Your Identity Is the New Attack Surface: Protecting Yourself in the Age of Agentic AI
Until recently, serious identity fraud was expensive. You needed a convincing voice actor, a credible pretext, a team to run the call, and enough research to make the story hold together. That cost filtered the target list: CEOs, CFOs, high-net-worth families, and occasionally a senior accountant who happened to be on someone’s list.
In 2026, none of that is true anymore. Thirty seconds of clean audio, a forty-euro API bill, and an evening with a half-decent model is enough to clone a voice well enough to fool a distracted person on a noisy line. That shift changes the threat model for everyone who runs a business, handles money, or has relatives who do.
Who the new targets actually are
The old mental model — “fraud is a problem for C-levels and politicians” — is wrong in 2026. The economics now favour high-volume, medium-value attacks over the occasional whale.
- SMB owners with signing authority over small-company accounts, where one €12,000 wire sits below fraud detection thresholds.
- Finance clerks and bookkeepers who handle supplier changes, IBAN updates, and payroll files — the ideal choke point for a “we’ve changed banks” attack.
- Family offices, law firms, and notaries where a single misdirected escrow payment funds the rest of the attacker’s month.
- Vendors in supply chains, impersonated to their own customers. If you invoice a hospital group, you are now a credible target because your clients are.
- Older relatives of anyone professionally visible. Your LinkedIn is their attack surface.
If you were sceptical a year ago that any of this applied to you, it’s worth recalibrating.
What the attacks look like now
Four patterns dominate the inbound cases we hear about from clients and peers:
- Voice-clone wire fraud. A “CEO” calls the accountant late on a Friday, mentions a real ongoing deal by name (scraped from a press release or LinkedIn post), and asks for an urgent transfer. The voice is right. The pretext is right. The deadline is artificial.
- AI phishing at scale. Personalised emails written from your real LinkedIn bio, referencing a talk you gave or a repo you starred, with a link to a convincing login page. Spelling mistakes are gone. So is the language gap — Greek, German, and English are all equally fluent.
- Agentic account takeover. An attacker’s agent, not a human, systematically works through the account-recovery flows of dozens of services, combining credentials from old breaches, SMS interception, and helpdesk social engineering until one gives way. Recovery paths are the soft target here: they often bypass whatever second factor protects the normal login.
- Synthetic identity fraud. Entirely fabricated people with AI-generated faces, AI-generated voices, and AI-generated employment histories, used to open accounts, apply for credit, or pass KYC on regulated platforms.
What connects all four is that the marginal cost of one more attempt has collapsed. Defences built around “attackers won’t bother with us” no longer hold.
A concrete seven-step defence plan
None of the following requires a CISO or a six-figure budget. It requires one afternoon of decisions and two weeks of rollout.
- Adopt passkeys or hardware keys for every account that touches money or data. Both are phishing-resistant: the credential is bound to the real site’s domain, so a lookalike login page reached from a well-written phishing email gets nothing usable. Passwords with SMS fallback are finished. A €50 YubiKey per employee is cheaper than one failed wire. Check the account-recovery path at the same time: a backup e-mail, SMS reset, or helpdesk reset that sidesteps the key is the door an attacker’s agent will try next.
- Establish a callback protocol for any payment change. Any request to change an IBAN, a payee, a supplier bank account, or a payroll destination requires a callback on a number already in your records — not the number on the email, not the number the caller gave you. Write this down. Train on it.
- Use a code word for urgent voice requests. Agree a rotating word with your accountant, your spouse, your elderly parent. “Did the cat eat the roses this week?” is absurd, and that is the point: it cannot be guessed from public data. Agree it in person or by voice on a number you already trust, never by email or chat, because an attacker who is already reading your inbox would otherwise know it too.
- Freeze your credit and your children’s credit where legally possible. In most EU jurisdictions this is free. It removes the monetisation path for synthetic identity fraud against you specifically.
- Inventory what is public about you and your company. Executive bios with birth dates, staff pages with direct dial numbers, org charts in pitch decks — each one is a free gift to an attacker. Trim what you can.
- Turn off SMS as a second factor wherever an authenticator or passkey is offered. SIM-swap attacks are cheap, and all they need is one careless or bribed employee at your mobile carrier.
- Practise one drill a quarter. Send a fake CEO-fraud email to your own team. Call your own accountant from an unknown number and ask for something suspicious. Measure the response. Fix what you find.
What “good” looks like
A healthy small company in 2026 looks like this: passkeys everywhere, hardware keys for admins, no SMS 2FA, a written callback rule that every finance person can recite, a code word with the bookkeeper, and a quarterly drill that catches at least one mistake. None of it is exotic. All of it is cheap compared to the alternative.
We help clients put this stack in place — often as part of a broader automation and identity project. If you want a second pair of eyes on your current posture, get in touch. It is a one-hour conversation that tends to pay for itself the first time something suspicious lands in an inbox.