AI-Powered Fraud and the Rising Duty of Cyber Vigilance

Synthetic identity fraud differs from traditional phishing or hacking. Instead of stolen credentials alone, attackers blend fragments of real personal or business information with AI-generated content such as: voice clones, realistic identification documents, even fabricated video calls in an effort to increase their appearance of legitimacy.

From a legal perspective, this trend raises questions about contractual duties and standards of care. In many industries, vendors and partners are bound by service agreements to maintain “commercially reasonable” security practices. If an AI-driven attack succeeds because of outdated security practices, a victimized party could allege breach of contract, negligence, or even gross negligence.

As the tools for increased security become more widely available, the bar of what is “commercially reasonable” rises as well. Businesses should expect plaintiffs’ attorneys to increasingly argue that “commercially reasonable” now means adopting more sophisticated security measures such as multi-factor authentication (MFA) biometric verification, real-time behavioral analysis, and out-of-band confirmations for sensitive requests. The harm suffered by businesses that fail to modernize their security practices will include not only monetary damages but also reputational harm and regulatory penalties.

In addition to changes to accepted security practices, the regulatory climate is also shifting. California, New York, and the European Union are each evaluating rules requiring heightened verification for financial transactions, real estate closings, and data access. This changes could affect banks, escrow companies, brokers, and any business handling customer funds or sensitive data. These government requirements will push the commercially reasonable bar yet higher.

In the face of these security challenges, contract review is essential. Businesses should examine limitation-of-liability clauses, indemnification provisions, and data breach response requirements in their agreements. A clause drafted five years ago may be insufficient against today’s AI-enhanced threats, especially if it fails to specify how authentication must be performed before releasing funds, goods, or information.

In addition to legal safeguards, internal training is critical. Just as companies once held fire drills, we now recommend that companies consider conducting “cyber drills,” which involve simulated fraud attempts to test employee responses.

For small businesses, the days of believing their size make them a small target for cyber criminals are over. Fraudsters often view smaller companies as softer targets due to limited IT budgets and lax security practices. However, hope is not lost, affordable tools now exist for voice verification, device fingerprinting, and fraud detection. Incorporating these into business operations can provide both security and bolster a legal defense that “commercially reasonable” security steps were taken to prevent foreseeable harm.

Ultimately, cyber vigilance in 2025 means recognizing that the threat landscape evolves faster than most business plans. The combination of AI-generated deception and human error is potent. Legal counsel, IT teams, and leadership must work together to implement layered protections and keep contractual and compliance frameworks up to date.

If your business hasn’t conducted a fraud-prevention review in the past year, now is the time. The cost of prevention is almost always lower than the price of litigation, regulatory fines, and reputational damage.