Kasey Cromer, Netlok | January 15, 2026
The uncomfortable truth about workplace security in 2026 is that the biggest threat probably isn’t some hacker halfway around the world. It’s the 1) employee who already has access to your systems, 2) AI tool someone downloaded without telling IT, or 3) remote worker logging in from a coffee shop with sketchy Wi-Fi. This blog explores these converging threats facing organizations in 2026 and why traditional defenses are failing. The facts are:
| Metric | Finding | Source |
| Security leaders saying risk has never been higher | 72% | Vanta 2025 |
| Average annual cost of insider incidents | $17.4 million | Ponemon 2025 |
| Days to detect and contain insider incident | 81 days | Ponemon 2025 |
| Companies reporting AI powered attacks increased | 50% | Vanta 2025 |
| Organizations with formal AI security policies | Only 44% | Vanta 2025 |
| Organizations reporting physical security breaches | Over 60% | Zona Facta 2025 |
Security folks have been warning about “evolving threats” for years. But 2026 really is different. The reason? AI stopped being experimental. Google Cloud’s Cybersecurity Forecast 2026 puts it bluntly: attackers have “fully embraced AI.” They’re not dabbling anymore. They’re using it to craft perfect phishing emails, generating deepfake videos of executives, and cracking passwords faster than we ever thought possible.
According to Vanta’s State of Trust Report, 72% of security leaders now say risk has never been higher. That’s up from 55% just a year ago. These aren’t people prone to panic. They’re professionals watching the threat landscape shift beneath their feet in real time.
What concerns me most? SecurityWeek predicts that deepfakes have gotten “good enough and cheap enough to convincingly impersonate executives.” Think about what that means. When your CFO gets a video call from the CEO asking for an urgent wire transfer, how do they actually know it’s the real CEO on the other end? The visual and audio cues we’ve relied on for decades to verify identity are becoming meaningless.
Remember shadow IT? Back when employees started using Dropbox and Google Docs without permission because the company tools were too clunky? We’re seeing the exact same pattern with AI now, except the stakes are dramatically higher.
IBM is predicting that there will be “major security incidents where sensitive IP is compromised through shadow AI systems” this year. Here’s what’s happening in practice: employees are feeding proprietary data into ChatGPT and other tools without thinking twice. Marketing is using AI to draft customer communications. Engineering is debugging code with AI assistants. Legal is summarizing contracts. And IT often has absolutely no idea any of it is happening. Each of these interactions potentially exposes company secrets data and other system & company information to systems they don’t control.
But it gets even stranger. Palo Alto Networks warns that AI agents themselves are becoming insider threats. These autonomous systems can access privileged data, operate around the clock, and if misconfigured, cause damage at machine speed. We’re not just worried about rogue employees anymore. We’re worried about rogue algorithms that never sleep and can process thousands of transactions before anyone notices something is wrong.
The Ponemon Institute’s latest research delivers some brutal numbers: inside related incidents cost companies an average of $17.4 million per year. It takes an average of 81 days just to detect and contain these threats. That’s nearly three months of damage accumulating before you even realize something is wrong. And the longer it takes, the worse it gets. Incidents that drag past 90 days cost nearly $19 million per company on average.
Here’s a twist that sounds like something from a spy novel: Security Boulevard reports that real human operatives, not bots or AI, are now getting hired as remote employees. They use stolen identities to pass interviews and background checks, then gain completely legitimate access to company systems. North Korean operatives have already pulled this off at multiple Western companies. Your next security breach might come from someone sitting in your own Slack channels, attending your team meetings, and collecting a paycheck while they exfiltrate your data.
DTEX Systems’ 2026 forecast emphasizes something important: insider risk is no longer confined to malicious employees. It now includes unmanaged AI use, machine identities, agentic systems, and coordinated nation state infiltration. The old categories we used to think about insider threats have basically exploded. The boundary between “inside” and “outside” barely means anything when your attack surface includes every AI tool, every remote connection, and every automated system with access to your network.
By now, nearly 70% of the global workforce works remotely at least part of the time. That means your security perimeter now includes every employee’s home network, their local coffee shop, that hotel Wi-Fi they used on vacation while “just checking email real quick,” and every personal device that’s ever connected to company resources.
Vena Solutions found that 42% of organizations got hit by successful phishing attacks where remote workers were targeted in 2025. And here’s the part that should worry every security leader: only 6% of organizations feel confident they’ve actually covered all their security gaps. That’s a whole lot of hope and not much certainty. Most companies are essentially crossing their fingers and hoping their distributed workforce doesn’t accidentally open the door to attackers.
With all the focus on cyber threats, it’s easy to forget that physical security is still a massive concern. Medical Economics reports that healthcare workers are getting attacked at alarming rates. A staggering 91% of emergency physicians reported being threatened or assaulted in the past year. California’s new SB 553 law now requires most employers to have written workplace violence prevention plans, and other states are following with similar legislation.
According to Zona Facta’s analysis, over 60% of all organizations experienced a physical security breach last year, costing mid-sized companies around $450,000 per incident. Yet only 20% have an updated, documented security strategy. That disconnect between the reality of the risk and the preparedness to handle it is a serious problem that needs attention.
Every security incident I’ve described, whether it’s a hacker, a rogue employee, a deepfake scam, or a nation state operative, eventually comes down to one thing: authentication. Someone got access they shouldn’t have. And our current methods are failing badly.
Passwords get phished, guessed, or cracked by AI in seconds. SMS based two factor authentication are vulnerable to SIM swapping attacks that are easier to pull off than most people realize. Even biometrics have serious problems. You can’t exactly change your fingerprints or retina scan if that data gets compromised. Once it’s stolen, it’s stolen forever.
This is exactly why we built Photolok at Netlok. Instead of passwords or static credentials that can be stolen, Photolok uses photos you select with encrypted codes embedded through steganography. The photos are randomize every session, so there’s no pattern for AI to learn or attackers to exploit. And unlike a password, which requires creating and memorizing something new, or a biometric, where you quickly run out of options, you can swap your Photolok photos in seconds. If you think something might be compromised, just pick new photos and you’re secure again immediately.
