Defending against AI-driven cybercrime: practical controls

A practical defense stack for AI-driven cybercrime

Vibe Crime pressures humans to approve sensitive actions quickly and quietly. The most reliable defense is not perfect detection, but a set of controls that make high-risk actions verifiable, auditable, and slow enough to interrupt an automated workflow.

Layer 1: Identity and verification controls

  • Known-channel rule: confirm sensitive requests using a trusted directory entry, not the inbound message.
  • Two-person approval: require a second approver for payments, bank detail changes, privileged access grants, and urgent vendor changes.
  • Shared secrets for leadership requests: a simple phrase or callback protocol that is not stored in inbox threads.

Layer 2: Payment and procurement guardrails

  • Cooling-off window: delay first-time payees and bank change requests when possible.
  • Invoice provenance checks: validate invoice origin, purchase order linkage, and vendor identity consistency.
  • Out-of-band confirmation: require a call to a known vendor number for any payment detail change.

Layer 3: Communication and detection signals

Even when messages look perfect, workflows leave fingerprints. Track patterns like rapid follow-ups, cross-channel pivots, and repeated attempts across multiple staff members.

For signal patterns that work well in practice, see Signals and patterns.
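
The three workflow patterns named above can be checked mechanically once staff reports are collected in one place. The following is an added example, not code from this page: the record layout (time, requester identity, channel, staff member), the thresholds, and the signal names are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune against your own reporting data.
FOLLOW_UP = timedelta(minutes=10)   # gap that counts as a "rapid follow-up"
WINDOW = timedelta(hours=2)         # correlation window for pivots and fan-out
MIN_STAFF = 3                       # distinct recipients that count as "multiple staff"

# Constructed sample records (not real data): time, requester, channel, staff member.
SAMPLE = [
    ("2024-05-06T09:00", "cfo@example.com", "email", "alice"),
    ("2024-05-06T09:04", "cfo@example.com", "email", "alice"),
    ("2024-05-06T09:07", "cfo@example.com", "sms", "alice"),
    ("2024-05-06T09:20", "cfo@example.com", "email", "bob"),
    ("2024-05-06T09:41", "cfo@example.com", "chat", "carol"),
    ("2024-05-06T10:00", "vendor@example.net", "email", "bob"),
    ("2024-05-06T15:30", "vendor@example.net", "email", "bob"),
]

def workflow_signals(records):
    """Return {requester: set of signal names} for the three Layer 3 patterns."""
    by_requester = defaultdict(list)
    for ts, requester, channel, staff in records:
        by_requester[requester].append((datetime.fromisoformat(ts), channel, staff))

    findings = {}
    for requester, events in by_requester.items():
        events.sort()
        signals = set()
        for i, (t0, ch0, staff0) in enumerate(events):
            # Everything this requester sent within WINDOW of this event.
            nearby = [e for e in events[i:] if e[0] - t0 <= WINDOW]
            same_staff = [e for e in nearby[1:] if e[2] == staff0]
            if any(t - t0 <= FOLLOW_UP for t, _, _ in same_staff):
                signals.add("rapid_follow_up")
            if any(ch != ch0 for _, ch, _ in same_staff):
                signals.add("cross_channel_pivot")
            if len({staff for _, _, staff in nearby}) >= MIN_STAFF:
                signals.add("multi_staff_fan_out")
        if signals:
            findings[requester] = signals
    return findings

if __name__ == "__main__":
    for requester, signals in workflow_signals(SAMPLE).items():
        print(requester, sorted(signals))
```

None of the checks reads message content, so they still fire when the wording is flawless; the second requester in the sample, with two same-channel messages hours apart, raises nothing.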

Layer 4: Response hygiene

  • Make reporting easy: a single mailbox and a simple template for staff to forward suspicious contact.
  • Capture the workflow: preserve message headers, timestamps, channel IDs, and screenshots before accounts are cleaned.
  • Train on process, not prose: teach staff the verification steps, not “spot the typo”.
