Identity, Decentralized identity and verifiable credentials, Phishing

Identity verification: The front line to workforce security

Futuristic technology using biometric authentication for digital identity verification in a conceptual illustration.

(Adobe Stock)

COMMENTARY: The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element, but this isn't just about individual employees making mistakes. It represents a massive vulnerability that's costing enterprises billions in lost data, fraudulent transactions, and broken consumer trust.

While cybercriminals traditionally focused on breaking through technical defenses, they've now transformed their approach to simply logging in using compromised credentials. They're weaponizing social engineering, phishing, and deepfakes — now supercharged by Generative AI (GenAI) — to exploit human touchpoints across the enterprise at unprecedented scale. Every compromised employee account becomes a gateway to sensitive systems, customer data, and financial assets.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Traditional security infrastructure technology — firewalls, endpoint protection, password policies —wasn't built for this evolution. These systems can't detect when a criminal uses valid credentials obtained through social engineering to access customer records, initiate wire transfers, or exfiltrate intellectual property.

The business impact has been staggering: In 2023 alone, enterprises lost $2.9 billion to business email compromise (BEC) attacks. Major brands saw their stock prices plummet after massive data breaches started with a single phished employee. And the reputational damage from losing customer data has become almost impossible to recover from in an era of eroding digital trust.

For enterprises to protect their assets, customers and reputation, they must implement continuous identity assurance across every business process — from employee onboarding to high-risk transactions.

Why attackers exploit human weakness

Phishing and social-engineering attacks have reached unprecedented sophistication, fueled by generative AI that lets attackers craft, scale, and adaptively tune their campaigns. These tools have changed what was once a manual process, making it easier than ever to exploit human psychology at scale.

The traditional enterprise response has been additive, with organizations layering on more security measures like frequent password resets, multiple authenticator apps, and 2FA requirements. While updating security practices has become crucial, simply adding friction isn't the answer — each new hurdle creates a cascade of challenges without necessarily improving security. Despite more authentication steps, attackers can still socially engineer users, and a determined attacker with sophisticated tools can often convince employees to bypass even complex security measures.

This creates mounting pressure on security and IT teams, which face surging support tickets as users struggle with password resets and locked accounts, growing complexity in managing multiple security platforms and vendors, increased manual review processes, and rising user frustration that often leads to security shortcuts. The ripple effects extend beyond security, impacting employee productivity, and satisfaction, IT resource allocation, business process efficiency, and overall operational costs.

Teams need to implement intelligent identity assurance that can detect and stop impersonation attempts without creating unnecessary friction. Organizations require security measures that scale efficiently, while maintaining user experience and reducing operational burden on IT teams.

GenAI makes social engineering attacks more numerous and more convincing

GenAI has fundamentally changed how cybercriminals execute social engineering campaigns. It's dramatically reduced the time and effort needed to create convincing attacks, while simultaneously making these attacks more effective at deceiving employees. Here are two critical ways GenAI amplifies these threats:

  • Automated phishing at scale: GenAI has transformed phishing from a manual effort into a highly automated operation. Attackers can now instantly generate thousands of context-aware messages that perfectly mirror a company's communication style, internal processes, and executive writing patterns. These are sophisticated campaigns that adapt to an organization's specific language and workflows. When a single convincing message can compromise an employee account and lead to enterprise-wide damage, this ability to rapidly produce and refine attacks represents a serious escalation of risk.
  • Enhanced social engineering: GenAI has made social engineering attacks drastically more convincing through synthetic media. Attackers can now supplement their phishing campaigns with fake video calls where an AI-generated "executive" requests urgent wire transfers, or voicemails that sound exactly like a known vendor asking for system access. These are multi-channel attacks that leverage realistic synthetic voices, photos, and videos to make their social engineering more persuasive. When an employee receives what appears as a video message from their CEO or a voice call from a trusted colleague, it’s possible to deceive even security-trained staff.

    • How to strengthen workforce security

    Protecting the workforce doesn’t have to create more headaches for the team. Companies need to adopt smart, seamless security measures that address vulnerabilities without slowing people down. Targeting critical moments and using adaptive tools can help safeguard systems while keeping employee experiences smooth. Here are a few strategies teams can apply:

    • Integrate automated identity verification into critical workflows: High-risk moments—like onboarding, account recovery, password resets, and privileged events such as accessing sensitive systems—are prime opportunities for attackers. Embedding identity verification directly into these workflows ensures only legitimate users gain access. Look for tools that integrate effortlessly with existing systems to secure operations without adding unnecessary complexity or operational burden to internal teams.
    • Adopt multiple verification methods: Passwords alone aren’t enough to protect an organization. Combine methods like government ID checks, biometric verification (selfies), and database cross-referencing to confirm identities with confidence. To balance security with usability, employ adaptive step-up verification—adding extra checks only when risk signals demand it. This approach keeps friction low for legitimate users while blocking potential attackers.
    • Defend against deepfakes and fraud with behavioral risk analysis: Deploy verification to validate submitted information and corroborate it with observable evidence from behavioral signals and contextual data. Then use advanced link analysis across the workforce to spot suspicious patterns that could indicate coordinated attacks. This layered, intelligent approach stops sophisticated impersonation attempts while keeping the employee experience smooth.
    • Align with security and compliance standards: A company’s security strategy should also align with regulatory requirements like NIST IAL2. Meeting these standards ensures compliance, and also adds another layer of trust and protection against identity-based attacks.

      • Enterprises can protect their workforce and critical systems without creating unnecessary barriers, striking the perfect balance between security and usability.

      Today's criminals use AI-powered social engineering to target the workforce, striking during critical business moments to steal data and drain funds through convincing impersonation attacks.

      Strengthening identity verification means protecting the bottom line. By embedding intelligent verification into important workflows, organizations can stop sophisticated impersonation attempts before they result in costly breaches or fraud, while giving Infosec teams more data and time to stay on top of emerging threats.

      Today, a single successful attack can lead to millions in losses. That's why companies need to implement intelligent identity verification to protect the organization's assets and prevent devastating financial damage.

      Rick Song, chief executive officer, Persona  

      SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

       

      An In-Depth Guide to Identity

      Get essential knowledge and practical strategies to fortify your identity security.

      Related

      Related Events

      Get daily email updates

      SC Media's daily must-read of the most current and pressing daily news

      By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

      Related Terms

      Access MatrixBasic AuthenticationBiometricsCertificate-Based AuthenticationChallenge-Handshake Authentication Protocol (CHAP)Digest AuthenticationDigital CertificateDiscretionary Access Control (DAC)

      You can skip this ad in 5 seconds