As we close out 2025, the cybersecurity landscape looks nothing like it did just two years ago. The same artificial intelligence tools that are helping businesses automate workflows and improve efficiency have been weaponized by cybercriminals to launch attacks that are faster, more convincing, and devastatingly effective. For small and medium-sized enterprises heading into 2026, understanding these threats isn’t just advisable—it’s essential for survival.

The Scale of the Problem

The numbers paint a stark picture. According to recent industry data, 43% of cyber attacks now target small businesses, and 60% of SMEs that suffer a major breach close their doors within six months. The average cost of a cybersecurity incident for SMBs reached $1.6 million in 2024, up from $1.4 million the previous year. Perhaps most troubling: SMBs are three times more likely to be targeted by cybercriminals than larger enterprises, largely because attackers assume smaller organizations lack the resources for robust defences.

The global cost of cybercrime is projected to soar from $9.22 trillion in 2024 to $13.82 trillion by 2028, with AI-powered attacks driving much of that growth. Over the course of 2025, reported AI-enabled cyber attacks rose by 47% globally, and the total global cost of AI-driven cybercrime exceeded $193 billion.

How AI Has Changed the Attack Landscape

Phishing That Actually Works

Traditional phishing emails were often easy to spot—poor grammar, awkward phrasing, and generic appeals made them obvious to trained employees. AI has eliminated these tells entirely.

Today, 82.6% of phishing emails use AI technology in some form. The results are alarming: AI-generated phishing emails achieve a 54% click-through rate compared to just 12% for traditionally written messages. Research from Harvard found that approximately 60% of recipients fall for AI-generated phishing emails, matching the success rate of attacks crafted by professional social engineers.

The FBI has officially warned that criminals are leveraging AI to orchestrate highly targeted phishing campaigns, producing messages tailored to individual recipients with perfect grammar and contextually appropriate content. FBI Special Agent Robert Tripp noted these tactics can lead to “devastating financial losses, reputational damage, and compromise of sensitive data.”

One study found that AI-powered multi-channel phishing campaigns have a 42% higher success rate than traditional email-only scams. The volume has exploded as well—some metrics show a 1,265% increase in phishing emails since the advent of generative AI tools like ChatGPT.

Business Email Compromise (BEC) attacks remain particularly devastating. The FBI’s Internet Crime Complaint Center reported $2.77 billion in losses due to BEC in 2024 alone, with other estimates placing the figure as high as $6.3 billion. The average loss per BEC incident now exceeds $150,000.

Voice Cloning and Deepfakes: The New Frontier

Perhaps the most unsettling development has been the rise of synthetic voice and video attacks. Modern AI tools can clone a voice using as little as three seconds of clear audio. Voice cloning fraud rose 680% in 2024, and deepfake incidents continued their explosive growth through 2025, with Q1 alone recording 179 separate incidents.

The real-world consequences have been severe:

**The Arup Case**: In early 2024, UK engineering giant Arup lost $25 million after an employee participated in what appeared to be a routine video conference with the company’s CFO and other senior executives. Every person on that call was a deepfake. The employee, believing they were following legitimate instructions, authorized 15 separate transactions to Hong Kong bank accounts. Rob Greig, Arup’s Chief Information Officer, told The Guardian: “What we have seen is that the number and sophistication of these attacks has been rising sharply in recent months.”

**The Ferrari Attempt**: In July 2024, scammers attempted to deceive finance executives at Ferrari using a digital impersonation of CEO Benedetto Vigna. The attack was thwarted, but it demonstrated that even well-known, security-conscious organizations are targets.

**The WPP Attack**: Mark Read, CEO of advertising giant WPP, was targeted by an elaborate deepfake scam that used AI voice cloning and YouTube footage in a fake Microsoft Teams meeting. The attackers attempted to solicit money and personal details from an agency leader. The attack failed, but Read warned staff: “We all need to be vigilant to the techniques that go beyond emails to take advantage of virtual meetings, AI and deepfakes.”

**The Italian Executive Wave**: In early 2025, a coordinated wave of deepfake attacks targeted Italy’s corporate elite, including fashion icon Giorgio Armani and several prominent business executives. Criminals posed as Italian defence minister Guido Crosetto, claiming they needed help freeing journalists detained in the Middle East. At least one victim transferred €1 million to a Hong Kong-based account.

These aren’t isolated incidents. A 2024 Deloitte survey found that more than 1 in 4 executives revealed their organizations had experienced one or more deepfake incidents targeting financial and accounting data, with 50% expecting attacks to increase over the following 12 months.

Accelerated Malware and Vulnerability Discovery

AI doesn’t just help with social engineering—it’s accelerating technical attacks as well. It’s predicted that by 2027, 17% of all cyberattacks will be executed with the help of generative AI. AI-enhanced malware can modify its behaviour to evade detection, analyse network patterns to find optimal attack vectors, and automate the discovery of software vulnerabilities faster than human security teams can patch them.

Ransomware continued to evolve through 2025, with demands having increased by 140% in 2024. The combination of AI-powered phishing (which leads to ransomware 54% of the time) and increasingly sophisticated encryption methods has made ransomware a persistent threat. The average cost per incident now reaches $254,445 for small businesses, with 76% of victims ultimately paying despite recommendations against doing so.

The Confidence Gap

One of the most concerning findings from 2025 research is the disconnect between perceived and actual security posture. While 85% of SMB leaders report feeling confident in their security, only about 30% have implemented basics like multi-factor authentication, and 71% have no endpoint security in place.

A World Economic Forum report found that while 66% of respondents expect AI to impact cybersecurity within the next 12 months, only 37% have processes in place to ensure its safe deployment. Furthermore, only 14% of companies are confident that their teams have the skills to handle AI-enabled cybersecurity threats.

This confidence gap creates dangerous blind spots. New hires, for instance, show a 44% higher phishing click rate during their first 90 days of employment. Employees under tight deadlines are three times more likely to click phishing emails. Senior executives are 23% more likely to fall for AI-personalized attacks.

Practical Defences for 2026

The threat landscape is serious, but SMEs aren’t defenceless. The key is implementing layered security measures that address both technical vulnerabilities and human factors.

Multi-Factor Authentication Everywhere

This remains the single most effective control available. MFA should be deployed on email, financial systems, remote access, and any tools with access to sensitive data. Phishing-resistant MFA such as FIDO2/WebAuthn authenticators (hardware security keys or passkeys) provides stronger protection than SMS-based codes, because the credential is bound to the legitimate site and cannot be replayed by a look-alike login page that has captured a one-time code.

Verification Protocols for Financial Requests

Every organization should establish clear procedures for verifying unusual requests, regardless of who appears to be asking. This includes:

– Pre-agreed code words or phrases for confirming identity before transferring money
– Multi-person authorization requirements for transactions above certain thresholds
– Mandatory callback verification to known numbers for any wire transfer requests
– Never using contact details provided in the request itself
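The four checks in the list above can be written down as one policy evaluation so that no single employee has to remember them under pressure. The following Python is an added example, not part of the original article or any particular organization's procedure; the directory of known contacts, the approval threshold and the code phrase are constructed sample values.

```python
"""Policy check for out-of-band verification of a payment request.

Encodes: callback to a number on file (never the one in the request),
a pre-agreed code phrase, and two independent approvers above a threshold.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample directory: identity -> phone number held in our own records.
KNOWN_CONTACTS = {
    "cfo@example.com": "+44 20 7946 0001",
    "fd@example.com": "+44 20 7946 0002",
}
# Transactions at or above this value need two approvers besides the requester (constructed).
DUAL_APPROVAL_THRESHOLD = 10_000
# Only a hash of the pre-agreed phrase is stored, so this file never holds it in clear.
CODE_PHRASE_HASH = hashlib.sha256(b"blue-heron-42").hexdigest()  # constructed phrase


@dataclass
class PaymentRequest:
    requester: str            # identity the message claims to come from
    amount: float
    beneficiary_account: str
    contact_in_request: str   # phone number the message itself asks staff to call back


@dataclass
class VerificationRecord:
    callback_number: Optional[str]    # number staff actually dialled
    code_phrase_given: Optional[str]  # phrase spoken on that call
    approvers: Set[str] = field(default_factory=set)


def evaluate(req: PaymentRequest, rec: VerificationRecord) -> Tuple[bool, List[str]]:
    """Return (approved, list of unmet controls). Empty list means all controls passed."""
    problems: List[str] = []
    on_file = KNOWN_CONTACTS.get(req.requester)
    if on_file is None:
        problems.append("requester not in directory")

    # Callback must go to the number on file, never to contact details supplied in the request.
    if rec.callback_number is None:
        problems.append("no callback performed")
    elif rec.callback_number == req.contact_in_request or rec.callback_number != on_file:
        problems.append("callback did not use the number on file")

    # Constant-time comparison of the hashed phrase avoids leaking how much of it matched.
    given = (rec.code_phrase_given or "").encode()
    if not hmac.compare_digest(hashlib.sha256(given).hexdigest(), CODE_PHRASE_HASH):
        problems.append("code phrase missing or wrong")

    # Above the threshold, two people other than the (claimed) requester must sign off.
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        independent = {a for a in rec.approvers if a != req.requester}
        if len(independent) < 2:
            problems.append("needs two approvers other than the requester")

    return (not problems, problems)


if __name__ == "__main__":
    req = PaymentRequest("cfo@example.com", 25_000, "CONSTRUCTED-ACCT", "+852 5555 0000")
    # Staff dialled the number in the message and only one person approved: rejected.
    print(evaluate(req, VerificationRecord("+852 5555 0000", "blue-heron-42", {"fd@example.com"})))
```

The deliberate design choice is that the policy rejects on the callback number even when the code phrase is right: a caller who has social-engineered the phrase can still be stopped if staff dial the directory number rather than the one in the message.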

Email Authentication

Deploy SPF, DKIM, and DMARC to prevent email spoofing. SPF publishes which hosts may send mail for your domain, DKIM signs outgoing messages so receivers can detect tampering, and DMARC tells receiving servers what to do with mail that fails both checks and sends you reports on who is sending as your domain. Together these controls make it harder for attackers to impersonate your domain when targeting employees or business partners.
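A quick way to see whether these records actually enforce anything is to parse them and flag the weak settings: a DMARC policy of p=none only reports, an SPF record ending in +all or ~all does not block forged senders, and more than ten DNS-lookup terms breaks SPF evaluation under RFC 7208. The Python below is an added example, not code from the article; the record strings it parses are constructed samples rather than any real domain's DNS.

```python
"""Parse SPF and DMARC TXT records and flag settings that leave a domain spoofable."""
import re
from typing import Dict, List, Optional

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Return the tag=value pairs of a DMARC record, or None if it is not a valid DMARC record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be present and p= is mandatory.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def dmarc_findings(txt: str) -> List[str]:
    """Weaknesses in a DMARC record, as human-readable strings (empty list = enforcing)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["not a valid DMARC record"]
    findings = []
    if tags["p"].lower() == "none":
        findings.append("p=none is monitor-only; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


def _term_name(term: str) -> str:
    """Strip the qualifier and any argument from an SPF term: '-include:x' -> 'include'."""
    bare = re.sub(r"^[+\-~?]", "", term)
    return re.split(r"[:=/]", bare, maxsplit=1)[0].lower()


def spf_findings(txt: str) -> List[str]:
    """Weaknesses in an SPF record (empty list = hard fail for unlisted senders)."""
    if not txt.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = txt.split()[1:]
    findings = []
    lookups = sum(1 for t in terms if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    last = terms[-1] if terms else ""
    if last in ("+all", "all"):
        findings.append("'+all' lets any host send as this domain")
    elif last == "~all":
        findings.append("'~all' is softfail only; rely on DMARC p=quarantine/reject to act on it")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("no terminal 'all' mechanism; unlisted senders get a neutral result")
    return findings


if __name__ == "__main__":
    # Constructed sample records for a domain that has not finished its rollout.
    print(dmarc_findings("v=DMARC1; p=none; pct=50"))
    print(spf_findings("v=spf1 a mx include:_spf.example.net ~all"))
```

In practice the record strings come from a TXT lookup of `_dmarc.<domain>` and of the domain itself; the parsing and grading logic is the same whichever resolver library supplies them.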

Regular Security Awareness Training

Training must evolve to address AI-powered threats specifically. Staff need to understand that perfect grammar and contextually appropriate language no longer indicate a message is legitimate. Training should include deepfake awareness and scenarios involving voice and video impersonation.

Organizations with trained employees see a 30% reduction in successful BEC compromises. The investment in ongoing education pays measurable dividends.

AI-Powered Security Tools

Fighting fire with fire makes sense. Organizations using extensive AI and automation in their security operations save an average of $2.2 million compared to those without these technologies. AI-based endpoint protection can detect behavioural anomalies that signature-based antivirus would miss entirely, including novel fileless attacks and credential theft attempts.

Many security vendors now offer AI-powered assistants for threat detection and response, and managed detection and response (MDR) services make enterprise-grade protection accessible to smaller organizations.

Third-Party Risk Management

With supply chain compromises becoming more common, due diligence on vendors with system access is essential. Security requirements should be included in vendor contracts, and response plans should account for vendor-related breaches.

Incident Response Planning

Having a clear, documented response plan means the difference between a contained incident and a catastrophic breach. Plans should include immediate steps for securing accounts, communication protocols, legal and regulatory notification requirements, and procedures for evidence preservation.

The Investment Calculation for 2026

The arithmetic of cybersecurity investment is straightforward. Basic IT support with consumer antivirus might cost $200-500 per month and provides virtually no protection against modern AI-powered threats. Professional cybersecurity with 24/7 monitoring and incident response typically runs $3,000-8,000 per month but reduces attack success rates by over 90%.

Given that average attack recovery costs exceed $250,000 and 60% of attacked businesses never recover, comprehensive protection represents one of the highest-return investments available to SME owners.

Organizations using proactive cybersecurity measures reduce breach costs by an average of $1.76 million compared to reactive approaches. The investment isn’t just about prevention—it’s about survival.

Looking Ahead to 2026

AI-powered threats are not a future concern—they’ve been today’s reality throughout 2025, and they’ll only intensify in 2026. The technology will continue to become more sophisticated and more accessible to criminals. The barrier to entry for voice cloning has already collapsed, real-time deepfake video calls are approaching the point of being indistinguishable from reality, and AI agents have demonstrated they can outperform elite human red teams in phishing effectiveness.

But the same AI advancement that enables these attacks also powers better defences. The organizations that invest now in modern security tools, ongoing training, and robust verification procedures will be far better positioned to weather the year ahead.

The threats facing SMEs as we enter 2026 are real and growing. They’re not insurmountable. Awareness and preparation remain our best weapons.

*This article draws on 2024-2025 data from the FBI’s Internet Crime Complaint Center, IBM Security’s Cost of Data Breach Report, the World Economic Forum, Verizon’s Data Breach Investigations Report, and verified incident reports from Arup, WPP, Ferrari, and other organizations.*