The Trust Crisis: AI Attacks Breach 88% of Firms, Legacy Security Fails

📊 Key Data
  • 88% of organizations breached by AI-driven security incidents in the past year
  • 60% of cybersecurity leaders lack confidence in defending against deepfake attacks
  • 59% of firms rate finance teams as high-priority targets for attackers
🎯 Expert Consensus

Experts agree that legacy security systems are failing to counter AI-powered attacks, necessitating urgent adoption of adaptive AI-driven solutions to restore trust in digital communications.


ATLANTA, GA – January 29, 2026 – A staggering 88% of organizations have been breached by security incidents that have fundamentally undermined trust in digital communications over the past year, according to a landmark new study. The report, commissioned by AI email security firm IRONSCALES and conducted by Osterman Research, exposes a deepening crisis for enterprises as artificial intelligence fuels a new generation of cyberattacks that legacy security tools are failing to stop.

The study, titled Restoring Trust in Business Communications, surveyed 128 cybersecurity leaders and paints a grim picture of a threat landscape that has been radically altered. While 82% of these leaders report a spike in threat actor interest in exploiting trusted communication channels, a concerning 60% admit they lack confidence in their ability to defend against sophisticated deepfake attacks, one of the most insidious new weapons in the AI arsenal.

The AI-Powered 'Phishing Renaissance'

For years, cybersecurity experts considered many forms of phishing to be a largely solved problem, manageable through a combination of email filters and employee training. That era is definitively over. The new research indicates the dawn of a “phishing renaissance,” where AI has completely reset the rules of engagement.

“The threat curve just got reset,” stated Michael Sampson, Principal Analyst at Osterman Research. “Even ‘solved’ attack types like phishing and business email compromise have become immature again. BEC attacks from 2025 bear little resemblance to those from 2020—they're now hyper-personalized, multi-channel, and can be launched autonomously at scale.”

This new breed of attack leverages generative AI to eliminate the tell-tale signs that once betrayed malicious intent. Awkward phrasing, grammatical errors, and suspicious sender addresses—hallmarks that both security systems and trained employees relied upon—have vanished. Attackers can now craft flawless, contextually aware messages in any language, personalized at an unprecedented scale. These attacks are no longer confined to email but arrive simultaneously through collaboration platforms like Slack and Teams, SMS messages, and even AI-generated voice calls, creating a multi-front assault on employee trust.

Disturbingly, the study suggests that organizations are already being overwhelmed by attacks that have not yet reached their full potential. A significant portion of respondents believe threat actors are still in the nascent stages of weaponizing AI, with 28% stating AI-generated phishing is “just getting started,” and similar sentiments expressed for deepfake audio (25%) and video (28%) attacks. The implication is clear: as bad as things are, they are poised to get much worse.

Human Defenses and Digital Trust on the Brink

The long-standing cybersecurity mantra of “employees are the last line of defense” is crumbling under the weight of AI-driven deception. The research delivers a stark verdict on the effectiveness of traditional security awareness training against these advanced threats. Nearly one in five security leaders now state that their training programs are proving ineffective.

When rated on their ability to prepare employees for specific AI-enhanced threats, the results were sobering. Training for detecting deepfake audio was rated from “not at all effective” to “moderately effective” by 38% of respondents. The figure rose to 39% for deepfake video and a concerning 43% for AI-generated phishing emails. The psychological foundation of these training programs—teaching employees to spot anomalies—is failing because the anomalies are disappearing. The attacks look, sound, and feel real.

This technological erosion of human detection capabilities is fueling a broader crisis of trust. When employees can no longer be certain whether they are communicating with a trusted colleague or a sophisticated AI impersonator, the efficiency and integrity of business operations are put at risk. This digital trust deficit forces a fundamental re-evaluation of where the responsibility for security lies, shifting the burden away from fallible human judgment and back toward more intelligent, adaptive technological solutions.

Finance Departments in the Crosshairs

Nowhere is this trust crisis more acute than in corporate finance departments. The study identifies a perfect storm of vulnerability, designating finance teams as both the highest-priority target for attackers and the employee group that security leaders are most worried about. An identical 59% of organizations rated their finance teams as “high” or “extreme” priority targets for threat actors, while 59% also expressed high concern about their readiness to defend against these sophisticated, trust-based attacks.

“Finance teams control the money, so they're priority number one for attackers,” noted Audian Paxson, Principal Technical Strategist at IRONSCALES. “But cybersecurity leaders report the lowest confidence in these teams' ability to spot sophisticated BEC and impersonation scams. That gap is getting exploited daily.”

The data bears this out. In the past year alone, over a third of organizations (33%) reported incidents where threat actors successfully masqueraded as trusted vendors to steal funds or sensitive information. Attacks involving vendor impersonation are not just common; they are increasing significantly, with 13% of firms reporting a major year-over-year increase.

A Mandate for Change: Enterprises Ready to Overhaul Security

The escalating threat has triggered a moment of reckoning in boardrooms and security operations centers across the country. The consensus is that the old way of doing things is no longer viable. “Legacy email protections are too blunt an instrument to recognize the subtle indicators of modern AI-powered attacks,” Sampson warned. “Organizations can no longer trust these legacy solutions to protect against threats that didn't exist when they were designed.”

The cost of failing to adapt is severe. Over half (55%) of security leaders believe that an inability to defend against these attacks significantly increases the likelihood of a major data breach, with cascading consequences including regulatory fines, reputational damage, reduced productivity, and severe operational disruption.

This high-stakes environment is driving an unprecedented willingness to invest and change. The research found that an overwhelming majority of organizations are prepared to take immediate and decisive action. A full 70% of security leaders stated they are willing to add best-in-class point solutions to plug security gaps. Furthermore, 68% are willing to change security vendors entirely, and a remarkable 70% are prepared to replace their entire security technology stack if necessary to counter the threat. This signals a seismic shift in the market, away from outdated, signature-based systems and toward a new generation of security platforms built on adaptive AI and behavioral analysis that can evolve as quickly as the threats they are designed to fight.
