The phone buzzes. Your CEO’s name appears on a text message: “Hey, are you around? Need you to grab some gift cards for a client emergency. I’ll pay you back tomorrow.” It looks legitimate. The number matches. The wording feels normal.
But the number was spoofed, and the voice was cloned from a LinkedIn video posted three years ago. By the time you realize what happened, $12,000 is gone.
This isn’t science fiction. It’s happening to real businesses right now, and the attacks are getting harder to spot.
The numbers don’t lie
The FBI’s Internet Crime Complaint Center reported $20.88 billion in losses to cybercrime in 2025 alone. That’s a 26% spike from the year before. More than a million Americans filed complaints.
For small and medium businesses, the math is brutal. Sophos found the average ransomware recovery cost for companies with 100-250 employees hit $638,536 excluding ransom payments. That figure covers downtime, forensic work, lost business, and rebuilt systems. No wonder 75% of SMBs surveyed by CyberCatch said a single ransomware incident could shut them down for good.
And here’s the statistic that keeps chief information security officers up at night: 95% of cybersecurity incidents trace back to human error. Not zero-days. Not sophisticated nation-state tooling. People clicking links they shouldn’t, reusing passwords, or responding to messages that feel urgent and real.
The 2026 Verizon Data Breach Investigations Report, published this spring, surfaced another shift. For the first time in nearly two decades, vulnerability exploitation overtook stolen credentials as the leading initial access method. Attackers aren’t always hacking in. They’re walking through unlocked doors that developers forgot to close.
Why your people are the target
Phishing has been the top threat to SMBs for years, and it’s not going away. The volume is staggering. According to CyberTec Security’s February 2026 analysis, millions of phishing attempts launch every quarter. SMBs are favorite targets because they’re accessible, often understaffed on security, and frequently lack the awareness training that enterprises run routinely. An attacker can spray 10,000 emails at a Fortune 500 with sophisticated filters working overtime, or they can hit a 50-person accounting firm where everyone shares a single Microsoft 365 admin account.
The human factor compounds the problem. When People.ai analyzed breach causes, they found 68% of cybersecurity incidents came from human error. Human error is cheap to exploit. You don’t need to find a zero-day when an email promising “your payroll is ready” will do.
AI changed the game
The thing that separated 2025-2026 from earlier years wasn’t just phishing — it was the weaponization of AI. Deepfake audio attacks emerged as a genuine threat to businesses of every size. The most documented case: a Hong Kong firm where a CFO received a call he swore was his UK-based CEO. Voice, cadence, even background noise. He transferred $25 million in a single afternoon.
AI-generated phishing emails are now indistinguishable from legitimate correspondence. They carry proper grammar, correct tone, and personalized content pulled from LinkedIn profiles or recent company announcements. Spelling errors — once the telltale sign of a fraudulent message — are largely gone.
What to actually do
Most security advice reads like a to-do list that goes nowhere. Here’s what actually moves the needle for SMBs with limited budgets and even more limited time.
Verify first. Any request involving money or sensitive data should go through a secondary channel. Call the person back on a known number — not the one that just texted you. If the CFO calls asking for an urgent wire transfer, hang up and dial the extension you have on file.
Run tabletop exercises. Once a quarter, walk your team through a hypothetical breach scenario, not to scare them but to build the reflex to question unusual requests. The people who catch phishing attempts most reliably are the ones who’ve thought about what one looks like before they encounter it.
Lock down multi-factor authentication everywhere. Email, banking, cloud storage, remote access tools. If it doesn’t have MFA enabled, it’s a single point of failure. Time-based authentication apps or hardware keys are the gold standard — SMS is better than nothing but remains spoofable.
Practice your incident response before you need it. Know who you’re going to call, what you’re going to disconnect first, and who has the authority to make decisions at 2 a.m. on a Saturday. Breaches handled in the first hour cost a fraction of those that spread while teams figure out their own playbook.
Your team isn’t the weakest link in your security posture. They’re your biggest risk and your best defense. Invest accordingly.