How Are Attackers Using AI Against Small Businesses in 2026?
Attackers are using AI to win the one battle small businesses used to be good at: telling a real message from a fake one. The clumsy signs that once gave a scam away, the typos, the broken English, the robotic phone script, have been wiped clean. What lands in your inbox or rings your phone now looks and sounds completely legitimate.
The CrowdStrike 2026 Global Threat Report puts a number on the shift: attacks by AI-enabled adversaries jumped 89% in a single year. The report is careful to make one point, though, and it is the most reassuring thing in this whole article. AI has not invented a single new type of attack. It has just made the old ones much harder to catch.
Why does AI make scams so much harder to catch?
AI makes scams harder to catch because it removes the mistakes you were trained to look for. Think about how you currently spot a dodgy email. You scan for spelling errors, a strange tone, a greeting that does not quite fit. Those instincts were built around the fact that criminals were often sloppy. AI has taken the sloppiness away.
A scammer no longer needs good English, design skills, or even much effort. They type a rough idea into an AI tool and get back a polished email, a believable script, or a convincing fake profile in seconds. The CrowdStrike report describes this as AI enhancing established tactics rather than creating new ones, which is exactly why it is so dangerous. The attack is familiar, but every clue you relied on has gone.
This is why the rest of this article does not focus on spotting fakes. That advice has quietly expired. Instead, it focuses on a habit that still works no matter how good the fake is: checking.
What can AI fake that it could not before?
AI can now fake the three things people trust most: a familiar face, a familiar voice, and a familiar writing style. Each one used to be a reasonable signal that you were dealing with a real person. None of them is reliable any more, and the table below shows how far each has moved.
How AI changed the scams you already know

| Threat | What it used to look like | How AI changed it | Your best defence |
|---|---|---|---|
| Phishing email | Typos, odd phrasing, generic greeting | Flawless, personalised, sent in huge volume | Verify the request, not the wording |
| Voice scam (vishing) | Robotic or scripted phone call | A cloned voice of someone you know | A spoken codeword for money or access |
| Fake video call | Rare and hard to pull off | Deepfake video good enough for a quick call | Call back on a known, trusted number |
| Fake identity | Easy to catch with a few questions | AI-built personas and forged documents | Verify identity through a separate channel |
None of these defences involves judging whether something looks real. Every one of them involves confirming it by a route the attacker does not control. Hold on to that idea, because it is the whole game now.
Can someone really fake my voice or face on a call?
Yes, and this is the threat business owners underestimate most. AI can clone a voice from a few seconds of audio, which a scammer can lift from a voicemail, a podcast appearance, or a webinar. They can then phone your finance team sounding exactly like you, asking for an urgent payment.
Video has caught up too. The CrowdStrike report documents attackers using AI-generated faces and identities to pass as real people. In one case, they talked their way into genuine jobs through fake employment schemes. The same technology that fakes a job applicant can put a convincing version of your face on a video call.
There is a neat trick for the video version. On a live call, ask the person to hold up a hand and wave it slowly across their face. Deepfake software cannot keep up, so the image smears or glitches where the hand crosses, and the illusion falls apart. A genuine person will not mind doing it. We recently showed our clients how to challenge a suspected fake on a video call, with a short clip of exactly that glitch.
For voice, the answer is older and simpler: a codeword. Agree a word with your team that never appears online, and use it to confirm any request to move money or change details. A cloned voice cannot guess a word it has never heard. We explain the approach in our guide to verifying financial requests with a codeword.
How do I protect my business when I cannot trust what I see?
You protect your business by switching from spotting fakes to verifying truth. It is a small change in habit with a big effect, and it costs nothing. The point is to build a few simple reflexes that hold up no matter how convincing an attacker becomes.
Start with the three that matter most.
Make verification the rule for anything that moves money or grants access. If a message or call asks for either, confirm it before you act. Use a separate, trusted route, such as ringing the person back on a number you already have. This single habit defeats the cloned voice, the deepfake, and the perfect phishing email in one move.
Add a second lock to your accounts so a stolen password is not enough. AI makes passwords easier than ever to harvest at scale, which is why a second login step now matters far more than it did. The method you choose makes a real difference, and we ranked every type of Two Step Verification from worst to best so you can pick a strong one your team will actually use.
Give your team permission to be slow. Almost every AI scam works by creating urgency, because pressure stops people checking. A team member who feels safe saying "let me confirm that and call you back" is worth more than any piece of software. Make it clear that pausing to verify is exactly what you want, never an inconvenience.
Why is partnering with an IT provider the strongest defence?
Partnering with an IT provider is the strongest defence because these attacks now move faster than any owner can watch for. The CrowdStrike report recorded attackers spreading through a business in as little as 27 seconds. No founder can run their company and simultaneously stand guard against something that fast. A provider whose entire job is watching can.
This is the honest reason businesses come to Kimbley IT, a UK managed IT services provider. We start from a blunt assumption: given enough time, one of our clients will be hit by something serious. We cannot promise that day never comes. What we can promise is that when it does, the damage is contained and the recovery is quick. Everything is already in place for it.
That readiness comes from a setup we have built and refined over decades, standardised across our clients and hardened against exactly these tactics. So far, nothing has got through it. That is not luck. It is the result of choosing the right tools, configuring them with care, and keeping watch around the clock. That is the work a busy founder has no time to do.
In the end it comes down to one uneven contest. You have to get your defences right every single time. An attacker only has to get lucky once, and AI has made getting lucky easier than ever. Spreading that watch across a team that does nothing else is how you even the odds. If you want the fuller picture, we wrote separately about why partnering with the right IT support transforms your business.
Frequently asked questions
- No, and that is the good news. The CrowdStrike 2026 Global Threat Report is clear that AI enhances existing tactics rather than inventing new ones. Phishing, voice scams, and fake identities are old tricks. AI has made them cheaper to run and far harder to spot, but the defences still work.
- Because AI writes flawlessly. The typos and awkward phrasing that used to give scams away came from criminals writing in a rush or in a second language. AI removes both problems instantly. The reliable approach now is to verify any request through a separate channel rather than judging how it reads.
- Ask them to wave a hand slowly across their face. Deepfake software glitches when a hand crosses the face, breaking the illusion, and a real person will happily do it. For anything involving money or access, also confirm the request by calling them back on a number you already trust.
- No. The most effective defences are free habits, not expensive products. Agreeing a codeword, verifying requests through a second channel, and turning on strong Two Step Verification all cost nothing. Together they block the most damaging AI-powered scams aimed at small businesses.
- Treat every request for money or access as unverified until you confirm it through a separate, trusted route. That one reflex defeats cloned voices, deepfakes, and perfect phishing emails at once. Pair it with strong Two Step Verification and you have closed the doors attackers rely on most.
Ready to take the pressure off?
You should not have to second-guess every call and email, wondering whether AI is on the other end. If you would like help putting these protections in place, book a video call with Kimbley IT using the form below. We will walk you through exactly how we keep our clients ready for whatever comes next.