February 17, 2026

AI-powered scams are hitting NJ businesses. Here is what to watch for

AI has made cybercrime faster and far more convincing. The scams now look real, sound real, and move quickly. For a small or mid-sized business, the question is not if one lands in your inbox, but when. Here is what I am seeing and what actually helps.

A few numbers to set the scene: the FBI's 2025 Internet Crime Report put business email compromise losses over 2.9 billion dollars, much of it now AI-assisted. AI-driven phishing climbed sharply in 2025, and small businesses made up a large share of the targets.

Phishing that looks perfect

Phishing used to be easy to spot: bad grammar, odd phrasing, a sketchy link. That tell is gone. AI now writes clean emails that match your team's tone and branding, and clones a login page down to the pixel. In late 2025 a New Jersey manufacturer lost 180,000 dollars to an email that looked like it came from their CFO, complete with internal project names and the right signature.

Deepfakes that fool your team

A criminal needs only a few minutes of audio, easily pulled from a podcast or a social video, to clone someone's voice. A CEO calls and asks for an urgent wire, and the request sounds exactly right. These attacks skip your technical defenses and go straight at trust, which is the hardest thing to patch.

Ransomware anyone can rent

You no longer need skills to launch an attack. Ransomware-as-a-Service platforms use AI to find weaknesses and tailor the attack, and they rent for a few hundred dollars. That puts serious tools in a lot more hands.

Why small businesses get hit

  • Leaner budgets and smaller IT teams make for an easier target than a big company with a full security team.
  • Most do not have an AI-specific policy or an incident plan yet.
  • You hold customer data, financial records, and intellectual property with fewer protections around them.
  • You can be the way in to a larger client or partner.

Five things to do this week

  • Turn on multi-factor authentication everywhere. It blocks the large majority of automated attacks on its own.
  • Require a voice or in-person check for any unusual money or data request, even one that looks like it came from the boss.
  • Run short security training monthly, not once a year, with current real examples.
  • Set up SPF, DKIM, and DMARC so nobody can spoof your domain.
  • Back up critical data daily, keep a copy offline, and test that it restores.
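
For the SPF, DKIM, and DMARC item above: a record that exists but does not enforce anything still lets spoofed mail through. This added example (not part of the original note) audits SPF and DMARC TXT records you have already looked up and flags the settings that leave the domain spoofable. The records, example.com and example.net are constructed placeholders, and DKIM is not covered because checking it requires your mail provider's selector name.

```python
# Added example: flag SPF and DMARC records that still let mail spoofing your domain through.
# All records are constructed samples; example.com / example.net are placeholders.

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_spf(txt_records):
    """Findings for the TXT records at the domain itself (SPF, RFC 7208)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms and not any(t.startswith("redirect=") for t in terms):
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    findings = []
    for term in all_terms:
        if term in ("all", "+all"):
            findings.append("'+all' authorizes every sender")
        elif term == "?all":
            findings.append("'?all' is neutral and rejects nothing")
    return findings

def audit_dmarc(txt_records):
    """Findings for the TXT records at _dmarc.<domain> (DMARC, RFC 7489)."""
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: monitoring only, failing mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports reach you")
    return findings

WEAK = {"spf": ["v=spf1 include:_spf.example.net ?all"], "dmarc": ["v=DMARC1; p=none"]}
ENFORCED = {"spf": ["v=spf1 include:_spf.example.net -all"],
            "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("enforced", ENFORCED)):
        print(name, audit_spf(recs["spf"]) + audit_dmarc(recs["dmarc"]))
```

An empty list of findings means the record enforces; a soft-fail `~all` is not flagged because an enforcing DMARC policy handles the rejection.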

Firewalls and basic antivirus alone do not stop this anymore. If you want someone to check where your business is exposed and close the gaps, that is what I do for New Jersey businesses.
