State-sponsored hacking groups have always been well-funded and patient. Add AI to that mix and the threat profile shifts in a specific, uncomfortable way: the things that used to give attacks away - awkward phrasing, generic lures, obvious translation errors - get fixed.
A security post from the Choosing Victory newsletter lays out practical defensive steps for individuals who might be targets. It's aimed at a wider audience than just enterprise IT teams, which is overdue. Journalists, lawyers, political operatives, activists, executives, and researchers are all plausible targets for state actors, and most of them have no IT department watching their back.
What AI Actually Changes for Attackers
Spearphishing (targeted emails that impersonate someone you know or reference things specific to you) has always been the primary entry point for sophisticated attacks. The limiting factor was the human labor required to research each target. AI removes that bottleneck. A state actor can now ingest your public social media, your published work, your company's website, and your professional network, then generate a convincing message in your native language referencing your specific projects or colleagues - at volume, automatically.
Deepfakes add another layer. Audio and video impersonation have become cheap enough that a fake call from a "colleague" asking you to open a file or approve a transfer is now a realistic attack vector, not a theoretical one.
That's the threat model. The defenses aren't complicated, but most people skip them.
The Practical Steps That Actually Matter
Hardware security keys are the single highest-leverage change most people can make. These are physical USB or NFC devices (YubiKey is the most common brand) that serve as a second factor for logins. Unlike SMS codes or authenticator apps, they can't be phished: the browser binds the key's response to the domain you are actually on, and the key signs a challenge that carries that domain, so a response produced on a lookalike login page is rejected by the real service. If a state actor tricks you into a fake login page, the key won't work - the attack fails regardless of whether you noticed the fake URL.
Passkeys - the newer login standard built into most phones and password managers - work on the same principle and are gradually replacing passwords for major services.
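As an added illustration (not from the Choosing Victory post or any vendor's code), here is a simplified model of the origin binding that makes security keys and passkeys phishing-resistant: the browser stamps the real page origin into the signed data, so even a relay that forwards the genuine challenge from a lookalike domain produces a response the real service rejects. The domain names and credential key are constructed, and an HMAC stands in for the authenticator's per-credential signature.

```python
import hashlib
import hmac
import json

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def authenticator_sign(cred_key: bytes, rp_id: str, client_data_json: bytes) -> dict:
    # Authenticator side: signs SHA-256(rpId) || flags || counter || SHA-256(clientDataJSON).
    # HMAC with a constructed key stands in for the real per-credential ECDSA signature.
    auth_data = rp_id_hash(rp_id) + b"\x01" + (0).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return {"authData": auth_data, "clientDataJSON": client_data_json, "signature": sig}

def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: str) -> dict:
    # Browser side: the origin comes from the page the user is really on; page script
    # cannot override it. The RP ID defaults to that origin's host.
    host = page_origin.split("://", 1)[1]
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return authenticator_sign(cred_key, host, json.dumps(client_data, sort_keys=True).encode())

def rp_verify(cred_key: bytes, rp_id: str, origin: str, challenge: str, a: dict) -> str:
    # Relying-party side: returns "ok" or the name of the first check that fails.
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "type"
    if cd.get("challenge") != challenge:
        return "challenge"
    if cd.get("origin") != origin:
        return "origin"
    if a["authData"][:32] != rp_id_hash(rp_id):
        return "rpIdHash"
    signed = a["authData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, a["signature"]) else "signature"

def login_outcome(page_origin: str) -> str:
    # The real service is https://bank.example. A lookalike site can forward the genuine
    # challenge, but the browser still stamps the lookalike origin into the response.
    cred_key = b"constructed-demo-credential-key"  # constructed, not a real credential
    challenge = "constructed-random-challenge"      # in practice: fresh random bytes per login
    assertion = browser_get_assertion(cred_key, page_origin, challenge)
    return rp_verify(cred_key, "bank.example", "https://bank.example", challenge, assertion)

if __name__ == "__main__":
    print(login_outcome("https://bank.example"))      # ok
    print(login_outcome("https://bank-example.com"))  # origin
```

The same mechanism is why an SMS code or a six-digit authenticator code offers no such protection: nothing in those codes encodes which site the user typed them into.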
Compartmentalization matters more than most people realize. Keeping sensitive communications, financial accounts, and work tools on separate devices or profiles limits how much an attacker can access after a single compromise. It's inconvenient. It's also the difference between one account getting drained and everything getting drained.
AI-generated phishing messages will look more credible than what you're used to seeing. The mental filter most people use - "this email is probably fake because the grammar is off" - is now unreliable. Assume any unexpected request involving credentials, payments, or file downloads is suspicious regardless of how polished it looks. Verify through a separate channel before acting.
End-to-end encrypted messaging (Signal is the standard recommendation) prevents communications from being readable even if intercepted. Regular SMS and most email are not encrypted in transit in any meaningful sense.
Software updates remain unglamorous but essential. The vast majority of successful attacks exploit vulnerabilities that have already been patched - attackers count on users not updating.
None of this is exotic. The gap between knowing these steps and actually doing them is mostly friction, not knowledge. The choosingvictory.com post is worth reading in full if you're in a profession that makes you a plausible state actor target - or if you just want to stop being the easiest mark in the room.