Cyber fraud and AI: why offense is the best defense
Most organizations adopt a reactive stance when it comes to cyberthreats. But Tim Zentz, Vice President of CODEX, argues that as AI is increasingly adopted as a tool by online fraudsters, anticipating and countering your attacker’s MO is an ever more vital element of effective defense.
Lottie Owen Jones
Listen to full conversation with Tim now!
To quote the famous Chinese military strategist Sun Tzu in The Art of War, “if you know the enemy and know yourself, you need not fear the result of a hundred battles”. In the eyes of Tim Zentz, never has this been truer than in the world of cyber fraud in 2025.
Tim is Vice President of CODEX (Cyber Offense and Defense Experts), one of four business units at intelligence services company Nightwing, which was itself spun out of Raytheon as a separate company last year. As the name suggests, CODEX takes a 360o approach to addressing online fraud, providing security research and cyber resiliency solutions to both government and commercial customers. For Tim, walking in your attacker’s shoes is a crucial part of ensuring your business is properly protected.
The coming war
Asked why cyber fraud is on the increase, Tim’s response is unequivocal.
“The short answer is I think we're seeing more and more of it because it's working,” he comments.
What’s more, with the benefit of AI, it doesn’t have to work too often to be profitable.
“It's a very easy way for these attackers to launch low-cost attacks,” explains Tim, “even if it's with a moderate chance of a return.”
If the legitimate big tech firms have left behind the ‘move fast and break things’, cybercriminals are happy to take it on – and turbocharge it.
“With AI we're going to see greater scale, and we're going to see greater speed,” says Tim. “These adversaries are going to be able to augment their TTPs – techniques, tactics, and procedures – and they're going to be able to introduce new signatures to either thwart or work their way around detection mechanisms.”
According to Tim, not only will cyberattacks get bigger and move more rapidly, they’ll also be harder to spot.
“Going back to the signature point, they're going to be able to do it with a bunch of different looks. So, they're going to be harder to pinpoint and identify, and to counter. AI is going to add a definite element of additional challenge to this problem.”
Minimize your attack surface
For Tim, the problem with traditional defensive approaches to cybersecurity is that they’re reactive and based on identified threats, rather than on an organization’s specific vulnerabilities.
“You have these network protections, these anti-virus things, all these things that you’ve got to do, but they're not in and of themselves a complete solution,” says Tim.
Think of your typical security software with its regular updates – that’s fine for dealing with known threats, but useless for anticipating what shape the next big cyberattack will take and building resilience against it.
“The number one thing is folks have to work to minimize their attack surface,” says Tim. “Attackers don't fight fair, whether they're using ransomware or some other attack methodology.”
“These adversaries aren't just going to knock on the front door and try and get in. They're going to come through a chimney, a window, you know, they're going to come in through some non-traditional means.”
The dangers of complacency
Ironically, changes in working patterns still lingering from the pandemic mean that organizations are even more vulnerable in this respect.
“In the post-COVID world a lot more people are working remotely, so, it's not like everyone's in a nice, neat little office behind a firewall with their computers plugged into it,” comments Tim. “Your workforce is geographically dispersed – who knows what wi-fi network they're using to gain access to your corporate network, so that attack surface is growing.”
“We meet with a lot of commercial companies and their attitude is ‘we have a CISO, we have a security team, we don't need you’” says Tim. “‘We're compliant with whatever standard we need to be compliant with. We do vulnerability scans. We don't need you to come in and look at our network. The problem is that their adversaries are aware of all those things too.”
The enemy within
Another issue Tim believes traditional defensive security overlooks is the potential for an attack to come – wittingly or unwittingly – from within, whether that be through a malicious employee or via social engineering.
“So many times these companies look at an attacker coming from the outside in, I think we also need to look at the security posture from the inside out,” comments Tim. “Because that introduces new and different vulnerabilities that sometimes these security teams aren't thinking about.”
A pivot in strategy
With these problems in mind, and with AI providing cybercriminals with a cheap and ever more varied toolkit, Tim believes a change in battle plan is needed.
“Just as companies get their financial statements audited to ensure that they're doing things correctly from a financial perspective, we really encourage companies to have their network security or product security audited, if you will, to make sure everything that can be done is being done.”
At the same time, a shift to a more proactive, combative approach is key to addressing the rising AI-driven cyberthreat.
“We’ve got to move to testing our infrastructure and our networks from a posture of ‘is this going to defend against a capable adversary?’” says Tim. “How could someone gain access to the system and then what could they do once they did?”
Explore more
Get the latest from Veriff. Subscribe to our newsletter
Veriff will only use the information you provide to share blog updates.
You can unsubscribe at any time. Read our privacy terms.