We also built in a Duress Photo feature that addresses a scenario most security tools completely ignore. If someone forces you to log in, whether that’s a robbery, coercion, or an emergency situation, you select a designated photo that grants access but silently alerts security and/or IT that something is wrong. The system lets you comply with the threat while simultaneously calling for help. It’s the kind of feature you hope you never need, but you’ll be grateful it exists if you ever do.
In an era where AI, insiders, and remote work all converge on authentication as the weakest link, Photolok gives you a modern control point that attackers can’t easily mimic, phish, or reuse. It’s authentication built for the threats of 2026, not the threats of earlier times.
Here’s what keeps me up at night: being able to catch an insider threat early versus late the impact can be enormous. Ponemon found that incidents resolved within 31 days cost around $10.6 million on average. Let them drag past 90 days and you’re looking at nearly $19 million. That’s not a rounding error. The $10 million loss may well end your career as well.
BlackFog reports that 77% of corporate boards have now discussed the material and financial implications of cybersecurity incidents. That’s up 25 percentage points since 2022. Security failures aren’t just IT problems buried in some technical report anymore. They’re board level governance issues that can tank stock prices and destroy reputations overnight.
Forrester is predicting that 2026 will see agentic AI cause a major public breach. When that happens, and it’s a matter of when not if, every executive is going to be asking their security team if they are prepared and if not, why not.. The organizations that took action early will have answers. The ones that waited will be scrambling to explain why they ignored all the warning signs.
If you’re responsible for security at your organization, here’s where to focus:
The workplace security landscape in 2026 is messy, complicated, and honestly frightening. AI is supercharging attacks in ways we’re only beginning to understand. Insiders, both human and algorithmic, pose risks that traditional security tools weren’t designed to handle. And the permanent shift to hybrid work has expanded what you need to protect far beyond any physical office.
But here’s what I keep telling people: the organizations that act now, rather than waiting for a breach to force their hand, will be the ones that come out ahead. The question isn’t whether you’ll face these threats. It’s whether you’ll be ready when they arrive.
Want to see how Photolok can help protect your organization?
Request Your Personalized Demo
Kasey Cromer is Director of Customer Experience at Netlok.
[1] Google Cloud. “Cybersecurity Forecast 2026.” November 2025. https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2026/
[2] Vanta. “Top 6 AI Security Trends for 2026.” December 2025. https://www.vanta.com/resources/top-ai-security-trends-for-2026
[3] SecurityWeek. “Five Cybersecurity Predictions for 2026.” December 2025. https://www.securityweek.com/five-cybersecurity-predictions-for-2026-identity-ai-and-the-collapse-of-perimeter-thinking/
[4] IBM. “Cybersecurity Trends: Predictions for 2026.” December 2025. https://www.ibm.com/think/news/cybersecurity-trends-predictions-2026
[5] Palo Alto Networks / Harvard Business Review. “6 Cybersecurity Predictions for the AI Economy in 2026.” December 2025. https://hbr.org/sponsored/2025/12/6-cybersecurity-predictions-for-the-ai-economy-in-2026
[6] Ponemon Institute. “2025 Cost of Insider Risks Global Report.” 2025. https://ponemon.dtexsystems.com/
[7] Security Boulevard. “Security Predictions 2026: Insider Risk & Trust.” January 2026. https://securityboulevard.com/2026/01/security-predictions-2026-insider-risk-trust/
[8] DTEX Systems. “2026 Cybersecurity Predictions.” December 2025. https://www.dtexsystems.com/blog/2026-cybersecurity-predictions/
[9] Baarez Technology Solutions. “Cybersecurity for Hybrid Workforces.” April 2025. https://baarez.com/cybersecurity-risks-for-hybrid-workforces-in-2025/
[10] Vena Solutions. “Remote Work Statistics and Trends for 2026.” November 2025. https://www.venasolutions.com/blog/remote-work-statistics
[11] Medical Economics. “Workplace Violence Prevention in 2026.” November 2025. https://www.medicaleconomics.com/view/6-tips-for-strengthening-workplace-violence-prevention-in-2026-and-beyond
[12] Zona Facta. “Reassess Your Workplace Security Strategy Before 2026.” November 2025. https://zonafacta.com/how-to-reassess-your-workplace-security-strategy-before-2026/
[13] Netlok. “How Photolok Works.” 2025. https://netlok.com/how-it-works/
[14] BlackFog. “Enterprise Cybersecurity in 2026.” December 2025. https://www.blackfog.com/enterprise-cybersecurity-2026-strategies-trends/
[15] Forrester. “Predictions 2026: Cybersecurity and Risk.” October 2025. https://www.forrester.com/blogs/predictions-2026-cybersecurity-and-risk/
Kasey Cromer, Netlok | January 5, 2026
Executive Summary
Insider threats now cost an average of $17.4 million annually per enterprise, and 93% of security leaders say these attacks are harder to detect than external breaches. The uncomfortable truth: your most significant security vulnerability isn’t a sophisticated hacker probing your perimeter. It’s the trusted employee, contractor, or compromised credential holder who already has the keys to your kingdom. As AI-powered attacks accelerate and traditional authentication methods fail, organizations must fundamentally rethink how they verify identity at the point of access.
Predictions at a Glance
| Metric | Finding | Source |
| Average annual cost of insider incidents per enterprise | $17.4 million | Ponemon Institute 2025 [1] |
| Organizations experiencing insider incidents in past year | 83% | Cybersecurity Insiders 2024 [2] |
| Security leaders who find insider threats harder to detect than external attacks | 93% | Cybersecurity Insiders 2025 [3] |
| Breaches involving stolen credentials | 22% | Verizon DBIR 2025 [4] |
| Average days to detect and contain an insider incident | 81 days | Ponemon Institute 2025 [1] |
| Cost of incidents taking 91+ days to contain | $18.7 million | Ponemon Institute 2025 [1] |
| Organizations confident in preventing insider threats before damage occurs | 23% | Cybersecurity Insiders 2025 [3] |
The Insider Threat Problem Is Getting Worse
When CrowdStrike, one of the world’s leading cybersecurity firms, announced in November 2025 that it had terminated an employee for sharing internal screenshots with hackers, it sent shockwaves through the industry [5]. If a company whose entire business model revolves around stopping breaches can be compromised from within, what chance does the average enterprise have?
