For its 2025 Business Impact Report the Identity Theft Resource Center (ITRC) surveyed 662 owners and senior executives at businesses with 500 or fewer employees about their IT security posture and how they plan to combat ai challenges. The study found that only 38% of small business leaders felt their organizations were “very prepared” to fend off a cyberattack or recover from a data breach.1
ITRCs 2024 survey had pegged this number at 56% – an 18% drop in just one year! That’s not a slow moving trend, but more like a tsunami of change in the perception of threat preparedness and recovery.2
This article digs into the reasons behind this shift, what small business leaders can do to protect their firms, and how password managers can help businesses stay safe in the face of new threats.
AI-powered Cyberattacks are Changing the Threat Landscape
Deepfakes. Credential-stuffing bots. Zero-day attacks. API token attacks. Automated DDoS. Injection attacks. Clickjacking. AI model data poisoning. Hyper-realistic phishing attacks. Infostealers.
These are just some of the emerging cyberthreats businesses face when the power of AI is in the wrong hands. Add them to the list of traditional attack vectors (malware and ransomware, social engineering, phishing/baiting, Trojan horse viruses, man-in-the-middle attacks, SQL injection attacks, etc.) and it’s no wonder the majority of small business leaders admit the threat landscape has outpaced their current defensive capabilities.
In fact, the 2025 ITRC survey found that fully 80% of respondents say fear of AI-powered attacks are influencing their IT security decisions and actions.3
Paralysis by Analysis
Given the pace of AI-driven threat evolution and the widespread recognition of the problem, you might expect a corresponding leap in security spending and the adoption of simple yet effective access controls like multi-factor authentication (MFA). But there’s a huge disconnect.
The 2025 ITRC survey actually found a 7% decrease in the use of MFA, falling from 34% to 27% in the past year, and a 15% drop in spending on new cybersecurity tools. Some experts attribute these stats to the adoption of passkey technology, a password-less authentication option that uses cryptographic keys and biometrics, bypassing the need for MFA. But here at Passpack, we believe something else is driving this trend: Paralysis by analysis.
First, as mentioned, AI-powered cyberthreats take various forms: deepfake audio and video messages, realistic phishing emails, clickjacking attacks that take users to spoofed websites or install infostealer malware, and others. Dark web forums offer criminals advanced tools to perform face-swapping, voice cloning, and compose phishing emails so convincing they can fool automated authentication systems and email spam filters to reach their marks. It is getting harder to determine what is real and what is not.
Second, these AI-powered tools allow criminals to mechanize and scale their attacks on a level never seen before. Consider:
- Rather than manually entering stolen usernames and passwords into login windows in a brute force attack, credential stuffing bots automate the process to target hundreds or thousands of accounts in one session.
- Instead of crafting phishing emails aimed at a specific user or company, threat actors can scrape legitimate company and executive data from public sources to author and spray phishing emails across entire industries in multiple languages simultaneously.
- AI engines are used to scan a company’s IT environment to identify network vulnerabilities to launch a zero day attack, giving hackers unlimited system access until a patch is released.
- Once discreetly installed on a user’s device in a clickjacking or phishing attack, infostealer malware continuously intercepts user credentials and sends them to the criminal’s server each time a new account is created, allowing breaches to occur within seconds of account creation.
Feeling Helpless?
Small businesses are under attack from every angle and AI-powered cyberthreats are evolving so quickly IT often doesn’t know where to turn first – firewalls, endpoints, wireless networks, operating systems, applications, databases, end-user education – nor does IT have the budget to fix them all.
Is your IT staff simply so overwhelmed that the basics like MFA are being forgotten? Are you waiting on funding or deployment of AI-powered fraud detection tools to counter these new threats? There is a growing number of security solutions that use AI to look for signs of AI deception in messages, but those tools can be costly and take time to implement.
In the meantime, Passpack provides a strong first line of defense against breaches while you figure that out.
Fight Back Against AI-powered Cyberthreats with Passpack
Don’t suffer an impending sense of doom waiting for your cyber defenses to catch up. There is a simple, affordable step you can take today in the face of these complex AI-powered threats: Password management.
Weak and/or compromised credential pairs remain the number one cause of successful data breaches and cyberattacks in 2026. Criminals are still coming for your username and passwords; they’re just using more sophisticated tools to trick you into divulging them. But no password, no access. That’s where Passpack comes in.
Passpack cannot stop users from falling victim to deepfakes or clicking on an infected phishing email. But it can put a strong layer of protection between your sensitive business data and criminals trying to steal it.
Passpack is a centralized credential creation, management and secure sharing platform for team-based organizations whose end-users need unfettered access to common resources. Passpack is:
- Built on zero-knowledge architecture and stores each user’s passwords, PINs, account numbers and licenses using 256-bit encryption in a secure digital vault. Access requires verification through the user’s own Packing (encryption) Key,. Not even Passpack employees can access your account.
- Managed by the organization’s trusted administrator(s) who have 100% visibility into all password-related activities and control over all user permissions. A random character generator creates strong passwords and sets rules for length, reuse and expiration.
- Designed for secure collaboration. When passwords and credentials are shared, they are transmitted in non-human-readable form only to users at pre-approved domains. Plus, Passpack supports MFA to confirm user identity with a second piece of data before granting access.
- Infinitely expandable and simple to use. Passpack supports an unlimited number of users, teams and credentials, minimizing the risk of a breach stemming from a compromised password – and you’ll never outgrow it.
So, while your IT department researches potential solutions to new AI-powered cyberthreats, don’t forget the basics like good password hygiene and activating MFA.
With Passpack, you can put a strong first line of defense in place today for as little as $1.50 per user per month (Teams Plan) or $4.50 per user per month (Business Plan).
Better still, try the Passpack Business Plan FREE for 28 days and take control over your business credentials risk-free!
Frequently Asked Questions (FAQ)
What are examples of AI-powered cyberthreats facing small businesses today?
Highly realistic deepfake audios and videos, credential-stuffing bots, zero-day attacks, API token attacks, automated DDoS attacks, injection or click-jacking attacks, AI model data poisoning, hyper-realistic phishing emails, and infostealer malware.
Why haven’t more small businesses adopted tools to detect AI-powered scams?
Some do not have the resources to install the latest AI-powered countermeasures, yet others may be so overwhelmed they don’t know what to fix first. A few are migrating toward password-less solutions, while some small business leaders do not believe it is their responsibility to protect people from AI-enabled cybercrime (i.e. their ISP should handle it).4
Sources & Acknowledgements
1,2,3,4 2025 Business Impact Report, Identity Theft Resource Center (ITRC), 12/2025
Passpack would like to credit the Identity Theft Resource Center (ITRC) and their December 2025 Business Impact Report for the statistics and trends cited in this article. Click here for a link to the report and view ITRC data sources.