A new attack vector emerged as a significant threat in 2025: AI-powered cyberattacks. In addition to malicious insiders (disgruntled employees and vendors) and external threat actors (the lone wolf and organized groups of hackers) who continue to carry out “traditional” human-scale phishing and malware attacks against identified businesses and individuals, companies must now also contend with highly automated cyberthreats that leverage the power of artificial intelligence.
In 2025, 81% of small businesses reported suffering a security breach, a data breach, or both. AI-assisted attacks were identified as a root cause in more than 40% of security incidents. According to the Identity Theft Resource Center (ITRC) 2025 Business Impact Report, published in December 2025, this represents a dramatic shift in criminal behavior that most small businesses are not prepared to defend against.
The ITRC conducted an online survey of 662 small business owners and senior executives at organizations with up to 500 employees across multiple industries. What they found is that being attacked is the rule, not the exception. It’s merely a question of how, and the attack surface is only expanding. AI is a double-edged sword, and in the wrong hands it can be weaponized quite effectively.
Same Goals, Different Threats
The criminals’ goals haven’t changed: they are still looking for network vulnerabilities and user credentials to steal identities and intellectual property, execute account takeovers to commit fraud and financial transfers, and install malware to hold systems and data for ransom.
Neither have their preferred targets: small businesses, defined by the U.S. Small Business Administration as companies with under 500 employees. Threat actors (rightfully?) believe smaller businesses have fewer resources dedicated to cybersecurity, disaster recovery/data backup and employee education, making them a prime target for phishing and ransomware attacks.
Only now, instead of focusing on a select victim with carefully crafted social engineering hooks or trying to crack user passwords in a brute force attack, criminals have access to AI-powered tools that automate, scale and dramatically improve the quality of their methods.
Single Incident Attacks Up
One trend highlighted in the 2025 ITRC Report is a sharp year-on-year decrease in the number of businesses targeted multiple times, with a corresponding increase in businesses experiencing only one security-related event.
This implies a shift in criminal strategy. Rather than using manual processes or bots to repeatedly attempt to penetrate the same company, hackers are trading frequency for volume. Armed with AI-powered tools they can massively scale and automate their attacks across hundreds or thousands of targets at once – and only once.
Weaponized AI makes it possible for anyone with bad intentions to commit cybercrimes that just a short time ago required a tremendous amount of skill and computing power. Criminals now use AI tools to scan a company’s IT environment, identify network vulnerabilities and build a profile of the business and its key employees using public data before an attack so they have everything they need to know on the first attempt.
Hyper-Realistic Threats
Not only does AI automate reconnaissance for criminals, but it also transforms that information into phishing emails and deepfake audio and video clips so convincing they can fool automated biometric authentication systems, email spam filters and trick employees into bypassing established security protocols for an “emergency.”
One example cited in the ITRC Report described how an AI-generated deepfake of a CEO deceived an employee into authorizing a multi-million dollar wire transfer to a bogus supplier. AI-powered cyberattacks mean scammers no longer need someone on the inside to give them the digital lay of the land or expose user credentials. They can become the person on the inside.
As a result, many small businesses no longer believe their current defenses are sufficient against the latest threats. In fact, the ITRC survey found the percentage of leaders appraising their business as “very prepared” for a cyberattack fell from 56.5% in 2024 to 38.4% in 2025 – a drop of 18 points in just one year!
Fight Fire With Fire – If You Can
The best line of defense to combat AI-powered cyberattacks is with AI-powered fraud detection tools – if you have the resources. Small businesses with budget should consider upgrading their defenses beyond standard user authentication and malware detection measures to include solutions that use AI to look for signs of AI-generated messages and deepfakes.
However, those tools can be costly and take time to implement. With or without them, there are certain actions you can take to fortify your defenses against AI-powered cyberattacks at limited cost.
5 Strategies to Stop Deepfakes and AI-powered Cyberattacks
- Build a human firewall. Create a culture of security by educating staff on the latest cyberthreats and the telltale signs to look for in deepfake audio and video messages. Train employees to not always believe their eyes, to feel empowered to question unusual requests, and to report suspicious activity to management.
- Implement human verification processes for sensitive requests. In other words, take tech out of the process for a moment. Returning to our wire transfer example, should an employee receive an urgent email or video call from the CEO to make a financial transaction or release information known to be confidential, that employee must first confirm its authenticity through an independent means like a phone call or an in-person approval from the CEO before completing the request.
- Optimize your existing network defenses. Configure firewalls to limit network access to known users and approved domains, install security patches and software updates from providers as soon as they are released to guard against the latest threats, secure wireless networks with encryption, and segment networks into smaller zones that can be isolated in the event of an attack.
- Protect your data! Encrypt data in transit and at rest. Make sure encryption is active on all laptops in case one gets lost or stolen, and commit to a strict data backup schedule with at least one repository located off premises. Having ready access to updated, duplicate data neutralizes the threat of ransomware.
- Implement centralized access controls and activate multi-factor authentication (MFA). Use a password manager application to create and store strong user credentials and monitor all password-related activity. Activate MFA to require at least two verification factors to grant access, and only give users permission to the bare minimum of systems needed to perform their jobs, a.k.a. the principle of least privilege (PoLP) and role-based access control (RBAC).
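The second strategy above, independent verification of sensitive requests, can be enforced in software rather than left to memory. The following is an added example, not code from the original post or from Passpack: a small Python gate that refuses a high-risk request (the report's deepfake wire-transfer case) unless it was confirmed on a different channel using the contact on file in a directory, never the callback details supplied inside the request. The directory, thresholds, names and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed approver directory: the contact used for a callback must come
# from here, never from details supplied inside the request (an attacker
# controls those). Addresses and numbers are placeholders.
DIRECTORY = {"ceo@example.com": {"phone_on_file": "+1-555-0100"}}
HIGH_RISK_USD = 10_000                      # assumed policy threshold
SENSITIVE_ACTIONS = {"wire_transfer", "release_confidential"}

@dataclass
class Request:
    requester: str                # claimed identity of the sender
    channel: str                  # channel it arrived on: "email", "video", "phone"
    action: str
    amount_usd: float = 0.0
    callback_hint: Optional[str] = None   # contact details embedded in the request (untrusted)

@dataclass
class Confirmation:
    channel: str                  # channel the employee used to confirm
    contact_used: str             # number actually dialled (or "in_person")
    approved: bool                # what the real approver said

def needs_oob_verification(req: Request) -> bool:
    return req.action in SENSITIVE_ACTIONS or req.amount_usd >= HIGH_RISK_USD

def verify(req: Request, conf: Optional[Confirmation]) -> Tuple[bool, str]:
    """Allow the request only when an independent channel, using the contact
    on file, confirmed it. Returns (ok, reason) so the reason can be logged."""
    if not needs_oob_verification(req):
        return True, "low risk: no out-of-band step required"
    entry = DIRECTORY.get(req.requester)
    if entry is None:
        return False, "requester is not a registered approver"
    if conf is None:
        return False, "no out-of-band confirmation recorded"
    if conf.channel == req.channel:
        return False, "confirmation reused the channel the request arrived on"
    if conf.contact_used != entry["phone_on_file"]:
        return False, "callback did not use the contact on file"
    if not conf.approved:
        return False, "approver denied the request"
    return True, "confirmed out of band via contact on file"

# Constructed sample modelled on the report's deepfake wire-transfer case:
# the "CEO" on the video call helpfully supplies a number to call back.
DEEPFAKE_REQUEST = Request("ceo@example.com", "video", "wire_transfer",
                           2_500_000, callback_hint="+1-555-0199")
```

Note that a callback to the number offered during the video call (`callback_hint`) is rejected even though it is on a different channel; only the directory entry counts.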
Protect Your Business from AI-powered Cyberattacks with Passpack
The bottom line is that there’s not much you can do to stop cybercriminals from targeting your business, but with the right combination of technology and employee education you can stop them from penetrating your business. That’s where Passpack comes in.
The Passpack password manager application wraps a layer of protection around your sensitive data. It provides a suite of access controls that mitigate criminals’ ability to compromise user passwords. That is what a high number of AI-powered cyberattacks are really all about: creating better scams and more convincing deepfakes that trick users into revealing business credentials. Different means, same end.
But their efforts will prove unsuccessful if those credentials are:
- Created using a random-character password generator, with control over password length, strength and policies for reuse and rotation.
- Managed by a centralized password administrator who has 100% visibility into every password-related action and control over every user and sharing permission.
- Organized into groups by role or responsibility to adopt PoLP/RBAC policies and facilitate secure offboarding.
- Guarded by MFA to ensure user verification.
- Encrypted, stored in secure vaults and never shared in human-readable form.
Passpack delivers all these capabilities and more. Built on a zero-knowledge architecture, employing 256-bit end-to-end encryption and infinitely expandable to support an unlimited number of users, teams and passwords, Passpack puts a strong first layer of protection between your credentials and the most advanced AI threats.
Best of all, you can put Passpack to work today, for as little as $1.50 (Teams Plan) / $4.50 (Business Plan) per user per month – a small price to pay to save huge headaches tomorrow.
Still not sure? Act now and try the Passpack Business Plan FREE for 28 days to keep pace with the changing nature of cyberthreats at no risk!