The incident wasn’t isolated. The threat group known as Scattered Lapsus$ Hunters reportedly paid $25,000 for the insider’s cooperation, seeking authentication cookies and access to internal dashboards [6]. The attackers didn’t need zero-day exploits or sophisticated malware. They needed one person with legitimate access willing to provide critical information and look the other way.
This is the new reality of enterprise security. According to the World Economic Forum’s Global Cybersecurity Outlook 2025, identity theft has climbed to the top of the agenda, emerging as the primary cyber risk concern for both CISOs and CEOs [7]. The report notes that 72% of respondents say cyber risks have risen in the past year, with identity theft and credential compromise driving much of that increase.
Why Traditional Security Can’t Stop Insiders
The fundamental challenge with insider threats is deceptively simple: insiders already have authorized access. They know where sensitive data lives. They understand your security controls and their blind spots. Traditional perimeter defenses are useless against someone who legitimately belongs inside the perimeter.
The Verizon 2025 Data Breach Investigations Report underscores this vulnerability. Stolen credentials were the initial access vector in 22% of all breaches analyzed, and a staggering 88% of basic web application attacks involved the use of stolen credentials [4]. Once an attacker logs in with valid credentials, even robust firewalls and VPNs become irrelevant.
The detection gap is equally troubling. The 2025 Cybersecurity Insiders report found that 93% of organizations say insider threats are as difficult or harder to detect than external cyberattacks [3]. Only 21% extensively integrate behavioral indicators such as HR signals, financial stress, and psychosocial context into their detection programs. The result? Organizations are watching shadows while the real danger moves unchecked.
The Three Types of Insider Threats Bypassing Your Defenses
Understanding how insiders bypass security requires recognizing the three distinct threat profiles that enterprises face:
The Negligent Insider represents the most common category. According to Ponemon Institute research, 55% of insider incidents stem from employee negligence [1]. These aren’t malicious actors; they’re frustrated workers circumventing clunky security controls to meet deadlines, sharing passwords for convenience, or falling victim to sophisticated phishing attacks. The 2025 cost of negligent insider per incident reached $8.8 million annually.
The Malicious Insider acts with deliberate intent. The cost per malicious insider incident reached $715,366 in 2025 [8]. These individuals exploit their knowledge of internal systems and security measures to steal data, sabotage operations, or sell access to external threat actors as the CrowdStrike case demonstrated.
The Compromised Insider blurs the line between internal and external threats. This rapidly growing category occurs when an employee’s credentials are stolen through phishing, infostealers, or social engineering. The attacker then operates under the guise of a legitimate, trusted user. Verizon’s DBIR found that 54% of ransomware victims had their company domains appear in stolen credential databases, and 40% had corporate email addresses exposed in those same breaches [4].
AI Is Accelerating the Threat
The artificial intelligence revolution has fundamentally altered the threat calculus. The World Economic Forum reports that nearly 47% of organizations view adversarial advances powered by generative AI as their primary concern [7]. AI-driven deepfake technology allows criminals to impersonate individuals with deceptive accuracy, potentially bypassing verification systems that rely on static credentials or predictable biometric patterns.
The 2025 Cybersecurity Insiders report highlights growing concern about AI-enabled insider risks [3]: 60% of organizations are highly concerned about employees misusing AI tools, and the leading worries include deepfake phishing and social engineering (69%), automated data exfiltration (61%), and AI-assisted credential abuse (53%).
Traditional passwords offer no defense against these evolving attacks. AI password crackers can now breach most passwords in seconds and complex ones in minutes. When combined with social engineering techniques, AI tools can decipher credentials far more quickly than earlier systems, making password-based authentication effectively obsolete against determined adversaries.
The Authentication Failure Point
Every insider threat incident shares a common vulnerability: the authentication layer. Whether credentials are stolen through infostealers, purchased on the dark web, or simply observed over a shoulder, the point of entry remains the same. Once past the login gate, insiders have freedom to operate.
The problem with conventional authentication methods is their predictability. Passwords can be guessed, phished, or cracked. SMS-based multi-factor authentication is vulnerable to SIM swapping. Even biometrics present challenges; once compromised, they cannot be changed. The Verizon DBIR explicitly recommends against SMS one-time passwords for MFA, noting their vulnerability to bypass techniques [4].
MFA bypass has become a sophisticated attack category. Techniques like prompt bombing (flooding users with authentication requests until they accept), adversary-in-the-middle attacks (intercepting MFA prompts in real-time), and token theft are becoming standard tools for threat actors. The DBIR found that these MFA bypass techniques appeared in a significant percentage of breach incidents.
A Different Approach: Authentication Designed for the AI Era
Addressing insider threats requires authentication that operates on fundamentally different principles. These systems must be designed from the ground up to resist both human manipulation and AI-powered attacks.
Photolok, developed by Netlok, represents this new paradigm in enterprise authentication. Rather than relying on static secrets that can be stolen or replicated, Photolok replaces passwords with user-selected photos that contain embedded encrypted codes using steganography. And unlike biometrics or static passwords, users can easily update their photos at any time, making credential reset simple and immediate. This approach addresses the core vulnerabilities that make traditional authentication susceptible to insider compromise.
The system’s UltraSafe AI/ML login protection is particularly relevant in today’s threat environment. Photolok leverages the “Picture-Superiority Effect,” the scientifically proven principle that humans remember images far better than text, with randomizing photos and embedded codes every session [9]. Because login selections are based on unique, personally meaningful photos rather than static data or predictable biometric patterns, AI and machine learning tools cannot identify or learn patterns to exploit. Even with large datasets, attackers cannot brute-force or simulate a user’s photo selection.
