Most people now understand that AI can write a convincing scam. The faster-moving story is that AI can increasingly run one — chaining steps together, reacting to what it finds, and pushing toward a goal with far less human hand-holding. This is the shift from AI as a tool to AI as an operator, and it changes the economics of attack.
From one clever email to a whole campaign
A human attacker is a bottleneck: they can only work so many targets at once. An AI agent is not. Point it at a goal — “find finance staff at these companies, craft a tailored pretext for each, and follow up” — and it can carry out the reconnaissance, the personalisation, and the persistence across thousands of targets in parallel, at a cost that keeps falling.
Reconnaissance that never sleeps
Agents can continuously scrape public data, map who reports to whom, learn a company’s tone and vocabulary, and time an approach for the worst possible moment — a finance lead on holiday, a Friday-afternoon invoice, a merger in the news. The result is social engineering that feels uncannily well-informed because, in effect, it is.
Prompt injection turns your own tools against you
As organisations connect AI assistants to email, files, and internal systems, attackers hide instructions inside the content those assistants read — a web page, a document, an inbound message. A vulnerable assistant can be quietly redirected to leak data or take actions on a user’s behalf. The attack surface is no longer just your people; it is the automation you have given them.
What defenders should do now
- Keep a human on consequential decisions. Anything that moves money, grants access, or changes a payee should require independent human confirmation — no matter how convincing the request or how “automated” the workflow.
- Limit what your AI tools can reach. Give assistants the least access they need, and be deliberate about letting them act on untrusted content. An agent that can only read is far safer than one that can also send, pay, or delete.
- Fight scale with scale. Manual review cannot keep up with automated attacks. Use AI-assisted monitoring and detection so your defences operate at the same tempo as the threats.
- Rehearse the failure. Run exercises where the pretext is flawless and the pressure is real. The goal is a team whose instinct is “verify independently,” not “comply quickly.”
Agentic attacks are not science fiction and they are not evenly distributed yet — which is exactly why now is the time to prepare. The defences are not exotic: least privilege, human checkpoints on money and access, and a culture of independent verification. Put them in place before the automated version of the attacker arrives, not after.
Want a clear-eyed look at where AI raises your risk — and a prioritised plan to close the gaps? Start a conversation with Krypsis Guardian.