Deepfakes, DMs, and Deception: Dune Security on Human Cyber Risk
Dune Security’s CEO and SHI’s field CISO discuss how AI, multi-channel attacks, and user risk are transforming cybersecurity and how to adapt defenses effectively.


On this episode of SHI’s Research Breakdown, Dune Security CEO David DellaPelle and SHI’s field CISO Brad Bowers dive into key findings from Dune’s 2025 Insider Threat Intelligence Report, exploring how large organizations can stay ahead of the rapidly evolving cyber threat landscape. They discuss how modern attackers, leveraging AI-driven spear phishing, multi-channel tactics, and off-channel social engineering, are increasingly targeting the user layer with precision and sophistication. David and Brad share critical insights on how organizations can proactively address these evolving threats by quantifying user risk in real time and implementing tailored defense strategies that reduce exposure and protect against the most advanced tactics currently in play.
Victoria Barber: Welcome to SHI's Research Breakdown, where we turn complex research into quick conversations that matter to your business. Today's conversation draws on Dune's Inside Access research report, "CISOs on the Emerging Threats Redefining Human Cyber Risk," which featured in the October 17th issue of the Research Roundup LinkedIn newsletter.
For this report, Dune surveyed CISOs and analyzed data from hundreds of thousands of user simulations to identify compelling data points highlighting how underprepared organizations are for the increasing volume and sophistication of AI-enabled social engineering attacks. The authors also provide analysis, insights, and advice in this comprehensive 38-page report.
I'm Victoria Barber, Head of the Strategic Insights function here at SHI, and once again, I have my field CISO colleague, Brad Bowers, with me. Today, we're joined by David DellaPelle, CEO of Dune Security, to discuss how phishing has evolved faster than awareness training.
Victoria Barber: So, David, can you give us some examples of how social engineering attacks are changing, and what does this mean for enterprise defense?
David DellaPelle: Yeah, Victoria, thank you for having me. At a high level, it’s important to zoom out a bit. We've had many technological revolutions over time, really starting from the industrial revolution. But this one feels different. AI is moving at an incredibly fast pace. The technology is evolving so rapidly that CISOs are struggling to keep up and figure out how to defend against these new types of threats.
Let’s dive deeper and answer your question more directly. How are social engineering attacks changing? The first thing to think about is the old-school form of phishing. Previously, a phishing message would be sent to thousands of employees, often the same message to a variety of employees at once. But now, with the help of AI, attackers can gather open-source intelligence data and send thousands of highly specific, personalized messages to every employee in the company. We call this AI-powered spear phishing.
What our data shows is that AI spear phishing is three times more likely to drive interaction and failure on the part of the employee than traditional phishing. And phishing remains the top concern for 85% of CISOs. Organizations focus heavily on email security, but phishing has really modernized. It’s no longer about "spray and pray." Now it’s highly targeted, hyper-personalized at scale. Phishing is still prevalent, but it’s not the only threat we’re seeing. We’re now dealing with multi-channel, omni-channel attacks—deepfake voice cloning, vishing through the phone, deepfake video, and even attacks that occur out of band, through encrypted channels like WhatsApp and Signal.
Brad Bowers: Dave, you mentioned multi-channel threats. Can you give us more details on the vehicles that threat actors are using and the impact this has had on phishing overall?
David DellaPelle: Yeah, great question. Think back 10 years ago. When an attacker tried to break into a company, they’d use social engineering, primarily sending phishing messages to every employee. That’s changed. Today, attackers use a hybrid approach. They can send an AI-generated, hyper-specific spear phishing message while also reaching out through Slack, WhatsApp, or even voice calls, with video messages—maybe even impersonating someone like their boss.
These are hybrid attacks, which we consider the most sophisticated type of attack today. They’re typically used to target high-value employees, like executives. What’s concerning is that 0% of CISOs are actively defending against social engineering on encrypted or informal apps like Slack, Teams, WhatsApp, or Signal, despite 64% acknowledging they’ve been attacked on those platforms. There’s a huge imbalance, and it’s becoming much easier for attackers to launch these hybrid attacks. Organizations need to start defending against them.
Brad Bowers: Why do you think this has become less of a focus for CISOs?
David DellaPelle: I think, in part, it’s because technology hasn’t caught up yet to provide enterprise-level visibility into these solutions. WhatsApp, for example, has 200 million businesses using it, so it’s clearly being used for corporate purposes. However, CISOs are focusing on other areas or assuming that their existing training and awareness programs will mitigate this risk. Perhaps they’re moving towards passwordless authentication or other measures, thinking these will address the issue.