For organizations concerned about coerced access, a scenario where an insider is forced to authenticate under duress, Photolok offers a unique Duress Photo feature that functions as a visual silent alarm. When an account owner feels endangered or forced to provide access, they can select their designated duress photo. The system grants access normally while simultaneously alerting security administrators that the account may be compromised and the user may need assistance [10].
The 1-Time Use Photo capability addresses another common insider attack vector: shoulder surfing and observation attacks. In public or office environments where screens may be visible, users can designate photos for single-use authentication, defeating replay attacks and making credential theft through observation ineffective.
Building Resilience Against Insider Threats
Effective insider threat management requires more than technology; it demands a comprehensive approach that combines preventive controls with detective capabilities. The Ponemon Institute research found that organizations with formal insider risk management programs reduced containment time significantly, with 65% reporting their program was the only security strategy that enabled them to pre-empt breaches by detecting insider risk early [1].
Key elements of a resilient insider threat program include:
Authentication that resists credential theft by eliminating static secrets attackers can steal, guess, or crack. Solutions like Photolok that use unique photo selection rather than memorized strings fundamentally change the economics of credential attacks.
Behavioral analytics that correlate cyber, physical, and organizational signals to identify potential threats before they escalate. The 2025 research shows that only 12% of organizations have mature predictive risk assessment models [3], a capability gap that creates significant exposure.
Zero trust principles that verify identity continuously rather than granting persistent access based on a single authentication event. When combined with strong initial authentication, this approach limits the damage any single compromised credential can cause.
The Cost of Inaction
The financial case for addressing insider threats is unambiguous. Organizations that detect insider risk early report significant benefits: reduced containment costs, preserved data integrity, and protected reputational capital. The contrast with delayed detection is stark, incidents taking over 91 days to contain cost an average of $18.7 million, compared to $10.6 million for those resolved within 31 days [1].
Beyond direct costs, insider incidents create cascading effects that damage customer relationships, trigger regulatory scrutiny, and undermine competitive positioning. In an era where digital trust is a strategic asset, organizations cannot afford authentication systems that remain vulnerable to their most predictable attack vector.
Taking Action
The insider threat landscape will continue to intensify as AI capabilities advance and hybrid work models expand the attack surface. Organizations that wait for a breach to force action will pay the highest price in dollars, disruption, customer relations and damage to stakeholder trust.
Forward-looking security leaders are moving now to implement authentication solutions designed for the realities of AI-era threats. By replacing vulnerable password-based systems with UltraSafe authentication like Photolok, enterprises can close the authentication gap that insiders exploit while providing their workforce with a simpler, more intuitive login experience.
The question isn’t whether your organization will face insider threats. It’s whether your authentication infrastructure will stop them.
Ready to strengthen your defense against insider threats?
Request Your Personalized Demo of Photolok
About the Author
Kasey Cromer is Director of Customer Experience at Netlok.
Sources
[1] Ponemon Institute. “2025 Cost of Insider Risks Global Report.” February 2025. https://ponemon.dtexsystems.com/
[2] Cybersecurity Insiders. “2024 Insider Threat Report.” 2024. https://www.cybersecurity-insiders.com/
[3] Cybersecurity Insiders and Cogility. “2025 Insider Risk Report.” November 2025. https://www.cybersecurity-insiders.com/2025-insider-risk-report-the-shift-to-predictive-whole-person-insider-risk-management/
[4] Verizon. “2025 Data Breach Investigations Report.” May 2025. https://www.verizon.com/business/resources/reports/dbir/
[5] TechCrunch. “CrowdStrike fires ‘suspicious insider’ who passed information to hackers.” November 21, 2025. https://techcrunch.com/2025/11/21/crowdstrike-fires-suspicious-insider-who-passed-information-to-hackers/
[6] SecurityWeek. “CrowdStrike Insider Helped Hackers Falsely Claim System Breach.” November 24, 2025. https://www.securityweek.com/crowdstrike-insider-helped-hackers-falsely-claim-system-breach/
[7] World Economic Forum and Accenture. “Global Cybersecurity Outlook 2025.” January 2025. https://www.weforum.org/publications/global-cybersecurity-outlook-2025/
[8] Syteca. “Insider Threat Statistics for 2025: Facts, Reports & Costs.” October 2025. https://www.syteca.com/en/blog/insider-threat-statistics-facts-and-figures
[9] Netlok. “Company Overview.” 2025. https://netlok.com/company-overview/
[10] Netlok. “How Photolok Works.” 2025. https://netlok.com/how-it-works/
Kasey Cromer, Netlok | December 4, 2025
Part 1 (November 14, 2025) took a deeper dive into the deepfake epidemic itself—the $25 million video call scams, the 1,000%+ increase in attacks since 2023, and why human detection capabilities are failing at a 75% rate. We examined why detection alone cannot win this arms race and outlined an enterprise defense framework.
In Part 2 (November 21, 2025) of this series, we examined the staggering scope of AI-powered fraud—a $40 billion crisis by 2027 that is overwhelming enterprise security teams. We explored how generative AI has transformed the fraud landscape, with 93% of financial institutions expressing serious concern about AI-driven fraud acceleration and deepfake incidents surging by 700%.
Now, in this concluding installment, we look ahead to how these same dynamics will reshape authentication between 2026 and 2028—and what security leaders can do today to get ahead of that curve. The threats documented in Parts 1 and 2 are not static; they are accelerating. As we approach 2026, enterprises face a critical turning point where the convergence of advancing AI capabilities and expanding data exposure creates unprecedented authentication challenges. The question is no longer whether to evolve your security posture, but how quickly you can implement defenses designed for the threats of tomorrow. You can’t afford to wait.
The authentication landscape stands at an inflection point. Forrester predicts an agentic AI deployment that will cause a publicly disclosed breach in 2026, while Gartner warns that by 2027. The key point is AI agents will reduce the time to exploit account exposures by 50%. As deepfake technology becomes increasingly accessible and massive data exposures amplify attacker capabilities, traditional authentication methods face obsolescence. This article examines the converging threats shaping 2026 and beyond—and demonstrates why Netlok’s Photolok, with its patented steganography, AI/ML defense, and unique user security features like Duress Photo and 1-Time Use Photo, represents the authentication paradigm shift enterprises require.
