4 in 5 small businesses had cyberscams last year; almost half were AI-powered
Wire Service

One more reason things cost more today: cybercrime.

A survey by the Identity Theft Resource Center, a San Diego-based education and victim resource nonprofit, found that 38% of small businesses hit by a cyberscam or breach in the previous 12 months passed those losses to customers by raising prices.

Another key finding: Cybercrime against small businesses is increasingly fueled by artificial intelligence.

"The era of predictable, human-scale threats has been superseded by a new reality of automated, intelligent and massively scalable attacks powered by AI," said the report, which discusses trends in threats, prevention and attacks. It also gives detailed recommendations about network and application security, data protection, and employee and contractor practices. The survey reached out to more than 650 companies across more than 12 industries in August.

Eva Velasquez, the CEO of the Identity Theft Resource Center, said the results offer a stark reminder that hackers aren't picky. They will grab data and money from anyone, including large and small businesses and individuals.

"When we think about risk, it really is all businesses," Velasquez said. "From mom and pops to large companies. They're all attractive to hackers. Small businesses sometimes don't pay enough attention to cybersecurity because they think they're not vulnerable. They think, 'Well, why would anybody target me?'"

Not only are they being targeted, but they are being successfully breached, some multiple times a year. Two or three breaches in a 12-month period was the most common pattern. Another 34% had one breach, and almost 12% had four or more.

One encouraging shift: The percentage of companies with one or two breaches increased from 2024, while the percentage of companies with more than two breaches dropped. Perhaps companies are improving their cybersecurity protocols after a first or second breach.

The report, however, said companies being hit only once says something about cyber attackers' methods.

Threat actors appear to be focusing on opportunistic, high-volume strikes. This alters the risk calculus for small businesses, shifting the primary challenge from defending against a determined, persistent adversary to repelling a continuous barrage of single-shot attacks from a multitude of sources.

The nonprofit helps individuals for free, and businesses in some cases get charged fees, used to fund its free services. The nonprofit faced a significant drop in federal government grants last year but remains financially robust thanks to private donors and unclaimed awards from class-action settlements, Velasquez said.

"Our services remain available at the same level they were prior to changes in the federal grant processes/availability," Velasquez said.

Four out of five small businesses reported they were victims of a security or data breach in the past 12 months, a statistic unchanged from a year before.

But the nature of these attacks has changed, with AI taking center stage.

In past surveys of small businesses that suffered cyber and data breaches, incidents were caused by insecure cloud environments, ransomware, hackers, malicious employees or contractors, lapses by remote workers, software flaws and attacks on third-party vendors, the report said.

AI was not even named as a cause as recently as 2024.

But in 2025, 41% of small business victims said AI was the root cause of a recent attack.

"Generative AI can craft highly personalized social engineering attacks that mimic the tone and context of legitimate internal communications," the report says.

Hackers are launching large-scale automated attacks that cover a lot more ground, Velasquez said.

In cybercrime, AI is the great equalizer. Sophisticated scams can be carried out by less knowledgeable wrongdoers who use generative AI.

"These tools are effectively democratizing advanced attack capabilities that were once the domain of highly skilled actors," the report said.

The cause for data and cyber breaches that saw the biggest percent drop in 2025 compared to 2024 was remote work, which makes sense as workers have returned to offices. Every other cause of attacks has also dipped, perhaps as scammers and data thieves turned to AI.

While AI was added to the list and some causes became less prevalent, no cause disappeared.

When small businesses suffer a breach or fraud, the financial hit can include lost revenue, legal costs, fines and penalties, insurance, marketing and security overhauls.

Adding up these expenses, the survey found that 37% of companies lost more than $500,000 last year per incident. A quarter lost up to $250,000, and another quarter lost between $250,000 and $500,000.

To recoup costs, companies used cash reserves, turned to investors for funds, cut jobs or tapped credit and cyber insurance. They also adopted a new tactic: 38% raised prices.

"This represents a significant inflationary macroeconomic ripple effect stemming directly from the worsening cyberthreat landscape for small businesses," the report said.

One reason for this change may be that other sources of funding were harder to come by. A smaller percentage got money from investors to respond to cyber and data breach incidents in 2025 than 2024. Also, fewer companies turned to cyber insurance, with almost a quarter of companies saying they had difficulty obtaining or renewing cyber insurance after a breach. This suggests that as the frequency and cost of claims have risen, insurers have responded by adjusting underwriting standards.

Compared to 2024, fewer companies cut jobs as a way to offset losses due to cybercrime: 18%, down from 27%.

Relying less on insurance and investors, and opting to cut fewer jobs as a result of cyber breaches, may have each or all contributed to the raising of prices.

Which sensitive data did crooks slink away with?

Employee data was most commonly accessed in breaches, with customer data and company IP both ranking close behind.

To fight back, some companies have robust tools in place, but the survey also found a disturbing trend: The implementation of critical security measures such as multifactor authentication has declined, it said. One reason, the report posited: company leaders are overwhelmed and neglecting the very basics that provide an effective defense.

Velasquez and her nonprofit urge companies to keep studying known and evolving threats and to keep adapting their cybersecurity practices.

The single most critical access control for any small business to implement is MFA, the report said. MFA stands for multifactor authentication, a system of safety checks where a request to access secure information has to be vetted through multiple independent channels. MFA makes it significantly harder for attackers to use stolen passwords.

Examples of these are free authenticator apps like Google Authenticator, SMS codes that get sent to a user's phone when they try to log in using a password, and physical hardware tokens.

The report cited an alarming decline in MFA adoption for internal systems from around 33% in 2024 to around 27% in 2025. This represents a critical, high-priority vulnerability that SBs must address immediately.

"Really good companies with robust cybersecurity can have a breach," Velasquez said. "It's not an automatic indicator of negligence."

But companies with less robust cybersecurity are far more at risk.

The report has six pages of tips for preventing cyber and data breaches and countering AI-powered attacks. These range from what kind of training companies should offer to how firewalls should be set up to data encryption best practices and more.

Small businesses need to strengthen their prevention, but Velasquez also made this pitch to consumers: Don't turn away from companies that are taking steps to protect your data, even if it's annoying.

That crushingly long four-second delay until a verification text message arrives, the extra screen taps involved in using an authenticator app: those are a sign a company is doing things right.

"One of the conflicts that we have is convenience versus security. And businesses are fighting this tension between 'I have to be secure, and I have to make people jump through hoops to prove that they are who they say they are so that I can protect their data, their account, their information.' And individuals going, 'I want convenience.'

"If we have a societal shift where we understand that some friction, a little bit of inconvenience, is actually good for us," she said.

"A company that asks you to do those things is one you should do business with," Velasquez added, "because you know that they have put measures in place to protect you and your data."