breaches to the <strong>Information Commissioner’s Office (ICO)</strong> within 72 hours and tell affected individuals quickly if the risk is high.</p> <p><strong>How to tighten your personal data controls</strong></p> <p>Protecting your data is about reducing exposure, making stolen information less useful, and spotting problems early.</p> <ul> <li>Use a password manager and strong, unique passwords.</li> <li>Turn on multi-factor authentication for email, banking, and social accounts.</li> <li>Review privacy settings and remove permissions you do not need.</li> <li>Share less personal information unless it is truly necessary.</li> <li>Keep devices, browsers, and apps updated.</li> </ul> <p><strong>Use secure products that help you spot trouble early</strong></p> <p>Good habits matter, but the right tools help too. 
Reputable antivirus and endpoint security can block malware and unsafe websites, while monitoring tools can flag unusual logins, suspicious behaviour, or exposed credentials before a small issue becomes a major one.</p> <ul> <li>Choose trusted security software with automatic updates and real-time protection.</li> <li>Use device encryption and screen locks on laptops and phones.</li> <li>Back up important files regularly.</li> <li>Monitor bank accounts and key online services for unusual activity.</li> </ul> <p><strong>What to do if a business leaks your data through poor security</strong></p> <p>If a business exposes your data, act quickly. Contact the organisation through its official channels, ask what happened and what data was involved, and change affected passwords immediately. If financial details or identity documents may be at risk, contact your bank or provider and monitor accounts closely.</p> <ul> <li>Keep records of messages, calls, and screenshots related to the breach.</li> <li>Watch for phishing, scam texts, and fake compensation offers.</li> <li>Check for unauthorised activity and change security questions if needed.</li> <li>Complain to the ICO if you believe the organisation mishandled your data.</li> <li>In the UK, you may be able to seek compensation if the breach caused loss or distress.</li> </ul> <p>Keep evidence of the breach and its impact. If the consequences are serious, consider speaking to a qualified solicitor or specialist adviser. You do not have to accept the fallout quietly if a business failed to protect your information.</p> <p><strong>How does this affect you or your business?</strong></p> <p>Data leaks are now a routine risk of modern life. But you are not powerless. Share less, secure more, use trusted tools, and know your rights when organisations get it wrong. 
</p> <p>If you would like more information about tools such as secure password managers, real-time monitoring, penetration testing, removing information from data brokers or anything in this article that might have affected you, <strong>call us on 01722 411 999</strong> and we can provide help and advice.  </p> <p><em>This article is for general information only and is not legal advice. If you have been affected by a serious data breach, consider seeking guidance tailored to your situation.</em></p> Wed, 27 May 2026 00:00:00 +0000 Did you know you can build your own AI Agents quickly and easily? https://www.thesilvercloudbusiness.com/blog/did-you-know-you-can-build-your-own-ai-agents-quickly-and-easily https://www.thesilvercloudbusiness.com/blog/did-you-know-you-can-build-your-own-ai-agents-quickly-and-easily <p>It's easy with Copilot Studio, which is Microsoft’s tool for building AI helpers, often called AI agents. These agents can answer questions, find information, and carry out simple tasks, which makes them useful for customer service, internal support, and everyday business work.</p> <p>Put simply, Copilot Studio helps organisations create digital assistants without needing to build everything from scratch or be highly technical.</p> <p><strong>What Is Copilot Studio?</strong></p> <p>Think of Copilot Studio as a way to create an AI-powered assistant for your organisation. You can give it trusted information, tell it how to behave, and let it help people by answering questions or completing routine tasks.</p> <p>Older chatbots often felt clunky and scripted. 
Copilot Studio is designed to be more natural, so conversations feel closer to talking with a helpful assistant rather than clicking through a rigid menu.</p> <p><strong>What Can It Do?</strong></p> <ul> <li><strong>Answer questions:</strong> It can use company information to give helpful replies.</li> <li><strong>Find what people need:</strong> It can point users to the right documents, answers, or next steps.</li> <li><strong>Do simple tasks:</strong> It can help start processes or trigger actions in other systems.</li> <li><strong>Work where people already are:</strong> It can be used in Microsoft tools and other supported channels.</li> </ul> <p><strong>How Do You Make an AI Agent?</strong></p> <p>You do not need to start with code. In simple terms, the process looks like this:</p> <ol> <li><strong>Pick one job:</strong> Choose a clear purpose, such as answering staff questions or helping customers.</li> <li><strong>Give it the right information:</strong> Connect the documents or knowledge it should rely on.</li> <li><strong>Test and improve it:</strong> Try real questions, fix weak answers, and then roll it out carefully.</li> </ol> <p>The best AI agents usually do one thing well rather than trying to do everything.</p> <p>In short, Copilot Studio is a practical way to build AI assistants that help people get answers and save time. 