The next 12 to 24 months will reshape enterprise cybersecurity in fundamental ways-Leading research firms to issue stark warnings about what lies ahead.
Forrester’s Predictions 2026: Cybersecurity and Risk report forecasts that an agentic AI deployment will cause a publicly disclosed data breach next year, leading to employee dismissals. As organizations rush to build agentic AI workflows, the lack of proper guardrails means autonomous AI agents may sacrifice accuracy for speed—creating systemic vulnerabilities that cascade across enterprises [1].
Gartner’s analysis is equally sobering. By 2027, AI agents will accelerate the time it takes threat actors to hijack exposed accounts by 50%. The firm also predicts that 40% of social engineering attacks will target executives as well as the broader workforce by 2028, with attackers combining social engineering tactics with deepfake audio and video to deceive employees during calls [2]. Perhaps most alarming: by 2028, 25% of enterprise breaches will be traced back to AI agent abuse from both external and malicious internal actors [3].
The World Economic Forum reinforces these concerns, noting that deepfake fraud cases surged 1,740% in North America between 2022 and 2023, with financial losses exceeding $200 million in Q1 2025 alone [4]. Voice cloning now requires just 20-30 seconds of audio, while convincing video deepfakes can be created in 45 minutes using freely available software.
| Prediction | Source |
| Agentic AI will cause a public breach in 2026 | Forrester [1] |
| AI agents will reduce account exploit time by 50% by 2027 | Gartner [2] |
| 30% of enterprises will consider standalone IDV unreliable by 2026 | Gartner [5] |
| 25% of enterprise breaches traced to AI agent abuse by 2028 | Gartner [3] |
| Deepfake fraud projected to surge 162% in 2025 | Pindrop [6] |
The AI fraud threat does not exist in isolation. Its potency is directly amplified by the availability of personal data. When attackers possess comprehensive personal information—names, dates of birth, addresses, Social Security numbers, family relationships—AI-powered fraud becomes exponentially more dangerous and convincing.
Recent events have underscored how data handling practices can dramatically increase this risk. In August 2025, a whistleblower complaint revealed that personal information belonging to more than 300 million Americans had been copied to a cloud environment with reduced security controls. According to reporting from NPR and other outlets, career cybersecurity officials described the situation as “very high risk,” with one internal assessment warning of a potential “catastrophic impact” and noting the possibility of having to reissue Social Security numbers to millions of Americans in the event of a breach [7][8]. The Social Security Administration has stated that it is not aware of any compromise and that data is stored in secure environments with robust safeguards—but the episode underscores how concentrated datasets can amplify identity theft risk if controls fail.
This scenario illustrates a broader concern: as massive datasets containing sensitive personal information become more accessible—whether through breaches, mishandling, or inadequate security—AI-powered attackers gain richer raw material for their schemes. Cybersecurity experts have warned that if bad actors gained access to comprehensive personal information, they could create holistic profiles that enable highly convincing impersonation attacks [9]. The combination of detailed personal data and sophisticated deepfake technology creates what researchers have characterized as a “perfect storm” for identity fraud.
For enterprises, this means authentication systems must assume attackers may already possess significant knowledge about their targets. Traditional knowledge-based authentication—security questions, personal details, even voice recognition—becomes increasingly unreliable when attackers can synthesize convincing responses using AI trained on exposed data.
The fundamental challenge facing enterprises is that authentication methods designed for a pre-AI world are now being systematically dismantled by AI-powered attacks.
Gartner has predicted that by 2026, attacks using AI-generated deepfakes on face biometrics will mean that 30% of enterprises will no longer consider identity verification and authentication solutions reliable in isolation [5]. This represents a seismic shift in enterprise security posture—nearly one-third of organizations abandoning confidence in their existing authentication stack, with direct implications for regulatory exposure, cyber insurance, and board risk oversight.
According to Entrust’s 2026 Identity Fraud Report, deepfakes now account for one in five biometric fraud attempts, with deepfaked selfies increasing by 58% in 2025 and injection attacks surging 40% year-over-year [10]. The report notes that coercion attacks are particularly difficult to detect because victims use their own genuine documents and biometrics—only under pressure or instruction from someone else. The report’s conclusion is blunt: “We’ve crossed a threshold where humans simply can’t rely on their senses anymore.”
The passwordless movement, while representing progress, does not fully address these challenges. A recent CNBC report notes that 92% of CISOs have implemented or are planning passwordless authentication—up from 70% in 2024 [11]. However, many passwordless solutions rely on biometrics that are increasingly vulnerable to deepfake attacks, or on device-based authentication that can be compromised through social engineering.
What enterprises need is not simply “passwordless” authentication, but authentication that is fundamentally resistant to AI-powered attacks—systems where there is no pattern for AI to learn, no biometric to fake, and no knowledge to extract.
Photolok represents a fundamentally different approach to authentication—one designed from the ground up to resist the AI-powered threats that are rendering traditional methods obsolete.
At its core, Photolok is a passwordless authentication solution using patented steganographic photos. Rather than relying on passwords, biometrics, or knowledge-based verification, users authenticate by selecting their coded photos during login. This approach delivers what Netlok describes as “UltraSafe AI/ML login protection” when compared to passwords, passkeys, and biometrics.
Photolok’s AI/ML Defense capability prevents artificial intelligence and machine learning attacks through a simple but powerful principle: randomization. All account photos are randomly placed in photo panels during each login. Because there is no consistent pattern—no predictable sequence or positioning—bots cannot identify which photographs to attack. This randomized, non-predictable login experience deprives agentic AI of the consistent patterns and replayable signals it needs to optimize attacks over time. This fundamentally differs from biometrics (which present a consistent target), passwords (which can be captured or guessed), and behavioral patterns (which can be learned and mimicked).
In an era of sophisticated social engineering and physical coercion attacks, Photolok offers a capability no other authentication system provides: the Duress Photo.
