James McGoldrick at Systal explores multichannel threats and describes how businesses can defend themselves
Earlier this month, it was revealed that the UK has seen a 94% year-on-year surge in multichannel cyber-attacks. Cyber-attacked are no longer just about phishing emails, attackers are now combining channels like SMS, voice calls, and social media to increase their chances of success. These attacks represent a huge shift in the threat landscape, one that no business can afford to ignore.
What makes multichannel cyber-crime so troubling for businesses is not just its recent growth, it’s also the sophistication and coordination these attacks can employ. We’re seeing scams evolve from just one-off phishing emails to well-organised campaigns that span email, messaging apps, voice calls, and even video. Imagine receiving an urgent WhatsApp message from your CFO instructing you to pay an invoice, followed minutes later by a convincing voicemail that sounds exactly like them. In that moment, traditional red flags like checking in with the sender can be rendered useless.
Why are multichannel attacks so dangerous?
Multichannel attacks are designed to overwhelm normal business defences by layering multiple forms of communication to build credibility. When a victim receives a realistic voice message making a request made via email or chat, the instruction suddenly feels legitimate. This undermines the basics of most employee security awareness training, which typically advises users to “verify the request” through another channel. But what happens when every channel actually appears to check out?
A typical scenario might involve a finance team member getting a voicemail that says, “Hi, just out of our executive board meeting and we need to urgently pay the invoice I’ve just sent you on email. If we don’t, our business operations could be disrupted going forwards. Please drop everything and make this payment as soon as possible. Thank you.” Moments later, the same employee receives an email with the invoice and a payment link. The urgency, layered delivery, and trusted voice create a highly realistic scam.
Even organisations with well-trained employees are vulnerable. As the goal of these multichannel attacks is to confirm the usual employee checks, this is what makes them so effective and so dangerous.
The role of AI in multichannel threats
The barrier to entry for complex cyber-attacks is falling rapidly, largely thanks to generative AI. Attackers no longer need highly technical skills to orchestrate multichannel scams; they simply need access to AI tools that are able to do the heavy lifting.
Voice cloning technology is a prime example. With just ten minutes of audio, which is often easily found through public speaking events, webinars, or social media, attackers can train AI models to replicate the voice of a company executive. These synthetic voices can then be used in voicemails or live scam calls, instructing staff to take urgent action. The tone and accent which these calls mimic can be uncannily accurate.
But it doesn’t stop there. AI also enables attackers to craft highly realistic phishing emails, fake websites, and social media content with minimal effort. Even commercial AI models can find details about your company’s structure, executive team, and recent activity, allowing attackers to craft personalised narratives that feel authentic.
Previously, such attacks might have taken a threat actor days or weeks. Now, with the help of AI, it can be done in hours.
Are businesses equipped to fight back?
Fortunately, there are ways to counter these threats. While cyber-criminal tactics have grown more sophisticated, many core cyber-security principles still remain, even if they now require a more modernised approach.
One key strategy is layered verification. Relying on a single channel to confirm requests is no longer sufficient. For instance, if a request comes via voicemail, it’s best not to respond directly through that same channel. Instead, call the person back through a known, trusted number to confirm. For sensitive actions like high-value payments, consider implementing a two-person integrity rule, ensuring that no individual can authorise significant transactions alone.
Technical defences also remain a key line of protection. Today’s email and phishing detection tools, when correctly configured and regularly updated, are still highly effective at catching malicious content. With the rise of AI-generated threats, it’s especially important to ensure these systems are able to recognise subtle, synthetic indicators.
Another often-overlooked vulnerability lies in an organisation’s digital footprint. Multichannel attacks frequently begin with information gathered from public sources. Businesses should conduct regular audits of what data is publicly accessible about their leadership teams and departments. Employees should be encouraged to lock down their personal social media profiles and remain mindful of what they share online, as even seemingly innocuous details can be used to craft convincing scams.
Training is also evolving. Traditional security awareness programs must expand to include multichannel threat recognition. Staff should be equipped to identify not only suspicious emails, but also questionable phone calls, WhatsApp messages, or social media direct messages, even when they appear to come from familiar sources. The emphasis should always be on verifying the legitimacy of any request through live, direct communication.
Finally, just as attackers are harnessing AI to enhance their efforts, defenders can do the same. AI-driven security tools are increasingly capable of detecting signs of synthetic content, such as subtle inconsistencies in tone, phrasing, or visual artifacts. These tools can act as a crucial early warning system, flagging threats that may otherwise slip through traditional filters.
Business security going forwards
Multichannel attacks are a clear signal that we’re entering a new phase of cyber-crime, one where attackers mimic trust across platforms to create a seamless and believable experience for their targets. With AI rapidly lowering the skill floor for these kinds of attacks, businesses must act now.
Defending against multichannel cyber-crime isn’t just about better tools, it’s about informed employees, stronger processes, and the willingness to challenge even the most convincing messages. Because in a world where your CFO might not be your CFO, trust must be earned, not just assumed.
James McGoldrick, Head of Security Services at Systal
Main image courtesy of iStockPhoto.com and SmileStudioAP
Click Here For The Original Source.
