Logo
FrontierNews.ai

Why Schools and Nonprofits Are Becoming Prime Targets for AI-Powered Cyberattacks

Organizations without significant IT budgets, including schools, nonprofits, and community health clinics, face the same sophisticated AI-powered cyberattacks as Fortune 500 companies but lack the resources to defend themselves. The NYU Cybersecurity Clinic, established this summer with support from Craig Newmark Philanthropies, is now addressing this critical gap by helping low-resourced institutions strengthen their defenses against deepfakes, AI-powered fraud, and emerging threats.

The timing is urgent. Recent incidents demonstrate how vulnerable these organizations have become. Canvas, a widely used classroom management platform, was hacked and temporarily shut down during the past academic semester. Meanwhile, Anthropic's AI model Mythos raised concerns about AI's ability to identify security flaws in commonly used software at scale, prompting security experts to warn that the stakes have fundamentally changed.

What Makes AI a Game-Changer for Cybersecurity Threats?

The cybersecurity landscape has shifted dramatically. According to Judith H. Germano, co-director of the NYU Center for Cybersecurity and former chief of the Economic Crimes Unit at the US Attorney's Office for the District of New Jersey, the biggest concern is how quickly AI is outpacing human defensive capabilities.

"AI brings many benefits, but the risks can quickly spiral out of control. Anthropic's AI model is so powerful and fast at not just finding software vulnerabilities but also exploiting them, and leveraging multiple smaller vulnerabilities to create significant harm," said Judith H. Germano.

Judith H. Germano, Co-Director of the NYU Center for Cybersecurity

Germano emphasized that organizations still face two major concerns. First, many have failed to implement basic cybersecurity protections like multi-factor authentication, proper password protocols, and software management. Second, AI is accelerating threats faster than defenses can adapt. To counter these next-generation threats, she noted that organizations need to leverage AI for defense while simultaneously strengthening basic protections, offline backups, and crisis response plans.

How Are Deepfakes Being Used to Target Organizations?

Deepfake social engineering represents a particularly insidious threat because it bypasses traditional security controls entirely. Deepfakes are synthetically altered media, images, videos, or audio created with AI to deceive, and they have become a major vector for fraud and financial crime. In 2024, the engineering firm Arup lost $25.6 million after a finance employee was deceived by a deepfake video conference call impersonating the company's CFO and several colleagues.

The mechanics of these attacks are straightforward and increasingly accessible to criminals. Attackers use open-source intelligence, or OSINT, to harvest publicly available audio and video from LinkedIn profiles, conference recordings, and earnings calls. Modern voice cloning engines require as little as 30 seconds of clean audio to produce a convincing synthetic voice. An executive's voicemail greeting, a single earnings call clip, or a brief LinkedIn video provides sufficient source material.

Once the synthetic media is created, attackers deploy it across multiple channels. According to Verizon's 2026 Data Breach Investigations Report, 62% of confirmed incidents involve a non-malicious human element, meaning deepfake social engineering attacks land directly in the exposure window that technical controls cannot close.

How Widespread Is the Deepfake Problem?

The scale of deepfake proliferation is staggering. An estimated 8 million pieces of synthetic media were circulating online in 2025, up from roughly 500,000 in 2023, representing a growth rate near 900% annually. According to a Gartner survey of 302 cybersecurity leaders in September 2025, 43% of organizations experienced a deepfake attack in the past 12 months, with 67% of attacks targeting voice systems.

For everyday people, the threat is equally real. A McAfee survey found that young adults aged 18 to 24 encounter deepfakes in normal scrolling, and 27% of people surveyed had been hit by an AI voice scam or knew someone who had. The FBI reported $1.4 billion in losses from AI-enabled scams in 2025 alone.

The challenge for security teams is that traditional detection methods no longer work. The visual and auditory cues that once revealed fakes, such as counting fingers or watching for stiff blinking, are mostly gone. As independent generative AI researcher Henry Ajder has noted, the giveaways shift every few months as tools improve, and careful prompting can erase the remaining tells.

Steps to Strengthen Defenses Against AI-Powered Attacks

  • Implement Basic Cybersecurity Hygiene: Deploy multi-factor authentication, disable unused software, enforce strong password protocols, and maintain rigorous cybersecurity practices. These foundational steps remain critical even as threats evolve and are often overlooked by under-resourced organizations.
  • Establish Identity and Access Management Systems: With AI agents capable of multiplying and infiltrating systems with minimal human oversight, organizations must verify not just people but also agents in systems. Strong guardrails and regularly tested human intervention protocols are essential.
  • Create Offline Backups and Crisis Plans: Redundancy and recovery systems, including offline backups and documented crisis response procedures, provide a safety net when attacks succeed despite preventive measures.
  • Map Systems and Identify Vulnerabilities: Conduct comprehensive system mapping to understand where you are most vulnerable and prioritize improvements through an interdisciplinary approach addressing technology, governance, and processes.
  • Provide Cybersecurity Awareness Training: Education and training regarding cybersecurity awareness, governance protocols, and best practices help employees recognize threats like phishing, deepfakes, and social engineering attempts across all communication channels.

The NYU Cybersecurity Clinic plans to address these gaps through workshops, publications, and stakeholder meetings. The clinic will help low-resourced organizations map their systems, identify vulnerabilities, and understand how to improve cybersecurity through an interdisciplinary approach combining technology, legal expertise, and governance strategies.

Germano emphasized that addressing these threats requires both organizational and individual accountability. "Individuals rely on organizations to keep their data safe and their systems operating and working well," she stated. "Organizations, meanwhile, are facing multiple attacks that often are lucrative or otherwise beneficial to bad actors. Since there is a balance of organizational and user accountability, we need to help organizations strengthen their cyber resilience and also better educate users regarding cybersecurity risk and best practices".

Germano

The NYU Cybersecurity Clinic is part of a national consortium of cybersecurity clinics that enables collaboration and information sharing across academic institutions and experts nationwide. This network approach allows the clinic to reach high-risk, low-resourced organizations in government, critical infrastructure, and the community that may have higher risk because of their systems or sensitive data but lack resources to address the ever-changing challenges of cybersecurity.