Photolok is the only login method that uses a “visual silent alarm.” When an account owner feels they are in danger or is being forced to provide access to a bad actor, they can activate the Duress Security Alert by selecting their designated Duress photo in the first photo panel. When clicked, an email and text notification are sent immediately to IT security and other designated personnel—all while allowing the user to continue to login to their destination without any disruption that might alert the attacker.
This capability addresses a critical gap in enterprise security. As Entrust notes, coercion attacks are particularly hard to detect because victims use their own documents and biometrics under pressure; a Duress Photo gives those victims a safe, covert signal path that traditional biometrics simply do not offer. For example, if a finance leader is pressured into disclosing confidential information on a video call by a convincing deepfake impersonation, they can silently trigger Duress while “complying” with the request—enabling immediate response from security teams while preventing the authorization of fraudulent transactions.
Photolok is also the only login method that gives users the option of using a temporary photo to prevent shoulder surfing in office or public settings. The 1-Time Use Photo provides enhanced remote security by automatically removing itself from the user’s account after a single use.
If someone is using a camera, screen capture malware, or simply looking over a user’s shoulder, the 1-Time Photo protects the account because it becomes invalid immediately after use. If someone records or screenshares a login session, that 1-Time Use Photo is useless on the next attempt. This feature is particularly valuable for remote workers, traveling executives, and any scenario where login activity might be observed—addressing vulnerabilities that traditional authentication methods cannot mitigate.
Beyond these distinctive capabilities, Photolok incorporates additional security measures, including integration with existing authenticators for access codes, device authorization controls, and patented steganography that embeds encrypted codes within photos—making them highly resistant to external observation and AI analysis. The system also simplifies adoption across diverse user groups, eliminating language and literacy barriers that can limit the effectiveness of text-based authentication.
The World Economic Forum has stated plainly that traditional verification methods are “no longer sufficient” against AI-enabled fraudsters [12]. That aligns with the conclusion from Part 1 of this series: detection alone cannot close the gap against adaptive, AI-enabled adversaries; the underlying authentication factor must change. Global cybercrime now represents a $10.5 trillion industry—larger than the GDP of every country except the United States and China. Deloitte projects AI-enabled fraud losses in the U.S. will reach $40 billion by 2027.
The research is clear: enterprises that delay authentication modernization face mounting risk—in incident costs, regulatory exposure, and erosion of customer trust. As this three-part series has documented, the AI fraud threat is not theoretical—it is present, accelerating, and systematically defeating legacy security measures.
The choice facing enterprise leaders is straightforward: evolve authentication now, implement systems designed for AI-era threats, or become another statistic in the growing tally of successful AI-powered attacks. Photolok’s patented steganography technology, combined with unique security features like Duress Photo and 1-Time Use Photo, offers a proven path forward—authentication that protects against the threats of 2026 and beyond.
Don’t wait for AI-powered fraudsters to target your organization. Discover how Photolok’s patented steganography and AI-resistant authentication can protect your enterprise while improving user experience.
Request Your Personalized Demo
Author: Kasey Cromer is Director of Customer Experience at Netlok.
[1] Predictions 2026: Cybersecurity and Risk — Forrester (October 2025)
[4] Detecting dangerous AI is essential in the deepfake era — World Economic Forum (July 2025)
[6] Deepfake Fraud Could Surge 162% in 2025 — Pindrop (July 2025)
[7] Whistleblower says DOGE put Social Security numbers at risk — NPR (August 2025)
[9] Whistleblower: DOGE Put Millions of Americans’ Data at Risk — TIME (August 2025)
[11] More companies are shifting workers to passwordless authentication — CNBC (November 2025)
[12] AI-driven cybercrime is growing, here’s how to stop it — World Economic Forum (January 2025)
[13] Deepfake Statistics & Trends 2025 — Keepnet Labs (November 2025)
[14] AI-powered fraud is exploding — Cybernews/Entrust (November 2025)
[15] Forrester: Agentic AI-Powered Breach Will Happen in 2026 — Infosecurity Magazine (October 2025)
Kasey Cromer, Netlok | November 21, 2025
Executive Summary
Global cybercrime is now a $10.5 trillion industry — larger than the GDP of every country except the US and China. AI-powered fraud has reached a critical tipping point, with enterprise banks reporting a 70% increase in fraud over the past year and deepfake incidents surging by 700% [1][2][3]. As fraudsters weaponize generative AI to create hyper-realistic deepfakes and sophisticated phishing campaigns, traditional authentication methods are failing catastrophically. This analysis examines how Netlok’s Photolok – using patented photo-based steganography with AI/ML defense capabilities – provides the most effective defense against AI-driven login identity fraud.
The AI Fraud Explosion: A $40 Billion Problem by 2027
The transformation of fraud through artificial intelligence represents one of the most significant security challenges facing enterprises today. According to Deloitte’s latest analysis, GenAI-driven fraud losses in the United States alone could exceed $40 billion by 2027, up from $12 billion in 2023 [4]. This 233% increase demonstrates the exponential threat posed by AI-enabled attacks.
The numbers tell a devastating story:
The Operational Nightmare: When AI Outpaces Human Detection
The surge in AI-powered attacks isn’t just a financial problem—it’s overwhelming fraud prevention teams across industries. A recent Sift report reveals that AI-driven scams rose by 456% between May 2024 and April 2025, with fraudsters crafting convincing scams up to 40% faster using AI tools [9]. This acceleration has overwhelmed traditional fraud prevention systems.
Real-World Devastation: The Deepfake Authentication Crisis
$25 Million Video Call Scam: A company’s finance team member paid out $25 million after participating in a video call where every participant except the victim was a deepfake, including the CFO who gave authorization for the transfer.[13]
Voice Cloning: 3,000% Surge: Banking institutions report deepfake voice attacks on customer service centers increased 3,000% year-over-year, with criminals needing just three seconds of audio to master someone’s voice.[14]
Synthetic Identity: $23B by 2030: AI creates fictitious identities by blending real and fake information, with projected losses of $23 billion by 2030.[15]
Why Traditional Authentication Is Obsolete
Current authentication methods were designed for a pre-AI world and are catastrophically failing against modern threats:
| Authentication Type | Documented Vulnerabilities | Sources |
| Passwords | 49% of all data breaches | [Spacelift] |
| SMS/Email OTP | SIM swapping attacks increased 400% | [7] |
| Voice Biometrics | Voice clones created from 3-second samples; 3,000% increase in attacks | [14] |
| Facial Recognition | Deepfakes increased 700%; bypass liveness detection | [2] |
The Photolok Advantage: Authentication Built for the AI Era
Photolok is a passwordless authentication solution using patented methods using steganographic photos. Rather than relying on passwords or biometrics, Photolok has users authenticate by selecting personal selected coded photos during login.
