AI won’t invent brand-new categories of cybercrime so much as industrialise the old ones: phishing, ransomware, fraud, intrusion and data theft — at higher volume, with better targeting, and lower skill needed to run campaigns. That’s the core message running through the UK’s own threat assessments: attackers are already using AI to enhance tactics, techniques and procedures — increasing efficiency, effectiveness and frequency.
Below is a realistic UK-focused forecast for the next five years, based on the NCSC’s near-term assessments and Annual Review, plus fraud trends from UK Finance.
The baseline: what’s already true (and will shape the next five years)
AI makes cybercrime cheaper and more scalable
The NCSC assessment of AI’s impact stresses near-term shifts in effectiveness over the next two years, and its 2025 “to 2027” work warns that organisations unable to defend against AI-enabled threats face greater risk.
Ransomware remains acute — and the ecosystem adapts
The NCSC Annual Review 2025 describes ransomware as one of the most acute and pervasive threats to UK organisations, noting the ecosystem’s resilience and diversification even after major disruptions to prominent groups.
Fraud is adaptive, and banks are often the “last line of defence”
UK Finance’s Annual Fraud Report emphasises that criminals change tactics when one vulnerability is closed, and that many scams occur upstream (online or phone) before banks can intervene.
2026–2027: “Automation everywhere” (the near-term surge)
1) Spear-phishing becomes semi-automated, persistent and personal
Expect more campaigns that look hand-written: perfect grammar, correct context, and convincing follow-ups — because LLMs can produce tailored messages at scale. The NCSC notes AI-enabled social engineering and fully automated spear-phishing techniques have been observed by security researchers in recent periods.
UK reality check: invoice fraud, “HMRC-style” lures, supplier payment diversion and CEO impersonation attempts rise, especially against SMEs with thin finance controls.
2) AI-assisted vulnerability research accelerates break-in speed
The NCSC Annual Review flags AI-assisted vulnerability research and exploit development as a likely significant near-term development.
That points to a shorter window between “bug found” and “bug exploited”, especially in widely used software and misconfigured cloud services.Advertisement
3) Deepfake voice and synthetic identity fraud grows legs
The NCSC has explicitly warned that generative AI is already being used to impersonate, clone and deceive people and systems.
This maps neatly onto UK fraud patterns: more scams will move to voice notes, calls, and “urgent verification” requests because that’s where humans are weakest.
2028: The “attack surface expands” phase
1) More attacks through suppliers, MSPs and shared platforms
As UK firms standardise on the same productivity tools, security stacks, cloud services and outsourced IT, attackers will keep chasing “one-to-many” compromises (one supplier breach, many downstream victims). The NCSC’s view of cyber resilience challenges includes managing an expanded attack surface and coping with increased volume.
2) Attacks start targeting AI systems directly (not just using AI)
By 2028 you should assume a routine playbook against AI-enabled organisations, including:
- prompt injection to manipulate outputs in customer service and internal tools
- data poisoning (corrupting training or retrieval data)
- model and system theft (stealing prompts, weights, embeddings, or sensitive context)
These techniques won’t replace ransomware — they’ll sit alongside it as “new doors” into real money and real data.
3) Ransomware becomes more “service-like”
Ransomware-as-a-Service already lowers entry barriers; AI makes customer acquisition (victim selection), initial access and negotiation more efficient. NCSC describes diversification and resilience in the ransomware ecosystem; expect it to behave increasingly like a professional service market.
2029–2030: The “trust crisis” phase (where the damage feels societal)
1) High-volume deception becomes normal
By the end of the decade, a bigger share of UK organisations will treat “proof of identity” as a security control, not a courtesy. Deepfake-enabled fraud attempts are likely to be common enough that policies change: call-backs, code words, secure approvals, verified channels only.
2) Critical services feel the strain of persistent AI-enabled harassment
The NCSC “to 2027” assessment explicitly warns about risks across critical systems and the economy and society.
Extrapolating forward: even when attacks don’t cause catastrophic outages, the operational drag (incident response, patching, fraud handling, insurance costs, staff burnout) becomes a constant tax on UK productivity.
3) Regulation and liability tighten around preventable failures
Fraud reimbursement rules and public pressure already push accountability down the chain. UK Finance argues tactical fixes just move criminals elsewhere — which is a polite way of saying: expect a stronger, coordinated push on telcos, platforms, ID verification and scam disruption, not just banks.
What will not happen (despite the hype)
AI won’t make every attacker a super-hacker
The NCSC’s framing is that AI mostly enhances existing methods, rather than creating entirely novel attacks.
So the biggest risk is not Hollywood cyber-magic — it’s more of the same, delivered better.
Practical “UK business” checklist for the next five years
If you do only 6 things
- MFA everywhere (especially email, admin panels, finance tools)
- Payment controls: dual approval + call-back verification for bank detail changes
- Backups that actually restore (test them)
- Patch discipline (prioritise internet-facing systems)
- Supplier checks (MSPs, payroll, booking systems, CRMs)
- Staff drills for AI-quality phishing and voice scams
For data and AI deployments, align with the UK GDPR approach to AI processing and transparency expectations highlighted in the ICO’s AI guidance (noting it’s under review following the Data (Use and Access) Act).
Source links and further reading (live links)
UK Government / NCSC
- https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027
- https://www.ncsc.gov.uk/news/ai-to-2027-threat-assessment
- https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat
- https://www.ncsc.gov.uk/collection/ncsc-annual-review-2025
- https://www.ncsc.gov.uk/blog-post/preserving-integrity-in-age-generative-ai
UK fraud landscape
- https://www.ukfinance.org.uk/system/files/2025-05/UK%20Finance%20Annual%20Fraud%20report%202025.pdf
- https://www.ukfinance.org.uk/news-and-insight/press-release/over-ps600-million-stolen-fraudsters-in-first-half-2025
Data protection and AI
We have created Professional High Quality Downloadable PDF’s at great prices specifically for Small and Medium UK Businesses our main website. Which include various helpful Cyber related documents and real world scenarios your business might experience, showing what to do and how to protect your business. Find them here.