Start small, keep it focused, and build from there.</p> <p>If you would like more information about building your own <strong>AI Agents</strong> using Copilot Studio, call us on <strong>01722 411 999</strong> and we can help you set it up and make it work for you.</p> Wed, 20 May 2026 00:00:00 +0000 Businesses Are Embracing AI – Don’t be left behind https://www.thesilvercloudbusiness.com/blog/businesses-are-embracing-ai-dont-be-left-behind https://www.thesilvercloudbusiness.com/blog/businesses-are-embracing-ai-dont-be-left-behind <p>Businesses across every sector are embracing AI, but most are doing so gradually rather than through full-scale implementation.</p> <p>Instead of rushing change, organisations are testing practical use cases, building confidence, and introducing AI where it can deliver clear value.</p> <p>Change is inevitable, and businesses that fail to engage with AI risk losing competitive advantage to those already improving efficiency, decision-making, and responsiveness.</p> <p><strong>Will this replace staff?</strong></p> <p>No. The most effective organisations are taking a human-centric approach, using AI to augment people rather than replace them.  </p> <p>This means reducing repetitive work, speeding up research and administration, and helping staff focus on higher-value tasks where judgment, creativity, and relationships matter most. In many cases, AI is becoming a tool that strengthens capability rather than a strategy for simple cost cutting.</p> <p>This measured approach allows <strong>businesses to increase capacity without</strong> always <strong>increasing headcount</strong>, enabling existing teams to do more with the support of intelligent tools. A slow embrace is not a sign of hesitation; it is often a sign of maturity. 
But a slow embrace is very different from inaction.</p> <p><strong>What does this mean for my business?</strong></p> <p>Businesses that adopt AI thoughtfully will be better placed to grow, adapt, and compete, while those that ignore it altogether risk being left behind.</p> <p>Imagine being able to increase your productivity without the increased headcount and salary overhead. It’s what other businesses are doing.</p> <p>If you would like more information about how AI could help improve productivity or just to see what it can do, call us on <strong>01722 411 999</strong></p> Wed, 13 May 2026 00:00:00 +0000 What Is The Weakest Link In Your Business's Security? https://www.thesilvercloudbusiness.com/blog/what-is-the-weakest-link-in-your-businesses-security https://www.thesilvercloudbusiness.com/blog/what-is-the-weakest-link-in-your-businesses-security <p>Did you know that there is a survey done every year, asking thousands of people to share anonymously the passwords they use most and to detail their password habits?</p> <p>One thing that is surprising, shocking and disappointing is that each year we see the same results, time and time again.  </p> <p><strong>The Top Ten Most Used Insecure Passwords</strong></p> <p>Year after year, certain passwords consistently appear in the top ten rankings of insecure passwords. 
These choices are often simple, memorable, and unfortunately, highly vulnerable to unauthorised access and VERY easy to guess.</p> <p>Below is a list of the most commonly used insecure passwords, along with how long each has remained in the top ten:</p> <p>Top 10 Weakest Passwords (2026) - source Wikipedia</p> <ol> <li><strong>123456</strong> (Ranked #1, Top spot for over a decade)</li> <li><strong>123456789</strong> (Ranked #2)</li> <li><strong>12345678</strong> (Ranked #3)</li> <li><strong>password</strong> (Consistently top 5 for over 15 years)</li> <li><strong>12345</strong> (Consistently top 10)</li> <li><strong>qwerty</strong> (Top 10 for over 10 years)</li> <li><strong>1234567</strong> (Top 10 for over 10 years)</li> <li><strong>1234567890</strong> (Top 10 for over 10 years)</li> <li><strong>111111</strong> (Common staple for 5+ years)</li> <li><strong>qwerty123</strong> (Top 10 for over 5 years)</li> </ol> <p>These passwords have remained popular largely because they are easy to remember, but this simplicity comes at the expense of security.</p> <p><strong>Note:</strong> Other variants, such as "admin," "123123," and "P@ssw0rd," are also commonly found in the top 25.</p> <p><strong>Why Insecure Passwords Persist</strong></p> <p>Many users opt for simple passwords out of convenience, habit, laziness, or a lack of understanding about security risks. Reusing passwords across multiple accounts or choosing patterns like "123456" makes them quick to enter but leaves accounts exposed to brute-force attacks and data breaches. The most widely used passwords are the first ones attackers try when attacking a system.</p> <p>The persistence of these insecure choices highlights the need for ongoing awareness and training.</p> <p><strong>Protecting Your Business</strong></p> <p>Businesses must take proactive steps to mitigate the risks posed by weak passwords. Start by implementing strong password policies that require complexity and regular changes. Encourage the use of password managers to help staff generate and store unique, robust passwords for every account.</p> <p>Multi-factor authentication (MFA) should be enabled wherever possible, adding an extra layer of protection against unauthorised access.</p> <p><strong>Educating Staff</strong></p> <p>Staff education is key to improving password security. Provide regular training sessions to raise awareness about the dangers of insecure passwords and best practices for creating strong credentials. Share real-world examples of breaches caused by weak passwords and encourage open dialogue about password management. 
Make sure staff understand how to recognise phishing attempts and know the procedures for reporting suspicious activity.</p> <p><strong>How does this affect your business?</strong></p> <p>Insecure passwords continue to be a significant threat to business security. By understanding the prevalence of weak password choices and taking practical steps to address them, businesses can better protect their data and assets. Prioritising staff education and enforcing strong password policies will help foster a culture of security and vigilance. Now is the time for every organisation to make password protection a top priority.  </p> <p>At The Silver Cloud Business we can offer a range of online training and awareness sessions that businesses can use to educate staff about the importance of password security. We can also configure your environment to require complex passwords that meet a minimum level of security, and we can help deploy password management solutions to ensure complex passwords are kept safe and secure.  </p> <p>If you would like more information about password security and education, call us on <strong>01722 411 999</strong> and we will happily help secure your business. </p> Wed, 06 May 2026 00:00:00 +0000