Key advantages of Photolok include:
The Window Is Closing
With AI fraud tools now accessible to anyone with an internet connection, the question isn’t whether your organization will be targeted—it’s when. The World Economic Forum warns that traditional verification methods are “no longer sufficient” against AI-enabled fraudsters [16].
The choice is stark: evolve authentication now or become another statistic in the $10.5 trillion cybercrime industry. Photolok’s patented steganography technology offers a proven path forward, combining AI/ML defense with operational efficiency and user satisfaction.
Take Action Against AI Fraud
Don’t wait for AI-powered fraudsters to target your organization. Discover how Photolok’s patented steganography and AI-resistant authentication can protect your enterprise while improving user experience.
Request Your Personalized Demo
Author: Kasey Cromer is Director of Customer Experience at Netlok.
Sources
Kasey Cromer, Netlok | November 14, 2025
Executive Summary
A single deepfake video call cost a multinational firm $25 million—and this is just the beginning. AI-driven deepfakes have exploded by over 1,000% since 2023, now fueling sophisticated attacks from executive impersonation to credential theft across every industry vertical.[1][4][22] With deepfake-as-a-service platforms offering custom attacks for under $100 and detection accuracy struggling at just 25%, enterprises face an unprecedented authentication crisis.[3][7] This guide demonstrates why Netlok’s Photolok – using patented steganography photos with AI/ML defense capabilities – offers the most robust defense against AI-powered login identity fraud.
The Deepfake Explosion: Enterprise Impact by the Numbers
The statistics paint a devastating picture of the current threat landscape:
| Threat | Current State | Business Impact |
| Deepfake attack volume | 1,000%+ increase since 2023 [1][4] | Exponential growth overwhelming security teams |
| Enterprise targeting | 73% of Fortune 500 companies attacked [22] | No organization too large to escape |
| Financial damage | $4.2M average loss per attack [2] | Direct bottom-line impact |
| Human detection capability | 75% failure rate [7] | Traditional security training ineffective |
| Executive impersonation | 89% of attacks target C-suite [1] | Enables unauthorized high-value transactions |
Real-World Deepfake Devastation
$25 Million Teams Deepfake: A European energy conglomerate lost $25M when attackers used a real-time deepfake video during a Teams call, perfectly mimicking the CFO to authorize wire transfers.[1][2]
State-Sponsored Infiltration: North Korean hackers used deepfake IDs and video interviews to infiltrate 67 tech companies as remote employees, establishing listening posts for espionage and IP theft.[1][3]
Banking Voice Attacks: 500% Surge: Major banks report AI-generated voices bypassing biometric systems in 31% of tests, with deepfake-enabled account takeovers increasing 500%.[4][20]
Deepfake sophistication has reached a critical threshold. These aren’t grainy videos anymore—they’re real-time, interactive deepfakes that fool seasoned security professionals. Traditional authentication is becoming obsolete as deepfake technology advances. [2][8]
Why Detection Fails: The Technology Arms Race
Modern deepfakes exploit psychological trust factors—familiar faces, expected contexts, and urgent scenarios—making technical detection secondary to social engineering success.[7][8] With deepfake-as-a-service platforms offering custom attacks for under $100, every employee becomes a potential target, overwhelming traditional security teams.[1][3]
Enterprise Defense Framework
Comprehensive Deepfake Defense Stack
| Security Function | Examples of Providers | How It Works | Business Value |
| Prevent Access | Photolok Authentication | Replaces passwords with AI-resistant photos | Stops deepfakes before they enter systems |
| Detect Threats | Reality Defender API | Scans all video/audio in real-time [8][17] | Catches sophisticated deepfakes others miss |
| Train Staff | Breacher.ai Simulations | Monthly deepfake detection drills [10][11] | Reduces social engineering success rates |
| Verify Requests | Direct Verification | Contact person directly through pre-verified method [2][15] | Prevents unauthorized financial transfers |
Examples of Deepfake Detection Training:
Note: These platforms are listed for informational purposes only and do not constitute an endorsement.
Why Passwords Failed—How Photolok Succeeds
Authentication Methods and Known Vulnerabilities:
| Method | Vulnerabilities | Success Rate | Sources |
| Passwords | Phishing, credential stuffing | 49% of breaches | [Spacelift] |
| SMS/Voice OTP | SIM swapping, voice cloning | 400% increase in attacks | [7], [14] |
| Biometrics | Deepfakes, spoofing | 31% bypass rate | [4][20] |
Photolok’s Revolutionary Approach:
The Path Forward
Deepfakes represent a fundamental shift in the threat landscape—rendering traditional authentication obsolete while democratizing sophisticated attacks.[1][3][4] Unfortunately, many organizations still rely on password-based authentication — an approach increasingly outmatched by AI-driven, deepfake-enabled attacks.[7][22] But those embracing photo-based authentication with patented steganography, continuous training, and proactive detection build resilience against even nation-state actors.[1][8] The choice is clear: evolve authentication now or become tomorrow’s breach headline.[4][25]
Ready to Protect Your Enterprise?
See how Photolok can defend your organization against deepfake attacks and AI-powered fraud. Our team will demonstrate how patented steganography and AI-resistant authentication can secure your most critical assets.
Schedule Your Photolok Demo Today
Author: Kasey Cromer is Director of Customer Experience at Netlok.