Brad Bowers: So you think it's partly a cultural issue, with CISOs not viewing these out-of-band channels as part of their domain?
David DellaPelle: Yes, that’s one part. CISOs may view things happening on personal phones as outside of the scope of corporate security, not considering them within the "approved" communication channels. The second issue is tooling. There isn’t good technology for red-teaming or testing these encrypted channels and quantifying the risks. And the third issue is that some CISOs have so many priorities that they can only focus on the top five issues. It often takes a breach or event before they recognize the importance of securing encrypted channels.
Victoria Barber: So, looking forward, how do you see awareness training and phishing protection evolving?
David DellaPelle: When we surveyed enterprise CISOs, we found that only 12% believe their current security awareness training program is effective. Only 26% rated their insider threat readiness as high. We also found that 30% of employees went all the way down the kill chain when faced with AI-powered spear phishing.
In terms of user risk, we’ve identified three main buckets: 75% of employees are low-risk, 20% are moderate-risk, and 5% are high-risk. Moderate-risk employees may just need basic compliance training. For moderate-risk employees, we apply user-adaptive training and testing, which continuously measures improvement. For high-risk users, we restrict access, either through user risk scoring, MFA step-ups, or graduated authentication, to reduce their access to sensitive data.
Brad Bowers: David, you mentioned insider threats, which are becoming a bigger part of these targeted attacks, especially on executives. What are you seeing in terms of nation-state actors, like North Korea, using AI and deepfakes to target organizations?
David DellaPelle: This is a concerning threat. We’re seeing more cases of nation-state actors, such as North Korean spies, applying for remote IT jobs at American companies to gain access. They use AI to create deepfake Zoom calls or to answer interview questions, making themselves appear legitimate. The attackers may even gain access to company laptops, tunnel in remotely, and collect sensitive information. This is a growing concern for Fortune 1000 companies and their CISOs.
Brad Bowers: It’s clear that cybercrime is becoming a highly organized industry, and it’s only going to continue growing. How can industry professionals collaborate to better fight this?
David DellaPelle: Collaboration is key. While business competitors might be hesitant to share information, CISOs tend to collaborate more. Sharing data, best practices, and insights can only make us stronger. We’ve seen more integration between security manufacturers like Dune Security and major players in the firewall and endpoint sectors, where they agree on common taxonomies for events and severity. This collective collaboration is essential in strengthening our defense against these increasingly sophisticated attacks.
Victoria Barber: Thank you both for joining us today. This has been another insightful discussion. I highly encourage our listeners to read the full Inside Access findings for deeper insights into user-layer defense. There’s so much to unpack, and these findings can help spark important internal conversations and actions within your organizations.
Thank you to our listeners as well. You can find more episodes of the Research Breakdown wherever you get your podcasts, and you can sign up for the Research Roundup on SHI's LinkedIn page. SHI Media. You heard it here.
Key Takeaways
- AI Spear Phishing Drives Greater User Interaction Than Traditional Phishing: AI-powered spear phishing, which leverages open-source intelligence to create hyper-targeted, personalized messages, is three times more likely to drive user interaction and result in a breach compared to traditional phishing tactics.
- Threat Actors Are Targeting the User Layer with Increasing Precision: Attackers, including cybercriminals and nation-state actors, are increasingly using AI-driven tactics to exploit human behavior. These attackers manipulate trust with hyper-personalized, multi-channel strategies, bypassing technical defenses to target the user layer for access to sensitive information and systems.
- Social Engineering Attacks Are Evolving to Multi-Channel and Hybrid Approaches: Attackers are now using multi-channel, omni-channel strategies, combining AI-generated emails with voice cloning, deepfake videos, and messages sent through encrypted platforms like WhatsApp, Signal, and Slack, making defense more complex and multi-faceted.
- Off-Channel Attacks Are Major Blind Spots for Security: While 64% of CISOs acknowledge attacks on encrypted and informal apps like WhatsApp, Signal, and Slack, virtually no organizations are actively defending against social engineering on encrypted platforms, and few are addressing risks on informal channels, exposing a significant gap in enterprise defense.
- Targeted Remediations Are Key to Defense: About 75% of employees are low-risk and only need basic compliance training, while 20% are moderate-risk and require targeted improvements. The remaining 5% are high-risk and may need access restrictions or additional interventions. Dune Security’s platform pinpoints individual user risk, enabling security teams to focus on high-risk users and streamline efforts for low-risk employees, ensuring efficient and proactive defense.