Sequentur Blog


How cybercriminals are using AI to attack small businesses


For most of the last decade, the thing that protected a small business from serious cybercrime was not its security stack. It was economics. Crafting a convincing, targeted attack took an attacker real hours – researching the company, writing in fluent English, building a believable pretext, maintaining a conversation. That labor cost meant attackers concentrated on large targets where the payoff justified the effort. A 25-person business was usually too small to be worth a human attacker’s individual attention, so it caught only the cheap, mass-produced attacks that were easy to spot.

AI has removed that protection. The research, the writing, the translation, the impersonation, the reconnaissance – the expensive parts of a targeted attack – are now fast and nearly free. An attacker can run against a small business the kind of customized campaign that used to be reserved for an enterprise, at a fraction of the cost, and run it against hundreds of small businesses at once. The result is not a new category of attack. It is the same attacks – phishing, business email compromise, fraud, intrusion – delivered faster, cleaner, more personalized, and at a scale that makes “we are too small to be a target” no longer true.

This article is the attacker-side companion to the rest of the AI cluster. The AI security risks overview catalogs the risks; this piece goes inside the attacker’s workflow – how a criminal actually uses AI at each stage of an attack, why the economics changed, why traditional security awareness training is losing effectiveness against it, and what the defense side looks like. It is written for SMB owners, operations managers, and in-house IT generalists who need to understand the threat well enough to make sensible decisions about where to spend defensive effort.

Short answer

Cybercriminals use AI the same way legitimate businesses do: to work faster, scale further, and lower the cost of skilled labor. For attackers, that means phishing emails with no grammar mistakes and real personalization, business email compromise built from AI-summarized reconnaissance of a hacked inbox, malware variants generated faster than signatures can catch them, automated scanning that finds an exposed system within hours of a vulnerability being published, and voice and video impersonation cheap enough to use against a 20-person company. The most important shift is economic, not technical: AI collapses the cost of a targeted, customized attack, which means small businesses that were previously too small to be worth individual attention are now economically viable targets. The defenses have not been rewritten – MFA, patching, payment verification, email filtering, and offline backups all still work – but the single defense that AI has genuinely weakened is the old “spot the bad grammar” style of security awareness training. That training needs updating. The rest of this article walks the attacker’s playbook stage by stage so the defensive priorities are clear.

How attackers use AI, at a glance

Attack stage | What AI does for the attacker | What still stops it
Target selection | Scrapes and ranks thousands of SMBs by revenue, sector, exposed services, and named staff in minutes | Reducing public attack surface; nothing makes you invisible, but less exposure means lower ranking
Reconnaissance | Builds a dossier on named staff from LinkedIn, news, social media, podcasts, and breach data | Limiting what staff overshare publicly; assuming the dossier exists
Phishing | Writes fluent, personalized, error-free phishing in any language, at volume | Email filtering, DMARC/SPF/DKIM, link protection, updated awareness training
Business email compromise | Summarizes a compromised inbox to find invoices and vendor patterns; drafts mid-thread reply attacks | MFA on every mailbox, payment verification by voice, forwarding-rule alerts
Voice and video impersonation | Clones an executive’s voice from public audio; generates deepfake video for live calls | Out-of-band verification protocols; never trusting a single channel
Malware and exploit code | Generates and mutates malware variants; helps write and refine exploit code | EDR with behavioral detection, patching, least privilege, application control
Vulnerability scanning | Finds and characterizes exposed, unpatched systems faster after a CVE is published | Tight patch cycles, exposed-service inventory, MFA on every login
Attack at scale | Runs all of the above against hundreds of SMBs simultaneously, not one large target | Defense in depth – no single control, layered controls
Evasion | Rewrites payloads and messages to dodge signature-based detection | Behavioral detection over signatures; monitoring for anomalies
Post-breach | Summarizes stolen data fast to find the most valuable and most leverageable material | Encryption, data minimization, fast detection and response

The rest of the article walks these stages in detail and ends with the defensive priorities.

The shift that matters: attack economics, not attack technology

Before getting into specific techniques, it is worth being precise about what actually changed, because it shapes every defensive decision that follows.

AI did not invent a new class of cyberattack. Phishing, business email compromise, malware, credential theft, and fraud all predate AI by years. What AI changed is the cost structure of running them. Three costs collapsed:

  • The cost of skill. Writing fluent, persuasive English used to be a real barrier for the large share of attackers who do not speak it natively. The “bad grammar” tell that defenders relied on was, in effect, a skill tax on attackers. AI removed that tax entirely. So did the cost of writing working code, building a convincing fake document, or constructing a plausible pretext.
  • The cost of research. Building a useful profile of a target – who the CFO is, who they report to, which vendors they use, what projects are active, when invoices typically go out – used to take a human attacker hours per target. AI does it in minutes by summarizing public sources and breached data.
  • The cost of scale. Because the per-target labor dropped, the same attacker can now run a customized campaign against hundreds or thousands of small businesses at once. Customization and scale used to be a trade-off. They no longer are.

The consequence for a small business is direct. The old mental model – “serious targeted attacks happen to big companies; we just get the spray-and-pray junk” – was true because of the labor economics, and the labor economics no longer hold. A 15-to-50-person business is now worth a customized attack because the customization is cheap. This is the single most important thing for SMB leadership to internalize, and it is covered from the risk side in the AI security risks article. Everything below is a specific instance of these three collapsed costs.

Stage 1: target selection and reconnaissance

An AI-assisted attack starts before any email is sent. The attacker uses AI to decide who to hit and to learn enough about them to be convincing.

Target selection. An attacker can feed AI tools lists of businesses and have them ranked by attractiveness – estimated revenue, industry (some sectors pay ransoms more reliably than others), publicly visible technology, exposed services, and named employees in finance or leadership roles. What used to be tedious manual triage is now an automated sort. Small businesses do not get skipped in this process; they get scored and queued.

Reconnaissance. Once a target is selected, AI builds the dossier. LinkedIn gives the org chart, job titles, and tenure. Company news and press releases give active projects and partnerships. Social media gives travel schedules, personal details, and the names of colleagues. Podcast and webinar appearances give voice samples. Breached-data lookups give old passwords and confirm email formats. An attacker can have all of this summarized into a clean profile of a specific executive – how they write, who they trust, what they are working on, when they are traveling – in the time it takes to get a coffee.

The defensive reality here is uncomfortable but clarifying: you cannot stop reconnaissance on a business that has any public presence. The mitigation is not to disappear. It is to (1) limit gratuitous oversharing – staff posting detailed travel plans, finance staff publicly identified by exact role and reporting line – and (2) assume the dossier exists and train staff accordingly. If you assume an attacker already knows your CFO’s name, your AP clerk’s name, your main vendors, and your billing cycle, the right defensive posture is verification habits, not secrecy.

Stage 2: AI-generated phishing

Phishing is still the most common entry point into a small business, and it is where AI’s effect is most visible to the average employee.

The pre-AI phishing email that staff were trained to catch had recognizable tells: awkward grammar, generic greetings (“Dear Customer”), obvious urgency, mismatched sender domains, clumsy formatting. Security awareness training was built around spotting those tells.

AI-generated phishing has none of them. It is fluent. It is grammatically perfect in any language. It uses the recipient’s name, role, and real context – “Following up on the Henderson contract before your Thursday trip” – because the reconnaissance stage supplied that context. It mimics the writing style of the person it claims to be from, because the attacker fed it samples of that person’s real emails. It is formatted like a normal business message because AI produces normal business formatting by default.

A full treatment of AI-generated phishing – the new signals to watch for, the technical controls that catch what training misses – is the subject of its own article in this series. The point for this article is the attacker’s side: producing a hundred personalized, polished phishing emails is now the same amount of work as producing one. The volume and the quality both went up at the same time, which is the combination defenders find hardest.

Stage 3: business email compromise, supercharged

Business email compromise – where an attacker either spoofs or takes over a real email account to redirect payments or steal data – was already the single largest source of financial loss in SMB cybercrime before AI existed. AI made the most damaging version of it considerably more effective.

The damaging version is account takeover: the attacker gets into a real mailbox, usually through phishing or a reused password, and operates from inside it. Here is where AI changes the attacker’s job:

  • Inbox triage. A compromised mailbox can hold years of email. Previously an attacker had to manually read through it to find the useful material – pending invoices, vendor relationships, payment patterns, who approves what. AI summarizes the entire mailbox in minutes and surfaces exactly the threads worth exploiting.
  • Pattern learning. AI extracts the billing cycle, the typical invoice amounts, the vendors that get paid without much scrutiny, and the internal approval chain – everything needed to make a fraudulent request look routine.
  • Reply-in-thread fraud. The most convincing BEC attack is not a new email – it is a reply injected into a real, existing thread. The attacker waits inside the compromised account, finds a live conversation about a real payment, and replies with updated “banking details,” in the account owner’s real voice, in a thread the recipient already trusts. AI drafts that reply in minutes, perfectly matched to the thread’s tone and history.

The defenses for BEC have not changed, and they work: MFA on every email account without exception, so account takeover gets much harder in the first place; mandatory voice verification – on a known phone number – for any change to payment instructions, no matter how routine the request looks; alerts on the creation of inbox forwarding rules, which is a near-universal fingerprint of a compromised mailbox; and a quarterly review of login locations on email accounts. The Microsoft 365 security hardening guide covers the M365-specific controls, and the phishing attack prevention article covers the entry-point defenses that stop the account takeover before BEC is even possible.
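The forwarding-rule alert mentioned above is simple to implement once mailbox audit records are available. The following is an added example (not Sequentur’s code and not a Microsoft tool): it reads a handful of constructed audit records that mirror the general shape of Exchange Online mailbox-audit entries in the Microsoft 365 unified audit log (Operation, UserId, ClientIP, and a Parameters list of Name/Value pairs), flags every operation that creates or changes forwarding, rates it by whether mail leaves the business’s own domain (assumed here to be example.com) and whether the rule also hides the forwarded mail, and then reports client IPs that touched more than one mailbox. All addresses, IPs and timestamps are invented.

```python
import json

# Added example (not Sequentur's code). Constructed records mirror the general
# shape of Exchange Online mailbox-audit entries exported from the Microsoft 365
# unified audit log; every value below is invented for this example.

INTERNAL_DOMAINS = {"example.com"}  # assumed: the business's own mail domain

# Cmdlets that can set up forwarding, and the parameters that carry a destination.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")
# Parameters that hide the forwarded mail from the mailbox owner.
HIDING_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")

SAMPLE_AUDIT_LOG = [  # constructed JSON lines, one audit record each
    '{"CreationTime": "2024-05-06T08:12:31", "Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.42", "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}, {"Name": "ForwardTo", "Value": "smtp:billing.archive@example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}',
    '{"CreationTime": "2024-05-06T09:01:10", "Operation": "New-InboxRule", "UserId": "owner@example.com", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@vendor-example.org"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}',
    '{"CreationTime": "2024-05-06T09:30:55", "Operation": "Set-Mailbox", "UserId": "cfo@example.com", "ClientIP": "203.0.113.42", "Parameters": [{"Name": "Identity", "Value": "cfo@example.com"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.backup@example.net"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}',
    '{"CreationTime": "2024-05-06T10:15:02", "Operation": "Set-InboxRule", "UserId": "hr@example.com", "ClientIP": "198.51.100.9", "Parameters": [{"Name": "Identity", "Value": "Team"}, {"Name": "RedirectTo", "Value": "smtp:team-shared@example.com"}]}',
]


def destination_domain(value):
    """'smtp:name@Example.net' -> 'example.net'; None when no address is present."""
    address = value.split(":", 1)[-1]
    return address.rsplit("@", 1)[1].lower() if "@" in address else None


def classify(params, internal_domains):
    """Rate a forwarding change by where mail goes and whether the rule hides it."""
    destinations = [params[p] for p in FORWARDING_PARAMS if p in params]
    if not destinations:
        return None, []
    external = [d for d in destinations if destination_domain(d) not in internal_domains]
    hidden = any(p in params for p in HIDING_PARAMS)
    if external and hidden:
        return "critical", destinations  # selected mail silently copied out of the tenant
    if external:
        return "high", destinations      # mail leaving the tenant
    return "medium", destinations        # internal redirect: confirm it was intended


def find_forwarding_events(log_lines, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per audit record that creates or changes forwarding."""
    findings = []
    for line in log_lines:
        record = json.loads(line)
        if record.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        severity, destinations = classify(params, internal_domains)
        if severity is None:
            continue
        findings.append({
            "time": record["CreationTime"],
            "user": record["UserId"],
            "client_ip": record.get("ClientIP"),
            "operation": record["Operation"],
            "destinations": destinations,
            "severity": severity,
        })
    return findings


def shared_source_ips(findings):
    """Client IPs behind forwarding changes on more than one mailbox."""
    by_ip = {}
    for finding in findings:
        by_ip.setdefault(finding["client_ip"], set()).add(finding["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    results = find_forwarding_events(SAMPLE_AUDIT_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['time']} {f['user']} {f['operation']} -> {f['destinations']}")
    print("shared source IPs:", shared_source_ips(results))
```

The benign "Newsletters" rule is skipped because it carries no forwarding parameter, while the bookkeeper’s rule that forwards invoice-related mail to an outside domain and deletes the original is rated critical. The same client IP appearing on two mailboxes is worth its own alert, since one attacker working several compromised accounts from one place is the common case.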

Stage 4: voice cloning and deepfakes

The attack that SMB leaders find hardest to believe applies to them is voice and video impersonation – and it is no longer expensive or difficult.

A usable clone of a person’s voice can be generated from a small sample of public audio: a podcast appearance, a webinar recording, a conference talk, a video on the company website, even a voicemail greeting. With the clone, an attacker can place a phone call that sounds like the company’s owner or CFO instructing an employee to process an urgent payment. Deepfake video has reached the point where it can sustain a short live video call convincingly enough to fool someone who is not specifically scrutinizing it.

The reason this matters for small businesses specifically: the controls that make this hard at a large company – layered finance approvals, segregation of duties, formal payment workflows – are exactly the controls small businesses tend not to have. A 20-person company often has one bookkeeper who will act on a direct instruction from the owner. That is the exact scenario voice cloning exploits.

The defense is a verification protocol, and it is cheap to implement: any payment instruction, any change to banking details, and any urgent financial request gets verified through a second, pre-agreed channel before action – regardless of how certain the staff member is that they recognized the voice. Recognizing the voice is no longer evidence of anything. This is covered in depth in the dedicated voice cloning and deepfakes article later in this series; the attacker-side point here is that the cost of doing this has dropped low enough that small businesses are now inside the blast radius.

Stage 5: AI-assisted malware and exploit development

On the technical side of attacks, AI acts as a force multiplier for attackers writing malware and exploit code.

It is worth being measured about this rather than alarmist. AI does not let a complete novice produce sophisticated, novel malware – the well-known AI tools have guardrails against the most blatant requests, and serious malware development is still skilled work. What AI does is make a moderately skilled attacker substantially more productive:

  • Variant generation. AI can rapidly produce variations of existing malware – functionally similar, structurally different. This matters because signature-based antivirus detects known patterns. A flood of variants, each slightly different, slips past signature detection more easily.
  • Code assistance. Refining exploit code, adapting a known exploit to a specific environment, debugging a payload, translating malware between languages – all of it is faster with AI coding assistance.
  • Obfuscation and evasion. AI helps rewrite code to dodge detection rules, and rewrite phishing payloads and malicious documents to evade content filters.

The defensive implication is one many small businesses have not yet acted on: traditional signature-based antivirus is increasingly inadequate, because the whole premise of signature detection – recognizing known-bad patterns – is exactly what AI-assisted variant generation defeats. The defense that works is behavioral detection: endpoint detection and response (EDR) tools that flag what a program does (encrypting files rapidly, injecting into other processes, contacting known-bad infrastructure) rather than what it looks like. The endpoint detection and response article covers why behavioral detection is now the baseline, not an upgrade. Patching, least privilege, and application control remain the other layers, because no single detection technology catches everything.

Stage 6: automated vulnerability scanning at machine speed

The internet has always been scanned constantly for vulnerable systems. AI changed the speed and the targeting of that scanning.

The most consequential shift is the compression of the window between disclosure and exploitation. When a new vulnerability in a common product – a firewall, a VPN appliance, a webmail system, a remote access tool – is publicly disclosed, AI-assisted tooling helps attackers locate exposed instances and characterize them faster than before. The time a business has to patch before automated scanning reaches its exposed systems has shrunk from weeks to, in some cases, hours.

For a small business, the practical implications are concrete:

  • Patch cycles on internet-exposed systems have to be tight. Critical patches on anything reachable from the internet – firewalls, VPN gateways, mail servers, remote access tools – need to be applied within days of release, not deferred to a maintenance window weeks out.
  • You have to know what is exposed. The dangerous gaps are the forgotten ones: RDP left open on a single workstation, an old VPN concentrator nobody decommissioned, a NAS that became internet-reachable through a misconfiguration. A network assessment inventories what is actually exposed, including the things nobody remembers.
  • MFA on every exposed login, without exception. AI-scaled credential-stuffing – trying breached username and password pairs against your logins – hits harder than it used to. MFA is what makes a working stolen password insufficient on its own.

The reassuring part: the defenses against automated scanning are the defenses that already worked. AI mostly compressed the timeline. It did not invent a way past a patched, MFA-protected, minimally-exposed system.

Why traditional security awareness training is losing effectiveness

This deserves its own section because it is the one defensive area where AI has genuinely broken something, and where many small businesses are still relying on an approach that no longer works.

For years, security awareness training taught employees to spot phishing by looking for a checklist of tells: spelling and grammar mistakes, generic greetings, urgency, a sender address that does not quite match, hovering over links to check the destination. That training was reasonably effective because it described real properties of the phishing of that era.

AI-generated phishing breaks most of that checklist:

  • “Look for bad grammar and spelling.” AI-generated phishing has perfect grammar and spelling. This signal is now actively misleading – a polished email reads as more trustworthy, which is the opposite of the lesson.
  • “Watch for generic greetings.” AI personalizes. The email uses the recipient’s name, role, and real context.
  • “Be suspicious of urgency.” Still somewhat useful, but AI-generated attacks now build plausible, specific reasons for the urgency rather than generic pressure.
  • “Check if it sounds like the sender.” AI mimics the real sender’s writing style from samples. It sounds like them.

What this does not mean is that training is worthless. It means the content has to be rewritten. Effective training in the AI era teaches different things:

  • The signal is the request, not the writing quality. Train staff to react to what is being asked – a payment, a banking change, credentials, an unusual data request, a deviation from normal process – regardless of how clean and convincing the message is. A perfectly written email asking for an unusual financial action deserves more suspicion, not less.
  • Verification habits over detection skills. The durable defense is not “can the employee spot the fake” – because increasingly they cannot. It is “does the employee verify unusual or sensitive requests through a second channel as an automatic habit.” Verification works whether or not the message looked legitimate.
  • Channel skepticism. Recognizing a voice, a writing style, or a face is no longer proof of identity. Staff need to internalize that any single channel can be faked.
  • A safe, fast reporting path. When staff are unsure, reporting needs to be easy and blameless, so they report rather than guess.

The phishing attack prevention article covers the modern training approach alongside the technical controls. The headline for this article: if your security awareness training still leads with “look for spelling mistakes,” it is calibrated to a threat that no longer exists, and it needs updating.

What the defense side looks like

It would be easy to read the sections above as a counsel of despair. It is not. The defensive picture is actually clarifying, because of one fact that runs through every stage: AI made attacks faster, cheaper, and more scalable, but it did not make the proven defenses stop working. A patched system is still patched. MFA still blocks a stolen password. An offline backup still survives ransomware. A verified payment is still verified.

What AI changes is the priority and rigor with which the existing defenses are applied. The defensive priorities for a small business facing AI-equipped attackers:

  • MFA everywhere, no exceptions. Every email account, every remote access point, every critical application. AI-scaled credential attacks make any non-MFA login a real liability. MFA alone is not enough, but it is the single highest-value control.
  • Payment and data-request verification as a hard process. Out-of-band verification for any payment instruction, banking change, or sensitive data request. This single habit defeats AI-enhanced BEC, voice cloning, and deepfake fraud at once, because all three rely on a request being acted on without a second-channel check.
  • Tight patching on anything internet-exposed. Days, not weeks, for critical patches on exposed systems. Plus an accurate inventory of what is actually exposed.
  • Behavioral endpoint protection (EDR) instead of signature-only antivirus. Detecting what software does, not what it looks like, is the answer to AI-generated malware variants. EDR is the baseline now.
  • Email security infrastructure. DMARC, SPF, and DKIM properly configured; modern email filtering with link protection; anomaly detection on email behavior. These catch a meaningful share of AI-generated phishing before it reaches a human, which matters more now that humans catch less.
  • Updated security awareness training. Rewritten around the request, not the writing quality; verification habits over detection skills. Covered above.
  • Offline, immutable backups. Whatever else gets through, a backup that an attacker cannot reach or encrypt is what turns a catastrophe into an incident. The how ransomware gets into small business networks article covers the entry points; backup is the recovery floor.
  • Monitoring and a response plan. Faster attacks make fast detection and a rehearsed response more valuable. Knowing within hours rather than weeks that something is wrong is the difference between a contained incident and a full breach.
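The "Email security infrastructure" item says DMARC, SPF, and DKIM should be "properly configured", and the most common failure is a record that exists but is set so loosely that it stops nothing. The following is an added example (not Sequentur’s code and not a published tool) that checks the three record types offline: it parses the DMARC tag list and flags p=none, partial pct and a missing reporting address; parses SPF and flags +all, the deprecated ptr mechanism and more than the ten DNS lookups RFC 7208 allows; and checks a DKIM selector record for an empty key or testing flag. The weak and hardened records are constructed for the example, as are the domain names and the placeholder public key; in practice the strings come from DNS TXT lookups of _dmarc.<domain>, <domain>, and <selector>._domainkey.<domain>.

```python
# Added example (not Sequentur's code). The records below are constructed for
# this example; real ones come from DNS TXT lookups.

WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.mail-vendor.example a mx ptr +all"
HARDENED_SPF = "v=spf1 include:_spf.mail-vendor.example ip4:203.0.113.0/24 -all"
TESTING_DKIM = "v=DKIM1; k=rsa; t=y; p=PLACEHOLDER_PUBLIC_KEY_BASE64"  # placeholder key


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (the DMARC and DKIM record format)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """List the weaknesses in a DMARC record; an empty list means acceptable."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag; receivers treat the record as invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail that fails DMARC is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine is a transition step; move to p=reject once reports look clean")
    elif policy != "reject":
        findings.append(f"unknown policy p={policy}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no view of who is spoofing the domain")
    if tags.get("sp") == "none" and policy == "reject":
        findings.append("sp=none leaves subdomains unprotected while the main domain is at reject")
    return findings


LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism_name(term):
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name


def count_dns_lookups(record):
    """Count the terms that cost a DNS lookup; RFC 7208 allows at most 10."""
    return sum(1 for t in record.split()[1:] if _mechanism_name(t) in LOOKUP_MECHANISMS)


def evaluate_spf(record):
    """List the weaknesses in an SPF record; an empty list means acceptable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if _mechanism_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of failing")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("+all authorizes every host on the internet to send as this domain")
    elif all_terms[-1] == "?all":
        findings.append("?all is neutral: unlisted senders neither pass nor fail")
    if any(_mechanism_name(t) == "ptr" for t in terms[1:]):
        findings.append("ptr mechanism is deprecated; replace it with ip4/ip6 or include")
    lookups = count_dns_lookups(record)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10; receivers return permerror")
    return findings


def evaluate_dkim(record):
    """List problems with a DKIM selector record; an empty list means acceptable."""
    tags = parse_tags(record)
    findings = []
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append("v= is present but not DKIM1")
    if not tags.get("p"):
        findings.append("empty or missing p=: the key is revoked, so mail signed with this selector fails")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y marks the selector as testing; remove it once the key is in production")
    return findings


if __name__ == "__main__":
    for label, record, check in [("weak DMARC", WEAK_DMARC, evaluate_dmarc),
                                 ("hardened DMARC", HARDENED_DMARC, evaluate_dmarc),
                                 ("weak SPF", WEAK_SPF, evaluate_spf),
                                 ("hardened SPF", HARDENED_SPF, evaluate_spf),
                                 ("testing DKIM", TESTING_DKIM, evaluate_dkim)]:
        print(f"{label}: {check(record) or 'OK'}")
```

A record at p=none is the typical state of a domain whose DMARC was "set up" once and never revisited; it produces reports but blocks nothing, which is why the hardened version pairs p=reject with an rua address so the move to reject can be watched.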

None of these are new. The honest summary of AI-era defense for a small business is that it raised the cost of being careless and shortened the time you have to fix things – it did not invent an unstoppable attack. A business that does the boring fundamentals well is in a genuinely defensible position.

For an SMB without the in-house capacity to run all of this, the managed cybersecurity services for small business overview covers what a security-first managed engagement provides – the layered controls, the monitoring, and the response capability that are hard to assemble one tool at a time.

10 things small businesses get wrong about AI-enabled attacks

The recurring misconceptions and gaps:

  1. “We are too small to be targeted.” True under the old economics, false now. AI made small businesses economically worth a customized attack.
  2. Still teaching “spot the bad grammar.” Training calibrated to pre-AI phishing. Perfect grammar now reads as trustworthy – the exact wrong lesson.
  3. Relying on signature-based antivirus. AI-generated malware variants defeat signature detection by design. Behavioral EDR is the baseline now.
  4. No out-of-band payment verification. The single habit that defeats AI-enhanced BEC, voice cloning, and deepfakes – and the one most often missing.
  5. Treating voice and video as proof of identity. Recognizing a voice or face is no longer evidence. Any single channel can be faked.
  6. Slow patching on internet-exposed systems. The disclosure-to-exploitation window is now hours to days. A three-week maintenance cycle is a liability.
  7. No inventory of what is internet-exposed. Forgotten RDP, an old VPN appliance, a misconfigured NAS – scanned faster than ever and never accounted for.
  8. MFA with exceptions. One non-MFA mailbox or remote login is the gap AI-scaled credential attacks are built to find.
  9. Assuming AI attacks need an AI defense. Mostly false. The proven fundamentals still work; they need more rigor, not replacement.
  10. No tested, offline backup. Whatever gets through, an unreachable backup is the recovery floor. Untested or online-only backups fail when it matters.

Time to close the main AI-attack gaps

A practical sequence for a typical 20-50 person SMB getting its defenses calibrated for AI-equipped attackers:

Phase | What happens | Time
MFA audit and gap closure | Confirm MFA on every email account, remote access point, and critical app. Close exceptions. | 1 week
Payment verification process | Write and roll out the out-of-band verification rule for payments, banking changes, and sensitive requests | 2-3 days
Patch posture review | Inventory internet-exposed systems, tighten the critical-patch cycle to days for exposed systems | 1-2 weeks
Endpoint protection upgrade | Move from signature antivirus to behavioral EDR where not already in place | 1-2 weeks
Email security configuration | Verify DMARC, SPF, DKIM; confirm modern filtering and link protection are on | 3-5 days
Awareness training refresh | Rewrite training around the request and verification habits, not grammar tells. Deliver to all staff. | 1-2 weeks including delivery
Backup verification | Confirm backups are offline or immutable, and run a test restore | 1 week
Monitoring and response review | Confirm something would be detected quickly; review or write the incident response plan | 1-2 weeks
Total elapsed time | From “we should look at this” to a defensible AI-era posture | 4-6 weeks

Most of this is calibration of things a reasonably run business already partly has, not net-new construction. The four-week version is where the fundamentals are mostly in place and need tightening. The six-week version is where several layers are being built or replaced.

What is next in this content series

This article covered the attacker’s playbook – how AI is used at each stage of an attack and what that means for defensive priorities. The pieces around it go deeper:

  • AI-powered phishing in detail – the specific new signals to watch for, and the technical controls that catch what human awareness now misses
  • Voice cloning and deepfakes – the verification protocols for finance, hiring, and vendor onboarding, and the real fraud cases
  • How to evaluate whether an AI tool is safe for your business to use – the questions to ask before approving any AI vendor
  • How to introduce AI tools to your team without creating security gaps – the controlled-rollout playbook
  • What to do if an employee leaks business data through an AI tool – the incident response walkthrough

If you have not read them yet, the upstream pieces in this series are the shadow AI wake-up call, the AI acceptable use policy template, the data-side breakdown of AI vendor terms, the AI security risks overview, the AI and HIPAA guide for healthcare, the Microsoft Copilot rollout guide, and the AI governance framework article.

If your defenses against AI-equipped attackers are being managed inside a broader managed cybersecurity services engagement, the monitoring, the layered controls, and the response capability all belong inside it.

How Sequentur can help

If you want help assessing where your business is exposed to AI-equipped attackers, closing the MFA and patching gaps, upgrading endpoint protection, or rolling out updated security awareness training, schedule a call.