Resources
Kasey Cromer, Netlok | October 6, 2025
Executive Summary
2025 is setting new records for cyberattacks, with over 16 billion passwords exposed and more than half of data breaches involving personally identifiable information (PII). Given increased regulatory scrutiny, increasing penalties, customer-facing risks, combined with new methods to protect yourself, every digital service user should take proactive steps to protect themselves.[1][2][3]
1. Data Breach by the Numbers
Defining Personally identifiable information (PII): PII is any type of data that can be used to distinguish or trace an individual’s identity by itself or when combined with other information. This includes direct identifiers—like full names, Social Security numbers, passport information, or biometric data (e.g., fingerprints, facial scans), and indirect ones—such as date of birth, race, gender, or place of birth that when combined with other data, can reveal the identity of a person.[4][5][6] Sensitive PII includes information like financial details, medical records, driver license numbers, phone numbers and email addresses, making this data highly valuable to cybercriminals. Protecting PII is crucial to prevent identity theft and unauthorized use.
| Metrics for 2024 | Value | Source |
| Passwords exposed | 16 billion | [1] |
| Global cost per breach | $4.88M | [2] |
| U.S. cost per breach | $9.36M | [7] |
| Breaches exposing PII | 53% | [3] |
| Average cost per PII record | $173-$189 | [3] |
| Regulatory fines (32% of orgs) | $100,000+ | [8] |
| Breach Volume Trends 2021-2025 |
| Data Breaches by Year: |
| 2021: ████████████ 1,100 |
| 2022: ██████████████ 1,400 |
| 2023: ████████████████ 1,700 |
| 2024: █████████████████████ 2,100 |
| 2025 YTD: █████████████████████████ 2,500 |
2. Who Gets Hurt—and How?
Victims of recent breaches recount losing retirement savings, having mortgage applications denied, and enduring relentless phishing and fraud attacks. A Connecticut bank customer saw their information used to open credit cards. Another family faced insurance fraud after health data was leaked. The takeaway, even when attackers don’t steal money immediately, is that exposed personal information often causes financial, emotional, and reputational turmoil for years.[9][10]
“The shift we’re seeing in 2025 is from passive acceptance of breaches to active customer empowerment. New regulations, better insurance options, and innovative authentication technologies are giving consumers real tools to protect themselves—but only if they use them.”
— Industry perspective from leading cybersecurity analysts[2][3]
3. Salesforce as Case Study—But Risks Are Everywhere
The high-profile Salesforce breach, in 2025, impacted thousands of organizations, exposing credentials and customer data through a third-party integration. Yet these methods—phishing, stolen PII, exploiting software integrations—also enable attacks on hospitals, insurers, banks, universities, and government offices across the globe. Every digital user is potentially a target.[11][12][13]
| Attack Vectors by Industry (2025) |
| Industry Breakdown of Data Breaches: |
| Healthcare 35% ███████████████████████████████████ |
| Financial 28% ████████████████████████████ |
| Retail/E-comm 22% ██████████████████████ |
| Government 10% ██████████ |
| Other 5% █████ |
4. Regulation & Insurance: What Changed in 2025
Regulatory Breach Notice Deadlines—At a Glance
| State/Regulation | Deadline |
| NY, CA | Immediate |
| Oklahoma | 48 hours |
| HIPAA (all U.S. healthcare) | Up to 60 days |
5. Emotional & Financial Toll: Human Stories Matter
Exposed PII allows cybercriminals to send customized scam emails, create socially engineered support lines, and commit medical or financial fraud in victims’ names. Victims often spend months, sometimes years, repairing records, refuting fraudulent activity, and regaining lost access. For most simple cases, recovery is possible within weeks to a few months, but for a substantial minority, especially those involving government fraud or major financial harm, the process can extend for 1-2 years or longer. [18]
| Average Recovery Timeline After Breach |
| Timeline to Full Recovery: |
| Day 0 ▓ Breach Detection |
| Days 1-7 ▓▓▓ Notification Period |
| Days 7-30 ▓▓▓▓▓▓▓ Account Security Measures |
| Days 30-90 ▓▓▓▓▓▓▓▓▓▓▓▓▓ Credit Monitoring Setup |
| Months 3-24 ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ Full Recovery Process |
6. What Every Customer Should Do
Within 24 hours of breach notice:
Within 48 hours:
Week 1:
First month:
Ongoing:
7. Why Passwords Are the Problem—and Photolok Is the Solution
Traditional passwords remain the weakest link in cybersecurity, with 88% of web application attacks exploiting stolen credentials.[3] That’s why at Netlok, we’ve developed Photolok—a revolutionary visual authentication system that eliminates passwords entirely.
How Photolok Protects You:
Visual Authentication
Instead of typing passwords that can be stolen, you select encrypted photos from Photolok’s proprietary library and log in to your private account. Hackers can’t use what they can’t steal.
One-Time Use Photos
Each photo can be set for single use, expiring after login. Even if someone sees you authenticate, they can’t reuse that image.
Duress Protection
Select a special “duress photo” to silently alert authorities or trusted contacts if you’re forced to log in under threat—a feature no password can offer.
Easy Setup & Management
Built for Everyone
From tech-savvy professionals to seniors who struggle with passwords, Photolok’s intuitive design makes strong security accessible to all users.
Real-World Impact:
When the recent Salesforce breaches exposed consumer passwords, Photolok users remained protected. You can’t phish a photo that changes with each login.
Ready to move beyond passwords? Learn more about Photolok or Request a Demo to see how visual authentication can protect your accounts today.
8. The Path Forward
Data breaches aren’t slowing down—they’re accelerating. But customers don’t have to be victims. Through vigilance, advocacy, and adoption of advanced authentication solutions like Photolok, every user can take control of their digital security.
Author & Credentials
Kasey Cromer is Director of Customer Experience at Netlok, focused on authentication, incident response, and SaaS security for over a decade.
Resources
Published September 2025. Content reviewed quarterly for accuracy and compliance. Netlok’s Photolok solution is featured as an innovative approach to password-free authentication in the evolving cybersecurity landscape.
Member – Insider GovTech
FOLLOW US ON SOCIAL MEDIA
©2015-2026 Netlok. All rights reserved.