UK-wide: A Crisis PR & Communications Overview

AI-Driven Cybercrime: The New Landscape of Crisis Reputation Management

As we move through 2026, corporate and private clients continue to face an increasingly complex and interconnected array of reputational risks. Of all these threats, few are more pressing – or evolving more quickly – than AI-enabled cybercrime.

The far-reaching impact of AI on all forms of cybercrime should not be underestimated. At its core, AI technology adds enormous scale and penetrative strength to “conventional” cyber-attacks, not least ransomware incidents. AI has fundamentally democratised access to cybercrime, making it far quicker and easier to plan and execute sophisticated strikes on organisations and individuals, empowering threat actors and lowering the barrier to entry for any group or actor seeking to act maliciously.

All the while, individuals, corporates, institutions and governments are navigating an increasingly hostile global information landscape in which data, information and content are increasingly open to manipulation and difficult to verify as disinformation becomes more sophisticated. AI technology should be viewed not only as a significant escalation to cybercrime risk in its own right, with obvious legal and commercial consequences, but as a powerful and compounding catalyst for reputational attacks more generally. Hard-earned reputations, goodwill, and stakeholder trust have never been more vulnerable. Senior leaders, PR advisers and legal counsel must be aware of the threats posed.

A new phase of cyber risk

In some respects, the core pillars of cyber risk remain unchanged. Ransomware, data exfiltration and extortion, denial-of-service, fraudulent payments and more have been clear threats for a considerable time. The damage these incidents can cause to enterprise value is well documented, including potentially catastrophic business interruption, financial loss, regulatory sanction, loss of stakeholder trust and reputational harm.

However, the choreography and tactics used in preparing and executing cyber-attacks have evolved and escalated, driven by AI technology. Threat actors are already using agentic AI to coordinate attacks, from identifying potential victims, mapping exposed systems, and detecting vulnerabilities, to gaining access, harvesting credentials, navigating internal environments, locating valuable information, and preparing data for exfiltration.

Meanwhile, groups are exploiting AI tools and platforms as a potential vulnerability in enterprise cybersecurity, by manipulating authorised AI applications with hostile instructions, taking advantage of weaknesses in AI-engineering platforms, and setting up deceptive AI-related services that appear legitimate but are designed to capture confidential information. Each updated model that is released shifts risk profiles, creating new potential areas of vulnerability for companies to be aware of.

Disinformation and multi-layer extortion

Generative AI has now reached a level of sophistication at which compelling, convincing and seemingly plausible content can be developed easily and quickly by virtually anyone. This was not the case even 18 months ago. Given the speed at which the technology is improving, we may reasonably predict that in 12 months’ time, AI-developed content may be truly indistinguishable from authentic fact.

AI’s impersonation abilities significantly enhance the effectiveness of phishing and whaling attacks. False documents and images, voice clones and synthetic video, perfected local language translations and mimicked writing styles can be produced quickly and cheaply. The 2024 Arup Hong Kong incident, in which a finance employee was persuaded to transfer USD25 million after joining what appeared to be a video call with senior colleagues, remains perhaps the highest-profile and most costly example of a successful attack using synthetic media, though there have been other examples of near misses at Ferrari and WPP. The volume and plausibility of such attacks are increasing daily, and the decreasing costs make the targeting of smaller corporates viable for criminal groups.

AI’s impact in facilitating dis- and mal-information smear campaigns is hugely significant generally, and within cybersecurity risk specifically. Ransomware groups are increasingly moving beyond the familiar model of double extortion, whereby a victim’s data is both encrypted and stolen, to attacks involving triple, quadruple or multi-layered extortion. Here, threat actors threaten to publish not only the victim’s authentic exfiltrated data, but also additional false content developed quickly and convincingly by AI, designed to cause maximum reputational damage and often unrelated to the breach; for example, by seeming to reveal senior executive wrongdoing or corporate decision-making that runs counter to the company’s stated brand values. Distributing false but seemingly plausible claims about the scale of the breach, the sensitivity of the data or the company’s response can be used to increase pressure and unsettle stakeholders, to drive the victim into ransom payment negotiations.

Often, the material does not need to be completely fabricated. Some of the most effective smear campaigns deliberately mix facts with insinuation and omission, creating concerns and allegations that are hard to disprove, at least at first. The attacker’s aim is to create credible fear, uncertainty and doubt, not necessarily prove a case. In the early stages of an incident, when facts are incomplete and the organisation is still investigating, the information vacuum is the area of greatest vulnerability to precisely this type of multi-pronged AI-driven disinformation extortion.

Varied targets and motivations

The actors behind these campaigns of course vary in motivation. Criminal groups may use false or distorted claims to increase pressure during extortion negotiations. Meanwhile, nation-state actors may seek to weaken public confidence in institutions, disrupt critical infrastructure, influence political debate or damage companies seen as economically or geopolitically important. The growth of “decline porn” as a new frontier of “rage bait” is one new example of this and speaks to the social and political goals of those responsible. Public sector bodies, including several regional mayoral offices and local councils, are already beginning to grapple with this new form of disinformation – such as with London Mayor Sadiq Khan’s embrace of “Londonmaxxing” to combat online attacks on the city. Competitors, disgruntled former employees, activists, litigants or private individuals may use the same techniques for commercial, personal or ideological reasons, to present companies, institutions or individuals as corrupt or failing.

It is not only corporates and institutions that are at risk. The case of West Midlands teacher Cheryl Bennett is a timely reminder that no one is immune from being victimised by disinformation. Bennett, a teacher from the West Midlands, was helping a Labour candidate with local election canvassing when doorbell footage of her was manipulated to make it appear that she had used a racial slur. The doctored video was subsequently shared on social media by an influencer and political candidate, prompting abuse and threats to her personal safety. While the creator of the deepfake was never identified, Bennett later won the UK’s first legal settlement concerning a political deepfake.

Resilience and readiness

There are a host of steps organisations and individuals should take to ensure they can defend their data privacy, cybersecurity and broader reputations from the risk of AI-powered multi-layered extortion cyber-attacks and disinformation campaigns. Measures range from effective governance and oversight to enterprise-wide training, incident response planning, pre-bunking strategies and effective stakeholder relationship management, plus careful coordination of forensic, legal and PR advisers to respond quickly and ensure false content is disproved clearly and publicly without undue delay.

The incoming Cyber Security and Resilience Bill in the United Kingdom will shift the compliance requirements on companies further. Most fundamentally, and perhaps most pertinent for PR advisers, is the need to acknowledge – from board level down – that information veracity and narrative control are now critical strategic disciplines.