A new report published later today makes alarming reading. As Microsoft, Google and others warn of the intensifying threat from account takeovers and multi-channel AI attacks, here’s an even more worrying statistic. It turns out that tech vulnerabilities are not the biggest threat today. The biggest threat is actually you.
The report is from KnowBe4, which warns that 96% of organizations now “struggle to secure the human element,” that 2025 has seen a 90% “increase in incidents relating to the human element,” and that while 57% of incidents relate to email — Outlook and Gmail accounts draw 90% of all attacks, messaging apps are catching up fast.
This nightmare is fueled by AI, of course. There are no more easy red flags. Attackers present as coming from within your own organization or even as people you know. AI is now on both sides of the coin,” KnowBe4 CEO Bryan Palma told me. “It helps bad guys move faster, but also gives them new ways to scale and personalize their attacks.”
Keep watching your emails and you’ll miss that a phone call or Teams post or Slack message or text is fake. “Deepfake audio is now so good that vishing calls can convincingly sound like your CEO or CFO. It has already led to financial fraud and data loss because it is targeted, it is convincing, and most organizations are not prepared.”
Google came out this week and acknowledged the uncontrollable nature of agentic AI when it comes to this new threat landscape. KnowBe4 goes further. “2026 is the year that long-discussed threats show up in the real world,” Palma says. “The entry bar is no longer ‘who knows how to code’, it is ‘who knows how to ask’.”
This has been the warning for a while, but now it’s a nightmare fast coming true. AI can build a fake website with perfect copy and imagery. It can use social media to ape personas. It can design and even execute a phishing attack. This isn’t the preserve of hackers anymore. This is just a criminal mindset where everything is possible.
This threat is most acute when it comes to attacking enterprises. Where you’re the weak link, the initial entry point to a data breach or — worse — a ransomware attack. KnowBe4 says “’asking’ employees for their credentials still proves more effective than cracking passwords or finding them online from other breaches.” And AI asks at scale.
“Today, these agents are being given powerful permissions: writing and deploying code, managing cloud resources, and talking directly to production systems. It makes them incredibly attractive targets.” Palma warns “traditional security tools, which are tuned to catch unusual human behavior, will miss it. When this happens, it will force a hard reset in how the industry thinks about agent governance: Who’s watching the agents?”
KnowBe4 says email attacks still lead the pack, accounting for 57% of incidents. Where attacks come from outside an organization, that’s an even higher 64%. But that will change. Social media and messaging apps are growing faster. And while we’re all guarded when it comes to scam texts, we’re not when it comes to scam Teams chats and Slack messages that seem to come from inside our own enterprise.
“With messaging threats catching up fast,” Palma says, “the biggest driver is account takeover. Once an attacker controls a real Teams, Slack, or email identity, they don’t need to ‘spoof’ anything. Every message, file, or link comes from a trusted source. It is the perfect delivery system for AI-generated malware, deepfake-enabled vishing, or carefully crafted social engineering.”
Again, red flags of old don’t count anymore. “We’ve spent decades training people to scrutinize email headers and suspicious links, but very few employees are trained to question a message coming from their boss in Slack asking for a ‘quick favor’, or from a compromised AI agent responsible for distributing tickets or approving expenses.”
KnowBe4 warns AI is an “uncontrolled threat vector.” It means attacks can come from anyone, anywhere. The bar is now so low as to be irrelevant. “Defenders can no longer comfort themselves and think ‘only the most sophisticated actors can do this’. With AI in the mix, you have to assume almost anyone can.”
